I have an application running in Eclipse. It works fine: it connects to and gets a response from a web service that needs a certificate.
But when I deploy and run it in Tomcat, I get a certificate validation error:
java.lang.Exception
Message
; nested exception is: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
In my tomcat:
<Connector SSLEnabled="true" acceptCount="100" clientAuth="false"
disableUploadTimeout="true" enableLookups="false" maxThreads="25"
port="8443" keystoreFile="webapps/.keystore" keystorePass="123456"
protocol="org.apache.coyote.http11.Http11NioProtocol" scheme="https"
secure="true" sslProtocol="TLS" />
and in my application, I have another keystore to webservice:
System.setProperty("javax.net.ssl.keyStore", SIC.jks);
System.setProperty("javax.net.ssl.keyStore", keyStore);
System.setProperty("javax.net.ssl.keyStorePassword", keyStorePassword);
System.setProperty("javax.net.ssl.trustStore", trustStore);
System.setProperty("javax.net.ssl.trustStorePassword", trustStorePassword);
I tried importing the certificate into cacerts with keytool, and nothing...
I don't have any ideas left and my time is running out at my job... What can I do to resolve this?
I tried everything, I guess... It works in Eclipse, but when deployed on Tomcat I get the error above.
Two suggestions
1. Specify the entire path for the keystoreFile. Eg /opt/webapps/.keystore
2. Do not use special characters "#" in the password.
I have tomcat 10.0.18 on macOS (via homebrew)
In my server.xml I have
<Connector port="8443" protocol="org.apache.coyote.http11.Http11Nio2Protocol"
maxThreads="20" SSLEnabled="true" scheme="https" secure="true" clientAuth="true" defaultSSLHostConfigName="test">
<UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
<SSLHostConfig>
<hostName>test</hostName>
<protocols>TLSv1.2</protocols>
<certificateVerification>required</certificateVerification>
<Certificate>
<caCertificateFile>/Users/jonesn/src/egeria/master/open-metadata-resources/open-metadata-deployment/certificates/EgeriaRootCA.p12</caCertificateFile>
<certificateFile>/Users/jonesn/src/egeria/master/open-metadata-resources/open-metadata-deployment/certificates/EgeriaServerChassis.p12</certificateFile>
<certificateKeyPassword>egeria</certificateKeyPassword>
</Certificate>
</SSLHostConfig>
</Connector>
However when I start & connect I see an error:
30-Mar-2022 09:51:08.547 INFO [main] org.apache.coyote.http11.AbstractHttp11Protocol.configureUpgradeProtocol The ["https-jsse-nio2-8443"] connector has been configured to support negotiation to [h2] via ALPN
30-Mar-2022 09:51:08.547 INFO [main] org.apache.coyote.AbstractProtocol.init Initializing ProtocolHandler ["https-jsse-nio2-8443"]
30-Mar-2022 09:51:21.162 WARNING [main] org.apache.tomcat.util.net.Nio2Endpoint.shutdownExecutor The executor associated with thread pool [https-jsse-nio2-8443] has not fully shutdown. Some application threads may still be running.
30-Mar-2022 09:51:21.163 SEVERE [main] org.apache.catalina.util.LifecycleBase.handleSubClassException Failed to initialize component [Connector[org.apache.coyote.http11.Http11Nio2Protocol-8443]]
org.apache.catalina.LifecycleException: Protocol handler initialization failed
at org.apache.catalina.connector.Connector.initInternal(Connector.java:1055)
at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
at org.apache.catalina.core.StandardService.initInternal(StandardService.java:556)
at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
at org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:1042)
at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
at org.apache.catalina.startup.Catalina.load(Catalina.java:747)
at org.apache.catalina.startup.Catalina.load(Catalina.java:769)
at java.base/jdk.internal.reflect.DirectMethodHandleAccessor.invoke(DirectMethodHandleAccessor.java:104)
at java.base/java.lang.reflect.Method.invoke(Method.java:577)
at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:305)
at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:475)
Caused by: java.lang.IllegalArgumentException: SSLHostConfig attribute certificateFile must be defined when using an SSL connector
at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:99)
at org.apache.tomcat.util.net.AbstractJsseEndpoint.initialiseSsl(AbstractJsseEndpoint.java:71)
at org.apache.tomcat.util.net.Nio2Endpoint.bind(Nio2Endpoint.java:132)
at org.apache.tomcat.util.net.AbstractEndpoint.bindWithCleanup(AbstractEndpoint.java:1192)
at org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:1205)
at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:580)
at org.apache.coyote.http11.AbstractHttp11Protocol.init(AbstractHttp11Protocol.java:82)
at org.apache.catalina.connector.Connector.initInternal(Connector.java:1052)
... 11 more
Caused by: java.io.IOException: SSLHostConfig attribute certificateFile must be defined when using an SSL connector
at org.apache.tomcat.util.net.SSLUtilBase.getKeyManagers(SSLUtilBase.java:310)
at org.apache.tomcat.util.net.SSLUtilBase.createSSLContext(SSLUtilBase.java:245)
at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:97)
... 18 more
30-Mar-2022 09:51:21.164 INFO [main] org.apache.catalina.startup.Catalina.load Server initialization in [13255] milliseconds
Yes as best I can see, I do have the value assigned.
Background -- just testing some mutual SSL config for our open-source project with some self-signed certs I generated. We use springboot server-side, a variety of java, python, go, node etc client-side -- but for debugging/understanding I'm just trying base tomcat, with curl/httpie clients
The .p12 files above should contain the right combination of certs/keys, but this is the area I'm exploring. I can adapt, use individual PEMs, try a chain via a directory.. but this first issue seems more about the basics of defining a config and is what I'm trying to understand - being fairly new to tomcat.
I figured it out - so will answer my own question for the benefit of future readers.
The parsing issue was down to format. I'm so used to editing other XML files such as maven, where the above format I tried is typical. tomcat was new to me, so I realised it needs to be:
<Connector port="8443" protocol="org.apache.coyote.http11.Http11Nio2Protocol"
maxThreads="20" SSLEnabled="true" scheme="https" secure="true" clientAuth="true" defaultSSLHostConfigName="test">
<UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
<SSLHostConfig hostName="test" protocols="TLSv1.2" certificateVerification="required">
<Certificate
caCertificateFile="/Users/jonesn/src/egeria/master/open-metadata-resources/open-metadata-deployment/certificates/EgeriaRootCA.p12"
certificateFile="/Users/jonesn/src/egeria/master/open-metadata-resources/open-metadata-deployment/certificates/EgeriaServerChassis.p12"
certificateKeyPassword="egeria"
/>
</SSLHostConfig>
</Connector>
I now get other exceptions - but that is specific to the certs, something I'm debugging. I share this to answer the question specifically on why the properties could not be found.
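The difference between the two configurations above can be checked mechanically. This linter is an added example, not part of the original post or of Tomcat: it flags settings written as child elements where Tomcat reads attributes, and the sample fragments and their file paths are constructed placeholders.

```python
import xml.etree.ElementTree as ET

# Nested elements Tomcat accepts at each level; every other setting on
# these elements has to be written as an XML attribute.
ALLOWED_CHILDREN = {
    "Connector": {"SSLHostConfig", "UpgradeProtocol"},
    "SSLHostConfig": {"Certificate", "OpenSSLConf"},
    "Certificate": set(),
}

def lint_connector(xml_text):
    """Return findings for one <Connector> fragment of server.xml."""
    connector = ET.fromstring(xml_text)
    findings = []
    for parent in connector.iter():
        allowed = ALLOWED_CHILDREN.get(parent.tag)
        if allowed is None:
            continue
        for child in parent:
            if child.tag not in allowed:
                findings.append(f"<{parent.tag}>: <{child.tag}> child is not read as "
                                f'a setting, use {child.tag}="..." as an attribute')
    host_names = []
    for host in connector.iter("SSLHostConfig"):
        # With no hostName attribute Tomcat names the host _default_.
        host_names.append(host.get("hostName", "_default_"))
        for cert in host.iter("Certificate"):
            if not (cert.get("certificateFile") or cert.get("certificateKeystoreFile")):
                findings.append("<Certificate>: no certificateFile or "
                                "certificateKeystoreFile attribute is set")
    default = connector.get("defaultSSLHostConfigName", "_default_")
    if host_names and default not in host_names:
        findings.append(f"defaultSSLHostConfigName={default!r} matches no "
                        f"SSLHostConfig (found {host_names})")
    return findings

# Constructed samples modelled on the two configurations in the post.
ELEMENT_STYLE = """
<Connector port="8443" SSLEnabled="true" defaultSSLHostConfigName="test">
  <SSLHostConfig>
    <hostName>test</hostName>
    <protocols>TLSv1.2</protocols>
    <certificateVerification>required</certificateVerification>
    <Certificate>
      <certificateFile>/path/to/server.p12</certificateFile>
      <certificateKeyPassword>placeholder</certificateKeyPassword>
    </Certificate>
  </SSLHostConfig>
</Connector>"""

ATTRIBUTE_STYLE = """
<Connector port="8443" SSLEnabled="true" defaultSSLHostConfigName="test">
  <SSLHostConfig hostName="test" protocols="TLSv1.2" certificateVerification="required">
    <Certificate certificateFile="/path/to/server.p12"
                 certificateKeyPassword="placeholder" />
  </SSLHostConfig>
</Connector>"""

if __name__ == "__main__":
    for name, xml in (("element style", ELEMENT_STYLE), ("attribute style", ATTRIBUTE_STYLE)):
        print(name, lint_connector(xml) or "no findings")
```

Besides the missing certificateFile, the element-style fragment also leaves certificateVerification unset, so client-certificate checking written that way is not applied as configured.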
I am working with an SSL certificate in Apache Tomcat. I created a CSR and got a JKS file. When I gave the CSR to the certificate authority, they gave me the certificate. When I tested the JKS certificate using the following command,
keytool -list -keystore ava_bankasia-bd_com.jks
I have got the following output:
Keystore type: PKCS12
Keystore provider: SUN
Your keystore contains 1 entry
tomcat, Jun 22, 2021, trustedCertEntry,
Certificate fingerprint (SHA-256): 7F:F3:C5:60:D1:E6:E5:04:2A:E8:2E:D1:D7:1A:92:DE:39:47:75:BD:06:25:0D:D0:CB:C0:55:BA:D6:2B:28:E9
Then I have configured the tomcat with the following code:
<Connector port="443"
protocol="org.apache.coyote.http11.Http11Protocol"
SSLEnabled="true"
maxThreads="150"
scheme="https"
secure="true"
clientAuth="false"
sslProtocol="TLS"
keystoreFile="/u01/csr_certificate/ava_bankasia-bd_com.jks"
keystorePass="-------"
keyAlias="tomcat" />
I have imported them all into the Keystore ok (but obviously not!) but the error I'm getting from Tomcat is: 'java.io.IOException Alias name does not identify a key entry'. The full error is as follows:
org.apache.catalina.LifecycleException: Protocol handler initialization failed
at org.apache.catalina.connector.Connector.initInternal(Connector.java:1076)
at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
at org.apache.catalina.core.StandardService.initInternal(StandardService.java:552)
at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
at org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:846)
at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
at org.apache.catalina.startup.Catalina.load(Catalina.java:639)
at org.apache.catalina.startup.Catalina.load(Catalina.java:662)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:302)
at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:472)
Caused by: java.lang.IllegalArgumentException: Alias name [tomcat] does not identify a key entry
at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:100)
at org.apache.tomcat.util.net.AbstractJsseEndpoint.initialiseSsl(AbstractJsseEndpoint.java:72)
at org.apache.tomcat.util.net.NioEndpoint.bind(NioEndpoint.java:247)
at org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:1143)
at org.apache.tomcat.util.net.AbstractJsseEndpoint.init(AbstractJsseEndpoint.java:222)
at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:599)
at org.apache.coyote.http11.AbstractHttp11Protocol.init(AbstractHttp11Protocol.java:80)
at org.apache.catalina.connector.Connector.initInternal(Connector.java:1074)
... 13 more
Caused by: java.io.IOException: Alias name [tomcat] does not identify a key entry
at org.apache.tomcat.util.net.SSLUtilBase.getKeyManagers(SSLUtilBase.java:336)
at org.apache.tomcat.util.net.SSLUtilBase.createSSLContext(SSLUtilBase.java:245)
at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:98)
... 20 more
Any ideas? This is the first time I've done this so maybe I've messed up something blindingly obvious?
The site works fine on port 80.
Would LOVE to hear some suggestions :)
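The keytool listing in the question already shows the cause: the alias `tomcat` is a trustedCertEntry, so the keystore holds a certificate without the private key that the connector's keyAlias has to point at. The check below is an added example, not part of the original post; it assumes keytool's English text output as shown above, and the second listing is constructed for comparison.

```python
ENTRY_TYPES = {"PrivateKeyEntry", "trustedCertEntry", "SecretKeyEntry"}

def parse_keytool_list(output):
    """Map alias -> entry type from the text printed by `keytool -list`."""
    entries = {}
    for line in output.splitlines():
        # Entry lines look like "alias, Jun 22, 2021, trustedCertEntry,".
        # The date contains a comma itself, so use the first and last field.
        fields = [f.strip() for f in line.strip().rstrip(",").split(",")]
        if len(fields) >= 2 and fields[-1] in ENTRY_TYPES:
            entries[fields[0]] = fields[-1]
    return entries

def check_key_alias(output, key_alias):
    """Return (usable, reason) for the keyAlias of a Tomcat connector."""
    entries = parse_keytool_list(output)
    kind = entries.get(key_alias)
    if kind is None:
        return False, f"alias {key_alias!r} is not in the keystore (has: {sorted(entries)})"
    if kind != "PrivateKeyEntry":
        return False, (f"alias {key_alias!r} is a {kind}: the certificate is "
                       "present but the private key is not")
    return True, f"alias {key_alias!r} is a PrivateKeyEntry"

# Listing as shown in the question (fingerprint line omitted).
CERT_ONLY = """\
Keystore type: PKCS12
Keystore provider: SUN
Your keystore contains 1 entry
tomcat, Jun 22, 2021, trustedCertEntry,
"""

# Constructed listing: the shape the output takes when the CA reply was
# imported into the keystore that holds the key pair used for the CSR.
WITH_KEY = """\
Keystore type: PKCS12
Keystore provider: SUN
Your keystore contains 2 entries
root, Jun 22, 2021, trustedCertEntry,
tomcat, Jun 22, 2021, PrivateKeyEntry,
"""

if __name__ == "__main__":
    for listing in (CERT_ONLY, WITH_KEY):
        print(check_key_alias(listing, "tomcat"))
```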
My web application and Web Services are running in the same tomcat container. If I am not using HTTPS, everything is working fine.
When I am running the web application and web services both on HTTPS, I am getting SSLHandshakeException when web application is trying to call webservices.
CASE 1
I have created a local self-signed certificate file using below command
%JAVA_HOME%\bin\keytool -genkeypair -alias test1 -keyalg RSA -keystore c:/apps/test1.crt
A certificate file named test1.crt has been created in folder C:\apps.
Now, I want to import this certificate in the Java keystore, with the below command
%JAVA_HOME%\bin\keytool -import -alias test1 -file c:/apps/test1.crt -keystore %JAVA_HOME%/jre/lib/security/cacerts -storepass changeit
I am getting below error -
Key tool error: java.lang.Exception: The entry is not an X.509 certificate
When I am using this certificate file in Tomcat, with below setting
<Connector port="8443"
maxHttpHeaderSize="8192"
maxThreads="150"
minSpareThreads="25"
maxSpareThreads="75"
enableLookups="false"
disableUploadTimeout="true"
acceptCount="100"
scheme="https"
secure="true"
clientAuth="false"
sslProtocol="TLS"
SSLEnabled="true"
URIEncoding="UTF-8"
keystorePass="changeit"
keystoreFile="C:/apps/test2.crt" />
I am not getting any error at server startup. When I call webservices from the application, I am getting SSLHandshakeException
CASE 2
I have added a local self signed certificate in the Java keystore, with below command
%JAVA_HOME%/bin/keytool -genkeypair -alias test2 -keyalg RSA -validity 1000 -keysize 2048 -keystore %JAVA_HOME%/jre/lib/security/cacerts
A certificate has been added, which I have verified with below command
%JAVA_HOME%\bin\keytool -list -keystore %JAVA_HOME%/jre/lib/security/cacerts -storepass changeit
Now, I have exported a certificate file from the Java keystore, with below command
%JAVA_HOME%/bin/keytool -export -alias test2 -keystore %JAVA_HOME%/jre/lib/security/cacerts -rfc -file C:/apps/test2.crt
A certificate file named test2.crt has been created in folder C:\apps.
When I am using this certificate file in Tomcat, with below setting
<Connector port="8443"
maxHttpHeaderSize="8192"
maxThreads="150"
minSpareThreads="25"
maxSpareThreads="75"
enableLookups="false"
disableUploadTimeout="true"
acceptCount="100"
scheme="https"
secure="true"
clientAuth="false"
sslProtocol="TLS"
SSLEnabled="true"
URIEncoding="UTF-8"
keystorePass="changeit"
keystoreFile="C:/apps/test2.crt" />
I am getting the below error
at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:491)
Caused by: java.lang.IllegalArgumentException: Invalid keystore format
at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:114)
at org.apache.tomcat.util.net.AbstractJsseEndpoint.initialiseSsl(AbstractJsseEndpoint.java:85)
at org.apache.tomcat.util.net.NioEndpoint.bind(NioEndpoint.java:224)
at org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:1044)
at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:540)
at org.apache.coyote.http11.AbstractHttp11Protocol.init(AbstractHttp11Protocol.java:74)
at org.apache.catalina.connector.Connector.initInternal(Connector.java:932)
... 13 more
Caused by: java.io.IOException: Invalid keystore format
at sun.security.provider.JavaKeyStore.engineLoad(JavaKeyStore.java:663)
at sun.security.provider.JavaKeyStore$JKS.engineLoad(JavaKeyStore.java:56)
at sun.security.provider.KeyStoreDelegator.engineLoad(KeyStoreDelegator.java:224)
at sun.security.provider.JavaKeyStore$DualFormatJKS.engineLoad(JavaKeyStore.java:70)
at java.security.KeyStore.load(KeyStore.java:1445)
at org.apache.tomcat.util.net.SSLUtilBase.getStore(SSLUtilBase.java:160)
Although server started and I am able to use my application. But when I am trying to call web services, I am getting
Here is the log of SSLHandshakeException
nested exception is:
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
Error: (org.apache.axis.AxisFault) --> [; nested exception is:
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target]
AxisFault
faultCode: {http://schemas.xmlsoap.org/soap/envelope/}Server.userException
faultSubcode:
faultString: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
faultActor:
faultNode:
faultDetail:
{http://xml.apache.org/axis/}stackTrace:javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
I think for Tomcat the keystoreFile is "%JAVA_HOME%/jre/lib/security/cacerts" and rather you don't have to indicate any keystore because you added a keypair to the JRE common keystore but it's exactly incorrect to use "C:/apps/test2.crt".
Also try to add the server certificate to the truststore file:
%JAVA_HOME%\bin\keytool -import -v -trustcacerts -alias test2 -file C:/apps/test2.crt -keystore %JAVA_HOME%/jre/lib/security/cacerts -keypass changeit -storepass changeit
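The two `.crt` files in the question are different kinds of file despite the shared extension: `keytool -genkeypair -keystore` writes a keystore, while `keytool -export -rfc` writes a PEM certificate, which is what produces "Invalid keystore format" when used as keystoreFile. The sniffer below is an added example, not part of the original thread; the byte strings are constructed headers, and the JKS sample assumes the JKS default store type of the Java 8 layout (`jre/lib/security`) used in the question.

```python
JKS_MAGIC = b"\xfe\xed\xfe\xed"    # Sun JKS keystore
JCEKS_MAGIC = b"\xce\xce\xce\xce"  # JCEKS keystore

def _der_body(data):
    """Return the first bytes inside an outer ASN.1 SEQUENCE, or b''."""
    if len(data) < 2 or data[0] != 0x30:
        return b""
    # Short-form length uses one byte; long form adds (byte & 0x7f) more.
    header = 2 if data[1] < 0x80 else 2 + (data[1] & 0x7F)
    return data[header:header + 3]

def classify(data):
    """Identify a file from its leading bytes, ignoring its extension."""
    if data[:4] == JKS_MAGIC:
        return "jks-keystore"
    if data[:4] == JCEKS_MAGIC:
        return "jceks-keystore"
    text = data.lstrip()
    if text.startswith(b"-----BEGIN "):
        label = text[11:text.find(b"-----", 11)].decode("ascii", "replace")
        return "pem:" + label
    body = _der_body(data)
    if body == b"\x02\x01\x03":   # PKCS#12 PFX opens with INTEGER version 3
        return "pkcs12-keystore"
    if body[:1] == b"\x30":       # X.509 opens with the tbsCertificate SEQUENCE
        return "der-certificate"  # (or another DER structure that is no keystore)
    return "unknown"

def keystore_file_verdict(data):
    """Return (kind, usable) where usable means a keystore container."""
    kind = classify(data)
    return kind, kind.endswith("-keystore")

# Constructed leading bytes of the four file kinds.
GENKEYPAIR_FILE = JKS_MAGIC + b"\x00\x00\x00\x02" + b"\x00\x00\x00\x01"
RFC_EXPORT = b"-----BEGIN CERTIFICATE-----\n(constructed placeholder)\n-----END CERTIFICATE-----\n"
PKCS12_HEAD = bytes.fromhex("3082096a020103")
DER_CERT_HEAD = bytes.fromhex("308203a53082028d")

if __name__ == "__main__":
    for name, blob in (("genkeypair output", GENKEYPAIR_FILE), ("-export -rfc output", RFC_EXPORT),
                       ("PKCS#12", PKCS12_HEAD), ("DER certificate", DER_CERT_HEAD)):
        print(name, keystore_file_verdict(blob))
```

A keystore verdict only confirms the container format; the connector additionally needs a private key entry in that keystore, and the JVM making the outbound web service call needs the server certificate or its issuer in its truststore.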
I am getting the following exception when an HTTPS request is sent from a Grails web application deployed in Tomcat Server (8):
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
Here is where I make the HTTPS call (the point at which I get this exception):
String URL = "https://**.**.**.**:8440/*****";
PostMethod postMethod = new PostMethod(URL);
client.executeMethod(postMethod);
I have created the keystore file using keytool command:
keytool -genkey -alias tomcat -keyalg RSA
and changed Tomcat's server.xml file too, but I am still getting this exception. Here is my server.xml file:
<Connector SSLEnabled="true" acceptCount="100" clientAuth="false" disableUploadTimeout="true" enableLookups="false" maxThreads="25"
port="443" keystoreFile="/keystore/keystore.jks" keystorePass="password" protocol="org.apache.coyote.http11.Http11NioProtocol" scheme="https" secure="true" sslProtocol="TLS" />
<!-- Define an AJP 1.3 Connector on port 8009 -->
<Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
I have gone through the following possible fixes for this but no luck:
http://java.dzone.com/articles/setting-ssl-tomcat-5-minutes
https://tomcat.apache.org/tomcat-3.3-doc/tomcat-ssl-howto.html
http://tomcat.apache.org/tomcat-4.1-doc/ssl-howto.html
P.S. I simply want tomcat to allow my application to hit HTTPS request for the URL:
String URL = "https://**.**.**.**:8440/*****";
I am rolling my head on this but unfortunately not getting through. Please guide me as to what the fix for this could be. Or am I doing anything wrong?
Thanks for Your Time :)
I have created a certificate in my system using this command:
keytool -export -file test.cert -keystore test -storepass 123456 -alias sriram
Ans: Certificate stored in file <test.cert>.
I have imported this certificate into cacerts on the new system using the command:
keytool -importcert -trustcacerts -file "path-to-public-cert" -keystore "JAVA_HOME/jre/lib/security/cacerts"
The output is something like this: Trust this certificate? [no]: yes Certificate was added to keystore.
But I am still getting the link error when I run my jar file on the new system... Where did I go wrong?
Try to read the Apache Tomcat SSL Configuration How-To.
In the "Edit the Tomcat Configuration File" paragraph it explains that you can add the keystoreFile attribute to the connector configuration.
<Connector
port="8443" maxThreads="200"
scheme="https" secure="true" SSLEnabled="true"
keystoreFile="${user.home}/.keystore" keystorePass="changeit"
clientAuth="false" sslProtocol="TLS"/>