Posted to users@tomcat.apache.org by Arnold Morein <ar...@me.com.INVALID> on 2018/08/08 19:22:39 UTC

Working JKS file for SSL from Tomcat8 doesn't work with Tomcat9

I have a company-issued, signed SSL cert installed in my Tomcat 8 system and all is well.



I downloaded and set up Tomcat 9.0.10 and simply copied the same JKS file over to match my TC8 config.



[code]

    <Connector SSLEnabled="true" clientAuth="false"
               keyAlias="developer-server"
               keystoreFile="conf/ssl/mockServerKeyStore.jks"
               keystorePass="xxx"
               truststoreFile="conf/ssl/mockClientTrustStore.jks"
               truststorePass="xxx"
               maxConnections="1000" maxThreads="100"
               port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               scheme="https" secure="true" sslProtocol="TLS" />    

[/code]



[code]

SEVERE: Failed to initialize component [Connector[HTTP/1.1-8443]]
org.apache.catalina.LifecycleException: Protocol handler initialization failed
    at org.apache.catalina.connector.Connector.initInternal(Connector.java:935)
    at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
    at org.apache.catalina.core.StandardService.initInternal(StandardService.java:530)
    at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
    at org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:852)
    at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
    at org.apache.catalina.startup.Catalina.load(Catalina.java:633)
    at org.apache.catalina.startup.Catalina.load(Catalina.java:656)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
    at sun.reflect.DelegatingMethodAccessorImpl.__invoke(DelegatingMethodAccessorImpl.java:43)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:45009)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:45012)
    at java.lang.reflect.Method.invoke(Method.java:498)
    at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:306)
    at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:491)
Caused by: java.lang.IllegalArgumentException: the trustAnchors parameter must be non-empty
    at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:114)
    at org.apache.tomcat.util.net.AbstractJsseEndpoint.initialiseSsl(AbstractJsseEndpoint.java:85)
    at org.apache.tomcat.util.net.NioEndpoint.bind(NioEndpoint.java:216)
    at org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:1043)
    at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:540)
    at org.apache.coyote.http11.AbstractHttp11Protocol.init(AbstractHttp11Protocol.java:74)
    at org.apache.catalina.connector.Connector.initInternal(Connector.java:932)
    ... 15 more
Caused by: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty
    at java.security.cert.PKIXParameters.setTrustAnchors(PKIXParameters.java:200)
    at java.security.cert.PKIXParameters.<init>(PKIXParameters.java:157)
    at java.security.cert.PKIXBuilderParameters.<init>(PKIXBuilderParameters.java:130)
    at org.apache.tomcat.util.net.jsse.JSSEUtil.getParameters(JSSEUtil.java:389)
    at org.apache.tomcat.util.net.jsse.JSSEUtil.getTrustManagers(JSSEUtil.java:313)
    at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:112)
[/code]



There is nothing wrong with the JKS files since SSL works fine with TC8. So why is this error appearing in TC9? They are both using JDK 1.8.0_172.





Re: Working JKS file for SSL from Tomcat8 doesn't work with Tomcat9

Posted by Mark Thomas <ma...@apache.org>.
On 08/08/2018 20:22, Arnold Morein wrote:
> I have a company-issued, signed SSL cert installed in my Tomcat 8 system 
> and all is well.
> 
> I downloaded and set up Tomcat 9.0.10 and simply copied the same JKS 
> file over to match my TC8 config.
> 
> [code]
>      <Connector SSLEnabled="true" clientAuth="false"
>                 keyAlias="developer-server"
>                 keystoreFile="conf/ssl/mockServerKeyStore.jks"
>                 keystorePass="xxx"
>                 truststoreFile="conf/ssl/mockClientTrustStore.jks"
>                 truststorePass="xxx"
>                 maxConnections="1000" maxThreads="100"
>                 port="8443" 
> protocol="org.apache.coyote.http11.Http11NioProtocol"
>                 scheme="https" secure="true" sslProtocol="TLS" />
> [/code]
> 
> [code]
> SEVERE: Failed to initialize component [Connector[HTTP/1.1-8443]]
> org.apache.catalina.LifecycleException: Protocol handler initialization 
> failed
>      at 
> org.apache.catalina.connector.Connector.initInternal(Connector.java:935)
>      at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
>      at 
> org.apache.catalina.core.StandardService.initInternal(StandardService.java:530)
>      at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
>      at 
> org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:852)
>      at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
>      at org.apache.catalina.startup.Catalina.load(Catalina.java:633)
>      at org.apache.catalina.startup.Catalina.load(Catalina.java:656)
>      at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>      at 
> sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
>      at 
> sun.reflect.DelegatingMethodAccessorImpl.__invoke(DelegatingMethodAccessorImpl.java:43)
>      at 
> sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:45009)
>      at 
> sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:45012)
>      at java.lang.reflect.Method.invoke(Method.java:498)
>      at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:306)
>      at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:491)
> Caused by: java.lang.IllegalArgumentException: the trustAnchors 
> parameter must be non-empty
>      at 
> org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:114)
>      at 
> org.apache.tomcat.util.net.AbstractJsseEndpoint.initialiseSsl(AbstractJsseEndpoint.java:85)
>      at org.apache.tomcat.util.net.NioEndpoint.bind(NioEndpoint.java:216)
>      at 
> org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:1043)
>      at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:540)
>      at 
> org.apache.coyote.http11.AbstractHttp11Protocol.init(AbstractHttp11Protocol.java:74)
>      at 
> org.apache.catalina.connector.Connector.initInternal(Connector.java:932)
>      ... 15 more
> Caused by: java.security.InvalidAlgorithmParameterException: the 
> trustAnchors parameter must be non-empty
>      at 
> java.security.cert.PKIXParameters.setTrustAnchors(PKIXParameters.java:200)
>      at java.security.cert.PKIXParameters.<init>(PKIXParameters.java:157)
>      at 
> java.security.cert.PKIXBuilderParameters.<init>(PKIXBuilderParameters.java:130)
>      at 
> org.apache.tomcat.util.net.jsse.JSSEUtil.getParameters(JSSEUtil.java:389)
>      at 
> org.apache.tomcat.util.net.jsse.JSSEUtil.getTrustManagers(JSSEUtil.java:313)
>      at 
> org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:112)
> [/code]
> 
> There is nothing wrong with the JKS files since SSL works fine with TC8. 
> So why is this error appearing in TC9? They are both using JDK 1.8.0_172.

Tomcat 9.0.x and 8.5.x have stricter requirements than 8.0.x and will 
throw exceptions where 8.0.x doesn't.

Generally, a good place to start would be using keytool to list the 
contents of the trust store, confirm the password is correct and that 
the trust store contains at least one certificate.

Mark
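
The check suggested above, done through the JDK KeyStore API rather than keytool, as an added example that is not part of the original thread or of Tomcat's code. The class name TrustStoreCheck is an assumption; the program lists which entries in the store count as trusted certificates and then calls the same PKIXParameters constructor that appears in the stack trace.

```java
import java.io.Console;
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.InvalidAlgorithmParameterException;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.PKIXParameters;
import java.security.cert.X509Certificate;
import java.util.Collections;

// Hypothetical helper class, not part of Tomcat.
public class TrustStoreCheck {
    public static void main(String[] args) throws Exception {
        Console console = System.console();
        if (args.length != 1 || console == null) {
            System.err.println("usage (interactive terminal): java TrustStoreCheck <truststore.jks>");
            System.exit(2);
        }
        // Prompt instead of taking the password as an argument, so it does not
        // end up in shell history or the process list.
        char[] password = console.readPassword("Trust store password: ");

        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(args[0])) {
            ks.load(in, password); // wrong password or damaged file: IOException here
        }

        int anchors = 0;
        for (String alias : Collections.list(ks.aliases())) {
            if (ks.isCertificateEntry(alias)) {
                anchors++;
                Certificate c = ks.getCertificate(alias);
                String subject = (c instanceof X509Certificate)
                        ? ((X509Certificate) c).getSubjectX500Principal().getName() : c.getType();
                System.out.println("trusted certificate  " + alias + "  " + subject);
            } else {
                // Key entries (private key plus chain) are not trust anchors.
                System.out.println("key entry (ignored)  " + alias);
            }
        }
        System.out.println(anchors + " trust anchor(s) found");

        try {
            new PKIXParameters(ks); // throws when the store has no trusted certificate entry
            System.out.println("OK: PKIX parameters can be built from this store");
        } catch (InvalidAlgorithmParameterException e) {
            System.out.println("FAIL: " + e.getMessage());
            System.exit(1);
        }
    }
}
```

A store that holds only key entries loads without error but reports zero trust anchors and fails the final step with "the trustAnchors parameter must be non-empty".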



Re: Working JKS file for SSL from Tomcat8 doesn't work with Tomcat9

Posted by Arnold Morein <ar...@me.com.INVALID>.
Ugh, right after I sent this, the next search turned up what I needed: the XML had changed.

<Connector ...>
    <SSLHostConfig>
        <Certificate ... />
    </SSLHostConfig>
</Connector>



