Posted to users@tomcat.apache.org by Maurice Poos <ma...@gmail.com> on 2020/05/26 13:19:33 UTC

HELP wanted: Configure 2 domains, 2 SSL and 2 keyfiles on 1 VPS

Hello and thank you in advance for looking into this.

I'm a Dutch native so bear with me...

Problem:
Trying to configure TOMCAT9 to handle 2 domains on the same server with
https and 2 different keystore files.
There is no APACHE webserver or other webserver available.

Single connector configuration works perfectly for that single domain e.g.

     <Connector
        port="443"
        address="rabbit.nl"
        maxHttpHeaderSize="8192"
        maxThreads="150"
        minSpareThreads="25"
        maxSpareThreads="75"
        enableLookups="false"
        disableUploadTimeout="true"
        acceptCount="100"
        scheme="https"
        secure="true"
        SSLEnabled="true"
        clientAuth="false"
        sslProtocol="TLS"
        keyAlias="rabbit.nl"
        keystoreFile="/etc/ssl/crt/rabbit.nl.jks"
        keystorePass="password2" />


But the multi-domain connector is flawed somewhere and due to the limited
feedback from TOMCAT it's a real struggle to figure out what is wrong

SERVER.XML CONFIG file excerpt:

<Connector
    port="443"
    protocol="org.apache.coyote.http11.Http11NioProtocol"
    maxHttpHeaderSize="8192"
    maxThreads="150"
    SSLEnabled="true"
    acceptCount="100"
    scheme="https"
    minSpareThreads="25"
    maxSpareThreads="75"
    enableLookups="false"
    secure="true"
    clientAuth="false"
    <SSLHostConfig hostName="appel.nl" sslProtocol="TLS">
        <Certificate
            certificateKeystoreFile="/etc/ssl/crt/appel.nl.jks"
            certificateKeystorePassword="password1"
            certificateKeyAlias="appel.nl"
            certificateKeyPassword="password1" />
    </SSLHostConfig>
    <SSLHostConfig hostName="rabbit.nl" sslProtocol="TLS">
        <Certificate
            certificateKeystoreFile="/etc/ssl/crt/rabbit.nl.jks"
            certificateKeystorePassword="password2"
            certificateKeyAlias="rabbit.nl"
            certificateKeyPassword="password2" />
    </SSLHostConfig>
</Connector>


Can somebody help me?


Thank you,

Maurice Poos

_____________________________________________________________________
TOMCAT VERSION
Server version: Apache Tomcat/9.0.31
Server built:   Feb 5 2020 19:32:12 UTC
Server number:  9.0.31.0

LINUX
"Ubuntu 18.04.4 LTS"

Architecture:
amd64

JVM Version:    14.0.1+7
JVM Vendor:     Oracle Corporation
__________________________________________________________________________
KEY CSR creation

KEY
/usr/bin/keytool -genkey -keysize 2048 -alias rabbit.nl -keyalg RSA
-keystore rabbit.nl.jks

CSR
/usr/bin/keytool -certreq -keyalg RSA -alias rabbit.nl -file rabbit.nl.csr
-keystore rabbit.nl.jks
___________________________________________________________________________

ERROR LOG CATALINA.OUT

26-May-2020 11:22:34.602 SEVERE [main]
org.apache.catalina.util.LifecycleBase.handleSubClassException Failed to
initialize component [Connector[HTTP/1.1-443]]
    org.apache.catalina.LifecycleException: Protocol handler initialization
failed
        at
org.apache.catalina.connector.Connector.initInternal(Connector.java:1013)
        at
org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
        at
org.apache.catalina.core.StandardService.initInternal(StandardService.java:533)
        at
org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
        at
org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:1057)
        at
org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
        at org.apache.catalina.startup.Catalina.load(Catalina.java:584)
        at org.apache.catalina.startup.Catalina.load(Catalina.java:607)
        at
java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native
Method)
        at
java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
        at
java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.base/java.lang.reflect.Method.invoke(Method.java:564)
        at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:303)
        at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:473)
    Caused by: java.lang.IllegalArgumentException
        at
org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:99)
        at
org.apache.tomcat.util.net.AbstractJsseEndpoint.initialiseSsl(AbstractJsseEndpoint.java:71)
        at org.apache.tomcat.util.net.NioEndpoint.bind(NioEndpoint.java:217)
        at
org.apache.tomcat.util.net.AbstractEndpoint.bindWithCleanup(AbstractEndpoint.java:1141)
        at
org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:1154)
        at
org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:581)
        at
org.apache.coyote.http11.AbstractHttp11Protocol.init(AbstractHttp11Protocol.java:74)
        at
org.apache.catalina.connector.Connector.initInternal(Connector.java:1010)
        ... 13 more
    Caused by: java.io.IOException
        at
org.apache.tomcat.util.net.SSLUtilBase.getKeyManagers(SSLUtilBase.java:302)
        at
org.apache.tomcat.util.net.SSLUtilBase.createSSLContext(SSLUtilBase.java:247)
        at
org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:97)
        ... 20 more

Re: HELP wanted: Configure 2 domains, 2 SSL and 2 keyfiles on 1 VPS

Posted by Christopher Schultz <ch...@christopherschultz.net>.

Maurice,

On 5/27/20 09:04, Maurice Poos wrote:
> Hello Mark,
>
> It's an honour!
>
> I reply to this in a non standard way because a few things have
> happened while it was night over here. Long story short: it works
> now.
>
> 1) The first thing was that the server got upgraded to v9.0.35
>
> Next I began to work with your suggestions.
>
>> <Connector protocol="org.apache.coyote.http11.Http11NioProtocol"
>> port="443" maxThreads="150" minSpareThreads="25" scheme="https"
>> secure="true" SSLEnabled="true" <SSLHostConfig> <Certificate
>> certificateKeyAlias="rabbit.nl"
>> certificateKeystoreFile="/etc/ssl/crt/rabbit.nl.jks"
>> certificateKeystorePassword="password2" /> </SSLHostConfig>
>> </Connector>
>>
>
> 2) Because v35 changed the connector requirements a bit the closing
> ">" after SSLEnabled="true" is mandatory. This immediately made the
> above config work.

The closing > was always required. This isn't a 9.0.35 requirement or
anything. It's just ... how XML works. I'm surprised Tomcat even
started with a broken XML document.

>> Notes: - The protocol attribute is missing so I have added that -
>> I'd expect address to be an IP address so I have omitted that
>> attribute - maxHttpHeaderSize="8192" is the default so I have
>> omitted that attribute - maxSpareThreads="75" is not a recognised
>> attribute so I have removed it - acceptCount="100" is the default
>> so I have omitted that attribute - disableUploadTimeout="true" is
>> the default so I have omitted that attribute -
>> enableLookups="false" is the default so I have omitted that
>> attribute - clientAuth="false" is the default so I have omitted
>> that attribute - sslProtocol="TLS" is the default so I have
>> omitted that attribute
>>
>> I'd then add the hostName attribute to the SSLHostConfig element
>> and, once that is working, combine the two.
>
> 3) After adding the hostName attribute I did get the error
> that you expected below, so I added it in the connector.
>
>
>>
>> I don't see a defaultSSLHostConfigName configured for the
>> Connector. That might trigger the error you are seeing (because
>> the _default_ host name won't have an associated certificate.
>>
>> If that is the issue, we can look at trying to improve that error
>> message.
>>
>
> 4) After adding this I got the working config:
>
> <Connector protocol="org.apache.coyote.http11.Http11NioProtocol"
> port="443" maxThreads="150" minSpareThreads="25" scheme="https"
> secure="true" SSLEnabled="true"
> defaultSSLHostConfigName="www.rabbit.nl"> <SSLHostConfig
> hostName="www.rabbit.nl"> <Certificate
> certificateKeyAlias="rabbit.nl"
> certificateKeystoreFile="/etc/ssl/crt/rabbit.nl.jks"
> certificateKeystorePassword="xxxx1" /> </SSLHostConfig>
> <SSLHostConfig hostName="www.appel.nl"> <Certificate
> certificateKeyAlias="appel.nl"
> certificateKeystoreFile="/etc/ssl/crt/appel.nl.jks"
> certificateKeystorePassword="xxxx2" /> </SSLHostConfig>
> </Connector>

Excellent. Glad you got things working.

-chris

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Re: HELP wanted: Configure 2 domains, 2 SSL and 2 keyfiles on 1 VPS

Posted by Maurice Poos <ma...@gmail.com>.
Hello Mark,

It's an honour!

I reply to this in a non standard way because a few things have happened
while it was night over here.
Long story short: it works now.

1) The first thing was that the server got upgraded to v9.0.35

Next I began to work with your suggestions.

><Connector
>        protocol="org.apache.coyote.http11.Http11NioProtocol"
>        port="443"
>        maxThreads="150"
>        minSpareThreads="25"
>        scheme="https"
>        secure="true"
>        SSLEnabled="true"
>    <SSLHostConfig>
>        <Certificate
>                certificateKeyAlias="rabbit.nl"
>                certificateKeystoreFile="/etc/ssl/crt/rabbit.nl.jks"
>                certificateKeystorePassword="password2"
>        />
>    </SSLHostConfig>
></Connector>
>

2) Because v35 changed the connector requirements a bit the closing ">"
after SSLEnabled="true" is mandatory.
This immediately made the above config work.

>Notes:
> - The protocol attribute is missing so I have added that
> - I'd expect address to be an IP address so I have omitted that
>   attribute
> - maxHttpHeaderSize="8192" is the default so I have omitted that
>   attribute
> - maxSpareThreads="75" is not a recognised attribute so I have removed
>   it
> - acceptCount="100" is the default so I have omitted that attribute
> - disableUploadTimeout="true" is the default so I have omitted that
>   attribute
> - enableLookups="false" is the default so I have omitted that attribute
> - clientAuth="false" is the default so I have omitted that attribute
> - sslProtocol="TLS" is the default so I have omitted that attribute
>
>I'd then add the hostName attribute to the SSLHostConfig element and,
>once that is working, combine the two.

3) After adding the hostName attribute I did get the error that you
expected below, so I added it in the connector.


>
>I don't see a defaultSSLHostConfigName configured for the Connector.
>That might trigger the error you are seeing (because the _default_ host
>name won't have an associated certificate.
>
>If that is the issue, we can look at trying to improve that error message.
>

4) After adding this I got the working config:

<Connector
        protocol="org.apache.coyote.http11.Http11NioProtocol"
        port="443"
        maxThreads="150"
        minSpareThreads="25"
        scheme="https"
        secure="true"
        SSLEnabled="true"
        defaultSSLHostConfigName="www.rabbit.nl">
    <SSLHostConfig hostName="www.rabbit.nl">
            <Certificate
                certificateKeyAlias="rabbit.nl"
                certificateKeystoreFile="/etc/ssl/crt/rabbit.nl.jks"
                certificateKeystorePassword="xxxx1"
                />
    </SSLHostConfig>
    <SSLHostConfig hostName="www.appel.nl">
        <Certificate
                certificateKeyAlias="appel.nl"
                certificateKeystoreFile="/etc/ssl/crt/appel.nl.jks"
                certificateKeystorePassword="xxxx2"
        />
    </SSLHostConfig>
</Connector>

<Host name="www.rabbit.nl" appBase="/var/www/www.rabbit.nl"
      unpackWARs="false" autoDeploy="true">
    <Alias>rabbit.nl</Alias>
    <Context path="/planner" docBase="/var/www/www.rabbit.nl/webapp/planner.war"
             privileged="true" reloadable="true" crossContext="true">
        <Resource name="bean/ConfigBeanFactory" auth="Container"
                  type="nl.bowtie.reservation.util.ConfigBean"
                  factory="org.apache.naming.factory.BeanFactory"
                  configFilename="/var/www/www.rabbit.nl/config/reservation.properties"/>
    </Context>
    <Context path="/" docBase="/var/www/www.rabbit.nl/html"
             privileged="true" reloadable="true" crossContext="true"/>
</Host>
<Host name="www.appel.nl" appBase="/var/www/www.appel.nl"
      unpackWARs="false" autoDeploy="true">
    <Alias>appel.nl</Alias>
    <Context path="/" docBase="/var/www/www.appel.nl/html"
             privileged="true" reloadable="true" crossContext="true"/>
</Host>

Thank you Chris, Mark and Ian.

Maurice Poos


On Wed, May 27, 2020 at 10:38 AM Mark Thomas <ma...@apache.org> wrote:

> On 26/05/2020 14:19, Maurice Poos wrote:
> > Hello and thank you in advance for looking into this.
> >
> > I'm a Dutch native so bear with me...
> >
> > Problem:
> > Trying to configure TOMCAT9 to handle 2 domains on the same server with
> > https and 2 different keystore files.
> > There is no APACHE webserver or other webserver available.
> >
> > Single connector configuration works perfectly for that single domain
> e.g.
> >
> >      <Connector
> >         port="443"
> >         address="rabbit.nl"
> >         maxHttpHeaderSize="8192"
> >         maxThreads="150"
> >         minSpareThreads="25"
> >         maxSpareThreads="75"
> >         enableLookups="false"
> >         disableUploadTimeout="true"
> >         acceptCount="100"
> >         scheme="https"
> >         secure="true"
> >         SSLEnabled="true"
> >         clientAuth="false"
> >         sslProtocol="TLS"
> >         keyAlias="rabbit.nl"
> >         keystoreFile="/etc/ssl/crt/rabbit.nl.jks"
> >         keystorePass="password2" />
>
> I suggest, as a first step, you convert the above working configuration
> to the new <SSLHostConfig ... /> style and get that working for each
> cert one at a time. When you have the individual configurations working,
> then you can combine them.
>
> The configuration above should convert to:
>
> <Connector
>         protocol="org.apache.coyote.http11.Http11NioProtocol"
>         port="443"
>         maxThreads="150"
>         minSpareThreads="25"
>         scheme="https"
>         secure="true"
>         SSLEnabled="true"
>     <SSLHostConfig>
>         <Certificate
>                 certificateKeyAlias="rabbit.nl"
>                 certificateKeystoreFile="/etc/ssl/crt/rabbit.nl.jks"
>                 certificateKeystorePassword="password2"
>         />
>     </SSLHostConfig>
> </Connector>
>
> Notes:
>  - The protocol attribute is missing so I have added that
>  - I'd expect address to be an IP address so I have omitted that
>    attribute
>  - maxHttpHeaderSize="8192" is the default so I have omitted that
>    attribute
>  - maxSpareThreads="75" is not a recognised attribute so I have removed
>    it
>  - acceptCount="100" is the default so I have omitted that attribute
>  - disableUploadTimeout="true" is the default so I have omitted that
>    attribute
>  - enableLookups="false" is the default so I have omitted that attribute
>  - clientAuth="false" is the default so I have omitted that attribute
>  - sslProtocol="TLS" is the default so I have omitted that attribute
>
> I'd then add the hostName attribute to the SSLHostConfig element and,
> once that is working, combine the two.
>
> > But the multi-domain connector is flawed somewhere and due to the limited
> > feedback from TOMCAT it's a real struggle to figure out what is wrong
>
> I don't see a defaultSSLHostConfigName configured for the Connector.
> That might trigger the error you are seeing (because the _default_ host
> name won't have an associated certificate.
>
> If that is the issue, we can look at trying to improve that error message.
>
> > SERVER.XML CONFIG file excerpt:
> >
> > <Connector
> >     port="443"
> >     protocol="org.apache.coyote.http11.Http11NioProtocol"
> >     maxHttpHeaderSize="8192"
> >     maxThreads="150"
> >     SSLEnabled="true"
> >     acceptCount="100"
> >     scheme="https"
> >     minSpareThreads="25"
> >     maxSpareThreads="75"
> >     enableLookups="false"
> >     secure="true"
> >     clientAuth="false"
> >     <SSLHostConfig hostName="appel.nl" sslProtocol="TLS">
> >             <Certificate
> > certificateKeystoreFile="/etc/ssl/crt/appel.nl.jks"
> > certificateKeystorePassword="password1" certificateKeyAlias="appel.nl"
> > certificateKeyPassword="password1" />
> >             </SSLHostConfig>
> >     <SSLHostConfig hostName="rabbit.nl" sslProtocol="TLS">
> >             <Certificate
> > certificateKeystoreFile="/etc/ssl/crt/rabbit.nl.jks"
> > certificateKeystorePassword="password2" certificateKeyAlias="rabbit.nl"
> > certificateKeyPassword="password2" />
> >             </SSLHostConfig>
> > </Connector>
> >
> >
> > Can somebody help me?
> >
> >
> > Thank you,
> >
> > Maurice Poos
> >
> > _____________________________________________________________________
> > TOMCAT VERSION
> > Server version: Apache Tomcat/9.0.31
> > Server built:   Feb 5 2020 19:32:12 UTC
> > Server number:  9.0.31.0
> >
> > LINUX
> > "Ubuntu 18.04.4 LTS"
> >
> > Architecture:
> > amd64
> >
> > JVM Version:    14.0.1+7
> > JVM Vendor:     Oracle Corporation
> >
> __________________________________________________________________________
> > KEY CSR creation
> >
> > KEY
> > /usr/bin/keytool -genkey -keysize 2048 -alias rabbit.nl -keyalg RSA
> > -keystore rabbit.nl.jks
> >
> > CSR
> > /usr/bin/keytool -certreq -keyalg RSA -alias rabbit.nl -file
> rabbit.nl.csr
> > -keystore rabbit.nl.jks
> >
> ___________________________________________________________________________
> >
> > ERROR LOG CATALINA.OUT
> >
> > 26-May-2020 11:22:34.602 SEVERE [main]
> > org.apache.catalina.util.LifecycleBase.handleSubClassException Failed to
> > initialize component [Connector[HTTP/1.1-443]]
> >     org.apache.catalina.LifecycleException: Protocol handler
> initialization
> > failed
> >         at
> > org.apache.catalina.connector.Connector.initInternal(Connector.java:1013)
> >         at
> > org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
> >         at
> >
> org.apache.catalina.core.StandardService.initInternal(StandardService.java:533)
> >         at
> > org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
> >         at
> >
> org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:1057)
> >         at
> > org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
> >         at org.apache.catalina.startup.Catalina.load(Catalina.java:584)
> >         at org.apache.catalina.startup.Catalina.load(Catalina.java:607)
> >         at
> > java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native
> > Method)
> >         at
> >
> java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
> >         at
> >
> java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
> >         at java.base/java.lang.reflect.Method.invoke(Method.java:564)
> >         at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:303)
> >         at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:473)
> >     Caused by: java.lang.IllegalArgumentException
> >         at
> > org.apache.tomcat.util.net
> .AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:99)
> >         at
> > org.apache.tomcat.util.net
> .AbstractJsseEndpoint.initialiseSsl(AbstractJsseEndpoint.java:71)
> >         at org.apache.tomcat.util.net
> .NioEndpoint.bind(NioEndpoint.java:217)
> >         at
> > org.apache.tomcat.util.net
> .AbstractEndpoint.bindWithCleanup(AbstractEndpoint.java:1141)
> >         at
> > org.apache.tomcat.util.net
> .AbstractEndpoint.init(AbstractEndpoint.java:1154)
> >         at
> > org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:581)
> >         at
> >
> org.apache.coyote.http11.AbstractHttp11Protocol.init(AbstractHttp11Protocol.java:74)
> >         at
> > org.apache.catalina.connector.Connector.initInternal(Connector.java:1010)
> >         ... 13 more
> >     Caused by: java.io.IOException
> >         at
> > org.apache.tomcat.util.net
> .SSLUtilBase.getKeyManagers(SSLUtilBase.java:302)
> >         at
> > org.apache.tomcat.util.net
> .SSLUtilBase.createSSLContext(SSLUtilBase.java:247)
> >         at
> > org.apache.tomcat.util.net
> .AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:97)
> >         ... 20 more
> >

Re: HELP wanted: Configure 2 domains, 2 SSL and 2 keyfiles on 1 VPS

Posted by Mark Thomas <ma...@apache.org>.
On 26/05/2020 14:19, Maurice Poos wrote:
> Hello and thank you in advance for looking into this.
> 
> I'm a Dutch native so bear with me...
> 
> Problem:
> Trying to configure TOMCAT9 to handle 2 domains on the same server with
> https and 2 different keystore files.
> There is no APACHE webserver or other webserver available.
> 
> Single connector configuration works perfectly for that single domain e.g.
> 
>      <Connector
>         port="443"
>         address="rabbit.nl"
>         maxHttpHeaderSize="8192"
>         maxThreads="150"
>         minSpareThreads="25"
>         maxSpareThreads="75"
>         enableLookups="false"
>         disableUploadTimeout="true"
>         acceptCount="100"
>         scheme="https"
>         secure="true"
>         SSLEnabled="true"
>         clientAuth="false"
>         sslProtocol="TLS"
>         keyAlias="rabbit.nl"
>         keystoreFile="/etc/ssl/crt/rabbit.nl.jks"
>         keystorePass="password2" />

I suggest, as a first step, you convert the above working configuration
to the new <SSLHostConfig ... /> style and get that working for each
cert one at a time. When you have the individual configurations working,
then you can combine them.

The configuration above should convert to:

<Connector
        protocol="org.apache.coyote.http11.Http11NioProtocol"
        port="443"
        maxThreads="150"
        minSpareThreads="25"
        scheme="https"
        secure="true"
        SSLEnabled="true"
    <SSLHostConfig>
        <Certificate
                certificateKeyAlias="rabbit.nl"
                certificateKeystoreFile="/etc/ssl/crt/rabbit.nl.jks"
                certificateKeystorePassword="password2"
        />
    </SSLHostConfig>
</Connector>

Notes:
 - The protocol attribute is missing so I have added that
 - I'd expect address to be an IP address so I have omitted that
   attribute
 - maxHttpHeaderSize="8192" is the default so I have omitted that
   attribute
 - maxSpareThreads="75" is not a recognised attribute so I have removed
   it
 - acceptCount="100" is the default so I have omitted that attribute
 - disableUploadTimeout="true" is the default so I have omitted that
   attribute
 - enableLookups="false" is the default so I have omitted that attribute
 - clientAuth="false" is the default so I have omitted that attribute
 - sslProtocol="TLS" is the default so I have omitted that attribute

I'd then add the hostName attribute to the SSLHostConfig element and,
once that is working, combine the two.

> But the multi-domain connector is flawed somewhere and due to the limited
> feedback from TOMCAT it's a real struggle to figure out what is wrong

I don't see a defaultSSLHostConfigName configured for the Connector.
That might trigger the error you are seeing (because the _default_ host
name won't have an associated certificate.

If that is the issue, we can look at trying to improve that error message.

> SERVER.XML CONFIG file excerpt:
> 
> <Connector
>     port="443"
>     protocol="org.apache.coyote.http11.Http11NioProtocol"
>     maxHttpHeaderSize="8192"
>     maxThreads="150"
>     SSLEnabled="true"
>     acceptCount="100"
>     scheme="https"
>     minSpareThreads="25"
>     maxSpareThreads="75"
>     enableLookups="false"
>     secure="true"
>     clientAuth="false"
>     <SSLHostConfig hostName="appel.nl" sslProtocol="TLS">
>             <Certificate
> certificateKeystoreFile="/etc/ssl/crt/appel.nl.jks"
> certificateKeystorePassword="password1" certificateKeyAlias="appel.nl"
> certificateKeyPassword="password1" />
>             </SSLHostConfig>
>     <SSLHostConfig hostName="rabbit.nl" sslProtocol="TLS">
>             <Certificate
> certificateKeystoreFile="/etc/ssl/crt/rabbit.nl.jks"
> certificateKeystorePassword="password2" certificateKeyAlias="rabbit.nl"
> certificateKeyPassword="password2" />
>             </SSLHostConfig>
> </Connector>
> 
> 
> Can somebody help me?
> 
> 
> Thank you,
> 
> Maurice Poos
> 
> _____________________________________________________________________
> TOMCAT VERSION
> Server version: Apache Tomcat/9.0.31
> Server built:   Feb 5 2020 19:32:12 UTC
> Server number:  9.0.31.0
> 
> LINUX
> "Ubuntu 18.04.4 LTS"
> 
> Architecture:
> amd64
> 
> JVM Version:    14.0.1+7
> JVM Vendor:     Oracle Corporation
> __________________________________________________________________________
> KEY CSR creation
> 
> KEY
> /usr/bin/keytool -genkey -keysize 2048 -alias rabbit.nl -keyalg RSA
> -keystore rabbit.nl.jks
> 
> CSR
> /usr/bin/keytool -certreq -keyalg RSA -alias rabbit.nl -file rabbit.nl.csr
> -keystore rabbit.nl.jks
> ___________________________________________________________________________
> 
> ERROR LOG CATALINA.OUT
> 
> 26-May-2020 11:22:34.602 SEVERE [main]
> org.apache.catalina.util.LifecycleBase.handleSubClassException Failed to
> initialize component [Connector[HTTP/1.1-443]]
>     org.apache.catalina.LifecycleException: Protocol handler initialization
> failed
>         at
> org.apache.catalina.connector.Connector.initInternal(Connector.java:1013)
>         at
> org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
>         at
> org.apache.catalina.core.StandardService.initInternal(StandardService.java:533)
>         at
> org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
>         at
> org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:1057)
>         at
> org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
>         at org.apache.catalina.startup.Catalina.load(Catalina.java:584)
>         at org.apache.catalina.startup.Catalina.load(Catalina.java:607)
>         at
> java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native
> Method)
>         at
> java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
>         at
> java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>         at java.base/java.lang.reflect.Method.invoke(Method.java:564)
>         at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:303)
>         at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:473)
>     Caused by: java.lang.IllegalArgumentException
>         at
> org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:99)
>         at
> org.apache.tomcat.util.net.AbstractJsseEndpoint.initialiseSsl(AbstractJsseEndpoint.java:71)
>         at org.apache.tomcat.util.net.NioEndpoint.bind(NioEndpoint.java:217)
>         at
> org.apache.tomcat.util.net.AbstractEndpoint.bindWithCleanup(AbstractEndpoint.java:1141)
>         at
> org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:1154)
>         at
> org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:581)
>         at
> org.apache.coyote.http11.AbstractHttp11Protocol.init(AbstractHttp11Protocol.java:74)
>         at
> org.apache.catalina.connector.Connector.initInternal(Connector.java:1010)
>         ... 13 more
>     Caused by: java.io.IOException
>         at
> org.apache.tomcat.util.net.SSLUtilBase.getKeyManagers(SSLUtilBase.java:302)
>         at
> org.apache.tomcat.util.net.SSLUtilBase.createSSLContext(SSLUtilBase.java:247)
>         at
> org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:97)
>         ... 20 more
> 




Re: [OT] HELP wanted: Configure 2 domains, 2 SSL and 2 keyfiles on 1 VPS

Posted by Christopher Schultz <ch...@christopherschultz.net>.

All,

On 5/27/20 08:18, Ian Brown wrote:
> I would suggest adding type="RSA" to your certificate elements.
> (As shown in Christopher's example & matching your set up). It
> defaults to UNDEFINED. Further, the Tomcat documentation talks
> about one certificate working, and two not working if TYPE is not
> defined.
Hmm, now this has me thinking. If you have a single keystore and want
to advertise both RSA and ECDSA-based server certificates, you'd have
to do:

<SSLHostConfig>
  <Certificate type="RSA" certificateKeystoreFile="keystore.jks"
certificateKeyAlias="www.example.com.RSA" />
  <Certificate type="EC" certificateKeystoreFile="keystore.jks"
certificateKeyAlias="www.example.com.ECDSA" />
</SSLHostConfig>

If you had more config items like passwords, providers, etc. it would
become even more verbose.

If I were configuring something like this myself, I might like to say
(in English) "this keystore contains everything I need for
www.example.com; load everything and do the right thing". Something
like this:

<SSLHostConfig hostName="example.com">
  <Certificates keystore="keystore.jks" />
</SSLHostConfig>

This can work for PEM files, too, and it's how httpd does things: you
just point SSLCertificateFile at a PEM file and it loads everything.
The only (practical) difference between a keystore and a
multi-certificate/key PEM file is that there are no "aliases" in a PEM
file.

Each key knows its own type; there is no need to require the user to
declare the encryption type. We could even use the "hostName" from the
<SSLHostConfig> element to ignore any certificates whose CN/SANs
doesn't/don't match the hostName so we don't get confused if there are
unrelated certificates in the keystore.

I think there is scope to improve things, here.

-chris


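As an added illustration (not code from this thread, from Tomcat, or from any of the posters), here is a small Python checker for the two structural faults discussed above: Mark's point that the connector's defaultSSLHostConfigName (implicitly "_default_") must match one SSLHostConfig hostName, and Ian's and Chris's point that several Certificate elements under one host need distinct explicit type attributes. The sample configs are constructed from the ones in this thread with placeholder passwords; the check reads only the XML and never opens a keystore.

```python
import xml.etree.ElementTree as ET

# Name Tomcat uses for a connector's defaultSSLHostConfigName and for an
# SSLHostConfig's hostName when neither attribute is set.
DEFAULT_NAME = "_default_"


def check_tls_config(server_xml: str) -> list[str]:
    """Structural check of every SSLEnabled <Connector> in server.xml text.
    Returns a list of problems; an empty list means the SSLHostConfig layout
    is consistent. Keystores and passwords are not opened or verified."""
    try:
        root = ET.fromstring(server_xml)
    except ET.ParseError as exc:
        # The first config in this thread fails here: no '>' closes the
        # Connector start tag before the first <SSLHostConfig>.
        return [f"not well-formed XML: {exc}"]

    problems: list[str] = []
    # Element.iter() yields the element itself first, so a bare <Connector>
    # snippet and a complete <Server> document are both handled.
    for conn in root.iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue
        where = f"Connector port={conn.get('port', '?')}"
        default_name = conn.get("defaultSSLHostConfigName", DEFAULT_NAME).lower()
        host_names: list[str] = []

        for shc in conn.findall("SSLHostConfig"):
            name = shc.get("hostName", DEFAULT_NAME).lower()
            if name in host_names:
                problems.append(f"{where}: duplicate SSLHostConfig hostName '{name}'")
            host_names.append(name)

            certs = shc.findall("Certificate")
            if not certs:
                problems.append(f"{where}: SSLHostConfig '{name}' has no <Certificate>")
            for cert in certs:
                if not (cert.get("certificateKeystoreFile") or cert.get("certificateFile")):
                    problems.append(f"{where}: <Certificate> under '{name}' names "
                                    "neither a keystore nor a PEM certificate file")
            # Several certificates for one host (e.g. RSA plus EC) must each
            # carry an explicit, distinct type; a single one may stay UNDEFINED.
            types = [cert.get("type", "UNDEFINED").upper() for cert in certs]
            if len(certs) > 1 and ("UNDEFINED" in types or len(set(types)) != len(types)):
                problems.append(f"{where}: SSLHostConfig '{name}' has {len(certs)} "
                                f"certificates with types {types}; each needs a "
                                "distinct explicit type")

        # Legacy style: keystore attributes on the Connector itself act as an
        # implicit SSLHostConfig carrying the default name.
        if not host_names and (conn.get("keystoreFile") or conn.get("certificateKeystoreFile")):
            host_names.append(DEFAULT_NAME)

        if not host_names:
            problems.append(f"{where}: SSLEnabled but no SSLHostConfig or keystore given")
        elif default_name not in host_names:
            problems.append(f"{where}: defaultSSLHostConfigName '{default_name}' matches "
                            f"none of {host_names}; the default host would have no certificate")
    return problems


# Constructed samples modelled on the configs in this thread (placeholder passwords).
BROKEN_XML = """<Connector port="443" SSLEnabled="true" scheme="https" secure="true"
    <SSLHostConfig hostName="appel.nl">
        <Certificate certificateKeystoreFile="/etc/ssl/crt/appel.nl.jks"
                     certificateKeystorePassword="PLACEHOLDER" />
    </SSLHostConfig>
</Connector>"""

NO_DEFAULT_HOST = """<Connector port="443" SSLEnabled="true" scheme="https" secure="true">
    <SSLHostConfig hostName="appel.nl">
        <Certificate certificateKeystoreFile="/etc/ssl/crt/appel.nl.jks"
                     certificateKeystorePassword="PLACEHOLDER" />
    </SSLHostConfig>
    <SSLHostConfig hostName="rabbit.nl">
        <Certificate certificateKeystoreFile="/etc/ssl/crt/rabbit.nl.jks"
                     certificateKeystorePassword="PLACEHOLDER" />
    </SSLHostConfig>
</Connector>"""

# Same two hosts with the default name pointing at one of them: the fix from the thread.
WORKING = NO_DEFAULT_HOST.replace('port="443"', 'port="443" defaultSSLHostConfigName="rabbit.nl"')

LEGACY_SINGLE = """<Connector port="443" SSLEnabled="true" scheme="https" secure="true"
    keyAlias="rabbit.nl" keystoreFile="/etc/ssl/crt/rabbit.nl.jks" keystorePass="PLACEHOLDER" />"""

DUAL_CERT_NO_TYPE = """<Connector port="443" SSLEnabled="true" defaultSSLHostConfigName="www.example.com">
    <SSLHostConfig hostName="www.example.com">
        <Certificate certificateKeystoreFile="keystore.jks" certificateKeyAlias="www.example.com.RSA" />
        <Certificate certificateKeystoreFile="keystore.jks" certificateKeyAlias="www.example.com.ECDSA" />
    </SSLHostConfig>
</Connector>"""

if __name__ == "__main__":
    for label, xml in [("broken", BROKEN_XML), ("no-default", NO_DEFAULT_HOST), ("working", WORKING),
                       ("legacy", LEGACY_SINGLE), ("dual-cert", DUAL_CERT_NO_TYPE)]:
        print(f"{label:10s} -> {check_tls_config(xml) or 'OK'}")
```

Running it against a real server.xml is a quick pre-start sanity check; the actual TLS handshake per SNI name still needs to be verified from a client once Tomcat is up.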

Re: HELP wanted: Configure 2 domains, 2 SSL and 2 keyfiles on 1 VPS

Posted by Ian Brown <it...@yahoo.ca.INVALID>.
Hi Maurice,
Like Christopher I don't see any obvious issues. FYI, I run many virtual hosts all with certificates. Works great. I use certificateKeystoreType="PKCS12" and the related supporting software.
I would suggest adding type="RSA" to your certificate elements. (As shown in Christopher's example & matching your set up). It defaults to UNDEFINED. Further, the Tomcat documentation talks about one certificate working, and two not working if TYPE is not defined. Now that is within an SSLHostConfig element, which is not your case. It sounds very similar to what you are experiencing.
Good Luck

Re: HELP wanted: Configure 2 domains, 2 SSL and 2 keyfiles on 1 VPS

Posted by Mark Thomas <ma...@apache.org>.
On 26/05/2020 21:53, Christopher Schultz wrote:

> Okay, good.
> 
> What is your JVM language? I'm guessing it's Dutch (or maybe Flemish?
> French?). Tomcat doesn't have a translation for error messages and
> such, so your messages are not terribly helpful (e.g. IOException with
> no detail).

Nope.

If Tomcat can't find a message for the user's current Locale it will use
the English message.

It looks like the message got deleted in this case. That is an issue
that needs to get fixed.

Mark



Re: HELP wanted: Configure 2 domains, 2 SSL and 2 keyfiles on 1 VPS

Posted by Christopher Schultz <ch...@christopherschultz.net>.

Maurice,

On 5/26/20 15:02, Maurice Poos wrote:
>
>
> On Tue, May 26, 2020 at 5:30 PM Christopher Schultz
> <chris@christopherschultz.net> wrote:
>
> Maurice,
>
> On 5/26/20 09:19, Maurice Poos wrote:
>> Hello and thank you in advance for looking into this.
>
>> I'm a Dutch native so bear with me...
>
> Welcome to the community!
>
>> Problem: Trying to configure TOMCAT9 to handle 2 domains on the
>> same server with https and 2 different keystore files.
>
> This should definitely be possible.
>
>> Server version: Apache Tomcat/9.0.31
>
>> There is no APACHE webserver or other webserver available.
>
> Thank you for making this clear. It helps a lot.
>
>> Single connector configuration works perfectly for that single
>> domain e.g.
>
>> <Connector port="443" address="rabbit.nl" maxHttpHeaderSize="8192"
>> maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
>> enableLookups="false" disableUploadTimeout="true"
>> acceptCount="100" scheme="https" secure="true" SSLEnabled="true"
>> clientAuth="false" sslProtocol="TLS" keyAlias="rabbit.nl"
>> keystoreFile="/etc/ssl/crt/rabbit.nl.jks"
>> keystorePass="password2" />
>
> Excellent. This means that your keystore is in order and the
> certificate works, etc. You may want to use the PKCS12 keystore
> format simply because JKS is not really a standard and is being
> deprecated by Java. But it's not causing any problems right now, so
> let's not change it.
>
>> But the multi-domain connector is flawed somewhere and due to
>> the limited feedback from TOMCAT it's a real struggle to figure
>> out what is wrong
>
>> SERVER.XML CONFIG file exert:
>
>> <Connector port="443"
>> protocol="org.apache.coyote.http11.Http11NioProtocol"
>> maxHttpHeaderSize="8192" maxThreads="150" SSLEnabled="true"
>> acceptCount="100" scheme="https" minSpareThreads="25"
>> maxSpareThreads="75" enableLookups="false" secure="true"
>> clientAuth="false"
>
> Are you possibly missing a '>' character, here?
>
>> <SSLHostConfig hostName="appel.nl" sslProtocol="TLS">
>>   <Certificate certificateKeystoreFile="/etc/ssl/crt/appel.nl.jks"
>>                certificateKeystorePassword="password1"
>>                certificateKeyAlias="appel.nl"
>>                certificateKeyPassword="password1" />
>> </SSLHostConfig>
>
> This looks okay to me. You do not have to specify
> certificateKeyPassword if it's the same password as
> certificateKeystorePassword. It does not hurt to repeat it, but it
> does make the configuration a little less easy to read.
>
>> <SSLHostConfig hostName="rabbit.nl" sslProtocol="TLS">
>>   <Certificate certificateKeystoreFile="/etc/ssl/crt/rabbit.nl.jks"
>>                certificateKeystorePassword="password2"
>>                certificateKeyAlias="rabbit.nl"
>>                certificateKeyPassword="password2" />
>> </SSLHostConfig>
>> </Connector>
>
> This looks okay to me, too.
>
>> Can somebody help me?
>
> Do you have any <Host> elements configured?
>
>> 26-May-2020 11:22:34.602 SEVERE [main]
>> org.apache.catalina.util.LifecycleBase.handleSubClassException
>> Failed to initialize component [Connector[HTTP/1.1-443]]
>> org.apache.catalina.LifecycleException: Protocol handler
>> initialization failed
>> at org.apache.catalina.connector.Connector.initInternal(Connector.java:1013)
>> at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
>> at org.apache.catalina.core.StandardService.initInternal(StandardService.java:533)
>> at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
>> at org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:1057)
>> at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
>> at org.apache.catalina.startup.Catalina.load(Catalina.java:584)
>> at org.apache.catalina.startup.Catalina.load(Catalina.java:607)
>> at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>> at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
>> at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>> at java.base/java.lang.reflect.Method.invoke(Method.java:564)
>> at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:303)
>> at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:473)
>> Caused by: java.lang.IllegalArgumentException
>> at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:99)
>> at org.apache.tomcat.util.net.AbstractJsseEndpoint.initialiseSsl(AbstractJsseEndpoint.java:71)
>> at org.apache.tomcat.util.net.NioEndpoint.bind(NioEndpoint.java:217)
>> at org.apache.tomcat.util.net.AbstractEndpoint.bindWithCleanup(AbstractEndpoint.java:1141)
>> at org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:1154)
>> at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:581)
>> at org.apache.coyote.http11.AbstractHttp11Protocol.init(AbstractHttp11Protocol.java:74)
>> at org.apache.catalina.connector.Connector.initInternal(Connector.java:1010)
>> ... 13 more
>> Caused by: java.io.IOException
>> at org.apache.tomcat.util.net.SSLUtilBase.getKeyManagers(SSLUtilBase.java:302)
>> at org.apache.tomcat.util.net.SSLUtilBase.createSSLContext(SSLUtilBase.java:247)
>> at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:97)
>> ... 20 more
>
> This stack trace indicates to me that there is no keystore
> configured, and also there was no certificate PEM file specified on
> the certificate.
>
> Maybe your XML is broken?
>
> -chris
>
>
> Hi Chris
>
> Thank you for accepting me and looking into this.
>
> Not sure about how to format these mails but I'm gonna copy and
> paste your questions/remarks and answer them below (guidelines
> tomcat apache #6)
>
>> <Connector port="443"
>> protocol="org.apache.coyote.http11.Http11NioProtocol"
>> maxHttpHeaderSize="8192" maxThreads="150" SSLEnabled="true"
>> acceptCount="100" scheme="https" minSpareThreads="25"
>> maxSpareThreads="75" enableLookups="false" secure="true"
>> clientAuth="false"
>
> Q: Are you possibly missing a '>' character, here? A: If it's to
> close the Connector tag, from the example in server.xml I'd
> understood that the SSLHostConfig tag has to be inside a Connector
> tag and therefore the closing </Connector> is after the closing
> </SSLHostConfig>

Yes. Your initial post does not have the closing > for the <Connector>;
it was like this:

  <Connector [attributes]
    <SSLHostConfig>
      <Certificate />
      <Certificate />
    </SSLHostConfig>
  </Connector>

> Default server.xml example:
>     <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
>                maxThreads="150" SSLEnabled="true">
>         <SSLHostConfig>
>             <Certificate certificateKeystoreFile="conf/localhost-rsa.jks"
>                          type="RSA" />
>         </SSLHostConfig>
>     </Connector>
>
>
> Q: Do you have any <Host> elements configured?
>
> A: Yes I do:
>
> <Host name="www.rabbit.nl" debug="0" appBase="/var/www/www.rabbit.nl"
>       unpackWARs="false" autoDeploy="true">
>   <Alias>rabbit.nl</Alias>
>   <Context path="/myapp" docBase="/var/www/www.rabbit.nl/webapp/myapp.war"
>            debug="0" privileged="true" reloadable="true" crossContext="true">
>     <Resource name="bean/ConfigBeanFactory" auth="Container"
>               type="nl.bowtie.reservation.util.ConfigBean"
>               factory="org.apache.naming.factory.BeanFactory"
>               configFilename="/var/www/www.rabbit.nl/config/reservation.properties"/>
>   </Context>
>   <Context path="/" docBase="/var/www/www.rabbit.nl/html" debug="0"
>            privileged="true" reloadable="true" crossContext="true"/>
> </Host>
> <Host name="www.appel.nl" debug="0" appBase="/var/www/www.appel.nl"
>       unpackWARs="false" autoDeploy="true">
>   <Alias>appel.nl</Alias>
>   <Context path="/" docBase="/var/www/www.appel.nl/html" debug="0"
>            privileged="true" reloadable="true" crossContext="true"/>
> </Host>

This is good to know. I don't think you *must* have a 1-to-1
relationship between <Host> and <Certificate>, but I wanted to make
sure that things were in agreement.

> Q: This stack trace indicates to me that there is no keystore
> configured, and also there was no certificate PEM file specified on
> the certificate. A: I did not realize with all the other things
> available a PEM file was mandatory since everything is imported in
> the jks file
>
> /usr/bin/keytool -import -trustcacerts -alias root -file
> USERTrust_RSA_Certification_Authority.crt -keystore rabbit.nl.jks
> /usr/bin/keytool -import -trustcacerts -alias inter -file
> Sectigo_RSA_Domain_Validation_Secure_Server_CA.crt -keystore rabbit.nl.jks
> /usr/bin/keytool -import -trustcacerts -alias rabbit.nl -file
> preview_uitgaan24_nl.crt -keystore rabbit.nl.jks

The PEM file is not required. For JSSE (which is the default: you are
not using the APR connector), you can use the JKS keystore and you
don't need anything else.

> Q: Maybe your XML is broken? A: I checked the XML file against
> several online XML validators, no errors were found.

Okay, good.

What is your JVM language? I'm guessing it's Dutch (or maybe Flemish?
French?). Tomcat doesn't have a translation for error messages and
such, so your messages are not terribly helpful (e.g. IOException with
no detail).

If you run your JVM with -Duser.language=en (or =de or =fr) you will
get English (or German or French) detail messages which may be helpful
to you.

I'm sorry; everything looks good to me so far. Do you now have a
single <Connector> in your server.xml?

- -chris



Re: HELP wanted: Configure 2 domains, 2 SSL and 2 keyfiles on 1 VPS

Posted by Maurice Poos <ma...@gmail.com>.
On Tue, May 26, 2020 at 5:30 PM Christopher Schultz <
chris@christopherschultz.net> wrote:

>
> Maurice,
>
> On 5/26/20 09:19, Maurice Poos wrote:
> > Hello and thank you in advance for looking into this.
> >
> > I'm a Dutch native so bear with me...
>
> Welcome to the community!
>
> > Problem: Trying to configure TOMCAT9 to handle 2 domains on the
> > same server with https and 2 different keystore files.
>
> This should definitely be possible.
>
> > Server version: Apache Tomcat/9.0.31
> >
> > There is no APACHE webserver or other webserver available.
>
> Thank you for making this clear. It helps a lot.
>
> > Single connector configuration works perfectly for that single
> > domain e.g.
> >
> > <Connector port="443" address="rabbit.nl" maxHttpHeaderSize="8192"
> > maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
> > enableLookups="false" disableUploadTimeout="true"
> > acceptCount="100" scheme="https" secure="true" SSLEnabled="true"
> > clientAuth="false" sslProtocol="TLS" keyAlias="rabbit.nl"
> > keystoreFile="/etc/ssl/crt/rabbit.nl.jks" keystorePass="password2"
> > />
>
> Excellent. This means that your keystore is in order and the
> certificate works, etc. You may want to use the PKCS12 keystore format
> simply because JKS is not really a standard and is being deprecated by
> Java. But it's not causing any problems right now, so let's not change
> it.
>
> > But the multi-domain connector is flawed somewhere and due to the
> > limited feedback from TOMCAT it's a real struggle to figure out
> > what is wrong
> >
> > SERVER.XML CONFIG file exert:
> >
> > <Connector port="443"
> > protocol="org.apache.coyote.http11.Http11NioProtocol"
> > maxHttpHeaderSize="8192" maxThreads="150" SSLEnabled="true"
> > acceptCount="100" scheme="https" minSpareThreads="25"
> > maxSpareThreads="75" enableLookups="false" secure="true"
> > clientAuth="false"
>
> Are you possibly missing a '>' character, here?
>
> > <SSLHostConfig hostName="appel.nl" sslProtocol="TLS"> <Certificate
> > certificateKeystoreFile="/etc/ssl/crt/appel.nl.jks"
> > certificateKeystorePassword="password1"
> > certificateKeyAlias="appel.nl" certificateKeyPassword="password1"
> > /> </SSLHostConfig>
>
> This looks okay to me. You do not have to specify
> certificateKeyPassword if it's the same password as
> certificateKeystorePassword. It does not hurt to repeat it, but it
> does make the configuration a little less easy to read.
>
> > <SSLHostConfig hostName="rabbit.nl" sslProtocol="TLS">
> > <Certificate certificateKeystoreFile="/etc/ssl/crt/rabbit.nl.jks"
> > certificateKeystorePassword="password2"
> > certificateKeyAlias="rabbit.nl" certificateKeyPassword="password2"
> > /> </SSLHostConfig> </Connector>
>
> This looks okay to me, too.
>
> > Can somebody help me?
>
> Do you have any <Host> elements configured?
>
> > 26-May-2020 11:22:34.602 SEVERE [main]
> > org.apache.catalina.util.LifecycleBase.handleSubClassException
> > Failed to initialize component [Connector[HTTP/1.1-443]]
> > org.apache.catalina.LifecycleException: Protocol handler
> > initialization failed
> > at org.apache.catalina.connector.Connector.initInternal(Connector.java:1013)
> > at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
> > at org.apache.catalina.core.StandardService.initInternal(StandardService.java:533)
> > at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
> > at org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:1057)
> > at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
> > at org.apache.catalina.startup.Catalina.load(Catalina.java:584)
> > at org.apache.catalina.startup.Catalina.load(Catalina.java:607)
> > at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> > at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
> > at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
> > at java.base/java.lang.reflect.Method.invoke(Method.java:564)
> > at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:303)
> > at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:473)
> > Caused by: java.lang.IllegalArgumentException
> > at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:99)
> > at org.apache.tomcat.util.net.AbstractJsseEndpoint.initialiseSsl(AbstractJsseEndpoint.java:71)
> > at org.apache.tomcat.util.net.NioEndpoint.bind(NioEndpoint.java:217)
> > at org.apache.tomcat.util.net.AbstractEndpoint.bindWithCleanup(AbstractEndpoint.java:1141)
> > at org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:1154)
> > at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:581)
> > at org.apache.coyote.http11.AbstractHttp11Protocol.init(AbstractHttp11Protocol.java:74)
> > at org.apache.catalina.connector.Connector.initInternal(Connector.java:1010)
> > ... 13 more
> > Caused by: java.io.IOException
> > at org.apache.tomcat.util.net.SSLUtilBase.getKeyManagers(SSLUtilBase.java:302)
> > at org.apache.tomcat.util.net.SSLUtilBase.createSSLContext(SSLUtilBase.java:247)
> > at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:97)
> > ... 20 more
>
> This stack trace indicates to me that there is no keystore configured,
> and also there was no certificate PEM file specified on the certificate.
>
> Maybe your XML is broken?
>
> - -chris
>

Hi Chris

Thank you for accepting me and looking into this.

Not sure about how to format these mails but I'm gonna copy and paste your
questions/remarks and answer them below (guidelines tomcat apache #6)

> <Connector port="443"
> protocol="org.apache.coyote.http11.Http11NioProtocol"
> maxHttpHeaderSize="8192" maxThreads="150" SSLEnabled="true"
> acceptCount="100" scheme="https" minSpareThreads="25"
> maxSpareThreads="75" enableLookups="false" secure="true"
> clientAuth="false"

Q: Are you possibly missing a '>' character, here?
A: If it's to close the Connector tag, from the example in server.xml I'd
understood that the SSLHostConfig tag has to be inside a Connector tag and
therefore the closing </Connector> is after the closing </SSLHostConfig>

Default server.xml example:
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               maxThreads="150" SSLEnabled="true">
        <SSLHostConfig>
            <Certificate certificateKeystoreFile="conf/localhost-rsa.jks"
                         type="RSA" />
        </SSLHostConfig>
    </Connector>


Q: Do you have any <Host> elements configured?

A: Yes I do:

<Host name="www.rabbit.nl" debug="0" appBase="/var/www/www.rabbit.nl"
      unpackWARs="false" autoDeploy="true">
  <Alias>rabbit.nl</Alias>
  <Context path="/myapp" docBase="/var/www/www.rabbit.nl/webapp/myapp.war"
           debug="0" privileged="true" reloadable="true" crossContext="true">
    <Resource name="bean/ConfigBeanFactory" auth="Container"
              type="nl.bowtie.reservation.util.ConfigBean"
              factory="org.apache.naming.factory.BeanFactory"
              configFilename="/var/www/www.rabbit.nl/config/reservation.properties"/>
  </Context>
  <Context path="/" docBase="/var/www/www.rabbit.nl/html" debug="0"
           privileged="true" reloadable="true" crossContext="true"/>
</Host>
<Host name="www.appel.nl" debug="0" appBase="/var/www/www.appel.nl"
      unpackWARs="false" autoDeploy="true">
  <Alias>appel.nl</Alias>
  <Context path="/" docBase="/var/www/www.appel.nl/html" debug="0"
           privileged="true" reloadable="true" crossContext="true"/>
</Host>


Q:This stack trace indicates to me that there is no keystore configured,
and also there was no certificate PEM file specified on the certificate.
A: I did not realize that, with all the other things available, a PEM file
was mandatory, since everything is imported in the jks file

/usr/bin/keytool -import -trustcacerts -alias root -file
USERTrust_RSA_Certification_Authority.crt -keystore rabbit.nl.jks
/usr/bin/keytool -import -trustcacerts -alias inter -file
Sectigo_RSA_Domain_Validation_Secure_Server_CA.crt -keystore rabbit.nl.jks
/usr/bin/keytool -import -trustcacerts -alias rabbit.nl -file
preview_uitgaan24_nl.crt -keystore rabbit.nl.jks

Q:Maybe your XML is broken?
A: I checked the XML file against several online XML validators, no errors
were found.


Again thank you and greetings from Belgium.

Maurice
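The keytool commands above show certificates being imported; the frame that fails in the stack trace, SSLUtilBase.getKeyManagers, is the point where Tomcat insists that certificateKeyAlias names a key entry (a private key with its chain), not a trusted-certificate entry. The quickest check is `keytool -list -v -keystore rabbit.nl.jks` and looking for "Entry type: PrivateKeyEntry" under the alias. The script below, an added example and not code from the thread, does the same check offline by reading the JKS container format with the Python standard library: aliases and entry types are stored in the clear, so no password is needed to list them, and verify_digest() checks the password-keyed SHA-1 trailer. build_jks() is a constructed fixture that writes a syntactically valid JKS with dummy certificate bytes so the reader can be exercised without real key material; the aliases mirror the thread's rabbit.nl store.

```python
"""List JKS entries the way Tomcat's KeyStore.isKeyEntry check sees them.
Added example, not from the thread. Standard library only."""
import hashlib
import hmac
import io
import struct
import sys
import time

JKS_MAGIC = 0xFEEDFEED
TAG_PRIVATE_KEY = 1                 # "PrivateKeyEntry" in keytool -list -v
TAG_TRUSTED_CERT = 2                # "trustedCertEntry"
DIGEST_SALT = b"Mighty Aphrodite"   # fixed string used by sun.security.provider.JavaKeyStore


def _read_int(buf):
    return struct.unpack(">i", buf.read(4))[0]


def _read_utf(buf):
    """DataInput.readUTF: 2-byte big-endian length, then (modified) UTF-8."""
    (length,) = struct.unpack(">H", buf.read(2))
    return buf.read(length).decode("utf-8")


def _skip_blob(buf):
    buf.read(_read_int(buf))        # int length followed by that many bytes


def list_entries(data):
    """Return {alias: 'PrivateKeyEntry' | 'trustedCertEntry'} for a JKS blob."""
    if len(data) < 12 + 20:
        raise ValueError("too short to be a JKS keystore")
    buf = io.BytesIO(data)
    magic = struct.unpack(">I", buf.read(4))[0]
    if magic != JKS_MAGIC:
        if data[:1] == b"\x30":
            # DER SEQUENCE: almost certainly PKCS12. keytool on Java 9+ writes
            # PKCS12 for *new* stores even when the file is called *.jks.
            raise ValueError("not JKS: looks like PKCS12/DER, use keytool -list -v")
        raise ValueError("not a JKS keystore (magic 0x%08x)" % magic)
    version = _read_int(buf)
    if version not in (1, 2):
        raise ValueError("unsupported JKS version %d" % version)
    entries = {}
    for _ in range(_read_int(buf)):          # entry count
        tag = _read_int(buf)
        alias = _read_utf(buf)
        buf.read(8)                          # creation time, ms since epoch
        if tag == TAG_PRIVATE_KEY:
            _skip_blob(buf)                  # PKCS#8 EncryptedPrivateKeyInfo, stays encrypted
            for _ in range(_read_int(buf)):  # certificate chain
                if version == 2:
                    _read_utf(buf)           # certificate type, "X.509"
                _skip_blob(buf)
            entries[alias] = "PrivateKeyEntry"
        elif tag == TAG_TRUSTED_CERT:
            if version == 2:
                _read_utf(buf)
            _skip_blob(buf)
            entries[alias] = "trustedCertEntry"
        else:
            raise ValueError("unknown entry tag %d for alias %s" % (tag, alias))
    return entries


def alias_is_key_entry(data, alias):
    """The condition Tomcat requires of certificateKeyAlias. JKS aliases are
    case-insensitive and stored lower-cased."""
    return list_entries(data).get(alias.lower()) == "PrivateKeyEntry"


def verify_digest(data, password):
    """Store integrity trailer: SHA-1(password as UTF-16BE || salt || body)."""
    body, stored = data[:-20], data[-20:]
    expected = hashlib.sha1(password.encode("utf-16-be") + DIGEST_SALT + body).digest()
    return hmac.compare_digest(expected, stored)


def build_jks(entries, password):
    """Constructed fixture: version-2 JKS from (alias, tag, blob) tuples. The
    blobs are opaque dummies, so the result only exercises the reader above."""
    out = io.BytesIO()
    out.write(struct.pack(">IIi", JKS_MAGIC, 2, len(entries)))
    now = int(time.time() * 1000)
    for alias, tag, blob in entries:
        a = alias.lower().encode("utf-8")
        out.write(struct.pack(">i", tag) + struct.pack(">H", len(a)) + a + struct.pack(">q", now))
        typed_cert = struct.pack(">H", 5) + b"X.509" + struct.pack(">i", len(blob)) + blob
        if tag == TAG_PRIVATE_KEY:
            out.write(struct.pack(">i", len(blob)) + blob + struct.pack(">i", 1) + typed_cert)
        else:
            out.write(typed_cert)
    body = out.getvalue()
    return body + hashlib.sha1(password.encode("utf-16-be") + DIGEST_SALT + body).digest()


if __name__ == "__main__":
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            for alias, kind in sorted(list_entries(fh.read()).items()):
                print(f"{path}: {alias}: {kind}")
```

Run it as `python3 jkscheck.py /etc/ssl/crt/appel.nl.jks /etc/ssl/crt/rabbit.nl.jks`; a store in which every alias reports trustedCertEntry has no private key for Tomcat to serve, however complete the certificate chain is. A store that raises the PKCS12 error was created by a newer keytool and must be inspected with `keytool -list -v` (or declared with certificateKeystoreType="PKCS12", which Tomcat also accepts).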

Re: HELP wanted: Configure 2 domains, 2 SSL and 2 keyfiles on 1 VPS

Posted by Christopher Schultz <ch...@christopherschultz.net>.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Maurice,

On 5/26/20 09:19, Maurice Poos wrote:
> Hello and thank you in advance for looking into this.
>
> I'm a Dutch native so bare with me...

Welcome to the community!

> Problem: Trying to configure TOMCAT9 to handle 2 domains on the
> same server with https and 2 different keystore files.

This should definitely be possible.

> Server version: Apache Tomcat/9.0.31
>
> There is no APACHE webserver or other webserver available.

Thank you for making this clear. It helps a lot.

> Single connector configuration works perfectly for that single
> domain e.g.
>
> <Connector port="443" address="rabbit.nl" maxHttpHeaderSize="8192"
> maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
> enableLookups="false" disableUploadTimeout="true"
> acceptCount="100" scheme="https" secure="true" SSLEnabled="true"
> clientAuth="false" sslProtocol="TLS" keyAlias="rabbit.nl"
> keystoreFile="/etc/ssl/crt/rabbit.nl.jks" keystorePass="password2"
> />

Excellent. This means that your keystore is in order and the
certificate works, etc. You may want to use the PKCS12 keystore format
simply because JKS is not really a standard and is being deprecated by
Java. But it's not causing any problems right now, so let's not change it.

> But the multi-domain connector is flawed somewhere and due to the
> limited feedback from TOMCAT it's a real struggle to figure out
> what is wrong
>
> SERVER.XML CONFIG file exert:
>
> <Connector port="443"
> protocol="org.apache.coyote.http11.Http11NioProtocol"
> maxHttpHeaderSize="8192" maxThreads="150" SSLEnabled="true"
> acceptCount="100" scheme="https" minSpareThreads="25"
> maxSpareThreads="75" enableLookups="false" secure="true"
> clientAuth="false"

Are you possibly missing a '>' character here?

> <SSLHostConfig hostName="appel.nl" sslProtocol="TLS"> <Certificate
> certificateKeystoreFile="/etc/ssl/crt/appel.nl.jks"
> certificateKeystorePassword="password1"
> certificateKeyAlias="appel.nl" certificateKeyPassword="password1"
> /> </SSLHostConfig>

This looks okay to me. You do not have to specify
certificateKeyPassword if it's the same password as
certificateKeystorePassword. It does not hurt to repeat it, but it
does make the configuration a little less easy to read.

> <SSLHostConfig hostName="rabbit.nl" sslProtocol="TLS">
> <Certificate certificateKeystoreFile="/etc/ssl/crt/rabbit.nl.jks"
> certificateKeystorePassword="password2"
> certificateKeyAlias="rabbit.nl" certificateKeyPassword="password2"
> /> </SSLHostConfig> </Connector>

This looks okay to me, too.

> Can somebody help me?

Do you have any <Host> elements configured?

> 26-May-2020 11:22:34.602 SEVERE [main] org.apache.catalina.util.LifecycleBase.handleSubClassException Failed to initialize component [Connector[HTTP/1.1-443]]
> org.apache.catalina.LifecycleException: Protocol handler initialization failed
>     at org.apache.catalina.connector.Connector.initInternal(Connector.java:1013)
>     at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
>     at org.apache.catalina.core.StandardService.initInternal(StandardService.java:533)
>     at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
>     at org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:1057)
>     at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
>     at org.apache.catalina.startup.Catalina.load(Catalina.java:584)
>     at org.apache.catalina.startup.Catalina.load(Catalina.java:607)
>     at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>     at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
>     at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>     at java.base/java.lang.reflect.Method.invoke(Method.java:564)
>     at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:303)
>     at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:473)
> Caused by: java.lang.IllegalArgumentException
>     at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:99)
>     at org.apache.tomcat.util.net.AbstractJsseEndpoint.initialiseSsl(AbstractJsseEndpoint.java:71)
>     at org.apache.tomcat.util.net.NioEndpoint.bind(NioEndpoint.java:217)
>     at org.apache.tomcat.util.net.AbstractEndpoint.bindWithCleanup(AbstractEndpoint.java:1141)
>     at org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:1154)
>     at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:581)
>     at org.apache.coyote.http11.AbstractHttp11Protocol.init(AbstractHttp11Protocol.java:74)
>     at org.apache.catalina.connector.Connector.initInternal(Connector.java:1010)
>     ... 13 more
> Caused by: java.io.IOException
>     at org.apache.tomcat.util.net.SSLUtilBase.getKeyManagers(SSLUtilBase.java:302)
>     at org.apache.tomcat.util.net.SSLUtilBase.createSSLContext(SSLUtilBase.java:247)
>     at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:97)
>     ... 20 more

This stack trace indicates to me that there is no keystore configured,
and also there was no certificate PEM file specified on the certificate.

Maybe your XML is broken?

- -chris
-----BEGIN PGP SIGNATURE-----
Comment: Using GnuPG with Thunderbird - https://www.enigmail.net/

iQIzBAEBCAAdFiEEMmKgYcQvxMe7tcJcHPApP6U8pFgFAl7NNhQACgkQHPApP6U8
pFgOcw/9Emd2v318QYhCTzSaYCjBtOaGKE2YoKj0HAf/e8627o1k9SVcI5A5d4VK
jYaGICHuj3iI6WCWJkdtrotkc0rfA8OYIco1VE3NtC1UCVTlroTec476AxP9WTCO
0f5tXvee9tKeyYfSm0RwmCYRACO9yl7CLk5LeDuA6f/HfdRl05DxX3y5AgXzlIMC
eoDzE5yGZmMeN4XykMSNkB+atw/P+aQ5Ld/m66AaU0SfHVMFfwbb8ctiI+WHgZP2
O5DJPOU8Zqlb1H9nXitT6TYXEJwykGJcmjLEmkT7Ub90iQSAfpPOg/xRJ96L6JA+
t4Fh9Ckz0bvncvl7RKOJko9UXXyZsRrBiU/upejHRAwCbinNi4OksNvQRcV8YJ5a
wpdDYLUVblrruIoHcKrYQ9uMYGzvDhKHVt/IeAf5aJNN0Qd/00w1bspSPfKMmT76
FUrcxrT+DXWsxRNbQeFh/vxgSZzBOQog6UXoyHUrBaUksNZomqiHo+6vIqPxSmgs
6yJxT7RO+HBoCYr9h1topBQJSfDzHZKbrAv2rWxBgWFSbtrFKEN62CrkVJthGFW6
sSiLmfeOQI0d613VVzteVP9SmJtB5zol+biB8wUWcMZsnzzVs5x8EYBzH22myh+H
BvjWcqoD8KOiVMxM0xGWKvi017eRg97XGGEWWVXOU8I0fCEL7vY=
=KBrg
-----END PGP SIGNATURE-----
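Chris asks about the <Host> elements because, with several SSLHostConfig elements on one connector, the second question after "does it start" is which keystore each virtual host is actually served from. Tomcat 9 picks the SSLHostConfig by the SNI name the client sends: an exact hostName match first, then a one-label wildcard (hostName="*.appel.nl" covers www.appel.nl but not appel.nl), and otherwise the connector's defaultSSLHostConfigName, which is "_default_" unless set and which must exist or the connector refuses to initialise. The script below is an added example, not code from the thread or from Tomcat: it replays that selection over a server.xml fragment, reports a missing default before any keystore is opened, and lists which SSLHostConfig each Host name and Alias lands on. The two server.xml fragments are constructed for the example; hostnames and keystore paths follow the thread, password attributes are omitted.

```python
"""Replay Tomcat 9's SSLHostConfig selection (AbstractEndpoint.getSSLHostConfig)
for each virtual host in a server.xml. Added example, not from the thread."""
import xml.etree.ElementTree as ET

DEFAULT_NAME = "_default_"


def select_ssl_host_config(configured, default_name, sni_name):
    """hostName of the SSLHostConfig Tomcat uses for sni_name (None = client sent no SNI)."""
    names = {c.lower() for c in configured}
    if sni_name:
        sni = sni_name.lower()
        if sni in names:
            return sni
        dot = sni.find(".")
        if dot > -1 and "*" + sni[dot:] in names:    # www.appel.nl -> *.appel.nl
            return "*" + sni[dot:]
    return default_name.lower() if default_name.lower() in names else None


def check_connectors(server_xml):
    """For every SSLEnabled connector: flag a missing default SSLHostConfig
    (startup failure) and map each Host name and Alias to the SSLHostConfig
    that would serve it. Returns (problems, mapping)."""
    root = ET.fromstring(server_xml)
    hosts = []
    for host in root.iter("Host"):
        hosts.append(host.get("name"))
        hosts.extend(a.text.strip() for a in host.findall("Alias"))
    problems, mapping = [], {}
    for conn in root.iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue
        port = conn.get("port")
        default_name = conn.get("defaultSSLHostConfigName", DEFAULT_NAME)
        configured = [c.get("hostName", DEFAULT_NAME) for c in conn.findall("SSLHostConfig")]
        if select_ssl_host_config(configured, default_name, None) is None:
            problems.append(f"port {port}: no SSLHostConfig with hostName [{default_name}] "
                            f"(defaultSSLHostConfigName); the connector will not start")
            continue
        for name in hosts:
            chosen = select_ssl_host_config(configured, default_name, name)
            mapping[(port, name)] = chosen
            if chosen != name.lower() and not chosen.startswith("*"):
                # Served by the fallback config: its certificate must cover this name too.
                problems.append(f"port {port}: {name} is served by fallback SSLHostConfig [{chosen}]")
    return problems, mapping


# Constructed fragment mirroring the connector as posted (well-formed, passwords omitted).
AS_POSTED = """<Server><Service name="Catalina">
  <Connector port="443" protocol="org.apache.coyote.http11.Http11NioProtocol" SSLEnabled="true">
    <SSLHostConfig hostName="appel.nl">
      <Certificate certificateKeystoreFile="/etc/ssl/crt/appel.nl.jks" certificateKeyAlias="appel.nl"/>
    </SSLHostConfig>
    <SSLHostConfig hostName="rabbit.nl">
      <Certificate certificateKeystoreFile="/etc/ssl/crt/rabbit.nl.jks" certificateKeyAlias="rabbit.nl"/>
    </SSLHostConfig>
  </Connector>
  <Engine name="Catalina" defaultHost="www.rabbit.nl">
    <Host name="www.rabbit.nl" appBase="/var/www/www.rabbit.nl"><Alias>rabbit.nl</Alias></Host>
    <Host name="www.appel.nl" appBase="/var/www/www.appel.nl"><Alias>appel.nl</Alias></Host>
  </Engine>
</Service></Server>"""

# Constructed corrected fragment: an explicit default plus wildcard entries so
# that the www names reach the right keystore instead of the fallback.
CORRECTED = """<Server><Service name="Catalina">
  <Connector port="443" protocol="org.apache.coyote.http11.Http11NioProtocol" SSLEnabled="true"
             scheme="https" secure="true" defaultSSLHostConfigName="rabbit.nl">
    <SSLHostConfig hostName="rabbit.nl">
      <Certificate certificateKeystoreFile="/etc/ssl/crt/rabbit.nl.jks" certificateKeyAlias="rabbit.nl"/>
    </SSLHostConfig>
    <SSLHostConfig hostName="*.rabbit.nl">
      <Certificate certificateKeystoreFile="/etc/ssl/crt/rabbit.nl.jks" certificateKeyAlias="rabbit.nl"/>
    </SSLHostConfig>
    <SSLHostConfig hostName="appel.nl">
      <Certificate certificateKeystoreFile="/etc/ssl/crt/appel.nl.jks" certificateKeyAlias="appel.nl"/>
    </SSLHostConfig>
    <SSLHostConfig hostName="*.appel.nl">
      <Certificate certificateKeystoreFile="/etc/ssl/crt/appel.nl.jks" certificateKeyAlias="appel.nl"/>
    </SSLHostConfig>
  </Connector>
  <Engine name="Catalina" defaultHost="www.rabbit.nl">
    <Host name="www.rabbit.nl" appBase="/var/www/www.rabbit.nl"><Alias>rabbit.nl</Alias></Host>
    <Host name="www.appel.nl" appBase="/var/www/www.appel.nl"><Alias>appel.nl</Alias></Host>
  </Engine>
</Service></Server>"""

if __name__ == "__main__":
    for label, xml in (("as posted", AS_POSTED), ("corrected", CORRECTED)):
        problems, mapping = check_connectors(xml)
        print(label, problems or "ok", mapping)
```

With the first fragment the checker stops at the missing "_default_" entry, which Tomcat would also refuse at startup regardless of the keystores. With the second, rabbit.nl is the default (so clients without SNI get that certificate), and www.rabbit.nl and www.appel.nl match their wildcard entries. Whether a name that does fall back to the default is served a certificate valid for it depends on that certificate's Subject Alternative Names, which this script does not inspect.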

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org