Re: Using the certificate files instead of a Java Keystore file, Re: Let's Encrypt with Tomcat?

2020-01-09 Thread James H. H. Lampert

On 1/9/20 1:24 AM, Mark Thomas wrote:

The moderators are aware of the situation. The subscriber in question
was blocked from making further posts an hour or so ago.


I'm glad to see that I'm not the only one who looked at those posts, and 
found them less-than-helpful (I think every link he posted was one using 
a JKS, and we already know they work fine), and in some cases downright 
nonsensical. Although making him only the third or fourth user to be 
kicked out, in the history of the List, seems a bit drastic, unless he 
has a history of similar actions.


At any rate, in answer to Peter's question about my private key, the 
file looks like:

-----BEGIN RSA PRIVATE KEY-----
[REDACTED]
-----END RSA PRIVATE KEY-----

and looking at it with KeyStore Explorer tells me it's an RSA private 
key, 2048 bits, format PKCS#8.


As to the cert and chain files, the .cer file looks like:

-----BEGIN CERTIFICATE-----
[REDACTED]
-----END CERTIFICATE-----

and looking at it with KSE shows that it contains our certificate,

and the .ca.crt file looks like:

-----BEGIN CERTIFICATE-----
[REDACTED]
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
[REDACTED]
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
[REDACTED]
-----END CERTIFICATE-----


and looking at it with KSE shows that it contains "AddTrust External CA 
Root," "COMODO RSA Certification Authority," and "COMODO RSA 
Organization Validation Secure Server CA."


--
JHHL

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org



Re: [OT] Using the certificate files instead of a Java Keystore file, Re: Let's Encrypt with Tomcat?

2020-01-09 Thread Christopher Schultz

Everyone,

On 1/9/20 4:24 AM, Mark Thomas wrote:
> On 09/01/2020 08:27, calder wrote:
>> Moderators ?
> 
> The moderators can be contacted via users-ow...@tomcat.apache.org
> 
> The moderators are aware of the situation. The subscriber in
> question was blocked from making further posts an hour or so ago.
> 
> Blocking a user is not a decision the moderators take lightly.
> Excluding obvious spambots, I can only think of 2 instances in the
> last 20 years before this one (it might be 3 - my memory is a
> little hazy going back that far) where a user has been blocked from
> this list. The moderators try to point out inappropriate behaviour
> and provide an opportunity for posters to change their behaviour
> before a ban is applied.
> 
> The moderators appreciate that behaviour like this can be
> frustrating. We aim to deal with it as quickly as we can whilst at
> the same time trying to allow for the fact that everyone can have a
> bad day sometimes.

I would encourage the lifting of this block. We have had posters in
the past who have posted many confusing messages and frankly, it's
fairly easy to sift-out the cruft.

While some novice readers may be confused by such posts, it's up to
the rest of us to provide better and more helpful responses.

I'd prefer not to ban people unless they are being overtly abusive.
Annoying is not being abusive. Picking fights with one or two
community members is not being abusive. (Yet)

I replied to this thread instead of starting a new one because I
didn't want to start a whole new thread debating this topic. I
apologize if this reply ends up hijacking the original thread (a
second time). If you feel like this is a larger discussion to be had
on the list, please start a new thread.

-chris




Re: Using the certificate files instead of a Java Keystore file, Re: Let's Encrypt with Tomcat?

2020-01-09 Thread logo

James,

On 2020-01-09 00:58, James H. H. Lampert wrote:

I wrote:
Am I to understand that Tomcat 8.5.40 can use the ".cer," ".ca.crt" 
and ".key" files directly, instead of the Java Keystore file?


On 12/30/19 1:41 PM, Peter Kreuser wrote:

Correct!


I tried an experiment this afternoon:

I made a copy of the existing server.xml file, and I changed the active
connector from this (keystore file and alias redacted for privacy,
ciphers and compressibleMimeTypes clauses redacted because they're
quite long, and not relevant here):
protocol="org.apache.coyote.http11.Http11NioProtocol"
 compression="on" compressionMinSize="2048" 
noCompressionUserAgents="gozilla, traviata"

 compressableMimeType="[REDACTED]"
 maxThreads="1000" socket.appReadBufSize="1024" 
socket.appWriteBufSize="1024" bufferSize="1024"

 SSLEnabled="true" scheme="https" secure="true"
 keystoreFile="[REDACTED]" keyAlias="[REDACTED]" ciphers="[REDACTED]"
 clientAuth="false" sslProtocol="TLS" />


to this:
protocol="org.apache.coyote.http11.Http11NioProtocol"
 compression="on" compressionMinSize="2048" 
noCompressionUserAgents="gozilla, traviata"

 compressableMimeType="[REDACTED]"
 maxThreads="1000" socket.appReadBufSize="1024" 
socket.appWriteBufSize="1024" bufferSize="1024"

 SSLEnabled="true" scheme="https" secure="true">
  
certificateKeyFile="[REDACTED].key"

 certificateChainFile="[REDACTED].ca.crt" />
  



and restarted Tomcat, and it failed to open the port, producing this
in catalina.out:
08-Jan-2020 23:14:09.026 SEVERE [main] org.apache.catalina.core.StandardService.initInternal Failed to initialize connector [Connector[HTTP/1.1-8443]]
 org.apache.catalina.LifecycleException: Failed to initialize component [Connector[HTTP/1.1-8443]]
    at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:112)
    at org.apache.catalina.core.StandardService.initInternal(StandardService.java:552)
    at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:107)
    at org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:875)
    at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:107)
    at org.apache.catalina.startup.Catalina.load(Catalina.java:639)
    at org.apache.catalina.startup.Catalina.load(Catalina.java:662)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:498)
    at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:309)
    at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:492)
Caused by: org.apache.catalina.LifecycleException: Protocol handler initialization failed
    at org.apache.catalina.connector.Connector.initInternal(Connector.java:995)
    at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:107)
    ... 12 more
Caused by: java.lang.IllegalArgumentException: Cannot store non-PrivateKeys
    at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:100)
    at org.apache.tomcat.util.net.AbstractJsseEndpoint.initialiseSsl(AbstractJsseEndpoint.java:72)
    at org.apache.tomcat.util.net.NioEndpoint.bind(NioEndpoint.java:244)
    at org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:1105)
    at org.apache.tomcat.util.net.AbstractJsseEndpoint.init(AbstractJsseEndpoint.java:224)
    at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:581)
    at org.apache.coyote.http11.AbstractHttp11Protocol.init(AbstractHttp11Protocol.java:68)
    at org.apache.catalina.connector.Connector.initInternal(Connector.java:993)
    ... 13 more
Caused by: java.security.KeyStoreException: Cannot store non-PrivateKeys
    at sun.security.provider.JavaKeyStore.engineSetKeyEntry(JavaKeyStore.java:261)
    at sun.security.provider.JavaKeyStore$JKS.engineSetKeyEntry(JavaKeyStore.java:56)
    at sun.security.provider.KeyStoreDelegator.engineSetKeyEntry(KeyStoreDelegator.java:117)
    at sun.security.provider.JavaKeyStore$DualFormatJKS.engineSetKeyEntry(JavaKeyStore.java:70)
    at java.security.KeyStore.setKeyEntry(KeyStore.java:1140)
    at org.apache.tomcat.util.net.SSLUtilBase.getKeyManagers(SSLUtilBase.java:313)
    at org.apache.tomcat.util.net.SSLUtilBase.createSSLContext(SSLUtilBase.java:239)
    at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:98)
    ... 20 more




I recently came across a similar problem (at least the same error 
message), where the key was in an unsupported format (first line of the 
file: "BEGIN EC PRIVATE KEY"; Mark is working on a solution for this). 
What type of private key are you using? all files PEM encode
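
James's description of his .key, .cer and .ca.crt files (earlier in this thread) and logo's note just above that a key whose first line reads "BEGIN EC PRIVATE KEY" is in a format Tomcat 8.5.40 does not accept both come down to one question: what does each PEM file actually contain? The following Python script is an added example for this thread, not code from any of the posts or from Tomcat. It lists the PEM blocks in a file, classifies a private key by its label and by walking its DER structure (PKCS#1 "RSA PRIVATE KEY", PKCS#8 "PRIVATE KEY" with the algorithm OID, SEC1 "EC PRIVATE KEY", encrypted PKCS#8), reads the RSA modulus size, and counts the certificates in a chain file. The sample keys it builds are dummies with the right DER shape and meaningless numbers, constructed for the demo; all function names are the example's own.

```python
"""Inspect the PEM files a Tomcat <Certificate> element points at: which block
labels are present, whether the private key is PKCS#1, PKCS#8 or SEC1 and for
which algorithm, and how many certificates the chain file holds.
Standard library only; the DER walk is deliberately minimal.
Added example for this thread, not code from the posts or from Tomcat."""
import base64
import re

PEM_RE = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.S)

# Algorithm OIDs as DER-encoded inside a PKCS#8 AlgorithmIdentifier.
OIDS = {
    bytes.fromhex("2a864886f70d010101"): "RSA",  # 1.2.840.113549.1.1.1 rsaEncryption
    bytes.fromhex("2a8648ce3d0201"): "EC",       # 1.2.840.10045.2.1 id-ecPublicKey
}

def pem_blocks(text):
    """Return [(label, der_bytes), ...] for every PEM block in text, in file order."""
    return [(m.group(1), base64.b64decode("".join(m.group(2).split())))
            for m in PEM_RE.finditer(text)]

def _tlv(buf, pos=0):
    """Read one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                        # long form: low bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _children(seq_value):
    """Split the value of a SEQUENCE into its (tag, value) elements."""
    out, pos = [], 0
    while pos < len(seq_value):
        tag, val, pos = _tlv(seq_value, pos)
        out.append((tag, val))
    return out

def _int_bits(value):
    return int.from_bytes(value, "big", signed=True).bit_length()

def describe_private_key(label, der):
    """Classify one private-key block by its PEM label and its DER structure."""
    tag, body, _ = _tlv(der)
    if tag != 0x30:
        raise ValueError("private key body is not a DER SEQUENCE")
    fields = _children(body)
    info = {"pem_label": label, "format": "unknown", "algorithm": "unknown", "key_bits": None}
    if label == "PRIVATE KEY":               # PKCS#8: version, AlgorithmIdentifier, OCTET STRING
        info["format"] = "PKCS#8"
        oid = _children(fields[1][1])[0][1]
        info["algorithm"] = OIDS.get(oid, "OID " + oid.hex())
        if info["algorithm"] == "RSA":       # the OCTET STRING wraps a PKCS#1 RSAPrivateKey
            inner = _children(_tlv(fields[2][1])[1])
            info["key_bits"] = _int_bits(inner[1][1])
    elif label == "RSA PRIVATE KEY":         # PKCS#1: version, n, e, d, p, q, dP, dQ, qInv
        info["format"], info["algorithm"] = "PKCS#1", "RSA"
        info["key_bits"] = _int_bits(fields[1][1])
    elif label == "EC PRIVATE KEY":          # SEC1: the header logo's message reports as rejected
        info["format"], info["algorithm"] = "SEC1", "EC"
    elif label == "ENCRYPTED PRIVATE KEY":   # PKCS#8 EncryptedPrivateKeyInfo; needs a password
        info["format"] = "PKCS#8 (encrypted)"
    return info

def inspect_key_file(text):
    """Describe the first private-key block in a .key file, or None if there is none."""
    for label, der in pem_blocks(text):
        if label.endswith("PRIVATE KEY"):
            return describe_private_key(label, der)
    return None

def count_certificates(text):
    return sum(1 for label, _ in pem_blocks(text) if label == "CERTIFICATE")

def report(key_text, cert_text, chain_text):
    """Summary of the three files a <Certificate> element refers to."""
    return {"key": inspect_key_file(key_text),
            "certs_in_cert_file": count_certificates(cert_text),
            "certs_in_chain_file": count_certificates(chain_text)}

# --- constructed samples: correct DER shape, meaningless numbers, NOT real keys ---
def _der(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

def _int(v):                                 # DER INTEGER; +8 leaves room for the sign bit
    return _der(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big"))

def to_pem(label, der):
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"

_FAKE_N = (1 << 2047) | 1                    # 2048-bit dummy "modulus"
_PKCS1 = _der(0x30, _int(0) + _int(_FAKE_N) + _int(65537) + b"".join(_int(x) for x in range(3, 9)))
_RSA_ALG = _der(0x30, _der(0x06, bytes.fromhex("2a864886f70d010101")) + _der(0x05, b""))
SAMPLE_PKCS1_RSA = to_pem("RSA PRIVATE KEY", _PKCS1)
SAMPLE_PKCS8_RSA = to_pem("PRIVATE KEY", _der(0x30, _int(0) + _RSA_ALG + _der(0x04, _PKCS1)))
SAMPLE_SEC1_EC = to_pem("EC PRIVATE KEY", _der(0x30, _int(1) + _der(0x04, bytes(32))))
SAMPLE_CHAIN = to_pem("CERTIFICATE", b"\x30\x00") * 3   # three placeholder blocks, like a .ca.crt

if __name__ == "__main__":
    for name, pem in [("pkcs1", SAMPLE_PKCS1_RSA), ("pkcs8", SAMPLE_PKCS8_RSA), ("sec1", SAMPLE_SEC1_EC)]:
        print(name, inspect_key_file(pem))
    print(report(SAMPLE_PKCS1_RSA, to_pem("CERTIFICATE", b"\x30\x00"), SAMPLE_CHAIN))
```

Run it against real files by reading each path into a string and calling report(); the label tells you what the tool that wrote the key intended, while the DER walk tells you what is really inside, which is the distinction that matters when a KeyStore refuses the material it is handed.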

Re: Using the certificate files instead of a Java Keystore file, Re: Let's Encrypt with Tomcat?

2020-01-09 Thread Mark Thomas
On 09/01/2020 08:27, calder wrote:
> Moderators ?

The moderators can be contacted via users-ow...@tomcat.apache.org

The moderators are aware of the situation. The subscriber in question
was blocked from making further posts an hour or so ago.

Blocking a user is not a decision the moderators take lightly. Excluding
obvious spambots, I can only think of 2 instances in the last 20 years
before this one (it might be 3 - my memory is a little hazy going back
that far) where a user has been blocked from this list. The moderators
try to point out inappropriate behaviour and provide an opportunity for
posters to change their behaviour before a ban is applied.

The moderators appreciate that behaviour like this can be frustrating.
We aim to deal with it as quickly as we can whilst at the same time
trying to allow for the fact that everyone can have a bad day sometimes.

Mark
wearing his list moderator hat




Re: Using the certificate files instead of a Java Keystore file, Re: Let's Encrypt with Tomcat?

2020-01-09 Thread calder
Moderators ?



On Wed, Jan 8, 2020, 20:44 Zahid Rahman  wrote:

>
> https://stackoverflow.com/questions/46786046/severe-main-org-apache-catalina-core-standardservice-initinternal-failed-to-in
>
> I went to college and studied IT before finding a job. My teacher explained
> to me that you should always look at the first error and ignore the rest.
>



Then your  "teacher"  has  NO IDEA  what they are talking about, as related
to log interpretation ... and now, YOU foster the same INVALID information.


When one reads a log file, if there are any "Caused by"  statements, locate
the last "Caused by" in the stack trace, and that is the area of root cause.

One can see there are "Caused by's" in the stack trace, so "looking at the
first error"  does NOT apply in this case.



James, do not take Zahid's information as accurate - his knowledge is
lacking.



First error.
> 08-Jan-2020 23:14:09.026 SEVERE [main]
> org.apache.catalina.core.StandardService.initInternal
> Failed to initialize connector [Connector[HTTP/1.1-8443]]
>
>
> Once that has been addressed  then either the remaining  will disappear or
> address the second error which will then be the first error.
>
>
> On Wed, 8 Jan 2020, 23:59 James H. H. Lampert, 
> wrote:
>
> > I wrote:
> > > Am I to understand that Tomcat 8.5.40 can use the ".cer," ".ca.crt"
> > > and ".key" files directly, instead of the Java Keystore file?
> >
> > On 12/30/19 1:41 PM, Peter Kreuser wrote:
> > > Correct!
> >
> > I tried an experiment this afternoon:
> >
> > I made a copy of the existing server.xml file, and I changed the active
> > connector from this (keystore file and alias redacted for privacy,
> > ciphers and compressibleMimeTypes clauses redacted because they're quite
> > long, and not relevant here):
> > >  > protocol="org.apache.coyote.http11.Http11NioProtocol"
> > >  compression="on" compressionMinSize="2048"
> > noCompressionUserAgents="gozilla, traviata"
> > >  compressableMimeType="[REDACTED]"
> > >  maxThreads="1000" socket.appReadBufSize="1024"
> > socket.appWriteBufSize="1024" bufferSize="1024"
> > >  SSLEnabled="true" scheme="https" secure="true"
> > >  keystoreFile="[REDACTED]" keyAlias="[REDACTED]" ciphers="[REDACTED]"
> > >  clientAuth="false" sslProtocol="TLS" />
> >
> > to this:
> > >  > protocol="org.apache.coyote.http11.Http11NioProtocol"
> > >  compression="on" compressionMinSize="2048"
> > noCompressionUserAgents="gozilla, traviata"
> > >  compressableMimeType="[REDACTED]"
> > >  maxThreads="1000" socket.appReadBufSize="1024"
> > socket.appWriteBufSize="1024" bufferSize="1024"
> > >  SSLEnabled="true" scheme="https" secure="true">
> > >> >certificateVerification="none" sslProtocol="TLS">
> > >  > certificateKeyFile="[REDACTED].key"
> > >  certificateChainFile="[REDACTED].ca.crt" />
> > >   
> > > 
> >
> > and restarted Tomcat, and it failed to open the port, producing this in
> > catalina.out:
> > > 08-Jan-2020 23:14:09.026 SEVERE [main]
> > org.apache.catalina.core.StandardService.initInternal Failed to
> initialize
> > connector [Connector[HTTP/1.1-8443]]
> > >  org.apache.catalina.LifecycleException: Failed to initialize component
> > [Connector[HTTP/1.1-8443]]
> > > at
> > org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:112)
> > > at
> >
> org.apache.catalina.core.StandardService.initInternal(StandardService.java:552)
> > > at
> > org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:107)
> > > at
> >
> org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:875)
> > > at
> > org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:107)
> > > at org.apache.catalina.startup.Catalina.load(Catalina.java:639)
> > > at org.apache.catalina.startup.Catalina.load(Catalina.java:662)
> > > at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> > > at
> >
> sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
> > > at
> >
> sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
> > > at java.lang.reflect.Method.invoke(Method.java:498)
> > > at
> org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:309)
> > > at
> org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:492)
> > > Caused by: org.apache.catalina.LifecycleException: Protocol handler
> > initialization failed
> > > at
> > org.apache.catalina.connector.Connector.initInternal(Connector.java:995)
> > > at
> > org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:107)
> > > ... 12 more
> > > Caused by: java.lang.IllegalArgumentException: Cannot store
> > non-PrivateKeys
> > > at org.apache.tomcat.util.net
> > .AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:100)
> > > at org.apache.tomcat.util.net
> > .AbstractJsseEndpoint.initialiseSsl(AbstractJsseEndpoint.java:72)
> > > a
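
Reading the trace the way calder describes above (go to the last "Caused by:" rather than stopping at the first SEVERE line) is easy to mechanise. The following Python script is an added example for this thread, not code from any of the posts or from Tomcat: it parses a catalina.out excerpt into the symptom line plus the chain of exceptions, returns the innermost one as the root cause, and also reports the first frame of that exception that lies in Tomcat's own code, which in this trace is where the key material was handed to the keystore. The embedded log is an abridged copy of the trace James posted, constructed for the demo; the function names are the example's own.

```python
"""Read a Java stack trace from catalina.out: the SEVERE line is the symptom,
the last "Caused by:" block is the root cause. Added example for this thread,
not code from the posts or from Tomcat."""
import re

# Tomcat's log line above the trace: date time LEVEL [thread] logger message
LOG_RE = re.compile(r"^\S+ \S+ (SEVERE|WARNING|INFO) \[[^\]]*\] (\S+) (.*)$")
# Exception header: optional "Caused by: ", class name, optional ": message"
EXC_RE = re.compile(r"^\s*(Caused by: )?([\w$.]+(?:Exception|Error|Throwable))(?::\s*(.*))?$")
# Stack frame: "at package.Class.method(File.java:123)"
FRAME_RE = re.compile(r"^\s*at\s+(\S+)\((.*)\)\s*$")

# Constructed sample: an abridged copy of the trace quoted in this thread.
SAMPLE_LOG = """\
08-Jan-2020 23:14:09.026 SEVERE [main] org.apache.catalina.core.StandardService.initInternal Failed to initialize connector [Connector[HTTP/1.1-8443]]
 org.apache.catalina.LifecycleException: Failed to initialize component [Connector[HTTP/1.1-8443]]
\tat org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:112)
\tat org.apache.catalina.core.StandardService.initInternal(StandardService.java:552)
\tat org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:492)
Caused by: org.apache.catalina.LifecycleException: Protocol handler initialization failed
\tat org.apache.catalina.connector.Connector.initInternal(Connector.java:995)
\tat org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:107)
\t... 12 more
Caused by: java.lang.IllegalArgumentException: Cannot store non-PrivateKeys
\tat org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:100)
\tat org.apache.tomcat.util.net.NioEndpoint.bind(NioEndpoint.java:244)
\tat org.apache.catalina.connector.Connector.initInternal(Connector.java:993)
\t... 13 more
Caused by: java.security.KeyStoreException: Cannot store non-PrivateKeys
\tat sun.security.provider.JavaKeyStore.engineSetKeyEntry(JavaKeyStore.java:261)
\tat sun.security.provider.JavaKeyStore$JKS.engineSetKeyEntry(JavaKeyStore.java:56)
\tat java.security.KeyStore.setKeyEntry(KeyStore.java:1140)
\tat org.apache.tomcat.util.net.SSLUtilBase.getKeyManagers(SSLUtilBase.java:313)
\tat org.apache.tomcat.util.net.SSLUtilBase.createSSLContext(SSLUtilBase.java:239)
\t... 20 more
"""

def parse_trace(log_text):
    """Return {"log": symptom line or None, "chain": [outermost, ..., root]}."""
    result = {"log": None, "chain": []}
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and result["log"] is None:
            result["log"] = {"level": m.group(1), "logger": m.group(2), "message": m.group(3)}
            continue
        m = EXC_RE.match(line)
        if m:                                # new exception block (top-level or "Caused by:")
            result["chain"].append({"exception": m.group(2),
                                    "message": (m.group(3) or "").strip(), "frames": []})
            continue
        m = FRAME_RE.match(line)
        if m and result["chain"]:            # frame belongs to the most recent block
            result["chain"][-1]["frames"].append(m.group(1))
    return result

def root_cause(log_text):
    """The innermost exception: the last 'Caused by:' block, or the only block."""
    chain = parse_trace(log_text)["chain"]
    return chain[-1] if chain else None

def first_own_frame(exc, prefix="org.apache.tomcat"):
    """First frame of the exception that is in our code rather than the JDK."""
    return next((f for f in exc["frames"] if f.startswith(prefix)), None)

def diagnose(log_text):
    """One-line-per-fact summary a responder would paste into a ticket."""
    parsed = parse_trace(log_text)
    if not parsed["chain"]:
        return None
    root = parsed["chain"][-1]
    return {"symptom": parsed["log"]["message"] if parsed["log"] else None,
            "causes": len(parsed["chain"]),
            "root_exception": root["exception"],
            "root_message": root["message"],
            "thrown_in": root["frames"][0] if root["frames"] else None,
            "called_from": first_own_frame(root)}

if __name__ == "__main__":
    for key, value in diagnose(SAMPLE_LOG).items():
        print(f"{key:15} {value}")
```

On the trace in this thread the summary points at java.security.KeyStoreException "Cannot store non-PrivateKeys", thrown inside the JDK keystore but called from Tomcat's SSLUtilBase.getKeyManagers, which is the right place to start asking what was loaded from certificateKeyFile.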

Re: Using the certificate files instead of a Java Keystore file, Re: Let's Encrypt with Tomcat?

2020-01-08 Thread Zahid Rahman
The second technique is to use the *nix diff command.
The result is as below (diff a.out b.out); I draw your attention to the third line in FILE b.out.

5,7c5,7
< SSLEnabled="true" scheme="https" secure="true"
< keystoreFile="[REDACTED]" keyAlias="[REDACTED]" ciphers="[REDACTED]"
< clientAuth="false" sslProtocol="TLS" />
---
> SSLEnabled="true" scheme="https" secure="true">
>  certificateVerification="none" sslProtocol="TLS">
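Review bot: the b.out side of hunk 5,7c5,7 is incomplete as posted: the header announces three replacement lines but only two ">" lines survive, so the Certificate line that the copies of this config quoted below show (certificateKeyFile / certificateChainFile) cannot be checked here; re-run the diff and paste the whole hunk. What is visible does line up with the 8.5 SSLHostConfig style: clientAuth="false" on the old Connector line corresponds to certificateVerification="none" on the new SSLHostConfig line, and the Connector line now ending in secure="true"> rather than /> is correct because the element has child elements.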


*cat a.out*


*cat b.out*




www.backbutton.co.uk
♡۶¯\_(ツ)_/¯ ♡۶
Marriage of loose and tight coupling
-> healthy applications
  ♡۶
java -cp classpath class-path


On Wed, 8 Jan 2020 at 23:59, James H. H. Lampert 
wrote:

> I wrote:
> > Am I to understand that Tomcat 8.5.40 can use the ".cer," ".ca.crt"
> > and ".key" files directly, instead of the Java Keystore file?
>
> On 12/30/19 1:41 PM, Peter Kreuser wrote:
> > Correct!
>
> I tried an experiment this afternoon:
>
> I made a copy of the existing server.xml file, and I changed the active
> connector from this (keystore file and alias redacted for privacy,
> ciphers and compressibleMimeTypes clauses redacted because they're quite
> long, and not relevant here):
> >  protocol="org.apache.coyote.http11.Http11NioProtocol"
> >  compression="on" compressionMinSize="2048"
> noCompressionUserAgents="gozilla, traviata"
> >  compressableMimeType="[REDACTED]"
> >  maxThreads="1000" socket.appReadBufSize="1024"
> socket.appWriteBufSize="1024" bufferSize="1024"
> >  SSLEnabled="true" scheme="https" secure="true"
> >  keystoreFile="[REDACTED]" keyAlias="[REDACTED]" ciphers="[REDACTED]"
> >  clientAuth="false" sslProtocol="TLS" />
>
> to this:
> >  protocol="org.apache.coyote.http11.Http11NioProtocol"
> >  compression="on" compressionMinSize="2048"
> noCompressionUserAgents="gozilla, traviata"
> >  compressableMimeType="[REDACTED]"
> >  maxThreads="1000" socket.appReadBufSize="1024"
> socket.appWriteBufSize="1024" bufferSize="1024"
> >  SSLEnabled="true" scheme="https" secure="true">
> >>certificateVerification="none" sslProtocol="TLS">
> >  certificateKeyFile="[REDACTED].key"
> >  certificateChainFile="[REDACTED].ca.crt" />
> >   
> > 
>
> and restarted Tomcat, and it failed to open the port, producing this in
> catalina.out:
> > 08-Jan-2020 23:14:09.026 SEVERE [main]
> org.apache.catalina.core.StandardService.initInternal Failed to initialize
> connector [Connector[HTTP/1.1-8443]]
> >  org.apache.catalina.LifecycleException: Failed to initialize component
> [Connector[HTTP/1.1-8443]]
> > at
> org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:112)
> > at
> org.apache.catalina.core.StandardService.initInternal(StandardService.java:552)
> > at
> org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:107)
> > at
> org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:875)
> > at
> org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:107)
> > at org.apache.catalina.startup.Catalina.load(Catalina.java:639)
> > at org.apache.catalina.startup.Catalina.load(Catalina.java:662)
> > at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> > at
> sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
> > at
> sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
> > at java.lang.reflect.Method.invoke(Method.java:498)
> > at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:309)
> > at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:492)
> > Caused by: org.apache.catalina.LifecycleException: Protocol handler
> initialization failed
> > at
> org.apache.catalina.connector.Connector.initInternal(Connector.java:995)
> > at
> org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:107)
> > ... 12 more
> > Caused by: java.lang.IllegalArgumentException: Cannot store
> non-PrivateKeys
> > at org.apache.tomcat.util.net
> .AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:100)
> > at org.apache.tomcat.util.net
> .AbstractJsseEndpoint.initialiseSsl(AbstractJsseEndpoint.java:72)
> > at org.apache.tomcat.util.net
> .NioEndpoint.bind(NioEndpoint.java:244)
> > at org.apache.tomcat.util.net
> .AbstractEndpoint.init(AbstractEndpoint.java:1105)
> > at org.apache.tomcat.util.net
> .AbstractJsseEndpoint.init(AbstractJsseEndpoint.java:224)
> > at
> org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:581)
> > at
> org.apache.coyote.http11.AbstractHttp11Protocol.init(AbstractHttp11Protocol.java:68)
> > at
> org.apache.catalina.connector.Connector.initInternal(Connector.java:993)
> > ... 13 more
> > Caused by: java.security.KeyStoreException: Cannot store non-PrivateKeys
> > at
> sun.security.provider.JavaKeyStore.engineSetKeyEntry(JavaKeyStore.java:261)
> > at
> sun.security.pro

Re: Using the certificate files instead of a Java Keystore file, Re: Let's Encrypt with Tomcat?

2020-01-08 Thread Zahid Rahman
http://tomcat.10.x6.nabble.com/Can-t-Get-SSL-to-Work-in-8-5-td5071245.html

On Thu, 9 Jan 2020, 03:01 Zahid Rahman,  wrote:

>
> https://confluence.atlassian.com/confkb/ssl-connector-fails-to-initialize-during-tomcat-startup-646251490.html
>
> On Thu, 9 Jan 2020, 02:44 Zahid Rahman,  wrote:
>
>>
>> https://stackoverflow.com/questions/46786046/severe-main-org-apache-catalina-core-standardservice-initinternal-failed-to-in
>>
>> I went to college and studied IT before finding a job. My teacher
>> explained to me that you should always look at the first error and ignore
>> the rest.
>>
>>
>> First error.
>> 08-Jan-2020 23:14:09.026 SEVERE [main] 
>> org.apache.catalina.core.StandardService.initInternal
>> Failed to initialize connector [Connector[HTTP/1.1-8443]]
>>
>>
>> Once that has been addressed  then either the remaining  will disappear
>> or address the second error which will then be the first error.
>>
>>
>>
>>
>>
>>
>> On Wed, 8 Jan 2020, 23:59 James H. H. Lampert, 
>> wrote:
>>
>>> I wrote:
>>> > Am I to understand that Tomcat 8.5.40 can use the ".cer," ".ca.crt"
>>> > and ".key" files directly, instead of the Java Keystore file?
>>>
>>> On 12/30/19 1:41 PM, Peter Kreuser wrote:
>>> > Correct!
>>>
>>> I tried an experiment this afternoon:
>>>
>>> I made a copy of the existing server.xml file, and I changed the active
>>> connector from this (keystore file and alias redacted for privacy,
>>> ciphers and compressibleMimeTypes clauses redacted because they're quite
>>> long, and not relevant here):
>>> > >> protocol="org.apache.coyote.http11.Http11NioProtocol"
>>> >  compression="on" compressionMinSize="2048"
>>> noCompressionUserAgents="gozilla, traviata"
>>> >  compressableMimeType="[REDACTED]"
>>> >  maxThreads="1000" socket.appReadBufSize="1024"
>>> socket.appWriteBufSize="1024" bufferSize="1024"
>>> >  SSLEnabled="true" scheme="https" secure="true"
>>> >  keystoreFile="[REDACTED]" keyAlias="[REDACTED]" ciphers="[REDACTED]"
>>> >  clientAuth="false" sslProtocol="TLS" />
>>>
>>> to this:
>>> > >> protocol="org.apache.coyote.http11.Http11NioProtocol"
>>> >  compression="on" compressionMinSize="2048"
>>> noCompressionUserAgents="gozilla, traviata"
>>> >  compressableMimeType="[REDACTED]"
>>> >  maxThreads="1000" socket.appReadBufSize="1024"
>>> socket.appWriteBufSize="1024" bufferSize="1024"
>>> >  SSLEnabled="true" scheme="https" secure="true">
>>> >   >> >certificateVerification="none" sslProtocol="TLS">
>>> > >> certificateKeyFile="[REDACTED].key"
>>> >  certificateChainFile="[REDACTED].ca.crt" />
>>> >   
>>> > 
>>>
>>> and restarted Tomcat, and it failed to open the port, producing this in
>>> catalina.out:
>>> > 08-Jan-2020 23:14:09.026 SEVERE [main]
>>> org.apache.catalina.core.StandardService.initInternal Failed to initialize
>>> connector [Connector[HTTP/1.1-8443]]
>>> >  org.apache.catalina.LifecycleException: Failed to initialize
>>> component [Connector[HTTP/1.1-8443]]
>>> > at
>>> org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:112)
>>> > at
>>> org.apache.catalina.core.StandardService.initInternal(StandardService.java:552)
>>> > at
>>> org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:107)
>>> > at
>>> org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:875)
>>> > at
>>> org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:107)
>>> > at org.apache.catalina.startup.Catalina.load(Catalina.java:639)
>>> > at org.apache.catalina.startup.Catalina.load(Catalina.java:662)
>>> > at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>>> > at
>>> sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
>>> > at
>>> sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>>> > at java.lang.reflect.Method.invoke(Method.java:498)
>>> > at
>>> org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:309)
>>> > at
>>> org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:492)
>>> > Caused by: org.apache.catalina.LifecycleException: Protocol handler
>>> initialization failed
>>> > at
>>> org.apache.catalina.connector.Connector.initInternal(Connector.java:995)
>>> > at
>>> org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:107)
>>> > ... 12 more
>>> > Caused by: java.lang.IllegalArgumentException: Cannot store
>>> non-PrivateKeys
>>> > at org.apache.tomcat.util.net
>>> .AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:100)
>>> > at org.apache.tomcat.util.net
>>> .AbstractJsseEndpoint.initialiseSsl(AbstractJsseEndpoint.java:72)
>>> > at org.apache.tomcat.util.net
>>> .NioEndpoint.bind(NioEndpoint.java:244)
>>> > at org.apache.tomcat.util.net
>>> .AbstractEndpoint.init(AbstractEndpoint.java:1105)
>>> > at org.apache.tomcat.util.net
>>> .AbstractJsseEndpoint.init(Abstract

Re: Using the certificate files instead of a Java Keystore file, Re: Let's Encrypt with Tomcat?

2020-01-08 Thread Zahid Rahman
https://confluence.atlassian.com/confkb/ssl-connector-fails-to-initialize-during-tomcat-startup-646251490.html

On Thu, 9 Jan 2020, 02:44 Zahid Rahman,  wrote:

>
> https://stackoverflow.com/questions/46786046/severe-main-org-apache-catalina-core-standardservice-initinternal-failed-to-in
>
> I went to college and studied IT before finding a job. My teacher
> explained to me that you should always look at the first error and ignore
> the rest.
>
>
> First error.
> 08-Jan-2020 23:14:09.026 SEVERE [main] 
> org.apache.catalina.core.StandardService.initInternal
> Failed to initialize connector [Connector[HTTP/1.1-8443]]
>
>
> Once that has been addressed  then either the remaining  will disappear or
> address the second error which will then be the first error.
>
>
>
>
>
>
> On Wed, 8 Jan 2020, 23:59 James H. H. Lampert, 
> wrote:
>
>> I wrote:
>> > Am I to understand that Tomcat 8.5.40 can use the ".cer," ".ca.crt"
>> > and ".key" files directly, instead of the Java Keystore file?
>>
>> On 12/30/19 1:41 PM, Peter Kreuser wrote:
>> > Correct!
>>
>> I tried an experiment this afternoon:
>>
>> I made a copy of the existing server.xml file, and I changed the active
>> connector from this (keystore file and alias redacted for privacy,
>> ciphers and compressibleMimeTypes clauses redacted because they're quite
>> long, and not relevant here):
>> > > protocol="org.apache.coyote.http11.Http11NioProtocol"
>> >  compression="on" compressionMinSize="2048"
>> noCompressionUserAgents="gozilla, traviata"
>> >  compressableMimeType="[REDACTED]"
>> >  maxThreads="1000" socket.appReadBufSize="1024"
>> socket.appWriteBufSize="1024" bufferSize="1024"
>> >  SSLEnabled="true" scheme="https" secure="true"
>> >  keystoreFile="[REDACTED]" keyAlias="[REDACTED]" ciphers="[REDACTED]"
>> >  clientAuth="false" sslProtocol="TLS" />
>>
>> to this:
>> > > protocol="org.apache.coyote.http11.Http11NioProtocol"
>> >  compression="on" compressionMinSize="2048"
>> noCompressionUserAgents="gozilla, traviata"
>> >  compressableMimeType="[REDACTED]"
>> >  maxThreads="1000" socket.appReadBufSize="1024"
>> socket.appWriteBufSize="1024" bufferSize="1024"
>> >  SSLEnabled="true" scheme="https" secure="true">
>> >   > >certificateVerification="none" sslProtocol="TLS">
>> > > certificateKeyFile="[REDACTED].key"
>> >  certificateChainFile="[REDACTED].ca.crt" />
>> >   
>> > 
>>
>> and restarted Tomcat, and it failed to open the port, producing this in
>> catalina.out:
>> > 08-Jan-2020 23:14:09.026 SEVERE [main]
>> org.apache.catalina.core.StandardService.initInternal Failed to initialize
>> connector [Connector[HTTP/1.1-8443]]
>> >  org.apache.catalina.LifecycleException: Failed to initialize component
>> [Connector[HTTP/1.1-8443]]
>> > at
>> org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:112)
>> > at
>> org.apache.catalina.core.StandardService.initInternal(StandardService.java:552)
>> > at
>> org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:107)
>> > at
>> org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:875)
>> > at
>> org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:107)
>> > at org.apache.catalina.startup.Catalina.load(Catalina.java:639)
>> > at org.apache.catalina.startup.Catalina.load(Catalina.java:662)
>> > at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>> > at
>> sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
>> > at
>> sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>> > at java.lang.reflect.Method.invoke(Method.java:498)
>> > at
>> org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:309)
>> > at
>> org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:492)
>> > Caused by: org.apache.catalina.LifecycleException: Protocol handler
>> initialization failed
>> > at
>> org.apache.catalina.connector.Connector.initInternal(Connector.java:995)
>> > at
>> org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:107)
>> > ... 12 more
>> > Caused by: java.lang.IllegalArgumentException: Cannot store
>> non-PrivateKeys
>> > at org.apache.tomcat.util.net
>> .AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:100)
>> > at org.apache.tomcat.util.net
>> .AbstractJsseEndpoint.initialiseSsl(AbstractJsseEndpoint.java:72)
>> > at org.apache.tomcat.util.net
>> .NioEndpoint.bind(NioEndpoint.java:244)
>> > at org.apache.tomcat.util.net
>> .AbstractEndpoint.init(AbstractEndpoint.java:1105)
>> > at org.apache.tomcat.util.net
>> .AbstractJsseEndpoint.init(AbstractJsseEndpoint.java:224)
>> > at
>> org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:581)
>> > at
>> org.apache.coyote.http11.AbstractHttp11Protocol.init(AbstractHttp11Protocol.java:68)
>> > at
>> org.apache.cata

Re: Using the certificate files instead of a Java Keystore file, Re: Let's Encrypt with Tomcat?

2020-01-08 Thread Zahid Rahman
https://stackoverflow.com/questions/46786046/severe-main-org-apache-catalina-core-standardservice-initinternal-failed-to-in

I went to college and studied IT before finding a job. My teacher explained
to me that you should always look at the first error and ignore the rest.


First error.
08-Jan-2020 23:14:09.026 SEVERE [main]
org.apache.catalina.core.StandardService.initInternal
Failed to initialize connector [Connector[HTTP/1.1-8443]]


Once that has been addressed  then either the remaining  will disappear or
address the second error which will then be the first error.






On Wed, 8 Jan 2020, 23:59 James H. H. Lampert, 
wrote:

> I wrote:
> > Am I to understand that Tomcat 8.5.40 can use the ".cer," ".ca.crt"
> > and ".key" files directly, instead of the Java Keystore file?
>
> On 12/30/19 1:41 PM, Peter Kreuser wrote:
> > Correct!
>
> I tried an experiment this afternoon:
>
> I made a copy of the existing server.xml file, and I changed the active
> connector from this (keystore file and alias redacted for privacy,
> ciphers and compressibleMimeTypes clauses redacted because they're quite
> long, and not relevant here):
>
> <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
>     compression="on" compressionMinSize="2048"
>     noCompressionUserAgents="gozilla, traviata"
>     compressableMimeType="[REDACTED]"
>     maxThreads="1000" socket.appReadBufSize="1024"
>     socket.appWriteBufSize="1024" bufferSize="1024"
>     SSLEnabled="true" scheme="https" secure="true"
>     keystoreFile="[REDACTED]" keyAlias="[REDACTED]" ciphers="[REDACTED]"
>     clientAuth="false" sslProtocol="TLS" />
>
> to this:
>
> <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
>     compression="on" compressionMinSize="2048"
>     noCompressionUserAgents="gozilla, traviata"
>     compressableMimeType="[REDACTED]"
>     maxThreads="1000" socket.appReadBufSize="1024"
>     socket.appWriteBufSize="1024" bufferSize="1024"
>     SSLEnabled="true" scheme="https" secure="true">
>   <SSLHostConfig certificateVerification="none" sslProtocol="TLS">
>     <Certificate certificateFile="[REDACTED].cer"
>                  certificateKeyFile="[REDACTED].key"
>                  certificateChainFile="[REDACTED].ca.crt" />
>   </SSLHostConfig>
> </Connector>
>
> and restarted Tomcat, and it failed to open the port, producing this in
> catalina.out:
> > 08-Jan-2020 23:14:09.026 SEVERE [main]
> org.apache.catalina.core.StandardService.initInternal Failed to initialize
> connector [Connector[HTTP/1.1-8443]]
> >  org.apache.catalina.LifecycleException: Failed to initialize component
> [Connector[HTTP/1.1-8443]]
> > at
> org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:112)
> > at
> org.apache.catalina.core.StandardService.initInternal(StandardService.java:552)
> > at
> org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:107)
> > at
> org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:875)
> > at
> org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:107)
> > at org.apache.catalina.startup.Catalina.load(Catalina.java:639)
> > at org.apache.catalina.startup.Catalina.load(Catalina.java:662)
> > at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> > at
> sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
> > at
> sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
> > at java.lang.reflect.Method.invoke(Method.java:498)
> > at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:309)
> > at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:492)
> > Caused by: org.apache.catalina.LifecycleException: Protocol handler
> initialization failed
> > at
> org.apache.catalina.connector.Connector.initInternal(Connector.java:995)
> > at
> org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:107)
> > ... 12 more
> > Caused by: java.lang.IllegalArgumentException: Cannot store
> non-PrivateKeys
> > at org.apache.tomcat.util.net
> .AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:100)
> > at org.apache.tomcat.util.net
> .AbstractJsseEndpoint.initialiseSsl(AbstractJsseEndpoint.java:72)
> > at org.apache.tomcat.util.net
> .NioEndpoint.bind(NioEndpoint.java:244)
> > at org.apache.tomcat.util.net
> .AbstractEndpoint.init(AbstractEndpoint.java:1105)
> > at org.apache.tomcat.util.net
> .AbstractJsseEndpoint.init(AbstractJsseEndpoint.java:224)
> > at
> org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:581)
> > at
> org.apache.coyote.http11.AbstractHttp11Protocol.init(AbstractHttp11Protocol.java:68)
> > at
> org.apache.catalina.connector.Connector.initInternal(Connector.java:993)
> > ... 13 more
> > Caused by: java.security.KeyStoreException: Cannot store non-PrivateKeys
> > at
> sun.security.provider.JavaKeyStore.engineSetKeyEntry(JavaKeyStore.java:261)
> > at
> sun.security.provider.JavaKeyS

Using the certificate files instead of a Java Keystore file, Re: Let's Encrypt with Tomcat?

2020-01-08 Thread James H. H. Lampert

I wrote:
Am I to understand that Tomcat 8.5.40 can use the ".cer," ".ca.crt" 
and ".key" files directly, instead of the Java Keystore file?


On 12/30/19 1:41 PM, Peter Kreuser wrote:

Correct!


I tried an experiment this afternoon:

I made a copy of the existing server.xml file, and I changed the active
connector from this (keystore file and alias redacted for privacy,
ciphers and compressibleMimeTypes clauses redacted because they're quite
long, and not relevant here):

<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
    compression="on" compressionMinSize="2048"
    noCompressionUserAgents="gozilla, traviata"
    compressableMimeType="[REDACTED]"
    maxThreads="1000" socket.appReadBufSize="1024"
    socket.appWriteBufSize="1024" bufferSize="1024"
    SSLEnabled="true" scheme="https" secure="true"
    keystoreFile="[REDACTED]" keyAlias="[REDACTED]" ciphers="[REDACTED]"
    clientAuth="false" sslProtocol="TLS" />

to this:

<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
    compression="on" compressionMinSize="2048"
    noCompressionUserAgents="gozilla, traviata"
    compressableMimeType="[REDACTED]"
    maxThreads="1000" socket.appReadBufSize="1024"
    socket.appWriteBufSize="1024" bufferSize="1024"
    SSLEnabled="true" scheme="https" secure="true">
  <SSLHostConfig certificateVerification="none" sslProtocol="TLS">
    <Certificate certificateFile="[REDACTED].cer"
                 certificateKeyFile="[REDACTED].key"
                 certificateChainFile="[REDACTED].ca.crt" />
  </SSLHostConfig>
</Connector>


and restarted Tomcat, and it failed to open the port, producing this in 
catalina.out:

08-Jan-2020 23:14:09.026 SEVERE [main] 
org.apache.catalina.core.StandardService.initInternal Failed to initialize 
connector [Connector[HTTP/1.1-8443]]
 org.apache.catalina.LifecycleException: Failed to initialize component 
[Connector[HTTP/1.1-8443]]
at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:112)
at 
org.apache.catalina.core.StandardService.initInternal(StandardService.java:552)
at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:107)
at 
org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:875)
at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:107)
at org.apache.catalina.startup.Catalina.load(Catalina.java:639)
at org.apache.catalina.startup.Catalina.load(Catalina.java:662)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at 
sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at 
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:309)
at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:492)
Caused by: org.apache.catalina.LifecycleException: Protocol handler 
initialization failed
at 
org.apache.catalina.connector.Connector.initInternal(Connector.java:995)
at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:107)
... 12 more
Caused by: java.lang.IllegalArgumentException: Cannot store non-PrivateKeys
at 
org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:100)
at 
org.apache.tomcat.util.net.AbstractJsseEndpoint.initialiseSsl(AbstractJsseEndpoint.java:72)
at org.apache.tomcat.util.net.NioEndpoint.bind(NioEndpoint.java:244)
at 
org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:1105)
at 
org.apache.tomcat.util.net.AbstractJsseEndpoint.init(AbstractJsseEndpoint.java:224)
at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:581)
at 
org.apache.coyote.http11.AbstractHttp11Protocol.init(AbstractHttp11Protocol.java:68)
at 
org.apache.catalina.connector.Connector.initInternal(Connector.java:993)
... 13 more
Caused by: java.security.KeyStoreException: Cannot store non-PrivateKeys
at 
sun.security.provider.JavaKeyStore.engineSetKeyEntry(JavaKeyStore.java:261)
at 
sun.security.provider.JavaKeyStore$JKS.engineSetKeyEntry(JavaKeyStore.java:56)
at 
sun.security.provider.KeyStoreDelegator.engineSetKeyEntry(KeyStoreDelegator.java:117)
at 
sun.security.provider.JavaKeyStore$DualFormatJKS.engineSetKeyEntry(JavaKeyStore.java:70)
at java.security.KeyStore.setKeyEntry(KeyStore.java:1140)
at 
org.apache.tomcat.util.net.SSLUtilBase.getKeyManagers(SSLUtilBase.java:313)
at 
org.apache.tomcat.util.net.SSLUtilBase.createSSLContext(SSLUtilBase.java:239)
at 
org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:98)
... 20 more


Can anybody explain what I did wrong? These are fully-qualified paths to 
the certificate, chain, and key files. [REDACTED].ca.crt contains a 
certificate chain; [REDACTED].cer contains a certificate, and 
[REDACTED].key contains a private key, and they all work in Apache 
httpd, on the same box.


--
JHHL

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
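One check worth running before handing three PEM files to a <Certificate> element, written here as an added example that is not part of the thread above and is not Tomcat's own code: parse the key and the certificates with nothing but the JDK and push them through KeyStore.setKeyEntry, the call at the very bottom of the stack trace in the post above. It assumes an RSA key in unencrypted PKCS#8 form (the "-----BEGIN PRIVATE KEY-----" header) and X.509 certificates in PEM form; the file paths are placeholders, and the class and method names are this example's own.

```java
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.KeyFactory;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.PrivateKey;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.security.interfaces.RSAPrivateKey;
import java.security.interfaces.RSAPublicKey;
import java.security.spec.PKCS8EncodedKeySpec;
import java.util.ArrayList;
import java.util.Base64;
import java.util.List;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/**
 * Pre-flight check for the PEM files named by certificateKeyFile, certificateFile
 * and certificateChainFile. Added example, not Tomcat code; JDK only.
 * Assumes an RSA key, an unencrypted PKCS#8 key file and PEM X.509 certificates.
 */
public class PemPreflight {

    // One PEM block: header, base64 body, matching footer.
    private static final Pattern PEM_BLOCK = Pattern.compile(
            "-----BEGIN ([A-Z ]+)-----\\s*([A-Za-z0-9+/=\\r\\n]+?)\\s*-----END \\1-----");

    /**
     * Returns the first unencrypted PKCS#8 private key in the file, or null when no
     * "PRIVATE KEY" block exists. Other block types (PKCS#1 "RSA PRIVATE KEY",
     * "ENCRYPTED PRIVATE KEY") are reported and skipped on purpose, so the caller
     * sees the null-key case that the JKS rejects.
     */
    static PrivateKey readPkcs8PrivateKey(Path keyFile) throws Exception {
        String pem = new String(Files.readAllBytes(keyFile), StandardCharsets.US_ASCII);
        Matcher m = PEM_BLOCK.matcher(pem);
        while (m.find()) {
            String type = m.group(1);
            if ("PRIVATE KEY".equals(type)) {
                byte[] der = Base64.getMimeDecoder().decode(m.group(2));
                return KeyFactory.getInstance("RSA").generatePrivate(new PKCS8EncodedKeySpec(der));
            }
            System.err.println(keyFile + ": skipping unsupported block type \"" + type + "\"");
        }
        return null;
    }

    /** Reads every X.509 certificate from the given PEM files, in file order (leaf file first). */
    static List<Certificate> readCertificates(Path... files) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        List<Certificate> chain = new ArrayList<>();
        for (Path p : files) {
            try (InputStream in = Files.newInputStream(p)) {
                chain.addAll(cf.generateCertificates(in));
            }
        }
        return chain;
    }

    /** True when the leaf certificate's RSA public key belongs to the private key (same modulus). */
    static boolean keyMatchesLeaf(PrivateKey key, Certificate leaf) {
        if (!(key instanceof RSAPrivateKey) || !(leaf.getPublicKey() instanceof RSAPublicKey)) {
            return false;
        }
        return ((RSAPrivateKey) key).getModulus()
                .equals(((RSAPublicKey) leaf.getPublicKey()).getModulus());
    }

    /**
     * Stores key and chain in an in-memory JKS, as the JSSE connector does.
     * JavaKeyStore.engineSetKeyEntry rejects any key that is not a PrivateKey,
     * and null is not one, with KeyStoreException("Cannot store non-PrivateKeys").
     */
    static KeyStore buildKeyStore(PrivateKey key, List<Certificate> chain) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        ks.load(null, null);
        ks.setKeyEntry("tomcat", key, new char[0], chain.toArray(new Certificate[0]));
        return ks;
    }

    public static void main(String[] args) throws Exception {
        // Placeholder paths; pass the certificateKeyFile, certificateFile and certificateChainFile values.
        Path keyFile = Paths.get(args.length > 0 ? args[0] : "/path/to/server.key");
        Path certFile = Paths.get(args.length > 1 ? args[1] : "/path/to/server.cer");
        Path chainFile = Paths.get(args.length > 2 ? args[2] : "/path/to/server.ca.crt");

        PrivateKey key = readPkcs8PrivateKey(keyFile);
        List<Certificate> chain = readCertificates(certFile, chainFile);
        System.out.println("private key parsed: " + (key != null));
        System.out.println("certificates found: " + chain.size());
        if (key != null && !chain.isEmpty()) {
            System.out.println("key matches leaf certificate: " + keyMatchesLeaf(key, chain.get(0)));
            System.out.println("leaf subject: " + ((X509Certificate) chain.get(0)).getSubjectX500Principal());
        }
        try {
            buildKeyStore(key, chain);
            System.out.println("KeyStore.setKeyEntry accepted the material");
        } catch (KeyStoreException e) {
            // A null key lands here with the same message that appears in catalina.out.
            System.out.println("KeyStore.setKeyEntry rejected it: " + e.getMessage());
        }
    }
}
```

Run it as `java PemPreflight server.key server.cer server.ca.crt`. When the key file contains no block the reader understands, readPkcs8PrivateKey returns null and setKeyEntry fails with exactly "Cannot store non-PrivateKeys": the JKS test is `key instanceof PrivateKey`, which is false for null, so the exception says nothing about why no key was produced. That is the assumption this example rests on for the failure in the post above, not a confirmed diagnosis of it. keyMatchesLeaf is a separate sanity check for a key that parses but belongs to a different certificate, which the three PEM files give no other way to notice.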