Posted to users@tomcat.apache.org by "George S." <ge...@mhsoftware.com> on 2018/03/01 23:31:40 UTC

Tomcat 8.5.28 SSL - Cannot store non-PrivateKeys

I'm hitting the error:

SEVERE: Failed to initialize connector [Connector[HTTP/1.1-8443]]
org.apache.catalina.LifecycleException: Failed to initialize component [Connector[HTTP/1.1-8443]]
Caused by: org.apache.catalina.LifecycleException: Protocol handler initialization failed
Caused by: java.lang.IllegalArgumentException: Cannot store non-PrivateKeys

The connector is configured as:


     <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
                 address="10.0.0.62"
                maxThreads="150" SSLEnabled="true">
         <SSLHostConfig>
            <Certificate certificateKeyFile="conf/key.pem"
                          certificateFile="conf/certificate.pem"
                          type="RSA" />
         </SSLHostConfig>
     </Connector>

I've verified the tomcat user can read the two files, and I've su'd to user tomcat and used:

openssl rsa -in key.pem -text

and the private key was dumped as expected. The key is not encrypted. The cert is self-signed and was generated by OpenSSL using CA.sh.

I'm kind of at a loss here. The example server.xml entries show naming PEM files directly, and the connector docs seem to imply that pem files are supported.

Can anyone give me a pointer on what to do here?

-- 
George S.
*MH Software, Inc.*
Voice: 303 438 9585
http://www.mhsoftware.com

Re: Tomcat 8.5.28 SSL - Cannot store non-PrivateKeys

Posted by Christopher Schultz <ch...@christopherschultz.net>.

George,

On 3/1/18 6:31 PM, George S. wrote:
> I'm hitting the error:
> 
> SEVERE: Failed to initialize connector [Connector[HTTP/1.1-8443]] 
> org.apache.catalina.LifecycleException: Failed to initialize
> component [Connector[HTTP/1.1-8443]] Caused by:
> org.apache.catalina.LifecycleException: Protocol handler 
> initialization failed Caused by:
> java.lang.IllegalArgumentException: Cannot store non-PrivateKeys
> 
> The connector is configured as:
> 
> 
> <Connector port="8443" 
> protocol="org.apache.coyote.http11.Http11NioProtocol" 
> address="10.0.0.62" maxThreads="150" SSLEnabled="true"> 
> <SSLHostConfig> <Certificate certificateKeyFile="conf/key.pem" 
> certificateFile="conf/certificate.pem" type="RSA" /> 
> </SSLHostConfig> </Connector>
> 
> I've verified the tomcat user can read the two files, and I've su'd
> to user tomcat and used:
> 
> openssl rsa -in key.pem -text
> 
> and the private key was dumped as expected. The key is not
> encrypted. The cert is self-signed and was generated by OpenSSL
> using CA.sh.
> 
> I'm kind of at a loss here. The example server.xml entries show
> naming PEM files directly, and the connector docs seem to imply
> that pem files are supported.
> 
> Can anyone give me a pointer on what to do here?

Can you post the full stack trace?

-chris



Re: Tomcat 8.5.28 SSL - Cannot store non-PrivateKeys

Posted by Richard Tearle <ri...@northgateps.com>.
Hello

On 1 March 2018 at 23:31, George S. <ge...@mhsoftware.com> wrote:

> I'm hitting the error:
>
> SEVERE: Failed to initialize connector [Connector[HTTP/1.1-8443]]
> org.apache.catalina.LifecycleException: Failed to initialize component
> [Connector[HTTP/1.1-8443]]
> Caused by: org.apache.catalina.LifecycleException: Protocol handler
> initialization failed
> Caused by: java.lang.IllegalArgumentException: Cannot store
> non-PrivateKeys
>
> The connector is configured as:
>
>
>     <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
>                 address="10.0.0.62"
>                maxThreads="150" SSLEnabled="true">
>         <SSLHostConfig>
>            <Certificate certificateKeyFile="conf/key.pem"
>                          certificateFile="conf/certificate.pem"
>                          type="RSA" />
>         </SSLHostConfig>
>     </Connector>
>
> I've verified the tomcat user can read the two files, and I've su'd to
> user tomcat and used:
>
> openssl rsa -in key.pem -text
>
> and the private key was dumped as expected. The key is not encrypted. The
> cert is self-signed and was generated by OpenSSL using CA.sh.
>
> I'm kind of at a loss here. The example server.xml entries show naming PEM
> files directly, and the connector docs seem to imply that pem files are
> supported.
>
> Can anyone give me a pointer on what to do here?
>
> --
> George S.
> *MH Software, Inc.*
> Voice: 303 438 9585
> http://www.mhsoftware.com
>


Are you using the Tomcat Native Library? I think that's required when using
PEM encoded certificates.

-- 

*Richard Tearle BSc(Hons) MCP*

Senior Consultant

*Northgate Public Services (NPS)*

Mobile: +44 (0)7738 888315

Email: richard.tearle@northgateps.com

Web: www.northgatepublicservices.co.uk <http://www.northgate-is.com/>
