Using the certificate files instead of a Java Keystore file, Re: Let's Encrypt with Tomcat?

Wed, 08 Jan 2020 15:59:41 -0800 

I wrote:
Am I to understand that Tomcat 8.5.40 can use the ".cer," ".ca.crt" and ".key" files directly, instead of the Java Keystore file? 

On 12/30/19 1:41 PM, Peter Kreuser wrote:

Correct!


I tried an experiment this afternoon:

I made a copy of the existing server.xml file, and I changed the active
connector from this (keystore file and alias redacted for privacy,

ciphers and compressibleMimeTypes clauses redacted because they're quite 
long, and not relevant here):

<Connector port="8443" proxyPort="443" 
protocol="org.apache.coyote.http11.Http11NioProtocol"
 compression="on" compressionMinSize="2048" noCompressionUserAgents="gozilla, 
traviata"
 compressableMimeType="[REDACTED]"
 maxThreads="1000" socket.appReadBufSize="1024" socket.appWriteBufSize="1024" 
bufferSize="1024"
 SSLEnabled="true" scheme="https" secure="true"
 keystoreFile="[REDACTED]" keyAlias="[REDACTED]" ciphers="[REDACTED]"
 clientAuth="false" sslProtocol="TLS" />


to this:

<Connector port="8443" proxyPort="443" 
protocol="org.apache.coyote.http11.Http11NioProtocol"
 compression="on" compressionMinSize="2048" noCompressionUserAgents="gozilla, 
traviata"
 compressableMimeType="[REDACTED]"
 maxThreads="1000" socket.appReadBufSize="1024" socket.appWriteBufSize="1024" 
bufferSize="1024"
 SSLEnabled="true" scheme="https" secure="true">
  <SSLHostConfig ciphers="[REDACTED]"
               certificateVerification="none" sslProtocol="TLS">
    <Certificate certificateFile="[REDACTED].cer" 
certificateKeyFile="[REDACTED].key"
     certificateChainFile="[REDACTED].ca.crt" />
  </SSLHostConfig>
</Connector>



and restarted Tomcat, and it failed to open the port, producing this in 
catalina.out:

08-Jan-2020 23:14:09.026 SEVERE [main] 
org.apache.catalina.core.StandardService.initInternal Failed to initialize 
connector [Connector[HTTP/1.1-8443]]
 org.apache.catalina.LifecycleException: Failed to initialize component 
[Connector[HTTP/1.1-8443]]
        at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:112)
        at 
org.apache.catalina.core.StandardService.initInternal(StandardService.java:552)
        at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:107)
        at 
org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:875)
        at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:107)
        at org.apache.catalina.startup.Catalina.load(Catalina.java:639)
        at org.apache.catalina.startup.Catalina.load(Catalina.java:662)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at 
sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
        at 
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:498)
        at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:309)
        at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:492)
Caused by: org.apache.catalina.LifecycleException: Protocol handler 
initialization failed
        at 
org.apache.catalina.connector.Connector.initInternal(Connector.java:995)
        at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:107)
        ... 12 more
Caused by: java.lang.IllegalArgumentException: Cannot store non-PrivateKeys
        at 
org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:100)
        at 
org.apache.tomcat.util.net.AbstractJsseEndpoint.initialiseSsl(AbstractJsseEndpoint.java:72)
        at org.apache.tomcat.util.net.NioEndpoint.bind(NioEndpoint.java:244)
        at 
org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:1105)
        at 
org.apache.tomcat.util.net.AbstractJsseEndpoint.init(AbstractJsseEndpoint.java:224)
        at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:581)
        at 
org.apache.coyote.http11.AbstractHttp11Protocol.init(AbstractHttp11Protocol.java:68)
        at 
org.apache.catalina.connector.Connector.initInternal(Connector.java:993)
        ... 13 more
Caused by: java.security.KeyStoreException: Cannot store non-PrivateKeys
        at 
sun.security.provider.JavaKeyStore.engineSetKeyEntry(JavaKeyStore.java:261)
        at 
sun.security.provider.JavaKeyStore$JKS.engineSetKeyEntry(JavaKeyStore.java:56)
        at 
sun.security.provider.KeyStoreDelegator.engineSetKeyEntry(KeyStoreDelegator.java:117)
        at 
sun.security.provider.JavaKeyStore$DualFormatJKS.engineSetKeyEntry(JavaKeyStore.java:70)
        at java.security.KeyStore.setKeyEntry(KeyStore.java:1140)
        at 
org.apache.tomcat.util.net.SSLUtilBase.getKeyManagers(SSLUtilBase.java:313)
        at 
org.apache.tomcat.util.net.SSLUtilBase.createSSLContext(SSLUtilBase.java:239)
        at 
org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:98)
        ... 20 more



Can anybody explain what I did wrong? These are fully-qualified paths to 
the certificate, chain, and key files. [REDACTED].ca.crt contains a 
certificate chain; [REDACTED].cer contains a certificate, and 
[REDACTED].key contains a private key, and they all work in Apache 
httpd, on the same box.


--
JHHL

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
























					Reply via email to