Tested with 9.0.82-dev, but I guess this happens on all versions Created one certificate: openssl req -x509 -newkey rsa:4096 -keyout key.crt -out cert.crt -sha256 -days 5 -passout file:key-password openssl pkcs12 -export -in cert.crt -inkey key.crt -out keystore.p12 -name "localhost" -passin file:key-password -passout file:keystore-password Declared in server.xml: <Listener className="org.apache.catalina.security.TLSCertificateReloadListener" checkPeriod="120" daysBefore="360" /> and <Connector port="20001" protocol="org.apache.coyote.http11.Http11NioProtocol" maxThreads="150" SSLEnabled="true" maxParameterCount="1000" sslImplementationName="org.apache.tomcat.util.net.jsse.JSSEImplementation"> <SSLHostConfig> <Certificate certificateKeyFile="conf/certs-localhost/key.crt" certificateFile="conf/certs-localhost/cert.crt" certificateChainFile="conf/cacerts.crt" type="RSA" /> </SSLHostConfig> </Connector> <Connector port="20002" protocol="org.apache.coyote.http11.Http11NioProtocol" maxThreads="150" SSLEnabled="true" maxParameterCount="1000" sslImplementationName="org.apache.tomcat.util.net.jsse.JSSEImplementation"> <SSLHostConfig> <Certificate certificateKeystoreFile="conf/certs-localhost/keystore.p12" certificateKeyAlias="localhost" type="RSA" /> </SSLHostConfig> </Connector> <Connector port="20003" protocol="org.apache.coyote.http11.Http11NioProtocol" maxThreads="150" SSLEnabled="true" maxParameterCount="1000" sslImplementationName="org.apache.tomcat.util.net.openssl.OpenSSLImplementation"> <SSLHostConfig> <Certificate certificateKeyFile="conf/certs-localhost/key.crt" certificateFile="conf/certs-localhost/cert.crt" certificateChainFile="conf/cacerts.crt" type="RSA" /> </SSLHostConfig> </Connector> <Connector port="20004" protocol="org.apache.coyote.http11.Http11NioProtocol" maxThreads="150" SSLEnabled="true" maxParameterCount="1000" sslImplementationName="org.apache.tomcat.util.net.openssl.OpenSSLImplementation"> <SSLHostConfig> <Certificate certificateKeystoreFile="conf/certs-localhost/keystore.p12" certificateKeyAlias="localhost" type="RSA" /> </SSLHostConfig> </Connector> <Connector port="30001" protocol="org.apache.coyote.http11.Http11AprProtocol" maxThreads="150" SSLEnabled="true" maxParameterCount="1000"> <SSLHostConfig> <Certificate certificateKeyFile="conf/certs-localhost/key.crt" certificateFile="conf/certs-localhost/cert.crt" certificateChainFile="conf/cacerts.crt" type="RSA" /> </SSLHostConfig> </Connector> <Connector port="30002" protocol="org.apache.coyote.http11.Http11AprProtocol" maxThreads="150" SSLEnabled="true" maxParameterCount="1000"> <SSLHostConfig> <Certificate certificateKeystoreFile="conf/certs-localhost/keystore.p12" certificateKeyAlias="localhost" type="RSA" /> </SSLHostConfig> </Connector> Starting Tomcat: 10-Oct-2023 20:21:25.310 INFORMATION [main] org.apache.coyote.AbstractProtocol.init Initializing ProtocolHandler ["https-jsse-nio-20001"] 10-Oct-2023 20:21:25.802 SCHWERWIEGEND [main] org.apache.catalina.util.LifecycleBase.handleSubClassException Failed to initialize component [Connector["https-jsse-nio-20001"]] org.apache.catalina.LifecycleException: Protocol handler initialization failed at org.apache.catalina.connector.Connector.initInternal(Connector.java:1011) at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:127) at org.apache.catalina.core.StandardService.initInternal(StandardService.java:554) at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:127) at org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:1039) at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:127) at org.apache.catalina.startup.Catalina.load(Catalina.java:724) at