On Fri, Mar 22, 2019 at 10:56 AM Mark Thomas <ma...@apache.org> wrote:
> On 22/03/2019 16:40, Ethan Jensen wrote:
> > OS: Windows Server 2012 R2
> > JDK: Oracle JDK 1.8.0_201
> >
> > Attempting to migrate from Tomcat 8.5.38 -> 8.5.39 results in
> >
> > Failed to initialize connector [Connector[HTTP/1.1-443]]
> >
> > when using the exact same configuration. Tomcat's .../conf/server.xml is
> > unchanged. Did a configuration parameter change or get renamed? The
> > exception is fairly cryptic from my point of view.
>
> <snip/>
>
> > Caused by: java.lang.IllegalArgumentException: ObjectIdentifier() -- data isn't an object ID (tag = 48)
> >     at org.apache.tomcat.util.net.AprEndpoint.createSSLContext(AprEndpoint.java:404)
> >     at org.apache.tomcat.util.net.AprEndpoint.bind(AprEndpoint.java:368)
> >     at org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:1105)
> >     at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:581)
> >     at org.apache.coyote.http11.AbstractHttp11Protocol.init(AbstractHttp11Protocol.java:68)
> >     at org.apache.catalina.connector.Connector.initInternal(Connector.java:993)
> >     ... 13 more
>
> Looks like a certificate in a format JSSE can't handle. If you can
> provide the steps (e.g. OpenSSL commands) to recreate a key/certificate
> in that format we should be able to reproduce it and figure out a fix.
>
> Mark

Mark,

These are the steps I used to create my certificate a couple of years ago (3 year validity).

1. Generate CSR:

    openssl req -out cert.csr -new -newkey rsa:2048 -nodes -keyout cert.key

2. Create a certificate chain file, using the certificates from CA:

    cat CERT.crt > chain_certs.pem && echo "" >> chain_certs.pem && \
      cat OV_NetworkSolutionsOVServerCA2.crt >> chain_certs.pem && echo "" >> chain_certs.pem && \
      cat OV_USERTrustRSACertificationAuthority.crt >> chain_certs.pem && echo "" >> chain_certs.pem

3. Use openssl to package the certificate chain and private key into a PKCS#12 container:

    openssl pkcs12 -export -out cert.p12 -inkey cert.key -in chain_certs.pem -name "cert_name"
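
A note on reading the "tag = 48" in the exception quoted above, as an added example that is not part of the original thread or of Tomcat's code: 48 is the DER identifier octet 0x30 (SEQUENCE), so the decoder was positioned on a SEQUENCE where it expected an OBJECT IDENTIFIER (tag 6). The sketch below walks a constructed AlgorithmIdentifier sample to show both positions; the function names and the sample bytes are this example's own assumptions.

```python
# Added example: minimal DER TLV walker (single-octet tags only).
UNIVERSAL = {2: "INTEGER", 3: "BIT STRING", 4: "OCTET STRING", 5: "NULL",
             6: "OBJECT IDENTIFIER", 16: "SEQUENCE", 17: "SET"}
# Constructed sample: DER AlgorithmIdentifier for rsaEncryption, NULL parameters.
ALG_ID = bytes.fromhex("300d06092a864886f70d0101010500")

def describe_tag(tag):
    """Split an identifier octet into (class, constructed flag, type name)."""
    cls = ("universal", "application", "context", "private")[tag >> 6]
    number = tag & 0x1F
    name = UNIVERSAL.get(number, "type %d" % number) if cls == "universal" else "[%d]" % number
    return cls, bool(tag & 0x20), name

def read_tlv(data, pos=0):
    """Return (tag, value_start, value_end) for the TLV starting at pos."""
    if pos + 2 > len(data):
        raise ValueError("truncated header")
    tag, first = data[pos], data[pos + 1]
    pos += 2
    length = first
    if first & 0x80:                      # long form: low 7 bits count length octets
        n = first & 0x7F
        if n == 0 or pos + n > len(data):
            raise ValueError("indefinite or truncated length")
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    if pos + length > len(data):
        raise ValueError("truncated value")
    return tag, pos, pos + length

def walk(data, pos=0, end=None, depth=0):
    """Flatten a DER structure into (depth, tag, type name) tuples."""
    end, out = (len(data) if end is None else end), []
    while pos < end:
        tag, start, stop = read_tlv(data, pos)
        out.append((depth, tag, describe_tag(tag)[2]))
        if tag & 0x20:                    # constructed: descend into the value
            out.extend(walk(data, start, stop, depth + 1))
        pos = stop
    return out

def expect_oid(data, pos=0):
    """Decode an OID at pos, failing the way the quoted exception does otherwise."""
    tag, start, stop = read_tlv(data, pos)
    if tag != 0x06:
        raise ValueError("data isn't an object ID (tag = %d)" % tag)
    arcs, acc = [], 0
    for b in data[start:stop]:            # base-128 arcs, high bit = continuation
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    head = [arcs[0] // 40, arcs[0] % 40] if arcs[0] < 80 else [2, arcs[0] - 80]
    return ".".join(str(a) for a in head + arcs[1:])
```

Calling expect_oid(ALG_ID) at offset 0 raises with "tag = 48", while offset 2 (inside the SEQUENCE) decodes the OID.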