On Fri, Mar 22, 2019 at 11:07 AM Ethan Jensen <sr.agent.r...@gmail.com> wrote:
> On Fri, Mar 22, 2019 at 10:56 AM Mark Thomas <ma...@apache.org> wrote:
>> On 22/03/2019 16:40, Ethan Jensen wrote:
>> > OS: Windows Server 2012 R2
>> > JDK: Oracle JDK 1.8.0_201
>> >
>> > Attempting to migrate from Tomcat 8.5.38 -> 8.5.39 results in
>> >
>> > Failed to initialize connector [Connector[HTTP/1.1-443]]
>> >
>> > when using the exact same configuration. Tomcat's .../conf/server.xml is
>> > unchanged. Did a configuration parameter change or get renamed? The
>> > exception is fairly cryptic from my point of view.
>>
>> <snip/>
>>
>> > Caused by: java.lang.IllegalArgumentException: ObjectIdentifier() -- data
>> > isn't an object ID (tag = 48)
>> > at org.apache.tomcat.util.net.AprEndpoint.createSSLContext(AprEndpoint.java:404)
>> > at org.apache.tomcat.util.net.AprEndpoint.bind(AprEndpoint.java:368)
>> > at org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:1105)
>> > at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:581)
>> > at org.apache.coyote.http11.AbstractHttp11Protocol.init(AbstractHttp11Protocol.java:68)
>> > at org.apache.catalina.connector.Connector.initInternal(Connector.java:993)
>> > ... 13 more
>>
>> Looks like a certificate in a format JSSE can't handle. If you can
>> provide the steps (e.g. OpenSSL commands) to recreate a key/certificate
>> in that format we should be able to reproduce it and figure out a fix.
>>
>> Mark
>>
>
> Mark,
>
> These are the steps I used to create my certificate a couple of years ago
> (3 year validity).
>
> 1. Generate CSR:
>
> openssl req -out cert.csr -new -newkey rsa:2048 -nodes -keyout cert.key
>
> 2. Create a certificate chain file, using the certificates from CA:
>
> cat CERT.crt > chain_certs.pem &&
> echo "" >> chain_certs.pem &&
> cat OV_NetworkSolutionsOVServerCA2.crt >> chain_certs.pem &&
> echo "" >> chain_certs.pem &&
> cat OV_USERTrustRSACertificationAuthority.crt >> chain_certs.pem &&
> echo "" >> chain_certs.pem
>
> 3. Use openssl to package the certificate chain and private key into a
> PKCS#12 container:
>
> openssl pkcs12 -export -out cert.p12 -inkey cert.key -in chain_certs.pem
> -name "cert_name"
>
>

Also, it should be noted that for the APR connector, I'm using the raw
individual certificate/chain/key files for the configuration parameters.
The pkcs12 step I only use with the NIO fallback connector (currently
commented out in my server.xml) in the event the APR connector is broken.

--
Ethan
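An added diagnostic, not code from this thread or from Tomcat: a small Python checker that walks a concatenated chain file like the one built in step 2, decodes each PEM block and reports its outer DER tag (48 decimal is 0x30, the SEQUENCE tag the exception reports where an OBJECT IDENTIFIER was expected), whether the declared DER length matches the bytes present, and whether a non-CERTIFICATE block such as a private key has ended up in the chain. The sample input is constructed placeholder DER, not real certificates.

```python
import base64
import re

# One armoured PEM block; the blank lines the `echo ""` steps put between
# blocks are ignored because the pattern only matches armour to armour.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.S)
TAG_NAMES = {0x30: "SEQUENCE", 0x06: "OBJECT IDENTIFIER", 0x02: "INTEGER"}

def split_pem(text):
    """Return (label, der_bytes) for every PEM block in text, in file order."""
    return [(label, base64.b64decode("".join(body.split())))
            for label, body in PEM_BLOCK.findall(text)]

def der_outer(der):
    """Decode the outermost DER tag and length as (tag, length, length_ok).
    length_ok is False when the declared length does not match the bytes
    present, the usual sign of a truncated or mis-concatenated blob."""
    if len(der) < 2:
        return None, 0, False
    tag, first = der[0], der[1]
    if first < 0x80:                 # short-form length
        length, hdr = first, 2
    else:                            # long form: low 7 bits = number of length bytes
        n = first & 0x7F
        length, hdr = int.from_bytes(der[2:2 + n], "big"), 2 + n
    return tag, length, hdr + length == len(der)

def check_chain(text):
    """One dict per block: PEM label, outer DER tag (48 decimal is 0x30, the
    SEQUENCE tag quoted in the exception), length consistency, and whether
    the label is CERTIFICATE (a key block does not belong in the chain file)."""
    report = []
    for label, der in split_pem(text):
        tag, _, ok = der_outer(der)
        report.append({"label": label, "tag": tag,
                       "tag_name": TAG_NAMES.get(tag, "other"),
                       "length_ok": ok, "is_certificate": label == "CERTIFICATE"})
    return report

def _pem(label, der):
    return f"-----BEGIN {label}-----\n{base64.b64encode(der).decode()}\n-----END {label}-----\n"

# Constructed sample laid out like the cat/echo output above: a placeholder
# SEQUENCE (30 02 05 00, a NULL inside a SEQUENCE, not a real certificate),
# a blank line, then a PRIVATE KEY block whose declared length (4) exceeds
# the two bytes that follow it.
SAMPLE_CHAIN = _pem("CERTIFICATE", b"\x30\x02\x05\x00") + "\n" + \
    _pem("PRIVATE KEY", b"\x30\x04\x05\x00")
```

Run `check_chain(open("chain_certs.pem").read())` against a real chain file to see the label and outer tag of each block before handing it to the connector.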