https://bz.apache.org/bugzilla/show_bug.cgi?id=67666
Bug ID: 67666
Summary: TLSCertificateReloadListener does not detect all certificates to reload
Product: Tomcat 9
Version: 9.0.81
Hardware: All
OS: All
Status: NEW
Severity: major
Priority: P2
Component: Catalina
Assignee: dev@tomcat.apache.org
Reporter: micha...@apache.org
Target Milestone: -----

Tested with 9.0.82-dev, but I guess this happens on all versions.

Created one certificate:

openssl req -x509 -newkey rsa:4096 -keyout key.crt -out cert.crt -sha256 -days 5 -passout file:key-password
openssl pkcs12 -export -in cert.crt -inkey key.crt -out keystore.p12 -name "localhost" -passin file:key-password -passout file:keystore-password

Declared in server.xml:

<Listener className="org.apache.catalina.security.TLSCertificateReloadListener"
          checkPeriod="120" daysBefore="360" />

and

<Connector port="20001" protocol="org.apache.coyote.http11.Http11NioProtocol"
           maxThreads="150" SSLEnabled="true" maxParameterCount="1000"
           sslImplementationName="org.apache.tomcat.util.net.jsse.JSSEImplementation">
    <SSLHostConfig>
        <Certificate certificateKeyFile="conf/certs-localhost/key.crt"
                     certificateFile="conf/certs-localhost/cert.crt"
                     certificateChainFile="conf/cacerts.crt"
                     type="RSA" />
    </SSLHostConfig>
</Connector>

<Connector port="20002" protocol="org.apache.coyote.http11.Http11NioProtocol"
           maxThreads="150" SSLEnabled="true" maxParameterCount="1000"
           sslImplementationName="org.apache.tomcat.util.net.jsse.JSSEImplementation">
    <SSLHostConfig>
        <Certificate certificateKeystoreFile="conf/certs-localhost/keystore.p12"
                     certificateKeyAlias="localhost"
                     type="RSA" />
    </SSLHostConfig>
</Connector>

<Connector port="20003" protocol="org.apache.coyote.http11.Http11NioProtocol"
           maxThreads="150" SSLEnabled="true" maxParameterCount="1000"
           sslImplementationName="org.apache.tomcat.util.net.openssl.OpenSSLImplementation">
    <SSLHostConfig>
        <Certificate certificateKeyFile="conf/certs-localhost/key.crt"
                     certificateFile="conf/certs-localhost/cert.crt"
                     certificateChainFile="conf/cacerts.crt"
                     type="RSA" />
    </SSLHostConfig>
</Connector>

<Connector port="20004" protocol="org.apache.coyote.http11.Http11NioProtocol"
           maxThreads="150" SSLEnabled="true" maxParameterCount="1000"
           sslImplementationName="org.apache.tomcat.util.net.openssl.OpenSSLImplementation">
    <SSLHostConfig>
        <Certificate certificateKeystoreFile="conf/certs-localhost/keystore.p12"
                     certificateKeyAlias="localhost"
                     type="RSA" />
    </SSLHostConfig>
</Connector>

<Connector port="30001" protocol="org.apache.coyote.http11.Http11AprProtocol"
           maxThreads="150" SSLEnabled="true" maxParameterCount="1000">
    <SSLHostConfig>
        <Certificate certificateKeyFile="conf/certs-localhost/key.crt"
                     certificateFile="conf/certs-localhost/cert.crt"
                     certificateChainFile="conf/cacerts.crt"
                     type="RSA" />
    </SSLHostConfig>
</Connector>

<Connector port="30002" protocol="org.apache.coyote.http11.Http11AprProtocol"
           maxThreads="150" SSLEnabled="true" maxParameterCount="1000">
    <SSLHostConfig>
        <Certificate certificateKeystoreFile="conf/certs-localhost/keystore.p12"
                     certificateKeyAlias="localhost"
                     type="RSA" />
    </SSLHostConfig>
</Connector>

Starting Tomcat:

10-Oct-2023 20:21:25.310 INFO [main] org.apache.coyote.AbstractProtocol.init Initializing ProtocolHandler ["https-jsse-nio-20001"]
10-Oct-2023 20:21:25.802 SEVERE [main] org.apache.catalina.util.LifecycleBase.handleSubClassException Failed to initialize component [Connector["https-jsse-nio-20001"]]
org.apache.catalina.LifecycleException: Protocol handler initialization failed
    at org.apache.catalina.connector.Connector.initInternal(Connector.java:1011)
    at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:127)
    at org.apache.catalina.core.StandardService.initInternal(StandardService.java:554)
    at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:127)
    at org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:1039)
    at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:127)
    at org.apache.catalina.startup.Catalina.load(Catalina.java:724)
    at org.apache.catalina.startup.Catalina.load(Catalina.java:746)
    at java.base/jdk.internal.reflect.DirectMethodHandleAccessor.invoke(DirectMethodHandleAccessor.java:103)
    at java.base/java.lang.reflect.Method.invoke(Method.java:578)
    at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:307)
    at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:477)
Caused by: java.lang.IllegalArgumentException: PBE parameter parsing error: expecting the object identifier for AES cipher
    at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:107)
    at org.apache.tomcat.util.net.AbstractJsseEndpoint.initialiseSsl(AbstractJsseEndpoint.java:71)
    at org.apache.tomcat.util.net.NioEndpoint.bind(NioEndpoint.java:236)
    at org.apache.tomcat.util.net.AbstractEndpoint.bindWithCleanup(AbstractEndpoint.java:1326)
    at org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:1339)
    at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:654)
    at org.apache.coyote.http11.AbstractHttp11Protocol.init(AbstractHttp11Protocol.java:75)
    at org.apache.catalina.connector.Connector.initInternal(Connector.java:1009)
    ... 11 more
Caused by: java.io.IOException: PBE parameter parsing error: expecting the object identifier for AES cipher
    at java.base/com.sun.crypto.provider.PBES2Parameters.parseES(PBES2Parameters.java:324)
    at java.base/com.sun.crypto.provider.PBES2Parameters.engineInit(PBES2Parameters.java:240)
    at java.base/java.security.AlgorithmParameters.init(AlgorithmParameters.java:311)
    at java.base/sun.security.x509.AlgorithmId.decodeParams(AlgorithmId.java:149)
    at java.base/sun.security.x509.AlgorithmId.<init>(AlgorithmId.java:131)
    at java.base/sun.security.x509.AlgorithmId.parse(AlgorithmId.java:416)
    at java.base/javax.crypto.EncryptedPrivateKeyInfo.<init>(EncryptedPrivateKeyInfo.java:105)
    at org.apache.tomcat.util.net.jsse.PEMFile$Part.toPrivateKey(PEMFile.java:245)
    at org.apache.tomcat.util.net.jsse.PEMFile.<init>(PEMFile.java:178)
    at org.apache.tomcat.util.net.jsse.PEMFile.<init>(PEMFile.java:107)
    at org.apache.tomcat.util.net.SSLUtilBase.getKeyManagers(SSLUtilBase.java:355)
    at org.apache.tomcat.util.net.SSLUtilBase.createSSLContext(SSLUtilBase.java:268)
    at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:105)
    ... 18 more
10-Oct-2023 20:21:25.806 INFO [main] org.apache.coyote.AbstractProtocol.init Initializing ProtocolHandler ["https-jsse-nio-20002"]
10-Oct-2023 20:21:25.953 INFO [main] org.apache.tomcat.util.net.AbstractEndpoint.logCertificate Connector [https-jsse-nio-20002], TLS virtual host [_default_], certificate type [RSA] configured from keystore [conf/certs-localhost/keystore.p12] using alias [localhost] with trust store [null]
10-Oct-2023 20:21:25.986 INFO [main] org.apache.coyote.AbstractProtocol.init Initializing ProtocolHandler ["https-openssl-nio-20003"]
10-Oct-2023 20:21:26.013 INFO [main] org.apache.tomcat.util.net.openssl.OpenSSLUtil.getKeyManagers The certificate [conf/certs-localhost/cert.crt] or its private key [conf/certs-localhost/key.crt] could not be processed using a JSSE key manager and will be given directly to OpenSSL
10-Oct-2023 20:21:26.117 INFO [main] org.apache.tomcat.util.net.AbstractEndpoint.logCertificate Connector [https-openssl-nio-20003], TLS virtual host [_default_], certificate type [RSA] configured from key [conf/certs-localhost/key.crt], certificate [conf/certs-localhost/cert.crt] and certificate chain [conf/cacerts.crt] with trust store [null]
10-Oct-2023 20:21:26.119 INFO [main] org.apache.coyote.AbstractProtocol.init Initializing ProtocolHandler ["https-openssl-nio-20004"]
10-Oct-2023 20:21:26.141 INFO [main] org.apache.tomcat.util.net.AbstractEndpoint.logCertificate Connector [https-openssl-nio-20004], TLS virtual host [_default_], certificate type [RSA] configured from keystore [conf/certs-localhost/keystore.p12] using alias [localhost] with trust store [null]
10-Oct-2023 20:21:26.143 INFO [main] org.apache.coyote.AbstractProtocol.init Initializing ProtocolHandler ["https-openssl-apr-30001"]
10-Oct-2023 20:21:26.157 INFO [main] org.apache.tomcat.util.net.openssl.OpenSSLUtil.getKeyManagers The certificate [conf/certs-localhost/cert.crt] or its private key [conf/certs-localhost/key.crt] could not be processed using a JSSE key manager and will be given directly to OpenSSL
10-Oct-2023 20:21:26.209 INFO [main] org.apache.tomcat.util.net.openssl.OpenSSLUtil.getKeyManagers The certificate [conf/certs-localhost/cert.crt] or its private key [conf/certs-localhost/key.crt] could not be processed using a JSSE key manager and will be given directly to OpenSSL
10-Oct-2023 20:21:26.210 INFO [main] org.apache.tomcat.util.net.AbstractEndpoint.logCertificate Connector [https-openssl-apr-30001], TLS virtual host [_default_], certificate type [RSA] configured from key [conf/certs-localhost/key.crt], certificate [conf/certs-localhost/cert.crt] and certificate chain [conf/cacerts.crt] with trust store [null]
10-Oct-2023 20:21:26.212 INFO [main] org.apache.coyote.AbstractProtocol.init Initializing ProtocolHandler ["https-openssl-apr-30002"]
10-Oct-2023 20:21:26.248 INFO [main] org.apache.tomcat.util.net.AbstractEndpoint.logCertificate Connector [https-openssl-apr-30002], TLS virtual host [_default_], certificate type [RSA] configured from keystore [conf/certs-localhost/keystore.p12] using alias [localhost] with trust store [null]
10-Oct-2023 20:21:26.250 INFO [main] org.apache.catalina.startup.Catalina.load Server initialization in [2178] milliseconds

We will ignore 20001 for now because Java does not support DES-encrypted private keys, only AES.

Waiting for the listener:

10-Oct-2023 20:35:11.441 INFO [Catalina-utility-1] org.apache.tomcat.util.net.AbstractEndpoint.logCertificate Connector [https-jsse-nio-20002], TLS virtual host [_default_], certificate type [RSA] configured from keystore [conf/certs-localhost/keystore.p12] using alias [localhost] with trust store [null]
10-Oct-2023 20:35:11.442 INFO [Catalina-utility-1] org.apache.catalina.security.TLSCertificateReloadListener.checkCertificatesForRenewal [Connector["https-jsse-nio-20002"]], TLS virtual host [_default_] reloaded TLS configuration
10-Oct-2023 20:35:11.442 WARNING [Catalina-utility-1] org.apache.catalina.security.TLSCertificateReloadListener.checkCertificatesForRenewal [Connector["https-jsse-nio-20002"]], TLS virtual host [_default_] with name [CN=localhost, OU=IN IT IN, O=Siemens, L=Berlin, ST=Berlin, C=DE] that expires on [2023-10-15T17:20:55Z] is overdue for renewal
10-Oct-2023 20:35:11.456 INFO [Catalina-utility-1] org.apache.tomcat.util.net.AbstractEndpoint.logCertificate Connector [https-openssl-nio-20004], TLS virtual host [_default_], certificate type [RSA] configured from keystore [conf/certs-localhost/keystore.p12] using alias [localhost] with trust store [null]
10-Oct-2023 20:35:11.457 INFO [Catalina-utility-1] org.apache.catalina.security.TLSCertificateReloadListener.checkCertificatesForRenewal [Connector["https-openssl-nio-20004"]], TLS virtual host [_default_] reloaded TLS configuration
10-Oct-2023 20:35:11.457 WARNING [Catalina-utility-1] org.apache.catalina.security.TLSCertificateReloadListener.checkCertificatesForRenewal [Connector["https-openssl-nio-20004"]], TLS virtual host [_default_] with name [CN=localhost, OU=IN IT IN, O=Siemens, L=Berlin, ST=Berlin, C=DE] that expires on [2023-10-15T17:20:55Z] is overdue for renewal
10-Oct-2023 20:35:11.476 INFO [Catalina-utility-1] org.apache.tomcat.util.net.AbstractEndpoint.logCertificate Connector [https-openssl-apr-30002], TLS virtual host
[_default_], certificate type [RSA] configured from keystore [conf/certs-localhost/keystore.p12] using alias [localhost] with trust store [null]
10-Oct-2023 20:35:11.476 INFO [Catalina-utility-1] org.apache.catalina.security.TLSCertificateReloadListener.checkCertificatesForRenewal [Connector["https-openssl-apr-30002"]], TLS virtual host [_default_] reloaded TLS configuration
10-Oct-2023 20:35:11.477 WARNING [Catalina-utility-1] org.apache.catalina.security.TLSCertificateReloadListener.checkCertificatesForRenewal [Connector["https-openssl-apr-30002"]], TLS virtual host [_default_] with name [CN=localhost, OU=IN IT IN, O=Siemens, L=Berlin, ST=Berlin, C=DE] that expires on [2023-10-15T17:20:55Z] is overdue for renewal

Connectors for ports 20003 and 30001 do not appear because at some point "X509KeyManager x509KeyManager = certificate.getCertificateKeyManager();" returns null, thus "X509Certificate[] certificates = sslContext.getCertificateChain(alias);" is null and certificatesExpiringBefore() returns an empty set.

I assume that the code needs refinement. I guess that renewal bots will create OpenSSL-style cert and key, so this listener won't be usable for people at the moment.
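The report shows two separate failure modes: a PEM private key whose PBES2 scheme is not AES makes the JSSE connector fail at startup, and PEM certificates that Tomcat hands directly to OpenSSL are silently skipped by TLSCertificateReloadListener. The script below is an added example for auditing a server.xml against both observations; it is not Tomcat code and not part of the bug report. It only applies what the report recorded: keystore-backed certificates were reloaded and warned about, PEM certificates on the OpenSSLImplementation and APR connectors were not, and PEM under plain JSSE was never observed because that connector did not start (reported as "unknown"). The key-cipher check is a byte-pattern heuristic over the decoded DER, not an ASN.1 parser, and the sample server.xml and key blobs are constructed stand-ins.

```python
"""Audit a Tomcat 9 server.xml for the two problems seen in bug 67666.
Added example, not Tomcat code. Assumes the element/attribute names used in
the report (Listener, Connector, SSLHostConfig, Certificate)."""
import base64
import re
import xml.etree.ElementTree as ET
from typing import Optional

LISTENER = "org.apache.catalina.security.TLSCertificateReloadListener"
OPENSSL_IMPL = "org.apache.tomcat.util.net.openssl.OpenSSLImplementation"

# DER OBJECT IDENTIFIER encodings (tag 0x06, length, value bytes).
OID_DES_EDE3_CBC = b"\x06\x08\x2a\x86\x48\x86\xf7\x0d\x03\x07"     # 1.2.840.113549.3.7
OID_AES_CBC_PREFIX = b"\x06\x09\x60\x86\x48\x01\x65\x03\x04\x01"  # 2.16.840.1.101.3.4.1.*


def has_reload_listener(server_xml: str) -> bool:
    """True if TLSCertificateReloadListener is declared at all."""
    root = ET.fromstring(server_xml)
    return any(l.get("className") == LISTENER for l in root.iter("Listener"))


def uses_openssl(connector) -> Optional[bool]:
    """APR connectors always hand keys to OpenSSL; NIO connectors do when
    sslImplementationName says so. With no attribute Tomcat decides at
    runtime (tcnative present or not), so the answer is unknown (None)."""
    if "AprProtocol" in connector.get("protocol", ""):
        return True
    impl = connector.get("sslImplementationName")
    return None if impl is None else impl == OPENSSL_IMPL


def classify_certificates(server_xml: str) -> list:
    """One record per <Certificate> of each SSLEnabled connector.
    'monitored': True = keystore (listener acted in the report),
    False = PEM given to OpenSSL (listener skipped it), None = no evidence."""
    root = ET.fromstring(server_xml)
    records = []
    for conn in root.iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue
        openssl = uses_openssl(conn)
        for cert in conn.iter("Certificate"):
            source = "keystore" if cert.get("certificateKeystoreFile") else "pem"
            monitored = True if source == "keystore" else (False if openssl is True else None)
            records.append({"port": conn.get("port"), "source": source,
                            "openssl": openssl, "monitored": monitored})
    return records


def pem_key_cipher(pem_text: str) -> str:
    """'aes' / 'des-ede3-cbc' / 'unknown' for PKCS#8 ENCRYPTED PRIVATE KEY,
    'legacy' for OpenSSL Proc-Type PEM encryption, else 'unencrypted'.
    Only AES PBES2 keys got past the JSSE PEM parser in the report."""
    m = re.search(r"-----BEGIN ENCRYPTED PRIVATE KEY-----(.*?)-----END ENCRYPTED PRIVATE KEY-----",
                  pem_text, re.S)
    if m is None:
        return "legacy" if "Proc-Type: 4,ENCRYPTED" in pem_text else "unencrypted"
    der = base64.b64decode("".join(m.group(1).split()))
    if OID_AES_CBC_PREFIX in der:
        return "aes"
    if OID_DES_EDE3_CBC in der:
        return "des-ede3-cbc"
    return "unknown"


def _wrap_pem(der: bytes) -> str:
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN ENCRYPTED PRIVATE KEY-----\n{body}\n-----END ENCRYPTED PRIVATE KEY-----\n"


# Constructed sample input, cut down from the report's server.xml.
SAMPLE_SERVER_XML = f"""<Server><Service>
<Listener className="{LISTENER}" checkPeriod="120" daysBefore="360"/>
<Connector port="20001" protocol="org.apache.coyote.http11.Http11NioProtocol" SSLEnabled="true"
  sslImplementationName="org.apache.tomcat.util.net.jsse.JSSEImplementation">
  <SSLHostConfig><Certificate certificateKeyFile="conf/certs-localhost/key.crt"
    certificateFile="conf/certs-localhost/cert.crt" type="RSA"/></SSLHostConfig></Connector>
<Connector port="20002" protocol="org.apache.coyote.http11.Http11NioProtocol" SSLEnabled="true"
  sslImplementationName="org.apache.tomcat.util.net.jsse.JSSEImplementation">
  <SSLHostConfig><Certificate certificateKeystoreFile="conf/certs-localhost/keystore.p12"
    certificateKeyAlias="localhost" type="RSA"/></SSLHostConfig></Connector>
<Connector port="20003" protocol="org.apache.coyote.http11.Http11NioProtocol" SSLEnabled="true"
  sslImplementationName="{OPENSSL_IMPL}">
  <SSLHostConfig><Certificate certificateKeyFile="conf/certs-localhost/key.crt"
    certificateFile="conf/certs-localhost/cert.crt" type="RSA"/></SSLHostConfig></Connector>
<Connector port="30001" protocol="org.apache.coyote.http11.Http11AprProtocol" SSLEnabled="true">
  <SSLHostConfig><Certificate certificateKeyFile="conf/certs-localhost/key.crt"
    certificateFile="conf/certs-localhost/cert.crt" type="RSA"/></SSLHostConfig></Connector>
</Service></Server>"""

# Constructed DER fragments carrying only the cipher OID; not real keys.
CONSTRUCTED_3DES_KEY = _wrap_pem(b"\x30\x0a" + OID_DES_EDE3_CBC)
CONSTRUCTED_AES_KEY = _wrap_pem(b"\x30\x0b" + OID_AES_CBC_PREFIX + b"\x2a")

if __name__ == "__main__":
    print("listener declared:", has_reload_listener(SAMPLE_SERVER_XML))
    for rec in classify_certificates(SAMPLE_SERVER_XML):
        print(rec)
    print("3des key:", pem_key_cipher(CONSTRUCTED_3DES_KEY))
    print("aes key:", pem_key_cipher(CONSTRUCTED_AES_KEY))
```

Run against a real server.xml by reading the file into classify_certificates(); any record with monitored=False is a certificate whose expiry the listener will not warn about, and any PEM key reported as des-ede3-cbc needs re-encryption with an AES scheme (for example openssl pkcs8 -topk8 -v2 aes-256-cbc) before a JSSE connector will load it.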