James,

On 1/8/20 12:35 PM, James H. H. Lampert wrote:
> On 1/8/20 5:18 AM, Christopher Schultz wrote: . . .
>> Now the URL line becomes (for me, using a management port):
>>
>> http://localhost:8217/manager/jmxproxy?invoke=Catalina:type%3DProtocolHandler,port%3D8215&op=reloadSslHostConfigs
> . . .
>> Have you configured any <SSLHostConfig> elements, or are you
>> using the old-style configuration like:
>>
>> <Connector SSLProtocol="TLS" keystoreFile="..." />
>
> I just have a connector definition in server.xml, almost exactly
> the same as I've been using in Tomcat 7 installations. I don't
> think prior to this discussion, I'd even *heard* of
> "SSLHostConfig."
>
>> You may need to change your connector configuration to use
>> nested <SSLHostConfig> elements if it's not that way already.
>>
>> Try invoking the "findSslHostConfigs" operation to see if it
>> completes. That will at least tell you if you have your
>> objectname correct.
>>
>> Like this:
>>
>> $ curl -k -u "test:test" "https://localhost:8443/manager/jmxproxy?invoke=Catalina:type%3DProtocolHandler,port%3D8443,address%3D127.0.0.1&op=findSslHostConfigs"
>
> This gave me a stacktrace:
>> curl -k -u "test:test" "https://localhost:8443/manager/jmxproxy?invoke=Catalina:type%3DProtocolHandler,port%3D8443,address%3D127.0.0.1&op=findSslHostConfigs"
>
> But omitting the address parameter, as in your own test, gave me
> this:
>> curl -k -u test:test "https://localhost:8443/manager/jmxproxy?invoke=Catalina:type%3DProtocolHandler,port%3D8443&op=findSslHostConfigs"
>> OK - Operation findSslHostConfigs returned:
>> org.apache.tomcat.util.net.SSLHostConfig@1a9b80c2
>
>> curl -k -u test:test "https://localhost:8443/manager/jmxproxy?invoke=Catalina:type%3DProtocolHandler,port%3D8443&op=reloadSslHostConfigs"
>> OK - Operation reloadSslHostConfigs without return value
>
> And I just now confirmed that the latter did indeed reload the
> keystore when I swapped between the regular keystore and a
> self-signed one, even though I just have the old-style connector
> definition.
>
> So apparently, it was the "address" parameter that was killing me.
> Interesting.
>
> The idea was to put the Tomcat server on the same certificate and
> private key files as the httpd server on the same EC2 box. Do I
> need this newfangled "SSLHostConfig" for that?
>
> At any rate, I think we have another breakthrough here, but at the
> same time, I think I also need to disable the "test" user, and get
> back to another project I have going, at least for now.

Glad you got it working. The next releases of Tomcat will give you a
better error message from JMXProxyServlet in cases like these. No more
NPEs.

-chris
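
An added example, not part of the original messages: the check-then-reload sequence from this thread as a POSIX shell script that leaves out the `address` key, verifies TLS instead of using `-k`, reads the Manager credentials from a netrc file, and confirms the reload by comparing certificate fingerprints (automating the keystore-swap check described above). `TOMCAT_CA`, `MANAGER_NETRC`, the script name and all function names are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. TOMCAT_CA, MANAGER_NETRC and all function
# names are assumptions; both variables must be set before calling reload_tls.

# Build the jmxproxy invoke URL. '=' inside the ObjectName is sent as %3D and
# the "address" key is left out, matching the call that succeeded in the thread.
jmx_invoke_url() (  # args: BASE_URL CONNECTOR_PORT OPERATION
  name=$(printf '%s' "Catalina:type=ProtocolHandler,port=$2" | sed 's/=/%3D/g')
  printf '%s/manager/jmxproxy?invoke=%s&op=%s\n' "${1%/}" "$name" "$3"
)

# Success is reported in the response body ("OK - Operation ..."), so check
# the body prefix in addition to curl's exit status.
jmx_ok() {
  case $1 in "OK - "*) return 0 ;; *) return 1 ;; esac
}

# SHA-256 fingerprint of the first PEM certificate found on stdin.
cert_fp() { openssl x509 -noout -fingerprint -sha256 | cut -d= -f2; }

reload_tls() (  # args: BASE_URL CONNECTOR_PORT EXPECTED_CERT_PEM
  base=$1; port=$2; pem=$3
  host=${base#*://}; host=${host%%[:/]*}
  for op in findSslHostConfigs reloadSslHostConfigs; do
    # --cacert replaces -k; --netrc-file keeps the Manager credentials out of
    # the process list and shell history.
    body=$(curl --silent --show-error --fail \
      --cacert "${TOMCAT_CA:?}" --netrc-file "${MANAGER_NETRC:?}" \
      "$(jmx_invoke_url "$base" "$port" "$op")") || exit 1
    jmx_ok "$body" || { printf '%s failed: %s\n' "$op" "$body" >&2; exit 1; }
  done
  # Confirm the connector now serves the certificate we expect.
  want=$(cert_fp < "$pem")
  got=$(openssl s_client -connect "$host:$port" -servername "$host" \
    </dev/null 2>/dev/null | cert_fp)
  [ -n "$want" ] && [ "$want" = "$got" ]
)

# Runs only when called with three arguments, e.g.:
#   ./reload-tls.sh https://localhost:8443 8443 /path/to/server-cert.pem
if [ "$#" -eq 3 ]; then reload_tls "$@"; fi
```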