On Thu, Mar 28, 2019 at 11:11 AM Mark Thomas <ma...@apache.org> wrote:

> On 28/03/2019 16:50, Ethan Jensen wrote:
> > On Fri, Mar 22, 2019 at 1:13 PM Ethan Jensen <sr.agent.r...@gmail.com> wrote:
> >
> >> On Fri, Mar 22, 2019 at 12:51 PM Mark Thomas <ma...@apache.org> wrote:
> >>
> >>> On 22/03/2019 17:18, Ethan Jensen wrote:
> >>>> On Fri, Mar 22, 2019 at 11:07 AM Ethan Jensen <sr.agent.r...@gmail.com> wrote:
> >>>>
> >>>>>
> >>>>>
> >>>>> On Fri, Mar 22, 2019 at 10:56 AM Mark Thomas <ma...@apache.org> wrote:
> >>>>>
> >>>>>> On 22/03/2019 16:40, Ethan Jensen wrote:
> >>>>>>> OS: Windows Server 2012 R2
> >>>>>>> JDK: Oracle JDK 1.8.0_201
> >>>>>>>
> >>>>>>> Attempting to migrate from Tomcat 8.5.38 -> 8.5.39 results in
> >>>>>>>
> >>>>>>> Failed to initialize connector [Connector[HTTP/1.1-443]]
> >>>>>>>
> >>>>>>> when using the exact same configuration.  Tomcat's .../conf/server.xml is
> >>>>>>> unchanged.  Did a configuration parameter change or get renamed?  The
> >>>>>>> exception is fairly cryptic from my point of view.
> >>>>>>
> >>>>>> <snip/>
> >>>>>>
> >>>>>>> Caused by: java.lang.IllegalArgumentException: ObjectIdentifier() -- data isn't an object ID (tag = 48)
> >>>>>>>     at org.apache.tomcat.util.net.AprEndpoint.createSSLContext(AprEndpoint.java:404)
> >>>>>>>     at org.apache.tomcat.util.net.AprEndpoint.bind(AprEndpoint.java:368)
> >>>>>>>     at org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:1105)
> >>>>>>>     at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:581)
> >>>>>>>     at org.apache.coyote.http11.AbstractHttp11Protocol.init(AbstractHttp11Protocol.java:68)
> >>>>>>>     at org.apache.catalina.connector.Connector.initInternal(Connector.java:993)
> >>>>>>>     ... 13 more
> >>>>>>
> >>>>>> Looks like a certificate in a format JSSE can't handle. If you can
> >>>>>> provide the steps (e.g. OpenSSL commands) to recreate a key/certificate
> >>>>>> in that format we should be able to reproduce it and figure out a fix.
> >>>>>>
> >>>>>> Mark
> >>>>>>
> >>>>>>
> >>>>> Mark,
> >>>>>
> >>>>> These are the steps I used to create my certificate a couple of years ago
> >>>>> (3 year validity).
> >>>>>
> >>>>> 1. Generate CSR:
> >>>>>
> >>>>> openssl req -out cert.csr -new -newkey rsa:2048 -nodes -keyout cert.key
> >>>>>
> >>>>> 2. Create a certificate chain file, using the certificates from CA:
> >>>>>
> >>>>> cat CERT.crt > chain_certs.pem &&
> >>>>> echo "" >> chain_certs.pem &&
> >>>>> cat OV_NetworkSolutionsOVServerCA2.crt >> chain_certs.pem &&
> >>>>> echo "" >> chain_certs.pem &&
> >>>>> cat OV_USERTrustRSACertificationAuthority.crt >> chain_certs.pem &&
> >>>>> echo "" >> chain_certs.pem
> >>>>>
> >>>>> 3. Use openssl to package the certificate chain and private key into a
> >>>>> PKCS#12 container:
> >>>>>
> >>>>> openssl pkcs12 -export -out cert.p12 -inkey cert.key -in chain_certs.pem -name "cert_name"
> >>>>>
> >>>>>
> >>>>>
> >>>> Also, it should be noted that for the APR connector, I'm using the raw
> >>>> individual certificate/chain/key files for the configuration parameters.
> >>>> The pkcs12 step I only use with the NIO fallback connector (currently
> >>>> commented out in my server.xml) in the event the APR connector is broken.
> >>>
> >>> Thanks for the additional info. Those steps are effectively identical to
> >>> the ones we use to create the test certificates for Tomcat.
> >>>
> >>> It looks like the difference is the encryption you are using for the
> >>> private key. What are you using? I've tried a few different ones here
> >>> and while JSSE can't process the PEM file it throws a KeyStoreException
> >>> which causes Tomcat to pass the cert directly to OpenSSL.
> >>>
> >>> I'd like to be able to reproduce this before I patch it although I do
> >>> have a patch in mind for you to test based on the stack trace.
> >>>
> >>> Mark
> >>>
> >>>
> >>>
> >> I'm not quite clear what you mean here.  Can you elaborate?
> >>
> >> "It looks like the difference is the encryption you are using for the
> >> private key. What are you using?"
> >>
> >> I'm assuming whatever is the default (I generated the certificate on a
> >> CentOS 7 host).  Using the steps I outlined above, the only thing it asked
> >> me for was an Export Password to be tied to the private key.  Perhaps some
> >> special characters in that password are tripping things up with the new
> >> JSSE configuration?
> >>
> >> --
> >> Ethan
> >>
> >>
> >
> > Mark,
> >
> > Did you need any additional information from me regarding this config?  Or
> > did you get everything you needed?
>
> Sorry, I missed replying to this.
>
> Can you post the header of your private key file? It should look
> something like:
>
> -----BEGIN RSA PRIVATE KEY-----
> Proc-Type: 4,ENCRYPTED
> DEK-Info: AES-256-CBC,D02DE734A8C2DBA625FC4180E7AECC78
>
> Thanks,
>
> Mark
>
>
Here you are:

Bag Attributes
    localKeyID: 14 A3 77 23 14 44 3E 99 FD 7D A4 BE C3 4C 10 D0 DD 5A DA 0B
    friendlyName: mydomain.com
Key Attributes: <No Attributes>
-----BEGIN ENCRYPTED PRIVATE KEY-----
...

--
Ethan
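
[Added worked example; this is not code from the thread and not Tomcat's own code.]

The header Ethan posted is worth reading against the one Mark asked for. "-----BEGIN ENCRYPTED PRIVATE KEY-----" with no Proc-Type/DEK-Info lines is a PKCS#8 EncryptedPrivateKeyInfo (RFC 5958), not the traditional OpenSSL "RSA PRIVATE KEY" form whose encryption is described by RFC 1421 headers, and the "Bag Attributes" / "Key Attributes" lines ahead of it are the preamble `openssl pkcs12` prints when it exports a key. A PKCS#8 body is a DER SEQUENCE, whose tag byte is 0x30 = 48, the value named in the exception; the trace also shows an IllegalArgumentException rather than the KeyStoreException Mark describes as what triggers the fall-through to OpenSSL. The Python below classifies a PEM private key the way a reviewer would by hand: BEGIN label, RFC 1421 headers, and the first DER tag of the body, plus the encryption-algorithm OID from a PKCS#8 header. All sample keys in it are constructed (synthetic DER with empty parameters and empty ciphertext), so nothing is decrypted and no real key material is involved; the OIDs are the standard PBES2 and rsaEncryption identifiers.

```python
import base64
import re

# Added example, not from the thread or Tomcat: classify a PEM private key by
# its BEGIN label and RFC 1421 headers, then inspect the first DER tag of the
# body.  All sample keys below are constructed (synthetic DER, empty ciphertext).

BEGIN_RE = re.compile(r"^-----BEGIN ([A-Z0-9 ]+)-----$")
END_RE = re.compile(r"^-----END ([A-Z0-9 ]+)-----$")

def parse_pem(pem_text):
    """Return (label, headers, der) for the first PEM block in pem_text."""
    # Text before BEGIN (e.g. the 'Bag Attributes' lines `openssl pkcs12`
    # prints) is skipped, as RFC 7468 allows; headers end at a blank line.
    lines = [ln.strip() for ln in pem_text.splitlines()]
    label, i = None, 0
    while i < len(lines) and label is None:
        m = BEGIN_RE.match(lines[i])
        label = m.group(1) if m else None
        i += 1
    if label is None:
        raise ValueError("no PEM BEGIN line found")
    headers, body, in_headers = {}, [], True
    for line in lines[i:]:
        if END_RE.match(line):
            return label, headers, base64.b64decode("".join(body))
        if in_headers and line == "":
            in_headers = False
            continue
        if in_headers and ":" in line:  # base64 never contains ':'
            name, value = line.split(":", 1)
            headers[name.strip()] = value.strip()
            continue
        in_headers = False
        body.append(line)
    raise ValueError("no PEM END line found")

def der_read_tlv(buf, pos=0):
    """Decode one DER tag/length at pos; return (tag, value_start, value_end)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length

def der_oid_to_dotted(value):
    """Decode the contents of a DER OBJECT IDENTIFIER into dotted notation."""
    first = value[0]
    arcs = [2, first - 80] if first >= 80 else [first // 40, first % 40]
    acc = 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(str(a) for a in arcs)

def classify_private_key(pem_text):
    """Report the PEM private-key encoding and whether it is encrypted."""
    label, headers, der = parse_pem(pem_text)
    info = {"label": label, "outer_tag": der[0] if der else None}
    if label == "ENCRYPTED PRIVATE KEY":
        # PKCS#8 EncryptedPrivateKeyInfo ::= SEQUENCE {
        #   encryptionAlgorithm AlgorithmIdentifier, encryptedData OCTET STRING }
        info.update(format="pkcs8", encrypted=True)
        _, seq_start, _ = der_read_tlv(der, 0)
        _, alg_start, _ = der_read_tlv(der, seq_start)
        tag, oid_start, oid_end = der_read_tlv(der, alg_start)
        info["encryption_oid"] = (der_oid_to_dotted(der[oid_start:oid_end])
                                  if tag == 0x06 else None)
    elif label == "PRIVATE KEY":
        info.update(format="pkcs8", encrypted=False)
    elif label.endswith(" PRIVATE KEY"):  # RSA/DSA/EC traditional OpenSSL form
        info.update(format="traditional", dek_info=headers.get("DEK-Info"),
                    encrypted=headers.get("Proc-Type") == "4,ENCRYPTED")
    else:
        info.update(format="unknown", encrypted=None)
    return info

def make_pem(label, der, headers=()):
    """Wrap raw DER as a PEM block; headers are 'Name: value' strings."""
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    hdr = "\n".join(headers) + "\n\n" if headers else ""
    return f"-----BEGIN {label}-----\n{hdr}{body}\n-----END {label}-----\n"

# Constructed samples: minimal PKCS#8 outer structures with empty parameters
# and empty key/ciphertext, plus a stand-in traditional encrypted key.
PBES2_OID = bytes.fromhex("06092a864886f70d01050d")  # 1.2.840.113549.1.5.13
RSA_OID = bytes.fromhex("06092a864886f70d010101")    # 1.2.840.113549.1.1.1
PKCS8_ENCRYPTED_DER = bytes.fromhex("3011300d") + PBES2_OID + bytes.fromhex("05000400")
PKCS8_PLAIN_DER = bytes.fromhex("3014020100300d") + RSA_OID + bytes.fromhex("05000400")
SAMPLE_PKCS8_ENCRYPTED = ("Bag Attributes\n    localKeyID: 00 11 22 33\n"
                          "    friendlyName: example.test\nKey Attributes: <No Attributes>\n"
                          + make_pem("ENCRYPTED PRIVATE KEY", PKCS8_ENCRYPTED_DER))
SAMPLE_PKCS8_PLAIN = make_pem("PRIVATE KEY", PKCS8_PLAIN_DER)
SAMPLE_TRADITIONAL = make_pem("RSA PRIVATE KEY", bytes.fromhex("8f3c1a5e7d0b9246"),
                              ["Proc-Type: 4,ENCRYPTED",
                               "DEK-Info: AES-256-CBC,D02DE734A8C2DBA625FC4180E7AECC78"])
```

Call classify_private_key() on the text of a key file; for the PKCS#8 sample it returns format "pkcs8", encrypted True, outer_tag 48 and encryption_oid 1.2.840.113549.1.5.13 (PBES2), while the traditional sample reports the DEK-Info line instead. For moving a key between the two encodings with OpenSSL 1.x, `openssl pkcs8 -topk8 -v2 aes-256-cbc -in key.pem -out key.pk8` writes the PKCS#8 ENCRYPTED PRIVATE KEY form and `openssl rsa -aes256 -in key.pem -out key.trad` writes the traditional RSA PRIVATE KEY form with Proc-Type/DEK-Info headers; that is general OpenSSL behaviour, not something the thread reports about Tomcat.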
