On 22/03/2019 17:18, Ethan Jensen wrote:
> On Fri, Mar 22, 2019 at 11:07 AM Ethan Jensen <sr.agent.r...@gmail.com>
> wrote:
> 
>>
>>
>> On Fri, Mar 22, 2019 at 10:56 AM Mark Thomas <ma...@apache.org> wrote:
>>
>>> On 22/03/2019 16:40, Ethan Jensen wrote:
>>>> OS: Windows Server 2012 R2
>>>> JDK: Oracle JDK 1.8.0_201
>>>>
>>>> Attempting to migrate from Tomcat 8.5.38 -> 8.5.39 results in
>>>>
>>>> Failed to initialize connector [Connector[HTTP/1.1-443]]
>>>>
>>>> when using the exact same configuration.  Tomcat's .../conf/server.xml is
>>>> unchanged.  Did a configuration parameter change or get renamed?  The
>>>> exception is fairly cryptic from my point of view.
>>>
>>> <snip/>
>>>
>>>> Caused by: java.lang.IllegalArgumentException: ObjectIdentifier() -- data isn't an object ID (tag = 48)
>>>>     at org.apache.tomcat.util.net.AprEndpoint.createSSLContext(AprEndpoint.java:404)
>>>>     at org.apache.tomcat.util.net.AprEndpoint.bind(AprEndpoint.java:368)
>>>>     at org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:1105)
>>>>     at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:581)
>>>>     at org.apache.coyote.http11.AbstractHttp11Protocol.init(AbstractHttp11Protocol.java:68)
>>>>     at org.apache.catalina.connector.Connector.initInternal(Connector.java:993)
>>>>     ... 13 more
>>>
>>> Looks like a certificate in a format JSSE can't handle. If you can
>>> provide the steps (e.g. OpenSSL commands) to recreate a key/certificate
>>> in that format we should be able to reproduce it and figure out a fix.
>>>
>>> Mark
>>>
>>>
>> Mark,
>>
>> These are the steps I used to create my certificate a couple of years ago
>> (3 year validity).
>>
>> 1. Generate CSR:
>>
>> openssl req -out cert.csr -new -newkey rsa:2048 -nodes -keyout cert.key
>>
>> 2. Create a certificate chain file, using the certificates from CA:
>>
>> cat CERT.crt > chain_certs.pem &&
>> echo "" >> chain_certs.pem &&
>> cat OV_NetworkSolutionsOVServerCA2.crt >> chain_certs.pem &&
>> echo "" >> chain_certs.pem &&
>> cat OV_USERTrustRSACertificationAuthority.crt >> chain_certs.pem &&
>> echo "" >> chain_certs.pem
>>
>> 3. Use openssl to package the certificate chain and private key into a
>> PKCS#12 container:
>>
>> openssl pkcs12 -export -out cert.p12 -inkey cert.key -in chain_certs.pem -name "cert_name"
>>
>>
>>
> Also, it should be noted that for the APR connector, I'm using the raw
> individual certificate/chain/key files for the configuration parameters.
> The pkcs12 step I only use with the NIO fallback connector (currently
> commented out in my server.xml) in the event the APR connector is broken.

Thanks for the additional info. Those steps are effectively identical to
the ones we use to create the test certificates for Tomcat.

It looks like the difference is the encryption you are using for the
private key. What are you using? I've tried a few different ones here
and while JSSE can't process the PEM file it throws a KeyStoreException
which causes Tomcat to pass the cert directly to OpenSSL.

I'd like to be able to reproduce this before I patch it although I do
have a patch in mind for you to test based on the stack trace.

Mark
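
The fallback Mark describes only works when JSSE rejects the key with a KeyStoreException, and the "tag = 48" in the trace is the DER tag for SEQUENCE (0x30): the parser expected an OBJECT IDENTIFIER and found a SEQUENCE instead. As an added example (not code from this thread or from Tomcat), the Python inspector below reports how a PEM private key is encoded (PKCS#8 plain or encrypted, or traditional OpenSSL with Proc-Type/DEK-Info headers and its cipher) and lists the tags of the top-level DER elements; the sample key bodies are constructed stubs with the right outer shape, not real keys.

```python
import base64
import re

PEM_RE = re.compile(r"-----BEGIN ([A-Z ]+)-----\r?\n(.*?)-----END \1-----", re.S)

def _der_len(der, pos):  # DER length field at `pos` -> (content_start, content_end)
    n = der[pos] & 0x7F if der[pos] >= 0x80 else 0      # long form: n more length bytes
    length = int.from_bytes(der[pos + 1:pos + 1 + n], "big") if n else der[pos]
    return pos + 1 + n, pos + 1 + n + length

def der_child_tags(der):  # tag bytes directly inside an outer DER SEQUENCE (0x30 = 48)
    if not der or der[0] != 0x30:
        return []
    pos, end, tags = *_der_len(der, 1), []
    while pos < end:
        tags.append(der[pos])
        pos = _der_len(der, pos + 1)[1]
    return tags

def inspect_pem_key(pem):
    """Classify a PEM private key by label and RFC 1421 headers; walk the DER unless it is ciphertext."""
    m = PEM_RE.search(pem)
    if not m: raise ValueError("no PEM block found")
    label, lines, headers = m.group(1), m.group(2).strip().splitlines(), {}
    while lines and ":" in lines[0]:                      # Proc-Type / DEK-Info headers
        k, v = lines.pop(0).split(":", 1)
        headers[k.strip()] = v.strip()
    body = base64.b64decode("".join(l.strip() for l in lines))
    if label == "ENCRYPTED PRIVATE KEY":
        fmt = "PKCS#8 EncryptedPrivateKeyInfo"
    elif label == "PRIVATE KEY":
        fmt = "PKCS#8 PrivateKeyInfo (unencrypted)"
    elif headers.get("Proc-Type", "").endswith("ENCRYPTED"):
        fmt = "traditional OpenSSL, " + headers.get("DEK-Info", "?").split(",")[0]
        body = b""                                        # body is ciphertext, not DER
    else:
        fmt = "traditional OpenSSL, unencrypted (PKCS#1 for RSA)"
    return {"label": label, "format": fmt, "child_tags": der_child_tags(body)}

def make_pem(label, der, headers=""):  # constructed sample PEM around a stub body, not a real key
    return "-----BEGIN %s-----\n%s%s\n-----END %s-----\n" % (label, headers, base64.b64encode(der).decode(), label)

RSA_OID, PBES2_OID = bytes.fromhex("06092a864886f70d010101"), bytes.fromhex("06092a864886f70d01050d")
SAMPLES = {  # minimal outer DER shapes only; the OCTET STRING key material is left empty on purpose
    "pkcs8": make_pem("PRIVATE KEY", b"\x30\x14\x02\x01\x00\x30\x0d" + RSA_OID + b"\x05\x00\x04\x00"),
    "pkcs8_enc": make_pem("ENCRYPTED PRIVATE KEY", b"\x30\x11\x30\x0d" + PBES2_OID + b"\x05\x00\x04\x00"),
    "pkcs1": make_pem("RSA PRIVATE KEY", b"\x30\x06\x02\x01\x00\x02\x01\x03"),
    "trad_enc": make_pem("RSA PRIVATE KEY", bytes(range(16)), "Proc-Type: 4,ENCRYPTED\nDEK-Info: AES-256-CBC,00112233445566778899AABBCCDDEEFF\n\n"),
}
```

Running `inspect_pem_key` over a real `cert.key` answers Mark's question about the key encryption; a first child tag of 48 inside an encrypted PKCS#8 key is the AlgorithmIdentifier SEQUENCE, which is where a parser that expects an OID first would fail with exactly the message in the trace.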
