https://bz.apache.org/bugzilla/show_bug.cgi?id=63524
Bug ID: 63524
Summary: Private key must be accompanied by certificate chain
Product: Tomcat 8
Version: 8.5.40
Hardware: PC
OS: Linux
Status: NEW
Severity: normal
Priority: P2
Component: Connectors
Assignee: dev@tomcat.apache.org
Reporter: arnaud.kleinv...@gmail.com
Target Milestone: ---

Upgrade to 8.5.40 broke the SSL connector. Connecting at port 8443 causes a connection timeout. Catalina.out reports that it fails to initialise the connector at port 8443 as follows:

<snip>
Caused by: org.apache.catalina.LifecycleException: Protocol handler initialization failed
        at org.apache.catalina.connector.Connector.initInternal(Connector.java:995)
        at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:107)
        ... 12 more
Caused by: java.lang.IllegalArgumentException: Private key must be accompanied by certificate chain
        at org.apache.tomcat.util.net.AprEndpoint.createSSLContext(AprEndpoint.java:404)
        at org.apache.tomcat.util.net.AprEndpoint.bind(AprEndpoint.java:368)
        at org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:1105)
        at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:581)
        at org.apache.coyote.http11.AbstractHttp11Protocol.init(AbstractHttp11Protocol.java:68)
        at org.apache.catalina.connector.Connector.initInternal(Connector.java:993)
        ... 13 more
Caused by: java.lang.IllegalArgumentException: Private key must be accompanied by certificate chain
        at java.security.KeyStore.setKeyEntry(KeyStore.java:1136)
        at org.apache.tomcat.util.net.SSLUtilBase.getKeyManagers(SSLUtilBase.java:313)
        at org.apache.tomcat.util.net.openssl.OpenSSLUtil.getKeyManagers(OpenSSLUtil.java:105)
        at org.apache.tomcat.util.net.SSLUtilBase.createSSLContext(SSLUtilBase.java:239)
        at org.apache.tomcat.util.net.AprEndpoint.createSSLContext(AprEndpoint.java:402)
        ... 18 more

Tomcat is configured to serve two domain names on two connectors, each on a different IP address, with the following configuration:

<Connector port="8443" address="172.30.0.186"
           protocol="org.apache.coyote.http11.Http11AprProtocol"
           maxThreads="200" SSLEnabled="true" scheme="https" secure="true"
           SSLVerifyClient="optional"
           SSLProtocol="TLSv1+TLSv1.1+TLSv1.2"
           SSLCertificateFile="/etc/pki/tls/certs/domain1.crt"
           SSLCACertificateFile="/etc/pki/tls/certs/comodo-ca-bundle.crt"
           SSLCertificateKeyFile="/etc/pki/tls/private/domain1.key" />

<Connector port="8443" address="172.30.0.94"
           protocol="org.apache.coyote.http11.Http11AprProtocol"
           maxThreads="200" SSLEnabled="true" scheme="https" secure="true"
           SSLVerifyClient="optional"
           SSLProtocol="TLSv1+TLSv1.1+TLSv1.2"
           SSLCertificateFile="/etc/pki/tls/certs/domain2.crt"
           SSLCACertificateFile="/etc/pki/tls/certs/lets-encrypt-x1-cross-signed.pem"
           SSLCertificateKeyFile="/etc/pki/tls/private/domain2.key" />

The above configuration was working fine until the Tomcat upgrade to the latest AWS-provided version, which is 8.5.40 built May 2 2019 18:02:51 UTC.
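As an added diagnostic (not part of this bug report or of Tomcat's code), the Python below applies the structural checks a defender would run over the contents of SSLCertificateFile and SSLCertificateKeyFile before restarting a connector: java.security.KeyStore.setKeyEntry, the innermost frame in the trace above, throws this IllegalArgumentException whenever a private key is stored with a null or empty certificate chain, so the script flags a certificate file that yields no CERTIFICATE block (for example because the key and certificate paths were swapped). The PEM samples are constructed placeholders rather than real key material, and the script's label check is assumed to be stricter than Tomcat's own PEM parser.

```python
import base64
import re

PEM_RE = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S)
KEY_LABELS = {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY", "ENCRYPTED PRIVATE KEY"}


def pem_blocks(text):
    """Return (label, der_bytes) for each PEM block; der_bytes is None on bad base64."""
    blocks = []
    for label, body in PEM_RE.findall(text):
        try:
            der = base64.b64decode("".join(body.split()), validate=True)
        except ValueError:
            der = None
        blocks.append((label, der))
    return blocks


def audit_connector(cert_text, key_text):
    """Structural checks on the SSLCertificateFile / SSLCertificateKeyFile contents.
    An empty result means a non-empty chain and a private key block are present,
    which is what KeyStore.setKeyEntry requires before it accepts the entry."""
    findings = []
    chain = []
    for label, der in pem_blocks(cert_text):
        if label != "CERTIFICATE":
            # Assumption of this check: only blocks labelled CERTIFICATE build the chain.
            findings.append(f"SSLCertificateFile: block '{label}' not counted toward chain")
        elif der is None or der[:1] != b"\x30":  # DER certificates start with SEQUENCE
            findings.append("SSLCertificateFile: CERTIFICATE block is not a valid DER SEQUENCE")
        else:
            chain.append(der)
    if not chain:
        findings.append("SSLCertificateFile: chain empty -> "
                        "'Private key must be accompanied by certificate chain'")
    if not [l for l, d in pem_blocks(key_text) if l in KEY_LABELS and d is not None]:
        findings.append("SSLCertificateKeyFile: no private key block found")
    return findings


def pem(label, der):
    return f"-----BEGIN {label}-----\n{base64.b64encode(der).decode()}\n-----END {label}-----\n"


# Constructed placeholders, not real key material: a minimal DER SEQUENCE stands in
# for the certificate and key bodies so the structural checks can be exercised.
FAKE_DER = b"\x30\x03\x02\x01\x01"
SAMPLE_CERT = pem("CERTIFICATE", FAKE_DER)
SAMPLE_KEY = pem("RSA PRIVATE KEY", FAKE_DER)

if __name__ == "__main__":
    print(audit_connector(SAMPLE_CERT, SAMPLE_KEY))  # [] : chain and key present
    print(audit_connector(SAMPLE_KEY, SAMPLE_KEY))   # swapped paths: chain empty
```

On a live host, replace the samples with the contents of each connector's SSLCertificateFile and SSLCertificateKeyFile; a non-empty result for either connector explains the initialisation failure without touching the key material itself.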