On Thu, Mar 28, 2019 at 11:11 AM Mark Thomas <ma...@apache.org> wrote:

> On 28/03/2019 16:50, Ethan Jensen wrote:
> > On Fri, Mar 22, 2019 at 1:13 PM Ethan Jensen <sr.agent.r...@gmail.com> wrote:
> >
> >> On Fri, Mar 22, 2019 at 12:51 PM Mark Thomas <ma...@apache.org> wrote:
> >>
> >>> On 22/03/2019 17:18, Ethan Jensen wrote:
> >>>> On Fri, Mar 22, 2019 at 11:07 AM Ethan Jensen <sr.agent.r...@gmail.com> wrote:
> >>>>
> >>>>> On Fri, Mar 22, 2019 at 10:56 AM Mark Thomas <ma...@apache.org> wrote:
> >>>>>
> >>>>>> On 22/03/2019 16:40, Ethan Jensen wrote:
> >>>>>>> OS: Windows Server 2012 R2
> >>>>>>> JDK: Oracle JDK 1.8.0_201
> >>>>>>>
> >>>>>>> Attempting to migrate from Tomcat 8.5.38 -> 8.5.39 results in
> >>>>>>>
> >>>>>>> Failed to initialize connector [Connector[HTTP/1.1-443]]
> >>>>>>>
> >>>>>>> when using the exact same configuration. Tomcat's .../conf/server.xml is
> >>>>>>> unchanged. Did a configuration parameter change or get renamed? The
> >>>>>>> exception is fairly cryptic from my point of view.
> >>>>>>
> >>>>>> <snip/>
> >>>>>>
> >>>>>>> Caused by: java.lang.IllegalArgumentException: ObjectIdentifier() -- data
> >>>>>>> isn't an object ID (tag = 48)
> >>>>>>>         at org.apache.tomcat.util.net.AprEndpoint.createSSLContext(AprEndpoint.java:404)
> >>>>>>>         at org.apache.tomcat.util.net.AprEndpoint.bind(AprEndpoint.java:368)
> >>>>>>>         at org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:1105)
> >>>>>>>         at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:581)
> >>>>>>>         at org.apache.coyote.http11.AbstractHttp11Protocol.init(AbstractHttp11Protocol.java:68)
> >>>>>>>         at org.apache.catalina.connector.Connector.initInternal(Connector.java:993)
> >>>>>>>         ... 13 more
> >>>>>>
> >>>>>> Looks like a certificate in a format JSSE can't handle. If you can
> >>>>>> provide the steps (e.g. OpenSSL commands) to recreate a key/certificate
> >>>>>> in that format we should be able to reproduce it and figure out a fix.
> >>>>>>
> >>>>>> Mark
> >>>>>>
> >>>>>
> >>>>> Mark,
> >>>>>
> >>>>> These are the steps I used to create my certificate a couple of years ago
> >>>>> (3 year validity).
> >>>>>
> >>>>> 1. Generate CSR:
> >>>>>
> >>>>> openssl req -out cert.csr -new -newkey rsa:2048 -nodes -keyout cert.key
> >>>>>
> >>>>> 2. Create a certificate chain file, using the certificates from CA:
> >>>>>
> >>>>> cat CERT.crt > chain_certs.pem &&
> >>>>> echo "" >> chain_certs.pem &&
> >>>>> cat OV_NetworkSolutionsOVServerCA2.crt >> chain_certs.pem &&
> >>>>> echo "" >> chain_certs.pem &&
> >>>>> cat OV_USERTrustRSACertificationAuthority.crt >> chain_certs.pem &&
> >>>>> echo "" >> chain_certs.pem
> >>>>>
> >>>>> 3. Use openssl to package the certificate chain and private key into a
> >>>>> PKCS#12 container:
> >>>>>
> >>>>> openssl pkcs12 -export -out cert.p12 -inkey cert.key -in chain_certs.pem
> >>>>> -name "cert_name"
> >>>>>
> >>>>
> >>>> Also, it should be noted that for the APR connector, I'm using the raw
> >>>> individual certificate/chain/key files for the configuration parameters.
> >>>> The pkcs12 step I only use with the NIO fallback connector (currently
> >>>> commented out in my server.xml) in the event the APR connector is broken.
> >>>
> >>> Thanks for the additional info. Those steps are effectively identical to
> >>> the ones we use to create the test certificates for Tomcat.
> >>>
> >>> It looks like the difference is the encryption you are using for the
> >>> private key. What are you using? I've tried a few different ones here
> >>> and while JSSE can't process the PEM file it throws a KeyStoreException
> >>> which causes Tomcat to pass the cert directly to OpenSSL.
> >>>
> >>> I'd like to be able to reproduce this before I patch it although I do
> >>> have a patch in mind for you to test based on the stack trace.
> >>>
> >>> Mark
> >>>
> >>
> >> I'm not quite clear what you mean here. Can you elaborate?
> >>
> >> "It looks like the difference is the encryption you are using for the
> >> private key. What are you using?"
> >>
> >> I'm assuming whatever is the default (I generated the certificate on a
> >> CentOS 7 host). Using the steps I outlined above, the only thing it asked
> >> me for was an Export Password to be tied to the private key. Perhaps some
> >> special characters in that password are tripping things up with the new
> >> JSSE configuration?
> >>
> >> --
> >> Ethan
> >>
> >
> > Mark,
> >
> > Did you need any additional information from me regarding this config? Or
> > did you get everything you needed?
>
> Sorry, I missed replying to this.
>
> Can you post the header of your private key file? It should look
> something like:
>
> -----BEGIN RSA PRIVATE KEY-----
> Proc-Type: 4,ENCRYPTED
> DEK-Info: AES-256-CBC,D02DE734A8C2DBA625FC4180E7AECC78
>
> Thanks,
>
> Mark
>

Here you are:

Bag Attributes
    localKeyID: 14 A3 77 23 14 44 3E 99 FD 7D A4 BE C3 4C 10 D0 DD 5A DA 0B
    friendlyName: mydomain.com
Key Attributes: <No Attributes>
-----BEGIN ENCRYPTED PRIVATE KEY-----
...

--
Ethan
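The two headers exchanged above differ in two ways: the traditional OpenSSL form Mark expected starts directly with `-----BEGIN RSA PRIVATE KEY-----` and carries `Proc-Type`/`DEK-Info` lines, while the file Ethan posted is a PKCS#8 `ENCRYPTED PRIVATE KEY` block preceded by the `Bag Attributes` text that `openssl pkcs12` writes when a key is extracted. The following shell script is an added example (not from this thread, Tomcat or OpenSSL) that classifies a PEM key file by its BEGIN line and reports whether non-PEM text precedes the block, so an operator can describe the key format precisely before changing a connector's configuration or filing a report. The function name `pem_key_kind`, the category labels it prints, and the sample files (placeholder base64 bodies, not real keys) are all constructed for this example.

```shell
#!/bin/sh
# Classify a PEM private key file by the type named on its BEGIN line and
# report whether anything precedes that line (e.g. the "Bag Attributes"
# block written by `openssl pkcs12 -nocerts`). Hypothetical helper written
# for this example; output is "<kind> <clean|prefixed>".
pem_key_kind() {
    file="$1"
    first_line=$(head -n 1 "$file")
    begin_line=$(grep '^-----BEGIN ' "$file" | head -n 1)
    prefix="clean"
    # Any text before the PEM armour counts as a prefix.
    [ "$first_line" = "$begin_line" ] || prefix="prefixed"
    case "$begin_line" in
        "-----BEGIN ENCRYPTED PRIVATE KEY-----")
            kind="pkcs8-encrypted" ;;
        "-----BEGIN PRIVATE KEY-----")
            kind="pkcs8-plain" ;;
        "-----BEGIN RSA PRIVATE KEY-----")
            # Traditional format signals encryption via PEM headers, not the type name.
            if grep -q '^Proc-Type: 4,ENCRYPTED' "$file"; then
                kind="pkcs1-encrypted"
            else
                kind="pkcs1-plain"
            fi ;;
        *)
            kind="unknown" ;;
    esac
    printf '%s %s\n' "$kind" "$prefix"
}

# Constructed sample files in a scratch directory (removed on exit).
workdir=$(mktemp -d)
trap 'rm -rf "$workdir"' EXIT

# Sample 1 (constructed): shape of a key extracted with `openssl pkcs12 -nocerts`.
cat > "$workdir/pkcs12_export.key" <<'EOF'
Bag Attributes
    localKeyID: 00 11 22 33 44 55 66 77 88 99 AA BB CC DD EE FF 00 11 22 33
    friendlyName: example.test
Key Attributes: <No Attributes>
-----BEGIN ENCRYPTED PRIVATE KEY-----
MIIBAAAAAAAAPLACEHOLDERBODYNOTAREALKEY
-----END ENCRYPTED PRIVATE KEY-----
EOF

# Sample 2 (constructed): traditional OpenSSL encrypted key header.
cat > "$workdir/traditional.key" <<'EOF'
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-256-CBC,00112233445566778899AABBCCDDEEFF

MIIBAAAAAAAAPLACEHOLDERBODYNOTAREALKEY
-----END RSA PRIVATE KEY-----
EOF

# Sample 3 (constructed): unencrypted PKCS#8 key as `openssl req -nodes` may write.
cat > "$workdir/pkcs8_plain.key" <<'EOF'
-----BEGIN PRIVATE KEY-----
MIIBAAAAAAAAPLACEHOLDERBODYNOTAREALKEY
-----END PRIVATE KEY-----
EOF

# Stand-alone run: one report line per sample file.
for f in "$workdir"/*.key; do
    printf '%s: %s\n' "$(basename "$f")" "$(pem_key_kind "$f")"
done
```

Run it on the file named by a connector's `SSLCertificateKeyFile` (or the key inside a `certificateKeyFile` attribute) to see which of the two shapes from the thread you have; a `prefixed` result means text precedes the PEM armour, which is the case Ethan's header shows.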