[Pki-users] Problems with java11
Timo Aaltonen
tjaalton at ubuntu.com
Tue Jan 15 19:49:50 UTC 2019
On 15.1.2019 21.03, Endi Sukma Dewata wrote:
> ----- Original Message -----
>>>>> The error message is not very helpful, but I think this error
>>>>> happens because the clientAuth in Connector has been replaced
>>>>> by certificateVerification in SSLHostConfig and they cannot be
>>>>> specified at the same time. See the following page:
>>>>> https://tomcat.apache.org/tomcat-8.5-doc/config/http.html
>>>>>
>>>>> So try removing the clientAuth and set the certificateVerification
>>>>> to "required". I have not tried this myself though.
>>>>
>>>> nope, still get the same
>>>
>>> Could you show me the entire Connector element and its children?
>>> Make sure all attributes replaced by SSLHostConfig have been
>>> deleted from the Connector element (see the above link).
>>
>> <Connector name="Secure"
>> port="8443"
>> protocol="org.dogtagpki.tomcat.Http11NioProtocol"
>> SSLEnabled="true"
>> scheme="https"
>> secure="true"
>> connectionTimeout="80000"
>> keepAliveTimeout="300000"
>> maxHttpHeaderSize="8192"
>> acceptCount="100"
>> maxThreads="150"
>> minSpareThreads="25"
>> enableLookups="false"
>> disableUploadTimeout="true"
>> enableOCSP="false"
>> ocspResponderURL="http://sid1.leon.tyrell:8080/ca/ocsp"
>> ocspResponderCertNickname="ocspSigningCert cert-pki-ca"
>> ocspCacheSize="1000"
>> ocspMinCacheEntryDuration="7200"
>> ocspMaxCacheEntryDuration="14400"
>> ocspTimeout="10"
>> strictCiphers="true"
>> sslVersionRangeStream="tls1_1:tls1_2"
>> sslVersionRangeDatagram="tls1_1:tls1_2"
>> sslRangeCiphers="-TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,-TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,-TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,-TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,-TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,+TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,-TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,-TLS_DHE_DSS_WITH_AES_128_CBC_SHA,-TLS_DHE_DSS_WITH_AES_256_CBC_SHA,-TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_DHE_RSA_WITH_AES_128_CBC_SHA,+TLS_DHE_RSA_WITH_AES_256_CBC_SHA,+TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,+TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,+TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,-TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,-TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,+TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,-TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,+TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,-TLS_RSA_WITH_AES_128_CBC_SHA256,-TLS_RSA_WITH_AES_256_CBC_SHA256,-TLS_RSA_WITH_AES_128_GCM_SHA256,-TLS_RSA_WITH_3DES_EDE_CBC_SHA,-TLS_RSA_WITH_AES_128_CBC_SHA,-TLS_RSA_WITH_AES_256_CBC_SHA,+TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,+TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,+TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,-TLS_RSA_WITH_AES_256_GCM_SHA384"
>> serverCertNickFile="/var/lib/pki/pki-tomcat/conf/serverCertNick.conf"
>> passwordFile="/var/lib/pki/pki-tomcat/conf/password.conf"
>> passwordClass="org.apache.tomcat.util.net.jss.PlainPasswordFile"
>> certdbDir="/var/lib/pki/pki-tomcat/alias">
>>
>> <SSLHostConfig sslProtocol="SSL"
>> certificateVerification="required"
>> trustManagerClassName="org.dogtagpki.tomcat.PKITrustManager">
>> <Certificate certificateKeystoreType="pkcs11"
>> certificateKeystoreProvider="Mozilla-JSS"
>> certificateKeyAlias="sslserver"/>
>> </SSLHostConfig>
>>
>> </Connector>
>>
>>
>> I don't see what should be dropped from Connector..
>
> Are you getting this error:
>
> java.lang.IllegalArgumentException: Alias name [sslserver] does not identify a key
> entry
>
> or this error?
>
> java.lang.IllegalArgumentException: Multiple SSLHostConfig elements were provided
> for the host name [_default_]. Host names must be unique.
>
> If it's the first one, that means the PKCS #11 keystore (i.e. JSS keystore) cannot
> find the SSL server certificate. We may not have a solution since we do not support
> Java 11 yet.
But I've patched Dogtag to support the new keystore, and am using JSS
4.5.1, I thought they did support Java 11.. so something is missing
still then..
> If it's the second one, that message is coming from Tomcat when validating the
> server.xml. Is certificateVerification the only thing you change in that file? You
> might want to try adding defaultSSLHostConfigName to Connector and hostName to
> SSLHostConfig, but I'm really not sure what's going on.
>
> See also this page:
> https://stackoverflow.com/questions/42135892/tomcat-8-5-server-xml-multiple-sslhostconfig-elements-were-provided-for-the-ho
>
> If you put any of these deprecated attributes in the Connector directive, tomcat
> assumes you are using the old way and auto creates a SSLHostConfig itself, which
> then conflicts with the one you are creating.
>
> --
> Endi S. Dewata
>
--
t
More information about the Pki-users
mailing list