Posted to users@tomcat.apache.org by Jonathan Ho <jo...@neouisolutions.com> on 2024/02/28 11:36:57 UTC

server.xml setting broken with Tomcat 9.0.81

I have the following connectors in my server.xml file, and they have been working for a long time with various versions of Tomcat 9, until I upgraded to 9.0.81 or newer versions. I verified that 9.0.80 is working.
What I am getting from 9.0.81 is a passphrase prompt on Tomcat startup and the following errors in the log.
I see that Tomcat upgraded OpenSSL from 1.x to 3.x in 9.0.81; could that be the problem?

Thanks

28-Feb-2024 06:26:05.127 INFO [main] org.apache.coyote.AbstractProtocol.init Initializing ProtocolHandler ["http-nio2-8080"]
28-Feb-2024 06:26:05.150 INFO [main] org.apache.coyote.http11.AbstractHttp11Protocol.configureUpgradeProtocol The ["https-openssl-nio-9749"] connector has been configured to support negotiation to [h2] via ALPN
28-Feb-2024 06:26:05.150 INFO [main] org.apache.coyote.AbstractProtocol.init Initializing ProtocolHandler ["https-openssl-nio-9749"]
28-Feb-2024 06:27:47.172 WARNING [main] org.apache.tomcat.util.net.openssl.OpenSSLContext.init Error initializing SSL context
    java.lang.Exception: Unable to load certificate key C:\opt\Apache-SF\Tomcat-9/conf/r3m/files/server.key (error:1E08010C:DECODER routines::unsupported)
        at org.apache.tomcat.jni.SSLContext.setCertificate(Native Method)
        at org.apache.tomcat.util.net.openssl.OpenSSLContext.addCertificate(OpenSSLContext.java:492)
        at org.apache.tomcat.util.net.openssl.OpenSSLContext.init(OpenSSLContext.java:349)
        at org.apache.tomcat.util.net.SSLUtilBase.createSSLContext(SSLUtilBase.java:268)
        at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:107)
        at org.apache.tomcat.util.net.AbstractJsseEndpoint.initialiseSsl(AbstractJsseEndpoint.java:71)
        at org.apache.tomcat.util.net.NioEndpoint.bind(NioEndpoint.java:236)
        at org.apache.tomcat.util.net.AbstractEndpoint.bindWithCleanup(AbstractEndpoint.java:1334)
        at org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:1347)
        at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:654)
        at org.apache.coyote.http11.AbstractHttp11Protocol.init(AbstractHttp11Protocol.java:75)
        at org.apache.catalina.connector.Connector.initInternal(Connector.java:1009)
        at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:127)
        at org.apache.catalina.core.StandardService.initInternal(StandardService.java:554)
        at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:127)
        at org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:1046)
        at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:127)
        at org.apache.catalina.startup.Catalina.load(Catalina.java:686)
        at org.apache.catalina.startup.Catalina.load(Catalina.java:709)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:498)
        at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:302)
        at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:475)
28-Feb-2024 06:27:47.174 INFO [main] org.apache.tomcat.util.net.AbstractEndpoint.logCertificate Connector [https-openssl-nio-9749], TLS virtual host [_default_], certificate type [RSA] configured from key [C:\opt\Apache-SF\Tomcat-9/conf/r3m/files/server.key], certificate [C:\opt\Apache-SF\Tomcat-9/conf/r3m/files/server.cer] and certificate chain [C:\opt\Apache-SF\Tomcat-9/conf/r3m/files/server.chain.net.pem] with trust store [null]
28-Feb-2024 06:27:47.175 INFO [main] org.apache.coyote.http11.AbstractHttp11Protocol.configureUpgradeProtocol The ["https-openssl-nio-9869"] connector has been configured to support negotiation to [h2] via ALPN

<Connector server="NOYB" port="9749" protocol="org.apache.coyote.http11.Http11NioProtocol" maxConnections="1000" acceptCount="100" keepAliveTimeout="20000" connectionTimeout="20000" disableUploadTimeout="true" URIEncoding="UTF-8" compression="on"
           compressionMinSize="1024" compressibleMimeType="text/html,text/xml,text/csv,text/css,text/javascript,text/json,application/json" SSLEnabled="true" scheme="https" secure="true"
           sslImplementationName="org.apache.tomcat.util.net.openssl.OpenSSLImplementation">
    <SSLHostConfig insecureRenegotiation="true" certificateVerification="none" certificateVerificationDepth="0" protocols="TLSv1+TLSv1.1+TLSv1.2">
        <Certificate certificateChainFile="${catalina.base}/conf/r3m/files/server.chain.net.pem" certificateFile="${catalina.base}/conf/r3m/files/server.cer" certificateKeyFile="${catalina.base}/conf/r3m/files/server.key" certificateKeyPassword="hideme" type="RSA"/>
    </SSLHostConfig>
    <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol"/>
</Connector>

<Connector server="NOYB" port="9869" protocol="org.apache.coyote.http11.Http11NioProtocol" maxConnections="1000" acceptCount="100" keepAliveTimeout="20000" connectionTimeout="20000" disableUploadTimeout="true" URIEncoding="UTF-8" compression="on"
           compressionMinSize="1024" compressibleMimeType="text/html,text/xml,text/csv,text/css,text/javascript,text/json,application/json" SSLEnabled="true" scheme="https" secure="true"
           sslImplementationName="org.apache.tomcat.util.net.openssl.OpenSSLImplementation">
    <SSLHostConfig insecureRenegotiation="true" certificateVerification="none" certificateVerificationDepth="0" protocols="TLSv1+TLSv1.1+TLSv1.2">
        <Certificate certificateChainFile="${catalina.base}/conf/r3m/files/server.chain.net.pem" certificateFile="${catalina.base}/conf/r3m/files/server.cer" certificateKeyFile="${catalina.base}/conf/r3m/files/server.key" certificateKeyPassword="hideme" type="RSA"/>
    </SSLHostConfig>
    <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol"/>
</Connector>

<Connector server="NOYB" port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol" maxConnections="1000" acceptCount="100" keepAliveTimeout="20000" connectionTimeout="20000" disableUploadTimeout="true" URIEncoding="UTF-8" compression="on"
           compressionMinSize="1024" compressibleMimeType="text/html,text/xml,text/csv,text/css,text/javascript,text/json,application/json" SSLEnabled="true" scheme="https" secure="true"
           sslImplementationName="org.apache.tomcat.util.net.openssl.OpenSSLImplementation">
    <SSLHostConfig insecureRenegotiation="true" certificateVerification="none" certificateVerificationDepth="0" protocols="TLSv1+TLSv1.1+TLSv1.2">
        <Certificate certificateChainFile="${catalina.base}/conf/r3m/files/server.chain.net.pem" certificateFile="${catalina.base}/conf/r3m/files/server.cer" certificateKeyFile="${catalina.base}/conf/r3m/files/server.key" certificateKeyPassword="hideme" type="RSA"/>
    </SSLHostConfig>
    <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol"/>
</Connector>

<Connector server="NOYB" port="8888" protocol="org.apache.coyote.http11.Http11NioProtocol" maxConnections="1000" acceptCount="100" keepAliveTimeout="20000" connectionTimeout="20000" disableUploadTimeout="true" URIEncoding="UTF-8" compression="on"
           compressionMinSize="1024" compressibleMimeType="text/html,text/xml,text/csv,text/css,text/javascript,text/json,application/json" SSLEnabled="true" scheme="https" secure="true"
           sslImplementationName="org.apache.tomcat.util.net.openssl.OpenSSLImplementation">
    <SSLHostConfig insecureRenegotiation="true" certificateVerification="none" certificateVerificationDepth="0" protocols="TLSv1+TLSv1.1+TLSv1.2">
        <Certificate certificateChainFile="${catalina.base}/conf/r3m/files/server.chain.net.pem" certificateFile="${catalina.base}/conf/r3m/files/server.cer" certificateKeyFile="${catalina.base}/conf/r3m/files/server.key" certificateKeyPassword="hideme" type="RSA"/>
    </SSLHostConfig>
    <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol"/>
</Connector>

RE: server.xml setting broken with Tomcat 9.0.81

Posted by Jonathan Ho <jo...@neouisolutions.com>.
I resolved my issue by recreating the private key with different encryption.
My old key was encrypted with DES-CBC, and for the new one I used AES-256-CBC.
https://stackoverflow.com/questions/17733536/how-to-convert-a-private-key-to-an-rsa-private-key

openssl rsa -aes256 -in server.key  -out new.key

To answer some of your questions:
I tested with 9.0.86, 9.0.82 and 9.0.81, and they all gave me the same error/failure.

-----Original Message-----
From: Konstantin Kolinko <kn...@gmail.com> 
Sent: Wednesday, February 28, 2024 10:48 AM
To: users@tomcat.apache.org
Subject: Re: server.xml setting broken with Tomcat 9.0.81

Wed, 28 Feb 2024 at 14:42, Jonathan Ho <jo...@neouisolutions.com>:
>
> I have the following connectors in my server.xml file, and they have been working for a long time with various versions of Tomcat 9, until I upgraded to 9.0.81 or newer versions. I verified that 9.0.80 is working.
> What I am getting from 9.0.81 is a passphrase prompt on Tomcat startup and the following errors in the log.
> I see that Tomcat upgraded OpenSSL from 1.x to 3.x in 9.0.81; could that be the problem?
>

1. OpenSSL 1.1.1 has reached End-of-Life, https://www.openssl.org/blog/blog/2023/09/11/eol-111/

2. If you suspect that the version of Tomcat Native is the trigger of this issue:

On Windows it is easy to verify whether it is the cause:
just replace "bin/tcnative-1.dll" with an older version.

> or newer versions.
3. What newer versions have you tested?

Have you tested the current Tomcat 9.0.86?
It updates Tomcat Native further, to 1.3.0.

Have you tested 9.0.83 or later?
https://bz.apache.org/bugzilla/show_bug.cgi?id=67675
It is not exactly your issue, but it is on a similar topic.

> I will get pass phrase prompt
4. That prompt is not issued by Tomcat.
Is that prompt expected?
Are you typing the password correctly?
Are you able to decode your key file using openssl.exe from a command line?

Note that a copy of openssl.exe is included with Tomcat Native binaries downloadable from https://tomcat.apache.org/download-native.cgi

Best regards,
Konstantin Kolinko

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
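
A check for the cause found above, added here as an example and not part of the thread: it reads the DEK-Info header of a traditional PEM key to report the cipher that encrypts it and flags the ciphers OpenSSL 3 only provides through its legacy provider, which is why the DES-CBC key failed to decode while the AES-256-CBC one loads. The function names are assumed, the sample key header is constructed, and the `-provider` flags in the re-encryption step require an OpenSSL 3 binary.

```shell
#!/bin/sh
# Added example, not from the thread: inspect the PEM header of a traditional
# ("BEGIN RSA PRIVATE KEY") key file to see which cipher encrypts it. OpenSSL 3
# moved single DES into the legacy provider, which the OpenSSL bundled with
# Tomcat Native does not load, so a DES-CBC key fails to decode with
# "DECODER routines::unsupported" while an AES-256-CBC key loads normally.

# Print the cipher named in the DEK-Info header, or "none" for an unencrypted key.
pem_key_cipher() {
    cipher=$(sed -n 's/^DEK-Info: *\([^,]*\),.*/\1/p' "$1" | head -n 1)
    if [ -n "$cipher" ]; then printf '%s\n' "$cipher"; else printf 'none\n'; fi
}

# Succeed (exit 0) when the cipher is one OpenSSL 3 ships only in its legacy
# provider; such keys must be re-encrypted before Tomcat 9.0.81+ can load them.
is_legacy_pem_cipher() {
    case "$1" in
        DES-CBC|BF-CBC|CAST5-CBC|IDEA-CBC|RC2-CBC|RC2-40-CBC|RC2-64-CBC|SEED-CBC) return 0 ;;
        *) return 1 ;;
    esac
}

# Re-encrypt with AES-256-CBC as the thread does (prompts for the old passphrase
# and a new one). With an OpenSSL 3 binary the DES-CBC input only decodes when
# the legacy provider is loaded next to the default one, hence the -provider flags.
reencrypt_aes256() {
    openssl rsa -aes256 -in "$1" -out "$2" -provider legacy -provider default
}

# Constructed sample in the shape of a DES-CBC-encrypted key (the body is filler,
# not key material); in practice pass the server.key named in server.xml.
sample=$(mktemp)
cat > "$sample" <<'EOF'
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-CBC,0123456789ABCDEF

AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
-----END RSA PRIVATE KEY-----
EOF
cipher=$(pem_key_cipher "$sample")
if is_legacy_pem_cipher "$cipher"; then
    echo "$sample: encrypted with $cipher, which needs the OpenSSL 3 legacy provider;"
    echo "re-encrypt it with: reencrypt_aes256 \"$sample\" new.key"
else
    echo "$sample: encrypted with $cipher, loadable by OpenSSL 3"
fi
rm -f "$sample"
```

Running the check against the server.key from the connector configuration tells you before the upgrade whether Tomcat Native's OpenSSL 3 will be able to read it.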

