1:44 a.m.
Hi
I've migrated Debian to use java11 in every component Dogtag needs, but while the
tomcat instance seems to get up (to be configured), it can't be properly reached:
2019-01-10 18:00:30 pkispawn : INFO Checking server at
https://sid1.leon.tyrell:8443/ca
2019-01-10 18:01:56 pkispawn : ERROR Server unreachable due to SSL error:
("bad handshake: SysCallError(-1, 'Unexpected EOF')",)
2019-01-10 18:01:56 configuration : ERROR Server failed to restart
and there's this on catalina.out:
WARNING: The JSSE TLS 1.3 implementation does not support authentication after the initial
handshake and is there
fore incompatible with optional client authentication
SEVERE: Failed to initialize component
[Connector[org.dogtagpki.tomcat.Http11NioProtocol-8443]]
org.apache.catalina.LifecycleException: Protocol handler initialization failed
at org.apache.catalina.connector.Connector.initInternal(Connector.java:979)
at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
at
org.apache.catalina.core.StandardService.initInternal(StandardService.java:535)
at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
at org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:1060)
at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
at org.apache.catalina.startup.Catalina.load(Catalina.java:588)
at org.apache.catalina.startup.Catalina.load(Catalina.java:611)
at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at
java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at
java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.base/java.lang.reflect.Method.invoke(Method.java:566)
at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:306)
at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:491)
Caused by: java.lang.IllegalArgumentException: Alias name [sslserver] does not identify a
key entry
at
org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:114)
at
org.apache.tomcat.util.net.AbstractJsseEndpoint.initialiseSsl(AbstractJsseEndpoint.java:85)
at org.apache.tomcat.util.net.NioEndpoint.bind(NioEndpoint.java:224)
at
org.apache.tomcat.util.net.AbstractEndpoint.bindWithCleanup(AbstractEndpoint.java:1085)
at org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:1098)
at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:557)
at
org.apache.coyote.http11.AbstractHttp11Protocol.init(AbstractHttp11Protocol.java:74)
at org.apache.catalina.connector.Connector.initInternal(Connector.java:976)
... 13 more
Caused by: java.io.IOException: Alias name [sslserver] does not identify a key entry
at org.apache.tomcat.util.net.jsse.JSSEUtil.getKeyManagers(JSSEUtil.java:248)
at
org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:112)
... 20 more
how to fix that? If this is fixed, Dogtag might finally end up in a Debian release :)
--
t
10:06 a.m.
----- Original Message -----
From: "Timo Aaltonen" <tjaalton(a)ubuntu.com>
To: pki-users(a)redhat.com
Sent: Friday, January 11, 2019 2:44:32 AM
Subject: [Pki-users] Problems with java11
Hi
I've migrated Debian to use java11 in every component Dogtag needs, but while
the tomcat instance seems to get up (to be configured), it can't be properly
reached:
2019-01-10 18:00:30 pkispawn : INFO Checking server at
https://sid1.leon.tyrell:8443/ca
2019-01-10 18:01:56 pkispawn : ERROR Server unreachable due to SSL
error: ("bad handshake: SysCallError(-1, 'Unexpected EOF')",)
2019-01-10 18:01:56 configuration : ERROR Server failed to restart
and there's this on catalina.out:
WARNING: The JSSE TLS 1.3 implementation does not support authentication
after the initial handshake and is there
fore incompatible with optional client authentication
SEVERE: Failed to initialize component
[Connector[org.dogtagpki.tomcat.Http11NioProtocol-8443]]
org.apache.catalina.LifecycleException: Protocol handler initialization
failed
at
org.apache.catalina.connector.Connector.initInternal(Connector.java:979)
at
org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
at
org.apache.catalina.core.StandardService.initInternal(StandardService.java:535)
at
org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
at
org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:1060)
at
org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
at org.apache.catalina.startup.Catalina.load(Catalina.java:588)
at org.apache.catalina.startup.Catalina.load(Catalina.java:611)
at
java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native
Method)
at
java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at
java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.base/java.lang.reflect.Method.invoke(Method.java:566)
at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:306)
at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:491)
Caused by: java.lang.IllegalArgumentException: Alias name [sslserver] does
not identify a key entry
at
org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:114)
at
org.apache.tomcat.util.net.AbstractJsseEndpoint.initialiseSsl(AbstractJsseEndpoint.java:85)
at org.apache.tomcat.util.net.NioEndpoint.bind(NioEndpoint.java:224)
at
org.apache.tomcat.util.net.AbstractEndpoint.bindWithCleanup(AbstractEndpoint.java:1085)
at
org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:1098)
at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:557)
at
org.apache.coyote.http11.AbstractHttp11Protocol.init(AbstractHttp11Protocol.java:74)
at
org.apache.catalina.connector.Connector.initInternal(Connector.java:976)
... 13 more
Caused by: java.io.IOException: Alias name [sslserver] does not identify a
key entry
at
org.apache.tomcat.util.net.jsse.JSSEUtil.getKeyManagers(JSSEUtil.java:248)
at
org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:112)
... 20 more
how to fix that? If this is fixed, Dogtag might finally end up in a Debian
release :)
So my 2c. on this issue -- I don't have a reproducing setup at the moment
but...
TomcatJSS for Tomcat versions greater than 8.5 are... misnamed? :) It
technically is TomcatJSSE (i.e., using Java's JSSE as the crypto backend for
TLS auth in Tomcat vs. using JSS/NSS).
