I am working with an SSL certificate in Apache tomcat. I have created CSR and got a JKS file. Then when I have given the CSR to certificate authority, then they have given me the certificate. When I have tested the JKS certificate using the following command,
keytool -list -keystore ava_bankasia-bd_com.jks
I have got the following output:
Keystore type: PKCS12
Keystore provider: SUN
Your keystore contains 1 entry
tomcat, Jun 22, 2021, trustedCertEntry,
Certificate fingerprint (SHA-256): 7F:F3:C5:60:D1:E6:E5:04:2A:E8:2E:D1:D7:1A:92:DE:39:47:75:BD:06:25:0D:D0:CB:C0:55:BA:D6:2B:28:E9
Then I have configured the tomcat with the following code:
<Connector port="443"
protocol="org.apache.coyote.http11.Http11Protocol"
SSLEnabled="true"
maxThreads="150"
scheme="https"
secure="true"
clientAuth="false"
sslProtocol="TLS"
keystoreFile="/u01/csr_certificate/ava_bankasia-bd_com.jks"
keystorePass="-------"
keyAlias="tomcat" />
I have imported them all into the Keystore ok (but obviously not!) but the error I'm getting from Tomcat is: 'java.io.IOException Alias name does not identify a key entry'. The full error is as follows:
org.apache.catalina.LifecycleException: Protocol handler initialization failed
at org.apache.catalina.connector.Connector.initInternal(Connector.java:1076)
at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
at org.apache.catalina.core.StandardService.initInternal(StandardService.java:552)
at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
at org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:846)
at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
at org.apache.catalina.startup.Catalina.load(Catalina.java:639)
at org.apache.catalina.startup.Catalina.load(Catalina.java:662)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:302)
at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:472)
Caused by: java.lang.IllegalArgumentException: Alias name [tomcat] does not identify a key entry
at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:100)
at org.apache.tomcat.util.net.AbstractJsseEndpoint.initialiseSsl(AbstractJsseEndpoint.java:72)
at org.apache.tomcat.util.net.NioEndpoint.bind(NioEndpoint.java:247)
at org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:1143)
at org.apache.tomcat.util.net.AbstractJsseEndpoint.init(AbstractJsseEndpoint.java:222)
at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:599)
at org.apache.coyote.http11.AbstractHttp11Protocol.init(AbstractHttp11Protocol.java:80)
at org.apache.catalina.connector.Connector.initInternal(Connector.java:1074)
... 13 more
Caused by: java.io.IOException: Alias name [tomcat] does not identify a key entry
at org.apache.tomcat.util.net.SSLUtilBase.getKeyManagers(SSLUtilBase.java:336)
at org.apache.tomcat.util.net.SSLUtilBase.createSSLContext(SSLUtilBase.java:245)
at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:98)
... 20 more
Any ideas? This is the first time I've done this so maybe I've messed up something blindingly obvious?
The site works fine on port 80.
Would LOVE to hear some suggestions :)
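An added example, not part of the original post: the listing above shows the alias as a trustedCertEntry (a certificate only), while the connector's keyAlias has to name a PrivateKeyEntry (private key plus certificate chain). The Python sketch below parses `keytool -list` output and reports that mismatch; the function names are hypothetical and the second listing is constructed.

```python
import re

# One summary line per entry: "<alias>, <date>, <entry type>,".
# The date itself may contain a comma ("Jun 22, 2021").
ENTRY_RE = re.compile(
    r"^(?P<alias>.+?), .+, "
    r"(?P<type>PrivateKeyEntry|trustedCertEntry|SecretKeyEntry),?\s*$"
)


def parse_keytool_list(output):
    """Return {alias: entry_type} parsed from `keytool -list` text output."""
    entries = {}
    for line in output.splitlines():
        match = ENTRY_RE.match(line.strip())
        if match:
            # Aliases are compared case-insensitively in this sketch.
            entries[match.group("alias").lower()] = match.group("type")
    return entries


def check_key_alias(output, key_alias):
    """Return (status, message) for the alias a connector's keyAlias names."""
    entry_type = parse_keytool_list(output).get(key_alias.lower())
    if entry_type is None:
        return "missing", f"alias [{key_alias}] is not in the keystore"
    if entry_type != "PrivateKeyEntry":
        return ("no-private-key",
                f"alias [{key_alias}] is a {entry_type}: the store holds a "
                "certificate but no private key for it")
    return "ok", f"alias [{key_alias}] is a PrivateKeyEntry"


# Listing copied from the question (fingerprint line omitted).
QUESTION_LISTING = """\
Keystore type: PKCS12
Keystore provider: SUN
Your keystore contains 1 entry
tomcat, Jun 22, 2021, trustedCertEntry,
"""

# Constructed listing: the same alias holding a key pair.
CONSTRUCTED_LISTING = """\
Keystore type: PKCS12
Keystore provider: SUN
Your keystore contains 1 entry
tomcat, Jun 22, 2021, PrivateKeyEntry,
"""

if __name__ == "__main__":
    for name, listing in (("question", QUESTION_LISTING),
                          ("constructed", CONSTRUCTED_LISTING)):
        print(name, check_key_alias(listing, "tomcat"))
```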
I have tomcat 10.0.18 on macOS (via homebrew)
In my server.xml I have
<Connector port="8443" protocol="org.apache.coyote.http11.Http11Nio2Protocol"
maxThreads="20" SSLEnabled="true" scheme="https" secure="true" clientAuth="true" defaultSSLHostConfigName="test">
<UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
<SSLHostConfig>
<hostName>test</hostName>
<protocols>TLSv1.2</protocols>
<certificateVerification>required</certificateVerification>
<Certificate>
<caCertificateFile>/Users/jonesn/src/egeria/master/open-metadata-resources/open-metadata-deployment/certificates/EgeriaRootCA.p12</caCertificateFile>
<certificateFile>/Users/jonesn/src/egeria/master/open-metadata-resources/open-metadata-deployment/certificates/EgeriaServerChassis.p12</certificateFile>
<certificateKeyPassword>egeria</certificateKeyPassword>
</Certificate>
</SSLHostConfig>
</Connector>
However when I start & connect I see an error:
30-Mar-2022 09:51:08.547 INFO [main] org.apache.coyote.http11.AbstractHttp11Protocol.configureUpgradeProtocol The ["https-jsse-nio2-8443"] connector has been configured to support negotiation to [h2] via ALPN
30-Mar-2022 09:51:08.547 INFO [main] org.apache.coyote.AbstractProtocol.init Initializing ProtocolHandler ["https-jsse-nio2-8443"]
30-Mar-2022 09:51:21.162 WARNING [main] org.apache.tomcat.util.net.Nio2Endpoint.shutdownExecutor The executor associated with thread pool [https-jsse-nio2-8443] has not fully shutdown. Some application threads may still be running.
30-Mar-2022 09:51:21.163 SEVERE [main] org.apache.catalina.util.LifecycleBase.handleSubClassException Failed to initialize component [Connector[org.apache.coyote.http11.Http11Nio2Protocol-8443]]
org.apache.catalina.LifecycleException: Protocol handler initialization failed
at org.apache.catalina.connector.Connector.initInternal(Connector.java:1055)
at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
at org.apache.catalina.core.StandardService.initInternal(StandardService.java:556)
at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
at org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:1042)
at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
at org.apache.catalina.startup.Catalina.load(Catalina.java:747)
at org.apache.catalina.startup.Catalina.load(Catalina.java:769)
at java.base/jdk.internal.reflect.DirectMethodHandleAccessor.invoke(DirectMethodHandleAccessor.java:104)
at java.base/java.lang.reflect.Method.invoke(Method.java:577)
at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:305)
at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:475)
Caused by: java.lang.IllegalArgumentException: SSLHostConfig attribute certificateFile must be defined when using an SSL connector
at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:99)
at org.apache.tomcat.util.net.AbstractJsseEndpoint.initialiseSsl(AbstractJsseEndpoint.java:71)
at org.apache.tomcat.util.net.Nio2Endpoint.bind(Nio2Endpoint.java:132)
at org.apache.tomcat.util.net.AbstractEndpoint.bindWithCleanup(AbstractEndpoint.java:1192)
at org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:1205)
at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:580)
at org.apache.coyote.http11.AbstractHttp11Protocol.init(AbstractHttp11Protocol.java:82)
at org.apache.catalina.connector.Connector.initInternal(Connector.java:1052)
... 11 more
Caused by: java.io.IOException: SSLHostConfig attribute certificateFile must be defined when using an SSL connector
at org.apache.tomcat.util.net.SSLUtilBase.getKeyManagers(SSLUtilBase.java:310)
at org.apache.tomcat.util.net.SSLUtilBase.createSSLContext(SSLUtilBase.java:245)
at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:97)
... 18 more
30-Mar-2022 09:51:21.164 INFO [main] org.apache.catalina.startup.Catalina.load Server initialization in [13255] milliseconds
Yes as best I can see, I do have the value assigned.
Background -- just testing some mutual SSL config for our open-source project with some self-signed certs I generated. We use springboot server-side, a variety of java, python, go, node etc client-side -- but for debugging/understanding I'm just trying base tomcat, with curl/httpie clients
The .p12 files above should contain the right combination of certs/keys, but this is the area I'm exploring. I can adapt, use individual PEMs, try a chain via a directory.. but this first issue seems more about the basics of defining a config and is what I'm trying to understand - being fairly new to tomcat.
I figured it out - so will answer my own question for the benefit of future readers.
The parsing issue was down to format. I'm so used to editing other XML files such as maven, where the above format I tried is typical. tomcat was new to me, so I realised it needs to be:
<Connector port="8443" protocol="org.apache.coyote.http11.Http11Nio2Protocol"
maxThreads="20" SSLEnabled="true" scheme="https" secure="true" clientAuth="true" defaultSSLHostConfigName="test">
<UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
<SSLHostConfig hostName="test" protocols="TLSv1.2" certificateVerification="required">
<Certificate
caCertificateFile="/Users/jonesn/src/egeria/master/open-metadata-resources/open-metadata-deployment/certificates/EgeriaRootCA.p12"
certificateFile="/Users/jonesn/src/egeria/master/open-metadata-resources/open-metadata-deployment/certificates/EgeriaServerChassis.p12"
certificateKeyPassword="egeria"
/>
</SSLHostConfig>
</Connector>
I now get other exceptions - but that is specific to the certs, something I'm debugging. I share this to answer the question specifically on why the properties could not be found.
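An added example, not from the original answer: a Python sketch that flags TLS settings written as nested elements, as in the question, and rewrites them as attributes, as in the answer. The function names, the shortened paths and the allowed-children table are assumptions of this sketch.

```python
import xml.etree.ElementTree as ET

# Child elements accepted under each TLS element (assumption of this sketch);
# every other setting on these elements is given as an XML attribute.
ALLOWED_CHILDREN = {
    "SSLHostConfig": {"Certificate", "OpenSSLConf"},
    "Certificate": set(),
}


def find_nested_settings(server_xml):
    """Return (parent, child, text) for settings written as nested elements."""
    root = ET.fromstring(server_xml.strip())
    findings = []
    for parent in root.iter():
        allowed = ALLOWED_CHILDREN.get(parent.tag)
        if allowed is None:
            continue
        for child in parent:
            if child.tag not in allowed:
                text = (child.text or "").strip()
                findings.append((parent.tag, child.tag, text))
    return findings


def move_to_attributes(server_xml):
    """Rewrite nested leaf settings as attributes of their parent element."""
    root = ET.fromstring(server_xml.strip())
    # Materialise the traversal first because the tree is edited in the loop.
    for parent in list(root.iter()):
        allowed = ALLOWED_CHILDREN.get(parent.tag)
        if allowed is None:
            continue
        for child in list(parent):
            if child.tag not in allowed and len(child) == 0:
                parent.set(child.tag, (child.text or "").strip())
                parent.remove(child)
    return ET.tostring(root, encoding="unicode")


# Constructed, shortened version of the connector from the question.
QUESTION_STYLE = """
<Connector port="8443" protocol="org.apache.coyote.http11.Http11Nio2Protocol"
           SSLEnabled="true" defaultSSLHostConfigName="test">
  <SSLHostConfig>
    <hostName>test</hostName>
    <protocols>TLSv1.2</protocols>
    <certificateVerification>required</certificateVerification>
    <Certificate>
      <certificateFile>/path/to/server.p12</certificateFile>
      <certificateKeyPassword>placeholder</certificateKeyPassword>
    </Certificate>
  </SSLHostConfig>
</Connector>
"""

if __name__ == "__main__":
    for parent, child, text in find_nested_settings(QUESTION_STYLE):
        print(f"<{parent}>: <{child}> should be the attribute {child}=\"{text}\"")
    print(move_to_attributes(QUESTION_STYLE))
```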
I am facing the following issue while working with OpenSSL.
Below are the server details:
Tomcat : 8.5.43
Ubuntu: 18.
JVM: 1.8.0_221-b11
Apache Tomcat Native library: 1.2.23
APR Version: 1.7.0
Open SSL : 1.1.1
Below is our Connector configuration:
<Connector port="8443"
protocol="org.apache.coyote.http11.Http11AprProtocol"
maxHttpHeaderSize="8192"
maxThreads="150"
minSpareThreads="25"
scheme="https"
secure="true"
SSLEnabled="true"
acceptCount="100"
connectionTimeout="20000"
SSLCertificateFile="certificate/server.crt"
SSLCertificateKeyFile="certificate/servercertkey.pem"
SSLVerifyClient="optional"
SSLProtocol="TLSv1+TLSv1.1+TLSv1.2"
SSLCipherSuite="RC4-SHA:AES128-SHA:HIGH:MEDIUM:!aNULL:!MD5">
</Connector>
I am getting the following error:
29-Jul-2019 12:56:48.856 WARNING [main] org.apache.tomcat.util.net.openssl.OpenSSLEngine.<clinit> Failed getting cipher list
java.lang.Exception: Not implemented
at org.apache.tomcat.jni.SSL.newSSL(Native Method)
at org.apache.tomcat.util.net.openssl.OpenSSLEngine.<clinit>(OpenSSLEngine.java:77)
at org.apache.tomcat.util.net.openssl.OpenSSLUtil.getImplementedProtocols(OpenSSLUtil.java:54)
at org.apache.tomcat.util.net.SSLUtilBase.<init>(SSLUtilBase.java:92)
at org.apache.tomcat.util.net.SSLUtilBase.<init>(SSLUtilBase.java:82)
at org.apache.tomcat.util.net.openssl.OpenSSLUtil.<init>(OpenSSLUtil.java:42)
at org.apache.tomcat.util.net.AprEndpoint.createSSLContext(AprEndpoint.java:397)
at org.apache.tomcat.util.net.AprEndpoint.bind(AprEndpoint.java:368)
at org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:1118)
at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:581)
at org.apache.coyote.http11.AbstractHttp11Protocol.init(AbstractHttp11Protocol.java:68)
at org.apache.catalina.connector.Connector.initInternal(Connector.java:993)
at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:107)
at org.apache.catalina.core.StandardService.initInternal(StandardService.java:552)
at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:107)
at org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:852)
at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:107)
at org.apache.catalina.startup.Catalina.load(Catalina.java:639)
at org.apache.catalina.startup.Catalina.load(Catalina.java:662)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:309)
at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:492)
29-Jul-2019 12:56:48.941 INFO [main] org.apache.tomcat.util.net.openssl.OpenSSLUtil.getKeyManagers The certificate [certificate/server.crt] or its private key [certificate/servercertkey.pem] could not be processed using a JSSE key manager and will be given directly to OpenSSL
29-Jul-2019 12:56:48.963 INFO [main] org.apache.catalina.startup.Catalina.load Initialization processed in 1037 ms
What am I doing wrong? Any pointers would help.
Thank you in advance.
My web application and Web Services are running in the same tomcat container. If I am not using HTTPS, everything is working fine.
When I am running the web application and web services both on HTTPS, I am getting SSLHandshakeException when web application is trying to call webservices.
CASE 1
I have created a local self-signed certificate file using below command
%JAVA_HOME%\bin\keytool -genkeypair -alias test1 -keyalg RSA -keystore c:/apps/test1.crt
A certificate file named test1.crt has been created in folder C:\apps.
Now, I want to import this certificate in the Java keystore, with the below command
%JAVA_HOME%\bin\keytool -import -alias test1 -file c:/apps/test1.crt -keystore %JAVA_HOME%/jre/lib/security/cacerts -storepass changeit
I am getting below error -
Key tool error: java.lang.Exception: The entry is not an X.509 certificate
When I am using this certificate file in Tomcat, with below setting
<Connector port="8443"
maxHttpHeaderSize="8192"
maxThreads="150"
minSpareThreads="25"
maxSpareThreads="75"
enableLookups="false"
disableUploadTimeout="true"
acceptCount="100"
scheme="https"
secure="true"
clientAuth="false"
sslProtocol="TLS"
SSLEnabled="true"
URIEncoding="UTF-8"
keystorePass="changeit"
keystoreFile="C:/apps/test2.crt" />
I am not getting any error at server startup. When I call webservices from the application, I am getting SSLHandshakeException
CASE 2
I have added a local self signed certificate in the Java keystore, with below command
%JAVA_HOME%/bin/keytool -genkeypair -alias test2 -keyalg RSA -validity 1000 -keysize 2048 -keystore %JAVA_HOME%/jre/lib/security/cacerts
A certificate has been added, which I have verified with below command
%JAVA_HOME%\bin\keytool -list -keystore %JAVA_HOME%/jre/lib/security/cacerts -storepass changeit
Now, I have exported a certificate file from the Java keystore, with below command
%JAVA_HOME%/bin/keytool -export -alias test2 -keystore %JAVA_HOME%/jre/lib/security/cacerts -rfc -file C:/apps/test2.crt
A certificate file named test2.crt has been created in folder C:\apps.
When I am using this certificate file in Tomcat, with below setting
<Connector port="8443"
maxHttpHeaderSize="8192"
maxThreads="150"
minSpareThreads="25"
maxSpareThreads="75"
enableLookups="false"
disableUploadTimeout="true"
acceptCount="100"
scheme="https"
secure="true"
clientAuth="false"
sslProtocol="TLS"
SSLEnabled="true"
URIEncoding="UTF-8"
keystorePass="changeit"
keystoreFile="C:/apps/test2.crt" />
I am getting the below error
at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:491)
Caused by: java.lang.IllegalArgumentException: Invalid keystore format
at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:114)
at org.apache.tomcat.util.net.AbstractJsseEndpoint.initialiseSsl(AbstractJsseEndpoint.java:85)
at org.apache.tomcat.util.net.NioEndpoint.bind(NioEndpoint.java:224)
at org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:1044)
at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:540)
at org.apache.coyote.http11.AbstractHttp11Protocol.init(AbstractHttp11Protocol.java:74)
at org.apache.catalina.connector.Connector.initInternal(Connector.java:932)
... 13 more
Caused by: java.io.IOException: Invalid keystore format
at sun.security.provider.JavaKeyStore.engineLoad(JavaKeyStore.java:663)
at sun.security.provider.JavaKeyStore$JKS.engineLoad(JavaKeyStore.java:56)
at sun.security.provider.KeyStoreDelegator.engineLoad(KeyStoreDelegator.java:224)
at sun.security.provider.JavaKeyStore$DualFormatJKS.engineLoad(JavaKeyStore.java:70)
at java.security.KeyStore.load(KeyStore.java:1445)
at org.apache.tomcat.util.net.SSLUtilBase.getStore(SSLUtilBase.java:160)
Although server started and I am able to use my application. But when I am trying to call web services, I am getting
Here is the log of SSLHandshakeException
nested exception is:
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
Error: (org.apache.axis.AxisFault) --> [; nested exception is:
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target]
AxisFault
faultCode: {http://schemas.xmlsoap.org/soap/envelope/}Server.userException
faultSubcode:
faultString: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
faultActor:
faultNode:
faultDetail:
{http://xml.apache.org/axis/}stackTrace:javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
I think for Tomcat the keystoreFile is "%JAVA_HOME%/jre/lib/security/cacerts" and rather you don't have to indicate any keystore because you added a keypair to the jre common keystore but it's exactly incorrect to use "C:/apps/test2.crt".
Also try to add the server certificate to the truststore file:
%JAVA_HOME%\bin\keytool -import -v -trustcacerts -alias test2 -file C:/apps/test2.crt -keystore %JAVA_HOME%/jre/lib/security/cacerts -keypass changeit -storepass changeit
I try to configure SSL into my new project. I do it for the first time and I got some problems.
Some items to the projects:
A part of my server.xml:
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
keystoreFile="/PATHTO/src/main/resources/keystore.p12"
keystorePass="STOREPASS" clientAuth="false" sslProtocol="TLS" />
A part of my application.properties:
spring.profiles.active=https
server.port=8443
server.ssl.key-store=classpath:keystore.p12
server.ssl.key-store-password=STOREPASS
server.ssl.keyStoreType=PKCS12
server.ssl.keyAlias=tomcat
The command that I use to generate the keystore:
keytool -genkey -alias tomcat -storetype PKCS12 -keyalg RSA -keysize 2048 -keystore keystore.p12 -validity 3650
And the keystore.p12 is in the same folder like the application.properties.
The error of the console:
java.io.IOException: Invalid keystore format
at sun.security.provider.JavaKeyStore.engineLoad(JavaKeyStore.java:650)
at sun.security.provider.JavaKeyStore$JKS.engineLoad(JavaKeyStore.java:55)
at java.security.KeyStore.load(KeyStore.java:1445)
at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getStore(JSSESocketFactory.java:437)
at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getKeystore(JSSESocketFactory.java:336)
at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getKeyManagers(JSSESocketFactory.java:594)
at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getKeyManagers(JSSESocketFactory.java:534)
at org.apache.tomcat.util.net.NioEndpoint.bind(NioEndpoint.java:363)
at org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:732)
at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:457)
at org.apache.coyote.http11.AbstractHttp11JsseProtocol.init(AbstractHttp11JsseProtocol.java:120)
at org.apache.catalina.connector.Connector.initInternal(Connector.java:960)
at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)
at org.apache.catalina.core.StandardService.initInternal(StandardService.java:567)
at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)
at org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:851)
at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)
at org.apache.catalina.startup.Catalina.load(Catalina.java:576)
at org.apache.catalina.startup.Catalina.load(Catalina.java:599)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:497)
at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:310)
at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:484)
Has someone any ideas?
Thanks.
Cheers.
To elaborate on EJP's answer and detail to Mick Mnemonic that this is not entirely correct.
OP did not set that in the server.xml rather the application.properties
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
keystoreFile="/PATHTO/src/main/resources/keystore.p12"
keystorePass="STOREPASS" clientAuth="false" sslProtocol="TLS"
keystoreType="PKCS12" />
You will note that on the last line of the "Connector" element I have added keystoreType="PKCS12" to allow the connector to correctly load the file.
Your stack trace is a dead giveaway on this one.
You need to specify keyStoreType, as the format is PKCS12, not JKS.
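An added example, not from any of the posts: both "Invalid keystore format" traces on this page (the exported test2.crt and the keystore.p12 loaded without a type) come from a keystore loader being handed bytes in another format. The Python sketch below identifies a file's container format from its first bytes and compares it with the connector's keystoreType; the function names are hypothetical and the sample headers are constructed.

```python
def _der_body_offset(data):
    """Return the index just past an outer ASN.1 SEQUENCE header, or None."""
    if len(data) < 2 or data[0] != 0x30:
        return None
    first = data[1]
    if first <= 0x80:            # short-form or indefinite length: 2-byte header
        return 2
    n = first & 0x7F             # long form: the next n bytes hold the length
    if n > 4 or len(data) < 2 + n:
        return None
    return 2 + n


def sniff_store_format(data):
    """Classify leading file bytes as JKS, JCEKS, PKCS12, PEM, DER or unknown."""
    if data[:4] == b"\xfe\xed\xfe\xed":
        return "JKS"
    if data[:4] == b"\xce\xce\xce\xce":
        return "JCEKS"
    if data.lstrip().startswith(b"-----BEGIN "):
        return "PEM"
    offset = _der_body_offset(data)
    if offset is not None:
        if data[offset:offset + 3] == b"\x02\x01\x03":   # PFX version INTEGER 3
            return "PKCS12"
        if data[offset:offset + 1] == b"\x30":           # nested SEQUENCE
            return "DER"                                 # e.g. an X.509 certificate
    return "unknown"


def keystore_type_problem(data, keystore_type="JKS"):
    """Return None if the bytes match keystoreType, else an explanation.

    "JKS" is the connector default when keystoreType is not set. The check is
    strict: some JDKs also accept a PKCS12 file when asked for JKS (the
    DualFormatJKS frame in one of the traces above).
    """
    fmt = sniff_store_format(data)
    if fmt == keystore_type.upper():
        return None
    if fmt in ("PEM", "DER"):
        return f"file is {fmt}: a bare certificate or key, not a keystore"
    if fmt == "unknown":
        return "file is not a recognised keystore format"
    return f'file is {fmt}; set keystoreType="{fmt}" on the connector'


# Constructed headers (first bytes only), not real keystores.
JKS_HEADER = bytes.fromhex("feedfeed00000002") + b"\x00" * 8
P12_HEADER = bytes.fromhex("30820a00020103") + b"\x30\x82"
DER_CERT_HEADER = bytes.fromhex("3082030030820200")
PEM_CERT = (b"-----BEGIN CERTIFICATE-----\n(constructed placeholder)\n"
            b"-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    for name, blob in (("jks", JKS_HEADER), ("p12", P12_HEADER),
                       ("der", DER_CERT_HEADER), ("pem", PEM_CERT)):
        print(name, sniff_store_format(blob), keystore_type_problem(blob))
```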
I am trying to configure SSL with Tomcat 7 but not able to do so. Please guide.
Command for generating SSL certificate:
C:\Java\jdk1.7.0_40\bin>keytool -genkeypair -alias tomcat-keystore -keyalg RSA -keystore C:\my.keystore
server.xml
<Connector port="8443" maxThreads="150" scheme="https" secure="true" SSLEnabled="true"
keystoreFile="C:\my.keystore" keystorePass="abc"
clientAuth="false" keyAlias="tomcat-keystore" sslProtocol="TLS"/>
The problem is that if I put https://wwww.secdevapp.net:8443 the browser says "The webpage is not available" and I see the error in the catalina.log file (mentioned below) but http://www.secdevapp.net:8080 works fine.
Tomcat Error Log:
Mar 26, 2014 11:22:04 AM org.apache.catalina.core.StandardService initInternal
SEVERE: Failed to initialize connector [Connector[HTTP/1.1-8443]]
org.apache.catalina.LifecycleException: Failed to initialize component [Connector[HTTP/1.1-8443]]
at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:106)
at org.apache.catalina.core.StandardService.initInternal(StandardService.java:559)
at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)
at org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:813)
at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)
at org.apache.catalina.startup.Catalina.load(Catalina.java:638)
at org.apache.catalina.startup.Catalina.load(Catalina.java:663)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:606)
at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:280)
at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:454)
Caused by: org.apache.catalina.LifecycleException: Protocol handler initialization failed
at org.apache.catalina.connector.Connector.initInternal(Connector.java:980)
at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)
... 12 more
Caused by: java.lang.Exception: Connector attribute SSLCertificateFile must be defined when using SSL with APR
at org.apache.tomcat.util.net.AprEndpoint.bind(AprEndpoint.java:467)
at org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:640)
at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:434)
at org.apache.catalina.connector.Connector.initInternal(Connector.java:978)
... 13 more
Commenting out the APR listener in server.xml line:27 does the trick in Windows OS.
Found the solution from http://java.dzone.com/articles/ssl-your-tomcat-7
The APR is a native library that you may install during Tomcat installation. It does tie your Tomcat to your OS but "provide superior scalability and performance". This is a good thing to do for your production environment. In other environments, I don't see the point.
Check the port on your server. Is tomcat/java actually listening on port 8443?
Check the tomcat logs, usually in tomcat/logs directory. What does the access log say?
Did you restart tomcat after using that Connector? What does catalina.log say?