On Tue, Oct 25, 2016 at 2:08 AM, Kreuser, Peter <pkreu...@airplus.com>
wrote:

> Dear all,
>
> > On Sun, Oct 23, 2016 at 3:15 PM, Christopher Schultz <
> > ch...@christopherschultz.net> wrote:
> >
> > >
> > > William,
> > >
> > > On 10/21/16 6:08 PM, William Boyd wrote:
> > > > On Fri, Oct 21, 2016 at 2:05 PM, Christopher Schultz <
> > > > ch...@christopherschultz.net> wrote:
> > > >
> > > > William,
> > > >
> > > > On 10/21/16 4:37 PM, William Boyd wrote:
> > > >>>> Hello,
> > > >>>>
> > > >>>> I am attempting to upgrade from Tomcat 7 to 8.5.6. Everything
> > > >>>> was working great until I enabled SSL with a self-signed
> > > >>>> certificate. I am able to recreated the issue on 8.5.5. I
> > > >>>> finally had to down graded to 8.5.4 to get SSL working with
> > > >>>> identical configuration and cert.
> > > >>>>
> > > >>>> I want to be sure that this is not a known issue and that I'm
> > > >>>> not doing something wrong before I create a bug report.
> > > >>>>
> > > >>>> Server version: Apache Tomcat/8.5.5 64-bit
> > > >>>> OS Name:        Windows 7
> > > >>>> JVM Version:    1.8.0_102-b14
> > > >>>>
> > > >>>> The cert was generated with this command:
> > > >>>> keytool -genkeypair -keyalg RSA -alias tomcat -keystore "C:/keys/keystore.jsk" -storepass changeit -validity 360 -keysize 2048 -dname CN=localhost,OU=ITS,O=Co,L=City,ST=AB,C=CA
> > > >>>>
> > > >>>> Configuration includes adding
> > > >>>> -Djavax.net.ssl.trustStore=c:/keys/keystore.jsk to JAVA_OPTS
> > > >
> > > > I think this might be the problem. Tomcat doesn't use
> > > > javax.net.ssl.trustStore except as a backup in case you haven't
> > > > specified a trust store in your <Connector>. You have pointed that
> > > > system property at a keystore, not a trust store. Technically,
> > > > they are the same format, but they are used for different things.
> > > >
> > > > If you need that for making your own outgoing TLS connections then
> > > > leave it in there and we'll try to get it to work, otherwise it's
> > > > just confusing and might cause Tomcat to do weird things.
> > > >
> > > >>>> and using this connector config
> > > >>>>
> > > >>>> <Connector port="8002" protocol="HTTP/1.1"
> > > >>>> connectionTimeout="60000" maxThreads="200"
> > > >>>> minSpareThreads="4" enableLookups="false" compression="on"
> > > >>>> server="Apache" scheme="https" secure="true"
> > > >>>> SSLEnabled="true" keystoreFile="c:/keys/keystore.jsk"
> > > >>>> keystorePass="changeit" keyAlias="tomcat" clientAuth="false"
> > > >>>> sslProtocol="TLS"/>
> > > >
> > > > Looks good so far.
> > > >
> > > >>>> Here is the exception I get at startup
> > > >>>>
> > > >>>> 13-Oct-2016 15:05:17.309 SEVERE [main] org.apache.coyote.AbstractProtocol.init Failed to initialize end point associated with ProtocolHandler ["https-openssl-nio-8001"]
> > > >>>> java.lang.IllegalArgumentException: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty
> > > >>>>     at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:103)
> > > >>>>     at org.apache.tomcat.util.net.AbstractJsseEndpoint.initialiseSsl(AbstractJsseEndpoint.java:81)
> > > >>>>     at org.apache.tomcat.util.net.NioEndpoint.bind(NioEndpoint.java:244)
> > > >>>>     at org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:866)
> > > >>>>     at org.apache.tomcat.util.net.AbstractJsseEndpoint.init(AbstractJsseEndpoint.java:213)
> > > >>>>     at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:575)
> > > >>>>     at org.apache.coyote.http11.AbstractHttp11Protocol.init(AbstractHttp11Protocol.java:65)
> > > >>>>     at org.apache.catalina.connector.Connector.initInternal(Connector.java:944)
> > > >>>>     at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:107)
> > > >>>>     at org.apache.catalina.core.StandardService.initInternal(StandardService.java:549)
> > > >>>>     at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:107)
> > > >>>>     at org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:873)
> > > >>>>     at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:107)
> > > >>>>     at org.apache.catalina.startup.Catalina.load(Catalina.java:606)
> > > >>>>     at org.apache.catalina.startup.Catalina.load(Catalina.java:629)
> > > >>>>     at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> > > >>>>     at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
> > > >>>>     at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
> > > >>>>     at java.lang.reflect.Method.invoke(Method.java:498)
> > > >>>>     at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:311)
> > > >>>>     at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:494)
> > > >>>> Caused by: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty
> > > >>>>     at java.security.cert.PKIXParameters.setTrustAnchors(PKIXParameters.java:200)
> > > >>>>     at java.security.cert.PKIXParameters.<init>(PKIXParameters.java:157)
> > > >>>>     at java.security.cert.PKIXBuilderParameters.<init>(PKIXBuilderParameters.java:130)
> > > >>>>     at org.apache.tomcat.util.net.jsse.JSSEUtil.getParameters(JSSEUtil.java:341)
> > > >>>>     at org.apache.tomcat.util.net.jsse.JSSEUtil.getTrustManagers(JSSEUtil.java:273)
> > > >>>>     at org.apache.tomcat.util.net.openssl.OpenSSLUtil.getTrustManagers(OpenSSLUtil.java:93)
> > > >>>>     at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:101)
> > > >>>>     ... 20 more
> > > >
> > > > Tomcat is choking when trying to load the trust managers, which is
> > > > synonymous with loading the data from the "trust store". You don't
> > > > need a "trust store", otherwise you'd have specified it in the
> > > > <Connector>.
> > > >
> > > > Try just removing that system property and see what happens.
> > > >
> > > > -chris
> > > >>
> > > >> ---------------------------------------------------------------------
> > > >> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> > > >> For additional commands, e-mail: users-h...@tomcat.apache.org
> > > >>
> > > >>
> > > > Hi Christopher,
> > > >
> > > > Thanks for the quick response.
> > > >
> > > > I tried your suggestion but when I connect to the site via https,
> > > > tomcat returns a blank page with the SSLHandshakeException in it.
> > > > I’m not entirely sure but this may be a result of our use of AXIS
> > > > for communication between WARs in the deployed application.
> > > >
> > > > Caught Exception (javax.net.ssl.SSLHandshakeException:
> > > > sun.security.validator.ValidatorException: PKIX path building
> > > > failed: sun.security.provider.certpath.SunCertPathBuilderException:
> > > > unable to find valid certification path to requested target): ;
> > > > nested exception is: javax.net.ssl.SSLHandshakeException:
> > > > sun.security.validator.ValidatorException: PKIX path building
> > > > failed: sun.security.provider.certpath.SunCertPathBuilderException:
> > > > unable to find valid certification path to requested target
> > > >
> > > > The catalina log contains this stacktrace
> > > >
> > > > 2016-10-21 14:48:43,517 [ERROR] [mblinkLoginSoapInterface.java:207] - org.apache.axis.AxisFault: ; nested exception is:
> > > >     javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
> > > >     at org.apache.axis.AxisFault.makeFault(AxisFault.java:101) ~[axis-1.4.jar:na]
> > > >     at org.apache.axis.transport.http.HTTPSender.invoke(HTTPSender.java:154) ~[axis-1.4.jar:na]
> > > > : :
> > > > Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
> > > >     at sun.security.ssl.Alerts.getSSLException(Alerts.java:192) ~[na:1.8.0_102]
> > > >     at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1949) ~[na:1.8.0_102]
> > > >     at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:302) ~[na:1.8.0_102]
> > > >     at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:296) ~[na:1.8.0_102]
> > > >     at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1509) ~[na:1.8.0_102]
> > > >     at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:216) ~[na:1.8.0_102]
> > > >     at sun.security.ssl.Handshaker.processLoop(Handshaker.java:979) ~[na:1.8.0_102]
> > > >     at sun.security.ssl.Handshaker.process_record(Handshaker.java:914) ~[na:1.8.0_102]
> > > >     at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1062) ~[na:1.8.0_102]
> > > >     at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1375) ~[na:1.8.0_102]
> > > >     at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1403) ~[na:1.8.0_102]
> > > >     at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1387) ~[na:1.8.0_102]
> > > >     at org.apache.axis.components.net.JSSESocketFactory.create(JSSESocketFactory.java:186) ~[axis-1.4.jar:na]
> > > >     at org.apache.axis.transport.http.HTTPSender.getSocket(HTTPSender.java:191) ~[axis-1.4.jar:na]
> > > >     at org.apache.axis.transport.http.HTTPSender.writeToSocket(HTTPSender.java:404) ~[axis-1.4.jar:na]
> > > >     at org.apache.axis.transport.http.HTTPSender.invoke(HTTPSender.java:138) ~[axis-1.4.jar:na]
> > > >     ... 38 common frames omitted
> > > > Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
> > > >     at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:387) ~[na:1.8.0_102]
> > > >     at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:292) ~[na:1.8.0_102]
> > > >     at sun.security.validator.Validator.validate(Validator.java:260) ~[na:1.8.0_102]
> > > >     at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324) ~[na:1.8.0_102]
> > > >     at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:229) ~[na:1.8.0_102]
> > > >     at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:124) ~[na:1.8.0_102]
> > > >     at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1491) ~[na:1.8.0_102]
> > > >     ... 49 common frames omitted
> > > > Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
> > > >     at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141) ~[na:1.8.0_102]
> > > >     at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126) ~[na:1.8.0_102]
> > > >     at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280) ~[na:1.8.0_102]
> > > >     at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:382) ~[na:1.8.0_102]
> > > >     ... 55 common frames omitted
> > >
> > >
> > > If you need to make outgoing TLS connections to servers with
> > > certificates not trusted by Java's stock trust store, you'll have to
> > > supply your own. Do you have anything in the trust store other than
> > > the server's key and certificate? Are you making loopback connections?
> > >
> > > I'm surprised that this either worked in the past or is failing now.
> > > I'm not sure which makes more sense. There's no particular reason why
> > > a "keystore" couldn't be used as a "truststore"... the only difference
> > > is that "keystores" usually contain keys and certs, while
> > > "truststores" usually only contain certificates.
> > >
> > > I wonder if it has something to do with the aliases used or something.
> > >
> > > If in fact using the keystore as a trust store is tripping-up Tomcat,
> > > I'd say that's a bug that needs to be fixed.
> > >
> > > Try this: whatever certificate you need to TRUST needs to be in your
> > > trust store. Try creating a new keystore that contains nothing but the
> > > certificate you expect to trust, then configure *that* as your trust
> > > store (system property), leaving the keystore as-is -- configured as
> > > Tomcat's keystore.
> > >
> > > - -chris
> > >
> > >
> > >
> > Hi Chris,
> >
> > I tested a couple things to no avail.  I can confirm that I've successfully
> > used this configuration with JDK 1.6.0_45, 1.7.0_80, 1.8.0_102 and Tomcat
> > 6.0.10, 7.0.56, 8.5.4.
> >
> > Here's what I tested:
> >
> >  1. I recreated the keystore with the alias localhost and got the same
> > error:
> >     IllegalArgumentException:
> > java.security.InvalidAlgorithmParameterException: the trustAnchors
> > parameter must be non-empty
> >
> >  2. I restored the tomcat alias, exported the certificate and set my system
> > property to point to that tomcat.crt file. This caused the following
> > stacktrace
> >     java.lang.IllegalArgumentException: java.io.IOException: Invalid keystore format
> >         at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:103)
> >         at org.apache.tomcat.util.net.AbstractJsseEndpoint.initialiseSsl(AbstractJsseEndpoint.java:81)
> >         at org.apache.tomcat.util.net.NioEndpoint.bind(NioEndpoint.java:244)
> >         at org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:866)
> >         at org.apache.tomcat.util.net.AbstractJsseEndpoint.init(AbstractJsseEndpoint.java:213)
> >         at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:575)
> >         at org.apache.coyote.http11.AbstractHttp11Protocol.init(AbstractHttp11Protocol.java:65)
> >         at org.apache.catalina.connector.Connector.initInternal(Connector.java:944)
> >         at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:107)
> >         at org.apache.catalina.core.StandardService.initInternal(StandardService.java:549)
> >         at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:107)
> >         at org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:873)
> >         at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:107)
> >         at org.apache.catalina.startup.Catalina.load(Catalina.java:606)
> >         at org.apache.catalina.startup.Catalina.load(Catalina.java:629)
> >         at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> >         at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
> >         at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
> >         at java.lang.reflect.Method.invoke(Method.java:498)
> >         at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:311)
> >         at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:494)
> >     Caused by: java.io.IOException: Invalid keystore format
> >         at sun.security.provider.JavaKeyStore.engineLoad(JavaKeyStore.java:658)
> >         at sun.security.provider.JavaKeyStore$JKS.engineLoad(JavaKeyStore.java:56)
> >         at sun.security.provider.KeyStoreDelegator.engineLoad(KeyStoreDelegator.java:224)
> >         at sun.security.provider.JavaKeyStore$DualFormatJKS.engineLoad(JavaKeyStore.java:70)
> >         at java.security.KeyStore.load(KeyStore.java:1445)
> >         at org.apache.tomcat.util.net.SSLUtilBase.getStore(SSLUtilBase.java:136)
> >         at org.apache.tomcat.util.net.SSLHostConfig.getTruststore(SSLHostConfig.java:614)
> >         at org.apache.tomcat.util.net.jsse.JSSEUtil.getTrustManagers(JSSEUtil.java:256)
> >         at org.apache.tomcat.util.net.openssl.OpenSSLUtil.getTrustManagers(OpenSSLUtil.java:93)
> >         at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:101)
> >         ... 20 more
> >  3. I tried setting the system property to point to keystore.jsk and tomcat
> > keystoreFile to tomcat.crt and got the same stacktrace above.
> >
> > Below are listings of my keystore.jsk and tomcat.crt file generated from
> > the JRE 8 keytool
> >
> > ---------------------------------------------------------------------------------------------
> > keystore.jsk
> > ---------------------------------------------------------------------------------------------
> > Keystore type: JKS
> > Keystore provider: SUN
> > Your keystore contains 1 entry
> > Alias name: tomcat
> > Creation date: Oct 24, 2016
> > Entry type: PrivateKeyEntry
> > Certificate chain length: 1
> > Certificate[1]:
> > Owner: CN=localhost, OU=ITS, O=xxx, L=xxx, ST=BC, C=CA
> > Issuer: CN=localhost, OU=ITS, O=xxx, L=xxx, ST=BC, C=CA
> > Serial number: 220d2cc
> > Valid from: Mon Oct 24 11:56:22 PDT 2016 until: Thu Oct 19 11:56:22 PDT 2017
> > Certificate fingerprints:
> >          MD5:  5E:F8:3A:6F:BB:CF:5D:72:5A:A8:CE:16:7B:B6:75:61
> >          SHA1: DA:86:EB:A9:4C:56:D9:6B:E4:88:F4:A1:4D:91:5B:BD:4F:1A:F2:16
> >          SHA256: 75:66:92:B3:57:0C:28:05:03:EA:BC:DE:C5:51:45:00:65:82:4C:7C:F4:BD:E6:90:CE:61:90:30:B2:3D:67:57
> >          Signature algorithm name: SHA256withRSA
> >          Version: 3
> > Extensions:
> > #1: ObjectId: 2.5.29.14 Criticality=false
> > SubjectKeyIdentifier [
> > KeyIdentifier [
> > 0000: 22 EA 63 DB 74 90 D1 F7   28 56 E9 B3 87 74 7A 14  ".c.t...(V...tz.
> > 0010: 0A 62 1A AE                                        .b..
> > ]
> > ]
> >
> > *******************************************
> > *******************************************
> > ---------------------------------------------------------------------------------------------
> > tomcat.crt
> > ---------------------------------------------------------------------------------------------
> > Owner: CN=localhost, OU=ITS, O=xxx, L=xxx, ST=BC, C=CA
> > Issuer: CN=localhost, OU=ITS, O=xxx, L=xxx, ST=BC, C=CA
> > Serial number: 220d2cc
> > Valid from: Mon Oct 24 11:56:22 PDT 2016 until: Thu Oct 19 11:56:22 PDT 2017
> > Certificate fingerprints:
> >          MD5:  5E:F8:3A:6F:BB:CF:5D:72:5A:A8:CE:16:7B:B6:75:61
> >          SHA1: DA:86:EB:A9:4C:56:D9:6B:E4:88:F4:A1:4D:91:5B:BD:4F:1A:F2:16
> >          SHA256: 75:66:92:B3:57:0C:28:05:03:EA:BC:DE:C5:51:45:00:65:82:4C:7C:F4:BD:E6:90:CE:61:90:30:B2:3D:67:57
> >          Signature algorithm name: SHA256withRSA
> >          Version: 3
> > Extensions:
> > #1: ObjectId: 2.5.29.14 Criticality=false
> > SubjectKeyIdentifier [
> > KeyIdentifier [
> > 0000: 22 EA 63 DB 74 90 D1 F7   28 56 E9 B3 87 74 7A 14  ".c.t...(V...tz.
> > 0010: 0A 62 1A AE                                        .b..
> > ]
> > ]
> >
> > Regards
> > Will
>
>
> I can confirm that this has happened to me too in the transition from
> 8.5.4 to 8.5.5. Over time the -Djavax.net.ssl.trustStore parameter with the
> link to the tomcat certificate store was forgotten in the setenv.sh and as
> I did not use it, I was able to just disable it.
>
> It never bothered tomcat until 8.5.5 though.
>
> Best regards
>
> Peter
>
>
>
Hello,

First, I'd like to thank everyone for the help.

Is it now safe to say that the behaviour we've been taking advantage of is
undocumented and will no longer be supported?

Also, for those that hit this thread and need to get HTTPS working with a
*self-signed* certificate in a dev environment...

Here's what worked for me:
1. Copy %JAVA_HOME%\jre\lib\security\cacerts some place (say C:\keystore)
2. Create a *self-signed* certificate with
    %JAVA_HOME%\bin\keytool -genkeypair -keyalg RSA -alias myAlias -keystore "C:\keystore\keystore.jsk" -storepass changeit -validity 360 -keysize 2048 -dname CN=localhost,OU=OrgUnit,O=Org,L=City,ST=State,C=Country
3. Export the myAlias certificate with
    %JAVA_HOME%\bin\keytool -export -alias myAlias -keystore C:\keystore\keystore.jsk -rfc -file C:\keystore\myAlias.cer
4. Import the myAlias certificate into your copy of cacerts with:
    %JAVA_HOME%\bin\keytool -import -alias myAlias -keystore C:\keystore\cacerts -file C:\keystore\myAlias.cer
5. Add this to setclasspath.bat in tomcat:
     set JAVA_OPTS=%JAVA_OPTS% -Djavax.net.ssl.trustStore="C:\keystore\cacerts"
6. In server.xml, add these attributes to the Connector element
      keystoreFile="C:\keystore\keystore.jsk"
      keystorePass="changeit"
      keyAlias="myAlias"
      scheme="https"
      secure="true"
      SSLEnabled="true"
      clientAuth="false"
      sslProtocol="TLS"

Now you should be good to go with HTTPS in Tomcat 8.5.5+.

Regards
Will
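Added illustration of the keystore-versus-truststore point Chris makes above and of the checks in Will's procedure (this is not code from the thread or from Tomcat). The program loads a store file the way Tomcat's truststore loading does, counts PrivateKeyEntry and TrustedCertificateEntry aliases, and then builds a `PKIXParameters` from it, the constructor behind the `PKIXBuilderParameters` frame in the startup trace, so a store holding only the server's private key fails with "the trustAnchors parameter must be non-empty" and a `.crt` file fails with "Invalid keystore format" before Tomcat is ever started. The class name `TrustStoreCheck` and the command-line arguments are my own choices.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.security.InvalidAlgorithmParameterException;
import java.security.KeyStore;
import java.security.cert.PKIXParameters;
import java.util.Enumeration;

/**
 * Added diagnostic (not from the thread): answers "would this file work as
 * javax.net.ssl.trustStore?" without starting Tomcat.
 *
 * Usage: java TrustStoreCheck C:\keystore\keystore.jsk [storepass]
 */
public class TrustStoreCheck {

    /** Entry counts for one store plus the verdict a PKIX trust manager would give. */
    static final class Report {
        int keyEntries;          // PrivateKeyEntry: what "keytool -genkeypair" creates
        int trustedCertEntries;  // TrustedCertificateEntry: what "keytool -import" creates
        String verdict;
    }

    static Report inspect(String path, char[] storePass) throws Exception {
        Report r = new Report();
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType()); // "jks" on Java 8
        try (InputStream in = new FileInputStream(path)) {
            // A PEM/DER certificate file is not a keystore: this is the
            // "java.io.IOException: Invalid keystore format" from test 2 in the thread.
            ks.load(in, storePass);
        } catch (IOException e) {
            r.verdict = "FAIL: not loadable as a " + ks.getType() + " keystore (" + e.getMessage() + ")";
            return r;
        }
        Enumeration<String> aliases = ks.aliases();
        while (aliases.hasMoreElements()) {
            String alias = aliases.nextElement();
            if (ks.isKeyEntry(alias)) {
                r.keyEntries++;
            } else if (ks.isCertificateEntry(alias)) {
                r.trustedCertEntries++;
            }
        }
        try {
            // PKIXParameters(KeyStore) collects only trusted-certificate entries as
            // trust anchors; a store with nothing but a PrivateKeyEntry therefore has
            // none, which is exactly the startup failure reported in the thread.
            new PKIXParameters(ks);
            r.verdict = "OK: usable as a trust store";
        } catch (InvalidAlgorithmParameterException e) {
            r.verdict = "FAIL: " + e.getMessage(); // "the trustAnchors parameter must be non-empty"
        }
        return r;
    }

    public static void main(String[] args) throws Exception {
        if (args.length < 1) {
            System.err.println("usage: TrustStoreCheck <store-file> [storepass]");
            System.exit(2);
        }
        // A null password loads a JKS file without its integrity check, which is
        // enough for inspection; pass the real storepass to verify it as well.
        char[] pass = args.length > 1 ? args[1].toCharArray() : null;
        Report r = inspect(args[0], pass);
        System.out.println("key entries:          " + r.keyEntries);
        System.out.println("trusted cert entries: " + r.trustedCertEntries);
        System.out.println(r.verdict);
    }
}
```

Running it against keystore.jsk from the thread reports one key entry, zero trusted certificate entries and the trustAnchors failure; running it against the copied cacerts after step 4 reports the imported alias among the trusted entries and passes.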
