Richard,

> Sent: Wednesday, 22 November 2017 at 14:40
> From: "Richard Tearle" <richard.tea...@northgateps.com>
> To: users@tomcat.apache.org
> Subject: Trouble with TLS/SSL and Tomcat 8.5.23
> Hello
> 
> Apache Tomcat 8.5.23
> Centos 7.4 (3.10.0-514.16.1.el7.x86_64)
> Java 1.8.0_152 (with jce)
> Running in Docker Container
> 
> I'm upgrading our applications from Apache Tomcat 8.0.47 to 8.5.23,
> but when trying to get TLS/SSL working on a connector I get the
> following error:
> 
> 22-Nov-2017 11:52:46.098 SEVERE [main] org.apache.coyote.AbstractProtocol.init Failed to initialize end point associated with ProtocolHandler ["https-jsse-nio2-18443"]
> java.lang.IllegalArgumentException: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty
> at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:115)
> at org.apache.tomcat.util.net.AbstractJsseEndpoint.initialiseSsl(AbstractJsseEndpoint.java:86)
> at org.apache.tomcat.util.net.Nio2Endpoint.bind(Nio2Endpoint.java:163)
> at org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:982)
> at org.apache.tomcat.util.net.AbstractJsseEndpoint.init(AbstractJsseEndpoint.java:245)
> at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:620)
> at org.apache.coyote.http11.AbstractHttp11Protocol.init(AbstractHttp11Protocol.java:66)
> at org.apache.catalina.connector.Connector.initInternal(Connector.java:997)
> at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:107)
> at org.apache.catalina.core.StandardService.initInternal(StandardService.java:549)
> at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:107)
> at org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:875)
> at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:107)
> at org.apache.catalina.startup.Catalina.load(Catalina.java:621)
> at org.apache.catalina.startup.Catalina.load(Catalina.java:644)
> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
> at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
> at java.lang.reflect.Method.invoke(Method.java:498)
> at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:311)
> at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:494)
> Caused by: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty
> at java.security.cert.PKIXParameters.setTrustAnchors(PKIXParameters.java:200)
> at java.security.cert.PKIXParameters.<init>(PKIXParameters.java:157)
> at java.security.cert.PKIXBuilderParameters.<init>(PKIXBuilderParameters.java:130)
> at org.apache.tomcat.util.net.jsse.JSSEUtil.getParameters(JSSEUtil.java:368)
> at org.apache.tomcat.util.net.jsse.JSSEUtil.getTrustManagers(JSSEUtil.java:292)
> at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:113)
> ... 20 more
> 
> I've changed the connector configuration to use
> SSLHostConfig/Certificate, but our certificate generation process
> (self-signed certificates) has remained the same. I did a quick
> internet search, and saw that other people had similar, but not exact,
> issues, and going back to 8.5.4 "solved" the issue. So I did this as a
> quick test, so at least I could see that our configuration changes
> were correct, and yes, the application ran OK with Tomcat 8.5.4. The
> connector configuration is:
> 
> <Connector port="${servers.port}"
> protocol="org.apache.coyote.http11.Http11Nio2Protocol"
> maxThreads="150" SSLEnabled="true" scheme="https"
> secure="true" server="Apache" maxPostSize="100000">
> <SSLHostConfig certificateVerification="none"
> sslProtocol="TLSv1.2" protocols="TLSv1.2"
> truststoreFile="/usr/local/tomcat/ssl/ca-truststore.p12"
> truststoreType="PKCS12"
> truststorePassword="${truststore.pass}" honorCipherOrder="true"

The error message says that either the file simply is not there or the cert 
that you expect is not in the keystore, maybe even empty...

Peter

> ciphers="TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
> TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384,
> TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
> TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256,
> TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,
> TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
> TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384,
> TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,
> TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
> TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
> TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256,
> TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA">
> <Certificate 
> certificateKeystoreFile="/usr/local/tomcat/ssl/server-keystore.p12"
> certificateKeyAlias="tomcat-ssl"
> certificateKeystoreType="PKCS12"
> certificateKeystorePassword="${keystore.pass}">
> </Certificate>
> </SSLHostConfig>
> </Connector>
> 
> Setting javax.net.debug=all in CATALINA_OPTS and viewing the resultant
> logging, seems to indicate that the certificate is being loaded, but
> not the trust store, with the only truststore loaded coming from:
> /opt/jre1.8.0_152/lib/security/cacerts
> 
> Best Regards
> 
> 
> Richard
> 
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
> 
> 

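The stack trace above ends in the `PKIXBuilderParameters(KeyStore, CertSelector)` constructor, which builds its trust anchors only from the store's trusted-certificate entries (`isCertificateEntry`), never from key entries, and throws "the trustAnchors parameter must be non-empty" when it finds none. The following stand-alone diagnostic is an added example, not code from this thread or from Tomcat: it checks the three things Peter's reply points at (file present and readable, store opens with the given type and password, store contains at least one trusted-certificate entry) and then calls the same constructor Tomcat's `JSSEUtil.getParameters` does, so it reproduces the startup failure outside Tomcat. The file path, store type and password are taken from the command line; the values shown in the usage comment are the ones from the connector configuration and are only an illustration.

```java
// TruststoreCheck.java -- added diagnostic, not part of Tomcat or of this thread.
// Usage (illustrative values from the connector config above):
//   java TruststoreCheck /usr/local/tomcat/ssl/ca-truststore.p12 PKCS12 '<truststore password>'
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.InvalidAlgorithmParameterException;
import java.security.KeyStore;
import java.security.cert.PKIXBuilderParameters;
import java.security.cert.X509CertSelector;
import java.security.cert.X509Certificate;
import java.util.Enumeration;

public class TruststoreCheck {

    /** Lists every alias and returns how many are trusted-certificate entries (the only kind that becomes a trust anchor). */
    static int countTrustedCertEntries(KeyStore ks) throws Exception {
        int trusted = 0;
        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements();) {
            String alias = e.nextElement();
            if (ks.isCertificateEntry(alias)) {
                X509Certificate c = (X509Certificate) ks.getCertificate(alias);
                System.out.println("  trusted cert entry: " + alias + " -> " + c.getSubjectX500Principal());
                trusted++;
            } else if (ks.isKeyEntry(alias)) {
                // A private-key entry (e.g. the server's own key) is NOT a trust anchor.
                System.out.println("  key entry (not a trust anchor): " + alias);
            }
        }
        return trusted;
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 3) {
            System.err.println("usage: TruststoreCheck <file> <keystore type> <password>");
            System.exit(2);
        }
        Path file = Paths.get(args[0]);

        // 1. Is the file actually present and readable from this process (inside the container)?
        if (!Files.isRegularFile(file) || !Files.isReadable(file)) {
            System.err.println("truststore missing or unreadable: " + file.toAbsolutePath());
            System.exit(1);
        }

        // 2. Does it open with this type and password? (A wrong password surfaces here as an IOException.)
        KeyStore ks = KeyStore.getInstance(args[1]);
        try (InputStream in = Files.newInputStream(file)) {
            ks.load(in, args[2].toCharArray());
        }
        System.out.println("loaded " + ks.size() + " entr(y/ies) from " + file);
        int trusted = countTrustedCertEntries(ks);

        // 3. Same constructor Tomcat's JSSEUtil.getParameters uses; it throws when no trust anchors exist.
        try {
            new PKIXBuilderParameters(ks, new X509CertSelector());
            System.out.println("OK: " + trusted + " trust anchor(s); Tomcat's trust manager can initialise");
        } catch (InvalidAlgorithmParameterException ex) {
            System.out.println("FAIL: " + ex.getMessage()
                    + " (the store has no trusted-certificate entries; keytool -list would show zero)");
            System.exit(1);
        }
    }
}
```

Run it with the same JRE Tomcat uses (here `/opt/jre1.8.0_152`), since what a given Java version reads out of a PKCS12 file is exactly what Tomcat will see; if the store loads but the count of trusted entries is zero, the file was built with only a key entry or with certificates that this JRE does not import as trusted entries, and regenerating the truststore is the fix rather than any change to the connector.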
