Dear all,

> On Sun, Oct 23, 2016 at 3:15 PM, Christopher Schultz <ch...@christopherschultz.net> wrote:
>
> > William,
> >
> > On 10/21/16 6:08 PM, William Boyd wrote:
> >
> > > On Fri, Oct 21, 2016 at 2:05 PM, Christopher Schultz <ch...@christopherschultz.net> wrote:
> > >
> > > > William,
> > > >
> > > > On 10/21/16 4:37 PM, William Boyd wrote:
> > > >
> > > > > Hello,
> > > > >
> > > > > I am attempting to upgrade from Tomcat 7 to 8.5.6. Everything was working great until I enabled SSL with a self-signed certificate. I am able to recreate the issue on 8.5.5. I finally had to downgrade to 8.5.4 to get SSL working with identical configuration and cert.
> > > > >
> > > > > I want to be sure that this is not a known issue and that I'm not doing something wrong before I create a bug report.
> > > > >
> > > > > Server version: Apache Tomcat/8.5.5 64-bit
> > > > > OS Name: Windows 7
> > > > > JVM Version: 1.8.0_102-b14
> > > > >
> > > > > The cert was generated with this command:
> > > > >
> > > > > keytool -genkeypair -keyalg RSA -alias tomcat -keystore "C:/keys/keystore.jsk" -storepass changeit -validity 360 -keysize 2048 -dname CN=localhost,OU=ITS,O=Co,L=City,ST=AB,C=CA
> > > > >
> > > > > Configuration includes adding -Djavax.net.ssl.trustStore=c:/keys/keystore.jsk to JAVA_OPTS
> > > >
> > > > I think this might be the problem. Tomcat doesn't use javax.net.ssl.trustStore except as a backup in case you haven't specified a trust store in your <Connector>. You have pointed that system property at a keystore, not a trust store. Technically, they are the same format, but they are used for different things.
> > > >
> > > > If you need that for making your own outgoing TLS connections then leave it in there and we'll try to get it to work, otherwise it's just confusing and might cause Tomcat to do weird things.
> > > >
> > > > > and using this connector config
> > > > >
> > > > > <Connector port="8002" protocol="HTTP/1.1"
> > > > >            connectionTimeout="60000" maxThreads="200"
> > > > >            minSpareThreads="4" enableLookups="false" compression="on"
> > > > >            server="Apache" scheme="https" secure="true"
> > > > >            SSLEnabled="true" keystoreFile="c:/keys/keystore.jsk"
> > > > >            keystorePass="changeit" keyAlias="tomcat" clientAuth="false"
> > > > >            sslProtocol="TLS"/>
> > > >
> > > > Looks good so far.
> > > >
> > > > > Here is the exception I get at startup
> > > > >
> > > > > 13-Oct-2016 15:05:17.309 SEVERE [main] org.apache.coyote.AbstractProtocol.init Failed to initialize end point associated with ProtocolHandler ["https-openssl-nio-8001"]
> > > > > java.lang.IllegalArgumentException: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty
> > > > >     at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:103)
> > > > >     at org.apache.tomcat.util.net.AbstractJsseEndpoint.initialiseSsl(AbstractJsseEndpoint.java:81)
> > > > >     at org.apache.tomcat.util.net.NioEndpoint.bind(NioEndpoint.java:244)
> > > > >     at org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:866)
> > > > >     at org.apache.tomcat.util.net.AbstractJsseEndpoint.init(AbstractJsseEndpoint.java:213)
> > > > >     at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:575)
> > > > >     at org.apache.coyote.http11.AbstractHttp11Protocol.init(AbstractHttp11Protocol.java:65)
> > > > >     at org.apache.catalina.connector.Connector.initInternal(Connector.java:944)
> > > > >     at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:107)
> > > > >     at org.apache.catalina.core.StandardService.initInternal(StandardService.java:549)
> > > > >     at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:107)
> > > > >     at org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:873)
> > > > >     at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:107)
> > > > >     at org.apache.catalina.startup.Catalina.load(Catalina.java:606)
> > > > >     at org.apache.catalina.startup.Catalina.load(Catalina.java:629)
> > > > >     at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> > > > >     at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
> > > > >     at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
> > > > >     at java.lang.reflect.Method.invoke(Method.java:498)
> > > > >     at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:311)
> > > > >     at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:494)
> > > > > Caused by: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty
> > > > >     at java.security.cert.PKIXParameters.setTrustAnchors(PKIXParameters.java:200)
> > > > >     at java.security.cert.PKIXParameters.<init>(PKIXParameters.java:157)
> > > > >     at java.security.cert.PKIXBuilderParameters.<init>(PKIXBuilderParameters.java:130)
> > > > >     at org.apache.tomcat.util.net.jsse.JSSEUtil.getParameters(JSSEUtil.java:341)
> > > > >     at org.apache.tomcat.util.net.jsse.JSSEUtil.getTrustManagers(JSSEUtil.java:273)
> > > > >     at org.apache.tomcat.util.net.openssl.OpenSSLUtil.getTrustManagers(OpenSSLUtil.java:93)
> > > > >     at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:101)
> > > > >     ... 20 more
> > > >
> > > > Tomcat is choking when trying to load the trust managers, which is synonymous with loading the data from the "trust store". You don't need a "trust store", otherwise you'd have specified it in the <Connector>.
> > > >
> > > > Try just removing that system property and see what happens.
> > > >
> > > > -chris
> > >
> > > Hi Christopher,
> > >
> > > Thanks for the quick response.
> > >
> > > I tried your suggestion but when I connect to the site via https, tomcat returns a blank page with the SSLHandshakeException in it. I'm not entirely sure but this may be a result of our use of AXIS for communication between WARs in the deployed application.
> > >
> > > Caught Exception (javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target): ; nested exception is: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
> > >
> > > The catalina log contains this stacktrace
> > >
> > > 2016-10-21 14:48:43,517 [ERROR] [mblinkLoginSoapInterface.java:207] - org.apache.axis.AxisFault: ; nested exception is: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
> > >     at org.apache.axis.AxisFault.makeFault(AxisFault.java:101) ~[axis-1.4.jar:na]
> > >     at org.apache.axis.transport.http.HTTPSender.invoke(HTTPSender.java:154) ~[axis-1.4.jar:na]
> > >     :
> > >     :
> > > Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
> > >     at sun.security.ssl.Alerts.getSSLException(Alerts.java:192) ~[na:1.8.0_102]
> > >     at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1949) ~[na:1.8.0_102]
> > >     at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:302) ~[na:1.8.0_102]
> > >     at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:296) ~[na:1.8.0_102]
> > >     at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1509) ~[na:1.8.0_102]
> > >     at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:216) ~[na:1.8.0_102]
> > >     at sun.security.ssl.Handshaker.processLoop(Handshaker.java:979) ~[na:1.8.0_102]
> > >     at sun.security.ssl.Handshaker.process_record(Handshaker.java:914) ~[na:1.8.0_102]
> > >     at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1062) ~[na:1.8.0_102]
> > >     at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1375) ~[na:1.8.0_102]
> > >     at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1403) ~[na:1.8.0_102]
> > >     at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1387) ~[na:1.8.0_102]
> > >     at org.apache.axis.components.net.JSSESocketFactory.create(JSSESocketFactory.java:186) ~[axis-1.4.jar:na]
> > >     at org.apache.axis.transport.http.HTTPSender.getSocket(HTTPSender.java:191) ~[axis-1.4.jar:na]
> > >     at org.apache.axis.transport.http.HTTPSender.writeToSocket(HTTPSender.java:404) ~[axis-1.4.jar:na]
> > >     at org.apache.axis.transport.http.HTTPSender.invoke(HTTPSender.java:138) ~[axis-1.4.jar:na]
> > >     ... 38 common frames omitted
> > > Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
> > >     at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:387) ~[na:1.8.0_102]
> > >     at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:292) ~[na:1.8.0_102]
> > >     at sun.security.validator.Validator.validate(Validator.java:260) ~[na:1.8.0_102]
> > >     at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324) ~[na:1.8.0_102]
> > >     at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:229) ~[na:1.8.0_102]
> > >     at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:124) ~[na:1.8.0_102]
> > >     at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1491) ~[na:1.8.0_102]
> > >     ... 49 common frames omitted
> > > Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
> > >     at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141) ~[na:1.8.0_102]
> > >     at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126) ~[na:1.8.0_102]
> > >     at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280) ~[na:1.8.0_102]
> > >     at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:382) ~[na:1.8.0_102]
> > >     ... 55 common frames omitted
> >
> > If you need to make outgoing TLS connections to servers with certificates not trusted by Java's stock trust store, you'll have to supply your own. Do you have anything in the trust store other than the server's key and certificate? Are you making loopback connections?
> >
> > I'm surprised that this either worked in the past or is failing now. I'm not sure which makes more sense. There's no particular reason why a "keystore" couldn't be used as a "truststore"... the only difference is that "keystores" usually contain keys and certs, while "truststores" usually only contain certificates.
> >
> > I wonder if it has something to do with the aliases used or something.
> >
> > If in fact using the keystore as a trust store is tripping-up Tomcat, I'd say that's a bug that needs to be fixed.
> >
> > Try this: whatever certificate you need to TRUST needs to be in your trust store. Try creating a new keystore that contains nothing but the certificate you expect to trust, then configure *that* as your trust store (system property), leaving the keystore as-is -- configured as Tomcat's keystore.
> >
> > -chris
>
> Hi Chris,
>
> I tested a couple things to no avail. I can confirm that I've successfully used this configuration with JDK 1.6.0_45, 1.7.0_80, 1.8.0_102 and Tomcat 6.0.10, 7.0.56, 8.5.4.
>
> Here's what I tested:
>
> 1. I recreated the keystore with the alias localhost and got the same error:
>
>    IllegalArgumentException: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty
>
> 2. I restored the tomcat alias, exported the certificate and set my system property to point to that tomcat.crt file. This caused the following stacktrace
>
>    java.lang.IllegalArgumentException: java.io.IOException: Invalid keystore format
>        at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:103)
>        at org.apache.tomcat.util.net.AbstractJsseEndpoint.initialiseSsl(AbstractJsseEndpoint.java:81)
>        at org.apache.tomcat.util.net.NioEndpoint.bind(NioEndpoint.java:244)
>        at org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:866)
>        at org.apache.tomcat.util.net.AbstractJsseEndpoint.init(AbstractJsseEndpoint.java:213)
>        at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:575)
>        at org.apache.coyote.http11.AbstractHttp11Protocol.init(AbstractHttp11Protocol.java:65)
>        at org.apache.catalina.connector.Connector.initInternal(Connector.java:944)
>        at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:107)
>        at org.apache.catalina.core.StandardService.initInternal(StandardService.java:549)
>        at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:107)
>        at org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:873)
>        at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:107)
>        at org.apache.catalina.startup.Catalina.load(Catalina.java:606)
>        at org.apache.catalina.startup.Catalina.load(Catalina.java:629)
>        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
>        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>        at java.lang.reflect.Method.invoke(Method.java:498)
>        at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:311)
>        at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:494)
>    Caused by: java.io.IOException: Invalid keystore format
>        at sun.security.provider.JavaKeyStore.engineLoad(JavaKeyStore.java:658)
>        at sun.security.provider.JavaKeyStore$JKS.engineLoad(JavaKeyStore.java:56)
>        at sun.security.provider.KeyStoreDelegator.engineLoad(KeyStoreDelegator.java:224)
>        at sun.security.provider.JavaKeyStore$DualFormatJKS.engineLoad(JavaKeyStore.java:70)
>        at java.security.KeyStore.load(KeyStore.java:1445)
>        at org.apache.tomcat.util.net.SSLUtilBase.getStore(SSLUtilBase.java:136)
>        at org.apache.tomcat.util.net.SSLHostConfig.getTruststore(SSLHostConfig.java:614)
>        at org.apache.tomcat.util.net.jsse.JSSEUtil.getTrustManagers(JSSEUtil.java:256)
>        at org.apache.tomcat.util.net.openssl.OpenSSLUtil.getTrustManagers(OpenSSLUtil.java:93)
>        at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:101)
>        ... 20 more
>
> 3. I tried setting the system property to point to keystore.jsk and tomcat keystoreFile to tomcat.crt and got the same stacktrace above.
>
> Below are listings of my keystore.jsk and tomcat.crt file generated from the JRE 8 keytool
>
> -------------------------------------------------------------------------------------------
> keystore.jsk
> -------------------------------------------------------------------------------------------
> Keystore type: JKS
> Keystore provider: SUN
>
> Your keystore contains 1 entry
>
> Alias name: tomcat
> Creation date: Oct 24, 2016
> Entry type: PrivateKeyEntry
> Certificate chain length: 1
> Certificate[1]:
> Owner: CN=localhost, OU=ITS, O=xxx, L=xxx, ST=BC, C=CA
> Issuer: CN=localhost, OU=ITS, O=xxx, L=xxx, ST=BC, C=CA
> Serial number: 220d2cc
> Valid from: Mon Oct 24 11:56:22 PDT 2016 until: Thu Oct 19 11:56:22 PDT 2017
> Certificate fingerprints:
>          MD5:    5E:F8:3A:6F:BB:CF:5D:72:5A:A8:CE:16:7B:B6:75:61
>          SHA1:   DA:86:EB:A9:4C:56:D9:6B:E4:88:F4:A1:4D:91:5B:BD:4F:1A:F2:16
>          SHA256: 75:66:92:B3:57:0C:28:05:03:EA:BC:DE:C5:51:45:00:65:82:4C:7C:F4:BD:E6:90:CE:61:90:30:B2:3D:67:57
> Signature algorithm name: SHA256withRSA
> Version: 3
>
> Extensions:
>
> #1: ObjectId: 2.5.29.14 Criticality=false
> SubjectKeyIdentifier [
> KeyIdentifier [
> 0000: 22 EA 63 DB 74 90 D1 F7   28 56 E9 B3 87 74 7A 14  ".c.t...(V...tz.
> 0010: 0A 62 1A AE                                        .b..
> ]
> ]
>
> *******************************************
> *******************************************
>
> -------------------------------------------------------------------------------------------
> tomcat.crt
> -------------------------------------------------------------------------------------------
> Owner: CN=localhost, OU=ITS, O=xxx, L=xxx, ST=BC, C=CA
> Issuer: CN=localhost, OU=ITS, O=xxx, L=xxx, ST=BC, C=CA
> Serial number: 220d2cc
> Valid from: Mon Oct 24 11:56:22 PDT 2016 until: Thu Oct 19 11:56:22 PDT 2017
> Certificate fingerprints:
>          MD5:    5E:F8:3A:6F:BB:CF:5D:72:5A:A8:CE:16:7B:B6:75:61
>          SHA1:   DA:86:EB:A9:4C:56:D9:6B:E4:88:F4:A1:4D:91:5B:BD:4F:1A:F2:16
>          SHA256: 75:66:92:B3:57:0C:28:05:03:EA:BC:DE:C5:51:45:00:65:82:4C:7C:F4:BD:E6:90:CE:61:90:30:B2:3D:67:57
> Signature algorithm name: SHA256withRSA
> Version: 3
>
> Extensions:
>
> #1: ObjectId: 2.5.29.14 Criticality=false
> SubjectKeyIdentifier [
> KeyIdentifier [
> 0000: 22 EA 63 DB 74 90 D1 F7   28 56 E9 B3 87 74 7A 14  ".c.t...(V...tz.
> 0010: 0A 62 1A AE                                        .b..
> ]
> ]
>
> Regards
> Will
I can confirm that this has happened to me too in the transition from 8.5.4 to 8.5.5. Over time the -Djavax.net.ssl.trustStore parameter with the link to the tomcat certificate store was forgotten in the setenv.sh and as I did not use it, I was able to just disable it. It never bothered tomcat until 8.5.5 though.

Best regards
Peter

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
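Editor's added example (my code, not Tomcat's and not posted by anyone in the thread) that makes Chris's diagnosis concrete. The startup trace quoted above shows Tomcat 8.5.5 constructing java.security.cert.PKIXBuilderParameters from the trust store inside JSSEUtil.getParameters. The PKIXParameters(KeyStore) constructor only turns TrustedCertificateEntry entries into trust anchors, so a store whose single entry is a PrivateKeyEntry, which is exactly what William's keystore.jsk listing shows, yields an empty anchor set and the "trustAnchors parameter must be non-empty" exception. The program below runs that same constructor against a keystore, then writes a certificate-only trust store and shows the check passing, which is Chris's "create a new keystore that contains nothing but the certificate" advice in code; it also reports the IOException William hit in test 2 when a raw .crt file is handed to KeyStore.load. The class name TrustStoreCheck, the JKS store type, and the paths and password in the usage comment are assumptions taken from the thread, not anything Tomcat ships.

```java
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.IOException;
import java.security.InvalidAlgorithmParameterException;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.cert.Certificate;
import java.security.cert.PKIXBuilderParameters;
import java.security.cert.X509CertSelector;
import java.util.Enumeration;

/*
 * TrustStoreCheck (example code, not part of Tomcat).
 *
 * Reproduces the check Tomcat 8.5.5 performs while building its trust managers
 * (the PKIXBuilderParameters constructor visible in the thread's stack trace) and
 * then builds the certificate-only trust store Chris recommends.
 *
 * Assumptions: JKS store type; paths and password as used in the thread.
 *
 * Usage:
 *   javac TrustStoreCheck.java
 *   java TrustStoreCheck C:/keys/keystore.jsk changeit C:/keys/truststore.jks
 *
 * keytool equivalent of the trust-store step:
 *   keytool -exportcert -alias tomcat -keystore C:/keys/keystore.jsk -storepass changeit -file tomcat.crt
 *   keytool -importcert -noprompt -alias tomcat -file tomcat.crt -keystore C:/keys/truststore.jks -storepass changeit
 */
public class TrustStoreCheck {

    /** Loads a JKS store. A raw .crt file is not a store; KeyStore.load rejects it with an IOException. */
    static KeyStore loadJks(String path, char[] pass) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(path)) {
            ks.load(in, pass);
        } catch (IOException e) {
            throw new IllegalArgumentException(path + " is not a keystore (" + e.getMessage()
                    + "); import the certificate into one with keytool -importcert", e);
        }
        return ks;
    }

    /**
     * The same constructor call Tomcat makes in JSSEUtil.getParameters. PKIXParameters(KeyStore)
     * takes only TrustedCertificateEntry entries as trust anchors, so a store holding nothing
     * but a PrivateKeyEntry fails with "the trustAnchors parameter must be non-empty".
     */
    static boolean usableAsPkixTrustStore(KeyStore ks) throws KeyStoreException {
        try {
            new PKIXBuilderParameters(ks, new X509CertSelector());
            return true;
        } catch (InvalidAlgorithmParameterException e) {
            System.out.println("  PKIXBuilderParameters rejected the store: " + e.getMessage());
            return false;
        }
    }

    /** Copies every certificate (leaf of each key entry, plus any trusted entries) into a cert-only store. */
    static KeyStore certOnlyCopy(KeyStore ks) throws Exception {
        KeyStore ts = KeyStore.getInstance("JKS");
        ts.load(null, null); // start from an empty store
        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements();) {
            String alias = e.nextElement();
            Certificate cert = ks.getCertificate(alias); // for a key entry: first cert of its chain
            if (cert != null) {
                ts.setCertificateEntry(alias, cert);     // becomes a trustedCertEntry
            }
        }
        return ts;
    }

    static void describe(String label, KeyStore ks) throws KeyStoreException {
        System.out.println(label + ": " + ks.size() + (ks.size() == 1 ? " entry" : " entries"));
        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements();) {
            String alias = e.nextElement();
            System.out.println("  " + alias + " -> " + (ks.isKeyEntry(alias) ? "PrivateKeyEntry" : "trustedCertEntry"));
        }
        System.out.println("  usable as PKIX trust store: " + usableAsPkixTrustStore(ks));
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 3) {
            System.err.println("usage: java TrustStoreCheck <keystore> <storepass> <truststore-out>");
            System.exit(2);
        }
        char[] pass = args[1].toCharArray();

        KeyStore ks = loadJks(args[0], pass);
        describe("Keystore " + args[0], ks);     // William's store: one PrivateKeyEntry, check fails

        KeyStore ts = certOnlyCopy(ks);
        try (FileOutputStream out = new FileOutputStream(args[2])) {
            ts.store(out, pass);
        }
        describe("Trust store " + args[2], ts);  // one trustedCertEntry, check passes
    }
}
```

After the program (or the two keytool lines in its header comment) has written truststore.jks, point -Djavax.net.ssl.trustStore at that file, add -Djavax.net.ssl.trustStorePassword to match, and leave keystoreFile in the <Connector> pointing at the original keystore. One caveat worth keeping in mind when doing this for the AXIS client in the thread: setting javax.net.ssl.trustStore replaces the JVM's default cacerts for every outgoing TLS connection in that process, so a trust store holding only the self-signed localhost certificate means any other HTTPS endpoint the application calls will fail PKIX path building unless its issuing CA is imported into the same store.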