So it appears that JSSE lacks support for optional client authentication
as per the error message:
WARNING: The JSSE TLS 1.3 implementation does not support
authentication
after the initial handshake and is therefore incompatible with optional
client authentication
In PKI's server.xml for tomcat 8.5+, we don't currently set the clientAuth
parameter, so we use the default of "want":
https://github.com/dogtagpki/pki/blob/master/base/server/tomcat-8.5/conf/...
https://github.com/dogtagpki/tomcatjss/blob/master/src/org/apache/tomcat/...
You'll probably want to ship clientAuth="true" as a work around on JDK 11+
and document that clientAuth="want" will not work for the time being. On the
other hand, this ~does~ require end users to set up client authentication to
access the page...
(edewata mentioned that you can have two separate PKI servers, one for
the admin pages with clientAuth="true" and one for end entity services with
clientAuth="false").
Eventually a new TomcatJSS with JSS support in Tomcat 8.5+ will be released,
so this issue will be fixed as JSS/NSS should support this type of optional
client authentication (but will need to be tested).
(It also isn't clear whether or not JDK8 supports TLS 1.3+).
-- Alex
--
t
_______________________________________________
Pki-users mailing list
Pki-users(a)redhat.com
https://www.redhat.com/mailman/listinfo/pki-users
7:22 a.m.
On 14.1.2019 18.06, Alexander Scheel wrote:
----- Original Message -----
> From: "Timo Aaltonen" <tjaalton(a)ubuntu.com>
> To: pki-users(a)redhat.com
> Sent: Friday, January 11, 2019 2:44:32 AM
> Subject: [Pki-users] Problems with java11
>
>
> Hi
>
> I've migrated Debian to use java11 in every component Dogtag needs, but while
> the tomcat instance seems to get up (to be configured), it can't be properly
> reached:
>
> 2019-01-10 18:00:30 pkispawn : INFO Checking server at
> https://sid1.leon.tyrell:8443/ca
> 2019-01-10 18:01:56 pkispawn : ERROR Server unreachable due to SSL
> error: ("bad handshake: SysCallError(-1, 'Unexpected EOF')",)
> 2019-01-10 18:01:56 configuration : ERROR Server failed to restart
>
>
> and there's this on catalina.out:
>
> WARNING: The JSSE TLS 1.3 implementation does not support authentication
> after the initial handshake and is there
> fore incompatible with optional client authentication
> SEVERE: Failed to initialize component
> [Connector[org.dogtagpki.tomcat.Http11NioProtocol-8443]]
> org.apache.catalina.LifecycleException: Protocol handler initialization
> failed
> at
> org.apache.catalina.connector.Connector.initInternal(Connector.java:979)
> at
> org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
> at
>
org.apache.catalina.core.StandardService.initInternal(StandardService.java:535)
> at
> org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
> at
>
org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:1060)
> at
> org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
> at org.apache.catalina.startup.Catalina.load(Catalina.java:588)
> at org.apache.catalina.startup.Catalina.load(Catalina.java:611)
> at
> java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native
> Method)
> at
>
java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
> at
>
java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
> at java.base/java.lang.reflect.Method.invoke(Method.java:566)
> at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:306)
> at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:491)
> Caused by: java.lang.IllegalArgumentException: Alias name [sslserver] does
> not identify a key entry
> at
>
org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:114)
> at
>
org.apache.tomcat.util.net.AbstractJsseEndpoint.initialiseSsl(AbstractJsseEndpoint.java:85)
> at org.apache.tomcat.util.net.NioEndpoint.bind(NioEndpoint.java:224)
> at
>
org.apache.tomcat.util.net.AbstractEndpoint.bindWithCleanup(AbstractEndpoint.java:1085)
> at
> org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:1098)
> at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:557)
> at
>
org.apache.coyote.http11.AbstractHttp11Protocol.init(AbstractHttp11Protocol.java:74)
> at
> org.apache.catalina.connector.Connector.initInternal(Connector.java:976)
> ... 13 more
> Caused by: java.io.IOException: Alias name [sslserver] does not identify a
> key entry
> at
> org.apache.tomcat.util.net.jsse.JSSEUtil.getKeyManagers(JSSEUtil.java:248)
> at
>
org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:112)
> ... 20 more
>
> how to fix that? If this is fixed, Dogtag might finally end up in a Debian
> release :)
>
So my 2c. on this issue -- I don't have a reproducing setup at the moment
but...
TomcatJSS for Tomcat versions greater than 8.5 are... misnamed? :) It
technically is TomcatJSSE (i.e., using Java's JSSE as the crypto backend for
TLS auth in Tomcat vs. using JSS/NSS).
So it appears that JSSE lacks support for optional client authentication
as per the error message:
> WARNING: The JSSE TLS 1.3 implementation does not support authentication
> after the initial handshake and is therefore incompatible with optional
> client authentication
In PKI's server.xml for tomcat 8.5+, we don't currently set the clientAuth
parameter, so we use the default of "want":
https://github.com/dogtagpki/pki/blob/master/base/server/tomcat-8.5/conf/...
https://github.com/dogtagpki/tomcatjss/blob/master/src/org/apache/tomcat/...
You'll probably want to ship clientAuth="true" as a work around on JDK 11+
and document that clientAuth="want" will not work for the time being. On the
other hand, this ~does~ require end users to set up client authentication to
access the page...
