Posted to users@tomcat.apache.org by Hardibo Pierre-Jean <co...@hardibopj.com> on 2016/05/31 14:33:43 UTC
using SSLHostConfig on tomcat 9 in order to get 2 SSL certificates
Hello, I made two StartSSL certificates because I could only add 5
domains at once.
When I use SSLHostConfig for the domains of the first certificate all is
working, but when I try to add other domains (2nd certificate) websites
are no longer accessible, there's little documentation about that and no
tutorial so I am blocked.
Here is my connector (server.xml):
<Connector port="8443"
           protocol="org.apache.coyote.http11.Http11NioProtocol"
           maxThreads="150" SSLEnabled="true" >
    <SSLHostConfig hostName="www.hardibopj.com">
        <Certificate certificateKeystoreFile="/opt/tomcat9/tomcat"
                     certificateKeystorePassword="xxxx" type="RSA"/>
    </SSLHostConfig>
    <SSLHostConfig hostName="www.tagdirectory.net">
        <Certificate certificateKeystoreFile="/opt/tomcat9/tomcat"
                     certificateKeystorePassword="xxxx" type="RSA"/>
    </SSLHostConfig>
    <SSLHostConfig hostName="www.xn--kzako-bsa.com">
        <Certificate certificateKeystoreFile="/opt/tomcat9/tomcat"
                     certificateKeystorePassword="xxxx" type="RSA"/>
    </SSLHostConfig>
    <SSLHostConfig hostName="www.xn--tltravail-b4ab.com">
        <Certificate certificateKeystoreFile="/opt/tomcat9/tomcat"
                     certificateKeystorePassword="xxxx" type="RSA"/>
    </SSLHostConfig>
    <SSLHostConfig hostName="www.xn--changedeliens-9gb.com">
        <Certificate certificateKeystoreFile="/opt/tomcat9/tomcat"
                     certificateKeystorePassword="xxxx" type="RSA"/>
    </SSLHostConfig>
    <SSLHostConfig hostName="en.tagdirectory.net">
        <Certificate certificateKeystoreFile="/opt/tomcat9/tomcat2"
                     certificateKeystorePassword="xxxx" type="RSA"/>
    </SSLHostConfig>
    <SSLHostConfig hostName="www.retrogeekzone.com">
        <Certificate certificateKeystoreFile="/opt/tomcat9/tomcat2"
                     certificateKeystorePassword="xxxx" type="RSA"/>
    </SSLHostConfig>
    <SSLHostConfig hostName="en.retrogeekzone.com">
        <Certificate certificateKeystoreFile="/opt/tomcat9/tomcat2"
                     certificateKeystorePassword="xxxx" type="RSA"/>
    </SSLHostConfig>
    <SSLHostConfig hostName="www.troc-livres-informatique.com">
        <Certificate certificateKeystoreFile="/opt/tomcat9/tomcat2"
                     certificateKeystorePassword="xxxx" type="RSA"/>
    </SSLHostConfig>
</Connector>
Thanks for your help!
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
Re: using SSLHostConfig on tomcat 9 in order to get 2 SSL certificates
Posted by Christopher Schultz <ch...@christopherschultz.net>.
Hardibo,
On 6/1/16 9:48 AM, Hardibo Pierre-Jean wrote:
> Hello, when I add the second, or I put only the second (tomcat2)
> browser doesn't reach the website but doesn't stop with error
> message.
If you connect with openssl s_client, can you see what certificate is
presented with the server handshake?
Depending upon your version of OpenSSL, it may or may not support the
-servername option, which is the way to trigger the use of SNI.
-chris
> On 31/05/2016 18:52, Christopher Schultz wrote:
> Hardibo,
>
> On 5/31/16 10:33 AM, Hardibo Pierre-Jean wrote:
>>>> Hello, I made two StartSSL certificates because I could
>>>> only add 5 domains at once.
> ??!
>
>>>> When I use SSLHostConfig for the domains of the first
>>>> certificate all is working, but when I try to add other
>>>> domains (2nd certificate) websites are no longer accessible,
>>>> there's little documentation about that and no tutorial so I am
>>>> blocked. Here is my connector (server.xml): <Connector
>>>> port="8443"
>>>> protocol="org.apache.coyote.http11.Http11NioProtocol"
>>>> maxThreads="150" SSLEnabled="true" >
> You'll also want to set secure="true" and scheme="https" on your
> <Connector>. This might be the only thing you are missing.
>
> http://tomcat.apache.org/tomcat-9.0-doc/config/http.html#SSL_Support_-_SSLHostConfig
>
>>>> <SSLHostConfig hostName="www.hardibopj.com"> <Certificate
>>>> certificateKeystoreFile="/opt/tomcat9/tomcat"
>>>> certificateKeystorePassword="xxxx" type="RSA"/>
>>>> </SSLHostConfig> <SSLHostConfig
>>>> hostName="www.tagdirectory.net"> <Certificate
>>>> certificateKeystoreFile="/opt/tomcat9/tomcat"
>>>> certificateKeystorePassword="xxxx" type="RSA"/>
>>>> </SSLHostConfig> <SSLHostConfig
>>>> hostName="www.xn--kzako-bsa.com"> <Certificate
>>>> certificateKeystoreFile="/opt/tomcat9/tomcat"
>>>> certificateKeystorePassword="xxxx" type="RSA"/>
>>>> </SSLHostConfig> <SSLHostConfig
>>>> hostName="www.xn--tltravail-b4ab.com"> <Certificate
>>>> certificateKeystoreFile="/opt/tomcat9/tomcat"
>>>> certificateKeystorePassword="xxxx" type="RSA"/>
>>>> </SSLHostConfig> <SSLHostConfig
>>>> hostName="www.xn--changedeliens-9gb.com"> <Certificate
>>>> certificateKeystoreFile="/opt/tomcat9/tomcat"
>>>> certificateKeystorePassword="xxxx" type="RSA"/>
>>>> </SSLHostConfig> <SSLHostConfig
>>>> hostName="en.tagdirectory.net"> <Certificate
>>>> certificateKeystoreFile="/opt/tomcat9/tomcat2"
>>>> certificateKeystorePassword="xxxx" type="RSA"/>
>>>> </SSLHostConfig> <SSLHostConfig
>>>> hostName="www.retrogeekzone.com"> <Certificate
>>>> certificateKeystoreFile="/opt/tomcat9/tomcat2"
>>>> certificateKeystorePassword="xxxx" type="RSA"/>
>>>> </SSLHostConfig> <SSLHostConfig
>>>> hostName="en.retrogeekzone.com"> <Certificate
>>>> certificateKeystoreFile="/opt/tomcat9/tomcat2"
>>>> certificateKeystorePassword="xxxx" type="RSA"/>
>>>> </SSLHostConfig> <SSLHostConfig
>>>> hostName="www.troc-livres-informatique.com"> <Certificate
>>>> certificateKeystoreFile="/opt/tomcat9/tomcat2"
>>>> certificateKeystorePassword="xxxx" type="RSA"/>
>>>> </SSLHostConfig> </Connector>
> Those all look okay to me. What are you using to test? With a
> single <SSLHostConfig> can you establish a connection? When you add
> the second <SSLHostConfig>, how do things change?
>
> -chris
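The check suggested in the reply above (connect with `openssl s_client`, send each name through `-servername`, and look at the certificate that comes back), written out as an added example that is not part of the original thread. The function names `san_covers` and `presented_sans` and the script name are hypothetical, and an OpenSSL build whose `s_client` supports `-servername` is assumed.

```shell
# Added example. Usage: sh sni_check.sh HOST PORT NAME [NAME...]  (hypothetical name)

# san_covers NAME SAN_LIST: succeed if NAME matches a DNS entry in SAN_LIST,
# e.g. "DNS:www.example.test, DNS:*.example.test". The body is a subshell so
# that set -f and the variables stay local to the call.
san_covers() (
    set -f    # SAN entries may contain '*'; keep the shell from globbing them
    name=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    for entry in $(printf '%s' "$2" | tr 'A-Z' 'a-z' | tr ',' ' '); do
        case "$entry" in dns:*) pattern=${entry#dns:} ;; *) continue ;; esac
        case "$pattern" in
            "$name") exit 0 ;;
            \*.*)
                # A wildcard stands for exactly one left-most label.
                suffix=${pattern#?}     # "*.example.test" -> ".example.test"
                rest=${name#*.}         # "www.example.test" -> "example.test"
                if [ "$rest" != "$name" ] && [ ".$rest" = "$suffix" ]; then
                    exit 0
                fi ;;
        esac
    done
    exit 1
)

# presented_sans HOST PORT NAME: print the DNS SAN entries of the certificate
# the server presents when NAME is sent as SNI (empty if nothing usable came back).
presented_sans() {
    openssl s_client -connect "$1:$2" -servername "$3" </dev/null 2>/dev/null |
        openssl x509 -noout -text 2>/dev/null |
        grep 'DNS:' | tr -d ' \n'
}

# Only probe when HOST PORT NAME... are given on the command line.
if [ "$#" -ge 3 ]; then
    host=$1 port=$2 status=0; shift 2
    for sni in "$@"; do
        sans=$(presented_sans "$host" "$port" "$sni")
        if [ -z "$sans" ]; then
            echo "$sni: no certificate or no DNS SAN entries received"; status=1
        elif san_covers "$sni" "$sans"; then
            echo "$sni: OK ($sans)"
        else
            echo "$sni: MISMATCH, server presented $sans"; status=1
        fi
    done
    exit "$status"
fi
```

A MISMATCH line for a name means the connector answered that SNI value with a certificate that does not list it, which is the case to compare against the `hostName` and keystore of the corresponding `<SSLHostConfig>`.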
Re: using SSLHostConfig on tomcat 9 in order to get 2 SSL certificates
Posted by Hardibo Pierre-Jean <co...@hardibopj.com>.
Hello, when I add the second, or I put only the second (tomcat2) browser
doesn't reach the website but doesn't stop with error message.
On 31/05/2016 18:52, Christopher Schultz wrote:
> Hardibo,
>
> On 5/31/16 10:33 AM, Hardibo Pierre-Jean wrote:
>> Hello, I made two StartSSL certificates because I could only add
>> 5 domains at once.
> ??!
>
>> When I use SSLHostConfig for the domains of the first certificate
>> all is working, but when I try to add other domains (2nd
>> certificate) websites are no longer accessible, there's little
>> documentation about that and no tutorial so I am blocked. Here is
>> my connector (server.xml): <Connector port="8443"
>> protocol="org.apache.coyote.http11.Http11NioProtocol"
>> maxThreads="150" SSLEnabled="true" >
> You'll also want to set secure="true" and scheme="https" on your
> <Connector>. This might be the only thing you are missing.
>
> http://tomcat.apache.org/tomcat-9.0-doc/config/http.html#SSL_Support_-_SSLHostConfig
>
>> <SSLHostConfig hostName="www.hardibopj.com"> <Certificate
>> certificateKeystoreFile="/opt/tomcat9/tomcat"
>> certificateKeystorePassword="xxxx" type="RSA"/> </SSLHostConfig>
>> <SSLHostConfig hostName="www.tagdirectory.net"> <Certificate
>> certificateKeystoreFile="/opt/tomcat9/tomcat"
>> certificateKeystorePassword="xxxx" type="RSA"/> </SSLHostConfig>
>> <SSLHostConfig hostName="www.xn--kzako-bsa.com"> <Certificate
>> certificateKeystoreFile="/opt/tomcat9/tomcat"
>> certificateKeystorePassword="xxxx" type="RSA"/> </SSLHostConfig>
>> <SSLHostConfig hostName="www.xn--tltravail-b4ab.com"> <Certificate
>> certificateKeystoreFile="/opt/tomcat9/tomcat"
>> certificateKeystorePassword="xxxx" type="RSA"/> </SSLHostConfig>
>> <SSLHostConfig hostName="www.xn--changedeliens-9gb.com">
>> <Certificate certificateKeystoreFile="/opt/tomcat9/tomcat"
>> certificateKeystorePassword="xxxx" type="RSA"/> </SSLHostConfig>
>> <SSLHostConfig hostName="en.tagdirectory.net"> <Certificate
>> certificateKeystoreFile="/opt/tomcat9/tomcat2"
>> certificateKeystorePassword="xxxx" type="RSA"/> </SSLHostConfig>
>> <SSLHostConfig hostName="www.retrogeekzone.com"> <Certificate
>> certificateKeystoreFile="/opt/tomcat9/tomcat2"
>> certificateKeystorePassword="xxxx" type="RSA"/> </SSLHostConfig>
>> <SSLHostConfig hostName="en.retrogeekzone.com"> <Certificate
>> certificateKeystoreFile="/opt/tomcat9/tomcat2"
>> certificateKeystorePassword="xxxx" type="RSA"/> </SSLHostConfig>
>> <SSLHostConfig hostName="www.troc-livres-informatique.com">
>> <Certificate certificateKeystoreFile="/opt/tomcat9/tomcat2"
>> certificateKeystorePassword="xxxx" type="RSA"/> </SSLHostConfig>
>> </Connector>
> Those all look okay to me. What are you using to test? With a single
> <SSLHostConfig> can you establish a connection? When you add the
> second <SSLHostConfig>, how do things change?
>
> -chris
Re: using SSLHostConfig on tomcat 9 in order to get 2 SSL certificates
Posted by Christopher Schultz <ch...@christopherschultz.net>.
Hardibo,
On 5/31/16 10:33 AM, Hardibo Pierre-Jean wrote:
> Hello, I made two StartSSL certificates because I could only add
> 5 domains at once.
??!
> When I use SSLHostConfig for the domains of the first certificate
> all is working, but when I try to add other domains (2nd
> certificate) websites are no longer accessible, there's little
> documentation about that and no tutorial so I am blocked. Here is
> my connector (server.xml): <Connector port="8443"
> protocol="org.apache.coyote.http11.Http11NioProtocol"
> maxThreads="150" SSLEnabled="true" >
You'll also want to set secure="true" and scheme="https" on your
<Connector>. This might be the only thing you are missing.
http://tomcat.apache.org/tomcat-9.0-doc/config/http.html#SSL_Support_-_SSLHostConfig
> <SSLHostConfig hostName="www.hardibopj.com"> <Certificate
> certificateKeystoreFile="/opt/tomcat9/tomcat"
> certificateKeystorePassword="xxxx" type="RSA"/> </SSLHostConfig>
> <SSLHostConfig hostName="www.tagdirectory.net"> <Certificate
> certificateKeystoreFile="/opt/tomcat9/tomcat"
> certificateKeystorePassword="xxxx" type="RSA"/> </SSLHostConfig>
> <SSLHostConfig hostName="www.xn--kzako-bsa.com"> <Certificate
> certificateKeystoreFile="/opt/tomcat9/tomcat"
> certificateKeystorePassword="xxxx" type="RSA"/> </SSLHostConfig>
> <SSLHostConfig hostName="www.xn--tltravail-b4ab.com"> <Certificate
> certificateKeystoreFile="/opt/tomcat9/tomcat"
> certificateKeystorePassword="xxxx" type="RSA"/> </SSLHostConfig>
> <SSLHostConfig hostName="www.xn--changedeliens-9gb.com">
> <Certificate certificateKeystoreFile="/opt/tomcat9/tomcat"
> certificateKeystorePassword="xxxx" type="RSA"/> </SSLHostConfig>
> <SSLHostConfig hostName="en.tagdirectory.net"> <Certificate
> certificateKeystoreFile="/opt/tomcat9/tomcat2"
> certificateKeystorePassword="xxxx" type="RSA"/> </SSLHostConfig>
> <SSLHostConfig hostName="www.retrogeekzone.com"> <Certificate
> certificateKeystoreFile="/opt/tomcat9/tomcat2"
> certificateKeystorePassword="xxxx" type="RSA"/> </SSLHostConfig>
> <SSLHostConfig hostName="en.retrogeekzone.com"> <Certificate
> certificateKeystoreFile="/opt/tomcat9/tomcat2"
> certificateKeystorePassword="xxxx" type="RSA"/> </SSLHostConfig>
> <SSLHostConfig hostName="www.troc-livres-informatique.com">
> <Certificate certificateKeystoreFile="/opt/tomcat9/tomcat2"
> certificateKeystorePassword="xxxx" type="RSA"/> </SSLHostConfig>
> </Connector>
Those all look okay to me. What are you using to test? With a single
<SSLHostConfig> can you establish a connection? When you add the
second <SSLHostConfig>, how do things change?
-chris