Tomcat 5.5 + APR connector - not working with new cert

 
Greenhorn
Posts: 28
Background:
We are switching from a JSSE connector to APR/native connector to resolve some PCI vulnerabilities without needing to update Java and Tomcat. (Those are on the to-do list for later)
The problem server is running Windows 2008 R2 (64-bit), Tomcat 5.5.26 and Java 1.5.0_15
Since I could not find the private key that existed for the current keystore, I generated a new CSR and re-keyed the cert.

I was able to get this to work on another server, but the 2nd server I'm trying to get this working on is giving the following error in the Catalina log:

Nov 5, 2014 12:23:16 PM org.apache.coyote.http11.Http11AprProtocol init
SEVERE: Error initializing endpoint
java.lang.Exception: Unable to load certificate key C:\Tomcat 5.5\conf\newcerts\serverpriv.key (error:02001003:system library:fopen:No such process)
at org.apache.tomcat.jni.SSLContext.setCertificate(Native Method)
at org.apache.tomcat.util.net.AprEndpoint.init(AprEndpoint.java:653)
at org.apache.coyote.http11.Http11AprProtocol.init(Http11AprProtocol.java:116)
at org.apache.catalina.connector.Connector.initialize(Connector.java:1017)
at org.apache.catalina.core.StandardService.initialize(StandardService.java:578)
at org.apache.catalina.core.StandardServer.initialize(StandardServer.java:782)
at org.apache.catalina.startup.Catalina.load(Catalina.java:504)
at org.apache.catalina.startup.Catalina.load(Catalina.java:524)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
at java.lang.reflect.Method.invoke(Unknown Source)
at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:267)
at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:432)

Here is the connector info from my server.xml:

<!-- Define a SSL HTTP/1.1 Connector on port 443 -->
<Connector port="443" maxHttpHeaderSize="8192"
maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
enableLookups="false" disableUploadTimeout="true"
acceptCount="100" scheme="https" secure="true"
ciphers="
SSL_RSA_WITH_3DES_EDE_CBC_SHA,
SSL_RSA_WITH_RC4_128_MD5,
SSL_RSA_WITH_RC4_128_SHA,
TLS_RSA_WITH_AES_128_CBC_SHA,
TLS_RSA_WITH_AES_256_CBC_SHA,
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
"
clientAuth="false"
sslProtocol="TLS"
SSLEngine="on"
SSLEnabled="true"
SSLPassword="**********"
SSLCertificateFile="C:\Tomcat 5.5\conf\newcerts\server.crt"
SSLCertificateKeyFile="C:\Tomcat 5.5\conf\newcerts\serverpriv.key"
SSLCACertificateFile="C:\Tomcat 5.5\conf\newcerts\gdig2.crt"
SSLCertificateChainFile="C:\Tomcat 5.5\conf\newcerts\gd_bundle-g2-g1.crt" />

Searching around on Google, I found a suggestion to remove the line:
SSLengine = "on"
But when I did this, I got other strange errors.
I did not need to do this for the first server.

Also, checking the key with OpenSSL works fine.
openssl rsa -in serverpriv.key -check
Enter pass phrase for serverpriv.key:
RSA key ok
writing RSA key
...etc...

Any ideas?

P.S. I will be removing the RC4 ciphers soon...

Thanks in advance.
Saloon Keeper
Posts: 27764
You are aware, I hope, that Tomcat 5 and Java 5 are no longer supported by their respective suppliers? I wouldn't put upgrading off for later, especially since the way you're choosing to dodge the issue is problematical at the best of times.

The message you're getting is rather strange, since it refers to a file open and a process as though they were the same thing, but I'd check to make sure that the serverpriv.key does exist and that it's readable by the Tomcat user.
Peter Bollwerk
Greenhorn
Posts: 28
The key definitely exists and is definitely readable by the account that Tomcat runs under.
Weird.
Peter Bollwerk
Greenhorn
Posts: 28
I'm dumb.

It was a typo on the file path in the server.xml.
Was just missing a hyphen.

Sorry for the confusion.
 
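The root cause in this thread was a one-character typo in a file path inside server.xml, and the native library's "No such process" wording made it hard to see. A pre-flight check that reads the SSL-enabled Connector out of server.xml and verifies every SSL*File path before Tomcat is restarted catches this class of problem directly. The script below is an added example written for this thread, not code from the original posts or from Tomcat itself; it uses only the Python standard library and checks existence, readability and PEM armouring of each configured file. The demo function builds a constructed scenario in a temporary directory that mirrors the thread (the key on disk is named server-priv.key while server.xml refers to serverpriv.key); the file names and contents there are made up for the demonstration.

```python
"""Pre-flight check for the file paths of a Tomcat APR/native SSL connector.

Added example (not from the thread or from Tomcat): parses a server.xml,
finds every <Connector> with SSLEnabled="true", and verifies that each
SSL*File attribute points to a readable PEM file. A problem is reported
by attribute name and path, so a path typo shows up before restart.
"""
import os
import shutil
import tempfile
import xml.etree.ElementTree as ET

# Connector attributes that must name an existing PEM file when the APR
# connector is in use; attribute names as in the thread's server.xml.
FILE_ATTRS = (
    "SSLCertificateFile",
    "SSLCertificateKeyFile",
    "SSLCACertificateFile",
    "SSLCertificateChainFile",
)


def _looks_like_pem(path):
    """Return True if the file begins with a PEM armour line."""
    with open(path, "rb") as fh:
        head = fh.read(64)
    return head.lstrip().startswith(b"-----BEGIN ")


def check_ssl_files(server_xml_path):
    """Return a list of (attribute, path, problem) tuples for every
    SSL-enabled Connector; an empty list means all configured files are
    present, readable and PEM-armoured."""
    problems = []
    tree = ET.parse(server_xml_path)
    for conn in tree.getroot().iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue
        for attr in FILE_ATTRS:
            path = conn.get(attr)
            if path is None:
                continue  # optional attribute not set on this connector
            if not os.path.isfile(path):
                problems.append((attr, path, "file does not exist"))
            elif not os.access(path, os.R_OK):
                problems.append((attr, path, "file is not readable"))
            elif not _looks_like_pem(path):
                problems.append((attr, path, "not PEM-armoured"))
    return problems


def demo_path_typo():
    """Constructed scenario mirroring the thread: the key on disk is
    'server-priv.key' but server.xml refers to 'serverpriv.key'.
    Returns the problem list produced by check_ssl_files()."""
    tmp = tempfile.mkdtemp()
    try:
        certs = os.path.join(tmp, "newcerts")
        os.mkdir(certs)
        # Constructed placeholder PEM files; contents are not real keys.
        for name in ("server.crt", "gdig2.crt", "gd_bundle-g2-g1.crt"):
            with open(os.path.join(certs, name), "w") as fh:
                fh.write("-----BEGIN CERTIFICATE-----\n"
                         "constructed placeholder\n"
                         "-----END CERTIFICATE-----\n")
        with open(os.path.join(certs, "server-priv.key"), "w") as fh:
            fh.write("-----BEGIN RSA PRIVATE KEY-----\n"
                     "constructed placeholder\n"
                     "-----END RSA PRIVATE KEY-----\n")
        server_xml = os.path.join(tmp, "server.xml")
        with open(server_xml, "w") as fh:
            fh.write(
                '<Server><Service><Connector port="443" SSLEnabled="true"\n'
                '  SSLCertificateFile="{c}"\n'
                '  SSLCertificateKeyFile="{k}"\n'
                '  SSLCACertificateFile="{ca}"\n'
                '  SSLCertificateChainFile="{ch}" /></Service></Server>\n'.format(
                    c=os.path.join(certs, "server.crt"),
                    k=os.path.join(certs, "serverpriv.key"),  # the typo
                    ca=os.path.join(certs, "gdig2.crt"),
                    ch=os.path.join(certs, "gd_bundle-g2-g1.crt"),
                )
            )
        return check_ssl_files(server_xml)
    finally:
        shutil.rmtree(tmp, ignore_errors=True)


if __name__ == "__main__":
    for attr, path, problem in demo_path_typo():
        print("%s: %s (%s)" % (attr, path, problem))
```

Run against a real installation as `check_ssl_files(r"C:\Tomcat 5.5\conf\server.xml")`; spaces in the path are fine because the attribute values are quoted in the XML. The check deliberately reports the attribute name alongside the path, because the same file name typed correctly in one attribute and wrongly in another (as in this thread) is otherwise easy to miss when reading the log.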