Errors during server start after SSL Certificate Renewal
Hello
Do you have any guidelines on how to renew an expired SSL certificate in TeamCity? Is it possible from the administration module?
I have already attempted the following without success. I did not face the same issue last year.
And I performed exactly the same steps.
1. Created a new KeyStore with the PFX store by executing the following command:
keytool -importkeystore -srckeystore "d:\certificate.pfx" -destkeystore D:\.keystore.jks -deststorepass pass -deststoretype JKS
2. Verified the content by entering the password:
keytool.exe -list -keystore keystore.jks -v
3. Moved the keystore to the TeamCity conf folder.
4. Verified that the server.xml in the TeamCity conf folder points to the correct file and the password is correct
keystoreFile="d:\TeamCity\conf\.keystore.jks" keystorePass="pass"
Despite these steps, I still receive the following error when the TeamCity server starts up.
24-May-2024 11:49:00.813 SEVERE [main] org.apache.catalina.util.LifecycleBase.handleSubClassException Failed to initialize component [Connector[HTTP/1.1-443]]
org.apache.catalina.LifecycleException: Protocol handler initialization failed
at org.apache.catalina.connector.Connector.initInternal(Connector.java:1050)
at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
at org.apache.catalina.core.StandardService.initInternal(StandardService.java:554)
at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
at org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:1045)
at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
at org.apache.catalina.startup.Catalina.load(Catalina.java:724)
at org.apache.catalina.startup.Catalina.start(Catalina.java:760)
at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.base/java.lang.reflect.Method.invoke(Method.java:566)
at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:347)
at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:478)
Caused by: java.lang.IllegalArgumentException: Cannot recover key
at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:107)
at org.apache.tomcat.util.net.AbstractJsseEndpoint.initialiseSsl(AbstractJsseEndpoint.java:71)
at org.apache.tomcat.util.net.NioEndpoint.bind(NioEndpoint.java:235)
at org.apache.tomcat.util.net.AbstractEndpoint.bindWithCleanup(AbstractEndpoint.java:1227)
at org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:1240)
at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:604)
at org.apache.coyote.http11.AbstractHttp11Protocol.init(AbstractHttp11Protocol.java:76)
at org.apache.catalina.connector.Connector.initInternal(Connector.java:1047)
... 13 more
Caused by: java.security.UnrecoverableKeyException: Cannot recover key
at java.base/sun.security.provider.KeyProtector.recover(KeyProtector.java:304)
at java.base/sun.security.provider.JavaKeyStore.engineGetKey(JavaKeyStore.java:144)
at java.base/sun.security.util.KeyStoreDelegator.engineGetKey(KeyStoreDelegator.java:90)
at java.base/java.security.KeyStore.getKey(KeyStore.java:1057)
at org.apache.tomcat.util.net.SSLUtilBase.getKeyManagers(SSLUtilBase.java:354)
at org.apache.tomcat.util.net.SSLUtilBase.createSSLContext(SSLUtilBase.java:247)
at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:105)
... 20 more
It seems like the significant part of your error is java.security.UnrecoverableKeyException: Cannot recover key. There is a decent write-up on this error here: https://www.baeldung.com/java-security-unrecoverablekeyexception-resolve. I am able to reproduce this error by using a different password for .keystore.jks than was used for the certificate.pfx file. Could you please try using the same password in your keytool -importkeystore command, as below?

Hello Eric
Thanks for the input, I will take a look at it.
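The following is an added illustration of the failure mode in the thread above (the four-step PFX-to-JKS procedure in the question and the "different password" diagnosis in the reply); it is not code from the thread, from TeamCity or from Tomcat. A JKS file has two separate secrets: the store password (keystorePass in server.xml, -deststorepass in keytool) guards the file's integrity, and each private-key entry is additionally protected with its own key password. keytool -importkeystore gives the destination entry the source entry's password unless -destkeypass is passed, and for a PKCS#12 source that is the PFX password. Tomcat uses keystorePass as the key password unless keyPass is set, so a JKS created with -deststorepass pass from a PFX with a different password opens fine but the key inside cannot be recovered. The block re-implements the JKS key-protection scheme from sun.security.provider.KeyProtector (the frame at the bottom of the trace): a SHA-1 keystream derived from the UTF-16BE password and a 20-byte salt, XORed over the PKCS#8 key bytes, followed by SHA1(password || plain key) as an integrity check; a mismatch on that check is exactly the "Cannot recover key" exception. The key material and passwords are constructed values, the real entry is additionally wrapped in a PKCS#8 EncryptedPrivateKeyInfo with OID 1.3.6.1.4.1.42.2.17.1.1 which the example omits, and tomcat_can_open_key is a hypothetical helper modelling Tomcat's keyPass-defaults-to-keystorePass rule.

```python
"""Re-implementation of the JKS private-key protection scheme
(sun.security.provider.KeyProtector) to show why Tomcat reports
"Cannot recover key" when the JKS store password differs from the
password the key entry was protected with (the PFX password).
"""
import hashlib
import os
from typing import Optional

SALT_LEN = 20    # KeyProtector.SALT_LEN
DIGEST_LEN = 20  # SHA-1 output length (KeyProtector.DIGEST_LEN)


def _password_bytes(password: str) -> bytes:
    # KeyProtector turns each Java char into two bytes, high byte first,
    # i.e. UTF-16BE without a byte-order mark.
    return password.encode("utf-16-be")


def _xor_stream(passwd: bytes, salt: bytes, length: int) -> bytes:
    # d_0 = SHA1(pw || salt), d_i = SHA1(pw || d_{i-1}); concatenate
    # ceil(length / 20) digests and truncate to the key length.
    out = b""
    digest = salt
    while len(out) < length:
        digest = hashlib.sha1(passwd + digest).digest()
        out += digest
    return out[:length]


def protect_key(plain_key: bytes, password: str,
                salt: Optional[bytes] = None) -> bytes:
    """Return salt || (plain_key XOR keystream) || SHA1(password || plain_key).

    This is the byte layout keytool writes for a JKS private-key entry
    (before the EncryptedPrivateKeyInfo wrapper, which is omitted here).
    """
    passwd = _password_bytes(password)
    salt = os.urandom(SALT_LEN) if salt is None else salt
    if len(salt) != SALT_LEN:
        raise ValueError("salt must be %d bytes" % SALT_LEN)
    stream = _xor_stream(passwd, salt, len(plain_key))
    encrypted = bytes(p ^ k for p, k in zip(plain_key, stream))
    check = hashlib.sha1(passwd + plain_key).digest()
    return salt + encrypted + check


class UnrecoverableKeyError(Exception):
    """Python stand-in for java.security.UnrecoverableKeyException."""


def recover_key(protected: bytes, password: str) -> bytes:
    """Undo protect_key(); raises UnrecoverableKeyError on a wrong password."""
    passwd = _password_bytes(password)
    if len(protected) < SALT_LEN + DIGEST_LEN:
        raise UnrecoverableKeyError("protected key too short")
    salt = protected[:SALT_LEN]
    encrypted = protected[SALT_LEN:-DIGEST_LEN]
    stored_check = protected[-DIGEST_LEN:]
    stream = _xor_stream(passwd, salt, len(encrypted))
    plain = bytes(c ^ k for c, k in zip(encrypted, stream))
    # Integrity check as in KeyProtector.recover(): a wrong password yields
    # garbage above, the digest does not match and the JDK throws
    # UnrecoverableKeyException("Cannot recover key").
    if hashlib.sha1(passwd + plain).digest() != stored_check:
        raise UnrecoverableKeyError("Cannot recover key")
    return plain


def tomcat_can_open_key(protected: bytes, keystore_pass: str,
                        key_pass: Optional[str] = None) -> bool:
    """Hypothetical model of Tomcat's SSLUtilBase.getKeyManagers():
    keyPass defaults to keystorePass when it is not configured."""
    try:
        recover_key(protected, key_pass if key_pass is not None else keystore_pass)
        return True
    except UnrecoverableKeyError:
        return False


if __name__ == "__main__":
    # Constructed stand-in for the DER-encoded PKCS#8 key; not a real key.
    fake_pkcs8 = bytes(range(64)) + b"constructed private key material"
    PFX_PASSWORD = "pfx-secret"   # password of certificate.pfx -> key password in the JKS
    STORE_PASSWORD = "pass"       # -deststorepass / keystorePass in server.xml
    entry = protect_key(fake_pkcs8, PFX_PASSWORD)
    print("keystorePass only   :", tomcat_can_open_key(entry, STORE_PASSWORD))
    print("keystorePass+keyPass:", tomcat_can_open_key(entry, STORE_PASSWORD, PFX_PASSWORD))
```

Two real remedies follow from this: either make the key password equal to the store password at import time (keytool -importkeystore ... -deststorepass pass -destkeypass pass, or afterwards keytool -keypasswd -alias <alias> -keystore .keystore.jks), or keep the PFX password on the entry and tell Tomcat about it by adding keyPass="<pfx password>" next to keystorePass in server.xml. Note that a wrong store password produces a different message ("Keystore was tampered with, or password was incorrect"), so "Cannot recover key" on its own already points at the key password rather than the store password.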
Hello Eric
Will the following steps give the same result?
The SSL/HTTPS Certificates tab is for outbound connections and I don't think it accepts .jks certificates. To upload a certificate to this menu, it would need to be in one of the supported formats: PEM, DER or PKCS#7.