Doing this (and fixing pki-migrate to not remove that setting) then resulted in this:
SEVERE: End event threw exception
java.lang.reflect.InvocationTargetException
at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at
java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at
java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.base/java.lang.reflect.Method.invoke(Method.java:566)
at
org.apache.tomcat.util.IntrospectionUtils.callMethod1(IntrospectionUtils.java:373)
at org.apache.tomcat.util.digester.SetNextRule.end(SetNextRule.java:145)
at org.apache.tomcat.util.digester.Digester.endElement(Digester.java:944)
at org.apache.xerces.parsers.AbstractSAXParser.endElement(Unknown Source)
at org.apache.xerces.impl.XMLDocumentFragmentScannerImpl.scanEndElement(Unknown
Source)
at
org.apache.xerces.impl.XMLDocumentFragmentScannerImpl$FragmentContentDispatcher.dispatch(Unknown
Source)
at org.apache.xerces.impl.XMLDocumentFragmentScannerImpl.scanDocument(Unknown
Source)
at org.apache.xerces.parsers.XML11Configuration.parse(Unknown Source)
at org.apache.xerces.parsers.XML11Configuration.parse(Unknown Source)
at org.apache.xerces.parsers.XMLParser.parse(Unknown Source)
at org.apache.xerces.parsers.AbstractSAXParser.parse(Unknown Source)
at org.apache.xerces.jaxp.SAXParserImpl$JAXPSAXParser.parse(Unknown Source)
at org.apache.tomcat.util.digester.Digester.parse(Digester.java:1439)
at org.apache.catalina.startup.Catalina.load(Catalina.java:566)
at org.apache.catalina.startup.Catalina.load(Catalina.java:611)
at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at
java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at
java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.base/java.lang.reflect.Method.invoke(Method.java:566)
at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:306)
at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:491)
Caused by: java.lang.IllegalArgumentException: Multiple SSLHostConfig elements were
provided for the host name [_default_]. Host names must be unique.
at
org.apache.tomcat.util.net.AbstractEndpoint.addSslHostConfig(AbstractEndpoint.java:248)
at
org.apache.tomcat.util.net.AbstractEndpoint.addSslHostConfig(AbstractEndpoint.java:203)
at
org.apache.coyote.http11.AbstractHttp11Protocol.addSslHostConfig(AbstractHttp11Protocol.java:542)
at org.apache.catalina.connector.Connector.addSslHostConfig(Connector.java:834)
... 25 more
WARNING: Unable to load server configuration from
[/var/lib/pki/pki-tomcat/conf/server.xml]
org.xml.sax.SAXParseException; systemId: file:/var/lib/pki/pki-tomcat/conf/server.xml;
lineNumber: 188; columnNumber: 25; Error at (188, 25) : Multiple SSLHostConfig elements
were provided for the host name [_default_]. Host names must be unique.
at
org.apache.tomcat.util.digester.Digester.createSAXException(Digester.java:1862)
at
org.apache.tomcat.util.digester.Digester.createSAXException(Digester.java:1894)
at org.apache.tomcat.util.digester.Digester.endElement(Digester.java:947)
at org.apache.xerces.parsers.AbstractSAXParser.endElement(Unknown Source)
at org.apache.xerces.impl.XMLDocumentFragmentScannerImpl.scanEndElement(Unknown
Source)
at
org.apache.xerces.impl.XMLDocumentFragmentScannerImpl$FragmentContentDispatcher.dispatch(Unknown
Source)
at org.apache.xerces.impl.XMLDocumentFragmentScannerImpl.scanDocument(Unknown
Source)
at org.apache.xerces.parsers.XML11Configuration.parse(Unknown Source)
at org.apache.xerces.parsers.XML11Configuration.parse(Unknown Source)
at org.apache.xerces.parsers.XMLParser.parse(Unknown Source)
at org.apache.xerces.parsers.AbstractSAXParser.parse(Unknown Source)
at org.apache.xerces.jaxp.SAXParserImpl$JAXPSAXParser.parse(Unknown Source)
at org.apache.tomcat.util.digester.Digester.parse(Digester.java:1439)
at org.apache.catalina.startup.Catalina.load(Catalina.java:566)
at org.apache.catalina.startup.Catalina.load(Catalina.java:611)
at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at
java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at
java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.base/java.lang.reflect.Method.invoke(Method.java:566)
at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:306)
at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:491)
Caused by: java.lang.IllegalArgumentException: Multiple SSLHostConfig elements were
provided for the host name [_default_]. Host names must be unique.
at
org.apache.tomcat.util.net.AbstractEndpoint.addSslHostConfig(AbstractEndpoint.java:248)
at
org.apache.tomcat.util.net.AbstractEndpoint.addSslHostConfig(AbstractEndpoint.java:203)
at
org.apache.coyote.http11.AbstractHttp11Protocol.addSslHostConfig(AbstractHttp11Protocol.java:542)
at org.apache.catalina.connector.Connector.addSslHostConfig(Connector.java:834)
at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at
java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at
java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.base/java.lang.reflect.Method.invoke(Method.java:566)
at
org.apache.tomcat.util.IntrospectionUtils.callMethod1(IntrospectionUtils.java:373)
at org.apache.tomcat.util.digester.SetNextRule.end(SetNextRule.java:145)
at org.apache.tomcat.util.digester.Digester.endElement(Digester.java:944)
... 18 more
SEVERE: Cannot start server. Server instance is not configured.
and this is in server.xml:
182 <SSLHostConfig sslProtocol="SSL"
183 certificateVerification="optional"
184
trustManagerClassName="org.dogtagpki.tomcat.PKITrustManager">
185 <Certificate certificateKeystoreType="pkcs11"
186 certificateKeystoreProvider="Mozilla-JSS"
187 certificateKeyAlias="sslserver"/>
188 </SSLHostConfig>
Eventually a new TomcatJSS with JSS support in Tomcat 8.5+ will be
released,
so this issue will be fixed as JSS/NSS should support this type of optional
client authentication (but will need to be tested).
