spring boot https PKCS12 DerInputStream.getLength(): lengthTag=111, too big
I need to use a Spring boot app on https. I have a letsencrypt signed key. I converted this cert to PKCS12 like this:
```
openssl pkcs12 -export -in fullchain.pem -inkey privkey.pem -out keystore.p12 -name tomcat -CAfile chain.pem -caname root
```
I copied this keystore file to resource directory and here is the config part:
```
require-ssl: true
server:
  port: 8443
  ssl:
    key-store-type: PKCS12
    key-store: classpath:keystore.p12
    key-store-password: xxxxx
    key-alias: tomcat
```
If I check this keystore, I've got this:
```
keytool -list -keystore keystore.p12
Keystore type: PKCS12
Keystore provider: SUN
Your keystore contains 1 entry
tomcat, May 15, 2019, PrivateKeyEntry,
Certificate fingerprint (SHA-256):
```
And when I start my app:
```
Caused by: java.io.IOException: DerInputStream.getLength(): lengthTag=111, too big.
    at sun.security.util.DerInputStream.getLength(DerInputStream.java:599)
    at sun.security.util.DerValue.init(DerValue.java:391)
    at sun.security.util.DerValue.<init>(DerValue.java:332)
    at sun.security.util.DerValue.<init>(DerValue.java:345)
    at sun.security.pkcs12.PKCS12KeyStore.engineLoad(PKCS12KeyStore.java:1938)
    at java.security.KeyStore.load(KeyStore.java:1445)
    at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getStore(JSSESocketFactory.java:449)
    at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getKeystore(JSSESocketFactory.java:353)
    at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getKeyManagers(JSSESocketFactory.java:606)
    at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getKeyManagers(JSSESocketFactory.java:546)
    at org.apache.tomcat.util.net.NioEndpoint.bind(NioEndpoint.java:371)
    at org.apache.tomcat.util.net.AbstractEndpoint.start(AbstractEndpoint.java:763)
    at org.apache.coyote.AbstractProtocol.start(AbstractProtocol.java:491)
    at org.apache.catalina.connector.Connector.startInternal(Connector.java:986)
```
Do I need to configure anything else? Thx, Zamek
Solution 1:[1]
I found the problem: there was a resource filter plugin in my pom.xml that destroyed the key file. I had to exclude the key file from the resource filter plugin.
Solution 2:[2]
Try the settings below in your pom.xml. Exclude p12, pem, jks or other kinds of certificate files from maven-resources-plugin processing.
```
<!-- insert into the <build>/<resources> element -->
<resource>
    <directory>src/main/resources</directory>
    <includes>
        <include>**/*.p12</include>
        <include>**/*.pem</include>
        <include>**/*.jks</include>
    </includes>
    <filtering>false</filtering>
</resource>

<!-- also insert this configuration into the <build>/<plugins> element -->
<!-- replace ${maven-resources-plugin.version} and ${maven-filtering.version} with the versions you use -->
<plugin>
    <groupId>org.apache.maven.plugins</groupId>
    <artifactId>maven-resources-plugin</artifactId>
    <version>${maven-resources-plugin.version}</version>
    <configuration>
        <nonFilteredFileExtensions>
            <nonFilteredFileExtension>pem</nonFilteredFileExtension>
            <nonFilteredFileExtension>p12</nonFilteredFileExtension>
            <nonFilteredFileExtension>jks</nonFilteredFileExtension>
        </nonFilteredFileExtensions>
    </configuration>
    <dependencies>
        <dependency>
            <groupId>org.apache.maven.shared</groupId>
            <artifactId>maven-filtering</artifactId>
            <version>${maven-filtering.version}</version>
        </dependency>
    </dependencies>
</plugin>
```
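Added example (not part of the answers above): a check for whether a keystore survived the build, showing why the error reads `lengthTag=111`. A text re-encode turns the invalid UTF-8 byte `0x82` in the DER header `30 82 ..` into U+FFFD (`EF BF BD`), and `0xEF & 0x7F` is 111. The function names, the sample bytes and the simulation of filtering as a UTF-8 decode-and-rewrite are assumptions made for illustration.

```python
"""Added example: check whether a packaged PKCS12 file survived the build."""
import sys

REPLACEMENT = b"\xef\xbf\xbd"  # UTF-8 bytes of U+FFFD, left behind by a text re-encode


def der_header(data):
    """Return (tag, content_length, header_length) of the outer DER value."""
    if len(data) < 2:
        raise ValueError("too short to be DER")
    tag, first = data[0], data[1]
    if first & 0x80 == 0:                 # short form: the byte is the length
        return tag, first, 2
    n = first & 0x7F                      # long form: n length bytes follow
    if n == 0:                            # BER indefinite length, size unknown
        return tag, None, 2
    if n > 4:                             # same limit the JDK parser reports
        raise ValueError(f"lengthTag={n}")
    return tag, int.from_bytes(data[2:2 + n], "big"), 2 + n


def diagnose(data):
    """Classify keystore bytes: ok, text-filtered, not-der or size-mismatch."""
    try:
        tag, length, header = der_header(data)
    except ValueError as exc:
        kind = "text-filtered" if REPLACEMENT in data else "not-der"
        return f"{kind}: {exc}"
    if tag != 0x30:
        return f"not-der: outer tag 0x{tag:02x}, expected SEQUENCE 0x30"
    if length is not None and header + length != len(data):
        return f"size-mismatch: header says {header + length}, file has {len(data)}"
    return "ok"


def filter_as_text(data):
    """Simulate a build step that reads a binary file as UTF-8 and rewrites it."""
    return data.decode("utf-8", errors="replace").encode("utf-8")


# Constructed sample: header 30 82 01 00 plus 256 filler bytes (not a real keystore).
SAMPLE = bytes([0x30, 0x82, 0x01, 0x00]) + bytes(range(256))

if __name__ == "__main__":
    for path in sys.argv[1:]:             # pass the source and the packaged copy
        with open(path, "rb") as fh:
            print(path, "->", diagnose(fh.read()))
    if len(sys.argv) == 1:
        print("intact:  ", diagnose(SAMPLE))
        print("filtered:", diagnose(filter_as_text(SAMPLE)))
```

Run it against both `src/main/resources/keystore.p12` and the copy in Maven's output directory (`target/classes` by default); a `text-filtered` result on the second file only means the build rewrote it.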
Solution 3:[3]
This error can also occur if you use a different binary file.
Sources
This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.
Source: Stack Overflow
| Solution | Source |
|---|---|
| Solution 1 | zamek 42 |
| Solution 2 | Kent |
| Solution 3 | Fatih |
