Hello,

I am attempting to upgrade from Tomcat 7 to 8.5.6. Everything was working
great until I enabled SSL with a self-signed certificate. I am able to
recreate the issue on 8.5.5. I finally had to downgrade to 8.5.4 to get
SSL working with identical configuration and cert.

I want to be sure that this is not a known issue and that I'm not doing
something wrong before I create a bug report.

Server version:        Apache Tomcat/8.5.5 64-bit
OS Name:               Windows 7
JVM Version:           1.8.0_102-b14

The cert was generated with this command:
    keytool -genkeypair -keyalg RSA -alias tomcat -keystore "C:/keys/keystore.jsk" -storepass changeit -validity 360 -keysize 2048 -dname CN=localhost,OU=ITS,O=Co,L=City,ST=AB,C=CA

Configuration includes adding
-Djavax.net.ssl.trustStore=c:/keys/keystore.jsk to JAVA_OPTS and using this
connector config

    <Connector port="8002" protocol="HTTP/1.1"
               connectionTimeout="60000"
               maxThreads="200"
               minSpareThreads="4"
               enableLookups="false"
               compression="on"
               server="Apache"
               scheme="https" secure="true" SSLEnabled="true"
               keystoreFile="c:/keys/keystore.jsk" keystorePass="changeit"
               keyAlias="tomcat"
               clientAuth="false" sslProtocol="TLS"/>

Here is the exception I get at startup

13-Oct-2016 15:05:17.309 SEVERE [main] org.apache.coyote.AbstractProtocol.init Failed to initialize end point associated with ProtocolHandler ["https-openssl-nio-8001"]
 java.lang.IllegalArgumentException: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty
 at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:103)
 at org.apache.tomcat.util.net.AbstractJsseEndpoint.initialiseSsl(AbstractJsseEndpoint.java:81)
 at org.apache.tomcat.util.net.NioEndpoint.bind(NioEndpoint.java:244)
 at org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:866)
 at org.apache.tomcat.util.net.AbstractJsseEndpoint.init(AbstractJsseEndpoint.java:213)
 at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:575)
 at org.apache.coyote.http11.AbstractHttp11Protocol.init(AbstractHttp11Protocol.java:65)
 at org.apache.catalina.connector.Connector.initInternal(Connector.java:944)
 at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:107)
 at org.apache.catalina.core.StandardService.initInternal(StandardService.java:549)
 at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:107)
 at org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:873)
 at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:107)
 at org.apache.catalina.startup.Catalina.load(Catalina.java:606)
 at org.apache.catalina.startup.Catalina.load(Catalina.java:629)
 at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
 at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
 at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
 at java.lang.reflect.Method.invoke(Method.java:498)
 at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:311)
 at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:494)
Caused by: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty
 at java.security.cert.PKIXParameters.setTrustAnchors(PKIXParameters.java:200)
 at java.security.cert.PKIXParameters.<init>(PKIXParameters.java:157)
 at java.security.cert.PKIXBuilderParameters.<init>(PKIXBuilderParameters.java:130)
 at org.apache.tomcat.util.net.jsse.JSSEUtil.getParameters(JSSEUtil.java:341)
 at org.apache.tomcat.util.net.jsse.JSSEUtil.getTrustManagers(JSSEUtil.java:273)
 at org.apache.tomcat.util.net.openssl.OpenSSLUtil.getTrustManagers(OpenSSLUtil.java:93)
 at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:101)
 ... 20 more


Thanks in advance


Will