Any idea when that would be? Debian 10 will be frozen in a month.
--
t
8:46 a.m.
Hi,
The error message is not very helpful, but I think this error
happens because the clientAuth in Connector has been replaced
by certificateVerification in SSLHostConfig and they cannot be
specified at the same time. See the following page:
https://tomcat.apache.org/tomcat-8.5-doc/config/http.html
So try removing the clientAuth and set the certificateVerification
to "required". I have not tried this myself though.
--
Endi S. Dewata
----- Original Message -----
On 14.1.2019 18.06, Alexander Scheel wrote:
>
>
> ----- Original Message -----
>> From: "Timo Aaltonen" <tjaalton(a)ubuntu.com>
>> To: pki-users(a)redhat.com
>> Sent: Friday, January 11, 2019 2:44:32 AM
>> Subject: [Pki-users] Problems with java11
>>
>>
>> Hi
>>
>> I've migrated Debian to use java11 in every component Dogtag needs, but
>> while
>> the tomcat instance seems to get up (to be configured), it can't be
>> properly
>> reached:
>>
>> 2019-01-10 18:00:30 pkispawn : INFO Checking server at
>> https://sid1.leon.tyrell:8443/ca
>> 2019-01-10 18:01:56 pkispawn : ERROR Server unreachable due to SSL
>> error: ("bad handshake: SysCallError(-1, 'Unexpected EOF')",)
>> 2019-01-10 18:01:56 configuration : ERROR Server failed to restart
>>
>>
>> and there's this on catalina.out:
>>
>> WARNING: The JSSE TLS 1.3 implementation does not support authentication
>> after the initial handshake and is there
>> fore incompatible with optional client authentication
>> SEVERE: Failed to initialize component
>> [Connector[org.dogtagpki.tomcat.Http11NioProtocol-8443]]
>> org.apache.catalina.LifecycleException: Protocol handler initialization
>> failed
>> at
>>
org.apache.catalina.connector.Connector.initInternal(Connector.java:979)
>> at
>> org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
>> at
>>
org.apache.catalina.core.StandardService.initInternal(StandardService.java:535)
>> at
>> org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
>> at
>>
org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:1060)
>> at
>> org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
>> at org.apache.catalina.startup.Catalina.load(Catalina.java:588)
>> at org.apache.catalina.startup.Catalina.load(Catalina.java:611)
>> at
>> java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native
>> Method)
>> at
>>
java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
>> at
>>
java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>> at java.base/java.lang.reflect.Method.invoke(Method.java:566)
>> at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:306)
>> at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:491)
>> Caused by: java.lang.IllegalArgumentException: Alias name [sslserver] does
>> not identify a key entry
>> at
>>
org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:114)
>> at
>>
org.apache.tomcat.util.net.AbstractJsseEndpoint.initialiseSsl(AbstractJsseEndpoint.java:85)
>> at
>> org.apache.tomcat.util.net.NioEndpoint.bind(NioEndpoint.java:224)
>> at
>>
org.apache.tomcat.util.net.AbstractEndpoint.bindWithCleanup(AbstractEndpoint.java:1085)
>> at
>>
org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:1098)
>> at
>> org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:557)
>> at
>>
org.apache.coyote.http11.AbstractHttp11Protocol.init(AbstractHttp11Protocol.java:74)
>> at
>>
org.apache.catalina.connector.Connector.initInternal(Connector.java:976)
>> ... 13 more
>> Caused by: java.io.IOException: Alias name [sslserver] does not identify a
>> key entry
>> at
>>
org.apache.tomcat.util.net.jsse.JSSEUtil.getKeyManagers(JSSEUtil.java:248)
>> at
>>
org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:112)
>> ... 20 more
>>
>> how to fix that? If this is fixed, Dogtag might finally end up in a Debian
>> release :)
>>
>
> So my 2c. on this issue -- I don't have a reproducing setup at the moment
> but...
>
> TomcatJSS for Tomcat versions greater than 8.5 are... misnamed? :) It
> technically is TomcatJSSE (i.e., using Java's JSSE as the crypto backend
> for
> TLS auth in Tomcat vs. using JSS/NSS).
>
> So it appears that JSSE lacks support for optional client authentication
> as per the error message:
>
>> WARNING: The JSSE TLS 1.3 implementation does not support authentication
>> after the initial handshake and is therefore incompatible with optional
>> client authentication
>
> In PKI's server.xml for tomcat 8.5+, we don't currently set the clientAuth
> parameter, so we use the default of "want":
>
>
https://github.com/dogtagpki/pki/blob/master/base/server/tomcat-8.5/conf/...
>
https://github.com/dogtagpki/tomcatjss/blob/master/src/org/apache/tomcat/...
>
>
> You'll probably want to ship clientAuth="true" as a work around on JDK
11+
> and document that clientAuth="want" will not work for the time being. On
> the
> other hand, this ~does~ require end users to set up client authentication
> to
> access the page...
