Background:
We are switching from a JSSE connector to APR/native connector to resolve some PCI vulnerabilities without needing to update Java and Tomcat. (Those are on the to-do list for later.)
The problem server is running Windows 2008 R2 (64-bit), Tomcat 5.5.26 and Java 1.5.0_15.
Since I could not find the private key that existed for the current keystore, I generated a new CSR and re-keyed the cert.
I was able to get this to work on another server, but the 2nd server I'm trying to get this working on is giving the following error in the Catalina log:
Nov 5, 2014 12:23:16 PM org.apache.coyote.http11.Http11AprProtocol init
SEVERE: Error initializing endpoint
java.lang.Exception: Unable to load certificate key C:\Tomcat 5.5\conf\newcerts\serverpriv.key (error:02001003:system library:fopen:No such process)
    at org.apache.tomcat.jni.SSLContext.setCertificate(Native Method)
    at org.apache.tomcat.util.net.AprEndpoint.init(AprEndpoint.java:653)
    at org.apache.coyote.http11.Http11AprProtocol.init(Http11AprProtocol.java:116)
    at org.apache.catalina.connector.Connector.initialize(Connector.java:1017)
    at org.apache.catalina.core.StandardService.initialize(StandardService.java:578)
    at org.apache.catalina.core.StandardServer.initialize(StandardServer.java:782)
    at org.apache.catalina.startup.Catalina.load(Catalina.java:504)
    at org.apache.catalina.startup.Catalina.load(Catalina.java:524)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
    at java.lang.reflect.Method.invoke(Unknown Source)
    at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:267)
    at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:432)
Here is the connector info from my server.xml:
<!-- Define a SSL HTTP/1.1 Connector on port 443 -->
<Connector port="443" maxHttpHeaderSize="8192"
           maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
           enableLookups="false" disableUploadTimeout="true"
           acceptCount="100" scheme="https" secure="true"
           ciphers="
           SSL_RSA_WITH_3DES_EDE_CBC_SHA,
           SSL_RSA_WITH_RC4_128_MD5,
           SSL_RSA_WITH_RC4_128_SHA,
           TLS_RSA_WITH_AES_128_CBC_SHA,
           TLS_RSA_WITH_AES_256_CBC_SHA,
           TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
           TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
           TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
           TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
           TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,
           TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
           "
           clientAuth="false"
           sslProtocol="TLS"
           SSLEngine="on"
           SSLEnabled="true"
           SSLPassword="**********"
           SSLCertificateFile="C:\Tomcat 5.5\conf\newcerts\server.crt"
           SSLCertificateKeyFile="C:\Tomcat 5.5\conf\newcerts\serverpriv.key"
           SSLCACertificateFile="C:\Tomcat 5.5\conf\newcerts\gdig2.crt"
           SSLCertificateChainFile="C:\Tomcat 5.5\conf\newcerts\gd_bundle-g2-g1.crt" />
Searching around on Google, I found a suggestion to remove the line:
SSLengine = "on"
But when I did this, I got other strange errors.
I did not need to do this for the first server.
Also, checking the key with OpenSSL works fine.
openssl rsa -in serverpriv.key -check
Enter pass phrase for serverpriv.key:
RSA key ok
writing RSA key
...etc...
Any ideas?
P.S. I will be removing the RC4 ciphers soon...
Thanks in advance.
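The `error:02001003:system library:fopen:...` text in the log is OpenSSL reporting that the C-library `fopen` on the configured path failed, so the native connector never got as far as parsing the key. A pre-flight check that reads the `<Connector>` out of server.xml and verifies each `SSL*File` path resolves, before Tomcat is restarted, is what a practitioner would run first. The script below is an added example, not code from the question or from Tomcat; the embedded server.xml is a constructed sample modelled on the posted connector (placeholder paths, placeholder password), and the `isfile` parameter is a hypothetical injection point so the check can run against a fake filesystem. It also flags the cipher attribute when it contains stray whitespace, when it holds JSSE-style suite names on a connector with `SSLEngine="on"` (the APR connector in Tomcat 5.5 and 6 takes OpenSSL cipher-string syntax such as `AES128-SHA` via `SSLCipherSuite`, not `TLS_RSA_WITH_AES_128_CBC_SHA`), and when it still lists the RC4 and MD5 suites the poster intends to drop.

```python
"""Pre-flight check for an APR/native Tomcat SSL <Connector> in server.xml."""
import os
import xml.etree.ElementTree as ET

# Constructed sample modelled on the posted connector.  The Windows paths are
# placeholders and are not expected to exist where this script runs.
SAMPLE_SERVER_XML = """<Server><Service name="Catalina">
  <Connector port="443" scheme="https" secure="true"
             ciphers="
             SSL_RSA_WITH_RC4_128_MD5,
             TLS_RSA_WITH_AES_128_CBC_SHA
             "
             SSLEngine="on" SSLEnabled="true"
             SSLPassword="placeholder"
             SSLCertificateFile="C:\\Tomcat 5.5\\conf\\newcerts\\server.crt"
             SSLCertificateKeyFile="C:\\Tomcat 5.5\\conf\\newcerts\\serverpriv.key"
             SSLCACertificateFile="C:\\Tomcat 5.5\\conf\\newcerts\\gdig2.crt" />
  <Connector port="8080" protocol="HTTP/1.1" />
</Service></Server>"""

FILE_ATTRS = ("SSLCertificateFile", "SSLCertificateKeyFile",
              "SSLCACertificateFile", "SSLCertificateChainFile")
# Suites the poster already plans to retire (RC4) plus MD5-MAC suites.
WEAK_MARKERS = ("RC4", "MD5")


def split_ciphers(value):
    """Split a ciphers attribute on commas/whitespace, dropping empties."""
    return [c for c in value.replace(",", " ").split() if c]


def check_connector(conn, isfile=os.path.isfile):
    """Return a list of findings for one SSL-enabled <Connector> element.

    `isfile` is injectable (hypothetical) so the check can be exercised against
    a fake filesystem; by default it consults the real one.
    """
    findings = []
    # 1. Every configured file must be openable: tomcat-native hands the path
    #    straight to OpenSSL, and a failed fopen surfaces at init time as
    #    "Unable to load certificate key ... fopen:..." in the Catalina log.
    for attr in FILE_ATTRS:
        path = conn.get(attr)
        if path is not None and not isfile(path):
            findings.append(f"{attr}: cannot open {path!r}")
    raw = conn.get("ciphers")
    if raw is not None:
        # 2. The XML parser turns line breaks inside the attribute into spaces,
        #    so a value split across lines shows up as surrounding/doubled
        #    whitespace here; the list should be a single clean line.
        if raw != raw.strip() or "  " in raw:
            findings.append("ciphers: value contains line breaks or stray whitespace")
        names = split_ciphers(raw)
        # 3. TLS_.../SSL_... are JSSE names; OpenSSL wants its own cipher-string
        #    syntax (Tomcat 5.5/6 read it from SSLCipherSuite on APR connectors).
        if conn.get("SSLEngine", "").lower() == "on" and any(
                n.startswith(("TLS_", "SSL_")) for n in names):
            findings.append("ciphers: JSSE-style suite names on an APR connector")
        # 4. Flag suites the poster already intends to remove.
        for n in names:
            if any(m in n for m in WEAK_MARKERS):
                findings.append(f"ciphers: weak suite {n}")
    return findings


def check_server_xml(xml_text, isfile=os.path.isfile):
    """Map port -> findings for every SSL-enabled connector in server.xml."""
    root = ET.fromstring(xml_text)
    report = {}
    for conn in root.iter("Connector"):
        if conn.get("SSLEnabled", "").lower() == "true" or conn.get("scheme") == "https":
            report[conn.get("port")] = check_connector(conn, isfile)
    return report


if __name__ == "__main__":
    for port, findings in check_server_xml(SAMPLE_SERVER_XML).items():
        print(f"Connector on port {port}:")
        for finding in findings or ["no findings"]:
            print("  -", finding)
```

On the actual box you would feed it the real file, `check_server_xml(open(r"C:\Tomcat 5.5\conf\server.xml").read())`, running it as the account the Tomcat service runs under: the script only proves the path is readable by whoever runs it, and a key file that the logged-in administrator can open may still be unreadable to the service account.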