Posted to users@tomcat.apache.org by Maurice Poos <ma...@gmail.com> on 2020/12/22 13:59:04 UTC

Subdomain with SSL in same connector

Hi there,

This question (or the gist of it) was asked around 2009 but a lot can
happen in 10 years.
The question is as follows:

I've got Tomcat 9.0.35 running on a server (no Apache or anything else).
The connector and SSL are all running smoothly.

When I put an alias in the connector of course the SSL breaks because the
subdomain is not included in the certificate in the keystore nor are
wildcards used.

Is it possible to add the subdomain SSL to the first keystore and then use
the alias to secure the subdomain?
Or... do I need to set up a separate connector, different keystore etc.?

Thank you all for reading and stay safe!

Maurice

As a keynote.. I'm not up to all the RFCs.

*Config (highlights):*
*--------------------*

<SSLHostConfig hostName="site1.nl">
        <Certificate
                certificateKeyAlias="site1.nl"
                certificateKeystoreFile="/etc/ssl/crt/site1.nl.jks"
                certificateKeystorePassword="whiterabbit"/>
</SSLHostConfig>
##########################

<!-- attribute names are case-sensitive: "appbase" is not a Host property and
     would only produce a "did not find a matching property" warning; it must be appBase -->
<Host name="site1.nl" unpackWARs="true" appBase="/var/www/www.site1.nl"
      autoDeploy="true">
        <Alias>www.site1.nl</Alias>
        <Alias>subdomain1.site1.nl</Alias> <!-- This is what I want to add -->
        <!-- the root context is declared with an empty path, not "/" -->
        <Context path="" docBase="/var/www/www.site1.nl/html" privileged="true"
                reloadable="true" crossContext="false"/>
        <Context path="/calendar" docBase="/var/www/www.site1.nl/webapp/calendar.war"
                privileged="true" reloadable="true" crossContext="false"/>
</Host>

Re: Subdomain with SSL in same connector

Posted by Christopher Schultz <ch...@christopherschultz.net>.
Maurice,

On 12/22/20 08:59, Maurice Poos wrote:
> Hi there,
> 
> This question (or the gist of it) was asked around 2009 but a lot can
> happen in 10 years.
> The question is as follows:
> 
> I've got tomcat 9.0.35 running on a server (no apache or anything else)
> The connector and ssl are all running smoothly.
> 
> When I put an alias in the connector of course the SSL breaks because the
> subdomain is not included in the certificate in the keystore nor are
> wildcards used.
> 
> Is it possible to add the subdomain ssl to the first keystore and then use
> the alias to secure the subdomain.
> Or...do I need to set up a separate connector, different keystore etc.
> 
> Thank you all for reading and stay safe!
> 
> Maurice
> 
> As a keynote..I'm not up to all the RFC's
> 
> *Config (highlights):*
> *--------------------*
> 
> <SSLHostConfig hostName="site1.nl">
>          <Certificate
>                  certificateKeyAlias="site1.nl"
>                  certificateKeystoreFile="/etc/ssl/crt/site1.nl.jks"
>                  certificateKeystorePassword="whiterabbit"/>
> </SSLHostConfig>
> ##########################
> 
> <Host name="site1.nl"  unpackWARs="true" appbase="/var/www/www.site1.nl"
> autoDeploy="true">
>           <Alias>www.site1.nl</Alias>
> *-->*     <Alias>subdomain1.site1.nl</Alias> *<-- This is what I want to
> add -->*
>          <Context path="/" docBase="/var/www/www.site1.nl/html"
>   privileged="true"
>                reloadable="true" crossContext="false"/>
>          <Context path="/calendar" docBase="/var/www/
> www.site1.nl/webapp/calendar.war"  privileged="true"
>                  reloadable="true" crossContext="false"/>
> </Host>

This isn't really a Tomcat thing, it's an X.509 thing. There is no way 
your client is going to accept a certificate for www.site1.nl when 
requesting a resource from subdomain1.site1.nl unless it's been 
instructed (by the user) to ignore TLS hostname mismatches, which is a 
pretty insecure practice.

So no matter which way you configure Tomcat, the client isn't going to 
make the connection.

If you have two separate certificates (one for www, one for subdomain1), 
then I would expect Tomcat to allow you to put them all into one 
keystore and list each one in a separate <SSLHostConfig> under the 
<Connector>. The <Host> just "accepts" requests once the TLS handshake 
is complete, so using an <Alias> there should work.

If it's not working, please post your full <Connector> and <Host> 
configurations (with any secrets removed) and also the output of this 
command:

$ keytool -list -v -keystore /etc/ssl/crt/site1.nl.jks
$ keytool -list -v -keystore /etc/ssl/crt/subdomain.site1.nl.jks

Note: you might want to start using PKCS12 (.p12) files since (a) 
OpenSSL can use them and (b) Java is dropping support for JKS files.

-chris
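Chris's answer turns on one point: the <Host> and its <Alias> entries decide which web application answers, but the certificate the client sees is chosen earlier, by SNI, from the <SSLHostConfig> entries on the <Connector>. An added example (not code from Maurice, Chris or the Tomcat project) that makes that relationship checkable: it reads a server.xml, lists every name a <Host> answers for, and reports which <SSLHostConfig> Tomcat would select for each name, following Tomcat's lookup order (exact hostName, then a "*.parent" wildcard hostName, then the connector's defaultSSLHostConfigName). Names that only reach the default entry are the ones whose certificate SANs need checking with keytool -list -v. The embedded server.xml fragment is constructed for the example; the subdomain2 alias is a hypothetical name nobody configured a certificate for.

```python
"""Cross-check Tomcat <Host>/<Alias> names against the TLS <SSLHostConfig> entries.

Added example for this thread (not Maurice's or Chris's code). Tomcat picks the
<SSLHostConfig> by the SNI name the client sends: exact hostName first, then a
"*.parent" wildcard hostName, then the connector's default entry. A name that a
<Host> answers for but that only reaches the default entry is served with the
default certificate, which is the mismatch described in the thread.
"""
import xml.etree.ElementTree as ET

# Constructed server.xml fragment modelled on the thread. Two certificates sit in
# one PKCS12 keystore, each listed in its own <SSLHostConfig>; the <Host> also
# carries a hypothetical third alias (subdomain2) with no certificate configured.
SAMPLE_SERVER_XML = """
<Server>
  <Service name="Catalina">
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               SSLEnabled="true" defaultSSLHostConfigName="site1.nl">
      <SSLHostConfig hostName="site1.nl">
        <Certificate certificateKeyAlias="site1.nl"
                     certificateKeystoreFile="/etc/ssl/crt/site1.nl.p12"
                     certificateKeystoreType="PKCS12"
                     certificateKeystorePassword="CHANGEME"/>
      </SSLHostConfig>
      <SSLHostConfig hostName="subdomain1.site1.nl">
        <Certificate certificateKeyAlias="subdomain1.site1.nl"
                     certificateKeystoreFile="/etc/ssl/crt/site1.nl.p12"
                     certificateKeystoreType="PKCS12"
                     certificateKeystorePassword="CHANGEME"/>
      </SSLHostConfig>
    </Connector>
    <Engine name="Catalina" defaultHost="site1.nl">
      <Host name="site1.nl" appBase="/var/www/www.site1.nl">
        <Alias>www.site1.nl</Alias>
        <Alias>subdomain1.site1.nl</Alias>
        <Alias>subdomain2.site1.nl</Alias>
      </Host>
    </Engine>
  </Service>
</Server>
"""


def match_ssl_host_config(name, configured, default):
    """Mimic Tomcat's SNI lookup: exact hostName, then *.parent wildcard, then default."""
    name = name.lower()
    if name in configured:
        return ("exact", name)
    if "." in name:
        # A wildcard hostName covers exactly one extra label, like a wildcard cert.
        wildcard = "*." + name.split(".", 1)[1]
        if wildcard in configured:
            return ("wildcard", wildcard)
    return ("default", default)


def check_server_xml(xml_text):
    """Return {served name: (how it is matched, hostName of the SSLHostConfig serving it)}."""
    root = ET.fromstring(xml_text)
    # Names the <Host> elements answer for: the name attribute plus every <Alias>.
    served = []
    for host in root.iter("Host"):
        served.append(host.get("name", "").lower())
        served += [a.text.strip().lower() for a in host.findall("Alias") if a.text]
    # hostName values of every <SSLHostConfig> on TLS-enabled connectors, plus the
    # entry Tomcat falls back to when SNI matches nothing (or no SNI is sent).
    configured, default = set(), "_default_"
    for conn in root.iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue
        default = conn.get("defaultSSLHostConfigName", default).lower()
        configured.update(s.get("hostName", "_default_").lower()
                          for s in conn.findall("SSLHostConfig"))
    return {n: match_ssl_host_config(n, configured, default) for n in served}


def names_to_verify(report):
    """Names that only reach the default entry: confirm that certificate's SANs cover them."""
    return [n for n, (kind, _) in report.items() if kind == "default"]


if __name__ == "__main__":
    rep = check_server_xml(SAMPLE_SERVER_XML)
    for name, (kind, via) in rep.items():
        print(f"{name:25} served by SSLHostConfig {via!r} ({kind} match)")
    for name in names_to_verify(rep):
        print(f"VERIFY: {name} relies on the default certificate; confirm its SAN list")
```

Run against the embedded fragment, www.site1.nl and subdomain2.site1.nl both fall through to the default entry: www is fine only if the site1.nl certificate's SAN list includes it (which is what keytool -list -v shows), while subdomain2 has nothing and will produce exactly the hostname mismatch Chris describes. The script can be pointed at a real server.xml by passing its contents to check_server_xml.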

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org