Chris, Thanks for your help so far! I am digging into this some more today.

First off, once I started building APR from source instead of doing "yum
install apr-devel", my main linking issue went away, so I think we are
getting close!!

Now I am struggling to get Spring Boot's embedded Tomcat to start up in the
APR mode.  Most of the blogs and docs I find are older and seem to be out
of date, or are otherwise not about embedded Tomcat.

With these JVM Params:
-Djava.library.path="/usr/lib/tcnative/lib"
-Dserver.ssl.certificate-key-file="/testkey.pem"
-Dserver.ssl.certificate-file="/testcert.pem"

Spring Boot / Tomcat fails to start with this error:
org.springframework.context.ApplicationContextException: Unable to start
web server; nested exception is
org.springframework.boot.web.server.WebServerException: Could not load key
store 'null'


I have found tomcat notes on using this connector:

<!-- Define an SSL Coyote HTTP/1.1 Connector on port 8443 -->
<Connector
           protocol="org.apache.coyote.http11.Http11AprProtocol"
           port="8443" maxThreads="200"
           scheme="https" secure="true" SSLEnabled="true"
           SSLCertificateFile="/usr/local/ssl/server.crt"
           SSLCertificateKeyFile="/usr/local/ssl/server.pem"
           SSLVerifyClient="optional" SSLProtocol="TLSv1+TLSv1.1+TLSv1.2"/>


But have not been able to figure out the right JVM params to tell Spring
Boot to work in that manner.

I am now trying to set up both .crt/.pem files AND ALSO the .pk12 to see
what happens....

Thanks!
Clay

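The server.xml Connector quoted in this message can be expressed programmatically for Spring Boot's embedded Tomcat. The following is an added example, not code from the thread or from the Tomcat/Spring projects; it assumes the file paths, port and key password from the thread and a Tomcat 9 / Spring Boot 2 classpath, and it configures the APR connector directly so that none of the `server.ssl.*` properties (which produced the "Could not load key store 'null'" error above) are needed. It deliberately drops TLSv1/TLSv1.1 from the quoted SSLProtocol value.

```java
import org.apache.catalina.core.AprLifecycleListener;
import org.apache.catalina.startup.Tomcat;
import org.apache.coyote.http11.Http11AprProtocol;
import org.apache.tomcat.util.net.SSLHostConfig;
import org.apache.tomcat.util.net.SSLHostConfigCertificate;
import org.springframework.boot.web.embedded.tomcat.TomcatServletWebServerFactory;
import org.springframework.boot.web.embedded.tomcat.TomcatWebServer;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;

@Configuration
public class AprTlsConfig {

    // Assumed values, taken from the JVM params and openssl req command in the thread.
    private static final String CERT_FILE = "/testcert.pem";
    private static final String KEY_FILE  = "/testkey.pem";
    private static final String KEY_PASS  = "test";   // the -passout value used for testkey.pem

    @Bean
    public TomcatServletWebServerFactory tomcatFactory() {
        TomcatServletWebServerFactory factory = new TomcatServletWebServerFactory() {
            @Override
            protected TomcatWebServer getTomcatWebServer(Tomcat tomcat) {
                // The APR listener belongs on the Server, not the Context. It loads
                // libtcnative and logs the APR/OpenSSL versions it found at startup,
                // which is the first thing to check when the native library fails to load.
                tomcat.getServer().addLifecycleListener(new AprLifecycleListener());
                return super.getTomcatWebServer(tomcat);
            }
        };
        factory.setPort(8443);
        // Same handler the Connector protocol="..." attribute names.
        factory.setProtocol(Http11AprProtocol.class.getName());
        factory.addConnectorCustomizers(connector -> {
            connector.setScheme("https");
            connector.setSecure(true);
            connector.setProperty("SSLEnabled", "true");

            // Mirrors SSLCertificateFile / SSLCertificateKeyFile / SSLProtocol from server.xml,
            // restricted to TLS 1.2 and 1.3 rather than the TLSv1+TLSv1.1+TLSv1.2 in the thread.
            SSLHostConfig ssl = new SSLHostConfig();
            ssl.setProtocols("TLSv1.2+TLSv1.3");
            SSLHostConfigCertificate cert =
                new SSLHostConfigCertificate(ssl, SSLHostConfigCertificate.Type.UNDEFINED);
            cert.setCertificateFile(CERT_FILE);
            cert.setCertificateKeyFile(KEY_FILE);
            cert.setCertificateKeyPassword(KEY_PASS);
            ssl.addCertificate(cert);
            connector.addSslHostConfig(ssl);
        });
        return factory;
    }
}
```

Leave `server.ssl.enabled` and the other `server.ssl.*` properties unset when using this, so Spring Boot does not also try to configure a JSSE key store on the same connector; `-Djava.library.path` pointing at the tcnative lib directory is still required.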

On Thu, Apr 7, 2022 at 1:22 PM Christopher Schultz <
ch...@christopherschultz.net> wrote:

> Clay,
>
> On 4/6/22 07:57, Clay Lehman wrote:
> > "Make sure you have the same versions of libssl, libapr, and libtcnative
> > that you built yourself and not those that e.g. ship with the OS. Where
> > are all your .so files for libtcnative, libssl, and libapr?"
> >
> > Do you know if there are instructions on building these, or where the .so
> > files normally live?
>
> The default LD_LIBRARY_PATH for your system may have lots of stuff in
> it. You'll have to check your system to see.
>
> When Tomcat starts-up, the AprLifecycleListener should report all the
> versions of the various things it's using. Does it get that far, or does
> it choke before that?
>
> -chris
>
> > On Tue, Apr 5, 2022 at 5:58 PM Christopher Schultz <
> > ch...@christopherschultz.net> wrote:
> >
> >> Clay,
> >>
> >> On 4/5/22 12:47, Clay Lehman wrote:
> >>> Hello!
> >>>
> >>>
> >>> I am trying to set up Tomcat Native using OpenSSL v3.0.2, and running
> >> into
> >>> an error on startup.  I have tried a ton of things, searched, read the
> >> docs
> >>> over and over, and cannot get past this.  Has anyone had success with
> >> this
> >>> setup?
> >>>
> >>>
> >>> I created a fully working sample project and Dockerfile to demonstrate
> >> the
> >>> issue:
> https://github.com/claylehman/spring-boot-tomcat-native-openssl3
> >>>
> >>>
> >>> Thanks!
> >>>
> >>> Clay
> >>>
> >>>
> >>> More info below....
> >>>
> >>>
> >>> Most of the examples and documentation that I have found is for old
> >>> versions of OpenSSL, but I do see some release notes mentioning OpenSSL
> >>> v3.0.x so I suspect this is supported to some degree.
> >>>
> >>>
> >>> I am testing this using a Docker container for "Oracle Linux Server 8"
> >>> (specifically FROM openjdk:latest).  I am running embedded Tomcat from
> >>> Spring Boot, but I don't suspect that is important for my issue.
> >>>
> >>>
> >>>
> >>> Notes about the setup steps (in the Dockerfile example):
> >>>
> >>>
> >>> 1) Installed OpenSSL v3.0.2 from source with FIPS enabled.
> >>>
> >>>    (
> >>>
> >>
> https://wiki.openssl.org/index.php/OpenSSL_3.0#Installation_and_Compilation_of_OpenSSL_3.0
> >>> )
> >>>
> >>>
> >>> RUN cd /usr/src \
> >>>
> >>>    && wget https://www.openssl.org/source/openssl-3.0.2.tar.gz \
> >>>
> >>>    && tar -zxf openssl-3.0.2.tar.gz \
> >>>
> >>>    && rm openssl-3.0.2.tar.gz \
> >>>
> >>>    && cd openssl-3.0.2 \
> >>>
> >>>    && ./config enable-fips && make -j8  && make -j8 install
> >>>
> >>>
> >>> RUN ln -s /usr/local/lib/libcrypto.so.3 /usr/lib64/libcrypto.so.3 \
> >>>
> >>>    && ln -s /usr/local/lib/libssl.so.3 /usr/lib64/libssl.so.3
> >>>
> >>>
> >>> RUN openssl fipsinstall -out /usr/local/ssl/fipsmodule.cnf -module
> >>> /usr/local/lib/ossl-modules/fips.so
> >>>
> >>>
> >>> 2) Installed Tomcat Native from source:
> >>>
> >>> (https://tomcat.apache.org/native-doc/)
> >>>
> >>>
> >>> RUN microdnf install apr-devel openssl-devel \
> >>>
> >>>    && mkdir /usr/lib/tcnative
> >>>
> >>>
> >>> RUN cd /usr/src \
> >>>
> >>>    && wget
> >>>
> >>
> https://dlcdn.apache.org/tomcat/tomcat-connectors/native/1.2.32/source/tomcat-native-1.2.32-src.tar.gz
> >>>    \
> >>>
> >>>    && tar -xvf tomcat-native-1.2.32-src.tar.gz \
> >>>
> >>>    && rm tomcat-native-1.2.32-src.tar.gz \
> >>>
> >>>    && cd tomcat-native-1.2.32-src/native \
> >>>
> >>>    && ./configure --with-api=/usr/bin/apr-1-config
> >>> --with-java-home=/usr/java/latest --with-ssl=yes
> >> --prefix=/usr/lib/tcnative
> >>> \
> >>>
> >>>    && make \
> >>>
> >>>    && make install
> >>>
> >>>
> >>> 3) Generate a self-signed certificate:
> >>>
> >>> RUN openssl req -x509 -newkey rsa:4096 -passout pass:test
> >>> -keyout testkey.pem -out testcert.pem -sha256 -days 90 -subj '/CN=
> >>> test.lehmansoftware.com'
> >>>
> >>>
> >>>
> >>> 4) To enable Tomcat Native, I pass these parameters:
> >>>
> >>> ENTRYPOINT java \
> >>>
> >>>    -Dserver.port=8443 \
> >>>
> >>>    -Dserver.ssl.enabled=true \
> >>>
> >>>    -Djava.library.path="/usr/lib/tcnative/lib" \
> >>>
> >>>    -Dserver.ssl.certificate-key-file="/testkey.pem" \
> >>>
> >>>    -Dserver.ssl.certificate-file="/testcert.pem" \
> >>>
> >>>    -jar app.jar
> >>>
> >>>
> >>>
> >>> 5) And finally, here is the error message that I receive on application
> >>> startup trying to use tcnative.
> >>>
> >>> cmts-docker-cmts-1  | [2022-04-04 14:49:01.549][${appenders}] WARN
> >> [main]
> >>> core.AprLifecycleListener - The Apache Tomcat Native library failed to
> >>> load. The error reported was
> >>> [/usr/lib/tcnative/lib/libtcnative-1.so.0.2.32:
> >>> /usr/lib/tcnative/lib/libtcnative-1.so.0.2.32: undefined symbol:
> >>> EVP_PKEY_get_bits]
> >>>
> >>> cmts-docker-cmts-1  | java.lang.UnsatisfiedLinkError:
> >>> /usr/lib/tcnative/lib/libtcnative-1.so.0.2.32:
> >>> /usr/lib/tcnative/lib/libtcnative-1.so.0.2.32: undefined symbol:
> >>> EVP_PKEY_get_bits
> >>>
> >>> cmts-docker-cmts-1  |  at
> jdk.internal.loader.NativeLibraries.load(Native
> >>> Method) ~[?:?]
> >>
> >> Looks like the build worked (right?) so any "undefined symbol" issues
> >> you see must be related to the versions made available to the process at
> >> runtime.
> >>
> >> Make sure you have the same versions of libssl, libapr, and libtcnative
> >> that you built yourself and not those that e.g. ship with the OS. Where
> >> are all your .so files for libtcnative, libssl, and libapr?
> >>
> >> -chris
> >>
> >> ---------------------------------------------------------------------
> >> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> >> For additional commands, e-mail: users-h...@tomcat.apache.org
> >>
> >>
> >
>
>
>
