Posted to users@tomcat.apache.org by Kevin Huntly <km...@gmail.com> on 2023/03/18 18:15:13 UTC

SSL issue

Hello Everyone,

I'm having an issue with my SSL connector:

<stacktrace>
18-Mar-2023 14:12:46.996 SEVERE [main] org.apache.catalina.util.LifecycleBase.handleSubClassException Failed to initialize component [Connector[org.apache.coyote.http11.Http11Nio2Protocol-8443]]
        org.apache.catalina.LifecycleException: Protocol handler initialization failed
                at org.apache.catalina.connector.Connector.initInternal(Connector.java:1014)
                at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
                at org.apache.catalina.core.StandardService.initInternal(StandardService.java:549)
                at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
                at org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:1032)
                at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
                at org.apache.catalina.startup.Catalina.load(Catalina.java:724)
                at org.apache.catalina.startup.Catalina.load(Catalina.java:746)
                at java.base/jdk.internal.reflect.DirectMethodHandleAccessor.invoke(DirectMethodHandleAccessor.java:104)
                at java.base/java.lang.reflect.Method.invoke(Method.java:578)
                at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:307)
                at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:477)
        Caused by: java.lang.IllegalArgumentException: Get Key failed: Given final block not properly padded. Such issues can arise if a bad key is used during decryption.
                at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:107)
                at org.apache.tomcat.util.net.AbstractJsseEndpoint.initialiseSsl(AbstractJsseEndpoint.java:71)
                at org.apache.tomcat.util.net.Nio2Endpoint.bind(Nio2Endpoint.java:146)
                at org.apache.tomcat.util.net.AbstractEndpoint.bindWithCleanup(AbstractEndpoint.java:1302)
                at org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:1315)
                at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:652)
                at org.apache.coyote.http11.AbstractHttp11Protocol.init(AbstractHttp11Protocol.java:75)
                at org.apache.catalina.connector.Connector.initInternal(Connector.java:1012)
                ... 11 more
        Caused by: java.security.UnrecoverableKeyException: Get Key failed: Given final block not properly padded. Such issues can arise if a bad key is used during decryption.
                at java.base/sun.security.pkcs12.PKCS12KeyStore.engineGetKey(PKCS12KeyStore.java:454)
                at java.base/sun.security.util.KeyStoreDelegator.engineGetKey(KeyStoreDelegator.java:91)
                at java.base/java.security.KeyStore.getKey(KeyStore.java:1077)
                at org.apache.tomcat.util.net.SSLUtilBase.getKeyManagers(SSLUtilBase.java:353)
                at org.apache.tomcat.util.net.SSLUtilBase.createSSLContext(SSLUtilBase.java:246)
                at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:105)
                ... 18 more
        Caused by: javax.crypto.BadPaddingException: Given final block not properly padded. Such issues can arise if a bad key is used during decryption.
                at java.base/com.sun.crypto.provider.CipherCore.unpad(CipherCore.java:861)
                at java.base/com.sun.crypto.provider.CipherCore.fillOutputBuffer(CipherCore.java:941)
                at java.base/com.sun.crypto.provider.CipherCore.doFinal(CipherCore.java:734)
                at java.base/com.sun.crypto.provider.PBES2Core.engineDoFinal(PBES2Core.java:310)
                at java.base/javax.crypto.Cipher.doFinal(Cipher.java:2207)
                at java.base/sun.security.pkcs12.PKCS12KeyStore.lambda$engineGetKey$0(PKCS12KeyStore.java:370)
                at java.base/sun.security.pkcs12.PKCS12KeyStore$RetryWithZero.run(PKCS12KeyStore.java:257)
                at java.base/sun.security.pkcs12.PKCS12KeyStore.engineGetKey(PKCS12KeyStore.java:361)
                ... 23 more
</stacktrace>

And my SSL config:

<code>
        <Connector executor="tomcatThreadPool"
                   protocol="org.apache.coyote.http11.Http11Nio2Protocol"
                   sslImplementationName="org.apache.tomcat.util.net.jsse.JSSEImplementation"
                   address="0.0.0.0" port="8443" maxHttpHeaderSize="8192"
                   maxThreads="150" minSpareThreads="25" enableLookups="false"
                   acceptCount="100" connectionTimeout="20000"
                   disableUploadTimeout="true" compression="on"
                   compressionMinSize="2048" noCompressionUserAgents="gozilla, traviata"
                   SSLEnabled="true" scheme="https">
            <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
            <SSLHostConfig hostName="appsrv.lan" protocols="TLSv1.2">
                <Certificate certificateKeystoreFile="/home/appsrv/etc/tomcat.p12"
                             certificateKeystoreType="PKCS12"
                             certificateKeystorePassword="password" />
            </SSLHostConfig>
        </Connector>
</code>

So, what am I doing wrong here?
________________________________________________

Kevin Huntly
Email: kmhuntly@gmail.com
________________________________________________

-----BEGIN GEEK CODE BLOCK-----
Version: 1.0
GCS/IT d+ s a C++ UL+++$ P+(++) L+++ E---
W+++ N+ o K(+) w--- O- M-- V-- PS+ PE Y(+)
PGP++(+++) t+ 5-- X-- R+ tv+ b++  DI++ D++
G++ e(+) h--- r+++ y+++*
------END GEEK CODE BLOCK------

Re: SSL issue

Posted by "John Dale (DB2DOM)" <jc...@gmail.com>.
What kind of key are you using?

I generate my certs with certbot.

The result needs to be converted thusly to be used:
openssl pkcs12 -export -out mykey-bundle.pfx -inkey myprivkey.pem -in cert.pem -certfile chain.pem -password pass:superdupersecretnoteventhealiensknow

Is this a possible source of the issue?


On 3/18/23, Kevin Huntly <km...@gmail.com> wrote:
> Hello Everyone,
>
> I'm having an issue with my SSL connector:
>
> [...]
>
> So, what am I doing wrong here?

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
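Kevin's trace and John's conversion recipe come down to the same pre-flight check, so here is a short script, added as an example and not code from any post in this thread, that builds a PKCS#12 the way John's openssl command does and then runs the checks worth doing before pointing Tomcat's <Certificate> element at it. It assumes only that the openssl CLI is installed; the key, certificate, alias, passwords and store name are throwaway values constructed for the script, not the poster's /home/appsrv/etc/tomcat.p12. Two details of the trace explain why the checks look the way they do: the failure is inside PKCS12KeyStore.engineGetKey, so the JDK had already loaded the store and verified its MAC with the configured password and only then failed to decrypt the key bag; and the frame below it is PBES2Core, so the store's encryption algorithm was understood and the bad padding points at the password given to the key bag rather than at an unsupported cipher. `keytool -list` never calls engineGetKey, which is why a store that lists fine can still fail at Tomcat startup.

```shell
#!/bin/sh
# Pre-flight checks for a PKCS#12 keystore before pointing a Tomcat
# <Certificate> element at it. Added example; not code from the thread.
# Assumes the openssl CLI is on PATH. The key, certificate and store are
# throwaway test material generated here (constructed, not the poster's
# /home/appsrv/etc/tomcat.p12).
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Build a self-signed key+cert and pack them the way John's certbot recipe
# does. A single -passout protects BOTH the store MAC and the key bag, which
# is the layout Tomcat expects when only certificateKeystorePassword is set.
make_store() {              # $1 = output .p12   $2 = password
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=appsrv.lan" \
        -keyout "$WORK/key.pem" -out "$WORK/cert.pem" >/dev/null 2>&1
    openssl pkcs12 -export -inkey "$WORK/key.pem" -in "$WORK/cert.pem" \
        -name tomcat -out "$1" -passout "pass:$2" >/dev/null 2>&1
}

# Does the store open with this password? Unlike `keytool -list`, which only
# checks the MAC, openssl also decrypts the key bag with the same password,
# so this fails for the same reason PKCS12KeyStore.engineGetKey fails.
p12_opens() {               # $1 = .p12   $2 = password
    openssl pkcs12 -in "$1" -passin "pass:$2" -noout >/dev/null 2>&1
}

# Number of private keys in the store. Tomcat needs exactly one per
# <Certificate>, or a certificateKeyAlias to pick one out of several.
p12_key_count() {           # $1 = .p12   $2 = password
    openssl pkcs12 -in "$1" -passin "pass:$2" -nocerts -nodes 2>/dev/null \
        | grep -c 'BEGIN PRIVATE KEY' || true
}

# Does the private key belong to the leaf certificate? A store built from
# the wrong key.pem passes the password check and then fails the handshake.
p12_key_matches_cert() {    # $1 = .p12   $2 = password
    key_pub=$(openssl pkcs12 -in "$1" -passin "pass:$2" -nocerts -nodes 2>/dev/null \
        | openssl pkey -pubout 2>/dev/null)
    cert_pub=$(openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -clcerts 2>/dev/null \
        | openssl x509 -pubkey -noout 2>/dev/null)
    [ -n "$key_pub" ] && [ "$key_pub" = "$cert_pub" ]
}

# Stand-alone run: build a store, run the checks with the right password,
# then show that the wrong password is rejected instead of half-working.
main() {
    store="$WORK/tomcat.p12"
    make_store "$store" 'correct-store-password'
    p12_opens "$store" 'correct-store-password' && echo "store opens: yes"
    echo "private keys: $(p12_key_count "$store" 'correct-store-password')"
    p12_key_matches_cert "$store" 'correct-store-password' && echo "key matches cert: yes"
    p12_opens "$store" 'password' || echo "wrong password rejected (as Tomcat would)"
}
main
```

Run it against a real store by calling `p12_opens /home/appsrv/etc/tomcat.p12 "$STOREPASS"` and the two sibling checks instead of `main`. Note that `openssl pkcs12 -export` with one `-passout` uses that password for both the MAC and the key bag; its `-twopass` option is what produces a store with separate integrity and encryption passwords, and Tomcat's `certificateKeyPassword` attribute is how such a store is configured without rebuilding it.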


Re: SSL issue

Posted by "Thomas Hoffmann (Speed4Trade GmbH)" <Th...@speed4trade.com.INVALID>.
Hello Kevin,

That's why I also suggest using the PEM format.
You don't have to deal with two passwords, and the files can be opened in a normal editor.
Copy & paste also works easily in PEM format.

Glad it works now.
Greetings, Thomas

> -----Original Message-----
> From: Kevin Huntly <km...@gmail.com>
> Sent: Saturday, 18 March 2023 20:30
> To: Tomcat Users List <us...@tomcat.apache.org>
> Subject: Re: SSL issue
> 
> I was able to read the keystore with both openssl and keytool, but for some
> reason the private key within the pkcs#12 file had a different password than the
> keystore password. I ended up just rebuilding the cert and the keystore, and it's
> working now. Thanks!
> ________________________________________________
> 
> Kevin Huntly
> Email: kmhuntly@gmail.com
> Cell: 716/424-3311
> ________________________________________________
> 
> -----BEGIN GEEK CODE BLOCK-----
> Version: 1.0
> GCS/IT d+ s a C++ UL+++$ P+(++) L+++ E---
> W+++ N+ o K(+) w--- O- M-- V-- PS+ PE Y(+)
> PGP++(+++) t+ 5-- X-- R+ tv+ b++  DI++ D++
> G++ e(+) h--- r+++ y+++*
> ------END GEEK CODE BLOCK------
> 
> 
> On Sat, Mar 18, 2023 at 3:27 PM Thomas Hoffmann (Speed4Trade GmbH)
> <Th...@speed4trade.com.invalid> wrote:
> 
> > Hello,
> >
> > the relevant error is:
> > Caused by: javax.crypto.BadPaddingException: Given final block not
> > properly padded. Such issues can arise if a bad key is used during
> > decryption.
> >
> > It seems there is something wrong with your keystore.
> > Are both the private and public key in the p12 file?
> > Can you check the contents with keytool?
> > Alternatively, you can also use pem files, they are more readable than p12.
> >
> > Greetings, Thomas
> >
> > > -----Original Message-----
> > > From: Kevin Huntly <km...@gmail.com>
> > > Sent: Saturday, 18 March 2023 19:15
> > > To: users@tomcat.apache.org
> > > Subject: SSL issue
> > >
> > > Hello Everyone,
> > >
> > > I'm having an issue with my SSL connector:
> > >
> > > [...]
> > >
> > > So, what am I doing wrong here?
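Thomas's advice (two passwords versus PEM) maps onto two Tomcat configurations, shown below as an added example that is not taken from the thread or from the Tomcat project. The attribute names are Tomcat's documented attributes of the Certificate element under SSLHostConfig; the file paths, alias and passwords are placeholders, and the protocols list adds TLS 1.3 to Kevin's TLS 1.2. Option 1 keeps a PKCS#12 store whose private key bag was encrypted under a different password than the store and tells Tomcat so; option 2 drops the keystore for the PEM files certbot writes.

```xml
<!-- Added example: use exactly ONE of these two <SSLHostConfig> blocks in
     place of the <SSLHostConfig> inside the <Connector port="8443" ...> from
     the original post. Paths, alias and passwords are placeholders. -->

<!-- Option 1: keep the PKCS#12 store, but tell Tomcat that the private key
     bag carries its own password. Without certificateKeyPassword, Tomcat
     calls KeyStore.getKey() with the store password, and a store whose key
     bag was encrypted under a different one fails exactly as in the trace
     ("Given final block not properly padded"). -->
<SSLHostConfig hostName="appsrv.lan" protocols="TLSv1.2,TLSv1.3">
    <Certificate certificateKeystoreFile="/home/appsrv/etc/tomcat.p12"
                 certificateKeystoreType="PKCS12"
                 certificateKeystorePassword="store-password"
                 certificateKeyPassword="key-password"
                 certificateKeyAlias="tomcat" />
</SSLHostConfig>

<!-- Option 2: no keystore at all, just the PEM files certbot writes
     (Thomas's suggestion). certificateKeyPassword is only needed here if
     privkey.pem itself is encrypted; certbot's is not. -->
<SSLHostConfig hostName="appsrv.lan" protocols="TLSv1.2,TLSv1.3">
    <Certificate certificateKeyFile="/home/appsrv/etc/privkey.pem"
                 certificateFile="/home/appsrv/etc/cert.pem"
                 certificateChainFile="/home/appsrv/etc/chain.pem" />
</SSLHostConfig>
```

Whichever option is used, the password still ends up in clear text in server.xml, so restrict that file to the Tomcat user and keep the key file or keystore itself readable by that user only.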

Re: SSL issue

Posted by "John Dale (DB2DOM)" <jc...@gmail.com>.
Noted - excellent!

On 3/18/23, Kevin Huntly <km...@gmail.com> wrote:
> I was able to read the keystore with both openssl and keytool, but for some
> reason the private key within the pkcs#12 file had a different password
> than the keystore password. I ended up just rebuilding the cert and the
> keystore, and it's working now. Thanks!
> ________________________________________________
>
> Kevin Huntly
> Email: kmhuntly@gmail.com
> Cell: 716/424-3311
> ________________________________________________
>
> -----BEGIN GEEK CODE BLOCK-----
> Version: 1.0
> GCS/IT d+ s a C++ UL+++$ P+(++) L+++ E---
> W+++ N+ o K(+) w--- O- M-- V-- PS+ PE Y(+)
> PGP++(+++) t+ 5-- X-- R+ tv+ b++  DI++ D++
> G++ e(+) h--- r+++ y+++*
> ------END GEEK CODE BLOCK------
>
>
> On Sat, Mar 18, 2023 at 3:27 PM Thomas Hoffmann (Speed4Trade GmbH)
> <Th...@speed4trade.com.invalid> wrote:
>
>> Hello,
>>
>> the relevant error is:
>> Caused by: javax.crypto.BadPaddingException: Given final block not
>> properly padded. Such issues can arise if a bad key is used during
>> decryption.
>>
>> It seems there is something wrong with your keystore.
>> Are both the private and public key in the p12 file?
>> Can you check the contents with keytool?
>> Alternatively, you can also use pem files, they are more readable than
>> p12.
>>
>> Greetings, Thomas
>>
>> > -----Original Message-----
>> > From: Kevin Huntly <km...@gmail.com>
>> > Sent: Saturday, 18 March 2023 19:15
>> > To: users@tomcat.apache.org
>> > Subject: SSL issue
>> >
>> > Hello Everyone,
>> >
>> > I'm having an issue with my SSL connector:
>> >
>> > [...]
>> >
>> > So, what am I doing wrong here?
>



Re: SSL issue

Posted by Kevin Huntly <km...@gmail.com>.
I was able to read the keystore with both openssl and keytool, but for some
reason the private key within the pkcs#12 file had a different password
than the keystore password. I ended up just rebuilding the cert and the
keystore, and it's working now. Thanks!
________________________________________________

Kevin Huntly
Email: kmhuntly@gmail.com
Cell: 716/424-3311
________________________________________________

-----BEGIN GEEK CODE BLOCK-----
Version: 1.0
GCS/IT d+ s a C++ UL+++$ P+(++) L+++ E---
W+++ N+ o K(+) w--- O- M-- V-- PS+ PE Y(+)
PGP++(+++) t+ 5-- X-- R+ tv+ b++  DI++ D++
G++ e(+) h--- r+++ y+++*
------END GEEK CODE BLOCK------


On Sat, Mar 18, 2023 at 3:27 PM Thomas Hoffmann (Speed4Trade GmbH)
<Th...@speed4trade.com.invalid> wrote:

> Hello,
>
> the relevant error is:
> Caused by: javax.crypto.BadPaddingException: Given final block not
> properly padded. Such issues can arise if a bad key is used during
> decryption.
>
> It seems there is something wrong with your keystore.
> Are both the private and public key in the p12 file?
> Can you check the contents with keytool?
> Alternatively, you can also use pem files, they are more readable than p12.
>
> Greetings, Thomas
>
> > -----Original Message-----
> > From: Kevin Huntly <km...@gmail.com>
> > Sent: Saturday, 18 March 2023 19:15
> > To: users@tomcat.apache.org
> > Subject: SSL issue
> >
> > Hello Everyone,
> >
> > I'm having an issue with my SSL connector:
> >
> > [...]
> >
> java.base/com.sun.crypto.provider.CipherCore.fillOutputBuffer(CipherCore.jav
> > a:941)
> >                 at
> > java.base/com.sun.crypto.provider.CipherCore.doFinal(CipherCore.java:734)
> >                 at
> >
> java.base/com.sun.crypto.provider.PBES2Core.engineDoFinal(PBES2Core.java:3
> > 10)
> >                 at
> java.base/javax.crypto.Cipher.doFinal(Cipher.java:2207)
> >                 at
> > java.base/sun.security.pkcs12.PKCS12KeyStore.lambda$engineGetKey$0(PKCS1
> > 2KeyStore.java:370)
> >                 at
> >
> java.base/sun.security.pkcs12.PKCS12KeyStore$RetryWithZero.run(PKCS12KeySt
> > ore.java:257)
> >                 at
> >
> java.base/sun.security.pkcs12.PKCS12KeyStore.engineGetKey(PKCS12KeyStore.j
> > ava:361)
> >                 ... 23 more
> > </stacktrace>
> >
> > And my SSL config:
> >
> > <code>
> >         <Connector executor="tomcatThreadPool"
> > protocol="org.apache.coyote.http11.Http11Nio2Protocol"
> >
> sslImplementationName="org.apache.tomcat.util.net.jsse.JSSEImplementation"
> >             address="0.0.0.0" port="8443" maxHttpHeaderSize="8192"
> > maxThreads="150" minSpareThreads="25" enableLookups="false"
> > acceptCount="100" connectionTimeout="20000"
> >             disableUploadTimeout="true" compression="on"
> > compressionMinSize="2048" noCompressionUserAgents="gozilla, traviata"
> > SSLEnabled="true" scheme="https">
> >             <UpgradeProtocol
> > className="org.apache.coyote.http2.Http2Protocol" />
> >             <SSLHostConfig hostName="appsrv.lan" protocols="TLSv1.2">
> >                 <Certificate
> > certificateKeystoreFile="/home/appsrv/etc/tomcat.p12"
> > certificateKeystoreType="PKCS12" certificateKeystorePassword="password"
> />
> >             </SSLHostConfig>
> >         </Connector>
> > </code>
> >
> > So, what am I doing wrong here?
> > ________________________________________________
> >
> > Kevin Huntly
> > Email: kmhuntly@gmail.com
> > ________________________________________________
> >
> > -----BEGIN GEEK CODE BLOCK-----
> > Version: 1.0
> > GCS/IT d+ s a C++ UL+++$ P+(++) L+++ E---
> > W+++ N+ o K(+) w--- O- M-- V-- PS+ PE Y(+)
> > PGP++(+++) t+ 5-- X-- R+ tv+ b++  DI++ D++
> > G++ e(+) h--- r+++ y+++*
> > ------END GEEK CODE BLOCK------
>

Re: SSL issue

Posted by "Thomas Hoffmann (Speed4Trade GmbH)" <Th...@speed4trade.com.INVALID>.
Hello,

the relevant error is:
Caused by: javax.crypto.BadPaddingException: Given final block not properly padded. Such issues can arise if a bad key is used during decryption.

It seems there is something wrong with your keystore.
Are both the private and public key in the p12 file?
Can you check the contents with keytool?
Alternatively, you can also use PEM files; they are more readable than p12.

Greetings, Thomas

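The checks Thomas describes, as an added example that is not part of the thread: a POSIX shell script that verifies a PKCS12 store opens with the configured password, lists what it holds (keytool when a JDK is present, openssl otherwise), counts the private-key and certificate entries, and extracts the PEM pair Tomcat can take instead of the .p12. It assumes openssl on PATH; the keystore it inspects is constructed in place from a throwaway self-signed certificate for appsrv.lan, protected with the literal password "password" from the posted connector, so the script runs offline. Point STORE and STORE_PASS at the real file to diagnose it.

One thing worth reading off the stack trace first: the failure is in PKCS12KeyStore.engineGetKey, not in the load step, which is where a wrong store password normally fails the MAC check. So Java opened the file; what it could not do was decrypt the private-key bag (PBES2Core) with the password Tomcat handed it, and the RetryWithZero frame shows it also retried with an empty password before giving up. That is the symptom of a key entry protected with a password different from the store password. Tomcat's Certificate element has a separate certificateKeyPassword attribute that defaults to certificateKeystorePassword, so if keytool -list shows a PrivateKeyEntry but Tomcat still fails at the same point, that is the attribute that has to match.

```shell
#!/bin/sh
# Added example (not from the thread): inspect a Tomcat PKCS12 keystore the way
# Thomas suggests and convert it to the PEM pair Tomcat also accepts.
# Assumes openssl is on PATH; keytool is used only if a JDK is installed.
# The keystore is CONSTRUCTED here from a throwaway self-signed certificate so
# the script runs offline; point STORE/STORE_PASS at a real file to diagnose it.
set -eu

WORK="${TMPDIR:-/tmp}/tomcat-p12-check.$$"
STORE="$WORK/tomcat.p12"
STORE_PASS="password"   # the literal used for certificateKeystorePassword in the thread
trap 'rm -rf "$WORK"' EXIT

# Build the throwaway store: RSA key + self-signed cert for appsrv.lan, exported
# as PKCS12. OpenSSL 3 protects the key bag with PBES2 (AES-256-CBC), the scheme
# the stack trace's PBES2Core was decrypting; 1.1.1 still defaults to PBES1.
make_test_keystore() {
    mkdir -p "$WORK"
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 -subj "/CN=appsrv.lan" \
        -keyout "$WORK/key.pem" -out "$WORK/cert.pem" >/dev/null 2>&1
    openssl pkcs12 -export -inkey "$WORK/key.pem" -in "$WORK/cert.pem" \
        -name tomcat -passout "pass:$STORE_PASS" -out "$STORE"
}

# Succeeds only if the store's MAC verifies and its bags decrypt with the
# password, i.e. what Tomcat needs from certificateKeystorePassword.
# -passout is needed because openssl re-encrypts the extracted key on output
# and would otherwise prompt for a pass phrase.
p12_password_ok() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -passout pass:unused >/dev/null 2>&1
}

# The inventory Thomas asked for: entries, MAC parameters and bag encryption.
p12_inventory() {
    if command -v keytool >/dev/null 2>&1; then
        # -storepass on the command line is visible in `ps`; acceptable for a
        # throwaway store, use the prompt or -storepass:file for a real one.
        keytool -list -v -keystore "$1" -storetype PKCS12 -storepass "$2" \
            || echo "keytool could not read the store"
    fi
    # -info writes MAC and PBE details to stderr; drop the (empty) PEM output.
    openssl pkcs12 -in "$1" -passin "pass:$2" -passout pass:unused \
        -info -nokeys -nocerts 2>&1 >/dev/null
}

# Count the private keys and certificates the store yields with this password.
p12_count_keys() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -passout pass:unused -nocerts 2>/dev/null \
        | grep -c 'BEGIN .*PRIVATE KEY'
}
p12_count_certs() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys 2>/dev/null \
        | grep -c 'BEGIN CERTIFICATE'
}

# Extract the PEM pair for Tomcat's certificateFile / certificateKeyFile.
# The key is written unencrypted: it is created 0600 and must stay owned by
# the account Tomcat runs as.
p12_to_pem() {
    ( umask 077
      openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -clcerts 2>/dev/null \
          | openssl x509 -out "$3"
      openssl pkcs12 -in "$1" -passin "pass:$2" -nocerts -nodes 2>/dev/null \
          | openssl pkey -out "$4" )
}

# Succeeds if the certificate's public key is the one belonging to the private key.
pem_pair_matches() {
    [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

main() {
    make_test_keystore
    if p12_password_ok "$STORE" "$STORE_PASS"; then
        echo "store opens with the configured password"
    else
        echo "wrong password, or the file is not a PKCS12 store"
    fi
    if p12_password_ok "$STORE" "not-the-password"; then
        echo "unexpected: a wrong password was accepted"
    else
        echo "a wrong password is rejected (Mac verify error), as expected"
    fi
    p12_inventory "$STORE" "$STORE_PASS"
    echo "private keys: $(p12_count_keys "$STORE" "$STORE_PASS"), certificates: $(p12_count_certs "$STORE" "$STORE_PASS")"
    p12_to_pem "$STORE" "$STORE_PASS" "$WORK/tomcat.crt" "$WORK/tomcat.key"
    if pem_pair_matches "$WORK/tomcat.crt" "$WORK/tomcat.key"; then
        echo "PEM certificate and key belong together"
    else
        echo "PEM certificate and key do NOT match"
    fi
    echo "Tomcat PEM config: <Certificate certificateFile=\"$WORK/tomcat.crt\" certificateKeyFile=\"$WORK/tomcat.key\" />"
}
main
```

For the PEM variant the connector's Certificate element uses certificateFile and certificateKeyFile pointing at the two extracted files, with certificateKeyPassword only if you chose to leave the key encrypted. Whichever form is used, the key material and a server.xml that carries the password in clear text should be readable only by the account Tomcat runs as.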