tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Richard Tearle <richard.tea...@northgateps.com>
Subject Re: Connection closed error and certificateVerification="required"
Date Tue, 20 Mar 2018 14:49:57 GMT
Hello

On 20 March 2018 at 11:29, Mark Thomas <markt@apache.org> wrote:
>
> On 20/03/18 07:52, Richard Tearle wrote:
> > Hello
> >
> > We have 4 applications built on the same architecture with a web UI
> > and camel based ESB running in separate Tomcat's, using REST/XML to
> > communicate between the two. This is all deployed within separate
> > Docker containers but on the same VM (at least for test), either on
> > Centos Linux or Oracle Linux. This all works on Tomcat 8.0.x. We've
> > been upgrading to Tomcat 8.5.x since November last year, but this has
> > been hampered by what looks to be random connection closed errors when
> > our UI communicates to the ESB. We have a series of Selenium based
> > autotests which will fail in different places, but with the same
> > error:
>
> <snip/>
>
> There are rather too many factors at play here. It would be good to try
> and eliminate some of them.
>
> What are the known working 8.0.x versions?
>
> I looks like you are using JSSE with 8.0.x. It should be possible to use
> the exact same configuration with 8.5.x. No need to use the native
> library and no need to switch to the new configuration style.
>
> Lets try and get 8.5.x working with JSSE. That should help narrow down
> the root cause. What happens when you transfer the working 8.0.x config
> to 8.5.x?

On startup we get:

20-Mar-2018 14:43:18.908 SEVERE [main]
org.apache.catalina.util.LifecycleBase.handleSubClassException Failed
to initialize component [Connector[HTTP/1.1-4001]]
 org.apache.catalina.LifecycleException: Protocol handler initialization failed
        at org.apache.catalina.connector.Connector.initInternal(Connector.java:935)
        at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
        at org.apache.catalina.core.StandardService.initInternal(StandardService.java:530)
        at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
        at org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:852)
        at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
        at org.apache.catalina.startup.Catalina.load(Catalina.java:633)
        at org.apache.catalina.startup.Catalina.load(Catalina.java:656)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:498)
        at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:309)
        at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:492)
Caused by: java.lang.IllegalArgumentException: the trustAnchors
parameter must be non-empty
        at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:114)
        at org.apache.tomcat.util.net.AbstractJsseEndpoint.initialiseSsl(AbstractJsseEndpoint.java:85)
        at org.apache.tomcat.util.net.NioEndpoint.bind(NioEndpoint.java:216)
        at org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:1043)
        at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:540)
        at org.apache.coyote.http11.AbstractHttp11Protocol.init(AbstractHttp11Protocol.java:74)
        at org.apache.catalina.connector.Connector.initInternal(Connector.java:932)
        ... 13 more
Caused by: java.security.InvalidAlgorithmParameterException: the
trustAnchors parameter must be non-empty
        at java.security.cert.PKIXParameters.setTrustAnchors(PKIXParameters.java:200)
        at java.security.cert.PKIXParameters.<init>(PKIXParameters.java:157)
        at java.security.cert.PKIXBuilderParameters.<init>(PKIXBuilderParameters.java:130)
        at org.apache.tomcat.util.net.jsse.JSSEUtil.getParameters(JSSEUtil.java:389)
        at org.apache.tomcat.util.net.jsse.JSSEUtil.getTrustManagers(JSSEUtil.java:313)
        at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:112)
        ... 19 more

> Also, anything you can do to reduce the complexity of the test
> application (ideally reducing it to simple Servlets/JSPs) would make it
> easier for others to reproduce the issue.

I can ZIP my code and drop it somewhere if that will help.

> Hmm. That looks like a controlled shutdown. Random thought, does setting
> disableSessionTickets="true" help at all when using OpenSSL?
>

I'm afraid that didn't work, but thanks for the suggestion.

> Mark
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org
>


-- 

Richard

-- 
This email is sent on behalf of Northgate Public Services (UK) Limited and 
its associated companies including Rave Technologies (India) Pvt Limited 
(together "Northgate Public Services") and is strictly confidential and 
intended solely for the addressee(s). 
If you are not the intended recipient of this email you must: (i) not 
disclose, copy or distribute its contents to any other person nor use its 
contents in any way or you may be acting unlawfully;  (ii) contact 
Northgate Public Services immediately on +44(0)1442 768445 quoting the name 
of the sender and the addressee then delete it from your system.
Northgate Public Services has taken reasonable precautions to ensure that 
no viruses are contained in this email, but does not accept any 
responsibility once this email has been transmitted.  You should scan 
attachments (if any) for viruses.

Northgate Public Services (UK) Limited, registered in England and Wales 
under number 00968498 with a registered address of Peoplebuilding 2, 
Peoplebuilding Estate, Maylands Avenue, Hemel Hempstead, Hertfordshire, HP2 
4NW.  Rave Technologies (India) Pvt Limited, registered in India under 
number 117068 with a registered address of 2nd Floor, Ballard House, Adi 
Marzban Marg, Ballard Estate, Mumbai, Maharashtra, India, 400001.

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Mime
View raw message