Posted to dev@tomcat.apache.org by bu...@apache.org on 2017/09/06 15:08:22 UTC
[Bug 61497] New: JKS Keystore Handling regression
https://bz.apache.org/bugzilla/show_bug.cgi?id=61497
Bug ID: 61497
Summary: JKS Keystore Handling regression
Product: Tomcat 8
Version: 8.5.20
Hardware: PC
Status: NEW
Severity: regression
Priority: P2
Component: Connectors
Assignee: dev@tomcat.apache.org
Reporter: gmilewski@celerant.com
Target Milestone: ----
Created attachment 35302
--> https://bz.apache.org/bugzilla/attachment.cgi?id=35302&action=edit
Zip containing key, cert, chain, and keystore.
Attached are throwaway key/cert/keystore.
Configuring a Tomcat instance with an internal CA and Java Keystore in Tomcat
8.5.16 works without issue. Migrating the same install to 8.5.19 or 8.5.20
results in "java.security.KeyStoreException: Cannot store non-PrivateKeys",
failing to create the SSL port.
Taking the SAME keystore, extracting to PKCS12 via keytool.exe, then to PEM
through OpenSSL, then configuring server.xml to use PEM results in a
working/trusted SSL port in 8.5.20; however, we need the keystore method.
Keystore password is: 6d454df3d881bf61ccc0540d36cff1a5
8.5.16 KEYSTORE:
06-Sep-2017 10:12:46.247 INFO [main]
org.apache.catalina.core.AprLifecycleListener.lifecycleEvent Loaded APR based
Apache Tomcat Native library [1.2.12] using APR version [1.5.2].
06-Sep-2017 10:12:46.247 INFO [main]
org.apache.catalina.core.AprLifecycleListener.lifecycleEvent APR capabilities:
IPv6 [true], sendfile [true], accept filters [false], random [true].
06-Sep-2017 10:12:46.247 INFO [main]
org.apache.catalina.core.AprLifecycleListener.lifecycleEvent APR/OpenSSL
configuration: useAprConnector [false], useOpenSSL [true]
06-Sep-2017 10:12:46.966 INFO [main]
org.apache.catalina.core.AprLifecycleListener.initializeSSL OpenSSL
successfully initialized [OpenSSL 1.0.2k 26 Jan 2017]
06-Sep-2017 10:12:47.153 INFO [main] org.apache.coyote.AbstractProtocol.init
Initializing ProtocolHandler ["http-nio-8080"]
06-Sep-2017 10:12:47.294 INFO [main]
org.apache.tomcat.util.net.NioSelectorPool.getSharedSelector Using a shared
selector for servlet write/read
06-Sep-2017 10:12:47.310 INFO [main] org.apache.coyote.AbstractProtocol.init
Initializing ProtocolHandler ["https-openssl-nio-8443"]
06-Sep-2017 10:12:47.591 INFO [main]
org.apache.tomcat.util.net.NioSelectorPool.getSharedSelector Using a shared
selector for servlet write/read
06-Sep-2017 10:12:47.591 INFO [main] org.apache.coyote.AbstractProtocol.init
Initializing ProtocolHandler ["ajp-nio-127.0.0.1-8009"]
06-Sep-2017 10:12:47.591 INFO [main]
org.apache.tomcat.util.net.NioSelectorPool.getSharedSelector Using a shared
selector for servlet write/read
06-Sep-2017 10:12:47.591 INFO [main] org.apache.catalina.startup.Catalina.load
Initialization processed in 1882 ms
8.5.20 KEYSTORE:
06-Sep-2017 10:15:44.562 INFO [main]
org.apache.catalina.core.AprLifecycleListener.lifecycleEvent Loaded APR based
Apache Tomcat Native library [1.2.12] using APR version [1.5.2].
06-Sep-2017 10:15:44.562 INFO [main]
org.apache.catalina.core.AprLifecycleListener.lifecycleEvent APR capabilities:
IPv6 [true], sendfile [true], accept filters [false], random [true].
06-Sep-2017 10:15:44.562 INFO [main]
org.apache.catalina.core.AprLifecycleListener.lifecycleEvent APR/OpenSSL
configuration: useAprConnector [false], useOpenSSL [true]
06-Sep-2017 10:15:45.345 INFO [main]
org.apache.catalina.core.AprLifecycleListener.initializeSSL OpenSSL
successfully initialized [OpenSSL 1.0.2k 26 Jan 2017]
06-Sep-2017 10:15:45.579 INFO [main] org.apache.coyote.AbstractProtocol.init
Initializing ProtocolHandler ["http-nio-8080"]
06-Sep-2017 10:15:45.720 INFO [main]
org.apache.tomcat.util.net.NioSelectorPool.getSharedSelector Using a shared
selector for servlet write/read
06-Sep-2017 10:15:45.735 INFO [main] org.apache.coyote.AbstractProtocol.init
Initializing ProtocolHandler ["https-openssl-nio-8443"]
06-Sep-2017 10:15:46.014 SEVERE [main] org.apache.coyote.AbstractProtocol.init
Failed to initialize end point associated with ProtocolHandler
["https-openssl-nio-8443"]
java.lang.IllegalArgumentException: java.security.KeyStoreException: Cannot
store non-PrivateKeys
at
org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:114)
at
org.apache.tomcat.util.net.AbstractJsseEndpoint.initialiseSsl(AbstractJsseEndpoint.java:85)
at org.apache.tomcat.util.net.NioEndpoint.bind(NioEndpoint.java:225)
at
org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:982)
at
org.apache.tomcat.util.net.AbstractJsseEndpoint.init(AbstractJsseEndpoint.java:244)
at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:620)
at
org.apache.coyote.http11.AbstractHttp11Protocol.init(AbstractHttp11Protocol.java:66)
at
org.apache.catalina.connector.Connector.initInternal(Connector.java:997)
at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:107)
at
org.apache.catalina.core.StandardService.initInternal(StandardService.java:549)
at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:107)
at
org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:875)
at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:107)
at org.apache.catalina.startup.Catalina.load(Catalina.java:607)
at org.apache.catalina.startup.Catalina.load(Catalina.java:630)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at
sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:311)
at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:494)
Caused by: java.security.KeyStoreException: Cannot store non-PrivateKeys
at
sun.security.provider.JavaKeyStore.engineSetKeyEntry(JavaKeyStore.java:258)
at
sun.security.provider.JavaKeyStore$JKS.engineSetKeyEntry(JavaKeyStore.java:56)
at
sun.security.provider.KeyStoreDelegator.engineSetKeyEntry(KeyStoreDelegator.java:117)
at
sun.security.provider.JavaKeyStore$DualFormatJKS.engineSetKeyEntry(JavaKeyStore.java:70)
at java.security.KeyStore.setKeyEntry(KeyStore.java:1140)
at
org.apache.tomcat.util.net.jsse.JSSEUtil.getKeyManagers(JSSEUtil.java:226)
at
org.apache.tomcat.util.net.openssl.OpenSSLUtil.getKeyManagers(OpenSSLUtil.java:79)
at
org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:112)
... 20 more
06-Sep-2017 10:15:46.030 SEVERE [main]
org.apache.catalina.core.StandardService.initInternal Failed to initialize
connector [Connector[HTTP/1.1-8443]]
org.apache.catalina.LifecycleException: Failed to initialize component
[Connector[HTTP/1.1-8443]]
at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:112)
at
org.apache.catalina.core.StandardService.initInternal(StandardService.java:549)
at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:107)
at
org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:875)
at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:107)
at org.apache.catalina.startup.Catalina.load(Catalina.java:607)
at org.apache.catalina.startup.Catalina.load(Catalina.java:630)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at
sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:311)
at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:494)
Caused by: org.apache.catalina.LifecycleException: Protocol handler
initialization failed
at
org.apache.catalina.connector.Connector.initInternal(Connector.java:999)
at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:107)
... 12 more
Caused by: java.lang.IllegalArgumentException: java.security.KeyStoreException:
Cannot store non-PrivateKeys
at
org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:114)
at
org.apache.tomcat.util.net.AbstractJsseEndpoint.initialiseSsl(AbstractJsseEndpoint.java:85)
at org.apache.tomcat.util.net.NioEndpoint.bind(NioEndpoint.java:225)
at
org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:982)
at
org.apache.tomcat.util.net.AbstractJsseEndpoint.init(AbstractJsseEndpoint.java:244)
at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:620)
at
org.apache.coyote.http11.AbstractHttp11Protocol.init(AbstractHttp11Protocol.java:66)
at
org.apache.catalina.connector.Connector.initInternal(Connector.java:997)
... 13 more
Caused by: java.security.KeyStoreException: Cannot store non-PrivateKeys
at
sun.security.provider.JavaKeyStore.engineSetKeyEntry(JavaKeyStore.java:258)
at
sun.security.provider.JavaKeyStore$JKS.engineSetKeyEntry(JavaKeyStore.java:56)
at
sun.security.provider.KeyStoreDelegator.engineSetKeyEntry(KeyStoreDelegator.java:117)
at
sun.security.provider.JavaKeyStore$DualFormatJKS.engineSetKeyEntry(JavaKeyStore.java:70)
at java.security.KeyStore.setKeyEntry(KeyStore.java:1140)
at
org.apache.tomcat.util.net.jsse.JSSEUtil.getKeyManagers(JSSEUtil.java:226)
at
org.apache.tomcat.util.net.openssl.OpenSSLUtil.getKeyManagers(OpenSSLUtil.java:79)
at
org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:112)
... 20 more
06-Sep-2017 10:15:46.030 INFO [main] org.apache.coyote.AbstractProtocol.init
Initializing ProtocolHandler ["ajp-nio-127.0.0.1-8009"]
06-Sep-2017 10:15:46.030 INFO [main]
org.apache.tomcat.util.net.NioSelectorPool.getSharedSelector Using a shared
selector for servlet write/read
06-Sep-2017 10:15:46.030 INFO [main] org.apache.catalina.startup.Catalina.load
Initialization processed in 2099 ms
8.5.20 PEM FILES:
06-Sep-2017 10:28:35.271 INFO [main]
org.apache.catalina.core.AprLifecycleListener.lifecycleEvent Loaded APR based
Apache Tomcat Native library [1.2.12] using APR version [1.5.2].
06-Sep-2017 10:28:35.271 INFO [main]
org.apache.catalina.core.AprLifecycleListener.lifecycleEvent APR capabilities:
IPv6 [true], sendfile [true], accept filters [false], random [true].
06-Sep-2017 10:28:35.271 INFO [main]
org.apache.catalina.core.AprLifecycleListener.lifecycleEvent APR/OpenSSL
configuration: useAprConnector [false], useOpenSSL [true]
06-Sep-2017 10:28:36.052 INFO [main]
org.apache.catalina.core.AprLifecycleListener.initializeSSL OpenSSL
successfully initialized [OpenSSL 1.0.2k 26 Jan 2017]
06-Sep-2017 10:28:36.271 INFO [main] org.apache.coyote.AbstractProtocol.init
Initializing ProtocolHandler ["http-nio-8080"]
06-Sep-2017 10:28:36.427 INFO [main]
org.apache.tomcat.util.net.NioSelectorPool.getSharedSelector Using a shared
selector for servlet write/read
06-Sep-2017 10:28:36.427 INFO [main] org.apache.coyote.AbstractProtocol.init
Initializing ProtocolHandler ["https-openssl-nio-8443"]
06-Sep-2017 10:28:36.442 INFO [main]
org.apache.tomcat.util.net.NioSelectorPool.getSharedSelector Using a shared
selector for servlet write/read
06-Sep-2017 10:28:36.442 INFO [main] org.apache.coyote.AbstractProtocol.init
Initializing ProtocolHandler ["ajp-nio-127.0.0.1-8009"]
06-Sep-2017 10:28:36.442 INFO [main]
org.apache.tomcat.util.net.NioSelectorPool.getSharedSelector Using a shared
selector for servlet write/read
06-Sep-2017 10:28:36.458 INFO [main] org.apache.catalina.startup.Catalina.load
Initialization processed in 1768 ms
--
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org
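
Added example (not part of the original report and not Tomcat code): a small keystore audit that repeats, for every alias, the KeyStore.setKeyEntry call that fails in the stack trace above, so the entry a JKS keystore rejects can be identified before an upgrade. The class name KeystoreAudit and the KEYSTORE_PASS environment variable are hypothetical, and the key password is assumed to equal the keystore password.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.Key;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.UnrecoverableKeyException;
import java.security.cert.Certificate;
import java.util.Collections;

// Usage: KEYSTORE_PASS=... java KeystoreAudit <keystore.jks>
// KEYSTORE_PASS is a hypothetical variable name; it keeps the password out of argv.
public class KeystoreAudit {
    public static void main(String[] args) throws Exception {
        String envPass = System.getenv("KEYSTORE_PASS");
        if (args.length != 1 || envPass == null) {
            System.err.println("usage: KEYSTORE_PASS=... java KeystoreAudit <keystore.jks>");
            System.exit(2);
        }
        char[] pass = envPass.toCharArray();

        KeyStore source = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(args[0])) {
            source.load(in, pass);
        }

        // Empty in-memory JKS keystore used as the copy target.
        KeyStore target = KeyStore.getInstance("JKS");
        target.load(null, null);

        for (String alias : Collections.list(source.aliases())) {
            String kind = source.isKeyEntry(alias) ? "key entry"
                    : source.isCertificateEntry(alias) ? "trusted certificate" : "unknown";
            try {
                // Assumption: key password equals the keystore password.
                Key key = source.getKey(alias, pass); // null for certificate entries
                Certificate[] chain = source.getCertificateChain(alias);
                target.setKeyEntry(alias, key, pass, chain);
                System.out.printf("%-24s %-20s OK (%s key, chain length %d)%n",
                        alias, kind, key.getAlgorithm(), chain.length);
            } catch (KeyStoreException e) {
                // JKS rejects anything that is not a PrivateKey, including null.
                System.out.printf("%-24s %-20s FAIL: %s%n", alias, kind, e.getMessage());
            } catch (UnrecoverableKeyException e) {
                System.out.printf("%-24s %-20s FAIL: key password differs%n", alias, kind);
            }
        }
    }
}
```

An alias reported with "FAIL: Cannot store non-PrivateKeys" is one for which the copy into a JKS keystore raises the same exception as in the 8.5.20 log.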
[Bug 61497] JKS Keystore Handling regression
Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=61497
--- Comment #2 from gmilewski@celerant.com ---
Thank you kindly - search did not turn up that bug, nor the autosearch, sorry!
[Bug 61497] JKS Keystore Handling regression
Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=61497
Mark Thomas <ma...@apache.org> changed:
      What  |Removed  |Added
----------------------------------------------------------------------------
 Resolution |---      |DUPLICATE
         OS |         |All
     Status |NEW      |RESOLVED
--- Comment #1 from Mark Thomas <ma...@apache.org> ---
*** This bug has been marked as a duplicate of bug 61451 ***