https://bz.apache.org/bugzilla/show_bug.cgi?id=63524
Bug ID: 63524
Summary: Private key must be accompanied by certificate chain
Product: Tomcat 8
Version: 8.5.40
Hardware: PC
OS: Linux
Status: NEW
Severity: normal
Priority: P2
Component: Connectors
Assignee: [email protected]
Reporter: [email protected]
Target Milestone: ----
Upgrade to 8.5.40 broke the SSL connector. Connecting at port 8443 causes a
connection timeout. Catalina.out is reporting that it fails to initialise the
connector at port 8443 as follows:
<snip>
Caused by: org.apache.catalina.LifecycleException: Protocol handler initialization failed
        at org.apache.catalina.connector.Connector.initInternal(Connector.java:995)
        at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:107)
        ... 12 more
Caused by: java.lang.IllegalArgumentException: Private key must be accompanied by certificate chain
        at org.apache.tomcat.util.net.AprEndpoint.createSSLContext(AprEndpoint.java:404)
        at org.apache.tomcat.util.net.AprEndpoint.bind(AprEndpoint.java:368)
        at org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:1105)
        at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:581)
        at org.apache.coyote.http11.AbstractHttp11Protocol.init(AbstractHttp11Protocol.java:68)
        at org.apache.catalina.connector.Connector.initInternal(Connector.java:993)
        ... 13 more
Caused by: java.lang.IllegalArgumentException: Private key must be accompanied by certificate chain
        at java.security.KeyStore.setKeyEntry(KeyStore.java:1136)
        at org.apache.tomcat.util.net.SSLUtilBase.getKeyManagers(SSLUtilBase.java:313)
        at org.apache.tomcat.util.net.openssl.OpenSSLUtil.getKeyManagers(OpenSSLUtil.java:105)
        at org.apache.tomcat.util.net.SSLUtilBase.createSSLContext(SSLUtilBase.java:239)
        at org.apache.tomcat.util.net.AprEndpoint.createSSLContext(AprEndpoint.java:402)
        ... 18 more
Tomcat is configured to serve two domain names on two connectors, each on a
different IP address, with the following configuration:
<Connector port="8443" address="172.30.0.186"
           protocol="org.apache.coyote.http11.Http11AprProtocol"
           maxThreads="200" SSLEnabled="true"
           scheme="https" secure="true" SSLVerifyClient="optional"
           SSLProtocol="TLSv1+TLSv1.1+TLSv1.2"
           SSLCertificateFile="/etc/pki/tls/certs/domain1.crt"
           SSLCACertificateFile="/etc/pki/tls/certs/comodo-ca-bundle.crt"
           SSLCertificateKeyFile="/etc/pki/tls/private/domain1.key" />
<Connector port="8443" address="172.30.0.94"
           protocol="org.apache.coyote.http11.Http11AprProtocol"
           maxThreads="200" SSLEnabled="true"
           scheme="https" secure="true" SSLVerifyClient="optional"
           SSLProtocol="TLSv1+TLSv1.1+TLSv1.2"
           SSLCertificateFile="/etc/pki/tls/certs/domain2.crt"
           SSLCACertificateFile="/etc/pki/tls/certs/lets-encrypt-x1-cross-signed.pem"
           SSLCertificateKeyFile="/etc/pki/tls/private/domain2.key" />
The above configuration was working fine until the Tomcat upgrade to the latest
AWS-provided version, which is 8.5.40 built May 2 2019 18:02:51 UTC.
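A pre-flight check a practitioner can run against the three PEM files before restarting the connector. This is an added example, not part of the bug report and not Tomcat code. It assumes only what the trace shows: the message comes from java.security.KeyStore.setKeyEntry(), which throws exactly "Private key must be accompanied by certificate chain" when handed a PrivateKey with a null or empty certificate chain, after Tomcat's OpenSSLUtil.getKeyManagers() has turned the PEM files into a KeyStore. The check therefore confirms that each attribute's file actually contains the PEM block type that path needs. The function names, the attribute-driven wrapper and the placeholder DER bodies ("MAMCAQE=" is SEQUENCE { INTEGER 1 }, not a real certificate or key) are constructed for the example.

```python
"""Pre-flight check for the PEM files an APR/OpenSSL Tomcat connector references.

KeyStore.setKeyEntry() rejects a PrivateKey whose chain is null or empty with
"Private key must be accompanied by certificate chain", so the loader must see
at least one CERTIFICATE block in SSLCertificateFile and exactly one private
key in SSLCertificateKeyFile.  Example code; sample data below is constructed.
"""
import base64
import re

# One PEM block: "-----BEGIN label-----", base64 body, "-----END label-----".
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S)

PRIVATE_KEY_LABELS = {
    "PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY", "ENCRYPTED PRIVATE KEY"}


def parse_pem(text):
    """Return [(label, der_bytes)] for every block in `text`.

    Raises ValueError, naming the block, when a body is not valid base64 or
    does not decode to a DER SEQUENCE (tag 0x30, which every X.509
    certificate and PKCS#1/PKCS#8 key starts with).
    """
    blocks = []
    for match in PEM_BLOCK.finditer(text):
        label = match.group(1)
        body = re.sub(r"\s+", "", match.group(2))
        try:
            der = base64.b64decode(body, validate=True)
        except ValueError as exc:            # binascii.Error is a ValueError
            raise ValueError(f"{label}: body is not valid base64") from exc
        if not der or der[0] != 0x30:
            raise ValueError(f"{label}: body does not decode to a DER SEQUENCE")
        blocks.append((label, der))
    return blocks


def _blocks(pem_text, attr, problems):
    """Parse one file; a parse failure is recorded under the connector attribute."""
    try:
        return parse_pem(pem_text)
    except ValueError as exc:
        problems.append(f"{attr}: {exc}")
        return []


def check_connector_files(cert_pem, key_pem, ca_pem=None):
    """Return a list of problems; [] means setKeyEntry() would get one key and a non-empty chain."""
    problems = []

    certs = [d for lbl, d in _blocks(cert_pem, "SSLCertificateFile", problems)
             if lbl == "CERTIFICATE"]
    if not certs:
        problems.append("SSLCertificateFile has no CERTIFICATE block, so the key "
                        "would be stored with an empty chain (the reported error)")

    keys = [lbl for lbl, _ in _blocks(key_pem, "SSLCertificateKeyFile", problems)
            if lbl in PRIVATE_KEY_LABELS]
    if len(keys) != 1:
        problems.append("SSLCertificateKeyFile must hold exactly one private key, "
                        f"found {len(keys)}")
    elif keys[0] == "ENCRYPTED PRIVATE KEY":
        problems.append("SSLCertificateKeyFile is passphrase-protected; Tomcat "
                        "cannot load it without the passphrase")

    if ca_pem is not None:
        ca_certs = [d for lbl, d in _blocks(ca_pem, "SSLCACertificateFile", problems)
                    if lbl == "CERTIFICATE"]
        if not ca_certs:
            problems.append("SSLCACertificateFile has no CERTIFICATE block")
    return problems


def check_connector(attrs):
    """Same check driven by a connector's attribute dict, reading the paths from disk."""
    def read(key):
        with open(attrs[key], encoding="ascii") as fh:
            return fh.read()
    ca = read("SSLCACertificateFile") if "SSLCACertificateFile" in attrs else None
    return check_connector_files(read("SSLCertificateFile"),
                                 read("SSLCertificateKeyFile"), ca)


if __name__ == "__main__":
    # Constructed placeholders: "MAMCAQE=" is DER SEQUENCE { INTEGER 1 }.
    CERT = "-----BEGIN CERTIFICATE-----\nMAMCAQE=\n-----END CERTIFICATE-----\n"
    KEY = "-----BEGIN PRIVATE KEY-----\nMAMCAQE=\n-----END PRIVATE KEY-----\n"
    print("good:      ", check_connector_files(CERT, KEY, CERT))
    print("swapped:   ", check_connector_files(KEY, CERT))
    print("empty body:", check_connector_files(
        "-----BEGIN CERTIFICATE-----\n-----END CERTIFICATE-----\n", KEY))
```

This only checks PEM structure, which is enough to reproduce or rule out the empty-chain precondition behind the exception; it does not prove the key belongs to the certificate. For that, compare `openssl x509 -noout -modulus -in domain1.crt` with `openssl rsa -noout -modulus -in domain1.key` (or the equivalent `openssl pkey -pubout` output for non-RSA keys). Nothing on this page establishes why the files that worked before 8.5.40 now fail, so treat the script as a diagnostic, not a fix.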