[Pki-users] Problems with java11
Timo Aaltonen
tjaalton at ubuntu.com
Tue Jan 15 13:22:49 UTC 2019
On 14.1.2019 18.06, Alexander Scheel wrote:
>
>
> ----- Original Message -----
>> From: "Timo Aaltonen" <tjaalton at ubuntu.com>
>> To: pki-users at redhat.com
>> Sent: Friday, January 11, 2019 2:44:32 AM
>> Subject: [Pki-users] Problems with java11
>>
>>
>> Hi
>>
>> I've migrated Debian to use java11 in every component Dogtag needs, but while
>> the tomcat instance seems to get up (to be configured), it can't be properly
>> reached:
>>
>> 2019-01-10 18:00:30 pkispawn : INFO Checking server at
>> https://sid1.leon.tyrell:8443/ca
>> 2019-01-10 18:01:56 pkispawn : ERROR Server unreachable due to SSL
>> error: ("bad handshake: SysCallError(-1, 'Unexpected EOF')",)
>> 2019-01-10 18:01:56 configuration : ERROR Server failed to restart
>>
>>
>> and there's this on catalina.out:
>>
>> WARNING: The JSSE TLS 1.3 implementation does not support authentication
>> after the initial handshake and is there
>> fore incompatible with optional client authentication
>> SEVERE: Failed to initialize component
>> [Connector[org.dogtagpki.tomcat.Http11NioProtocol-8443]]
>> org.apache.catalina.LifecycleException: Protocol handler initialization
>> failed
>> at
>> org.apache.catalina.connector.Connector.initInternal(Connector.java:979)
>> at
>> org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
>> at
>> org.apache.catalina.core.StandardService.initInternal(StandardService.java:535)
>> at
>> org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
>> at
>> org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:1060)
>> at
>> org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
>> at org.apache.catalina.startup.Catalina.load(Catalina.java:588)
>> at org.apache.catalina.startup.Catalina.load(Catalina.java:611)
>> at
>> java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native
>> Method)
>> at
>> java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
>> at
>> java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>> at java.base/java.lang.reflect.Method.invoke(Method.java:566)
>> at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:306)
>> at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:491)
>> Caused by: java.lang.IllegalArgumentException: Alias name [sslserver] does
>> not identify a key entry
>> at
>> org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:114)
>> at
>> org.apache.tomcat.util.net.AbstractJsseEndpoint.initialiseSsl(AbstractJsseEndpoint.java:85)
>> at org.apache.tomcat.util.net.NioEndpoint.bind(NioEndpoint.java:224)
>> at
>> org.apache.tomcat.util.net.AbstractEndpoint.bindWithCleanup(AbstractEndpoint.java:1085)
>> at
>> org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:1098)
>> at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:557)
>> at
>> org.apache.coyote.http11.AbstractHttp11Protocol.init(AbstractHttp11Protocol.java:74)
>> at
>> org.apache.catalina.connector.Connector.initInternal(Connector.java:976)
>> ... 13 more
>> Caused by: java.io.IOException: Alias name [sslserver] does not identify a
>> key entry
>> at
>> org.apache.tomcat.util.net.jsse.JSSEUtil.getKeyManagers(JSSEUtil.java:248)
>> at
>> org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:112)
>> ... 20 more
>>
>> how to fix that? If this is fixed, Dogtag might finally end up in a Debian
>> release :)
>>
>
> So my 2c. on this issue -- I don't have a reproducing setup at the moment
> but...
>
> TomcatJSS for Tomcat versions greater than 8.5 are... misnamed? :) It
> technically is TomcatJSSE (i.e., using Java's JSSE as the crypto backend for
> TLS auth in Tomcat vs. using JSS/NSS).
>
> So it appears that JSSE lacks support for optional client authentication
> as per the error message:
>
>> WARNING: The JSSE TLS 1.3 implementation does not support authentication
>> after the initial handshake and is therefore incompatible with optional
>> client authentication
>
> In PKI's server.xml for tomcat 8.5+, we don't currently set the clientAuth
> parameter, so we use the default of "want":
>
> https://github.com/dogtagpki/pki/blob/master/base/server/tomcat-8.5/conf/server.xml#L151
> https://github.com/dogtagpki/tomcatjss/blob/master/src/org/apache/tomcat/util/net/jss/TomcatJSS.java#L72
>
>
> You'll probably want to ship clientAuth="true" as a work around on JDK 11+
> and document that clientAuth="want" will not work for the time being. On the
> other hand, this ~does~ require end users to set up client authentication to
> access the page...
