| Summary: | Unable to start SSL using SunMSCAPI | | |
|---|---|---|---|
| Product: | Tomcat 8 | Reporter: | Radek Němec <radek.nemec> |
| Component: | Connectors | Assignee: | Tomcat Developers Mailing List <dev> |
| Status: | RESOLVED DUPLICATE | | |
| Severity: | normal | CC: | radek.nemec |
| Priority: | P2 | | |
| Version: | 8.5.20 | | |
| Target Milestone: | ---- | | |
| Hardware: | PC | | |
| OS: | All | | |
| Attachments: | Catalina log with SSL problem | | |
> In Tomcat 8.5.14 the site is functioning normally and certificate from
> LocalMachine (Windows-Root) is accessed and used.
I wanted to write CurrentUser (Windows-MY) instead of LocalMachine (Windows-Root).
Seems to be duplicate of https://bz.apache.org/bugzilla/show_bug.cgi?id=61451. Can someone prove this?
Created attachment 35250 [details] Catalina log with SSL problem

I have this Connector in server.xml:

```xml
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           maxThreads="150" SSLEnabled="true" scheme="https" secure="true">
    <SSLHostConfig truststoreProvider="SunMSCAPI" truststoreType="Windows-Root"
                   protocols="+TLSv1.2,+TLSv1.1,+TLSv1">
        <Certificate certificateKeystoreProvider="SunMSCAPI"
                     certificateKeystoreFile=""
                     certificateKeystoreType="Windows-MY"
                     certificateKeyAlias="my-web-cz"
                     type="RSA" />
    </SSLHostConfig>
</Connector>
```

Tomcat is running as a service under account "ServiceAccount". In Tomcat 8.5.14 the site is functioning normally and certificate from LocalMachine (Windows-Root) is accessed and used.

Setting certificateKeystoreFile="" is correct for SunMSCAPI, not an error; without it the "java.lang.IllegalArgumentException: Illegal character in opaque part at index 2: C:\Users\ServiceAccount/.keystore" occurs.

However, after upgrading 8.5.14 to 8.5.20, this error appears in the log (see attachment for full log):

```
...
17-Aug-2017 16:41:45.976 INFO [main] org.apache.catalina.core.AprLifecycleListener.lifecycleEvent Loaded APR based Apache Tomcat Native library [1.2.12] using APR version [1.5.2].
17-Aug-2017 16:41:45.976 INFO [main] org.apache.catalina.core.AprLifecycleListener.lifecycleEvent APR capabilities: IPv6 [true], sendfile [true], accept filters [false], random [true].
17-Aug-2017 16:41:45.976 INFO [main] org.apache.catalina.core.AprLifecycleListener.lifecycleEvent APR/OpenSSL configuration: useAprConnector [false], useOpenSSL [true]
17-Aug-2017 16:41:46.633 INFO [main] org.apache.catalina.core.AprLifecycleListener.initializeSSL OpenSSL successfully initialized [OpenSSL 1.0.2k 26 Jan 2017]
17-Aug-2017 16:41:46.836 INFO [main] org.apache.coyote.AbstractProtocol.init Initializing ProtocolHandler ["https-openssl-nio-8443"]
17-Aug-2017 16:41:47.398 SEVERE [main] org.apache.coyote.AbstractProtocol.init Failed to initialize end point associated with ProtocolHandler ["https-openssl-nio-8443"]
 java.lang.IllegalArgumentException: java.security.KeyStoreException: Cannot get key bytes, not PKCS#8 encoded
	at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:114)
	at org.apache.tomcat.util.net.AbstractJsseEndpoint.initialiseSsl(AbstractJsseEndpoint.java:85)
	at org.apache.tomcat.util.net.NioEndpoint.bind(NioEndpoint.java:225)
	at org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:982)
	at org.apache.tomcat.util.net.AbstractJsseEndpoint.init(AbstractJsseEndpoint.java:244)
	at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:620)
	at org.apache.coyote.http11.AbstractHttp11Protocol.init(AbstractHttp11Protocol.java:66)
	at org.apache.catalina.connector.Connector.initInternal(Connector.java:997)
	at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:107)
	at org.apache.catalina.core.StandardService.initInternal(StandardService.java:549)
...
```
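As an added diagnostic (not code from the bug report or from Tomcat), the following Java program opens the same Windows-MY store through SunMSCAPI and reports whether the private key behind the configured alias ("my-web-cz", taken from the server.xml above) exposes encoded PKCS#8 bytes at all; it assumes it is run on the Windows host under the same account the Tomcat service uses, since Windows-MY is that user's personal store.

```java
import java.security.Key;
import java.security.KeyStore;
import java.util.Collections;

/**
 * Checks what the JVM can see of a SunMSCAPI private key.
 * Added example, not Tomcat code. Run as the Tomcat service account
 * ("ServiceAccount" in the report) so Windows-MY resolves to its store.
 */
public class MscapiKeyCheck {

    public static void main(String[] args) throws Exception {
        String alias = args.length > 0 ? args[0] : "my-web-cz"; // alias from server.xml

        // Same provider/type pair as the <Certificate> element; no file and no
        // password are needed because the Windows certificate store is the keystore.
        KeyStore ks = KeyStore.getInstance("Windows-MY", "SunMSCAPI");
        ks.load(null, null);

        System.out.println("Aliases visible to this account: "
                + Collections.list(ks.aliases()));

        if (!ks.isKeyEntry(alias)) {
            System.out.println("No private-key entry for '" + alias
                    + "': certificate not in this store or this account has no private key for it");
            return;
        }

        Key key = ks.getKey(alias, null); // SunMSCAPI ignores the password
        byte[] encoded = key.getEncoded();

        System.out.println("Key class : " + key.getClass().getName());
        System.out.println("Algorithm : " + key.getAlgorithm());
        System.out.println("Format    : " + key.getFormat());   // null for MSCAPI keys
        System.out.println("Encoded   : "
                + (encoded == null ? "unavailable" : encoded.length + " bytes"));

        if (encoded == null) {
            // The key material stays inside CryptoAPI: Java holds a handle, not the
            // bytes, so no PKCS#8 form of this key can be produced for a native engine.
            System.out.println("Private key is not exportable to Java; a PKCS#8 "
                    + "conversion of this key cannot succeed.");
        }
    }
}
```

If the output reports the format and encoding as unavailable, the key itself is usable only through a code path that keeps it inside the SunMSCAPI provider, which is worth comparing against the "useOpenSSL [true]" line in the log above.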