Certificate generated but cannot deploy to tomcat

I have a certificate succesfully generated by certify the web. I have selected the deployment task to deploy to tomcat but the deployment fails. The Tomcat server is version 9.
The error in the log is:
2021-10-30 22:55:08.545 -07:00 [INF] Deploy to Tomcat:: exporting PFX format certificates and key
2021-10-30 22:55:08.569 -07:00 [INF] Deploy to Tomcat: Copying file (Windows file copy) to C:\Program Files\Apache Software Foundation\Tomcat 9\conf
2021-10-30 22:55:08.583 -07:00 [ERR] Failed to copy to destination file: C:\Program Files\Apache Software Foundation\Tomcat 9\conf:Access to the path ‘C:\Program Files\Apache Software Foundation\Tomcat 9\conf’ is denied.
2021-10-30 22:55:08.583 -07:00 [ERR] Failed to copy to destination file: C:\Program Files\Apache Software Foundation\Tomcat 9\conf:Access to the path ‘C:\Program Files\Apache Software Foundation\Tomcat 9\conf’ is denied.

So it looks like certify the web simply cannot access the conf folder but I then added the everyone group with full access to the folder as a test but the deployment still fails with the same error.
Why can’t certify the web client copy the certificate file to the requested folder? I even downloaded procmon to view file access and there is no access denied error when certify the web tries to access the conf folder.

My guess is that you’re giving it a folder path when it is asking for a file path. It can’t make a file out of the existing folder, so it gets an error.

Ah yes, as @jljtgr suggested it’s expecting you to provide a full filename for each thing to export, not just a folder. If you delete the content of the text box the placeholder text will explain that.

I would have liked to say that as well, but that specific deployment type has the example cut off and the parameter name doesn’t actually say “file” like the other ones… but “Destination Path”.


1 Like

Thanks for pointing that out, some of these got the wording updated recently but I don’t think the tomcat one did.

Thanks! That seems to have gotten the certificate exported to the conf folder. But now the Tomcat server isn’t starting. I’m getting this error below indicating that the keystore password is incorrect? I was hoping the deployment task would be able to take care of this. If there is any additional documentation on using the Tomcat deployment task I haven’t seen it and would love to read it.

31-Oct-2021 09:03:24.194 SEVERE [main] org.apache.catalina.util.LifecycleBase.handleSubClassException Failed to initialize component [Connector[HTTP/1.1-443]]
org.apache.catalina.LifecycleException: Protocol handler initialization failed
at org.apache.catalina.connector.Connector.initInternal(Connector.java:1013)
at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
at org.apache.catalina.core.StandardService.initInternal(StandardService.java:533)
at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
at org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:1057)
at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
at org.apache.catalina.startup.Catalina.load(Catalina.java:584)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:303)
at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:473)
Caused by: java.lang.IllegalArgumentException: keystore password was incorrect
at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:99)
at org.apache.tomcat.util.net.AbstractJsseEndpoint.initialiseSsl(AbstractJsseEndpoint.java:71)
at org.apache.tomcat.util.net.NioEndpoint.bind(NioEndpoint.java:217)
at org.apache.tomcat.util.net.AbstractEndpoint.bindWithCleanup(AbstractEndpoint.java:1141)
at org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:1154)
at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:581)
at org.apache.coyote.http11.AbstractHttp11Protocol.init(AbstractHttp11Protocol.java:74)
at org.apache.catalina.connector.Connector.initInternal(Connector.java:1010)
… 12 more
Caused by: java.io.IOException: keystore password was incorrect
at sun.security.pkcs12.PKCS12KeyStore.engineLoad(PKCS12KeyStore.java:2015)
at java.security.KeyStore.load(KeyStore.java:1445)
at org.apache.tomcat.util.security.KeyStoreUtil.load(KeyStoreUtil.java:67)
at org.apache.tomcat.util.net.SSLUtilBase.getStore(SSLUtilBase.java:217)
at org.apache.tomcat.util.net.SSLHostConfigCertificate.getCertificateKeystore(SSLHostConfigCertificate.java:206)
at org.apache.tomcat.util.net.SSLUtilBase.getKeyManagers(SSLUtilBase.java:283)
at org.apache.tomcat.util.net.openssl.OpenSSLUtil.getKeyManagers(OpenSSLUtil.java:98)
at org.apache.tomcat.util.net.SSLUtilBase.createSSLContext(SSLUtilBase.java:247)
at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:97)
… 19 more
Caused by: java.security.UnrecoverableKeyException: failed to decrypt safe contents entry: javax.crypto.BadPaddingException: Given final block not properly padded

Nevermind I found it.

Looks like the keystore password should be blank. I removed the old keystore password in the server.xml file and restarted the service and now it is working.

1 Like

You can optionally set a password if you want one under Certificate > Advanced Settings > Signing and Security (then re-request your cert), historically we just default to blank.