
I'm installing a JKS certificate on my Ubuntu Tomcat server. I've searched but still can't solve it. The browser can connect to Tomcat on 8080, but it's not transmitted over HTTPS. I used the command keytool -importkeystore -srckeystore **.pfx -destkeystore **.jks -srcstoretype PKCS12 -deststoretype JKS to convert the PFX to JKS format.

conf/server.xml is :

<Connector port="8443" protocol="HTTP/1.1"
    maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
    keystoreFile="/home/hel/key/my.jks" 
    keystorePass="***"
    keyAlias="***" 
    clientAuth="false" sslProtocol="TLS" />

Added:
At the same time, I tried another configuration (but it output the same exceptions):

<Connector port="8443" protocol="HTTP/1.1"
               maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
               keystoreFile="/home/hel/key/***.pfx"
               keystoreType="PKCS12"
               keystorePass="***"
               keyAlias="***" 
               clientAuth="false" sslProtocol="TLS" />

There are four files in the directory /home/hel/key: .key, .pem, .pfx, .jks.

Added: I've replaced certificateKeyAlias="***" with keyAlias="***", and the exceptions disappear. But port 8443 still can't be connected to, and 8080 is not transmitted over HTTPS. How can I check it? netstat shows ports 8080 and 8443 are really listening.

localhost.log

INFO [localhost-startStop-2] org.apache.catalina.core.ApplicationContext.log SessionListener: contextDestroyed()
INFO [localhost-startStop-2] org.apache.catalina.core.ApplicationContext.log ContextListener: contextDestroyed()
INFO [localhost-startStop-1] org.apache.catalina.core.ApplicationContext.log ContextListener: contextInitialized()
INFO [localhost-startStop-1] org.apache.catalina.core.ApplicationContext.log SessionListener: contextInitialized()

localhost_access_log.txt

"GET /Beer-v1/ HTTP/1.1" 304 -
"GET /Beer-v1/css/a.css HTTP/1.1" 304 -

catalina.log

NG tomcat.util.digester.SetPropertiesRule.begin [SetPropertiesRule]{Server/Service/Engine/Realm} Setting property 'digest' to 'MD5' did not find a matching property.
NG tomcat.util.digester.Digester.endElement No rules found matching 'Server/Service/Engine/Resource'.

Added:
I downloaded a clean copy of Tomcat 9 and added the code to the original conf/server.xml. In catalina.out, java.security.UnrecoverableKeyException: Cannot recover key happens.

<Connector
    port="8443"
    protocol="org.apache.coyote.http11.Http11NioProtocol"
    connectionTimeout="20000"
    redirectPort="8443"
    scheme="https" 
    secure="true" 
    SSLEnabled="true"
    sslProtocol="TLS"
    keystoreFile="conf/***.jks"
    keystorePass="***" 
    keystoreType="JKS"
    clientAuth="false"
    />
user7328234
  • 393
  • 7
  • 23

2 Answers


It seems Tomcat is not finding the private key of the certificate in the keystore.

Since you have not specified the attribute keyAlias in the Connector, Tomcat will try to load the first key found in the keystore. See the documentation of certificateKeyAlias:

The alias used for the server key and certificate in the keystore. If not specified, the first key read from the keystore will be used. The order in which keys are read from the keystore is implementation dependent. It may not be the case that keys are read from the keystore in the same order as they were added. If more than one key is present in the keystore it is strongly recommended that a keyAlias is configured to ensure that the correct key is used.

Check the keystore to see if the private key is present, and what its alias is. You can list the entries with

 keytool -list -v -keystore keystore.jks

Note: you can use the PKCS12 file directly by setting

 keystoreType = "PKCS12"

UPDATED: Tomcat SSL configuration

This is the minimum configuration of Tomcat for an SSL connector (using the deprecated attributes) in conf/server.xml, with a self-signed certificate issued for 127.0.0.1 and copied into conf/

<Connector
    port="8443"
    protocol="org.apache.coyote.http11.Http11NioProtocol"
    connectionTimeout="20000"
    redirectPort="8443"
    scheme="https" 
    secure="true" 
    SSLEnabled="true"
    sslProtocol="TLS"
    keystoreFile="conf/keystore.jks"
    keystorePass="a1b2c3d4e5" 
    keystoreType="JKS"
    clientAuth="false"
    />

I have tested it with a clean copy of tomcat 9 and JRE 1.8, with URL https://127.0.0.1:8443

pedrofb
  • 37,271
  • 5
  • 94
  • 142
  • See https://httpstatuses.com/304. Could you clean tomcat work directory and browser cache(CTRL F5) ? Please post also the info of chrome debugger – pedrofb Dec 26 '16 at 14:34
  • I've removed my application directory and now hostname:8443 shows the Apache homepage. Cookies have been cleaned. How do I see the Chrome debugger? Do you mean the page console output? The page console shows: **Failed to load resource: net::ERR_EMPTY_RESPONSE http://hostname:8443/:1 GET http://hostname.cc:8443/ net::ERR_EMPTY_RESPONSE** – user7328234 Dec 26 '16 at 14:51
  • The last comment is in error: now hostname:8080 shows the Apache homepage, not 8443. Port 8443 still can't be connected to. – user7328234 Dec 26 '16 at 15:00
  • I'm really overshadowed by your setup. There must be some point that I do not see and that does not work. I have downloaded a clean copy of Tomcat 9 and configured a self-signed certificate. You have the instructions and the certificate in the answer. I suggest you do the same: configure Tomcat from scratch and add your own configuration step by step – pedrofb Dec 26 '16 at 18:06
  • Do you mean don't change anything in the original server.xml? Just add a new ``? – user7328234 Dec 27 '16 at 02:37
  • Just add the new ` – pedrofb Dec 27 '16 at 07:31

This link helped me: java.security.UnrecoverableKeyException: Cannot recover key.

When converting PFX to JKS with the command keytool -importkeystore -srckeystore **.pfx -destkeystore **.jks -srcstoretype PKCS12 -deststoretype JKS, set the destination keystore password the same as the key password. And remember to put the .jks file in the right path; I think it was in the wrong place. As for the self-signed certificate, I find it isn't necessary to set the keystore password the same as the key password.

Thanks to pedrofb. You helped me so much.

user7328234
  • 393
  • 7
  • 23
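As an added example (not code from this thread, and not Tomcat's or the JDK's own code), here is a stdlib-only Python re-implementation of the JKS container and of Sun's key-protection scheme, written from the format used by the JDK's JavaKeyStore and KeyProtector classes. It ties together pedrofb's advice to inspect the keystore and the second answer's password fix: read_jks verifies the store password and lists the private-key entries (what keytool -list shows), recover_key performs the same keyed-hash check the JDK runs when Tomcat opens the key, and demo() reproduces the scenario in the thread: a key imported from a PFX whose password differs from the new JKS store password, which Tomcat then tries to open with keystorePass because keyPass (certificateKeyPassword in Tomcat 8.5 and later) defaults to it. The passwords, the PKCS#8 stand-in and the placeholder certificate in demo() are constructed values, and only private-key entries are parsed.

```python
import hashlib, os, struct, time

MAGIC, VERSION, SALT_LEN, DIGEST_LEN = 0xFEEDFEED, 2, 20, 20   # JKS v2; SHA-1 throughout
KEY_PROTECTOR_OID = bytes.fromhex("2b060104012a02110101")      # DER of 1.3.6.1.4.1.42.2.17.1.1
MAGIC_STRING = b"Mighty Aphrodite"                             # mixed into the integrity digest

class UnrecoverableKeyError(Exception):
    """Stand-in for java.security.UnrecoverableKeyException."""

def _pw(password):                        # Java feeds each password char as two big-endian bytes
    return password.encode("utf-16-be")

def _der(tag, body):                      # DER TLV, short or long length form
    n = len(body)
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big") if n >= 0x80 else b""
    return bytes([tag]) + (bytes([0x80 | len(raw)]) + raw if raw else bytes([n])) + body

def _der_read(buf, pos):                  # -> (tag, body, position after the element)
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:
        n, pos = int.from_bytes(buf[pos:pos + (n & 0x7F)], "big"), pos + (n & 0x7F)
    return tag, buf[pos:pos + n], pos + n

def _keystream(pw, salt, length):         # SHA-1 chained over (password || previous digest)
    out, digest = b"", salt
    while len(out) < length:
        digest = hashlib.sha1(pw + digest).digest()
        out += digest
    return out[:length]

def protect_key(plain_key, key_password, salt=None):
    """KeyProtector.protect: XOR the PKCS#8 blob with the keystream, append a keyed check hash."""
    pw, salt = _pw(key_password), salt or os.urandom(SALT_LEN)
    xored = bytes(a ^ b for a, b in zip(plain_key, _keystream(pw, salt, len(plain_key))))
    alg = _der(0x30, _der(0x06, KEY_PROTECTOR_OID) + b"\x05\x00")
    return _der(0x30, alg + _der(0x04, salt + xored + hashlib.sha1(pw + plain_key).digest()))

def recover_key(protected, key_password):
    """KeyProtector.recover: a check-hash mismatch is what Tomcat logs as 'Cannot recover key'."""
    seq = _der_read(protected, 0)[1]                           # EncryptedPrivateKeyInfo body
    _, alg, pos = _der_read(seq, 0)
    if _der_read(alg, 0)[1] != KEY_PROTECTOR_OID:
        raise UnrecoverableKeyError("Unsupported key protection algorithm")
    data, pw = _der_read(seq, pos)[1], _pw(key_password)
    salt, body, check = data[:SALT_LEN], data[SALT_LEN:-DIGEST_LEN], data[-DIGEST_LEN:]
    plain = bytes(a ^ b for a, b in zip(body, _keystream(pw, salt, len(body))))
    if hashlib.sha1(pw + plain).digest() != check:
        raise UnrecoverableKeyError("Cannot recover key")
    return plain

def _lp(buf, pos, fmt):                   # length-prefixed field: readUTF (">H") or readInt + bytes (">I")
    n, pos = struct.unpack_from(fmt, buf, pos)[0], pos + struct.calcsize(fmt)
    return buf[pos:pos + n], pos + n

def write_jks(entries, store_password):   # entries: [(alias, protected_key, [cert_der, ...])]
    out = struct.pack(">III", MAGIC, VERSION, len(entries))
    for alias, protected, chain in entries:
        a = alias.lower().encode("utf-8")                      # JavaKeyStore lower-cases aliases
        out += struct.pack(">IH", 1, len(a)) + a + struct.pack(">q", int(time.time() * 1000))
        out += struct.pack(">I", len(protected)) + protected + struct.pack(">I", len(chain))
        for cert in chain:
            out += struct.pack(">H", 5) + b"X.509" + struct.pack(">I", len(cert)) + cert
    return out + hashlib.sha1(_pw(store_password) + MAGIC_STRING + out).digest()

def read_jks(blob, store_password):       # -> {alias: (protected_key, [cert_der, ...])}
    if struct.unpack_from(">II", blob, 0) != (MAGIC, VERSION):  # e.g. the .pfx given as keystoreFile
        raise ValueError("not a version-2 JKS keystore")
    body, digest = blob[:-DIGEST_LEN], blob[-DIGEST_LEN:]
    if hashlib.sha1(_pw(store_password) + MAGIC_STRING + body).digest() != digest:
        raise IOError("Keystore was tampered with, or password was incorrect")
    pos, entries = 12, {}
    for _ in range(struct.unpack_from(">I", body, 8)[0]):
        tag = struct.unpack_from(">I", body, pos)[0]
        alias, pos = _lp(body, pos + 4, ">H")
        if tag != 1:                                           # 2 would be a trustedCertEntry
            raise ValueError("%r is not a private-key entry (tag %d)" % (alias, tag))
        protected, pos = _lp(body, pos + 8, ">I")              # +8 skips the creation timestamp
        nchain, pos, chain = struct.unpack_from(">I", body, pos)[0], pos + 4, []
        for _ in range(nchain):
            _, pos = _lp(body, pos, ">H")                      # certificate type, e.g. "X.509"
            cert, pos = _lp(body, pos, ">I")
            chain.append(cert)
        entries[alias.decode("utf-8")] = (protected, chain)
    return entries

def demo():
    """The thread's failure and its fix, on a constructed store; no JDK involved."""
    pkcs8 = b"\x30\x82\x04\xa2" + bytes(range(256)) * 4        # constructed stand-in for a PKCS#8 key
    cert = b"\x30\x82\x03\x10constructed placeholder, not a real certificate"
    pfx_password, jks_password = "pfx-secret", "jks-secret"   # constructed values
    # keytool -importkeystore ... -deststoretype JKS without -destkeypass: the key stays under
    # the source (PFX) password while the store is sealed with the new destination password.
    store = write_jks([("tomcat", protect_key(pkcs8, pfx_password), [cert])], jks_password)
    protected, chain = read_jks(store, jks_password)["tomcat"]   # store password is right...
    try:   # ...but Tomcat's keyPass / certificateKeyPassword defaults to keystorePass
        recover_key(protected, jks_password)
        error = None
    except UnrecoverableKeyError as e:
        error = str(e)
    # Fix from the second answer: re-protect the key under the store password
    # (keytool -importkeystore ... -destkeypass jks-secret, or keytool -keypasswd afterwards).
    plain = recover_key(protected, pfx_password)
    fixed = write_jks([("tomcat", protect_key(plain, jks_password), chain)], jks_password)
    ok = recover_key(read_jks(fixed, jks_password)["tomcat"][0], jks_password) == pkcs8
    return {"error_with_store_password": error, "fixed_key_ok": ok}
```

demo() returns {'error_with_store_password': 'Cannot recover key', 'fixed_key_ok': True}. To inspect the keystore from the question, pass open('/home/hel/key/my.jks', 'rb').read() and the keystore password to read_jks, then call recover_key on each entry with the password you intend to give Tomcat: an exception there is the same failure the connector logs, and a ValueError from the magic check means the file is not a JKS at all (for example a .pfx referenced without keystoreType="PKCS12").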