Hang on.  I'm panicking.  I have a plane to catch in 3 hours and need this working by then.

   aws s3 cp fullca.p12 s3://691459864434-sgs-source/certs/sgstrust.p12

splatting one file on top of the other


Midway through this email when you last came in:  "Not running" is spot-on because...


The current problem is actually

   Jun 02, 2022 6:01:27 PM org.apache.coyote.AbstractProtocol init
   INFO: Initializing ProtocolHandler ["https-jsse-nio-10.0.2.118-15002"]
   Jun 02, 2022 6:01:27 PM org.apache.catalina.util.LifecycleBase handleSubClassException
   SEVERE: Failed to initialize component [Connector[HTTP/1.1-15002]]
   org.apache.catalina.LifecycleException: Protocol handler initialization failed
           at org.apache.catalina.connector.Connector.initInternal(Connector.java:1049)
           at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
           at org.apache.catalina.core.StandardService.initInternal(StandardService.java:556)
           at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
           at org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:1042)
           at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
           at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:173)
           at org.apache.catalina.startup.Tomcat.start(Tomcat.java:486)
           at edu.utah.camplab.server.SGSSelector.kickOff(SGSSelector.java:175)
           at edu.utah.camplab.server.SGSSelector.run(SGSSelector.java:187)
           at java.base/java.lang.Thread.run(Thread.java:833)
   Caused by: java.lang.IllegalArgumentException: Alias name [sgsAgent] does not identify a key entry
           at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:107)
           at org.apache.tomcat.util.net.AbstractJsseEndpoint.initialiseSsl(AbstractJsseEndpoint.java:71)
           at org.apache.tomcat.util.net.NioEndpoint.bind(NioEndpoint.java:234)
           at org.apache.tomcat.util.net.AbstractEndpoint.bindWithCleanup(AbstractEndpoint.java:1227)
           at org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:1240)
           at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:603)
           at org.apache.coyote.http11.AbstractHttp11Protocol.init(AbstractHttp11Protocol.java:80)
           at org.apache.catalina.connector.Connector.initInternal(Connector.java:1046)
           ... 10 more
   Caused by: java.io.IOException: Alias name [sgsAgent] does not identify a key entry
           at org.apache.tomcat.util.net.SSLUtilBase.getKeyManagers(SSLUtilBase.java:337)
           at org.apache.tomcat.util.net.SSLUtilBase.createSSLContext(SSLUtilBase.java:247)
           at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:105)
           ... 17 more

but I believe the alias is in place, both places

   ## check, different files
   [ec2-user@ip-10-0-2-118 certs]$ ls -l fullca.p12 sgstrust.p12
   -rw-rw-r-- 1 ec2-user ec2-user 281500 Jun  2 17:12 fullca.p12
   -rw-rw-r-- 1 ec2-user ec2-user   2726 Jun  2 17:13 sgstrust.p12

   ## checks for alias
   [ec2-user@ip-10-0-2-118 certs]$ keytool -storetype pkcs12 -list -keystore sgstrust.p12 -alias sgsAgent -storepass changeit
   sgsAgent, Jun 2, 2022, PrivateKeyEntry,
   Certificate fingerprint (SHA-256): 65:F1:9C:07:37:C4:13:A8:82:D5:09:E7:51:F9:C0:E2:94:E4:41:64:F1:41:86:E6:60:5F:50:87:A8:13:74:17

   [ec2-user@ip-10-0-2-118 certs]$ keytool -storetype pkcs12 -list -keystore fullca.p12 -alias sgsAgent -storepass changeit
   sgsAgent, Jun 2, 2022, trustedCertEntry,
   Certificate fingerprint (SHA-256): 65:F1:9C:07:37:C4:13:A8:82:D5:09:E7:51:F9:C0:E2:94:E4:41:64:F1:41:86:E6:60:5F:50:87:A8:13:74:17

   ## upload to s3
   [ec2-user@ip-10-0-2-118 certs]$ aws s3 cp fullca.p12 s3://691459864434-sgs-source/certs/fullca.p12
   upload: ./fullca.p12 to s3://691459864434-sgs-source/certs/fullca.p12
   [ec2-user@ip-10-0-2-118 certs]$ aws s3 cp sgstrust.p12 s3://691459864434-sgs-source/certs/sgstrust.p12
   aws s3 cp sgstrust.p12 s3://691459864434-sgs-source/certs/sgstrust.p12
   upload: ./sgstrust.p12 to s3://691459864434-sgs-source/certs/sgstrust.p12

   ## program downloads p12 files from s3


To your latest

    I add my cert to truststore.

   Which one? Are you using client certs for mutual-TLS or just
   plain-old "I only need to trust the server" checking?

I add sgstrust to fullca.  I think the latter mode is fine


   If it's vanilla, then you need:

   1. Key + cert in the key store used by the Tomcat <Connector>
   2. cert in the trust store used by the client (optional if it's
   signed by a trusted CA)

   Remember if your key store from #1 has more than one cert+key in it,
   Tomcat will choose the first one (which is basically a crap-shoot,
   given the API) unless you specify the alias of the one to use. I
   think it's best to have only a single key+cert in each keystore
   (unless it's multiple flavors of the same thing, like RSA and ECDSA
   for the same server). That way you don't get confused by "too much
   stuff".

I'm starting both the server and the client with both key and trust.  Does that bite?
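As an added example (not code from this thread, from Tomcat, or from the SGS project), here is a Java pre-flight check that does what the keytool listings above do by hand: it loads the key store and asks the JDK KeyStore API whether the configured alias is a key entry (the condition behind "Alias name [sgsAgent] does not identify a key entry" is an alias that is present but holds only a trusted certificate), and then checks whether the trust store contains a certificate from that server chain. The class name KeystorePreflight and the argument order are this example's own choices; the file names, alias and store password in the usage line are the ones from the listing above.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Collections;

/*
 * Pre-flight check for a Tomcat JSSE <Connector>, run before starting Tomcat:
 *   1. the key store alias must be a PrivateKeyEntry (private key + chain);
 *      a trustedCertEntry under that alias is a trust-store entry, not a server key;
 *   2. the trust store used by clients should contain a certificate from the chain.
 * Class name and argument order are this example's own (hypothetical) choices.
 */
public class KeystorePreflight {

    /** Load a PKCS12 file with the given store password. */
    static KeyStore loadPkcs12(String path, char[] storePass)
            throws IOException, GeneralSecurityException {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (FileInputStream in = new FileInputStream(path)) {
            ks.load(in, storePass);
        }
        return ks;
    }

    /** Classify an alias with the labels keytool -list uses, plus "absent". */
    static String entryType(KeyStore ks, String alias) throws GeneralSecurityException {
        if (!ks.containsAlias(alias)) {
            return "absent";
        }
        if (ks.isKeyEntry(alias)) {
            return "PrivateKeyEntry";   // private key + certificate chain: what a server connector needs
        }
        if (ks.isCertificateEntry(alias)) {
            return "trustedCertEntry";  // certificate only: fine in a trust store, useless as a server key
        }
        return "other";
    }

    /** True if some trusted-certificate entry in the trust store equals cert. */
    static boolean trustStoreContains(KeyStore trust, Certificate cert)
            throws GeneralSecurityException {
        for (String alias : Collections.list(trust.aliases())) {
            if (trust.isCertificateEntry(alias) && cert.equals(trust.getCertificate(alias))) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 5) {
            System.err.println("usage: KeystorePreflight <keystore.p12> <storepass> <alias> <truststore.p12> <storepass>");
            System.exit(2);
        }
        KeyStore keyStore = loadPkcs12(args[0], args[1].toCharArray());
        String alias = args[2];
        KeyStore trustStore = loadPkcs12(args[3], args[4].toCharArray());

        // List every alias so that stray entries in the key store are visible at a glance.
        for (String a : Collections.list(keyStore.aliases())) {
            System.out.println(args[0] + ": " + a + " -> " + entryType(keyStore, a));
        }

        String type = entryType(keyStore, alias);
        if (!"PrivateKeyEntry".equals(type)) {
            System.out.println("FAIL: alias [" + alias + "] is " + type
                    + "; the Tomcat <Connector> needs a private key under that alias");
            System.exit(1);
        }

        X509Certificate serverCert = (X509Certificate) keyStore.getCertificate(alias);
        System.out.println("OK: [" + alias + "] is a key entry for " + serverCert.getSubjectX500Principal());

        // Clients trust the server if any certificate of its chain (leaf or issuer) is in their trust store.
        boolean anchored = false;
        for (Certificate c : keyStore.getCertificateChain(alias)) {
            if (trustStoreContains(trustStore, c)) {
                anchored = true;
                break;
            }
        }
        System.out.println(anchored
                ? "OK: trust store " + args[3] + " contains a certificate from the server chain"
                : "WARN: trust store " + args[3] + " holds nothing from the server chain; clients using it will reject this server");
    }
}
```

Run as `java KeystorePreflight sgstrust.p12 changeit sgsAgent fullca.p12 changeit` on the files from the listing above and the first store reports `sgsAgent -> PrivateKeyEntry`. Run it against whatever the program actually downloaded from S3: if fullca.p12 was copied over the sgstrust.p12 key, the "key store" now holds sgsAgent as a trustedCertEntry and the check fails with the same reason Tomcat gives, before Tomcat is started.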
