Hang on. I'm panicking. I have a plane to catch in 3 hours and need
this working by then.
aws s3 cp fullca.p12 s3://691459864434-sgs-source/certs/sgstrust.p12
splatting one file on top of the other
Midway through this email when you last came in: "Not running" is
spot-on because...
The current problem is actually
Jun 02, 2022 6:01:27 PM org.apache.coyote.AbstractProtocol init
INFO: Initializing ProtocolHandler ["https-jsse-nio-10.0.2.118-15002"]
Jun 02, 2022 6:01:27 PM org.apache.catalina.util.LifecycleBase handleSubClassException
SEVERE: Failed to initialize component [Connector[HTTP/1.1-15002]]
org.apache.catalina.LifecycleException: Protocol handler initialization failed
    at org.apache.catalina.connector.Connector.initInternal(Connector.java:1049)
    at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
    at org.apache.catalina.core.StandardService.initInternal(StandardService.java:556)
    at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
    at org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:1042)
    at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
    at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:173)
    at org.apache.catalina.startup.Tomcat.start(Tomcat.java:486)
    at edu.utah.camplab.server.SGSSelector.kickOff(SGSSelector.java:175)
    at edu.utah.camplab.server.SGSSelector.run(SGSSelector.java:187)
    at java.base/java.lang.Thread.run(Thread.java:833)
Caused by: java.lang.IllegalArgumentException: Alias name [sgsAgent] does not identify a key entry
    at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:107)
    at org.apache.tomcat.util.net.AbstractJsseEndpoint.initialiseSsl(AbstractJsseEndpoint.java:71)
    at org.apache.tomcat.util.net.NioEndpoint.bind(NioEndpoint.java:234)
    at org.apache.tomcat.util.net.AbstractEndpoint.bindWithCleanup(AbstractEndpoint.java:1227)
    at org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:1240)
    at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:603)
    at org.apache.coyote.http11.AbstractHttp11Protocol.init(AbstractHttp11Protocol.java:80)
    at org.apache.catalina.connector.Connector.initInternal(Connector.java:1046)
    ... 10 more
Caused by: java.io.IOException: Alias name [sgsAgent] does not identify a key entry
    at org.apache.tomcat.util.net.SSLUtilBase.getKeyManagers(SSLUtilBase.java:337)
    at org.apache.tomcat.util.net.SSLUtilBase.createSSLContext(SSLUtilBase.java:247)
    at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:105)
    ... 17 more
but I believe the alias is in place, in both places
## check, different files
[ec2-user@ip-10-0-2-118 certs]$ ls -l fullca.p12 sgstrust.p12
-rw-rw-r-- 1 ec2-user ec2-user 281500 Jun 2 17:12 fullca.p12
-rw-rw-r-- 1 ec2-user ec2-user 2726 Jun 2 17:13 sgstrust.p12
## checks for alias
[ec2-user@ip-10-0-2-118 certs]$ keytool -storetype pkcs12 -list -keystore sgstrust.p12 -alias sgsAgent -storepass changeit
sgsAgent, Jun 2, 2022, PrivateKeyEntry,
Certificate fingerprint (SHA-256): 65:F1:9C:07:37:C4:13:A8:82:D5:09:E7:51:F9:C0:E2:94:E4:41:64:F1:41:86:E6:60:5F:50:87:A8:13:74:17
[ec2-user@ip-10-0-2-118 certs]$ keytool -storetype pkcs12 -list -keystore fullca.p12 -alias sgsAgent -storepass changeit
sgsAgent, Jun 2, 2022, trustedCertEntry,
Certificate fingerprint (SHA-256): 65:F1:9C:07:37:C4:13:A8:82:D5:09:E7:51:F9:C0:E2:94:E4:41:64:F1:41:86:E6:60:5F:50:87:A8:13:74:17
## upload to s3
[ec2-user@ip-10-0-2-118 certs]$ aws s3 cp fullca.p12 s3://691459864434-sgs-source/certs/fullca.p12
upload: ./fullca.p12 to s3://691459864434-sgs-source/certs/fullca.p12
[ec2-user@ip-10-0-2-118 certs]$ aws s3 cp sgstrust.p12 s3://691459864434-sgs-source/certs/sgstrust.p12
upload: ./sgstrust.p12 to s3://691459864434-sgs-source/certs/sgstrust.p12
## program downloads p12 files from s3
To your latest
I add my cert to truststore.
Which one? Are you using client certs for mutual-TLS or just
plain-old "I only need to trust the server" checking?
I add sgstrust to fullca. I think the latter mode is fine.
If it's vanilla, then you need:
1. Key + cert in the key store used by the Tomcat <Connector>
2. cert in the trust store used by the client (optional if it's
signed by a trusted CA)
Remember if your key store from #1 has more than one cert+key in it,
Tomcat will choose the first one (which is basically a crap-shoot,
given the API) unless you specify the alias of the one to use. I
think it's best to have only a single key+cert in each keystore
(unless it's multiple flavors of the same thing, like RSA and ECDSA
for the same server). That way you don't get confused by "too much
stuff".
I'm starting both the server and the client with both key and trust.
Does that bite?
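Added example, not from the thread or from Tomcat itself: a small Python preflight that parses `keytool -list` output and reports the exact mismatch above (the configured alias resolving to a trustedCertEntry instead of a PrivateKeyEntry), and also flags the ambiguous case of several key entries with no keyAlias set. The two listings are constructed from the checks in the message; `keytool` itself is not invoked.

```python
import re
from typing import Dict, Optional

# keytool -list prints one line per entry, e.g. "sgsAgent, Jun 2, 2022, PrivateKeyEntry,"
# followed by a "Certificate fingerprint (SHA-256): ..." line, which carries no commas
# and therefore never matches this pattern.
ENTRY_RE = re.compile(
    r"^(?P<alias>[^,]+),\s*(?P<date>.+?),\s*"
    r"(?P<kind>PrivateKeyEntry|trustedCertEntry|SecretKeyEntry),?\s*$"
)

def parse_keytool_list(output: str) -> Dict[str, str]:
    """Map alias -> entry kind from keytool -list output; other lines are skipped."""
    entries: Dict[str, str] = {}
    for line in output.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries[m.group("alias").strip()] = m.group("kind")
    return entries

def connector_key_problem(output: str, key_alias: Optional[str] = None) -> Optional[str]:
    """Return None if Tomcat can load a private key from this store, else why not.

    key_alias is the <Connector keyAlias="..."> value. With no alias configured Tomcat
    takes the first key entry it finds, so more than one key entry is reported as ambiguous.
    """
    entries = parse_keytool_list(output)
    key_entries = [a for a, k in entries.items() if k == "PrivateKeyEntry"]
    if key_alias is None:
        if not key_entries:
            return "no PrivateKeyEntry in store; it only holds certificates"
        if len(key_entries) > 1:
            return f"keyAlias not set and store has several key entries {key_entries}"
        return None
    kind = entries.get(key_alias)
    if kind is None:
        return f"alias [{key_alias}] not found; store has {sorted(entries)}"
    if kind != "PrivateKeyEntry":
        return (f"alias [{key_alias}] is a {kind}, not a key entry: the private key is "
                "missing, e.g. a trust store was copied over the key store")
    return None

# Constructed from the two listings in the thread: same alias, same fingerprint,
# but only one of the stores actually holds the private key.
FP = "65:F1:9C:07:37:C4:13:A8:82:D5:09:E7:51:F9:C0:E2:94:E4:41:64:F1:41:86:E6:60:5F:50:87:A8:13:74:17"
KEY_STORE_LISTING = f"sgsAgent, Jun 2, 2022, PrivateKeyEntry,\nCertificate fingerprint (SHA-256): {FP}\n"
TRUST_STORE_LISTING = f"sgsAgent, Jun 2, 2022, trustedCertEntry,\nCertificate fingerprint (SHA-256): {FP}\n"
```

Feed it the output of `keytool -storetype pkcs12 -list -keystore <store> -storepass <pw>` for the file the Connector's keystoreFile points at; a non-None result is the same condition Tomcat reports as "does not identify a key entry".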