Rick,

On 3/3/21 09:23, Trudeau, Rick (Nokia - CA/Ottawa) wrote:

Tomcat version: 8.5.34

Hello,
I’m wondering if anyone has any theories about an SSL config related exception 
that we hit periodically on Tomcat startup that prevents the system from 
initializing properly.
I’ll emphasize “periodically” here, because we only trigger this rarely and 
have no reliable way of triggering the problem.
The exception seems to indicate that the certificateFile is missing, which is 
strange given that the certificateKeystoreFile is provided and available on the 
filesystem.
My understanding is that a certificateFile is not required when using a 
certificateKeystoreFile.
Any idea why there could be a certificateFile related exception when the 
certificateKeystoreFile is configured?

The stack trace is:

2021.02.28 21:19:48 890 +0000 SEVERE org.apache.catalina.core.StandardService Failed to initialize connector [Connector[HTTP/1.1-8544]]
org.apache.catalina.LifecycleException: Failed to initialize component [Connector[HTTP/1.1-8544]]
         at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:112)
         at org.apache.catalina.core.StandardService.initInternal(StandardService.java:552)
         at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:107)
         at org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:875)
         at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:107)
         at org.apache.catalina.startup.Catalina.load(Catalina.java:632)
         at org.apache.catalina.startup.Catalina.load(Catalina.java:655)
         at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
         at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
         at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
         at java.lang.reflect.Method.invoke(Method.java:498)
         at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:309)
         at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:492)
Caused by: org.apache.catalina.LifecycleException: Protocol handler initialization failed
         at org.apache.catalina.connector.Connector.initInternal(Connector.java:995)
         at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:107)
         ... 12 more
Caused by: java.lang.IllegalArgumentException: SSLHostConfig attribute certificateFile must be defined when using an SSL connector
         at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:115)
         at org.apache.tomcat.util.net.AbstractJsseEndpoint.initialiseSsl(AbstractJsseEndpoint.java:86)
         at org.apache.tomcat.util.net.NioEndpoint.bind(NioEndpoint.java:244)
         at org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:1087)
         at org.apache.tomcat.util.net.AbstractJsseEndpoint.init(AbstractJsseEndpoint.java:265)
         at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:581)
         at org.apache.coyote.http11.AbstractHttp11Protocol.init(AbstractHttp11Protocol.java:68)
         at org.apache.catalina.connector.Connector.initInternal(Connector.java:993)
         ... 13 more
Caused by: java.io.IOException: SSLHostConfig attribute certificateFile must be defined when using an SSL connector
         at org.apache.tomcat.util.net.jsse.JSSEUtil.getKeyManagers(JSSEUtil.java:203)
         at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:113)
         ... 20 more

Our connector is defined as follows:

     <Connector port="8544"
                protocol="HTTP/1.1"
                compression="on"
                compressibleMimeType="text/html,text/xml,text/plain,text/css,application/javascript,application/json"
                compressionMinSize="2048"
                connectionTimeout="60000"
                maxHttpHeaderSize="65536"
                scheme="https"
                secure="true"
                relaxedQueryChars="[]"
                SSLEnabled="true">
               <SSLHostConfig sslProtocol="TLS"
                        protocols=" TLSv1.2"
                        certificateVerification="optional"
                        honorCipherOrder="true"
                        ciphers="${server.cipher.suites.List}">
                         <Certificate certificateKeystoreFile="/opt/nsp/os/ssl/nsp.keystore"
                                certificateKeystorePassword="secret"
                                type="RSA"
                                certificateKeyPassword="secret" />
               </SSLHostConfig>
     </Connector>

Are you using tcnative and/or the APR connector? Your <Connector> doesn't choose, so the selection of the connector type will depend upon other configuration and/or the presence of the libtcnative library.

-chris

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
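
A check for the ambiguity raised in the reply above, added here as an example and not part of the original thread: it lists each TLS-enabled <Connector> in a server.xml and reports whether its protocol attribute names an explicit implementation class or is left at the generic "HTTP/1.1" value. The SAMPLE document, port 8545, the PEM paths and the function name are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Explicit Tomcat 8.5 protocol class names. Any other value (for example the
# generic "HTTP/1.1") leaves the connector type to Tomcat's own selection.
EXPLICIT = {
    "org.apache.coyote.http11.Http11NioProtocol",
    "org.apache.coyote.http11.Http11Nio2Protocol",
    "org.apache.coyote.http11.Http11AprProtocol",
}

# Constructed sample: the first connector is abridged from the thread, the
# other two are hypothetical and exist only to exercise the check.
SAMPLE = """<Server>
  <Service name="Catalina">
    <Connector port="8544" protocol="HTTP/1.1" SSLEnabled="true">
      <SSLHostConfig protocols="TLSv1.2">
        <Certificate certificateKeystoreFile="/opt/nsp/os/ssl/nsp.keystore" type="RSA"/>
      </SSLHostConfig>
    </Connector>
    <Connector port="8545" protocol="org.apache.coyote.http11.Http11NioProtocol" SSLEnabled="true">
      <SSLHostConfig>
        <Certificate certificateFile="conf/example-cert.pem" certificateKeyFile="conf/example-key.pem"/>
      </SSLHostConfig>
    </Connector>
    <Connector port="8080" protocol="HTTP/1.1"/>
  </Service>
</Server>"""

def audit_tls_connectors(server_xml):
    """Return one finding per TLS-enabled connector in the given server.xml text."""
    findings = []
    for conn in ET.fromstring(server_xml).iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue  # plain HTTP/AJP connectors are out of scope
        protocol = conn.get("protocol", "HTTP/1.1")  # Tomcat's documented default
        styles = set()
        for cert in conn.iter("Certificate"):
            if cert.get("certificateKeystoreFile"):
                styles.add("keystore")  # JSSE-style keystore configuration
            if cert.get("certificateFile"):
                styles.add("pem")       # OpenSSL-style PEM configuration
        findings.append({"port": conn.get("port"), "protocol": protocol,
                         "pinned": protocol in EXPLICIT, "cert_styles": sorted(styles)})
    return findings

if __name__ == "__main__":
    print(audit_tls_connectors(SAMPLE))
```

A finding with "pinned" set to False marks a connector whose type is not fixed by server.xml alone.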