Doing this (and fixing pki-migrate to not remove that setting) then resulted
in this:
SEVERE: End event threw exception
java.lang.reflect.InvocationTargetException
at
java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native
Method)
at
java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at
java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.base/java.lang.reflect.Method.invoke(Method.java:566)
at
org.apache.tomcat.util.IntrospectionUtils.callMethod1(IntrospectionUtils.java:373)
at
org.apache.tomcat.util.digester.SetNextRule.end(SetNextRule.java:145)
at
org.apache.tomcat.util.digester.Digester.endElement(Digester.java:944)
at org.apache.xerces.parsers.AbstractSAXParser.endElement(Unknown
Source)
at
org.apache.xerces.impl.XMLDocumentFragmentScannerImpl.scanEndElement(Unknown
Source)
at
org.apache.xerces.impl.XMLDocumentFragmentScannerImpl$FragmentContentDispatcher.dispatch(Unknown
Source)
at
org.apache.xerces.impl.XMLDocumentFragmentScannerImpl.scanDocument(Unknown
Source)
at org.apache.xerces.parsers.XML11Configuration.parse(Unknown Source)
at org.apache.xerces.parsers.XML11Configuration.parse(Unknown Source)
at org.apache.xerces.parsers.XMLParser.parse(Unknown Source)
at org.apache.xerces.parsers.AbstractSAXParser.parse(Unknown Source)
at org.apache.xerces.jaxp.SAXParserImpl$JAXPSAXParser.parse(Unknown
Source)
at org.apache.tomcat.util.digester.Digester.parse(Digester.java:1439)
at org.apache.catalina.startup.Catalina.load(Catalina.java:566)
at org.apache.catalina.startup.Catalina.load(Catalina.java:611)
at
java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native
Method)
at
java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at
java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.base/java.lang.reflect.Method.invoke(Method.java:566)
at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:306)
at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:491)
Caused by: java.lang.IllegalArgumentException: Multiple SSLHostConfig
elements were provided for the host name [_default_]. Host names must be
unique.
at
org.apache.tomcat.util.net.AbstractEndpoint.addSslHostConfig(AbstractEndpoint.java:248)
at
org.apache.tomcat.util.net.AbstractEndpoint.addSslHostConfig(AbstractEndpoint.java:203)
at
org.apache.coyote.http11.AbstractHttp11Protocol.addSslHostConfig(AbstractHttp11Protocol.java:542)
at
org.apache.catalina.connector.Connector.addSslHostConfig(Connector.java:834)
... 25 more
WARNING: Unable to load server configuration from
[/var/lib/pki/pki-tomcat/conf/server.xml]
org.xml.sax.SAXParseException; systemId:
file:/var/lib/pki/pki-tomcat/conf/server.xml; lineNumber: 188; columnNumber:
25; Error at (188, 25) : Multiple SSLHostConfig elements were provided for
the host name [_default_]. Host names must be unique.
at
org.apache.tomcat.util.digester.Digester.createSAXException(Digester.java:1862)
at
org.apache.tomcat.util.digester.Digester.createSAXException(Digester.java:1894)
at
org.apache.tomcat.util.digester.Digester.endElement(Digester.java:947)
at org.apache.xerces.parsers.AbstractSAXParser.endElement(Unknown
Source)
at
org.apache.xerces.impl.XMLDocumentFragmentScannerImpl.scanEndElement(Unknown
Source)
at
org.apache.xerces.impl.XMLDocumentFragmentScannerImpl$FragmentContentDispatcher.dispatch(Unknown
Source)
at
org.apache.xerces.impl.XMLDocumentFragmentScannerImpl.scanDocument(Unknown
Source)
at org.apache.xerces.parsers.XML11Configuration.parse(Unknown Source)
at org.apache.xerces.parsers.XML11Configuration.parse(Unknown Source)
at org.apache.xerces.parsers.XMLParser.parse(Unknown Source)
at org.apache.xerces.parsers.AbstractSAXParser.parse(Unknown Source)
at org.apache.xerces.jaxp.SAXParserImpl$JAXPSAXParser.parse(Unknown
Source)
at org.apache.tomcat.util.digester.Digester.parse(Digester.java:1439)
at org.apache.catalina.startup.Catalina.load(Catalina.java:566)
at org.apache.catalina.startup.Catalina.load(Catalina.java:611)
at
java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native
Method)
at
java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at
java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.base/java.lang.reflect.Method.invoke(Method.java:566)
at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:306)
at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:491)
Caused by: java.lang.IllegalArgumentException: Multiple SSLHostConfig
elements were provided for the host name [_default_]. Host names must be
unique.
at
org.apache.tomcat.util.net.AbstractEndpoint.addSslHostConfig(AbstractEndpoint.java:248)
at
org.apache.tomcat.util.net.AbstractEndpoint.addSslHostConfig(AbstractEndpoint.java:203)
at
org.apache.coyote.http11.AbstractHttp11Protocol.addSslHostConfig(AbstractHttp11Protocol.java:542)
at
org.apache.catalina.connector.Connector.addSslHostConfig(Connector.java:834)
at
java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native
Method)
at
java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at
java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.base/java.lang.reflect.Method.invoke(Method.java:566)
at
org.apache.tomcat.util.IntrospectionUtils.callMethod1(IntrospectionUtils.java:373)
at
org.apache.tomcat.util.digester.SetNextRule.end(SetNextRule.java:145)
at
org.apache.tomcat.util.digester.Digester.endElement(Digester.java:944)
... 18 more
SEVERE: Cannot start server. Server instance is not configured.
and this is in server.xml:
182 <SSLHostConfig sslProtocol="SSL"
183 certificateVerification="optional"
184
trustManagerClassName="org.dogtagpki.tomcat.PKITrustManager">
185 <Certificate certificateKeystoreType="pkcs11"
186 certificateKeystoreProvider="Mozilla-JSS"
187 certificateKeyAlias="sslserver"/>
188 </SSLHostConfig>
> Eventually a new TomcatJSS with JSS support in Tomcat 8.5+ will be
> released,
> so this issue will be fixed as JSS/NSS should support this type of optional
> client authentication (but will need to be tested).
