I have a file named tomcat (2).keystore which I have placed in the /opt/tomcat/conf directory. The directory permissions are set as below:
root@xxxxxxxxxx:/opt/tomcat# ls -l
total 112
drwxr-x--- 2 root tomcat 4096 Sep 10 03:04 bin
drwxr-x--- 2 root tomcat 4096 Sep 28 05:12 conf
drwxr-x--- 2 root tomcat 4096 Sep 10 03:04 lib
-rw-r----- 1 root tomcat 57092 Aug 2 21:36 LICENSE
drwxr-x--- 2 tomcat tomcat 4096 Sep 28 05:15 logs
-rw-r----- 1 root tomcat 1723 Aug 2 21:36 NOTICE
-rw-r----- 1 root tomcat 7064 Aug 2 21:36 RELEASE-NOTES
-rw-r----- 1 root tomcat 15946 Aug 2 21:36 RUNNING.txt
drwxr-x--- 2 tomcat tomcat 4096 Sep 28 05:15 temp
drwxr-x--- 8 tomcat tomcat 4096 Sep 28 03:52 webapps
drwxr-x--- 3 tomcat tomcat 4096 Sep 10 03:19 work
And the server.xml has the following connector:
<Connector
port="8080"
maxThreads="1000"
protocol="org.apache.coyote.http11.Http11NioProtocol"
maxHttpHeaderSize="8192"
emptySessionPath="true"
connectionTimeout="20000"
minSpareThreads="20"
acceptCount="100"
disableUploadTimeout="true"
enableLookups="false"
tcpNoDelay="true"
scheme="https"
secure="true"
SSLEnabled="true"
keystoreFile="/opt/tomcat/conf/tomcat (2).keystore"
keystorePass="xxxxxx"
clientAuth="false"
sslProtocol="TLS"
maxPostSize="97589953"
URIEncoding="UTF-8"/>
I have also commented out the following:
<!-- <Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" /> -->
However, I keep getting the following error in catalina.out:
java.lang.IllegalArgumentException: java.security.KeyStoreException: Cannot store non-PrivateKeys
at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:114)
at org.apache.tomcat.util.net.AbstractJsseEndpoint.initialiseSsl(AbstractJsseEndpoint.java:85)
at org.apache.tomcat.util.net.NioEndpoint.bind(NioEndpoint.java:225)
at org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:982)
at org.apache.tomcat.util.net.AbstractJsseEndpoint.init(AbstractJsseEndpoint.java:244)
at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:620)
at org.apache.coyote.http11.AbstractHttp11Protocol.init(AbstractHttp11Protocol.java:66)
at org.apache.catalina.connector.Connector.initInternal(Connector.java:997)
at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:107)
at org.apache.catalina.core.StandardService.initInternal(StandardService.java:549)
at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:107)
at org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:875)
at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:107)
at org.apache.catalina.startup.Catalina.load(Catalina.java:607)
at org.apache.catalina.startup.Catalina.load(Catalina.java:630)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:311)
at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:494)
Caused by: java.security.KeyStoreException: Cannot store non-PrivateKeys
at sun.security.provider.JavaKeyStore.engineSetKeyEntry(JavaKeyStore.java:258)
at sun.security.provider.JavaKeyStore$JKS.engineSetKeyEntry(JavaKeyStore.java:56)
at sun.security.provider.KeyStoreDelegator.engineSetKeyEntry(KeyStoreDelegator.java:117)
at sun.security.provider.JavaKeyStore$DualFormatJKS.engineSetKeyEntry(JavaKeyStore.java:70)
at java.security.KeyStore.setKeyEntry(KeyStore.java:1140)
at org.apache.tomcat.util.net.jsse.JSSEUtil.getKeyManagers(JSSEUtil.java:226)
at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:112)
... 20 more
Can someone help please? Is there any other thing I need to remove from the server.xml?
EDIT:
Keystore type: JKS
Keystore provider: SUN
Your keystore contains 3 entries
root, Dec 19, 2016, trustedCertEntry,
Certificate fingerprint (SHA1): xxxx
tomcat, Dec 19, 2016, PrivateKeyEntry,
Certificate fingerprint (SHA1): xxxx
intermed, Dec 19, 2016, trustedCertEntry,
Certificate fingerprint (SHA1): xxxxx
I get the above when I run ./keytool -list -keystore "/opt/tomcat/conf/tomcat (2).keystore"
It's a bit late, but I encountered a similar issue after migrating to Tomcat 8.5.20. After some more research, I figured out a separate, reasonable solution. In many cases, certificates are not in our hands in a production environment, and it is not advisable to tamper with them. Actually, looking at the implementation, it looks like Tomcat tries to use the first key mentioned in the keystore file unless we provide a key alias. So, in this case, if we provide the key alias name in the connector, it will work just fine:
keyAlias="tomcat"
I finally managed to figure out the issue. As the exception suggests, there's some issue with the tomcat (2).keystore itself. So I checked the certificates in the keystore with $JAVA_HOME/bin/keytool -list -keystore "tomcat (2).keystore", the output of which is:
Keystore type: JKS
Keystore provider: SUN
Your keystore contains 3 entries
root, Dec 19, 2016, trustedCertEntry,
Certificate fingerprint (SHA1): xxxx
tomcat, Dec 19, 2016, PrivateKeyEntry,
Certificate fingerprint (SHA1): xxxx
intermed, Dec 19, 2016, trustedCertEntry,
Certificate fingerprint (SHA1): xxxxx
Since the exception suggests that any key other than a private key is offending, I removed the trustedCertEntry entries using:
$JAVA_HOME/bin/keytool -delete -noprompt -alias intermed -keystore tomcat\ \(2\).keystore -storepass xxxxxx
$JAVA_HOME/bin/keytool -delete -noprompt -alias root -keystore tomcat\ \(2\).keystore -storepass xxxxx
and restarted Tomcat. This resolved the issue. Thanks @Gautam and @EJP for the assistance.
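As an added example (not code from the question or from either answer), here is a POSIX shell script that applies the reasoning of both answers to `keytool -list` output: it reports the first alias in the keystore, which is what Tomcat picks when `keyAlias` is not set, extracts the aliases whose type is PrivateKeyEntry, and prints the `keyAlias` attribute to add to the Connector, refusing to guess when the keystore holds no private key or more than one. The keystore listing embedded in it is constructed to match the question's keystore; the fingerprints are placeholders.

```shell
#!/bin/sh
# Added example (not from the original post): decide which alias Tomcat needs
# from `keytool -list` output, so the fix is an explicit keyAlias rather than
# deleting entries from a keystore you may not own.
# The listing below is constructed to mirror the question's keystore; the
# fingerprints are placeholders.

SAMPLE_LISTING='Keystore type: JKS
Keystore provider: SUN

Your keystore contains 3 entries

root, Dec 19, 2016, trustedCertEntry,
Certificate fingerprint (SHA1): 11:11:11
tomcat, Dec 19, 2016, PrivateKeyEntry,
Certificate fingerprint (SHA1): 22:22:22
intermed, Dec 19, 2016, trustedCertEntry,
Certificate fingerprint (SHA1): 33:33:33'

# first_alias LISTING: the first entry in file order. Without keyAlias this
# is what Tomcat takes, and a trustedCertEntry here is exactly what produces
# "Cannot store non-PrivateKeys".
first_alias() {
    printf '%s\n' "$1" |
        awk '/, (PrivateKeyEntry|trustedCertEntry|SecretKeyEntry),$/ { sub(/,.*/, ""); print; exit }'
}

# private_key_aliases LISTING: every alias whose entry type is PrivateKeyEntry,
# one per line. Only these can back a TLS connector.
private_key_aliases() {
    printf '%s\n' "$1" |
        awk '/, PrivateKeyEntry,$/ { sub(/,.*/, ""); print }'
}

# recommend_key_alias LISTING: prints the alias to put in keyAlias.
# Fails when there is no private key (nothing to serve) or more than one
# (ambiguous: choose deliberately instead of letting file order decide).
recommend_key_alias() {
    keys=$(private_key_aliases "$1")
    count=$(printf '%s\n' "$keys" | awk 'NF { n++ } END { print n + 0 }')
    case "$count" in
        0) echo "no PrivateKeyEntry in keystore" >&2; return 1 ;;
        1) printf '%s\n' "$keys" ;;
        *) echo "several PrivateKeyEntry aliases; pick one explicitly:" >&2
           printf '%s\n' "$keys" >&2
           return 2 ;;
    esac
}

# connector_fix LISTING: the attribute to add to the <Connector> element.
connector_fix() {
    ka=$(recommend_key_alias "$1") || return $?
    printf 'keyAlias="%s"\n' "$ka"
}

# Stand-alone run against the constructed listing. On a real host, feed the
# live output instead; leave out -storepass so keytool prompts rather than
# leaving the password in the process list and shell history, e.g.
#   connector_fix "$(keytool -list -keystore "/opt/tomcat/conf/tomcat (2).keystore")"
echo "first alias (what Tomcat uses without keyAlias): $(first_alias "$SAMPLE_LISTING")"
connector_fix "$SAMPLE_LISTING"
```

Setting `keyAlias` (or `certificateKeyAlias` on the `<Certificate>` element if you move to Tomcat 8.5's `<SSLHostConfig>` syntax) is the less invasive of the two fixes: the chain Tomcat serves comes from the PrivateKeyEntry itself, so the separate root and intermed trustedCertEntry entries are not needed for serving TLS, but deleting them, as the second answer does, removes entries that a truststore configuration or another process may rely on. Either way, `keystorePass` sits in clear text in server.xml, so server.xml and the keystore file deserve the same protection as the 750 root:tomcat conf directory in the listing above: readable by root and the tomcat group only.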