[Pki-users] Problems with java11

Endi Sukma Dewata edewata at redhat.com
Tue Jan 15 19:03:22 UTC 2019


----- Original Message -----
> >>> The error message is not very helpful, but I think this error
> >>> happens because the clientAuth in Connector has been replaced
> >>> by certificateVerification in SSLHostConfig and they cannot be
> >>> specified at the same time. See the following page:
> >>> https://tomcat.apache.org/tomcat-8.5-doc/config/http.html
> >>>
> >>> So try removing the clientAuth and set the certificateVerification
> >>> to "required". I have not tried this myself though.
> >>
> >> nope, still get the same
> > 
> > Could you show me the entire Connector element and its children?
> > Make sure all attributes replaced by SSLHostConfig have been
> > deleted from the Connector element (see the above link).
> 
>     <Connector name="Secure"
>                port="8443"
>                protocol="org.dogtagpki.tomcat.Http11NioProtocol"
>                SSLEnabled="true"
>                scheme="https"
>                secure="true"
>                connectionTimeout="80000"
>                keepAliveTimeout="300000"
>                maxHttpHeaderSize="8192"
>                acceptCount="100"
>                maxThreads="150"
>                minSpareThreads="25"
>                enableLookups="false"
>                disableUploadTimeout="true"
>                enableOCSP="false"
>                ocspResponderURL="http://sid1.leon.tyrell:8080/ca/ocsp"
>                ocspResponderCertNickname="ocspSigningCert cert-pki-ca"
>                ocspCacheSize="1000"
>                ocspMinCacheEntryDuration="7200"
>                ocspMaxCacheEntryDuration="14400"
>                ocspTimeout="10"
>                strictCiphers="true"
>                sslVersionRangeStream="tls1_1:tls1_2"
>                sslVersionRangeDatagram="tls1_1:tls1_2"
>                sslRangeCiphers="-TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,-TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,-TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,-TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,-TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,+TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,-TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,-TLS_DHE_DSS_WITH_AES_128_CBC_SHA,-TLS_DHE_DSS_WITH_AES_256_CBC_SHA,-TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_DHE_RSA_WITH_AES_128_CBC_SHA,+TLS_DHE_RSA_WITH_AES_256_CBC_SHA,+TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,+TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,+TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,-TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,-TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,+TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,-TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,+TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,-TLS_RSA_WITH_AES_128_CBC_SHA256,-TLS_RSA_WITH_AES_256_CBC_SHA256,-TLS_RSA_WITH_AES_128_GCM_SHA256,-TLS_RSA_WITH_3DES_EDE_CBC_SHA,-TLS_RSA_WITH_AES_128_CBC_SHA,-TLS_RSA_WITH_AES_256_CBC_SHA,+TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,+TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,+TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,-TLS_RSA_WITH_AES_256_GCM_SHA384"
>                serverCertNickFile="/var/lib/pki/pki-tomcat/conf/serverCertNick.conf"
>                passwordFile="/var/lib/pki/pki-tomcat/conf/password.conf"
>                passwordClass="org.apache.tomcat.util.net.jss.PlainPasswordFile"
>                certdbDir="/var/lib/pki/pki-tomcat/alias">
> 
>         <SSLHostConfig sslProtocol="SSL"
>                        certificateVerification="required"
>                        trustManagerClassName="org.dogtagpki.tomcat.PKITrustManager">
>             <Certificate certificateKeystoreType="pkcs11"
>                          certificateKeystoreProvider="Mozilla-JSS"
>                          certificateKeyAlias="sslserver"/>
>         </SSLHostConfig>
> 
>     </Connector>
> 
> 
> I don't see what should be dropped from Connector.

Are you getting this error:

 java.lang.IllegalArgumentException: Alias name [sslserver] does not identify a key
 entry

or this error?

 java.lang.IllegalArgumentException: Multiple SSLHostConfig elements were provided
 for the host name [_default_]. Host names must be unique.

If it's the first one, that means the PKCS #11 keystore (i.e. JSS keystore) cannot
find the SSL server certificate. We may not have a solution since we do not support
Java 11 yet.

If it's the second one, that message is coming from Tomcat when validating the
server.xml. Is certificateVerification the only thing you changed in that file? You
might want to try adding defaultSSLHostConfigName to Connector and hostName to
SSLHostConfig, but I'm really not sure what's going on.

See also this page:
https://stackoverflow.com/questions/42135892/tomcat-8-5-server-xml-multiple-sslhostconfig-elements-were-provided-for-the-ho

 If you put any of these deprecated attributes in the Connector directive, tomcat
 assumes you are using the old way and auto creates a SSLHostConfig itself, which
 then conflicts with the one you are creating.

--
Endi S. Dewata
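The conflict the reply above describes (a deprecated per-Connector SSL attribute such as clientAuth makes Tomcat synthesize its own SSLHostConfig, which then collides with the explicit one for the same host name) can be checked mechanically before restarting Tomcat. The script below is an added example, not code from this thread, from Dogtag or from Tomcat; it lints a single <Connector> fragment for three things: deprecated SSL attributes still on the Connector, an implicit-plus-explicit SSLHostConfig collision on the default host name, and two explicit SSLHostConfig children sharing a host name. The attribute table is assumed to match the Tomcat 8.5 HTTP Connector documentation linked earlier in the thread and should be checked against that page; the sample Connector is a constructed, trimmed version of the one posted above, and the JSS-specific Dogtag attributes are deliberately not in the table because they are not part of Tomcat's deprecated set.

```python
"""Lint a Tomcat 8.5 <Connector> for SSLHostConfig conflicts.

Added example for the pki-users thread; not code from Dogtag or Tomcat.
Assumption: DEPRECATED_SSL_ATTRS is transcribed from the Tomcat 8.5
config/http.html "deprecated attributes" table. Verify against that page.
"""
import xml.etree.ElementTree as ET

# Deprecated Connector attribute -> where it now lives (assumed from Tomcat docs).
DEPRECATED_SSL_ATTRS = {
    "clientAuth": "SSLHostConfig/certificateVerification",
    "ciphers": "SSLHostConfig/ciphers",
    "sslProtocol": "SSLHostConfig/sslProtocol",
    "sslEnabledProtocols": "SSLHostConfig/protocols",
    "truststoreFile": "SSLHostConfig/truststoreFile",
    "truststorePass": "SSLHostConfig/truststorePassword",
    "trustManagerClassName": "SSLHostConfig/trustManagerClassName",
    "keyAlias": "Certificate/certificateKeyAlias",
    "keystoreFile": "Certificate/certificateKeystoreFile",
    "keystorePass": "Certificate/certificateKeystorePassword",
    "keystoreType": "Certificate/certificateKeystoreType",
    "keystoreProvider": "Certificate/certificateKeystoreProvider",
}

DEFAULT_HOST = "_default_"  # Tomcat's default for defaultSSLHostConfigName


def lint_connector(xml_text):
    """Return a list of findings for one <Connector>; [] means nothing found."""
    conn = ET.fromstring(xml_text.strip())
    if conn.tag != "Connector":
        raise ValueError("expected a <Connector> element, got <%s>" % conn.tag)
    findings = []

    # 1. Deprecated SSL attributes left on the Connector element itself.
    stale = [a for a in conn.attrib if a in DEPRECATED_SSL_ATTRS]
    for attr in stale:
        findings.append("deprecated attribute %s on Connector; use %s"
                        % (attr, DEPRECATED_SSL_ATTRS[attr]))

    # 2. Explicit SSLHostConfig children; hostName defaults to the Connector's
    #    defaultSSLHostConfigName, which itself defaults to _default_.
    default_name = conn.get("defaultSSLHostConfigName", DEFAULT_HOST)
    explicit = [h.get("hostName", default_name)
                for h in conn.findall("SSLHostConfig")]

    # The SSLHostConfig Tomcat synthesizes from deprecated attributes is
    # registered under the default host name, so an explicit one with that
    # name produces the "Multiple SSLHostConfig elements" error.
    if stale and default_name in explicit:
        findings.append("implicit SSLHostConfig (from deprecated attributes) "
                        "and explicit SSLHostConfig both use host name [%s]"
                        % default_name)

    # 3. Two explicit SSLHostConfig children sharing a host name.
    seen = set()
    for name in explicit:
        if name in seen:
            findings.append("multiple SSLHostConfig elements for host name [%s]"
                            % name)
        seen.add(name)
    return findings


# Constructed sample: the posted Connector, trimmed to the relevant attributes.
# Dogtag's JSS attributes (strictCiphers, certdbDir, ...) are left untouched.
POSTED_STYLE = """
<Connector name="Secure" port="8443"
           protocol="org.dogtagpki.tomcat.Http11NioProtocol"
           SSLEnabled="true" scheme="https" secure="true"
           strictCiphers="true" sslVersionRangeStream="tls1_1:tls1_2"
           certdbDir="/var/lib/pki/pki-tomcat/alias">
  <SSLHostConfig sslProtocol="SSL" certificateVerification="required"
                 trustManagerClassName="org.dogtagpki.tomcat.PKITrustManager">
    <Certificate certificateKeystoreType="pkcs11"
                 certificateKeystoreProvider="Mozilla-JSS"
                 certificateKeyAlias="sslserver"/>
  </SSLHostConfig>
</Connector>
"""

# Constructed variant: clientAuth left on the Connector next to the explicit
# certificateVerification, the combination the first reply warns about.
CONFLICTING = POSTED_STYLE.replace('SSLEnabled="true"',
                                   'SSLEnabled="true" clientAuth="true"')

# Constructed variant: two explicit SSLHostConfig children, neither named.
DUPLICATE = POSTED_STYLE.replace(
    "</SSLHostConfig>",
    '</SSLHostConfig>\n  <SSLHostConfig certificateVerification="none"/>')

if __name__ == "__main__":
    for label, text in (("posted", POSTED_STYLE), ("clientAuth", CONFLICTING),
                        ("duplicate", DUPLICATE)):
        print(label, "->", lint_connector(text) or "no findings")
```

Run against the Connector as posted, the linter reports nothing, which matches the poster's observation that there is nothing left to drop; with clientAuth re-added it reports both the deprecated attribute and the collision on [_default_]. If the real server.xml still triggers the "Multiple SSLHostConfig elements" error with no findings here, the duplicate is coming from somewhere this fragment does not show, and the whole server.xml should be checked for a second Connector or SSLHostConfig on the same port.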