Any idea when that would be? Debian 10 will be frozen in a month.
--
t
_______________________________________________
Pki-users mailing list
Pki-users(a)redhat.com
https://www.redhat.com/mailman/listinfo/pki-users
10:43 a.m.
On 15.1.2019 16.46, Endi Sukma Dewata wrote:
Hi,
The error message is not very helpful, but I think this error
happens because the clientAuth in Connector has been replaced
by certificateVerification in SSLHostConfig and they cannot be
specified at the same time. See the following page:
https://tomcat.apache.org/tomcat-8.5-doc/config/http.html
So try removing the clientAuth and set the certificateVerification
to "required". I have not tried this myself though.
nope, still get the same
--
t
11:25 a.m.
----- Original Message -----
On 15.1.2019 16.46, Endi Sukma Dewata wrote:
> Hi,
>
> The error message is not very helpful, but I think this error
> happens because the clientAuth in Connector has been replaced
> by certificateVerification in SSLHostConfig and they cannot be
> specified at the same time. See the following page:
> https://tomcat.apache.org/tomcat-8.5-doc/config/http.html
>
> So try removing the clientAuth and set the certificateVerification
> to "required". I have not tried this myself though.
nope, still get the same
--
t
Could you show me the entire Connector element and its children?
Make sure all attributes replaced by SSLHostConfig have been
deleted from the Connector element (see the above link).
--
Endi S. Dewata
11:40 a.m.
On 15.1.2019 19.25, Endi Sukma Dewata wrote:
----- Original Message -----
> On 15.1.2019 16.46, Endi Sukma Dewata wrote:
>> Hi,
>>
>> The error message is not very helpful, but I think this error
>> happens because the clientAuth in Connector has been replaced
>> by certificateVerification in SSLHostConfig and they cannot be
>> specified at the same time. See the following page:
>> https://tomcat.apache.org/tomcat-8.5-doc/config/http.html
>>
>> So try removing the clientAuth and set the certificateVerification
>> to "required". I have not tried this myself though.
>
> nope, still get the same
>
>
> --
> t
>
Could you show me the entire Connector element and its children?
Make sure all attributes replaced by SSLHostConfig have been
deleted from the Connector element (see the above link).
<Connector name="Secure"
port="8443"
protocol="org.dogtagpki.tomcat.Http11NioProtocol"
SSLEnabled="true"
scheme="https"
secure="true"
connectionTimeout="80000"
keepAliveTimeout="300000"
maxHttpHeaderSize="8192"
acceptCount="100"
maxThreads="150"
minSpareThreads="25"
enableLookups="false"
disableUploadTimeout="true"
enableOCSP="false"
ocspResponderURL="http://sid1.leon.tyrell:8080/ca/ocsp"
ocspResponderCertNickname="ocspSigningCert cert-pki-ca"
ocspCacheSize="1000"
ocspMinCacheEntryDuration="7200"
ocspMaxCacheEntryDuration="14400"
ocspTimeout="10"
strictCiphers="true"
sslVersionRangeStream="tls1_1:tls1_2"
sslVersionRangeDatagram="tls1_1:tls1_2"
sslRangeCiphers="-TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,-TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,-TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,-TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,-TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,+TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,-TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,-TLS_DHE_DSS_WITH_AES_128_CBC_SHA,-TLS_DHE_DSS_WITH_AES_256_CBC_SHA,-TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_DHE_RSA_WITH_AES_128_CBC_SHA,+TLS_DHE_RSA_WITH_AES_256_CBC_SHA,+TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,+TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,+TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,-TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,-TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,+TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,-TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,+TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,-TLS_RSA_WITH_AES_128_CBC_SHA256,-TLS_RSA_WITH_AES_256_CBC_SHA256,-TLS_RSA_WITH_AES_128_GCM_SHA256,-TLS_RSA_WITH_3DES_EDE_CBC_SHA,-TLS_RSA_WITH_AES_128_CBC_SHA,-TLS_RSA_WITH_AES_256_CBC_SHA,+TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,+TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,+TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,-TLS_RSA_WITH_AES_256_GCM_SHA384"
serverCertNickFile="/var/lib/pki/pki-tomcat/conf/serverCertNick.conf"
passwordFile="/var/lib/pki/pki-tomcat/conf/password.conf"
passwordClass="org.apache.tomcat.util.net.jss.PlainPasswordFile"
certdbDir="/var/lib/pki/pki-tomcat/alias">
<SSLHostConfig sslProtocol="SSL"
certificateVerification="required"
trustManagerClassName="org.dogtagpki.tomcat.PKITrustManager">
<Certificate certificateKeystoreType="pkcs11"
certificateKeystoreProvider="Mozilla-JSS"
certificateKeyAlias="sslserver"/>
</SSLHostConfig>
</Connector>
I don't see what should be dropped from Connector..
--
t
1:03 p.m.
----- Original Message -----
>>> The error message is not very helpful, but I think this
error
>>> happens because the clientAuth in Connector has been replaced
>>> by certificateVerification in SSLHostConfig and they cannot be
>>> specified at the same time. See the following page:
>>> https://tomcat.apache.org/tomcat-8.5-doc/config/http.html
>>>
>>> So try removing the clientAuth and set the certificateVerification
>>> to "required". I have not tried this myself though.
>>
>> nope, still get the same
>
> Could you show me the entire Connector element and its children?