org.apache.catalina.startup.Catalina.load(Catalina.java:746) at java.base/jdk.internal.reflect.DirectMethodHandleAccessor.invoke(DirectMethodHandleAccessor.java:103) at java.base/java.lang.reflect.Method.invoke(Method.java:578) at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:307) at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:477) Caused by: java.lang.IllegalArgumentException: PBE parameter parsing error: expecting the object identifier for AES cipher at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:107) at org.apache.tomcat.util.net.AbstractJsseEndpoint.initialiseSsl(AbstractJsseEndpoint.java:71) at org.apache.tomcat.util.net.NioEndpoint.bind(NioEndpoint.java:236) at org.apache.tomcat.util.net.AbstractEndpoint.bindWithCleanup(AbstractEndpoint.java:1326) at org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:1339) at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:654) at org.apache.coyote.http11.AbstractHttp11Protocol.init(AbstractHttp11Protocol.java:75) at org.apache.catalina.connector.Connector.initInternal(Connector.java:1009) ... 11 more Caused by: java.io.IOException: PBE parameter parsing error: expecting the object identifier for AES cipher at java.base/com.sun.crypto.provider.PBES2Parameters.parseES(PBES2Parameters.java:324) at java.base/com.sun.crypto.provider.PBES2Parameters.engineInit(PBES2Parameters.java:240) at java.base/java.security.AlgorithmParameters.init(AlgorithmParameters.java:311) at java.base/sun.security.x509.AlgorithmId.decodeParams(AlgorithmId.java:149) at java.base/sun.security.x509.AlgorithmId.<init>(AlgorithmId.java:131) at java.base/sun.security.x509.AlgorithmId.parse(AlgorithmId.java:416) at java.base/javax.crypto.EncryptedPrivateKeyInfo.<init>(EncryptedPrivateKeyInfo.java:105) at org.apache.tomcat.util.net.jsse.PEMFile$Part.toPrivateKey(PEMFile.java:245) at org.apache.tomcat.util.net.jsse.PEMFile.<init>(PEMFile.java:178) at org.apache.tomcat.util.net.jsse.PEMFile.<init>(PEMFile.java:107) at org.apache.tomcat.util.net.SSLUtilBase.getKeyManagers(SSLUtilBase.java:355) at org.apache.tomcat.util.net.SSLUtilBase.createSSLContext(SSLUtilBase.java:268) at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:105) ... 18 more 10-Oct-2023 20:21:25.806 INFORMATION [main] org.apache.coyote.AbstractProtocol.init Initializing ProtocolHandler ["https-jsse-nio-20002"] 10-Oct-2023 20:21:25.953 INFORMATION [main] org.apache.tomcat.util.net.AbstractEndpoint.logCertificate Connector [https-jsse-nio-20002], TLS virtual host [_default_], certificate type [RSA] configured from keystore [conf/certs-localhost/keystore.p12] using alias [localhost] with trust store [null] 10-Oct-2023 20:21:25.986 INFORMATION [main] org.apache.coyote.AbstractProtocol.init Initializing ProtocolHandler ["https-openssl-nio-20003"] 10-Oct-2023 20:21:26.013 INFORMATION [main] org.apache.tomcat.util.net.openssl.OpenSSLUtil.getKeyManagers The certificate [conf/certs-localhost/cert.crt] or its private key [conf/certs-localhost/key.crt] could not be processed using a JSSE key manager and will be given directly to OpenSSL 10-Oct-2023 20:21:26.117 INFORMATION [main] org.apache.tomcat.util.net.AbstractEndpoint.logCertificate Connector [https-openssl-nio-20003], TLS virtual host [_default_], certificate type [RSA] configured from key [conf/certs-localhost/key.crt], certificate [conf/certs-localhost/cert.crt] and certificate chain [conf/cacerts.crt] with trust store [null] 10-Oct-2023 20:21:26.119 INFORMATION [main] org.apache.coyote.AbstractProtocol.init Initializing ProtocolHandler ["https-openssl-nio-20004"] 10-Oct-2023 20:21:26.141 INFORMATION [main] org.apache.tomcat.util.net.AbstractEndpoint.logCertificate Connector [https-openssl-nio-20004], TLS virtual host [_default_], certificate type [RSA] configured from keystore [conf/certs-localhost/keystore.p12] using alias [localhost] with trust store [null] 10-Oct-2023 20:21:26.143 INFORMATION [main] org.apache.coyote.AbstractProtocol.init Initializing ProtocolHandler ["https-openssl-apr-30001"] 10-Oct-2023 20:21:26.157 INFORMATION [main] org.apache.tomcat.util.net.openssl.OpenSSLUtil.getKeyManagers The certificate [conf/certs-localhost/cert.crt] or its private key [conf/certs-localhost/key.crt] could not be processed using a JSSE key manager and will be given directly to OpenSSL 10-Oct-2023 20:21:26.209 INFORMATION [main] org.apache.tomcat.util.net.openssl.OpenSSLUtil.getKeyManagers The certificate [conf/certs-localhost/cert.crt] or its private key [conf/certs-localhost/key.crt] could not be processed using a JSSE key manager and will be given directly to OpenSSL 10-Oct-2023 20:21:26.210 INFORMATION [main] org.apache.tomcat.util.net.AbstractEndpoint.logCertificate Connector [https-openssl-apr-30001], TLS virtual host [_default_], certificate type [RSA] configured from key [conf/certs-localhost/key.crt], certificate [conf/certs-localhost/cert.crt] and certificate chain [conf/cacerts.crt] with trust store [null] 10-Oct-2023 20:21:26.212 INFORMATION [main] org.apache.coyote.AbstractProtocol.init Initializing ProtocolHandler ["https-openssl-apr-30002"] 10-Oct-2023 20:21:26.248 INFORMATION [main] org.apache.tomcat.util.net.AbstractEndpoint.logCertificate Connector [https-openssl-apr-30002], TLS virtual host [_default_], certificate type [RSA] configured from keystore [conf/certs-localhost/keystore.p12] using alias [localhost] with trust store [null] 10-Oct-2023 20:21:26.250 INFORMATION [main] org.apache.catalina.startup.Catalina.load Server initialization in [2178] milliseconds We will ignore 20001 for now because Java does not support DES-encrypted private keys, only AES. Waiting for the listener: 10-Oct-2023 20:35:11.441 INFORMATION [Catalina-utility-1] org.apache.tomcat.util.net.AbstractEndpoint.logCertificate Connector [https-jsse-nio-20002], TLS virtual host [_default_], certificate type [RSA] configured from keystore [conf/certs-localhost/keystore.p12] using alias [localhost] with trust store [null] 10-Oct-2023 20:35:11.442 INFORMATION [Catalina-utility-1] org.apache.catalina.security.TLSCertificateReloadListener.checkCertificatesForRenewal [Connector["https-jsse-nio-20002"]], TLS virtual host [_default_] reloaded TLS configuration 10-Oct-2023 20:35:11.442 WARNUNG [Catalina-utility-1] org.apache.catalina.security.TLSCertificateReloadListener.checkCertificatesForRenewal [Connector["https-jsse-nio-20002"]], TLS virtual host [_default_] with name [CN=localhost, OU=IN IT IN, O=Siemens, L=Berlin, ST=Berlin, C=DE] that expires on [2023-10-15T17:20:55Z] is overdue for renewal 10-Oct-2023 20:35:11.456 INFORMATION [Catalina-utility-1] org.apache.tomcat.util.net.AbstractEndpoint.logCertificate Connector [https-openssl-nio-20004], TLS virtual host [_default_], certificate type [RSA] configured from keystore [conf/certs-localhost/keystore.p12] using alias [localhost] with trust store [null] 10-Oct-2023 20:35:11.457 INFORMATION [Catalina-utility-1] org.apache.catalina.security.TLSCertificateReloadListener.checkCertificatesForRenewal [Connector["https-openssl-nio-20004"]], TLS virtual host [_default_] reloaded TLS configuration 10-Oct-2023 20:35:11.457 WARNUNG [Catalina-utility-1] org.apache.catalina.security.TLSCertificateReloadListener.checkCertificatesForRenewal [Connector["https-openssl-nio-20004"]], TLS