Posted to users@tomcat.apache.org by Christopher Schultz <ch...@christopherschultz.net> on 2021/08/16 14:32:28 UTC
Error loading PKCS12 keystore, java.io.IOException:
DerInputStream.getLength(): lengthTag=109, too big.
All,
Anyone ever seen this before?
I'm using an older Tomcat (7.0.x) on an older Java (1.7.0_80) along with
a certificate from Let's Encrypt. This was the server I used to
initially develop my "Let's Encrypt Apache Tomcat" presentation and
scripts, so I am familiar with the process and everything that needs to
happen.
I was updating the script to use the new snap-based certbot instead of
the older one which is fraught with dependency issues, etc. and I'm able
to renew the certificate just fine, but after assembling the PKCS12
keystore, I'm getting this error when Tomcat attempts to start the HTTPS
connector.
My old script first converted from raw PEM files to PKCS12 using the
"openssl pkcs12" command, then converted to JKS using Java's "keytool".
I decided to cut out the middle-man and use PKCS12 files directly this time.
Here is my (sanitized) <Connector> configuration:
<Connector port="8443"
           protocol="org.apache.coyote.http11.Http11NioProtocol"
           keystoreFile="${catalina.base}/keystore.p12"
           keystoreType="PKCS12"
           keystorePass="changeit"
           keyPass="changeit"
           truststoreType="PKCS12"
           URIEncoding="UTF-8"
           sslProtocol="SSL"
           SSLEnabled="true"
           scheme="https"
           secure="true"
           bindOnInit="false"
           ciphers="
             TLS_EMPTY_RENEGOTIATION_INFO_SCSV,
             TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,
             TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
             TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
             TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
             TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384,
             TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,
             TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256,
             TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,
             TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384,
             TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,
             TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256,
             TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,
             TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
             TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
             TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
             TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
             TLS_RSA_WITH_AES_256_CBC_SHA256,
             TLS_RSA_WITH_AES_256_CBC_SHA,
             TLS_RSA_WITH_AES_128_CBC_SHA256,
             TLS_RSA_WITH_AES_128_CBC_SHA
           "
           sslEnabledProtocols="TLSv1.2" />
I added the "truststoreType" just in case Tomcat was using the
keystoreType as the truststoreType, and defaulting to using the keystore
as the truststore. None of those things are true, but I left it in the
configuration.
When using "keytool" on the command-line to dump the certs, I get no
errors and the keystore contains the expected data.
Here is the command I use to assemble the pkcs12 file:
openssl pkcs12 -export -in "${LE_BASE}/cert.pem" -inkey "${LE_BASE}/privkey.pem" \
    -certfile "${LE_BASE}/fullchain.pem" \
    -out "${CATALINA_BASE}/${HOSTNAME}.p12" -name tomcat \
    -passout "pass:changeit"
Here is the complete stack trace of the error:
Aug 16, 2021 10:22:23 AM org.apache.coyote.AbstractProtocol start
SEVERE: Failed to start end point associated with ProtocolHandler ["http-nio-8443"]
java.io.IOException: DerInputStream.getLength(): lengthTag=109, too big.
    at sun.security.util.DerInputStream.getLength(DerInputStream.java:561)
    at sun.security.util.DerValue.init(DerValue.java:365)
    at sun.security.util.DerValue.<init>(DerValue.java:320)
    at sun.security.pkcs12.PKCS12KeyStore.engineLoad(PKCS12KeyStore.java:1233)
    at java.security.KeyStore.load(KeyStore.java:1226)
    at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getStore(JSSESocketFactory.java:392)
    at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getTrustStore(JSSESocketFactory.java:343)
    at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getTrustManagers(JSSESocketFactory.java:599)
    at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getTrustManagers(JSSESocketFactory.java:511)
    at org.apache.tomcat.util.net.NioEndpoint.bind(NioEndpoint.java:493)
    at org.apache.tomcat.util.net.AbstractEndpoint.start(AbstractEndpoint.java:647)
    at org.apache.coyote.AbstractProtocol.start(AbstractProtocol.java:449)
    at org.apache.catalina.connector.Connector.startInternal(Connector.java:1007)
    at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:150)
    at org.apache.catalina.core.StandardService.startInternal(StandardService.java:459)
    at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:150)
    at org.apache.catalina.core.StandardServer.startInternal(StandardServer.java:731)
    at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:150)
    at org.apache.catalina.startup.Catalina.start(Catalina.java:689)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:606)
    at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:321)
    at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:455)
Aug 16, 2021 10:22:23 AM org.apache.catalina.core.StandardService startInternal
SEVERE: Failed to start connector [Connector[org.apache.coyote.http11.Http11NioProtocol-8443]]
org.apache.catalina.LifecycleException: Failed to start component [Connector[org.apache.coyote.http11.Http11NioProtocol-8443]]
    at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:154)
    at org.apache.catalina.core.StandardService.startInternal(StandardService.java:459)
    at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:150)
    at org.apache.catalina.core.StandardServer.startInternal(StandardServer.java:731)
    at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:150)
    at org.apache.catalina.startup.Catalina.start(Catalina.java:689)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:606)
    at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:321)
    at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:455)
Caused by: org.apache.catalina.LifecycleException: service.getName(): "Catalina"; Protocol handler start failed
    at org.apache.catalina.connector.Connector.startInternal(Connector.java:1014)
    at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:150)
    ... 11 more
Caused by: java.io.IOException: DerInputStream.getLength(): lengthTag=109, too big.
    at sun.security.util.DerInputStream.getLength(DerInputStream.java:561)
    at sun.security.util.DerValue.init(DerValue.java:365)
    at sun.security.util.DerValue.<init>(DerValue.java:320)
    at sun.security.pkcs12.PKCS12KeyStore.engineLoad(PKCS12KeyStore.java:1233)
    at java.security.KeyStore.load(KeyStore.java:1226)
    at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getStore(JSSESocketFactory.java:392)
    at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getTrustStore(JSSESocketFactory.java:343)
    at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getTrustManagers(JSSESocketFactory.java:599)
    at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getTrustManagers(JSSESocketFactory.java:511)
    at org.apache.tomcat.util.net.NioEndpoint.bind(NioEndpoint.java:493)
    at org.apache.tomcat.util.net.AbstractEndpoint.start(AbstractEndpoint.java:647)
    at org.apache.coyote.AbstractProtocol.start(AbstractProtocol.java:449)
    at org.apache.catalina.connector.Connector.startInternal(Connector.java:1007)
    ... 12 more
Any help would be appreciated.
-chris
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
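The "lengthTag=109" in the trace can be decoded from the first two bytes of whatever file the JVM was handed: the following pre-flight check is an added example, not code from the thread or from Tomcat, and it applies the same length-byte test as DerInputStream.getLength to a keystore header. The sample headers are constructed; the JKS one (magic FEEDFEED) reproduces exactly this message, since 0xED & 0x7F = 109, while a DER-encoded PKCS12 file starts with a SEQUENCE (0x30) and passes.

```python
import sys

# Constructed sample headers (not files from the thread): the first bytes of a
# JKS keystore (magic 0xFEEDFEED, version 2) and of a DER-encoded PKCS12 file
# (outer SEQUENCE, tag 0x30, long-form length 0x82 = two length bytes follow).
JKS_HEADER = bytes.fromhex("feedfeed00000002")
PKCS12_HEADER = bytes.fromhex("308209f0020103308209b6")

JKS_MAGIC = b"\xfe\xed\xfe\xed"
DER_SEQUENCE = 0x30


def der_length_tag(length_byte):
    """Apply the checks DerInputStream.getLength makes on the first length byte.
    Returns (ok, detail); detail carries the JVM's wording when it would fail."""
    if length_byte & 0x80 == 0:
        return True, "short form, length=%d" % length_byte
    tag = length_byte & 0x7F
    if tag == 0:
        return True, "indefinite length"
    if tag > 4:
        return False, "DerInputStream.getLength(): lengthTag=%d, too big." % tag
    return True, "long form, %d length byte(s) follow" % tag


def classify_keystore(header):
    """Identify the container format from its leading bytes."""
    if header.startswith(JKS_MAGIC):
        return "JKS"
    if header[:1] == bytes([DER_SEQUENCE]):
        return "PKCS12"
    return "unknown"


def explain_pkcs12_load(header):
    """Simulate what PKCS12KeyStore.engineLoad sees: it reads the tag byte,
    then hands the very next byte to getLength before checking anything else."""
    if len(header) < 2:
        raise ValueError("file too short to be a keystore")
    ok, detail = der_length_tag(header[1])
    return {
        "detected": classify_keystore(header),
        "loads_as_pkcs12": ok and header[0] == DER_SEQUENCE,
        "detail": detail,
    }


def check_file(path):
    """Read a real keystore's first bytes and report the same verdict."""
    with open(path, "rb") as fh:
        return explain_pkcs12_load(fh.read(8))


if __name__ == "__main__":
    for p in sys.argv[1:]:
        print(p, check_file(p))
```

Because the frames show the failure inside getTrustStore rather than the key store load, the file worth running this against is whichever trust store the connector actually resolves, not only keystore.p12.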
Re: Error loading PKCS12 keystore, java.io.IOException:
DerInputStream.getLength(): lengthTag=109, too big.
Posted by Christopher Schultz <ch...@christopherschultz.net>.
All,
On 8/16/21 10:32, Christopher Schultz wrote:
> All,
>
> Anyone ever seen this before?
>
> I'm using an older Tomcat (7.0.x) on an older Java (1.7.0_80) along with
> a certificate from Let's Encrypt. This was the server I used to
> initially develop my "Let's Encrypt Apache Tomcat" presentation and
> scripts, so I am familiar with the process and everything that needs to
> happen.
>
> I was updating the script to use the new snap-based certbot instead of
> the older one which is fraught with dependency issues, etc. and I'm able
> to renew the certificate just fine, but after assembling the PKCS12
> keystore, I'm getting this error when Tomcat attempts to start the HTTPS
> connector.
>
> My old script first converted from raw PEM files to PKCS12 using the
> "openssl pkcs12" command, then converted to JKS using Java's "keytool".
> I decided to cut-out the middle-man and use PKCS12 files directly this
> time.
>
> Here is my (sanitized) <Connector> configuration:
>
> <Connector port="8443"
> protocol="org.apache.coyote.http11.Http11NioProtocol"
> keystoreFile="${catalina.base}/keystore.p12"
> keystoreType="PKCS12"
> keystorePass="changeit"
> keyPass="changeit"
> truststoreType="PKCS12"
> URIEncoding="UTF-8"
> sslProtocol="SSL"
> SSLEnabled="true"
> scheme="https"
> secure="true"
> bindOnInit="false"
> ciphers="
> TLS_EMPTY_RENEGOTIATION_INFO_SCSV,
> TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,
> TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
> TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
> TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
> TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384,
> TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,
> TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256,
> TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,
> TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384,
> TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,
> TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256,
> TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,
> TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,
> TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
> TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
> TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
> TLS_RSA_WITH_AES_256_CBC_SHA256,
> TLS_RSA_WITH_AES_256_CBC_SHA,
> TLS_RSA_WITH_AES_128_CBC_SHA256,
> TLS_RSA_WITH_AES_128_CBC_SHA
> "
> sslEnabledProtocols="TLSv1.2" />
>
> I added the "truststoreType" just in case Tomcat was using the
> keystoreType as the truststoreType, and defaulting to using the keystore
> as the truststore. None of those things are true, but I left it in the
> configuration.
>
> When using "keytool" on the command-line to dump the certs, I get no
> errors and the keystore contains the expected data.
>
> Here is the command I use to assemble the pkcs12 file:
>
> openssl pkcs12 -export -in "${LE_BASE}/cert.pem" -inkey
> "${LE_BASE}/privkey.pem" \
> -certfile "${LE_BASE}/fullchain.pem" \
> -out "${CATALINA_BASE}/${HOSTNAME}.p12" -name tomcat \
> -passout "pass:changeit"
>
>
> Here is the complete stack trace of the error:
>
> Aug 16, 2021 10:22:23 AM org.apache.coyote.AbstractProtocol start
> SEVERE: Failed to start end point associated with ProtocolHandler
> ["http-nio-8443"]
> java.io.IOException: DerInputStream.getLength(): lengthTag=109, too big.
> at
> sun.security.util.DerInputStream.getLength(DerInputStream.java:561)
> at sun.security.util.DerValue.init(DerValue.java:365)
> at sun.security.util.DerValue.<init>(DerValue.java:320)
> at
> sun.security.pkcs12.PKCS12KeyStore.engineLoad(PKCS12KeyStore.java:1233)
> at java.security.KeyStore.load(KeyStore.java:1226)
> at
> org.apache.tomcat.util.net.jsse.JSSESocketFactory.getStore(JSSESocketFactory.java:392)
>
> at
> org.apache.tomcat.util.net.jsse.JSSESocketFactory.getTrustStore(JSSESocketFactory.java:343)
>
> at
> org.apache.tomcat.util.net.jsse.JSSESocketFactory.getTrustManagers(JSSESocketFactory.java:599)
>
> at
> org.apache.tomcat.util.net.jsse.JSSESocketFactory.getTrustManagers(JSSESocketFactory.java:511)
>
> at
> org.apache.tomcat.util.net.NioEndpoint.bind(NioEndpoint.java:493)
> at
> org.apache.tomcat.util.net.AbstractEndpoint.start(AbstractEndpoint.java:647)
>
> at
> org.apache.coyote.AbstractProtocol.start(AbstractProtocol.java:449)
> at
> org.apache.catalina.connector.Connector.startInternal(Connector.java:1007)
> at
> org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:150)
> at
> org.apache.catalina.core.StandardService.startInternal(StandardService.java:459)
>
> at
> org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:150)
> at
> org.apache.catalina.core.StandardServer.startInternal(StandardServer.java:731)
>
> at
> org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:150)
> at org.apache.catalina.startup.Catalina.start(Catalina.java:689)
> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> at
> sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
>
> at
> sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>
> at java.lang.reflect.Method.invoke(Method.java:606)
> at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:321)
> at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:455)
>
> Aug 16, 2021 10:22:23 AM org.apache.catalina.core.StandardService
> startInternal
> SEVERE: Failed to start connector
> [Connector[org.apache.coyote.http11.Http11NioProtocol-8443]]
> org.apache.catalina.LifecycleException: Failed to start component
> [Connector[org.apache.coyote.http11.Http11NioProtocol-8443]]
> at
> org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:154)
> at
> org.apache.catalina.core.StandardService.startInternal(StandardService.java:459)
>
> at
> org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:150)
> at
> org.apache.catalina.core.StandardServer.startInternal(StandardServer.java:731)
>
> at
> org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:150)
> at org.apache.catalina.startup.Catalina.start(Catalina.java:689)
> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> at
> sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
>
> at
> sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>
> at java.lang.reflect.Method.invoke(Method.java:606)
> at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:321)
> at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:455)
> Caused by: org.apache.catalina.LifecycleException: service.getName():
> "Catalina"; Protocol handler start failed
> at
> org.apache.catalina.connector.Connector.startInternal(Connector.java:1014)
> at
> org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:150)
> ... 11 more
> Caused by: java.io.IOException: DerInputStream.getLength():
> lengthTag=109, too big.
> at
> sun.security.util.DerInputStream.getLength(DerInputStream.java:561)
> at sun.security.util.DerValue.init(DerValue.java:365)
> at sun.security.util.DerValue.<init>(DerValue.java:320)
> at
> sun.security.pkcs12.PKCS12KeyStore.engineLoad(PKCS12KeyStore.java:1233)
> at java.security.KeyStore.load(KeyStore.java:1226)
> at
> org.apache.tomcat.util.net.jsse.JSSESocketFactory.getStore(JSSESocketFactory.java:392)
>
> at
> org.apache.tomcat.util.net.jsse.JSSESocketFactory.getTrustStore(JSSESocketFactory.java:343)
>
> at
> org.apache.tomcat.util.net.jsse.JSSESocketFactory.getTrustManagers(JSSESocketFactory.java:599)
>
> at
> org.apache.tomcat.util.net.jsse.JSSESocketFactory.getTrustManagers(JSSESocketFactory.java:511)
>
> at
> org.apache.tomcat.util.net.NioEndpoint.bind(NioEndpoint.java:493)
> at
> org.apache.tomcat.util.net.AbstractEndpoint.start(AbstractEndpoint.java:647)
>
> at
> org.apache.coyote.AbstractProtocol.start(AbstractProtocol.java:449)
> at
> org.apache.catalina.connector.Connector.startInternal(Connector.java:1007)
> ... 12 more
>
>
> Any help would be appreciated.
Switching back to the JKS keystore type worked, but *only* after removing this:
truststoreType="PKCS12"
That's pretty surprising to me; the truststoreType should be irrelevant
when not using a trust store. Somehow, the trust store type ends up
affecting the key store type?
This is 7.0.53, so it's pretty old. I will read the changelog for 7.0.x
and probably upgrade and try again.
-chris