> Make sure all attributes replaced by SSLHostConfig have been
> deleted from the Connector element (see the above link).
<Connector name="Secure"
port="8443"
protocol="org.dogtagpki.tomcat.Http11NioProtocol"
SSLEnabled="true"
scheme="https"
secure="true"
connectionTimeout="80000"
keepAliveTimeout="300000"
maxHttpHeaderSize="8192"
acceptCount="100"
maxThreads="150"
minSpareThreads="25"
enableLookups="false"
disableUploadTimeout="true"
enableOCSP="false"
ocspResponderURL="http://sid1.leon.tyrell:8080/ca/ocsp"
ocspResponderCertNickname="ocspSigningCert cert-pki-ca"
ocspCacheSize="1000"
ocspMinCacheEntryDuration="7200"
ocspMaxCacheEntryDuration="14400"
ocspTimeout="10"
strictCiphers="true"
sslVersionRangeStream="tls1_1:tls1_2"
sslVersionRangeDatagram="tls1_1:tls1_2"
sslRangeCiphers="-TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,-TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,-TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,-TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,-TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,+TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,-TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,-TLS_DHE_DSS_WITH_AES_128_CBC_SHA,-TLS_DHE_DSS_WITH_AES_256_CBC_SHA,-TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_DHE_RSA_WITH_AES_128_CBC_SHA,+TLS_DHE_RSA_WITH_AES_256_CBC_SHA,+TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,+TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,+TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,-TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,-TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,+TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,-TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,+TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,-TLS_RSA_WITH_AES_128_CBC_SHA256,-TLS_RSA_WITH_AES_256_CBC_SHA256,-TLS_RSA_WITH_AES_128_GCM_SHA256,-TLS_RSA_WITH_3DES_EDE_CBC_SHA,-TLS_RSA_WITH_AES_128_CBC_SHA,-TLS_RSA_WITH_AES_256_CBC_SHA,+TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,+TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,+TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,-TLS_RSA_WITH_AES_256_GCM_SHA384"
serverCertNickFile="/var/lib/pki/pki-tomcat/conf/serverCertNick.conf"
passwordFile="/var/lib/pki/pki-tomcat/conf/password.conf"
passwordClass="org.apache.tomcat.util.net.jss.PlainPasswordFile"
certdbDir="/var/lib/pki/pki-tomcat/alias">
<SSLHostConfig sslProtocol="SSL"
certificateVerification="required"
trustManagerClassName="org.dogtagpki.tomcat.PKITrustManager">
<Certificate certificateKeystoreType="pkcs11"
certificateKeystoreProvider="Mozilla-JSS"
certificateKeyAlias="sslserver"/>
</SSLHostConfig>
</Connector>
I don't see what should be dropped from Connector..
Are you getting this error:
java.lang.IllegalArgumentException: Alias name [sslserver] does not identify a key
entry
or this error?
java.lang.IllegalArgumentException: Multiple SSLHostConfig elements were provided
for the host name [_default_]. Host names must be unique.
If it's the first one, that means the PKCS #11 keystore (i.e. JSS keystore) cannot
find the SSL server certificate. We may not have a solution since we do not support
Java 11 yet.
If it's the second one, that message is coming from Tomcat when validating the
server.xml. Is certificateVerification the only thing you change in that file? You
might want to try adding defaultSSLHostConfigName to Connector and hostName to
SSLHostConfig, but I'm really not sure what's going on.
See also this page:
https://stackoverflow.com/questions/42135892/tomcat-8-5-server-xml-multip...
If you put any of these deprecated attributes in the Connector directive, tomcat
assumes you are using the old way and auto creates a SSLHostConfig itself, which
then conflicts with the one you are creating.
--
Endi S. Dewata
1:49 p.m.
On 15.1.2019 21.03, Endi Sukma Dewata wrote:
----- Original Message -----
>>>> The error message is not very helpful, but I think this error
>>>> happens because the clientAuth in Connector has been replaced
>>>> by certificateVerification in SSLHostConfig and they cannot be
>>>> specified at the same time. See the following page:
>>>> https://tomcat.apache.org/tomcat-8.5-doc/config/http.html
>>>>
>>>> So try removing the clientAuth and set the certificateVerification
>>>> to "required". I have not tried this myself though.
>>>
>>> nope, still get the same
>>
>> Could you show me the entire Connector element and its children?
>> Make sure all attributes replaced by SSLHostConfig have been
>> deleted from the Connector element (see the above link).