Doing this (and fixing pki-migrate to not remove that setting) then resulted in this:
SEVERE: End event threw exception
java.lang.reflect.InvocationTargetException
at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.base/java.lang.reflect.Method.invoke(Method.java:566)
at org.apache.tomcat.util.IntrospectionUtils.callMethod1(IntrospectionUtils.java:373)
at org.apache.tomcat.util.digester.SetNextRule.end(SetNextRule.java:145)
at org.apache.tomcat.util.digester.Digester.endElement(Digester.java:944)
at org.apache.xerces.parsers.AbstractSAXParser.endElement(Unknown Source)
at org.apache.xerces.impl.XMLDocumentFragmentScannerImpl.scanEndElement(Unknown Source)
at org.apache.xerces.impl.XMLDocumentFragmentScannerImpl$FragmentContentDispatcher.dispatch(Unknown Source)
at org.apache.xerces.impl.XMLDocumentFragmentScannerImpl.scanDocument(Unknown Source)
at org.apache.xerces.parsers.XML11Configuration.parse(Unknown Source)
at org.apache.xerces.parsers.XML11Configuration.parse(Unknown Source)
at org.apache.xerces.parsers.XMLParser.parse(Unknown Source)
at org.apache.xerces.parsers.AbstractSAXParser.parse(Unknown Source)
at org.apache.xerces.jaxp.SAXParserImpl$JAXPSAXParser.parse(Unknown Source)
at org.apache.tomcat.util.digester.Digester.parse(Digester.java:1439)
at org.apache.catalina.startup.Catalina.load(Catalina.java:566)
at org.apache.catalina.startup.Catalina.load(Catalina.java:611)
at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.base/java.lang.reflect.Method.invoke(Method.java:566)
at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:306)
at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:491)
Caused by: java.lang.IllegalArgumentException: Multiple SSLHostConfig elements were provided for the host name [_default_]. Host names must be unique.
at org.apache.tomcat.util.net.AbstractEndpoint.addSslHostConfig(AbstractEndpoint.java:248)
at org.apache.tomcat.util.net.AbstractEndpoint.addSslHostConfig(AbstractEndpoint.java:203)
at org.apache.coyote.http11.AbstractHttp11Protocol.addSslHostConfig(AbstractHttp11Protocol.java:542)
at org.apache.catalina.connector.Connector.addSslHostConfig(Connector.java:834)
... 25 more
WARNING: Unable to load server configuration from [/var/lib/pki/pki-tomcat/conf/server.xml]
org.xml.sax.SAXParseException; systemId: file:/var/lib/pki/pki-tomcat/conf/server.xml; lineNumber: 188; columnNumber: 25; Error at (188, 25) : Multiple SSLHostConfig elements were provided for the host name [_default_]. Host names must be unique.
at org.apache.tomcat.util.digester.Digester.createSAXException(Digester.java:1862)
at org.apache.tomcat.util.digester.Digester.createSAXException(Digester.java:1894)
at org.apache.tomcat.util.digester.Digester.endElement(Digester.java:947)
at org.apache.xerces.parsers.AbstractSAXParser.endElement(Unknown Source)
at org.apache.xerces.impl.XMLDocumentFragmentScannerImpl.scanEndElement(Unknown Source)
at org.apache.xerces.impl.XMLDocumentFragmentScannerImpl$FragmentContentDispatcher.dispatch(Unknown Source)
at org.apache.xerces.impl.XMLDocumentFragmentScannerImpl.scanDocument(Unknown Source)
at org.apache.xerces.parsers.XML11Configuration.parse(Unknown Source)
at org.apache.xerces.parsers.XML11Configuration.parse(Unknown Source)
at org.apache.xerces.parsers.XMLParser.parse(Unknown Source)
at org.apache.xerces.parsers.AbstractSAXParser.parse(Unknown Source)
at org.apache.xerces.jaxp.SAXParserImpl$JAXPSAXParser.parse(Unknown Source)
at org.apache.tomcat.util.digester.Digester.parse(Digester.java:1439)
at org.apache.catalina.startup.Catalina.load(Catalina.java:566)
at org.apache.catalina.startup.Catalina.load(Catalina.java:611)
at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.base/java.lang.reflect.Method.invoke(Method.java:566)
at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:306)
at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:491)
Caused by: java.lang.IllegalArgumentException: Multiple SSLHostConfig elements were provided for the host name [_default_]. Host names must be unique.
at org.apache.tomcat.util.net.AbstractEndpoint.addSslHostConfig(AbstractEndpoint.java:248)
at org.apache.tomcat.util.net.AbstractEndpoint.addSslHostConfig(AbstractEndpoint.java:203)
at org.apache.coyote.http11.AbstractHttp11Protocol.addSslHostConfig(AbstractHttp11Protocol.java:542)
at org.apache.catalina.connector.Connector.addSslHostConfig(Connector.java:834)
at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.base/java.lang.reflect.Method.invoke(Method.java:566)
at org.apache.tomcat.util.IntrospectionUtils.callMethod1(IntrospectionUtils.java:373)
at org.apache.tomcat.util.digester.SetNextRule.end(SetNextRule.java:145)
at org.apache.tomcat.util.digester.Digester.endElement(Digester.java:944)
... 18 more
SEVERE: Cannot start server. Server instance is not configured.
and this is in server.xml:
182 <SSLHostConfig sslProtocol="SSL"
183 certificateVerification="optional"
184 trustManagerClassName="org.dogtagpki.tomcat.PKITrustManager">
185 <Certificate certificateKeystoreType="pkcs11"
186 certificateKeystoreProvider="Mozilla-JSS"
187 certificateKeyAlias="sslserver"/>
188 </SSLHostConfig>
> Eventually a new TomcatJSS with JSS support in Tomcat 8.5+ will be released,
> so this issue will be fixed as JSS/NSS should support this type of optional
> client authentication (but will need to be tested).
Any idea when that would be? Debian 10 will be frozen in a month.
--
t
More information about the Pki-users
mailing list