Bug 61445 - Unable to start SSL using SunMSCAPI
Summary: Unable to start SSL using SunMSCAPI
Status: RESOLVED DUPLICATE of bug 61451
Alias: None
Product: Tomcat 8
Classification: Unclassified
Component: Connectors
Version: 8.5.20
Hardware: PC All
Importance: P2 normal
Target Milestone: ----
Assignee: Tomcat Developers Mailing List
Depends on:
Reported: 2017-08-18 07:03 UTC by Radek Němec
Modified: 2017-08-31 19:35 UTC

Catalina log with SSL problem (11.12 KB, text/plain)
2017-08-18 07:03 UTC, Radek Němec

Description Radek Němec 2017-08-18 07:03:55 UTC
Created attachment 35250
Catalina log with SSL problem

I have this Connector in server.xml:

<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol" maxThreads="150" SSLEnabled="true" scheme="https" secure="true">
    <SSLHostConfig truststoreProvider="SunMSCAPI" truststoreType="Windows-Root" protocols="+TLSv1.2,+TLSv1.1,+TLSv1">
        <Certificate certificateKeystoreProvider="SunMSCAPI" certificateKeystoreFile="" certificateKeystoreType="Windows-MY" certificateKeyAlias="my-web-cz" type="RSA" />
    </SSLHostConfig>
</Connector>

Tomcat is running as a service under account "ServiceAccount". In Tomcat 8.5.14 the site is functioning normally and certificate from LocalMachine (Windows-Root) is accessed and used.
Setting certificateKeystoreFile="" is correct for SunMSCAPI, not an error; without it, the error "java.lang.IllegalArgumentException: Illegal character in opaque part at index 2: C:\Users\ServiceAccount/.keystore" occurs.

However, after upgrading from 8.5.14 to 8.5.20, this error appears in the log (see attachment for the full log):

17-Aug-2017 16:41:45.976 INFO [main] org.apache.catalina.core.AprLifecycleListener.lifecycleEvent Loaded APR based Apache Tomcat Native library [1.2.12] using APR version [1.5.2].
17-Aug-2017 16:41:45.976 INFO [main] org.apache.catalina.core.AprLifecycleListener.lifecycleEvent APR capabilities: IPv6 [true], sendfile [true], accept filters [false], random [true].
17-Aug-2017 16:41:45.976 INFO [main] org.apache.catalina.core.AprLifecycleListener.lifecycleEvent APR/OpenSSL configuration: useAprConnector [false], useOpenSSL [true]
17-Aug-2017 16:41:46.633 INFO [main] org.apache.catalina.core.AprLifecycleListener.initializeSSL OpenSSL successfully initialized [OpenSSL 1.0.2k  26 Jan 2017]
17-Aug-2017 16:41:46.836 INFO [main] org.apache.coyote.AbstractProtocol.init Initializing ProtocolHandler ["https-openssl-nio-8443"]
17-Aug-2017 16:41:47.398 SEVERE [main] org.apache.coyote.AbstractProtocol.init Failed to initialize end point associated with ProtocolHandler ["https-openssl-nio-8443"]
 java.lang.IllegalArgumentException: java.security.KeyStoreException: Cannot get key bytes, not PKCS#8 encoded
	at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:114)
	at org.apache.tomcat.util.net.AbstractJsseEndpoint.initialiseSsl(AbstractJsseEndpoint.java:85)
	at org.apache.tomcat.util.net.NioEndpoint.bind(NioEndpoint.java:225)
	at org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:982)
	at org.apache.tomcat.util.net.AbstractJsseEndpoint.init(AbstractJsseEndpoint.java:244)
	at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:620)
	at org.apache.coyote.http11.AbstractHttp11Protocol.init(AbstractHttp11Protocol.java:66)
	at org.apache.catalina.connector.Connector.initInternal(Connector.java:997)
	at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:107)
	at org.apache.catalina.core.StandardService.initInternal(StandardService.java:549)
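The log above shows the connector coming up as "https-openssl-nio-8443" with useOpenSSL [true], and the failure message says the key could not be obtained as PKCS#8 bytes. Private keys held by the Windows certificate store through SunMSCAPI never leave CAPI: the Java key object's getEncoded() returns null and getFormat() returns null, so any path that needs raw key material cannot use them. The following diagnostic is an added example written for this report; it is not Tomcat code and not from the reporter. It assumes a Windows JDK that ships the SunMSCAPI provider and should be run under the same account as the Tomcat service (here "ServiceAccount"), because Windows-MY is that account's own store. The alias "my-web-cz" comes from the server.xml above; the class name MscapiKeyCheck and the Report type are inventions of this example.

```java
import java.security.Key;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Enumeration;

/**
 * Pre-flight check for a Tomcat <Certificate certificateKeystoreProvider="SunMSCAPI"
 * certificateKeystoreType="Windows-MY" certificateKeyAlias="..."> entry.
 * Added example (hypothetical class), not part of Tomcat or of the bug report.
 */
public class MscapiKeyCheck {

    /** What the check found for one alias. */
    public static final class Report {
        public final boolean aliasFound;
        public final boolean hasPrivateKey;
        /** true only if getEncoded() returned bytes and getFormat() is "PKCS#8". */
        public final boolean pkcs8Exportable;
        public final String keyFormat;   // null for SunMSCAPI-held keys
        public final String subject;     // certificate subject, if present

        Report(boolean aliasFound, boolean hasPrivateKey, boolean pkcs8Exportable,
               String keyFormat, String subject) {
            this.aliasFound = aliasFound;
            this.hasPrivateKey = hasPrivateKey;
            this.pkcs8Exportable = pkcs8Exportable;
            this.keyFormat = keyFormat;
            this.subject = subject;
        }
    }

    /** Opens an MSCAPI-backed store (Windows-MY or Windows-ROOT) and inspects one alias. */
    public static Report inspect(String storeType, String alias) throws Exception {
        // SunMSCAPI stores are views of the Windows certificate store: there is no
        // file and no password, hence load(null, null). This is also why
        // certificateKeystoreFile="" is the right Tomcat setting for this provider.
        KeyStore ks = KeyStore.getInstance(storeType, "SunMSCAPI");
        ks.load(null, null);

        if (!ks.containsAlias(alias)) {
            return new Report(false, false, false, null, null);
        }

        // SunMSCAPI requires a null password for getKey().
        Key key = ks.getKey(alias, null);
        boolean hasPrivateKey = key instanceof PrivateKey;
        String format = (key == null) ? null : key.getFormat();
        byte[] encoded = (key == null) ? null : key.getEncoded();
        // A CAPI-resident private key is not exportable through the Java API:
        // getEncoded() is null, so nothing that needs raw PKCS#8 bytes can use it.
        boolean pkcs8Exportable = encoded != null && "PKCS#8".equals(format);

        Certificate cert = ks.getCertificate(alias);
        String subject = (cert instanceof X509Certificate)
                ? ((X509Certificate) cert).getSubjectX500Principal().getName()
                : null;

        return new Report(true, hasPrivateKey, pkcs8Exportable, format, subject);
    }

    /** Lists the store's aliases so a mistyped certificateKeyAlias is easy to spot. */
    public static void listAliases(String storeType) throws Exception {
        KeyStore ks = KeyStore.getInstance(storeType, "SunMSCAPI");
        ks.load(null, null);
        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements();) {
            String a = e.nextElement();
            System.out.println("  " + a + (ks.isKeyEntry(a) ? "  [has private key]" : ""));
        }
    }

    public static void main(String[] args) throws Exception {
        // Alias taken from the server.xml in the report; override on the command line.
        String alias = args.length > 0 ? args[0] : "my-web-cz";
        Report r = inspect("Windows-MY", alias);
        if (!r.aliasFound) {
            System.out.println("Alias '" + alias + "' not found in Windows-MY. Available aliases:");
            listAliases("Windows-MY");
            return;
        }
        System.out.println("alias:             " + alias);
        System.out.println("subject:           " + r.subject);
        System.out.println("private key:       " + r.hasPrivateKey);
        System.out.println("key format:        " + r.keyFormat);
        System.out.println("PKCS#8 exportable: " + r.pkcs8Exportable);
        if (r.hasPrivateKey && !r.pkcs8Exportable) {
            System.out.println("-> Key is CAPI-resident; a TLS stack that needs raw key bytes "
                    + "cannot load it. Keep the connector on the pure-Java (JSSE) SSL path.");
        }
    }
}
```

Compile and run it as the service account with `javac MscapiKeyCheck.java` and `java MscapiKeyCheck my-web-cz`. If the alias is found with a private key and the report says the key is not PKCS#8 exportable, the store and alias are fine and the problem is the SSL implementation selected for the connector, not the certificate. Tomcat's Connector attribute sslImplementationName="org.apache.tomcat.util.net.jsse.JSSEImplementation" pins the NIO connector to the pure-Java path even when tomcat-native is loaded; this page does not say whether that is the resolution chosen for bug 61451, so treat it as a diagnostic workaround rather than the official fix.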
Comment 1 Radek Němec 2017-08-18 07:11:06 UTC
> In Tomcat 8.5.14 the site is functioning normally and certificate from
> LocalMachine (Windows-Root) is accessed and used.

I wanted to write CurrentUser (Windows-MY) instead of LocalMachine (Windows-Root).
Comment 2 Radek Němec 2017-08-28 21:41:43 UTC
Seems to be duplicate of https://bz.apache.org/bugzilla/show_bug.cgi?id=61451. Can someone prove this?
Comment 3 Mark Thomas 2017-08-31 19:35:43 UTC
Confirmed. This is a duplicate.

*** This bug has been marked as a duplicate of bug 61451 ***