srini s

Reputation: 29

java.security.NoSuchAlgorithmException: (algorithm: Default, provider: SunJSSE, class: sun.security.ssl.SSLContextImpl$DefaultSSLContext)

I tried many solutions from the web, but no solution seems to fit my case.

We recently upgraded our Tomcat server from 8.0.x to 8.5.x. With 8.0.x everything worked fine. But after the upgrade, we are facing this error when we try to connect to a server from Java's Spring RestTemplate over https.

I did not see any errors while connecting through http.

    ":java.security.NoSuchAlgorithmException: Error constructing implementation (algorithm: Default, provider: SunJSSE, class: sun.security.ssl.SSLContextImpl$DefaultSSLContext);
    nested exception is java.net.SocketException: java.security.NoSuchAlgorithmException: Error constructing implementation (algorithm: Default, provider: SunJSSE, class: sun.security.ssl.SSLContextImpl$DefaultSSLContext)

Upvotes: 2

Views: 20799

Answers (1)

Vissu

Reputation: 2043

Some background about recent changes in Tomcat 8.5.x (as explained by @dave-thompson-085 in another post):

Java 8u60 up getInstance("JKS") (with the normal providers) can read either JKS or PKCS12, but "PKCS12" only reads PKCS12 as is happening here. In 9 and 10 (I haven't yet tried 11) it works both directions, but OP's stacktrace doesn't show modules as 9 up should. Tomcat 8.5 (and 9.0) majorly rewrote the SSL/TLS config area to handle multiple certs (SNI) and also align the previously different JSSE vs APR=OpenSSL configs, but to my reading it should still default to JKS unless you (mis)set javax.net.ssl.keyStoreType

How we fixed this:
In Tomcat 8.0 the default value for javax.net.ssl.keyStoreType is JKS. After we upgraded to Tomcat 8.5.x, they changed it to PKCS12, as this is being used as the industry standard these days.

After breaking my head for some time, I noticed that in the tomcat.conf file, the VM arguments were configured to use PKCS12. I changed it to JKS. Everything worked fine after that.

Changed -Djavax.net.ssl.keyStoreType=PKCS12 to -Djavax.net.ssl.keyStoreType=JKS

Tip: If you cannot find the tomcat.conf file, search for the file that contains the string "-Djavax.net.ssl.keyStoreType" inside the Tomcat directory. I saw that the Windows portable Tomcat does not have that file.

Upvotes: 2
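A way to confirm the mismatch described in the answer before editing any VM arguments, as an added example that is not part of the original question or answer: it reads the leading bytes of the configured store to detect its real format, compares that with the declared `javax.net.ssl.keyStoreType`, and then attempts the same load. The class name `StoreTypeCheck` is hypothetical, and the example goes slightly beyond the answer by also checking the corresponding `trustStore` properties.

```java
import java.io.DataInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.KeyStore;

// Added diagnostic (hypothetical class name), not code from the question or answer.
public class StoreTypeCheck {

    // Identify the on-disk format from the first four bytes of the file (heuristic).
    static String detectFormat(Path file) throws IOException {
        try (DataInputStream in = new DataInputStream(Files.newInputStream(file))) {
            int magic = in.readInt();
            if (magic == 0xFEEDFEED) return "JKS";       // JKS magic number
            if (magic == 0xCECECECE) return "JCEKS";     // JCEKS magic number
            if ((magic >>> 24) == 0x30) return "PKCS12"; // DER SEQUENCE tag, as a PKCS12 file begins
            return "UNKNOWN";
        }
    }

    // Compare the declared type with the detected one, then attempt the real load.
    static void check(String prefix) {
        String path = System.getProperty("javax.net.ssl." + prefix);
        if (path == null) { System.out.println(prefix + ": not set"); return; }
        String type = System.getProperty("javax.net.ssl." + prefix + "Type", KeyStore.getDefaultType());
        String pw = System.getProperty("javax.net.ssl." + prefix + "Password");
        try {
            String actual = detectFormat(Paths.get(path));
            System.out.printf("%s: declared=%s detected=%s%s%n", prefix, type, actual,
                    type.equalsIgnoreCase(actual) ? "" : "  <-- MISMATCH");
            try (InputStream in = Files.newInputStream(Paths.get(path))) {
                KeyStore ks = KeyStore.getInstance(type);
                ks.load(in, pw == null ? null : pw.toCharArray());
                System.out.println("  loaded " + ks.size() + " entries as " + type);
            }
        } catch (Exception e) {
            System.out.println("  load failed: " + e); // the password is never printed
        }
    }

    public static void main(String[] args) {
        check("keyStore");
        check("trustStore");
    }
}
```

Run it with the same `-Djavax.net.ssl.*` arguments that Tomcat is started with, on the same JRE, so the result reflects what the default SSLContext sees.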