>
> <Connector name="Secure"
> port="8443"
> protocol="org.dogtagpki.tomcat.Http11NioProtocol"
> SSLEnabled="true"
> scheme="https"
> secure="true"
> connectionTimeout="80000"
> keepAliveTimeout="300000"
> maxHttpHeaderSize="8192"
> acceptCount="100"
> maxThreads="150"
> minSpareThreads="25"
> enableLookups="false"
> disableUploadTimeout="true"
> enableOCSP="false"
> ocspResponderURL="http://sid1.leon.tyrell:8080/ca/ocsp"
> ocspResponderCertNickname="ocspSigningCert cert-pki-ca"
> ocspCacheSize="1000"
> ocspMinCacheEntryDuration="7200"
> ocspMaxCacheEntryDuration="14400"
> ocspTimeout="10"
> strictCiphers="true"
> sslVersionRangeStream="tls1_1:tls1_2"
> sslVersionRangeDatagram="tls1_1:tls1_2"
>
sslRangeCiphers="-TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,-TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,-TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,-TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,-TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,+TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,-TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,-TLS_DHE_DSS_WITH_AES_128_CBC_SHA,-TLS_DHE_DSS_WITH_AES_256_CBC_SHA,-TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_DHE_RSA_WITH_AES_128_CBC_SHA,+TLS_DHE_RSA_WITH_AES_256_CBC_SHA,+TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,+TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,+TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,-TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,-TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,+TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,-TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,+TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,-TLS_RSA_WITH_AES_128_CBC_SHA256,-TLS_RSA_WITH_AES_256_CBC_SHA256,-TLS_RSA_WITH_AES_128_GCM_SHA256,-TLS_RSA_WITH_3DES_EDE_CBC_SHA,-TLS_RSA_WITH_AES_128_CBC_SHA,-TLS_RSA_WITH_AES_256_CBC_SHA,+TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,+TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,+TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,-TLS_RSA_WITH_AES_256_GCM_SHA384"
>
serverCertNickFile="/var/lib/pki/pki-tomcat/conf/serverCertNick.conf"
> passwordFile="/var/lib/pki/pki-tomcat/conf/password.conf"
>
passwordClass="org.apache.tomcat.util.net.jss.PlainPasswordFile"
> certdbDir="/var/lib/pki/pki-tomcat/alias">
>
> <SSLHostConfig sslProtocol="SSL"
> certificateVerification="required"
>
trustManagerClassName="org.dogtagpki.tomcat.PKITrustManager">
> <Certificate certificateKeystoreType="pkcs11"
> certificateKeystoreProvider="Mozilla-JSS"
> certificateKeyAlias="sslserver"/>
> </SSLHostConfig>
>
> </Connector>
>
>
> I don't see what should be dropped from Connector..
Are you getting this error:
java.lang.IllegalArgumentException: Alias name [sslserver] does not identify a key
entry
or this error?
java.lang.IllegalArgumentException: Multiple SSLHostConfig elements were provided
for the host name [_default_]. Host names must be unique.
If it's the first one, that means the PKCS #11 keystore (i.e. JSS keystore) cannot
find the SSL server certificate. We may not have a solution since we do not support
Java 11 yet.
But I've patched Dogtag to support the new keystore, and am using JSS
4.5.1, I thought they did support Java 11.. so something is missing
still then..
If it's the second one, that message is coming from Tomcat when
validating the
server.xml. Is certificateVerification the only thing you change in that file? You
might want to try adding defaultSSLHostConfigName to Connector and hostName to
SSLHostConfig, but I'm really not sure what's going on.
See also this page:
https://stackoverflow.com/questions/42135892/tomcat-8-5-server-xml-multip...
If you put any of these deprecated attributes in the Connector directive, tomcat
assumes you are using the old way and auto creates a SSLHostConfig itself, which
then conflicts with the one you are creating.
--
Endi S. Dewata
--
t
2:39 p.m.
----- Original Message -----
> Are you getting this error:
>
> java.lang.IllegalArgumentException: Alias name [sslserver] does not
> identify a key
> entry
>
> or this error?
>
> java.lang.IllegalArgumentException: Multiple SSLHostConfig elements were
> provided
> for the host name [_default_]. Host names must be unique.
>
> If it's the first one, that means the PKCS #11 keystore (i.e. JSS keystore)
> cannot
> find the SSL server certificate. We may not have a solution since we do not
> support
> Java 11 yet.
But I've patched Dogtag to support the new keystore, and am using JSS
4.5.1, I thought they did support Java 11.. so something is missing
still then..
IIUC JSS was updated so it can build with Java 11, but I don't think it
has been thoroughly tested yet. The only user of JSS keystore (that I'm aware
of) is Dogtag and Dogtag is still using Java 8 on Fedora.
> If it's the second one, that message is coming from Tomcat
when validating
> the
> server.xml. Is certificateVerification the only thing you change in that
> file? You
> might want to try adding defaultSSLHostConfigName to Connector and hostName
> to
> SSLHostConfig, but I'm really not sure what's going on.
>
> See also this page:
>
https://stackoverflow.com/questions/42135892/tomcat-8-5-server-xml-multip...
>
> If you put any of these deprecated attributes in the Connector directive,
> tomcat
> assumes you are using the old way and auto creates a SSLHostConfig itself,
> which
> then conflicts with the one you are creating.
--
Endi S. Dewata
4:01 p.m.
On 15.1.2019 22.39, Endi Sukma Dewata wrote:
----- Original Message -----
>> Are you getting this error:
>>
>> java.lang.IllegalArgumentException: Alias name [sslserver] does not
>> identify a key
>> entry
>>
>> or this error?
>>
>> java.lang.IllegalArgumentException: Multiple SSLHostConfig elements were
>> provided
>> for the host name [_default_]. Host names must be unique.
>>
>> If it's the first one, that means the PKCS #11 keystore (i.e. JSS keystore)
>> cannot
>> find the SSL server certificate. We may not have a solution since we do not
>> support
>> Java 11 yet.
>
> But I've patched Dogtag to support the new keystore, and am using JSS
> 4.5.1, I thought they did support Java 11.. so something is missing
> still then..
IIUC JSS was updated so it can build with Java 11, but I don't think it
has been thoroughly tested yet. The only user of JSS keystore (that I'm aware
of) is Dogtag and Dogtag is still using Java 8 on Fedora.
Right, here's hoping it's something simple and will be fixed soonish ;)
--
t
2167
days inactive
2171
days old
10 comments
3 participants
participants (3)
-
Alexander Scheel -
Endi Sukma Dewata -
Timo Aaltonen