Posted to users@tomcat.apache.org by Herb Burnswell <he...@gmail.com> on 2019/02/12 19:21:01 UTC
Server Name Identification (SNI) configuration Tomcat 8.5.23
All,
Tomcat: 8.5.23
OS: RHEL 7.5
I am attempting to set up Tomcat to use two keystores with SNI. Tomcat
starts successfully but I receive a timeout when trying to access
either of the defined server names.
Here is a single server name configuration that works successfully:
<Connector port="8443"
           maxHttpHeaderSize="8192"
           maxPostSize="6291456"
           maxThreads="150"
           protocol="HTTP/1.1"
           executor="appExecutor"
           enableLookups="false"
           acceptCount="100"
           connectionTimeout="20000"
           disableUploadTimeout="true"
           URIEncoding="UTF-8"
           SSLEnabled="true"
           scheme="https"
           secure="true"
           clientAuth="false"
           sslProtocol="TLS"
           keystoreType="PKCS12"
           keystoreFile="/app/certs/config/ex1_keystore.p12"
           keystorePass="<passwd>" />
Here is the SNI configuration that I'm trying:
<Connector port="8443"
           maxHttpHeaderSize="8192"
           maxPostSize="6291456"
           maxThreads="150"
           protocol="org.apache.coyote.http11.Http11NioProtocol"
           executor="appExecutor"
           enableLookups="false"
           acceptCount="100"
           connectionTimeout="20000"
           disableUploadTimeout="true"
           URIEncoding="UTF-8"
           SSLEnabled="true"
           scheme="https"
           secure="true"
           defaultSSLHostConfigName="*.example1.com">
    <SSLHostConfig hostName="*.example1.com">
        <Certificate certificateKeystoreType="PKCS12"
                     certificateKeystoreFile="/app/certs/config/ex1_keystore.p12"
                     certificateKeystorePassword="<passwd>"
                     type="RSA"/>
    </SSLHostConfig>
    <SSLHostConfig hostName="*.example2.com">
        <Certificate certificateKeystoreType="PKCS12"
                     certificateKeystoreFile="/app/certs/config/ex2_keystore.p12"
                     certificateKeystorePassword="<passwd>"
                     type="RSA"/>
    </SSLHostConfig>
</Connector>
As mentioned, Tomcat starts successfully, but the sites time out. There is
nothing in the logs that indicates a request is even made.
Am I missing something in this configuration? Any guidance is greatly
appreciated.
Best,
HB
Re: Server Name Identification (SNI) configuration Tomcat 8.5.23
Posted by Herb Burnswell <he...@gmail.com>.
On Tue, Feb 12, 2019 at 11:37 AM Herb Burnswell <he...@gmail.com>
wrote:
>
>
> On Tue, Feb 12, 2019 at 11:26 AM Mark Thomas <ma...@apache.org> wrote:
>
>> On 12/02/2019 19:21, Herb Burnswell wrote:
>> > All,
>> >
>> > Tomcat: 8.5.23
>> > OS: RHEL 7.5
>> >
>> > I am attempting to set up Tomcat to use two keystores with SNI. Tomcat
>> > starts successfully but I receive a timeout when trying to access
>> > either of the defined server names.
>>
>> <snip/>
>>
>> > As mentioned, Tomcat starts successfully, but the sites time out. There is
>> > nothing in the logs that indicates a request is even made.
>> >
>> > Am I missing something in this configuration? Any guidance is greatly
>> > appreciated.
>>
>> What do the logs say when Tomcat starts with the non-working
>> configuration?
>>
>> Mark
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
>> For additional commands, e-mail: users-help@tomcat.apache.org
>>
>>
>
> Thanks for the reply Mark. Unfortunately there is no extra information in
> the logs from the non-working configuration. It appears that everything
> starts successfully with working and non-working configuration.
>
> As mentioned, the timeout attempting to connect to the SNI domains does
> not register in the logs either.
>
> HB
>
Damn, my bad. I figured it out.
Embarrassingly, I had an incorrect password for one of the keystores. I
was focusing so much on the configuration parameters I overlooked the
simple part.
Thanks,
HB
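The failure found in this thread, a keystore password that does not match its keystore, can be checked for before Tomcat is started. The script below is an added example and not part of the original thread: it reads each `<Certificate>` element of an SNI connector and asks the `openssl` command-line tool (assumed to be on the PATH) whether the keystore opens with the configured password. The function names, the `KS_PASS` variable and the sample passwords are constructed for illustration.

```python
"""Pre-flight check: does every SNI keystore open with its configured password?"""
import os
import subprocess
import xml.etree.ElementTree as ET

# Constructed sample modelled on the connector in the post; passwords are made up.
SAMPLE_SERVER_XML = """
<Connector port="8443" SSLEnabled="true"
           defaultSSLHostConfigName="*.example1.com">
  <SSLHostConfig hostName="*.example1.com">
    <Certificate certificateKeystoreFile="/app/certs/config/ex1_keystore.p12"
                 certificateKeystorePassword="constructed-pass-1" type="RSA"/>
  </SSLHostConfig>
  <SSLHostConfig hostName="*.example2.com">
    <Certificate certificateKeystoreFile="/app/certs/config/ex2_keystore.p12"
                 certificateKeystorePassword="constructed-pass-2" type="RSA"/>
  </SSLHostConfig>
</Connector>
"""

def certificate_entries(server_xml):
    """Return (hostName, keystore path, password) per <Certificate> element."""
    root = ET.fromstring(server_xml)
    return [(host.get("hostName"),
             cert.get("certificateKeystoreFile"),
             cert.get("certificateKeystorePassword", "changeit"))  # Tomcat default
            for host in root.iter("SSLHostConfig")
            for cert in host.iter("Certificate")]

def keystore_opens(path, password):
    """True if the openssl CLI can open the PKCS12 file with this password.
    The password travels in the environment, not on the command line.
    OpenSSL 3 may need the extra -legacy option for older keystores."""
    if not os.path.isfile(path):
        return False
    result = subprocess.run(
        ["openssl", "pkcs12", "-in", path, "-noout", "-passin", "env:KS_PASS"],
        env=dict(os.environ, KS_PASS=password), stdin=subprocess.DEVNULL,
        stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
    return result.returncode == 0

def audit(server_xml):
    """Return the (hostName, path) pairs whose keystore does not open."""
    return [(host, path) for host, path, pw in certificate_entries(server_xml)
            if not keystore_opens(path, pw)]

if __name__ == "__main__":
    for host, path in audit(SAMPLE_SERVER_XML):
        print(f"FAIL {host}: cannot open {path} with the configured password")
```

Run it as the account Tomcat runs under so that file permission problems on the keystores show up as failures too.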
Re: Server Name Identification (SNI) configuration Tomcat 8.5.23
Posted by Herb Burnswell <he...@gmail.com>.
On Tue, Feb 12, 2019 at 11:26 AM Mark Thomas <ma...@apache.org> wrote:
> On 12/02/2019 19:21, Herb Burnswell wrote:
> > All,
> >
> > Tomcat: 8.5.23
> > OS: RHEL 7.5
> >
> > I am attempting to set up Tomcat to use two keystores with SNI. Tomcat
> > starts successfully but I receive a timeout when trying to access
> > either of the defined server names.
>
> <snip/>
>
> > As mentioned, Tomcat starts successfully, but the sites time out. There is
> > nothing in the logs that indicates a request is even made.
> >
> > Am I missing something in this configuration? Any guidance is greatly
> > appreciated.
>
> What do the logs say when Tomcat starts with the non-working configuration?
>
> Mark
>
Thanks for the reply Mark. Unfortunately there is no extra information in the
logs from the non-working configuration. It appears that everything starts
successfully with working and non-working configuration.
As mentioned, the timeout attempting to connect to the SNI domains does not
register in the logs either.
HB
Re: Server Name Identification (SNI) configuration Tomcat 8.5.23
Posted by Mark Thomas <ma...@apache.org>.
On 12/02/2019 19:21, Herb Burnswell wrote:
> All,
>
> Tomcat: 8.5.23
> OS: RHEL 7.5
>
> I am attempting to set up Tomcat to use two keystores with SNI. Tomcat
> starts successfully but I receive a timeout when trying to access
> either of the defined server names.
<snip/>
> As mentioned, Tomcat starts successfully, but the sites time out. There is
> nothing in the logs that indicates a request is even made.
>
> Am I missing something in this configuration? Any guidance is greatly
> appreciated.
What do the logs say when Tomcat starts with the non-working configuration?
Mark