ssl - How to resolve : java.io.IOException: jsse.alias_no_key_entry

Question

I have a Debian virtual machine with Tomcat installed. I would like to install an SSL certificate so that my website is in Https.

I received the following certificate files with my VM:

my-domain.cer  my-domain.chain.crt.pem  my-domain.crt.pem
my-domain.csr  my-domain.key  my-domain.ch.p7c

I created a keystore with the following command :

keytool -import -trustcacerts -alias tomcat -keystore keystore.jks -file my-domain.cer

Then, I modified the file conf/server.xml file with the following code:

<Connector acceptCount="100" bindOnInit="false" connectionTimeout="20000" disableUploadTimeout="true" enableLookups="false"
        maxHttpHeaderSize="8192" maxThreads="150" minSpareThreads="25" useBodyEncodingForURI="true"
        keyAlias="tomcat" keystoreFile="/usr/local/tomcat/ssl/keystore.jks" keystorePass="PASSWORD" keystoreType="JKS"
        port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol" scheme="https" secure="true"
        sslEnabledProtocols="TLSv1.2,TLSv1.3" SSLEnabled="true" clientAuth="false"/>

Unfortunately, I get the following error when starting tomcat :

 org.apache.catalina.LifecycleException: Protocol handler initialization failed
        at org.apache.catalina.connector.Connector.initInternal(Connector.java:983)
        at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
        at org.apache.catalina.core.StandardService.initInternal(StandardService.java:535)
        at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
        at org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:1055)
        at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
        at org.apache.catalina.startup.Catalina.load(Catalina.java:585)
        at org.apache.catalina.startup.Catalina.load(Catalina.java:608)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:498)
        at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:306)
        at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:491)
Caused by: java.lang.IllegalArgumentException: jsse.alias_no_key_entry
        at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:99)
        at org.apache.tomcat.util.net.AbstractJsseEndpoint.initialiseSsl(AbstractJsseEndpoint.java:71)
        at org.apache.tomcat.util.net.NioEndpoint.bind(NioEndpoint.java:224)
        at org.apache.tomcat.util.net.AbstractEndpoint.bindWithCleanup(AbstractEndpoint.java:1103)
        at org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:1116)
        at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:557)
        at org.apache.coyote.http11.AbstractHttp11Protocol.init(AbstractHttp11Protocol.java:74)
        at org.apache.catalina.connector.Connector.initInternal(Connector.java:980)
        ... 13 more
Caused by: java.io.IOException: jsse.alias_no_key_entry
        at org.apache.tomcat.util.net.SSLUtilBase.getKeyManagers(SSLUtilBase.java:330)
        at org.apache.tomcat.util.net.openssl.OpenSSLUtil.getKeyManagers(OpenSSLUtil.java:104)
        at org.apache.tomcat.util.net.SSLUtilBase.createSSLContext(SSLUtilBase.java:239)
        at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:97)
        ... 20 more

I do not understand where it can come from. Because my alias is however the good one ...

Thank you in advance for your help

Answer 1

In my case, the cause of this issue was that the SSL key alias present in the application was not same as the alias passed while creating the certificate.

keytool -genkeypair -keyalg RSA -alias dummyApp -keystore dummy-app.p12 -storepass password -validity 3650 -keysize 2048 -dname "CN=dummy-app, OU=Enterprise, O=Test, L=Unknown, ST=Unknown, C=US" -storetype pkcs12

To fix, this I had to correct the value of the server.ssl.key-alias property. As per the above SSL generation example, its value should be dummyApp.