Hi Luis,
My keystore (for HTTPS):
-rw-r--r-- 1 root root 4067 Sep 8 10:27 /diagdata/keystore.jks
General Java Keystore:
-rw-r--r-- 1 root root 149549 Sep 8 09:32 /etc/ssl/certs/java/cacerts
lrwxrwxrwx 1 root root 27 Apr 18 14:25 /usr/lib/jvm/java-14-openjdk-amd64/lib/security/cacerts -> /etc/ssl/certs/java/cacerts
<6>Starting ProtocolHandler ["https-openssl-nio-8443"]
javax.net.ssl|DEBUG|01|main|2020-09-08 10:39:18.507 CEST|SunX509KeyManagerImpl.java:160|found key for : main (
"certificate" : {
"version" : "v3",
"serial number" : "00 FC 1F BA 70 76 61 59 05",
"signature algorithm": "SHA256withRSA",
"issuer" : "CN=localhost",
"not before" : "2020-09-08 10:27:50.000 CEST",
"not after" : "2023-06-29 10:27:50.000 CEST",
"subject" : "CN=localhost",
"subject public key" : "RSA",
"extensions" : [
{
ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 81 53 CD 0B 4F 48 05 13 43 BF 30 59 0C 85 A3 20  .S..OH..C.0Y...
0010: 44 7D 01 9D                                      D...
]
]
}
]}
)
<2>Failed to start component [Connector[HTTP/1.1-8443]]
[...]
keystore.jks is created by: keytool -genkey -alias main -keyalg RSA -keysize 4096 -sigalg SHA256withRSA -dname "CN=localhost" -validity 1024 -keypass custo1234 -storepass custo1234 -keystore /diagdata/keystore.jks
The interesting part: all of this works under Windows by using -Djavax.net.ssl.trustStoreType=WINDOWS-ROOT
________________________________________
From: Luis Rodríguez Fernández [[email protected]]
Sent: Tuesday, 8 September 2020 10:16
To: Tomcat Users List
Subject: Re: Truststore in HTTPS Connector does not work with Linux
Hello David,
That error usually happens when the java process (tomcat) cannot access
the truststore file. May I ask you to check permissions and ownership of
the truststore file? You can always add -Djavax.net.debug=all to your
CATALINA_OPTS; it will give you way more information about the issue.
Hope it helps,
Luis
On Tue, 8 Sep 2020 at 9:58, David Weisgerber (<
[email protected]>) wrote:
> Hi,
> I have some weird problem or bug with the HTTPS Connector. In our product,
> that ships with tomcat, we want to achieve the following:
> There is one keystore where the customer puts its server certificate for
> HTTPS as well as (if intended) zero or one certificate for client
> authentication. The certificate for client authentication can be
> self-signed and the customer can set up its own certificate authority for
> this.
> For this I put the following code for configuring the connector in the
> server.xml:
>
> <Connector port="8443"
> protocol="org.apache.coyote.http11.Http11NioProtocol"
> maxThreads="150" SSLEnabled="true" scheme="https"
> secure="true" bindOnInit="false"
> clientAuth="false" sslProtocol="TLS"
> keystoreFile="/diagdata/keystore.jks" keystorePass="custo1234"
> keyAlias="main" truststoreFile="/diagdata/keystore.jks"
> truststorePassword="custo1234" />
>
> (The real clientAuth is done in the deployed application because it is
> more complicated, I just need the feature to be enabled).
> This gives me the following error:
> org.apache.catalina.LifecycleException: Protocol handler start failed
> <2> at org.apache.catalina.connector.Connector.startInternal(Connector.java:1038)
> <2> at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:183)
> <2> at org.apache.catalina.core.StandardService.startInternal(StandardService.java:438)
> <2> at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:183)
> <2> at org.apache.catalina.core.StandardServer.startInternal(StandardServer.java:930)
> <2> at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:183)
> <2> at org.apache.catalina.startup.Catalina.start(Catalina.java:633)
> <2> at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> <2> at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
> <2> at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
> <2> at java.base/java.lang.reflect.Method.invoke(Method.java:564)
> <2> at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:343)
> <2> at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:478)
> <2>Caused by: java.lang.IllegalArgumentException: the trustAnchors parameter must be non-empty
> <2> at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:99)
> <2> at org.apache.tomcat.util.net.AbstractJsseEndpoint.initialiseSsl(AbstractJsseEndpoint.java:71)
> <2> at org.apache.tomcat.util.net.NioEndpoint.bind(NioEndpoint.java:217)
> <2> at org.apache.tomcat.util.net.AbstractEndpoint.bindWithCleanup(AbstractEndpoint.java:1141)
> <2> at org.apache.tomcat.util.net.AbstractEndpoint.start(AbstractEndpoint.java:1227)
> <2> at org.apache.coyote.AbstractProtocol.start(AbstractProtocol.java:592)
> <2> at org.apache.catalina.connector.Connector.startInternal(Connector.java:1035)
> <2> ... 12 more
> <2>Caused by: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty
> <2> at java.base/java.security.cert.PKIXParameters.setTrustAnchors(PKIXParameters.java:200)
> <2> at java.base/java.security.cert.PKIXParameters.<init>(PKIXParameters.java:157)
> <2> at java.base/java.security.cert.PKIXBuilderParameters.<init>(PKIXBuilderParameters.java:130)
> <2> at org.apache.tomcat.util.net.SSLUtilBase.getParameters(SSLUtilBase.java:494)
> <2> at org.apache.tomcat.util.net.SSLUtilBase.getTrustManagers(SSLUtilBase.java:425)
> <2> at org.apache.tomcat.util.net.SSLUtilBase.createSSLContext(SSLUtilBase.java:247)
> <2> at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:97)
> <2> ... 18 more
>
> The error goes away when I remove truststoreFile and truststorePassword.
> Now comes the interesting part: The same configuration works under Windows
> (with other paths of course) using the Windows-Store as truststore for
> HTTPS connections to other servers. The same configuration worked with
> Tomcat 8.5.4 and the error just popped up from version 8.5.5. The error
> also seems not to be based on the java version, I tried it with Java 8 and
> Java 14. Under Windows we use Java 9...
>
> Is this a Linux specific bug? What is a trust anchor anyway?
>
> Thanks in advance,
> David
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [email protected]
> For additional commands, e-mail: [email protected]
--
"Ever tried. Ever failed. No matter. Try Again. Fail again. Fail better."
- Samuel Beckett
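Added example, not code from either poster or from Tomcat: the Java program below reproduces the check that fails in the stack trace above. Tomcat's SSLUtilBase.getParameters() builds a PKIXBuilderParameters from the truststore KeyStore, and the JDK's PKIXParameters(KeyStore) constructor only collects TrustedCertificateEntry entries as trust anchors; PrivateKeyEntry entries are ignored. A file written by keytool -genkey (alias main in the keystore above) contains only a PrivateKeyEntry, so reusing it as truststoreFile yields zero anchors and exactly this InvalidAlgorithmParameterException, regardless of file permissions or OS. The class name TrustAnchorCheck, the Report type and the method names are my own; the empty in-memory keystore in main() is a constructed stand-in, because an empty keystore and a key-entry-only keystore produce the same (empty) set of trust anchors.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.InvalidAlgorithmParameterException;
import java.security.KeyStore;
import java.security.cert.PKIXBuilderParameters;
import java.security.cert.X509CertSelector;
import java.util.Enumeration;

/**
 * Hypothetical diagnostic (not Tomcat code) for
 * "the trustAnchors parameter must be non-empty".
 *
 * PKIXParameters(KeyStore) takes only TrustedCertificateEntry entries as trust
 * anchors; the PrivateKeyEntry that keytool -genkey writes is skipped.
 */
public class TrustAnchorCheck {

    /** What was found in one keystore and whether it can serve as a truststore. */
    public static final class Report {
        public int keyEntries;          // PrivateKeyEntry / SecretKeyEntry aliases
        public int trustedCertEntries;  // TrustedCertificateEntry aliases
        public boolean usableAsTruststore;
        public String reason;
    }

    /** Count entry types, then run the same constructor Tomcat's SSLUtilBase uses. */
    public static Report inspect(KeyStore ks) throws GeneralSecurityException {
        Report r = new Report();
        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements();) {
            String alias = e.nextElement();
            if (ks.isKeyEntry(alias)) {
                r.keyEntries++;
            } else if (ks.isCertificateEntry(alias)) {
                r.trustedCertEntries++;
            }
        }
        try {
            // Throws InvalidAlgorithmParameterException when no trusted
            // certificate entries exist, which is the "Caused by" in the trace.
            new PKIXBuilderParameters(ks, new X509CertSelector());
            r.usableAsTruststore = true;
            r.reason = "ok";
        } catch (InvalidAlgorithmParameterException ex) {
            r.usableAsTruststore = false;
            r.reason = ex.getMessage();
        }
        return r;
    }

    /** Load a keystore from disk (type e.g. "JKS" or "PKCS12") and inspect it. */
    public static Report inspectFile(String path, String type, char[] password)
            throws GeneralSecurityException, IOException {
        KeyStore ks = KeyStore.getInstance(type);
        try (FileInputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        return inspect(ks);
    }

    public static void main(String[] args) throws Exception {
        if (args.length == 0) {
            // Constructed case: an empty keystore has the same trust-anchor set
            // (none) as one that holds only a PrivateKeyEntry.
            KeyStore empty = KeyStore.getInstance("JKS");
            empty.load(null, null);
            print("constructed in-memory keystore", inspect(empty));
        } else {
            // Usage: java TrustAnchorCheck <path> [type] [password]
            String path = args[0];
            String type = args.length > 1 ? args[1] : "JKS";
            char[] pw = args.length > 2 ? args[2].toCharArray() : null;
            print(path, inspectFile(path, type, pw));
        }
    }

    private static void print(String label, Report r) {
        System.out.printf("%s: %d key entries, %d trusted certificate entries -> %s (%s)%n",
                label, r.keyEntries, r.trustedCertEntries,
                r.usableAsTruststore ? "usable as truststore" : "NOT usable as truststore",
                r.reason);
    }
}
```

Run against the file from the thread with `java TrustAnchorCheck /diagdata/keystore.jks JKS custo1234`; `keytool -list -v -keystore /diagdata/keystore.jks` shows the same distinction as "Entry type: PrivateKeyEntry" versus "trustedCertEntry". The fix is to give the truststore at least one trusted certificate, for example by importing the customer's client CA certificate with `keytool -importcert -alias clientca -file ca.crt -keystore /diagdata/keystore.jks` (clientca and ca.crt are placeholders). This also explains the Windows observation: trustStoreType=WINDOWS-ROOT exposes the Windows root CA store, whose entries are all trusted certificates, so the anchor set is never empty there.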