The certificate is renewed without errors, but when starting Tomcat, it fails while starting the NioSelectorPool protocol.
In order to continue operating, we had to point to the .pem files of the certificates from the previous renewal in the archive directory (we still have days left). It is an automatic renewal that has always worked correctly, and this time it started to give this error.
Error in catalina.out:
java.security.KeyStoreException: Cannot store non-PrivateKeys
StackTrace:
org.apache.catalina.LifecycleException: Failed to initialize component [Connector[HTTP/1.1-443]]
at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:112)
at org.apache.catalina.core.StandardService.initInternal(StandardService.java:552)
at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:107)
at org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:875)
at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:107)
at org.apache.catalina.startup.Catalina.load(Catalina.java:632)
at org.apache.catalina.startup.Catalina.load(Catalina.java:655)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:309)
at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:492)
Caused by: org.apache.catalina.LifecycleException: Protocol handler initialization failed
at org.apache.catalina.connector.Connector.initInternal(Connector.java:995)
at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:107)
...12 more
Caused by: java.lang.IllegalArgumentException: Cannot store non-PrivateKeys
at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:115)
at org.apache.tomcat.util.net.AbstractJsseEndpoint.initialiseSsl(AbstractJsseEndpoint.java:86)
at org.apache.tomcat.util.net.NioEndpoint.bind(NioEndpoint.java:244)
at org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:1087)
at org.apache.tomcat.util.net.AbstractJsseEndpoint.init(AbstractJsseEndpoint.java:265)
at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:581)
at org.apache.coyote.http11.AbstractHttp11Protocol.init(AbstractHttp11Protocol.java:68)
at org.apache.catalina.connector.Connector.initInternal(Connector.java:993)
... 13 more
Caused by: java.security.KeyStoreException: Cannot store non-PrivateKeys
at sun.security.provider.JavaKeyStore.engineSetKeyEntry(JavaKeyStore.java:258)
at sun.security.provider.JavaKeyStore$JKS.engineSetKeyEntry(JavaKeyStore.java:56)
at sun.security.provider.KeyStoreDelegator.engineSetKeyEntry(KeyStoreDelegator.java:117)
at sun.security.provider.JavaKeyStore$DualFormatJKS.engineSetKeyEntry(JavaKeyStore.java:70)
at java.security.KeyStore.setKeyEntry(KeyStore.java:1140)
at org.apache.tomcat.util.net.jsse.JSSEUtil.getKeyManagers(JSSEUtil.java:225)
at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:113)
...20 more
I ran this command: sudo certbot renew --force-renewal -d example.com (my domain)
It produced this output: java.security.KeyStoreException: Cannot store non-PrivateKeys
web server: Apache Tomcat/8.5.34
The operating system my web server runs on is (include version): Ubuntu 22.04.3 LTS
You need to provide your actual domain name before anyone can do that.
Please do not use that option. It doesn't magically fix any underlying problem and it often tends to create new problems with rate limiting.
Once you provide your actual domain name we can confirm the status of your certificate. Then, if anyone here is familiar with Tomcat, they may be able to offer further guidance.
You appear to have obtained three EC certificates and an RSA certificate for web.aulanexo.com today, as well as an RSA certificate yesterday and another RSA certificate the day before.
What shows when you run sudo certbot certificates? (Please use </> Preformatted text to preserve formatting and make it easier for us to read.)
I don't think the problem is the Java KeyStore. It's a domain that has been around for a long time and has had many automatic renewals with Let's Encrypt and certbot. As a workaround, we reconfigured Tomcat with the .pem files from the "archive" directory prior to the last renewal (they are valid for a few more days) and it works.
It works with the previous files and it doesn't work with the renewed ones. The only thing that changes is the files that certbot installs in the renewal.
You should refer Tomcat directly to the .../live/ folder instead. Those are symlinks to the most recent set of cert files in /archive. Pointing directly at the numbered set of files in /archive is not recommended.
Why is that only a work-around? Can't you just use the .pem files permanently?
I don't see any problem except about the Java KeyStore. I don't know enough about it to debug that. Maybe a different volunteer will know. Or, have you tried a KeyStore support forum?
Yeah, but you said you could point Tomcat directly to the .pem files in /archive and that worked. It was just that you were pointed to a soon-to-expire cert.
If you instead point Tomcat to the /live/ folder it will be the most recent cert. And, will always be the most recent cert. Why can't you just do that?
Can you check with e.g. openssl x509 -noout -text -in /path/to/cert.pem what the difference is between the working PEM file and the not working PEM file?
Hi,
I see the files are similar to each other. Maybe you can see something different.
This is a long-running production site that has had this configuration without modifications. If Tomcat doesn't like ECDSA, it shouldn't have worked before?
Old .pem file
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
03:a7:7b:a9:9b:e9:ba:85:4c:d4:9c:58:a4:37:6b:f2:54:27
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=US, O=Let's Encrypt, CN=R11
Validity
Not Before: Nov 12 03:03:40 2024 GMT
Not After : Feb 10 03:03:39 2025 GMT
Subject: CN=web.aulanexo.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Key Usage: critical
Digital Signature, Key Encipherment
X509v3 Extended Key Usage:
TLS Web Server Authentication, TLS Web Client Authentication
X509v3 Basic Constraints: critical
CA:FALSE
X509v3 Subject Key Identifier:
7E:DD:B7:3C:06:C1:BA:F3:0B:01:17:FA:30:AA:6F:FE:15:9B:DB:E4
X509v3 Authority Key Identifier:
keyid:C5:CF:46:A4:EA:F4:C3:C0:7A:6C:95:C4:2D:B0:5E:92:2F:26:E3:B9
Authority Information Access:
OCSP - URI:http://r11.o.lencr.org
CA Issuers - URI:http://r11.i.lencr.org/
X509v3 Subject Alternative Name:
DNS:web.aulanexo.com
X509v3 Certificate Policies:
Policy: 2.23.140.1.2.1
CT Precertificate SCTs:
Signed Certificate Timestamp:
Version : v1(0)
Log ID : 7D:59:1E:12:E1:78:2A:7B:1C:61:67:7C:5E:FD:F8:D0:
87:5C:14:A0:4E:95:9E:B9:03:2F:D9:0E:8C:2E:79:B8
Timestamp : Nov 12 04:02:10.275 2024 GMT
Extensions: none
Signature : ecdsa-with-SHA256
Signed Certificate Timestamp:
Version : v1(0)
Log ID : 13:4A:DF:1A:B5:98:42:09:78:0C:6F:EF:4C:7A:91:A4:
16:B7:23:49:CE:58:57:6A:DF:AE:DA:A7:C2:AB:E0:22
Timestamp : Nov 12 04:02:10.523 2024 GMT
Extensions: none
Signature : ecdsa-with-SHA256
Signature Algorithm: sha256WithRSAEncryption
Renewed .pem file
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
03:e1:02:bf:8a:4f:35:41:11:21:ab:fa:78:b2:cf:73:6c:89
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=US, O=Let's Encrypt, CN=R11
Validity
Not Before: Jan 13 16:41:55 2025 GMT
Not After : Apr 13 16:41:54 2025 GMT
Subject: CN=web.aulanexo.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Key Usage: critical
Digital Signature, Key Encipherment
X509v3 Extended Key Usage:
TLS Web Server Authentication, TLS Web Client Authentication
X509v3 Basic Constraints: critical
CA:FALSE
X509v3 Subject Key Identifier:
61:06:1D:B9:9F:80:1B:44:5E:D5:55:43:CE:D2:49:48:D2:D8:BF:36
X509v3 Authority Key Identifier:
keyid:C5:CF:46:A4:EA:F4:C3:C0:7A:6C:95:C4:2D:B0:5E:92:2F:26:E3:B9
Authority Information Access:
OCSP - URI:http://r11.o.lencr.org
CA Issuers - URI:http://r11.i.lencr.org/
X509v3 Subject Alternative Name:
DNS:web.aulanexo.com
X509v3 Certificate Policies:
Policy: 2.23.140.1.2.1
CT Precertificate SCTs:
Signed Certificate Timestamp:
Version : v1(0)
Log ID : 73:20:22:0F:08:16:8A:F9:F3:C4:A6:8B:0A:B2:6A:9A:
4A:00:EE:F5:77:85:8A:08:4D:05:00:D4:A5:42:44:59
Timestamp : Jan 13 17:40:25.173 2025 GMT
Extensions: none
Signature : ecdsa-with-SHA256
Signed Certificate Timestamp:
Version : v1(0)
Log ID : CF:11:56:EE:D5:2E:7C:AF:F3:87:5B:D9:69:2E:9B:E9:
1A:71:67:4A:B0:17:EC:AC:01:D2:5B:77:CE:CC:3B:08
Timestamp : Jan 13 17:40:25.227 2025 GMT
Extensions: none
Signature : ecdsa-with-SHA256
Signature Algorithm: sha256WithRSAEncryption
And @Bruce5051 could you see if that changed between the previous certificate and the renewed one in the files I shared in the previous reply? I don't see any significant differences between the files.
The ones with an Issuer Name
starting with C=US, O=Let's Encrypt, CN=E are ECDSA requested and issued certificates.
starting with C=US, O=Let's Encrypt, CN=R are RSA requested and issued certificates.
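The checks the replies above suggest (point Tomcat at the /live/ symlinks rather than numbered archive files, compare the PEM files with openssl, and read the issuer CN to tell RSA from ECDSA), combined into one added diagnostic script. This is not code from the thread, from certbot or from Tomcat; the lineage path and the file names cert.pem/privkey.pem with certbot's numbered archive layout are assumptions, and it adds a private-key-to-certificate match check that the thread only hints at.

```shell
#!/bin/sh
# Added diagnostic (not from the thread). Assumed layout: a certbot lineage
# directory such as /etc/letsencrypt/live/<name>/ whose cert.pem and
# privkey.pem are symlinks into ../../archive/<name>/certN.pem, privkeyN.pem.
#   check_lineage /etc/letsencrypt/live/<name>   -> exit 0 when consistent

# Key algorithm of the certificate itself (rsaEncryption or id-ecPublicKey).
cert_key_alg() {
    openssl x509 -noout -text -in "$1" | sed -n 's/^ *Public Key Algorithm: //p'
}

# RSA / ECDSA as implied by the issuer CN (CN=R... vs CN=E...), as the last reply explains.
issuer_key_type() {
    case "$(openssl x509 -noout -issuer -nameopt RFC2253 -in "$1" | sed -n 's/.*CN=\([A-Za-z]\).*/\1/p')" in
        R) echo RSA ;;  E) echo ECDSA ;;  *) echo UNKNOWN ;;
    esac
}

# Numbered suffix of the archive file a live symlink resolves to (cert3.pem -> 3).
archive_serial() {
    basename "$(readlink -f "$1")" | sed 's/^[a-z]*\([0-9]*\)\.pem$/\1/'
}

check_lineage() {
    dir=$1; cert=$dir/cert.pem; key=$dir/privkey.pem; status=0
    echo "cert    -> $(readlink -f "$cert")"
    echo "privkey -> $(readlink -f "$key")"
    # 1. the live/ symlinks must point at the same generation of archive files
    if [ "$(archive_serial "$cert")" != "$(archive_serial "$key")" ]; then
        echo "FAIL: cert.pem and privkey.pem resolve to different archive generations"; status=1
    fi
    # 2. privkey.pem must parse as a private key at all
    if ! openssl pkey -in "$key" -noout 2>/dev/null; then
        echo "FAIL: $key does not parse as a private key"; return 1
    fi
    # 3. the private key must belong to the certificate: compare the public keys
    if [ "$(openssl x509 -noout -pubkey -in "$cert")" != "$(openssl pkey -in "$key" -pubout)" ]; then
        echo "FAIL: privkey.pem does not match cert.pem"; status=1
    fi
    echo "cert key algorithm: $(cert_key_alg "$cert"); issuer CN suggests: $(issuer_key_type "$cert")"
    return $status
}
```

Run it against the lineage Tomcat is configured with; a non-zero exit means the key and certificate Tomcat is being handed do not belong together, which is worth ruling out before debugging the KeyStore layer.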