EAP 6 "JBWEB003043: ... No Certificate file specified or invalid file format" when using native libraries
Environment
- Red Hat JBoss Enterprise Application Platform (EAP) 6.x
- JBossWeb Native library
Issue
- The https connector initialization fails when native=true. We get the following error when we try to use the native libraries:
ERROR [org.apache.coyote.http11] (MSC service thread 1-4) [] [] [] JBWEB003043: Error initializing endpoint: java.lang.Exception: No Certificate file specified or invalid file format
at org.apache.tomcat.jni.SSLContext.setCertificate(Native Method) [jbossweb-7.2.2.Final-redhat-1.jar:7.2.2.Final-redhat-1]
at org.apache.tomcat.util.net.AprEndpoint.init(AprEndpoint.java:649) [jbossweb-7.2.2.Final-redhat-1.jar:7.2.2.Final-redhat-1]
at org.apache.coyote.http11.Http11AprProtocol.init(Http11AprProtocol.java:104) [jbossweb-7.2.2.Final-redhat-1.jar:7.2.2.Final-redhat-1]
.....
Caused by: LifecycleException: JBWEB000023: Protocol handler initialization failed at org.apache.catalina.connector.Connector.init(Connector.java:986)
The error appears only when we set native=true in the virtual host.
The configuration contains:
<subsystem xmlns="urn:jboss:domain:web:1.4" default-virtual-server="default-host" native="true">
    <connector name="https" protocol="HTTP/1.1" scheme="https" socket-binding="https" secure="true">
        <ssl name="https"
             password="${VAULT::Keystore::serverskeystore::MUYx........."
             certificate-key-file="${test.jboss.web.ssl.certificate-key-file}"
             verify-client="true"
             ca-certificate-file="${test.jboss.web.ssl.certificate-ca-file}" ></ssl>
    </connector>
    <virtual-server name="default-host" enable-welcome-root="true">
        <alias name="localhost" ></alias>
        <alias name="example.com" ></alias>
    </virtual-server>
    .. ..
</subsystem>
Resolution
For native APR https connectors, all three files (certificate-key-file, certificate-file, ca-certificate-file) must be in CER (CRT) or PEM format:
- certificate-key-file: the server private key
- certificate-file: the server certificate
- ca-certificate-file: the CA certificate
A sample configuration, without client certificate verification, looks like:
<connector name="https" protocol="HTTP/1.1" scheme="https" socket-binding="https" secure="true">
    <ssl name="ssl"
         key-alias="labs.guest.redhat.com"
         password="12345678"
         certificate-key-file="/home/test/lab/certs/labs.guest.redhat.com_CA/labs.guest.redhat.com"
         certificate-file="/home/test/lab/certs/labs.guest.redhat.com_CA/labs.guest.redhat.com.pem"
         ca-certificate-file="/home/test/lab/certs/labs.guest.redhat.com_CA/ca.pem"
    ></ssl>
</connector>
Where:
- key-alias="labs.guest.redhat.com"
- password="12345678"
- certificate-key-file="/home/test/etc/certs/labs.guest.redhat.com_CA/labs.guest.redhat.com.pem": the server private key, in PEM format
- certificate-file="/home/test/etc/certs/labs.guest.redhat.com_CA/labs.guest.redhat.com.pem": the server certificate, in PEM format
- ca-certificate-file="/home/test/etc/certs/labs.guest.redhat.com_CA/ca.pem": the CA certificate, in PEM format
- For sample commands that convert keys and certificates to .pem format, refer to the article "Why does my SSL certificate not work with the Tomcat Native Library?".
Root Cause
- Native APR https connectors do not support JKS keystore files; only the JIO and NIO connectors do. Pointing certificate-key-file, certificate-file or ca-certificate-file at a JKS file therefore fails in SSLContext.setCertificate() with JBWEB003043.
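A pre-flight check for the three files of a native connector, as an added shell example that is not part of this article; the file paths and sample files are constructed. It classifies each file as PEM, JKS (by the FE ED FE ED magic header) or unknown, so a JKS keystore left in the <ssl> element is caught before the connector fails with JBWEB003043:

```sh
#!/bin/sh
# Pre-flight check for an EAP 6 native (APR) https connector: the files named by
# certificate-key-file, certificate-file and ca-certificate-file must be PEM/CRT
# text, never a JKS keystore, or SSLContext.setCertificate() fails with JBWEB003043.
# Added example; the paths and sample files below are constructed placeholders.

# Print "pem", "jks" or "unknown" for one file (always exits 0, so it is safe under set -e).
ssl_file_kind() {
    if [ ! -r "$1" ]; then echo unknown; return 0; fi
    # A JKS keystore starts with the magic bytes FE ED FE ED.
    magic=$(od -An -N4 -tx1 "$1" | tr -d ' \n')
    if [ "$magic" = "feedfeed" ]; then echo jks; return 0; fi
    # PEM is base64 text wrapped in -----BEGIN ...----- / -----END ...----- lines.
    if grep -q -- '-----BEGIN ' "$1" && grep -q -- '-----END ' "$1"; then
        echo pem; return 0
    fi
    echo unknown
}

# Check the three files of one <ssl> element; print "ok" or "fail" and name the
# offending attribute on stderr, which the EAP error message does not do.
check_apr_ssl_files() {
    status=ok
    for spec in "certificate-key-file=$1" "certificate-file=$2" "ca-certificate-file=$3"; do
        attr=${spec%%=*}
        path=${spec#*=}
        kind=$(ssl_file_kind "$path")
        if [ "$kind" != pem ]; then
            echo "$attr: $path is $kind, expected a PEM/CRT file" >&2
            status=fail
        fi
    done
    echo "$status"
}

# Constructed sample files: two fake PEM files and a file carrying the JKS magic header.
make_samples() {
    d=$(mktemp -d)
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'AAAA' '-----END RSA PRIVATE KEY-----' > "$d/server-key.pem"
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'AAAA' '-----END CERTIFICATE-----' > "$d/server.pem"
    printf '\376\355\376\355\000\000\000\002' > "$d/server.jks"
    echo "$d"
}

samples=$(make_samples)
check_apr_ssl_files "$samples/server-key.pem" "$samples/server.pem" "$samples/server.jks"  # prints "fail": ca-certificate-file is JKS
check_apr_ssl_files "$samples/server-key.pem" "$samples/server.pem" "$samples/server.pem"  # prints "ok"
```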