Tuesday, May 12, 2020

Tomcat "Cannot recover key" SSL error

Tomcat has been enabled with SSL port. While renewing the SSL certificate, Tomcat server is throwing below error.

java.io.IOException: Cannot recover key
        at org.apache.tomcat.util.net.jsse.JSSESocketFactory.init(JSSESocketFactory.java:507)
        at org.apache.tomcat.util.net.jsse.JSSESocketFactory.createSocket(JSSESocketFactory.java:218)
        at org.apache.tomcat.util.net.JIoEndpoint.bind(JIoEndpoint.java:400)
        at org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:650)
        at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:434)
        at org.apache.coyote.http11.AbstractHttp11JsseProtocol.init(AbstractHttp11JsseProtocol.java:119)
        at org.apache.catalina.connector.Connector.initInternal(Connector.java:978)
        at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)
        at org.apache.catalina.core.StandardService.initInternal(StandardService.java:559)
        at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)
        at org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:821)
        at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)
        at org.apache.catalina.startup.Catalina.load(Catalina.java:642)
        at org.apache.catalina.startup.Catalina.load(Catalina.java:667)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)


The error indicates that key can't be recovered using the password specified in server.xml. SSL section in server.xml is as shown below. If you have wallet pfx/p12 file, then you may convert it to java keystore using the same wallet password to use for java keystore password. 

<Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol"  maxThreads="100" SSLEnabled="true" scheme="https" secure="true"            keystoreFile="/u01/app.jks" keystorePass="XXXXX"  clientAuth="false" SSLProtocol="TLS" sslEnabledProtocols="TLSv1.2" />

The keystorePass value is different from passphrase used while creating private key/cert. After recreating the java keystore with same password as key and updated server.xml with new password and Tomcat started working fine. 

No comments:

Post a Comment