virtual host [_default_] with name [CN=localhost, OU=IN IT IN, O=Siemens, L=Berlin, ST=Berlin, C=DE] that expires on [2023-10-15T17:20:55Z] is overdue for renewal 10-Oct-2023 20:35:11.476 INFORMATION [Catalina-utility-1] org.apache.tomcat.util.net.AbstractEndpoint.logCertificate Connector [https-openssl-apr-30002], TLS virtual host [_default_], certificate type [RSA] configured from keystore [conf/certs-localhost/keystore.p12] using alias [localhost] with trust store [null] 10-Oct-2023 20:35:11.476 INFORMATION [Catalina-utility-1] org.apache.catalina.security.TLSCertificateReloadListener.checkCertificatesForRenewal [Connector["https-openssl-apr-30002"]], TLS virtual host [_default_] reloaded TLS configuration 10-Oct-2023 20:35:11.477 WARNUNG [Catalina-utility-1] org.apache.catalina.security.TLSCertificateReloadListener.checkCertificatesForRenewal [Connector["https-openssl-apr-30002"]], TLS virtual host [_default_] with name [CN=localhost, OU=IN IT IN, O=Siemens, L=Berlin, ST=Berlin, C=DE] that expires on [2023-10-15T17:20:55Z] is overdue for renewal Connectors for ports 20003 and 30001 do not appear because they use at some point "X509KeyManager x509KeyManager = certificate.getCertificateKeyManager();" returns null, thus "X509Certificate[] certificates = sslContext.getCertificateChain(alias);" is null and certificatesExpiringBefore() returns an empty set. I assume that the code needs refinement, I guess that renew bots will create OpenSSL-style cert and key this listener won't be usable for people at the moment.
Before reload: $ for port in 20001 20002 20003 20004 30001 30002 ; do echo $port; echo -n Q | openssl s_client -connect localhost:$port 2>/dev/null | openssl x509 -noout -dates; done 20001 notBefore=Oct 11 07:32:31 2023 GMT notAfter=Oct 16 07:32:31 2023 GMT 20002 notBefore=Oct 11 07:32:31 2023 GMT notAfter=Oct 16 07:32:31 2023 GMT 20003 notBefore=Oct 11 07:32:31 2023 GMT notAfter=Oct 16 07:32:31 2023 GMT 20004 notBefore=Oct 11 07:32:31 2023 GMT notAfter=Oct 16 07:32:31 2023 GMT 30001 notBefore=Oct 11 07:32:31 2023 GMT notAfter=Oct 16 07:32:31 2023 GMT 30002 notBefore=Oct 11 07:32:31 2023 GMT notAfter=Oct 16 07:32:31 2023 GMT After reload: osipovmi@md2pcvtc MINGW64 ~ $ for port in 20001 20002 20003 20004 30001 30002 ; do echo $port; echo -n Q | openssl s_client -connect localhost:$port 2>/dev/null | openssl x509 -noout -dates; done 20001 notBefore=Oct 11 08:17:18 2023 GMT notAfter=Oct 10 08:17:18 2024 GMT 20002 notBefore=Oct 11 08:17:18 2023 GMT notAfter=Oct 10 08:17:18 2024 GMT 20003 notBefore=Oct 11 07:32:31 2023 GMT notAfter=Oct 16 07:32:31 2023 GMT 20004 notBefore=Oct 11 08:17:18 2023 GMT notAfter=Oct 10 08:17:18 2024 GMT 30001 notBefore=Oct 11 08:17:18 2023 GMT notAfter=Oct 10 08:17:18 2024 GMT 30002 notBefore=Oct 11 08:17:18 2023 GMT notAfter=Oct 10 08:17:18 2024 GMT Very weird...I certain this needs more testing/anaylsis...
The fix for BZ 67667 addressed most of the errors. The remaining issue has been fixed. Reloading isn't going to work for PEM files that are passed directly to OpenSSL although with BZ 67667 those should be few and far between. And we should be able to add handling for them once the PEM format (primarily the KDF and cipher) are known. When reloading isn't going to work, a warning will be logged as there are a few management/monitoring features that won't work. Fixed in: - main for 11.0.0-M13 and onwards - 10.1.x for 10.1.16 and onwards - 9.0.x for 9.0.83 and onwards - 8.5.x for 8.5.96 and onwards
Sorry, wrong bug reference. It was bug 67675.
Just build Tomcat from bec7a51d7fc3fb913c755b258169d1816b77bea5. I can confirm that is works now.