
I have a VPS running tomcat9, and I cannot manage to install the certificate. I got a certificate using certbot (Let's Encrypt), and now I have the files:

/etc/letsencrypt/live/mydomain.org/fullchain.pem
/etc/letsencrypt/live/mydomain.org/privkey.pem

I don't know what to do with them. I followed a lot of different tutorials, blogs, documentation pages including this one https://tomcat.apache.org/tomcat-9.0-doc/ssl-howto.html and it never works.

Currently, I created a JKS keystore and imported my certificate

keytool -importcert -alias root -file /etc/letsencrypt/live/mydomain.org/fullchain.pem -keystore mydomain.jks 

In server.xml I have

<Connector port="80" protocol="HTTP/1.1"
        connectionTimeout="20000"
        redirectPort="8443" />
<Connector port="443" protocol="HTTP/1.1"
        connectionTimeout="20000"
        redirectPort="8443" />
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
        maxThreads="150" SSLEnabled="true" URIEncoding="UTF-8" >
    <SSLHostConfig>
        <Certificate certificateKeystoreFile="/home/tomcat/files/mydomain.jks"
            keystoreType="JKS" 
            keystorePass="mypassword"/>
    </SSLHostConfig>
</Connector>

But when I restart my tomcat9 service I have the following in the logs:

SEVERE [main] org.apache.catalina.util.LifecycleBase.handleSubClassException Failed to initialize component [Connector[HTTP/1.1-8443]]
        org.apache.catalina.LifecycleException: Protocol handler initialization failed
                at org.apache.catalina.connector.Connector.initInternal(Connector.java:1013)
                at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
                at org.apache.catalina.core.StandardService.initInternal(StandardService.java:533)
                at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
                at org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:1057)
                at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
                at org.apache.catalina.startup.Catalina.load(Catalina.java:584)
                at org.apache.catalina.startup.Catalina.load(Catalina.java:607)
                at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
                at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
                at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
                at java.lang.reflect.Method.invoke(Method.java:498)
                at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:303)
                at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:473)
        Caused by: java.lang.IllegalArgumentException: Keystore was tampered with, or password was incorrect
                at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:99)
                at org.apache.tomcat.util.net.AbstractJsseEndpoint.initialiseSsl(AbstractJsseEndpoint.java:71)
                at org.apache.tomcat.util.net.NioEndpoint.bind(NioEndpoint.java:217)
                at org.apache.tomcat.util.net.AbstractEndpoint.bindWithCleanup(AbstractEndpoint.java:1141)
                at org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:1154)
                at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:581)
                at org.apache.coyote.http11.AbstractHttp11Protocol.init(AbstractHttp11Protocol.java:74)
                at org.apache.catalina.connector.Connector.initInternal(Connector.java:1010)
                ... 13 more
        Caused by: java.io.IOException: Keystore was tampered with, or password was incorrect
                at sun.security.provider.JavaKeyStore.engineLoad(JavaKeyStore.java:792)
                at sun.security.provider.JavaKeyStore$JKS.engineLoad(JavaKeyStore.java:57)
                at sun.security.provider.KeyStoreDelegator.engineLoad(KeyStoreDelegator.java:224)
                at sun.security.provider.JavaKeyStore$DualFormatJKS.engineLoad(JavaKeyStore.java:71)
                at java.security.KeyStore.load(KeyStore.java:1445)
                at org.apache.tomcat.util.security.KeyStoreUtil.load(KeyStoreUtil.java:69)
                at org.apache.tomcat.util.net.SSLUtilBase.getStore(SSLUtilBase.java:217)
                at org.apache.tomcat.util.net.SSLHostConfigCertificate.getCertificateKeystore(SSLHostConfigCertificate.java:206)
                at org.apache.tomcat.util.net.SSLUtilBase.getKeyManagers(SSLUtilBase.java:283)
                at org.apache.tomcat.util.net.openssl.OpenSSLUtil.getKeyManagers(OpenSSLUtil.java:98)
                at org.apache.tomcat.util.net.SSLUtilBase.createSSLContext(SSLUtilBase.java:247)
                at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:97)
                ... 20 more
        Caused by: java.security.UnrecoverableKeyException: Password verification failed
                at sun.security.provider.JavaKeyStore.engineLoad(JavaKeyStore.java:790)
                ... 31 more

I changed the password and I still have the issue, so I think the error comes from somewhere else. Could anyone give me a step by step procedure to install this certificate?

Thanks

lolo
  • Does this answer your question? [Enabling SSL on tomcat using pem file](https://stackoverflow.com/questions/49386683/enabling-ssl-on-tomcat-using-pem-file) – Piotr P. Karwasz Feb 15 '22 at 18:46

1 Answer


The correct key for the password is

certificateKeystorePassword

(Credits to Marquinio.)

Skippy le Grand Gourou
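As an added worked example (not code from the question or the answer above, and not Tomcat's or certbot's own tooling), the whole procedure in shell: check that privkey.pem really belongs to the leaf certificate in fullchain.pem, package key plus chain into a PKCS12 store with openssl, open the store with the password the way Tomcat does at startup so a bad password shows up before the restart, and print a connector using the attribute names that Tomcat 9's `<Certificate>` element actually reads. The alias `tomcat`, the output path under /home/tomcat/files and the password are assumptions; the demo input is a constructed self-signed certificate standing in for the real Let's Encrypt files.

```shell
#!/bin/sh
# Added example, not part of the original question or answer.
# Builds a PKCS12 keystore from certbot's fullchain.pem + privkey.pem, checks
# that it opens with the given password (the check Tomcat performs when the
# connector initialises), and prints a matching <Connector>. Requires openssl.
# The alias "tomcat" and all paths are assumptions; the demo inputs are a
# constructed self-signed certificate standing in for the Let's Encrypt files.
set -eu

# The private key must belong to the first (leaf) certificate in fullchain.pem.
# keytool -importcert only stores certificates, never a key, so a store built
# that way can never terminate TLS no matter what the password is.
key_matches_cert() {         # $1 fullchain.pem  $2 privkey.pem
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey)
    key_pub=$(openssl pkey -in "$2" -pubout)
    [ "$cert_pub" = "$key_pub" ]
}

# Package key + leaf + intermediates under one alias. openssl reads every
# certificate in fullchain.pem: the one matching the key becomes the entry's
# certificate, the others become its chain.
# "pass:" puts the password in the process list; on a shared host prefer
# -passout env:VAR or -passout file:path instead.
make_keystore() {            # $1 fullchain  $2 privkey  $3 out.p12  $4 password
    openssl pkcs12 -export -in "$1" -inkey "$2" -name tomcat \
        -out "$3" -passout "pass:$4"
}

# Open the store with a password, as Tomcat does when the connector starts.
# With the wrong password the MAC check fails, which is the same condition
# Java reports as "Keystore was tampered with, or password was incorrect".
keystore_opens() {           # $1 store  $2 password
    openssl pkcs12 -in "$1" -passin "pass:$2" -noout 2>/dev/null
}

# Connector fragment for server.xml. The attributes that <Certificate> reads are
# certificateKeystoreFile / certificateKeystoreType / certificateKeystorePassword;
# keystorePass and keystoreType belong to the old Connector-level syntax.
render_connector() {         # $1 store path  $2 password
    cat <<EOF
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           maxThreads="150" SSLEnabled="true" URIEncoding="UTF-8">
    <SSLHostConfig>
        <Certificate certificateKeystoreFile="$1"
                     certificateKeystoreType="PKCS12"
                     certificateKeystorePassword="$2"/>
    </SSLHostConfig>
</Connector>
EOF
}

# Constructed stand-in for /etc/letsencrypt/live/mydomain.org/: a throwaway
# self-signed certificate and key written into directory $1.
make_demo_inputs() {
    openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=mydomain.org" \
        -days 1 -keyout "$1/privkey.pem" -out "$1/fullchain.pem" 2>/dev/null
}

demo() {
    dir=$(mktemp -d)
    make_demo_inputs "$dir"
    key_matches_cert "$dir/fullchain.pem" "$dir/privkey.pem"
    make_keystore "$dir/fullchain.pem" "$dir/privkey.pem" "$dir/mydomain.p12" mypassword
    keystore_opens "$dir/mydomain.p12" mypassword
    if keystore_opens "$dir/mydomain.p12" wrongpassword; then
        echo "wrong password accepted" >&2
        exit 1
    fi
    render_connector "/home/tomcat/files/mydomain.p12" mypassword
    rm -rf "$dir"
}

demo
```

Run it against the real files as `make_keystore /etc/letsencrypt/live/mydomain.org/fullchain.pem /etc/letsencrypt/live/mydomain.org/privkey.pem /home/tomcat/files/mydomain.p12 "$PASS"`; the live directory is normally readable only by root, so copy the store somewhere the tomcat user can read and rebuild it from a certbot renewal hook, otherwise the connector keeps serving the old certificate after renewal. Tomcat 9 can also skip the keystore entirely: `<Certificate certificateFile="…/cert.pem" certificateKeyFile="…/privkey.pem" certificateChainFile="…/chain.pem"/>` reads the PEM files directly, subject to the same file-permission caveat. If an older JVM refuses the PKCS12 file produced by OpenSSL 3, regenerate it with `-legacy` added to the `openssl pkcs12 -export` line.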