ant-media / Ant-Media-Server

Ant Media Server is a live streaming engine software that provides adaptive, ultra low latency streaming by using WebRTC technology with ~0.5 seconds latency. Ant Media Server is auto-scalable and it can run on-premise or on-cloud.
https://antmedia.io

Support password protected private key for SSL #4076

Closed mekya closed 2 years ago

mekya commented 2 years ago

The exception logs are as follows:

2022-04-02 12:59:44,646 [main] INFO  o.a.c.http11.Http11Nio2Protocol - Initializing ProtocolHandler ["https-jsse-nio2-0.0.0.0-5443"]
2022-04-02 12:59:44,896 [main] ERROR o.a.catalina.core.StandardService - Failed to initialize connector [Connector[org.apache.coyote.http11.Http11Nio2Protocol-5443]]
org.apache.catalina.LifecycleException: Protocol handler initialization failed
    at org.apache.catalina.connector.Connector.initInternal(Connector.java:1076)
    at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
    at org.apache.catalina.core.StandardService.initInternal(StandardService.java:552)
    at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
    at org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:843)
    at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
    at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:173)
    at org.apache.catalina.startup.Tomcat.start(Tomcat.java:440)
    at org.red5.server.tomcat.TomcatLoader.start(TomcatLoader.java:450)
    at org.red5.server.tomcat.TomcatLoader.afterPropertiesSet(TomcatLoader.java:183)
    at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.invokeInitMethods(AbstractAutowireCapableBeanFactory.java:1677)
    at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.initializeBean(AbstractAutowireCapableBeanFactory.java:1615)
    at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.doCreateBean(AbstractAutowireCapableBeanFactory.java:553)
    at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBean(AbstractAutowireCapableBeanFactory.java:481)
    at org.springframework.beans.factory.support.AbstractBeanFactory$1.getObject(AbstractBeanFactory.java:312)
    at org.springframework.beans.factory.support.DefaultSingletonBeanRegistry.getSingleton(DefaultSingletonBeanRegistry.java:230)
    at org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:308)
    at org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:220)
    at org.springframework.beans.factory.support.DefaultListableBeanFactory.resolveNamedBean(DefaultListableBeanFactory.java:1015)
    at org.springframework.beans.factory.support.DefaultListableBeanFactory.getBean(DefaultListableBeanFactory.java:345)
    at org.springframework.beans.factory.support.DefaultListableBeanFactory.getBean(DefaultListableBeanFactory.java:340)
    at org.springframework.context.support.AbstractApplicationContext.getBean(AbstractApplicationContext.java:1094)
    at org.red5.server.service.ShutdownServer.afterPropertiesSet(ShutdownServer.java:118)
    at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.invokeInitMethods(AbstractAutowireCapableBeanFactory.java:1677)
    at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.initializeBean(AbstractAutowireCapableBeanFactory.java:1615)
    at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.doCreateBean(AbstractAutowireCapableBeanFactory.java:553)
    at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBean(AbstractAutowireCapableBeanFactory.java:481)
    at org.springframework.beans.factory.support.AbstractBeanFactory$1.getObject(AbstractBeanFactory.java:312)
    at org.springframework.beans.factory.support.DefaultSingletonBeanRegistry.getSingleton(DefaultSingletonBeanRegistry.java:230)
    at org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:308)
    at org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:197)
    at org.springframework.beans.factory.support.DefaultListableBeanFactory.preInstantiateSingletons(DefaultListableBeanFactory.java:757)
    at org.springframework.context.support.AbstractApplicationContext.finishBeanFactoryInitialization(AbstractApplicationContext.java:867)
    at org.springframework.context.support.AbstractApplicationContext.refresh(AbstractApplicationContext.java:542)
    at org.red5.server.Launcher.launch(Launcher.java:95)
    at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
    at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.base/java.lang.reflect.Method.invoke(Method.java:566)
    at org.red5.server.Bootstrap.bootStrap(Bootstrap.java:91)
    at org.red5.server.Bootstrap.main(Bootstrap.java:48)
Caused by: java.lang.IllegalArgumentException: PBE parameter parsing error: expecting the object identifier for AES cipher
    at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:100)
    at org.apache.tomcat.util.net.AbstractJsseEndpoint.initialiseSsl(AbstractJsseEndpoint.java:72)
    at org.apache.tomcat.util.net.Nio2Endpoint.bind(Nio2Endpoint.java:157)
    at org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:1161)
    at org.apache.tomcat.util.net.AbstractJsseEndpoint.init(AbstractJsseEndpoint.java:222)
    at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:599)
    at org.apache.coyote.http11.AbstractHttp11Protocol.init(AbstractHttp11Protocol.java:80)
    at org.apache.catalina.connector.Connector.initInternal(Connector.java:1074)
    ... 40 common frames omitted
Caused by: java.io.IOException: PBE parameter parsing error: expecting the object identifier for AES cipher
    at java.base/com.sun.crypto.provider.PBES2Parameters.parseES(PBES2Parameters.java:384)
    at java.base/com.sun.crypto.provider.PBES2Parameters.engineInit(PBES2Parameters.java:285)
    at java.base/java.security.AlgorithmParameters.init(AlgorithmParameters.java:312)
    at java.base/sun.security.x509.AlgorithmId.decodeParams(AlgorithmId.java:151)
    at java.base/sun.security.x509.AlgorithmId.<init>(AlgorithmId.java:133)
    at java.base/sun.security.x509.AlgorithmId.parse(AlgorithmId.java:413)
    at java.base/javax.crypto.EncryptedPrivateKeyInfo.<init>(EncryptedPrivateKeyInfo.java:101)
    at org.apache.tomcat.util.net.jsse.PEMFile$Part.toPrivateKey(PEMFile.java:183)
    at org.apache.tomcat.util.net.jsse.PEMFile.<init>(PEMFile.java:126)
    at org.apache.tomcat.util.net.jsse.PEMFile.<init>(PEMFile.java:90)
    at org.apache.tomcat.util.net.SSLUtilBase.getKeyManagers(SSLUtilBase.java:312)
    at org.apache.tomcat.util.net.SSLUtilBase.createSSLContext(SSLUtilBase.java:244)
    at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:98)
    ... 47 common frames omitted
mekya commented 2 years ago

I've studied the code and found out some things.

Firstly, the log is from the -----BEGIN ENCRYPTED PRIVATE KEY-----. It's not from -----BEGIN RSA PRIVATE KEY-----.

This difference is important because we have a solution for ENCRYPTED PRIVATE KEY but not for RSA PRIVATE KEY.

Let's continue with the solution. If you have this problem and you have an ENCRYPTED PRIVATE KEY, just add your key password to jee-container.xml:

  1. Open the conf/jee-container.xml

  2. Find the line <entry key="SSLCertificateKeyFile" value="${http.ssl_certificate_key_file}" /> and add the below line under it.

    <entry key="KeystorePass" value="WRITE_YOUR_KEY_FILE_PASSWORD" />

    It should look something like this:

    <entry key="SSLCertificateKeyFile" value="${http.ssl_certificate_key_file}" />
    <entry key="KeystorePass" value="WRITE_YOUR_KEY_FILE_PASSWORD" />
  3. Save the file and restart the Ant Media Server:

    sudo service antmedia restart