Bug 59911 - Using certificate from pem file does not work
Summary: Using certificate from pem file does not work
Status: RESOLVED INVALID
Alias: None
Product: Tomcat 9
Classification: Unclassified
Component: Connectors
Version: 9.0.0.M9
Hardware: PC Linux
Importance: P2 normal
Target Milestone: -----
Assignee: Tomcat Developers Mailing List
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2016-07-29 10:23 UTC by jm009
Modified: 2016-08-03 19:51 UTC
Description jm009 2016-07-29 10:23:35 UTC
I'm trying to use Tomcat 9.0.0.M9 with certificates from PEM files.
I do not want to use openssl and the APR-based Apache Tomcat Native library, so as not to be affected by security holes in native code.
So I installed a virtual server with no Tomcat Native library and no openssl.


Relevant part from server.xml:

  <Service name="Catalina">

    <!-- Connector port="8080" protocol="HTTP/1.1"... -->
    <Connector port="8080" protocol="org.apache.coyote.http11.Http11NioProtocol"
               connectionTimeout="20000" redirectPort="8443" />
    
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
               defaultSSLHostConfigName="abcde.xyz-informatik.de">
        <SSLHostConfig hostName="abcde.xyz-informatik.de">
            <!-- Certificate certificateKeystoreFile="conf/localhost-rsa.jks"
                         type="RSA" /-->
            <Certificate certificateFile="conf/ssl/abcde.xyz-informatik.de/domain.crt"
                         certificateChainFile="conf/ssl/abcde.xyz-informatik.de/chain.crt"
                         certificateKeyFile="conf/ssl/abcde.xyz-informatik.de/domain.key"
                         certificateKeyPassword=""
                         type="RSA" />
        </SSLHostConfig>
    </Connector>
Gives exception at startup (if .keystore exists):

29-Jul-2016 12:14:36.217 INFO [main] org.apache.coyote.AbstractProtocol.init Initializing ProtocolHandler ["https-jsse-nio-8443"]
29-Jul-2016 12:14:36.620 SEVERE [main] org.apache.coyote.AbstractProtocol.init Failed to initialize end point associated with ProtocolHandler ["https-jsse-nio-8443"]
 java.lang.IllegalArgumentException: java.io.IOException: Alias name tomcat does not identify a key entry
	at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:102)
	at org.apache.tomcat.util.net.AbstractJsseEndpoint.initialiseSsl(AbstractJsseEndpoint.java:80)
	at org.apache.tomcat.util.net.NioEndpoint.bind(NioEndpoint.java:245)
	at org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:866)
	at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:558)
	at org.apache.coyote.http11.AbstractHttp11Protocol.init(AbstractHttp11Protocol.java:65)
	at org.apache.catalina.connector.Connector.initInternal(Connector.java:1010)
	at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:107)
	at org.apache.catalina.core.StandardService.initInternal(StandardService.java:549)
	at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:107)
	at org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:873)
	at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:107)
	at org.apache.catalina.startup.Catalina.load(Catalina.java:606)
	at org.apache.catalina.startup.Catalina.load(Catalina.java:629)
	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
	at java.lang.reflect.Method.invoke(Method.java:498)
	at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:311)
	at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:494)
Caused by: java.io.IOException: Alias name tomcat does not identify a key entry
	at org.apache.tomcat.util.net.jsse.JSSEUtil.getKeyManagers(JSSEUtil.java:213)
	at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:100)
	... 19 more

29-Jul-2016 12:14:36.623 SEVERE [main] org.apache.catalina.core.StandardService.initInternal Failed to initialize connector [Connector[HTTP/1.1-8443]]
 org.apache.catalina.LifecycleException: Failed to initialize component [Connector[HTTP/1.1-8443]]
	at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:112)
	at org.apache.catalina.core.StandardService.initInternal(StandardService.java:549)
	at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:107)
	at org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:873)
	at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:107)
	at org.apache.catalina.startup.Catalina.load(Catalina.java:606)
	at org.apache.catalina.startup.Catalina.load(Catalina.java:629)
	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
	at java.lang.reflect.Method.invoke(Method.java:498)
	at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:311)
	at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:494)
Caused by: org.apache.catalina.LifecycleException: Protocol handler initialization failed
	at org.apache.catalina.connector.Connector.initInternal(Connector.java:1013)
	at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:107)
	... 12 more
Caused by: java.lang.IllegalArgumentException: java.io.IOException: Alias name tomcat does not identify a key entry
	at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:102)
	at org.apache.tomcat.util.net.AbstractJsseEndpoint.initialiseSsl(AbstractJsseEndpoint.java:80)
	at org.apache.tomcat.util.net.NioEndpoint.bind(NioEndpoint.java:245)
	at org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:866)
	at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:558)
	at org.apache.coyote.http11.AbstractHttp11Protocol.init(AbstractHttp11Protocol.java:65)
	at org.apache.catalina.connector.Connector.initInternal(Connector.java:1010)
	... 13 more
Caused by: java.io.IOException: Alias name tomcat does not identify a key entry
	at org.apache.tomcat.util.net.jsse.JSSEUtil.getKeyManagers(JSSEUtil.java:213)
	at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:100)
	... 19 more

Gives exception at startup (if .keystore does not exist):

29-Jul-2016 12:18:19.366 INFO [main] org.apache.coyote.AbstractProtocol.init Initializing ProtocolHandler ["https-jsse-nio-8443"]
29-Jul-2016 12:18:19.821 SEVERE [main] org.apache.tomcat.util.net.SSLUtilBase.getStore Failed to load keystore type [JKS] with path [/opt/tomcat9//.keystore] due to [/opt/tomcat9/.keystore (No such file or directory)]
 java.io.FileNotFoundException: /opt/tomcat9/.keystore (No such file or directory)
	at java.io.FileInputStream.open0(Native Method)
	at java.io.FileInputStream.open(FileInputStream.java:195)
	at java.io.FileInputStream.<init>(FileInputStream.java:138)
	at java.io.FileInputStream.<init>(FileInputStream.java:93)
	at sun.net.www.protocol.file.FileURLConnection.connect(FileURLConnection.java:90)
	at sun.net.www.protocol.file.FileURLConnection.getInputStream(FileURLConnection.java:188)
	at org.apache.tomcat.util.file.ConfigFileLoader.getInputStream(ConfigFileLoader.java:96)
	at org.apache.tomcat.util.net.SSLUtilBase.getStore(SSLUtilBase.java:129)
	at org.apache.tomcat.util.net.SSLHostConfigCertificate.getCertificateKeystore(SSLHostConfigCertificate.java:187)
	at org.apache.tomcat.util.net.jsse.JSSEUtil.getKeyManagers(JSSEUtil.java:189)
	at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:100)
	at org.apache.tomcat.util.net.AbstractJsseEndpoint.initialiseSsl(AbstractJsseEndpoint.java:80)
	at org.apache.tomcat.util.net.NioEndpoint.bind(NioEndpoint.java:245)
	at org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:866)
	at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:558)
	at org.apache.coyote.http11.AbstractHttp11Protocol.init(AbstractHttp11Protocol.java:65)
	at org.apache.catalina.connector.Connector.initInternal(Connector.java:1010)
	at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:107)
	at org.apache.catalina.core.StandardService.initInternal(StandardService.java:549)
	at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:107)
	at org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:873)
	at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:107)
	at org.apache.catalina.startup.Catalina.load(Catalina.java:606)
	at org.apache.catalina.startup.Catalina.load(Catalina.java:629)
	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
	at java.lang.reflect.Method.invoke(Method.java:498)
	at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:311)
	at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:494)

29-Jul-2016 12:18:19.824 SEVERE [main] org.apache.coyote.AbstractProtocol.init Failed to initialize end point associated with ProtocolHandler ["https-jsse-nio-8443"]
 java.lang.IllegalArgumentException: java.io.FileNotFoundException: /opt/tomcat9/.keystore (No such file or directory)
	at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:102)
	at org.apache.tomcat.util.net.AbstractJsseEndpoint.initialiseSsl(AbstractJsseEndpoint.java:80)
	at org.apache.tomcat.util.net.NioEndpoint.bind(NioEndpoint.java:245)
	at org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:866)
	at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:558)
	at org.apache.coyote.http11.AbstractHttp11Protocol.init(AbstractHttp11Protocol.java:65)
	at org.apache.catalina.connector.Connector.initInternal(Connector.java:1010)
	at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:107)
	at org.apache.catalina.core.StandardService.initInternal(StandardService.java:549)
	at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:107)
	at org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:873)
	at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:107)
	at org.apache.catalina.startup.Catalina.load(Catalina.java:606)
	at org.apache.catalina.startup.Catalina.load(Catalina.java:629)
	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
	at java.lang.reflect.Method.invoke(Method.java:498)
	at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:311)
	at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:494)
Caused by: java.io.FileNotFoundException: /opt/tomcat9/.keystore (No such file or directory)
	at java.io.FileInputStream.open0(Native Method)
	at java.io.FileInputStream.open(FileInputStream.java:195)
	at java.io.FileInputStream.<init>(FileInputStream.java:138)
	at java.io.FileInputStream.<init>(FileInputStream.java:93)
	at sun.net.www.protocol.file.FileURLConnection.connect(FileURLConnection.java:90)
	at sun.net.www.protocol.file.FileURLConnection.getInputStream(FileURLConnection.java:188)
	at org.apache.tomcat.util.file.ConfigFileLoader.getInputStream(ConfigFileLoader.java:96)
	at org.apache.tomcat.util.net.SSLUtilBase.getStore(SSLUtilBase.java:129)
	at org.apache.tomcat.util.net.SSLHostConfigCertificate.getCertificateKeystore(SSLHostConfigCertificate.java:187)
	at org.apache.tomcat.util.net.jsse.JSSEUtil.getKeyManagers(JSSEUtil.java:189)
	at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:100)
	... 19 more

29-Jul-2016 12:18:19.827 SEVERE [main] org.apache.catalina.core.StandardService.initInternal Failed to initialize connector [Connector[HTTP/1.1-8443]]
 org.apache.catalina.LifecycleException: Failed to initialize component [Connector[HTTP/1.1-8443]]
	at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:112)
	at org.apache.catalina.core.StandardService.initInternal(StandardService.java:549)
	at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:107)
	at org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:873)
	at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:107)
	at org.apache.catalina.startup.Catalina.load(Catalina.java:606)
	at org.apache.catalina.startup.Catalina.load(Catalina.java:629)
	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
	at java.lang.reflect.Method.invoke(Method.java:498)
	at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:311)
	at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:494)
Caused by: org.apache.catalina.LifecycleException: Protocol handler initialization failed
	at org.apache.catalina.connector.Connector.initInternal(Connector.java:1013)
	at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:107)
	... 12 more
Caused by: java.lang.IllegalArgumentException: java.io.FileNotFoundException: /opt/tomcat9/.keystore (No such file or directory)
	at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:102)
	at org.apache.tomcat.util.net.AbstractJsseEndpoint.initialiseSsl(AbstractJsseEndpoint.java:80)
	at org.apache.tomcat.util.net.NioEndpoint.bind(NioEndpoint.java:245)
	at org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:866)
	at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:558)
	at org.apache.coyote.http11.AbstractHttp11Protocol.init(AbstractHttp11Protocol.java:65)
	at org.apache.catalina.connector.Connector.initInternal(Connector.java:1010)
	... 13 more
Caused by: java.io.FileNotFoundException: /opt/tomcat9/.keystore (No such file or directory)
	at java.io.FileInputStream.open0(Native Method)
	at java.io.FileInputStream.open(FileInputStream.java:195)
	at java.io.FileInputStream.<init>(FileInputStream.java:138)
	at java.io.FileInputStream.<init>(FileInputStream.java:93)
	at sun.net.www.protocol.file.FileURLConnection.connect(FileURLConnection.java:90)
	at sun.net.www.protocol.file.FileURLConnection.getInputStream(FileURLConnection.java:188)
	at org.apache.tomcat.util.file.ConfigFileLoader.getInputStream(ConfigFileLoader.java:96)
	at org.apache.tomcat.util.net.SSLUtilBase.getStore(SSLUtilBase.java:129)
	at org.apache.tomcat.util.net.SSLHostConfigCertificate.getCertificateKeystore(SSLHostConfigCertificate.java:187)
	at org.apache.tomcat.util.net.jsse.JSSEUtil.getKeyManagers(JSSEUtil.java:189)
	at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:100)
	... 19 more
I found this: #59910
Comment 1 Remy Maucherat 2016-08-02 14:44:51 UTC
Please don't file duplicates on purpose.

*** This bug has been marked as a duplicate of bug 59904 ***
Comment 2 Remy Maucherat 2016-08-02 14:46:39 UTC
Wrong BZ.
Comment 3 Remy Maucherat 2016-08-02 15:05:43 UTC
Although the exception is confusing, this is supposed to work (see BZ 59344) and I've verified it works for me. There's probably some issue with your PEM key which isn't valid and thus it says there's no "tomcat" key in the (virtual) keystore [that's the default key alias for now, see BZ 59910]. Please investigate on the user list.
Comment 4 jm009 2016-08-03 19:37:13 UTC
> There's probably some issue with your PEM key

If there were a problem with the PEM key, I would expect Tomcat to throw an exception and stop. It would be a security problem if Tomcat used a key other than the configured one.

By the way: I can display key, certificate and certificate chain with openssl without problem.


> Please don't file duplicates on purpose

#59910 is not a duplicate of what I have described. I just thought that maybe #59910 could be a hint that the certificate selection code in 9.0.0.M9 may have some shortcomings.

Thank you for your help and confirmation, that it works for you.
I'll do some more tests as soon as I find some time for it.
I don't have openssl and I don't have the tomcat native library installed, so that will be the first thing I am going to test.
Comment 5 Remy Maucherat 2016-08-03 19:51:18 UTC
> > Please don't file duplicates on purpose
> 
> #59910 is not a duplicate of what I have described.

The duplicate thing was a mistake, please ignore it.

> I just thought, that
> maybe #59910 could be a hint, that the certificate selection code in
> 9.0.0.M9 may have some shortcomings.

There's no certificate selection code, Tomcat uses a virtual keystore with a single key created from your pems. The key alias is "tomcat", hence the error message.
BZ 59344 is where to look.

> Thank you for your help and confirmation, that it works for you.
> I'll do some more tests, as soon as I find some time for it.
> I don't have openssl and I don't have the tomcat native library installed,
> so that will be the first thing I am going to test.

Please investigate in the user list.
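An added example, not part of this thread and not Tomcat's own code: a hypothetical stand-alone Java diagnostic that rebuilds, with plain JDK APIs, the kind of single-entry in-memory keystore the comment above describes (one key under the alias "tomcat"), and applies the two checks a deployer wants before starting the connector: that the PEM key parses at all, and that it belongs to the leaf certificate. It assumes an unencrypted PKCS#8 key (a "BEGIN PRIVATE KEY" block) and the same three files as the server.xml in the report; the class and method names are mine, and the in-memory keystore password is arbitrary. It needs neither openssl nor the native library, which matches the reporter's setup.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.GeneralSecurityException;
import java.security.KeyFactory;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.security.interfaces.RSAPrivateKey;
import java.security.interfaces.RSAPublicKey;
import java.security.spec.PKCS8EncodedKeySpec;
import java.util.ArrayList;
import java.util.Base64;
import java.util.List;

/**
 * Hypothetical diagnostic (not Tomcat code): builds an in-memory keystore from
 * certificateFile / certificateChainFile / certificateKeyFile under the "tomcat"
 * alias and checks the one condition behind the error in the thread, that the
 * alias really is a key entry, plus that the key belongs to the leaf certificate.
 */
public class PemKeyStoreCheck {

    static final String ALIAS = "tomcat";                 // default alias named in the thread
    static final String KEY_BEGIN = "-----BEGIN PRIVATE KEY-----";
    static final String KEY_END   = "-----END PRIVATE KEY-----";

    /** Parse an unencrypted PKCS#8 PEM private key. Other encodings are rejected, not guessed. */
    static PrivateKey loadPkcs8Key(String pem, String algorithm)
            throws IOException, GeneralSecurityException {
        int start = pem.indexOf(KEY_BEGIN);
        int end = pem.indexOf(KEY_END);
        if (start < 0 || end < 0) {
            throw new IOException("key file is not an unencrypted PKCS#8 PEM (no BEGIN PRIVATE KEY block)");
        }
        String body = pem.substring(start + KEY_BEGIN.length(), end).replaceAll("\\s+", "");
        byte[] der = Base64.getDecoder().decode(body);
        return KeyFactory.getInstance(algorithm).generatePrivate(new PKCS8EncodedKeySpec(der));
    }

    /** Parse every certificate in a PEM file, in file order (CertificateFactory accepts PEM bundles). */
    static List<X509Certificate> loadCerts(byte[] pem) throws GeneralSecurityException {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        List<X509Certificate> out = new ArrayList<>();
        for (Certificate c : cf.generateCertificates(new ByteArrayInputStream(pem))) {
            out.add((X509Certificate) c);
        }
        return out;
    }

    /** Build the single-entry keystore; return it only if the alias is a usable key entry. */
    static KeyStore buildVirtualKeyStore(PrivateKey key, List<X509Certificate> chain, char[] pw)
            throws IOException, GeneralSecurityException {
        X509Certificate leaf = chain.get(0);
        // Fail closed: a key that does not belong to the leaf certificate must never be served.
        if (key instanceof RSAPrivateKey && leaf.getPublicKey() instanceof RSAPublicKey) {
            RSAPrivateKey priv = (RSAPrivateKey) key;
            RSAPublicKey pub = (RSAPublicKey) leaf.getPublicKey();
            if (!priv.getModulus().equals(pub.getModulus())) {
                throw new GeneralSecurityException("private key does not match the leaf certificate");
            }
        }
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        ks.load(null, null);                                   // fresh, in-memory store
        ks.setKeyEntry(ALIAS, key, pw, chain.toArray(new Certificate[0]));
        if (!ks.isKeyEntry(ALIAS)) {                           // the condition behind the thread's error
            throw new IOException("Alias name " + ALIAS + " does not identify a key entry");
        }
        return ks;
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 3) {
            System.err.println("usage: PemKeyStoreCheck domain.crt chain.crt domain.key");
            System.exit(2);
        }
        // Leaf first, then the intermediates from the chain file, as Tomcat's attributes are split.
        List<X509Certificate> chain = new ArrayList<>(loadCerts(Files.readAllBytes(Paths.get(args[0]))));
        chain.addAll(loadCerts(Files.readAllBytes(Paths.get(args[1]))));
        String keyPem = new String(Files.readAllBytes(Paths.get(args[2])), StandardCharsets.US_ASCII);
        PrivateKey key = loadPkcs8Key(keyPem, "RSA");          // type="RSA" as in the reporter's config
        char[] inMemoryPassword = "changeit".toCharArray();    // arbitrary; the store never leaves memory
        KeyStore ks = buildVirtualKeyStore(key, chain, inMemoryPassword);
        System.out.println("OK: alias " + ALIAS + " is a key entry for "
                + chain.get(0).getSubjectX500Principal() + " with a chain of "
                + ks.getCertificateChain(ALIAS).length + " certificate(s)");
    }
}
```

Run it from the Tomcat base directory as `java PemKeyStoreCheck conf/ssl/<host>/domain.crt conf/ssl/<host>/chain.crt conf/ssl/<host>/domain.key`. A key file that is not unencrypted PKCS#8 is rejected with its own message, a key that does not match the leaf certificate with another, and an alias that is not a key entry with the same wording Tomcat logged; so the tool separates the "bad key file" hypothesis from the comment above from a genuine key/certificate mismatch, and in every failure case nothing is served, which is the fail-closed behaviour the reporter asked for in comment 4.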