RE: server.xml setting broken with Tomcat 9.0.81
I resolved my issue by recreating the private key with different encryption.
My old key was encrypted with DES-CBC, and for the new one I used AES-256-CBC.

https://stackoverflow.com/questions/17733536/how-to-convert-a-private-key-to-an-rsa-private-key

    openssl rsa -aes256 -in server.key -out new.key

To answer some of your questions:
I tested with 9.0.86, 9.0.82, 9.0.81 and they all gave me the same error/failure.

-----Original Message-----
From: Konstantin Kolinko
Sent: Wednesday, February 28, 2024 10:48 AM
To: users@tomcat.apache.org
Subject: Re: server.xml setting broken with Tomcat 9.0.81

Wed, 28 Feb 2024 at 14:42, Jonathan Ho:
>
> I have following connectors in server.xml file and working for a long time
> with various version of Tomcat 9 until I upgrade to 9.0.81 or newer versions.
> I verified that 9.0.80 is working.
> What I am getting from 9.0.81 on startup is I will get pass phrase prompt on
> tomcat start up and following errors in the log.
> I see openssl upgrade by tomcat from 1.x to 3.x in 9.0.81, could that be the
> problem?
>

1. OpenSSL 1.1.1 has reached End-of-Life,
https://www.openssl.org/blog/blog/2023/09/11/eol-111/

2. If you suspect that the version of Tomcat Native is the trigger of this issue:

On Windows it is easy to verify whether it is the cause:
just replace "bin/tcnative-1.dll" with an older version.

> or newer versions.

3. What newer versions have you tested?

Have you tested the current Tomcat 9.0.86?
It updates Tomcat Native further, to 1.3.0.

Have you tested 9.0.83 or later?
https://bz.apache.org/bugzilla/show_bug.cgi?id=67675
Is not exactly your issue, but of a similar topic.

> I will get pass phrase prompt

4. That prompt is not issued by Tomcat.

Is that prompt expected?
Are you typing the password correctly?

Are you able to decode your key file using openssl.exe from a command line?

Note that a copy of openssl.exe is included with Tomcat Native binaries
downloadable from
https://tomcat.apache.org/download-native.cgi

Best regards,
Konstantin Kolinko

---
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
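
Added example (not part of the thread and not Tomcat or OpenSSL project code): a pre-upgrade check that reads the DEK-Info header of a traditional-format encrypted PEM key and flags ciphers such as the DES-CBC mentioned in the message above. The cipher pattern is an assumption based on the algorithms OpenSSL 3.x serves only from its legacy provider, which is not loaded by default; make_sample() and its key body are constructed filler, not a real key.

```python
import re
import sys

# Assumption: cipher names OpenSSL 3.x offers only via the non-default
# "legacy" provider. Triple DES (DES-EDE3-*) and AES stay in the default one.
LEGACY = re.compile(
    r"^(DES-(CBC|ECB|CFB\d*|OFB)|DESX|RC2|RC4|RC5|BF|CAST5?|IDEA|SEED)(-|$)")

def classify_pem_key(text):
    """Return (status, detail) describing how a PEM private key is protected."""
    begin = re.search(r"-----BEGIN ([A-Z0-9 ]*PRIVATE KEY)-----", text)
    if not begin:
        return ("not-a-key", "no PEM private key header found")
    label = begin.group(1)
    if label == "ENCRYPTED PRIVATE KEY":
        # PKCS#8: the cipher is recorded in the ASN.1 body, not in a header.
        return ("pkcs8-encrypted", "cipher not visible in PEM headers")
    dek = re.search(r"^DEK-Info:\s*([A-Za-z0-9-]+)\s*,", text, re.MULTILINE)
    if "Proc-Type: 4,ENCRYPTED" not in text or not dek:
        return ("unencrypted", label)
    cipher = dek.group(1).upper()
    if LEGACY.match(cipher):
        return ("legacy-cipher", cipher)   # re-encrypt before upgrading
    return ("ok", cipher)

def make_sample(cipher, iv):
    # Constructed sample: header layout is real, the body is filler text.
    return ("-----BEGIN RSA PRIVATE KEY-----\n"
            "Proc-Type: 4,ENCRYPTED\n"
            f"DEK-Info: {cipher},{iv}\n\n"
            "Q09OU1RSVUNURUQgU0FNUExFIEJPRFk=\n"
            "-----END RSA PRIVATE KEY-----\n")

if __name__ == "__main__":
    # Usage: python check_key.py conf/server.key [more key files...]
    for path in sys.argv[1:]:
        with open(path, encoding="ascii", errors="replace") as fh:
            print(path, *classify_pem_key(fh.read()))
    if len(sys.argv) == 1:
        print(classify_pem_key(make_sample("DES-CBC", "0123456789ABCDEF")))
        print(classify_pem_key(make_sample("AES-256-CBC", "00" * 16)))
```

A "legacy-cipher" result means the key should be re-encrypted, as was done above with openssl rsa -aes256, before moving to a build linked against OpenSSL 3.x.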
Re: server.xml setting broken with Tomcat 9.0.81
Wed, 28 Feb 2024 at 14:42, Jonathan Ho:
>
> I have following connectors in server.xml file and working for a long time
> with various version of Tomcat 9 until I upgrade to 9.0.81 or newer versions.
> I verified that 9.0.80 is working.
> What I am getting from 9.0.81 on startup is I will get pass phrase prompt on
> tomcat start up and following errors in the log.
> I see openssl upgrade by tomcat from 1.x to 3.x in 9.0.81, could that be the
> problem?
>

1. OpenSSL 1.1.1 has reached End-of-Life,
https://www.openssl.org/blog/blog/2023/09/11/eol-111/

2. If you suspect that the version of Tomcat Native is the trigger of this issue:

On Windows it is easy to verify whether it is the cause:
just replace "bin/tcnative-1.dll" with an older version.

> or newer versions.

3. What newer versions have you tested?

Have you tested the current Tomcat 9.0.86?
It updates Tomcat Native further, to 1.3.0.

Have you tested 9.0.83 or later?
https://bz.apache.org/bugzilla/show_bug.cgi?id=67675
Is not exactly your issue, but of a similar topic.

> I will get pass phrase prompt

4. That prompt is not issued by Tomcat.

Is that prompt expected?
Are you typing the password correctly?

Are you able to decode your key file using openssl.exe from a command line?

Note that a copy of openssl.exe is included with Tomcat Native binaries
downloadable from
https://tomcat.apache.org/download-native.cgi

Best regards,
Konstantin Kolinko
server.xml setting broken with Tomcat 9.0.81
I have the following connectors in the server.xml file, and they have been working for a long time with various versions of Tomcat 9 until I upgraded to 9.0.81 or newer versions.
I verified that 9.0.80 is working.
What I am getting from 9.0.81 on startup is that I get a pass phrase prompt on Tomcat startup and the following errors in the log.
I see the openssl upgrade by Tomcat from 1.x to 3.x in 9.0.81, could that be the problem?

Thanks

28-Feb-2024 06:26:05.127 INFO [main] org.apache.coyote.AbstractProtocol.init Initializing ProtocolHandler ["http-nio2-8080"]
28-Feb-2024 06:26:05.150 INFO [main] org.apache.coyote.http11.AbstractHttp11Protocol.configureUpgradeProtocol The ["https-openssl-nio-9749"] connector has been configured to support negotiation to [h2] via ALPN
28-Feb-2024 06:26:05.150 INFO [main] org.apache.coyote.AbstractProtocol.init Initializing ProtocolHandler ["https-openssl-nio-9749"]
28-Feb-2024 06:27:47.172 WARNING [main] org.apache.tomcat.util.net.openssl.OpenSSLContext.init Error initializing SSL context
	java.lang.Exception: Unable to load certificate key C:\opt\Apache-SF\Tomcat-9/conf/r3m/files/server.key (error:1E08010C:DECODER routines::unsupported)
		at org.apache.tomcat.jni.SSLContext.setCertificate(Native Method)
		at org.apache.tomcat.util.net.openssl.OpenSSLContext.addCertificate(OpenSSLContext.java:492)
		at org.apache.tomcat.util.net.openssl.OpenSSLContext.init(OpenSSLContext.java:349)
		at org.apache.tomcat.util.net.SSLUtilBase.createSSLContext(SSLUtilBase.java:268)
		at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:107)
		at org.apache.tomcat.util.net.AbstractJsseEndpoint.initialiseSsl(AbstractJsseEndpoint.java:71)
		at org.apache.tomcat.util.net.NioEndpoint.bind(NioEndpoint.java:236)
		at org.apache.tomcat.util.net.AbstractEndpoint.bindWithCleanup(AbstractEndpoint.java:1334)
		at org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:1347)
		at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:654)
		at org.apache.coyote.http11.AbstractHttp11Protocol.init(AbstractHttp11Protocol.java:75)
		at org.apache.catalina.connector.Connector.initInternal(Connector.java:1009)
		at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:127)
		at org.apache.catalina.core.StandardService.initInternal(StandardService.java:554)
		at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:127)
		at org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:1046)
		at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:127)
		at org.apache.catalina.startup.Catalina.load(Catalina.java:686)
		at org.apache.catalina.startup.Catalina.load(Catalina.java:709)
		at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
		at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
		at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
		at java.lang.reflect.Method.invoke(Method.java:498)
		at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:302)
		at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:475)
28-Feb-2024 06:27:47.174 INFO [main] org.apache.tomcat.util.net.AbstractEndpoint.logCertificate Connector [https-openssl-nio-9749], TLS virtual host [_default_], certificate type [RSA] configured from key [C:\opt\Apache-SF\Tomcat-9/conf/r3m/files/server.key], certificate [C:\opt\Apache-SF\Tomcat-9/conf/r3m/files/server.cer] and certificate chain [C:\opt\Apache-SF\Tomcat-9/conf/r3m/files/server.chain.net.pem] with trust store [null]
28-Feb-2024 06:27:47.175 INFO [main] org.apache.coyote.http11.AbstractHttp11Protocol.configureUpgradeProtocol The ["https-openssl-nio-9869"] connector has been configured to support negotiation to [h2] via ALPN