https://bz.apache.org/bugzilla/show_bug.cgi?id=61445
Bug ID: 61445
Summary: Unable to start SSL using SunMSCAPI
Product: Tomcat 8
Version: 8.5.20
Hardware: PC
Status: NEW
Severity: normal
Priority: P2
Component: Connectors
Assignee: dev@tomcat.apache.org
Reporter: radek.ne...@solitea.cz
Target Milestone: ----

Created attachment 35250
  --> https://bz.apache.org/bugzilla/attachment.cgi?id=35250&action=edit
Catalina log with SSL problem

I have this Connector in server.xml:

    <Connector port="8443"
               protocol="org.apache.coyote.http11.Http11NioProtocol"
               maxThreads="150" SSLEnabled="true" scheme="https" secure="true">
        <SSLHostConfig truststoreProvider="SunMSCAPI"
                       truststoreType="Windows-Root"
                       protocols="+TLSv1.2,+TLSv1.1,+TLSv1">
            <Certificate certificateKeystoreProvider="SunMSCAPI"
                         certificateKeystoreFile=""
                         certificateKeystoreType="Windows-MY"
                         certificateKeyAlias="my-web-cz"
                         type="RSA" />
        </SSLHostConfig>
    </Connector>

Tomcat is running as a service under account "ServiceAccount".

In Tomcat 8.5.14 the site is functioning normally and certificate from LocalMachine (Windows-Root) is accessed and used.

Setting certificateKeystoreFile="" is correct for SunMSCAPI, not an error, without it the "java.lang.IllegalArgumentException: Illegal character in opaque part at index 2: C:\Users\ServiceAccount/.keystore" occurs.

However after upgrading 8.5.14 to 8.5.20, this error appears in log (see attachment for full log):

    ...
    17-Aug-2017 16:41:45.976 INFO [main] org.apache.catalina.core.AprLifecycleListener.lifecycleEvent Loaded APR based Apache Tomcat Native library [1.2.12] using APR version [1.5.2].
    17-Aug-2017 16:41:45.976 INFO [main] org.apache.catalina.core.AprLifecycleListener.lifecycleEvent APR capabilities: IPv6 [true], sendfile [true], accept filters [false], random [true].
    17-Aug-2017 16:41:45.976 INFO [main] org.apache.catalina.core.AprLifecycleListener.lifecycleEvent APR/OpenSSL configuration: useAprConnector [false], useOpenSSL [true]
    17-Aug-2017 16:41:46.633 INFO [main] org.apache.catalina.core.AprLifecycleListener.initializeSSL OpenSSL successfully initialized [OpenSSL 1.0.2k 26 Jan 2017]
    17-Aug-2017 16:41:46.836 INFO [main] org.apache.coyote.AbstractProtocol.init Initializing ProtocolHandler ["https-openssl-nio-8443"]
    17-Aug-2017 16:41:47.398 SEVERE [main] org.apache.coyote.AbstractProtocol.init Failed to initialize end point associated with ProtocolHandler ["https-openssl-nio-8443"]
     java.lang.IllegalArgumentException: java.security.KeyStoreException: Cannot get key bytes, not PKCS#8 encoded
        at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:114)
        at org.apache.tomcat.util.net.AbstractJsseEndpoint.initialiseSsl(AbstractJsseEndpoint.java:85)
        at org.apache.tomcat.util.net.NioEndpoint.bind(NioEndpoint.java:225)
        at org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:982)
        at org.apache.tomcat.util.net.AbstractJsseEndpoint.init(AbstractJsseEndpoint.java:244)
        at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:620)
        at org.apache.coyote.http11.AbstractHttp11Protocol.init(AbstractHttp11Protocol.java:66)
        at org.apache.catalina.connector.Connector.initInternal(Connector.java:997)
        at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:107)
        at org.apache.catalina.core.StandardService.initInternal(StandardService.java:549)
    ...
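A diagnostic for the KeyStoreException in the log above, added here as an example and not part of the original report or of Tomcat's code: it opens the same Windows-MY store through SunMSCAPI and prints, for each key entry, the key format and whether encoded key bytes are exposed. The class name KeyFormatCheck is hypothetical; the default alias is the one from the report's Connector.

```java
import java.security.Key;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchProviderException;
import java.util.Collections;

// Added diagnostic, not Tomcat code; the class name KeyFormatCheck is hypothetical.
public class KeyFormatCheck {
    public static void main(String[] args) throws Exception {
        // Default alias is the certificateKeyAlias from the report's Connector.
        String wanted = args.length > 0 ? args[0] : "my-web-cz";

        KeyStore ks;
        try {
            ks = KeyStore.getInstance("Windows-MY", "SunMSCAPI");
        } catch (NoSuchProviderException | KeyStoreException e) {
            System.err.println("Windows-MY via SunMSCAPI is not available on this JVM: " + e);
            return;
        }
        ks.load(null, null); // Windows stores take no stream and no password

        boolean found = false;
        for (String alias : Collections.list(ks.aliases())) {
            if (!ks.isKeyEntry(alias)) {
                continue; // certificate-only entry, no private key to inspect
            }
            Key key = ks.getKey(alias, null);
            if (key == null) {
                System.out.printf("%s: key entry, but no key returned%n", alias);
                continue;
            }
            // The exception in the log complains that the key is "not PKCS#8 encoded",
            // so report the format and whether encoded bytes are exposed at all.
            // Only the length is printed, never the key material itself.
            byte[] encoded = key.getEncoded();
            System.out.printf("%s%s: algorithm=%s format=%s encodedBytes=%s%n",
                    alias.equals(wanted) ? "* " : "  ", alias, key.getAlgorithm(),
                    key.getFormat(), encoded == null ? "none" : encoded.length + " bytes");
            found |= alias.equals(wanted);
        }
        if (!found) {
            System.out.println("No key entry with alias '" + wanted + "' visible to this account");
        }
    }
}
```

Run it under the same Windows account as the Tomcat service, because Windows-MY is the personal store of the account the JVM runs as.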