2
votes

I'm installing a JKS certificate on my Ubuntu Tomcat server. I've searched but still can't solve it. The browser can connect to Tomcat on 8080, but it's not transmitted over HTTPS. I use the command keytool -importkeystore -srckeystore **.pfx -destkeystore **.jks -srcstoretype PKCS12 -deststoretype JKS to convert PFX to JKS format.

conf/server.xml is :

<Connector port="8443" protocol="HTTP/1.1"
    maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
    keystoreFile="/home/hel/key/my.jks" 
    keystorePass="***"
    keyAlias="***" 
    clientAuth="false" sslProtocol="TLS" />

Added:
At the same time, I tried another configuration (but it output the same exceptions):

<Connector port="8443" protocol="HTTP/1.1"
               maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
               keystoreFile="/home/hel/key/***.pfx"
               keystoreType="PKCS12"
               keystorePass="***"
               keyAlias="***" 
               clientAuth="false" sslProtocol="TLS" />

There are four files in the directory /home/hel/key: .key, .pem, .pfx, .jks.

Added: I've changed certificateKeyAlias="***" to keyAlias="***", and the exceptions disappear. But port 8443 still can't be connected to, and 8080 is not transmitted over HTTPS. How can I check it? netstat shows that ports 8080 and 8443 are really listening.

localhost.log

INFO [localhost-startStop-2] org.apache.catalina.core.ApplicationContext.log SessionListener: contextDestroyed()
INFO [localhost-startStop-2] org.apache.catalina.core.ApplicationContext.log ContextListener: contextDestroyed()
INFO [localhost-startStop-1] org.apache.catalina.core.ApplicationContext.log ContextListener: contextInitialized()
INFO [localhost-startStop-1] org.apache.catalina.core.ApplicationContext.log SessionListener: contextInitialized()

localhost_access_log.txt

"GET /Beer-v1/ HTTP/1.1" 304 -
"GET /Beer-v1/css/a.css HTTP/1.1" 304 -

catalina.log

NG tomcat.util.digester.SetPropertiesRule.begin [SetPropertiesRule]{Server/Service/Engine/Realm} Setting property 'digest' to 'MD5' did not find a matching property.
NG tomcat.util.digester.Digester.endElement No rules found matching 'Server/Service/Engine/Resource'.

Added:
I downloaded a clean copy of Tomcat 9 and added the code to the original conf/server.xml. In catalina.out, java.security.UnrecoverableKeyException: Cannot recover key happens.

<Connector
    port="8443"
    protocol="org.apache.coyote.http11.Http11NioProtocol"
    connectionTimeout="20000"
    redirectPort="8443"
    scheme="https" 
    secure="true" 
    SSLEnabled="true"
    sslProtocol="TLS"
    keystoreFile="conf/***.jks"
    keystorePass="***" 
    keystoreType="JKS"
    clientAuth="false"
    />
2
Can you post more of the stack trace? The actual error is in a "caused by" section somewhere. - Christopher Schultz
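The question asks how to check whether port 8443 actually serves HTTPS when netstat only shows it listening. The program below is an added example, not code from the question, the comments or Tomcat: it opens the port, performs a TLS handshake and prints the negotiated protocol plus the certificate chain the server presents, and it distinguishes "port is plain HTTP" from "port is unreachable". The class name TlsPortCheck and the default host and port are assumptions. Like openssl s_client -showcerts, it records the chain without validating it so that a self-signed certificate does not abort the check; that trust manager exists only for this diagnosis and must not be copied into application code.

```java
import java.io.IOException;
import java.net.InetSocketAddress;
import java.net.Socket;
import java.security.cert.X509Certificate;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLException;
import javax.net.ssl.SSLSession;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;

/** Added diagnostic (hypothetical name): does <host>:<port> negotiate TLS, and with which certificate? */
public class TlsPortCheck {

    // DIAGNOSTIC ONLY: records the chain the server sends and performs NO validation,
    // so a self-signed certificate does not abort the handshake. Never use this
    // trust manager outside a one-off check like this one.
    static final class ChainRecorder implements X509TrustManager {
        X509Certificate[] chain;
        public void checkClientTrusted(X509Certificate[] c, String authType) { }
        public void checkServerTrusted(X509Certificate[] c, String authType) { chain = c; }
        public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
    }

    public static void main(String[] args) throws Exception {
        String host = args.length > 0 ? args[0] : "127.0.0.1";   // assumed defaults
        int port = args.length > 1 ? Integer.parseInt(args[1]) : 8443;

        ChainRecorder recorder = new ChainRecorder();
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { recorder }, null);
        SSLSocketFactory factory = ctx.getSocketFactory();

        try (Socket plain = new Socket()) {
            // Step 1: plain TCP connect. Failing here means nothing listens (or a firewall drops it).
            plain.connect(new InetSocketAddress(host, port), 5000);
            // Step 2: layer TLS over the open socket and force the handshake now.
            try (SSLSocket tls = (SSLSocket) factory.createSocket(plain, host, port, true)) {
                tls.startHandshake();
                SSLSession session = tls.getSession();
                System.out.println(host + ":" + port + " speaks TLS: "
                    + session.getProtocol() + " / " + session.getCipherSuite());
                if (recorder.chain != null) {
                    for (X509Certificate cert : recorder.chain) {
                        System.out.println("  subject=" + cert.getSubjectX500Principal()
                            + " issuer=" + cert.getIssuerX500Principal()
                            + " notAfter=" + cert.getNotAfter());
                    }
                }
            }
        } catch (SSLException e) {
            // A connector without SSLEnabled="true" answers the ClientHello with plain HTTP;
            // the JSSE client then reports "Unrecognized SSL message, plaintext connection?".
            System.out.println(host + ":" + port + " accepted TCP but did not negotiate TLS: " + e.getMessage());
            System.exit(1);
        } catch (IOException e) {
            System.out.println(host + ":" + port + " not reachable: " + e.getMessage());
            System.exit(1);
        }
    }
}
```

Run it as java TlsPortCheck 127.0.0.1 8443 against the SSL connector and java TlsPortCheck 127.0.0.1 8080 against the plain one: the first should print the protocol and the certificate subject from the keystore, the second should report the plaintext-connection failure, which is expected because a connector on 8080 without SSLEnabled="true" never speaks HTTPS.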

2 Answers

1
votes

It seems Tomcat is not finding the private key of the certificate in the keystore.

Since you have not specified the attribute keyAlias in the Connector, Tomcat will try to load the first key found in the keystore. See the documentation of certificateKeyAlias:

The alias used for the server key and certificate in the keystore. If not specified, the first key read from the keystore will be used. The order in which keys are read from the keystore is implementation dependent. It may not be the case that keys are read from the keystore in the same order as they were added. If more than one key is present in the keystore it is strongly recommended that a keyAlias is configured to ensure that the correct key is used.

Check the keystore to see if the private key is present and what its alias is. You can list the entries with

 keytool -list -v -keystore keystore.jks

Note: you can use the pkcs12 file directly by setting

 keystoreType = "PKCS12"

UPDATED: Tomcat SSL configuration

This is the minimum configuration of Tomcat for an SSL connector (deprecated attributes) in conf/server.xml, using a self-signed certificate issued for 127.0.0.1 and copied into /conf

<Connector
    port="8443"
    protocol="org.apache.coyote.http11.Http11NioProtocol"
    connectionTimeout="20000"
    redirectPort="8443"
    scheme="https" 
    secure="true" 
    SSLEnabled="true"
    sslProtocol="TLS"
    keystoreFile="conf/keystore.jks"
    keystorePass="a1b2c3d4e5" 
    keystoreType="JKS"
    clientAuth="false"
    />

I have tested it with a clean copy of tomcat 9 and JRE 1.8, with URL https://127.0.0.1:8443

0
votes

This link helped me: java.security.UnrecoverableKeyException: Cannot recover key.

When converting PFX to JKS with the command keytool -importkeystore -srckeystore **.pfx -destkeystore **.jks -srcstoretype PKCS12 -deststoretype JKS, set the destination keystore password the same as the key password (keypasswd). And remember to put the .jks file in the right path. I think it was in the wrong place. As for a self-signed certificate, I find it isn't necessary to set the keystore password the same as the key password.

Thanks to pedrofb. You help me so much.
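Both answers come down to two checks that keytool -list -v only partly shows: the keystore must contain a PrivateKeyEntry under the alias Tomcat will pick (the first one, if keyAlias is not set), and that key must be recoverable with the password Tomcat uses, which is keystorePass unless keyPass is set. The program below is an added example, not code from either answer or from Tomcat: it loads a JKS or PKCS12 file through java.security.KeyStore, lists every entry with its type and certificate subject, and tries to recover each private key with the given key password, so a store/key password mismatch shows up as the same "Cannot recover key" that catalina.out logged. The class name KeystoreCheck and its argument layout are assumptions.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.UnrecoverableKeyException;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Collections;

/** Added diagnostic (hypothetical name): which entries does the keystore hold, and can the key be recovered? */
public class KeystoreCheck {

    public static void main(String[] args) throws Exception {
        if (args.length < 3) {
            System.err.println("usage: java KeystoreCheck <keystoreFile> <JKS|PKCS12> <storePass> [keyPass]");
            System.exit(2);
        }
        String file = args[0];
        String type = args[1];
        char[] storePass = args[2].toCharArray();
        // Tomcat's JSSE connector uses keystorePass for the key as well unless keyPass
        // (certificateKeyPassword) is set, so default the key password to the store password.
        char[] keyPass = args.length > 3 ? args[3].toCharArray() : storePass;

        KeyStore ks = KeyStore.getInstance(type);
        try (InputStream in = new FileInputStream(file)) {
            ks.load(in, storePass);
        } catch (IOException e) {
            // A wrong storePass or a wrong keystoreType fails here, not with "Cannot recover key".
            System.out.println("cannot open " + file + " as " + type + ": " + e.getMessage());
            System.exit(1);
        }

        int privateKeys = 0;
        for (String alias : Collections.list(ks.aliases())) {
            if (!ks.isKeyEntry(alias)) {
                // A trustedCertEntry is a certificate without a key: Tomcat cannot serve TLS from it.
                System.out.println("trustedCertEntry " + alias + ": certificate only, cannot serve TLS");
                continue;
            }
            privateKeys++;
            Certificate cert = ks.getCertificate(alias);
            String subject = cert instanceof X509Certificate
                ? ((X509Certificate) cert).getSubjectX500Principal().getName() : "?";
            try {
                ks.getKey(alias, keyPass);   // the call that fails with "Cannot recover key"
                System.out.println("PrivateKeyEntry " + alias + " (" + subject
                    + "): key password OK, use keyAlias=\"" + alias + "\"");
            } catch (UnrecoverableKeyException e) {
                System.out.println("PrivateKeyEntry " + alias + " (" + subject + "): " + e.getMessage()
                    + " -> key password differs from the one Tomcat uses; re-import with"
                    + " -destkeypass equal to -deststorepass, or set keyPass in the Connector");
            }
        }
        if (privateKeys == 0) {
            System.out.println("no PrivateKeyEntry found: Tomcat has no key to serve HTTPS with");
        }
    }
}
```

Run it with the same values the Connector uses, for example java KeystoreCheck /home/hel/key/my.jks JKS '<keystorePass>': if the only PrivateKeyEntry reports "Cannot recover key", the fix is the one in the accepted answer (re-import so that the key password equals the store password, or add keyPass); if it reports OK but Tomcat still fails, the Connector is pointing at a different file or alias than the one checked.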