[Pki-users] Problems with java11

Endi Sukma Dewata edewata at redhat.com
Tue Jan 15 14:46:01 UTC 2019


Hi,

The error message is not very helpful, but I think this error
happens because the clientAuth in Connector has been replaced
by certificateVerification in SSLHostConfig and they cannot be
specified at the same time. See the following page:
https://tomcat.apache.org/tomcat-8.5-doc/config/http.html

So try removing the clientAuth and set the certificateVerification
to "required". I have not tried this myself though.

--
Endi S. Dewata

----- Original Message -----
> On 14.1.2019 18.06, Alexander Scheel wrote:
> > 
> > 
> > ----- Original Message -----
> >> From: "Timo Aaltonen" <tjaalton at ubuntu.com>
> >> To: pki-users at redhat.com
> >> Sent: Friday, January 11, 2019 2:44:32 AM
> >> Subject: [Pki-users] Problems with java11
> >>
> >>
> >> 	Hi
> >>
> >> I've migrated Debian to use java11 in every component Dogtag needs, but
> >> while the tomcat instance seems to get up (to be configured), it can't be
> >> properly reached:
> >>
> >> 2019-01-10 18:00:30 pkispawn      : INFO     Checking server at https://sid1.leon.tyrell:8443/ca
> >> 2019-01-10 18:01:56 pkispawn      : ERROR    Server unreachable due to SSL error: ("bad handshake: SysCallError(-1, 'Unexpected EOF')",)
> >> 2019-01-10 18:01:56 configuration : ERROR    Server failed to restart
> >>
> >>
> >> and there's this on catalina.out:
> >>
> >> WARNING: The JSSE TLS 1.3 implementation does not support authentication
> >> after the initial handshake and is therefore incompatible with optional
> >> client authentication
> >> SEVERE: Failed to initialize component [Connector[org.dogtagpki.tomcat.Http11NioProtocol-8443]]
> >> org.apache.catalina.LifecycleException: Protocol handler initialization failed
> >>         at org.apache.catalina.connector.Connector.initInternal(Connector.java:979)
> >>         at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
> >>         at org.apache.catalina.core.StandardService.initInternal(StandardService.java:535)
> >>         at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
> >>         at org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:1060)
> >>         at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
> >>         at org.apache.catalina.startup.Catalina.load(Catalina.java:588)
> >>         at org.apache.catalina.startup.Catalina.load(Catalina.java:611)
> >>         at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> >>         at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
> >>         at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
> >>         at java.base/java.lang.reflect.Method.invoke(Method.java:566)
> >>         at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:306)
> >>         at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:491)
> >> Caused by: java.lang.IllegalArgumentException: Alias name [sslserver] does not identify a key entry
> >>         at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:114)
> >>         at org.apache.tomcat.util.net.AbstractJsseEndpoint.initialiseSsl(AbstractJsseEndpoint.java:85)
> >>         at org.apache.tomcat.util.net.NioEndpoint.bind(NioEndpoint.java:224)
> >>         at org.apache.tomcat.util.net.AbstractEndpoint.bindWithCleanup(AbstractEndpoint.java:1085)
> >>         at org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:1098)
> >>         at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:557)
> >>         at org.apache.coyote.http11.AbstractHttp11Protocol.init(AbstractHttp11Protocol.java:74)
> >>         at org.apache.catalina.connector.Connector.initInternal(Connector.java:976)
> >>         ... 13 more
> >> Caused by: java.io.IOException: Alias name [sslserver] does not identify a key entry
> >>         at org.apache.tomcat.util.net.jsse.JSSEUtil.getKeyManagers(JSSEUtil.java:248)
> >>         at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:112)
> >>         ... 20 more
> >>
> >> how to fix that? If this is fixed, Dogtag might finally end up in a Debian
> >> release :)
> >>
> > 
> > So my 2c. on this issue -- I don't have a reproducing setup at the moment
> > but...
> > 
> > TomcatJSS for Tomcat versions greater than 8.5 are... misnamed? :) It
> > technically is TomcatJSSE (i.e., using Java's JSSE as the crypto backend
> > for TLS auth in Tomcat vs. using JSS/NSS).
> > 
> > So it appears that JSSE lacks support for optional client authentication
> > as per the error message:
> > 
> >> WARNING: The JSSE TLS 1.3 implementation does not support authentication
> >> after the initial handshake and is therefore incompatible with optional
> >> client authentication
> > 
> > In PKI's server.xml for tomcat 8.5+, we don't currently set the clientAuth
> > parameter, so we use the default of "want":
> > 
> > https://github.com/dogtagpki/pki/blob/master/base/server/tomcat-8.5/conf/server.xml#L151
> > https://github.com/dogtagpki/tomcatjss/blob/master/src/org/apache/tomcat/util/net/jss/TomcatJSS.java#L72
> > 
> > 
> > You'll probably want to ship clientAuth="true" as a work around on JDK 11+
> > and document that clientAuth="want" will not work for the time being. On
> > the other hand, this ~does~ require end users to set up client
> > authentication to access the page...
> 
> Doing this (and fixing pki-migrate to not remove that setting) then resulted
> in this:
> 
> SEVERE: End event threw exception
> java.lang.reflect.InvocationTargetException
>         at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>         at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
>         at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>         at java.base/java.lang.reflect.Method.invoke(Method.java:566)
>         at org.apache.tomcat.util.IntrospectionUtils.callMethod1(IntrospectionUtils.java:373)
>         at org.apache.tomcat.util.digester.SetNextRule.end(SetNextRule.java:145)
>         at org.apache.tomcat.util.digester.Digester.endElement(Digester.java:944)
>         at org.apache.xerces.parsers.AbstractSAXParser.endElement(Unknown Source)
>         at org.apache.xerces.impl.XMLDocumentFragmentScannerImpl.scanEndElement(Unknown Source)
>         at org.apache.xerces.impl.XMLDocumentFragmentScannerImpl$FragmentContentDispatcher.dispatch(Unknown Source)
>         at org.apache.xerces.impl.XMLDocumentFragmentScannerImpl.scanDocument(Unknown Source)
>         at org.apache.xerces.parsers.XML11Configuration.parse(Unknown Source)
>         at org.apache.xerces.parsers.XML11Configuration.parse(Unknown Source)
>         at org.apache.xerces.parsers.XMLParser.parse(Unknown Source)
>         at org.apache.xerces.parsers.AbstractSAXParser.parse(Unknown Source)
>         at org.apache.xerces.jaxp.SAXParserImpl$JAXPSAXParser.parse(Unknown Source)
>         at org.apache.tomcat.util.digester.Digester.parse(Digester.java:1439)
>         at org.apache.catalina.startup.Catalina.load(Catalina.java:566)
>         at org.apache.catalina.startup.Catalina.load(Catalina.java:611)
>         at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>         at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
>         at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>         at java.base/java.lang.reflect.Method.invoke(Method.java:566)
>         at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:306)
>         at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:491)
> Caused by: java.lang.IllegalArgumentException: Multiple SSLHostConfig elements were provided for the host name [_default_]. Host names must be unique.
>         at org.apache.tomcat.util.net.AbstractEndpoint.addSslHostConfig(AbstractEndpoint.java:248)
>         at org.apache.tomcat.util.net.AbstractEndpoint.addSslHostConfig(AbstractEndpoint.java:203)
>         at org.apache.coyote.http11.AbstractHttp11Protocol.addSslHostConfig(AbstractHttp11Protocol.java:542)
>         at org.apache.catalina.connector.Connector.addSslHostConfig(Connector.java:834)
>         ... 25 more
> 
> WARNING: Unable to load server configuration from [/var/lib/pki/pki-tomcat/conf/server.xml]
> org.xml.sax.SAXParseException; systemId: file:/var/lib/pki/pki-tomcat/conf/server.xml; lineNumber: 188; columnNumber: 25; Error at (188, 25) : Multiple SSLHostConfig elements were provided for the host name [_default_]. Host names must be unique.
>         at org.apache.tomcat.util.digester.Digester.createSAXException(Digester.java:1862)
>         at org.apache.tomcat.util.digester.Digester.createSAXException(Digester.java:1894)
>         at org.apache.tomcat.util.digester.Digester.endElement(Digester.java:947)
>         at org.apache.xerces.parsers.AbstractSAXParser.endElement(Unknown Source)
>         at org.apache.xerces.impl.XMLDocumentFragmentScannerImpl.scanEndElement(Unknown Source)
>         at org.apache.xerces.impl.XMLDocumentFragmentScannerImpl$FragmentContentDispatcher.dispatch(Unknown Source)
>         at org.apache.xerces.impl.XMLDocumentFragmentScannerImpl.scanDocument(Unknown Source)
>         at org.apache.xerces.parsers.XML11Configuration.parse(Unknown Source)
>         at org.apache.xerces.parsers.XML11Configuration.parse(Unknown Source)
>         at org.apache.xerces.parsers.XMLParser.parse(Unknown Source)
>         at org.apache.xerces.parsers.AbstractSAXParser.parse(Unknown Source)
>         at org.apache.xerces.jaxp.SAXParserImpl$JAXPSAXParser.parse(Unknown Source)
>         at org.apache.tomcat.util.digester.Digester.parse(Digester.java:1439)
>         at org.apache.catalina.startup.Catalina.load(Catalina.java:566)
>         at org.apache.catalina.startup.Catalina.load(Catalina.java:611)
>         at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>         at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
>         at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>         at java.base/java.lang.reflect.Method.invoke(Method.java:566)
>         at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:306)
>         at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:491)
> Caused by: java.lang.IllegalArgumentException: Multiple SSLHostConfig elements were provided for the host name [_default_]. Host names must be unique.
>         at org.apache.tomcat.util.net.AbstractEndpoint.addSslHostConfig(AbstractEndpoint.java:248)
>         at org.apache.tomcat.util.net.AbstractEndpoint.addSslHostConfig(AbstractEndpoint.java:203)
>         at org.apache.coyote.http11.AbstractHttp11Protocol.addSslHostConfig(AbstractHttp11Protocol.java:542)
>         at org.apache.catalina.connector.Connector.addSslHostConfig(Connector.java:834)
>         at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>         at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
>         at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>         at java.base/java.lang.reflect.Method.invoke(Method.java:566)
>         at org.apache.tomcat.util.IntrospectionUtils.callMethod1(IntrospectionUtils.java:373)
>         at org.apache.tomcat.util.digester.SetNextRule.end(SetNextRule.java:145)
>         at org.apache.tomcat.util.digester.Digester.endElement(Digester.java:944)
>         ... 18 more
> 
> SEVERE: Cannot start server. Server instance is not configured.
> 
> 
> and this is in server.xml:
> 
>     182         <SSLHostConfig sslProtocol="SSL"
>     183                        certificateVerification="optional"
>     184                        trustManagerClassName="org.dogtagpki.tomcat.PKITrustManager">
>     185             <Certificate certificateKeystoreType="pkcs11"
>     186                          certificateKeystoreProvider="Mozilla-JSS"
>     187                          certificateKeyAlias="sslserver"/>
>     188         </SSLHostConfig>
> 
> > Eventually a new TomcatJSS with JSS support in Tomcat 8.5+ will be
> > released, so this issue will be fixed as JSS/NSS should support this type
> > of optional client authentication (but will need to be tested).
> 
> Any idea when that would be? Debian 10 will be frozen in a month.
> 
> 
> --
> t
> 
> _______________________________________________
> Pki-users mailing list
> Pki-users at redhat.com
> https://www.redhat.com/mailman/listinfo/pki-users
> 
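The two failure modes discussed in this thread, as an added example that is not part of the original messages or of the Dogtag/TomcatJSS code: a small Python lint over a Tomcat 8.5+ server.xml that flags (a) an SSLHostConfig whose certificateVerification asks for the client certificate after the handshake ("optional" or "optionalNoCA") while TLSv1.3 may be negotiated, which is what the JSSE warning quoted above refers to, and (b) a deprecated clientAuth attribute left on the Connector next to an explicit SSLHostConfig, which makes Tomcat create a second host config named _default_ and fail with the "Multiple SSLHostConfig elements" error. The clientAuth to certificateVerification mapping (true/want/false to required/optional/none) and the implicit _default_ host config are taken from the Tomcat 8.5 connector documentation linked above; the server.xml fragments are constructed to mimic the thread, not copied from a real instance, and the script goes beyond the thread in also handling the legacy Connector-only configuration style.

```python
"""Lint a Tomcat 8.5+ server.xml for the two misconfigurations seen in this thread."""
import xml.etree.ElementTree as ET

# Deprecated Connector clientAuth values and the SSLHostConfig
# certificateVerification value each one maps onto (Tomcat 8.5 HTTP connector docs).
CLIENT_AUTH_TO_VERIFICATION = {"true": "required", "want": "optional", "false": "none"}

# Modes that request the client certificate after the initial handshake; the
# JSSE TLS 1.3 implementation refuses these (the WARNING quoted in the thread).
POST_HANDSHAKE_MODES = {"optional", "optionalnoca"}


def _allows_tls13(host_config):
    """True when TLSv1.3 may be negotiated: 'all' (the default) or an explicit TLSv1.3."""
    protocols = host_config.get("protocols", "all").lower()
    return protocols == "all" or "tlsv1.3" in protocols


def lint_connector(connector):
    """Return a list of finding strings for one SSLEnabled Connector element."""
    findings = []
    host_configs = connector.findall("SSLHostConfig")
    client_auth = connector.get("clientAuth")

    # A deprecated SSL attribute on the Connector makes Tomcat create an implicit
    # SSLHostConfig named _default_; an explicit one with the same name collides
    # ("Multiple SSLHostConfig elements were provided for the host name [_default_]").
    host_names = [hc.get("hostName", "_default_") for hc in host_configs]
    if client_auth is not None:
        host_names.append("_default_")
    for name in sorted({n for n in host_names if host_names.count(n) > 1}):
        note = " (clientAuth on Connector creates an implicit one)" if client_auth else ""
        findings.append(f"duplicate SSLHostConfig for host name [{name}]{note}")

    # Effective certificateVerification per host config, including the legacy
    # Connector-only style where clientAuth is mapped onto the implicit _default_.
    modes = [(hc.get("hostName", "_default_"),
              hc.get("certificateVerification", "none"), _allows_tls13(hc))
             for hc in host_configs]
    if client_auth is not None and not host_configs:
        mapped = CLIENT_AUTH_TO_VERIFICATION.get(client_auth.lower(), client_auth)
        modes.append(("_default_", mapped, True))

    for name, mode, tls13 in modes:
        if mode.lower() in POST_HANDSHAKE_MODES and tls13:
            findings.append(
                f"[{name}] certificateVerification={mode!r} is incompatible with "
                "JSSE TLS 1.3 (no post-handshake client authentication); "
                "use 'required' or 'none', or exclude TLSv1.3 from protocols")
    return findings


def lint_server_xml(xml_text):
    """Map each SSLEnabled Connector port to its list of findings."""
    root = ET.fromstring(xml_text)
    return {conn.get("port"): lint_connector(conn)
            for conn in root.iter("Connector")
            if conn.get("SSLEnabled", "false").lower() == "true"}


def _server_xml(connector_attrs, body=""):
    """Build a minimal server.xml around one Connector (constructed test input)."""
    return (f'<Server><Service><Connector port="8443" SSLEnabled="true" '
            f'protocol="org.dogtagpki.tomcat.Http11NioProtocol" {connector_attrs}>'
            f'{body}</Connector></Service></Server>')


# Constructed fragments modelled on the server.xml excerpt in the thread.
HOST_CONFIG = '''<SSLHostConfig sslProtocol="SSL" certificateVerification="{mode}"
      trustManagerClassName="org.dogtagpki.tomcat.PKITrustManager">
  <Certificate certificateKeystoreType="pkcs11" certificateKeystoreProvider="Mozilla-JSS"
               certificateKeyAlias="sslserver"/>
</SSLHostConfig>'''

AS_SHIPPED = _server_xml("", HOST_CONFIG.format(mode="optional"))          # JSSE TLS 1.3 warning
WITH_CLIENT_AUTH = _server_xml('clientAuth="true"', HOST_CONFIG.format(mode="optional"))  # duplicate _default_
LEGACY_CONNECTOR = _server_xml('clientAuth="want"')                        # Connector-only, maps to optional
FIXED = _server_xml("", HOST_CONFIG.format(mode="required"))               # clean

if __name__ == "__main__":
    for label, xml_text in [("as shipped", AS_SHIPPED), ("clientAuth added", WITH_CLIENT_AUTH),
                            ("legacy connector", LEGACY_CONNECTOR), ("fixed", FIXED)]:
        print(f"{label}: {lint_server_xml(xml_text)['8443'] or ['ok']}")
```

Run it as a script to see the findings for each fragment; on a real instance, pass the contents of conf/server.xml to lint_server_xml and treat any non-empty list as a configuration that Tomcat 8.5+ on JDK 11 will either warn about or refuse to start with.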



