certificateFile exception when certificateKeystoreFile is configured


certificateFile exception when certificateKeystoreFile is configured

Trudeau, Rick (Nokia - CA/Ottawa)

Tomcat version: 8.5.34

Hello,
I’m wondering if anyone has any theories about an SSL config related exception that we hit periodically on Tomcat startup that prevents the system from initializing properly.
I’ll emphasize “periodically” here, because we only trigger this rarely and have no reliable way of triggering the problem.
The exception seems to indicate that the certificateFile is missing, which is strange given that the certificateKeystoreFile is provided and available on the filesystem.
My understanding is that a certificateFile is not required when using a certificateKeystoreFile.
Any idea why there could be a certificateFile related exception when the certificateKeystoreFile is configured?

The stack trace is:

2021.02.28 21:19:48 890 +0000 SEVERE org.apache.catalina.core.StandardService Failed to initialize connector [Connector[HTTP/1.1-8544]]
org.apache.catalina.LifecycleException: Failed to initialize component [Connector[HTTP/1.1-8544]]
        at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:112)
        at org.apache.catalina.core.StandardService.initInternal(StandardService.java:552)
        at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:107)
        at org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:875)
        at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:107)
        at org.apache.catalina.startup.Catalina.load(Catalina.java:632)
        at org.apache.catalina.startup.Catalina.load(Catalina.java:655)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:498)
        at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:309)
        at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:492)
Caused by: org.apache.catalina.LifecycleException: Protocol handler initialization failed
        at org.apache.catalina.connector.Connector.initInternal(Connector.java:995)
        at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:107)
        ... 12 more
Caused by: java.lang.IllegalArgumentException: SSLHostConfig attribute certificateFile must be defined when using an SSL connector
        at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:115)
        at org.apache.tomcat.util.net.AbstractJsseEndpoint.initialiseSsl(AbstractJsseEndpoint.java:86)
        at org.apache.tomcat.util.net.NioEndpoint.bind(NioEndpoint.java:244)
        at org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:1087)
        at org.apache.tomcat.util.net.AbstractJsseEndpoint.init(AbstractJsseEndpoint.java:265)
        at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:581)
        at org.apache.coyote.http11.AbstractHttp11Protocol.init(AbstractHttp11Protocol.java:68)
        at org.apache.catalina.connector.Connector.initInternal(Connector.java:993)
        ... 13 more
Caused by: java.io.IOException: SSLHostConfig attribute certificateFile must be defined when using an SSL connector
        at org.apache.tomcat.util.net.jsse.JSSEUtil.getKeyManagers(JSSEUtil.java:203)
        at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:113)
        ... 20 more

Our connector is defined as follows:

    <Connector port="8544"
               protocol="HTTP/1.1"
               compression="on"
               compressibleMimeType="text/html,text/xml,text/plain,text/css,application/javascript,application/json"
               compressionMinSize="2048"
               connectionTimeout="60000"
               maxHttpHeaderSize="65536"
               scheme="https"
               secure="true"
               relaxedQueryChars="[]"
               SSLEnabled="true">
              <SSLHostConfig sslProtocol="TLS"
                       protocols=" TLSv1.2"
                       certificateVerification="optional"
                       honorCipherOrder="true"
                       ciphers="${server.cipher.suites.List}">
                        <Certificate certificateKeystoreFile="/opt/nsp/os/ssl/nsp.keystore"
                               certificateKeystorePassword="secret"
                               type="RSA"
                               certificateKeyPassword="secret" />
              </SSLHostConfig>
    </Connector>

Re: certificateFile exception when certificateKeystoreFile is configured

Christopher Schultz-2
Rick,

On 3/3/21 09:23, Trudeau, Rick (Nokia - CA/Ottawa) wrote:

> Our connector is defined as follows:
>
>      <Connector port="8544"
>                 protocol="HTTP/1.1"
>                 compression="on"
>                 compressibleMimeType="text/html,text/xml,text/plain,text/css,application/javascript,application/json"
>                 compressionMinSize="2048"
>                 connectionTimeout="60000"
>                 maxHttpHeaderSize="65536"
>                 scheme="https"
>                 secure="true"
>                 relaxedQueryChars="[]"
>                 SSLEnabled="true">
>                <SSLHostConfig sslProtocol="TLS"
>                         protocols=" TLSv1.2"
>                         certificateVerification="optional"
>                         honorCipherOrder="true"
>                         ciphers="${server.cipher.suites.List}">
>                          <Certificate certificateKeystoreFile="/opt/nsp/os/ssl/nsp.keystore"
>                                 certificateKeystorePassword="secret"
>                                 type="RSA"
>                                 certificateKeyPassword="secret" />
>                </SSLHostConfig>
>      </Connector>

Are you using tcnative and/or the APR connector? Your <Connector>
doesn't choose, so the selection of the connector type will depend upon
other configuration and/or the presence of the libtcnative library.

-chris

---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]
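
One way to take the auto-selection described in the reply above out of the picture, as an added example that is not part of the thread: name the NIO protocol class and the JSSE implementation explicitly, which are the endpoint and TLS code paths the posted stack trace already shows (NioEndpoint, JSSEUtil). The connector is the one from the original post; only `protocol` and the added `sslImplementationName` differ, both taken from Tomcat's HTTP connector documentation rather than from the thread.

```xml
<!-- Added example, not from the thread.
     protocol: the explicit class name replaces "HTTP/1.1", so the connector type
     no longer depends on whether the tomcat-native library is found at startup.
     sslImplementationName: pins the JSSE implementation instead of letting
     Tomcat pick OpenSSL when tomcat-native is available.
     All other attributes are copied unchanged from the original post. -->
<Connector port="8544"
           protocol="org.apache.coyote.http11.Http11NioProtocol"
           sslImplementationName="org.apache.tomcat.util.net.jsse.JSSEImplementation"
           compression="on"
           compressibleMimeType="text/html,text/xml,text/plain,text/css,application/javascript,application/json"
           compressionMinSize="2048"
           connectionTimeout="60000"
           maxHttpHeaderSize="65536"
           scheme="https"
           secure="true"
           relaxedQueryChars="[]"
           SSLEnabled="true">
    <SSLHostConfig sslProtocol="TLS"
                   protocols=" TLSv1.2"
                   certificateVerification="optional"
                   honorCipherOrder="true"
                   ciphers="${server.cipher.suites.List}">
        <Certificate certificateKeystoreFile="/opt/nsp/os/ssl/nsp.keystore"
                     certificateKeystorePassword="secret"
                     type="RSA"
                     certificateKeyPassword="secret" />
    </SSLHostConfig>
</Connector>
```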


Re: certificateFile exception when certificateKeystoreFile is configured

Trudeau, Rick (Nokia - CA/Ottawa)
Chris,

On 2021-03-04, 12:07 PM, "Christopher Schultz" <[hidden email]> wrote:

    Rick,


> Are you using tcnative and/or the APR connector? Your <Connector>
> doesn't choose, so the selection of the connector type will depend upon
> other configuration and/or the presence of the libtcnative library.
>
> -chris


Thanks for the reply Chris.
Our deployment isn't using tcnative or the APR connector.

/rt.




Re: certificateFile exception when certificateKeystoreFile is configured

Trudeau, Rick (Nokia - CA/Ottawa)


On 2021-03-04, 2:45 PM, "Trudeau, Rick (Nokia - CA/Ottawa)" <[hidden email]> wrote:

    Thanks for the reply Chris.
    Our deployment isn't using tcnative or the APR connector.

    /rt.



Hi Chris,
Any clues/theories on this one?  Googling this error signature isn't leading to many findings.
Would it be possible to trigger this stack trace if there is a problem with the certs in the configured keystore, or something else related to the keystore?

Thanks.
/rt.



Re: certificateFile exception when certificateKeystoreFile is configured

Christopher Schultz-2
Rick,

Any chance you can try-out 8.5.latest? Your version is super old. It's
possible it's a bug that was fixed in the (distant?) past.

-chris

On 3/16/21 09:33, Trudeau, Rick (Nokia - CA/Ottawa) wrote:

> Hi Chris,
> Any clues/theories on this one?  Googling this error signature isn't leading to many findings.
> Would it be possible to trigger this stack trace if there is a problem with the certs in the configured keystore, or something else related to the keystore?
>
> Thanks.
> /rt.

Re: certificateFile exception when certificateKeystoreFile is configured

Trudeau, Rick (Nokia - CA/Ottawa)
Thanks Chris, for sure we've got an upgrade on the roadmap for the next quarter so we'll give the latest 8.5 a try.
Cheers.
/rt.

On 2021-03-16, 9:39 AM, "Christopher Schultz" <[hidden email]> wrote:

    Rick,

    Any chance you can try-out 8.5.latest? Your version is super old. It's
    possible it's a bug that was fixed in the (distant?) past.

    -chris

    >          >          at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:581)
    >          >          at org.apache.coyote.http11.AbstractHttp11Protocol.init(AbstractHttp11Protocol.java:68)
    >          >          at org.apache.catalina.connector.Connector.initInternal(Connector.java:993)
    >          >          ... 13 more
    >          > Caused by: java.io.IOException: SSLHostConfig attribute certificateFile must be defined when using an SSL connector
    >          >          at org.apache.tomcat.util.net.jsse.JSSEUtil.getKeyManagers(JSSEUtil.java:203)
    >          >          at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:113)
    >          >          ... 20 more
    >          >
    >          > Our connector is defined as follows:
    >          >
    >          >      <Connector port="8544"
    >          >                 protocol="HTTP/1.1"
    >          >                 compression="on"
    >          >                 compressibleMimeType="text/html,text/xml,text/plain,text/css,application/javascript,application/json"
    >          >                 compressionMinSize="2048"
    >          >                 connectionTimeout="60000"
    >          >                 maxHttpHeaderSize="65536"
    >          >                 scheme="https"
    >          >                 secure="true"
    >          >                 relaxedQueryChars="[]"
    >          >                 SSLEnabled="true">
    >          >                <SSLHostConfig sslProtocol="TLS"
    >          >                         protocols=" TLSv1.2"
    >          >                         certificateVerification="optional"
    >          >                         honorCipherOrder="true"
    >          >                         ciphers="${server.cipher.suites.List}">
    >          >                          <Certificate certificateKeystoreFile="/opt/nsp/os/ssl/nsp.keystore"
    >          >                                 certificateKeystorePassword="secret"
    >          >                                 type="RSA"
    >          >                                 certificateKeyPassword="secret" />
    >          >                </SSLHostConfig>
    >          >      </Connector>
    >
    >      >    Are you using tcnative and/or the APR connector? Your <Connector>
    >      >    doesn't choose, so the selection of the connector type will depend upon
    >      >    other configuration and/or the presence of the libtcnative library.
    >
    >      >    -chris
    >
    >
    >      Thanks for the reply Chris.
    >      Our deployment isn't using tcnative or the APR connector.
    >
    >      /rt.
    >
    >
    >
    > Hi Chris,
    > Any clues/theories on this one?  Googling this error signature isn't leading to many findings.
    > Would it be possible to trigger this stack trace if there is a problem with the certs in the configured keystore, or something else related to the keystore?
    >
    > Thanks.
    > /rt.
    >
    >
    >




---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]
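
A pre-start check covering the two points raised in this thread (a `<Connector>` whose protocol does not pick an implementation, and a keystore that may be unusable at startup), as an added example that is not from the thread or from Tomcat. The function names and finding labels are hypothetical, only the `<SSLHostConfig>`/`<Certificate>` style shown above is handled, and the check does not identify the cause of the intermittent failure.

```python
import os
import xml.etree.ElementTree as ET

# Constructed sample: the connector from the thread, trimmed and wrapped in a
# minimal <Server>/<Service> so it parses as a whole server.xml.
SAMPLE_SERVER_XML = """
<Server><Service name="Catalina">
  <Connector port="8544" protocol="HTTP/1.1" scheme="https" secure="true"
             SSLEnabled="true">
    <SSLHostConfig sslProtocol="TLS" protocols="TLSv1.2"
                   certificateVerification="optional">
      <Certificate certificateKeystoreFile="/opt/nsp/os/ssl/nsp.keystore"
                   type="RSA" />
    </SSLHostConfig>
  </Connector>
</Service></Server>
"""

def keystore_usable(path):
    """True if the keystore is a readable, non-empty regular file."""
    return (os.path.isfile(path) and os.access(path, os.R_OK)
            and os.path.getsize(path) > 0)

def audit_tls_connectors(server_xml, usable=keystore_usable):
    """Return sorted (port, finding) pairs for every SSLEnabled connector."""
    findings = set()
    for conn in ET.fromstring(server_xml).iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue
        port = conn.get("port", "?")
        # A generic protocol name leaves the connector implementation to the
        # environment (e.g. whether the native library is present).
        if conn.get("protocol", "HTTP/1.1") == "HTTP/1.1":
            findings.add((port, "implicit-protocol"))
        certs = conn.findall("./SSLHostConfig/Certificate")
        if not certs:
            findings.add((port, "no-certificate-element"))
        for cert in certs:
            ks = cert.get("certificateKeystoreFile")
            pem = cert.get("certificateFile")
            if ks and pem:
                findings.add((port, "keystore-and-pem-both-set"))
            if ks and not usable(ks):
                findings.add((port, "keystore-unusable:" + ks))
            if not ks and not pem:
                findings.add((port, "no-explicit-key-material"))
    return sorted(findings)

if __name__ == "__main__":
    for port, finding in audit_tls_connectors(SAMPLE_SERVER_XML):
        print(port, finding)
```

Running it from the service's start script, as the same user that runs Tomcat, records whether the keystore was readable at the moment of each start.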