----- Original Message -----
>>>> The error message is not very helpful, but I think this error
>>>> happens because the clientAuth in Connector has been replaced
>>>> by certificateVerification in SSLHostConfig and they cannot be
>>>> specified at the same time. See the following page:
>>>>
https://tomcat.apache.org/tomcat-8.5-doc/config/http.html
>>>>
>>>> So try removing the clientAuth and set the certificateVerification
>>>> to "required". I have not tried this myself though.
>>>
>>> nope, still get the same
>>
>> Could you show me the entire Connector element and its children?
>> Make sure all attributes replaced by SSLHostConfig have been
>> deleted from the Connector element (see the above link).
>
> <Connector name="Secure"
> port="8443"
> protocol="org.dogtagpki.tomcat.Http11NioProtocol"
> SSLEnabled="true"
> scheme="https"
> secure="true"
> connectionTimeout="80000"
> keepAliveTimeout="300000"
> maxHttpHeaderSize="8192"
> acceptCount="100"
> maxThreads="150"
> minSpareThreads="25"
> enableLookups="false"
> disableUploadTimeout="true"
> enableOCSP="false"
> ocspResponderURL="http://sid1.leon.tyrell:8080/ca/ocsp"
> ocspResponderCertNickname="ocspSigningCert cert-pki-ca"
> ocspCacheSize="1000"
> ocspMinCacheEntryDuration="7200"
> ocspMaxCacheEntryDuration="14400"
> ocspTimeout="10"
> strictCiphers="true"
> sslVersionRangeStream="tls1_1:tls1_2"
> sslVersionRangeDatagram="tls1_1:tls1_2"
>
sslRangeCiphers="-TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,-TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,-TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,-TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,-TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,+TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,-TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,-TLS_DHE_DSS_WITH_AES_128_CBC_SHA,-TLS_DHE_DSS_WITH_AES_256_CBC_SHA,-TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_DHE_RSA_WITH_AES_128_CBC_SHA,+TLS_DHE_RSA_WITH_AES_256_CBC_SHA,+TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,+TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,+TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,-TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,-TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,+TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,-TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,+TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,-TLS_RSA_WITH_AES_128_CBC_SHA256,-TLS_RSA_WITH_AES_256_CBC_SHA256,-TLS_RSA_WITH_AES_128_GCM_SHA256,-TLS_RSA_WITH_3DES_EDE_CBC_SHA,-TLS_RSA_WITH_AES_128_CBC_SHA,-TLS_RSA_WITH_AES_256_CBC_SHA,+TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,+TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,+TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,-TLS_RSA_WITH_AES_256_GCM_SHA384"
>
serverCertNickFile="/var/lib/pki/pki-tomcat/conf/serverCertNick.conf"
> passwordFile="/var/lib/pki/pki-tomcat/conf/password.conf"
>
passwordClass="org.apache.tomcat.util.net.jss.PlainPasswordFile"
> certdbDir="/var/lib/pki/pki-tomcat/alias">
>
> <SSLHostConfig sslProtocol="SSL"
> certificateVerification="required"
>
trustManagerClassName="org.dogtagpki.tomcat.PKITrustManager">
> <Certificate certificateKeystoreType="pkcs11"
> certificateKeystoreProvider="Mozilla-JSS"
> certificateKeyAlias="sslserver"/>
> </SSLHostConfig>
>
> </Connector>
>
>
> I don't see what should be dropped from Connector..
Are you getting this error:
java.lang.IllegalArgumentException: Alias name [sslserver] does not identify a key
entry
or this error?
java.lang.IllegalArgumentException: Multiple SSLHostConfig elements were provided
for the host name [_default_]. Host names must be unique.
If it's the first one, that means the PKCS #11 keystore (i.e. JSS keystore) cannot
find the SSL server certificate. We may not have a solution since we do not support
Java 11 yet.
But I've patched Dogtag to support the new keystore, and am using JSS
4.5.1, I thought they did support Java 11.. so something is missing
still then..
If it's the second one, that message is coming from Tomcat when
validating the
server.xml. Is certificateVerification the only thing you change in that file? You
might want to try adding defaultSSLHostConfigName to Connector and hostName to
SSLHostConfig, but I'm really not sure what's going on.
See also this page:
https://stackoverflow.com/questions/42135892/tomcat-8-5-server-xml-multip...
If you put any of these deprecated attributes in the Connector directive, tomcat
assumes you are using the old way and auto creates a SSLHostConfig itself, which
then conflicts with the one you are creating.
--
Endi S. Dewata