Posted to users@tomcat.apache.org by George Sexton <ge...@mhsoftware.com.INVALID> on 2022/07/11 01:30:58 UTC

Getting SSL Working on Tomcat9

I'm trying to configure SSL for Tomcat 9 and I'm not having any luck.

My config is:

<Connector port="443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           SSLEnabled="true" maxThreads="50" scheme="https" secure="true" compression="on"
           connectionTimeout="4000" disableUploadTimeout="false" connectionUploadTimeout="900000"
           maxPostSize="10485760" keyAlias="tomcat" clientAuth="false"
           useServerCipherSuitesOrder="true">
    <SSLHostConfig
            ciphers="TLS_ECDH_RSA_WITH_AES_128_CBC_SHA + a lot of others"
            protocols="TLSv1.3,TLSv1.2"
            hostName="*.mydomain.com">
        <Certificate
            certificateKeystoreFile="conf/.keystore"
            certificateKeystorePassword="changeit"
            type="RSA" />
        <!--
        <Certificate
            certificateFile="${catalina.base}/conf/mydomain.pem"
            certificateKeyFile="${catalina.base}/conf/mydomain.key"
            certificateKeyPassword="changeit"
            certificateChainFile="${catalina.base}/conf/godaddy.chn"
            type="RSA" />
        -->
    </SSLHostConfig>
</Connector>

This was constructed using this page as a reference:

https://tomcat.apache.org/tomcat-9.0-doc/config/http.html

I've tried the two shown Certificate configs. They both give the error:

SEVERE: Failed to initialize component [Connector[HTTP/1.1-443]]
org.apache.catalina.LifecycleException: Protocol handler initialization failed
         at org.apache.catalina.connector.Connector.initInternal(Connector.java:1051)
         at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
         at org.apache.catalina.core.StandardService.initInternal(StandardService.java:556)
         at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
         .........
Caused by: java.lang.IllegalArgumentException: SSLHostConfig attribute certificateFile must be defined when using an SSL connector
         at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:107)
         at org.apache.tomcat.util.net.AbstractJsseEndpoint.initialiseSsl(AbstractJsseEndpoint.java:71)
         at org.apache.tomcat.util.net.NioEndpoint.bind(NioEndpoint.java:234)
         at org.apache.tomcat.util.net.AbstractEndpoint.bindWithCleanup(AbstractEndpoint.java:1227)
         at org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:1240)
         .....
Caused by: java.io.IOException: SSLHostConfig attribute certificateFile must be defined when using an SSL connector
         at org.apache.tomcat.util.net.SSLUtilBase.getKeyManagers(SSLUtilBase.java:312)
         at org.apache.tomcat.util.net.SSLUtilBase.createSSLContext(SSLUtilBase.java:247)
         at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:105)
         ... 25 more

Looking at the docs, it doesn't appear that certificateFile is an 
attribute of SSLHostConfig. I've looked at this page:

https://tomcat.apache.org/tomcat-9.0-doc/ssl-howto.html#Certificates

but it's configuring everything on the Connector, which the Connector 
page says is deprecated:

"The following NIO and NIO2 SSL configuration attributes have been 
deprecated in favor of the default SSLHostConfig 
<https://tomcat.apache.org/tomcat-9.0-doc/config/http.html#SSL_Support_-_SSLHostConfig> element 
with the hostName of _default_. If this SSLHostConfig 
<https://tomcat.apache.org/tomcat-9.0-doc/config/http.html#SSL_Support_-_SSLHostConfig> element 
is not explicitly defined, it will be created."

Additionally, I'd like to use SNI for multiple certs, so that will 
require an SSLHostConfig I think. Can anyone give me an idea of what I'm 
doing wrong?

Thanks.


-- 
George Sexton
(303) 438 9585 x102
MH Software, Inc.

Re: Getting SSL Working on Tomcat9

Posted by George Sexton <ge...@mhsoftware.com.INVALID>.
Mark,

I looked at the connector entries, and removed any of the ones that were 
listed on the page as deprecated. Once I did that, things started working.

Thanks again.

George

On 7/11/2022 8:07 AM, Mark Thomas wrote:
> On 11/07/2022 14:56, George Sexton wrote:
>> Mark,
>>
>> Thanks for looking.
>>
>> If I specify the value for defaultSSLHostConfigName, I still get 
>> /SSLHostConfig attribute certificateFile must be defined when using 
>> an SSL connector/.
>>
>> If I remove the hostName from the SSLHostConfig (or specify 
>> hostName="_default_"), I get:
>
> ACK.
>
> Because useServerCipherSuitesOrder is present on the Connector, you 
> effectively have a SSLHostConfig element for "_default_" with just 
> that setting.
>
> Try removing useServerCipherSuitesOrder from the Connector and adding 
> honorCipherOrder to the SSLHostConfig element.
>
> Mark
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org
>


Re: Getting SSL Working on Tomcat9

Posted by Mark Thomas <ma...@apache.org>.
On 11/07/2022 14:56, George Sexton wrote:
> Mark,
> 
> Thanks for looking.
> 
> If I specify the value for defaultSSLHostConfigName, I still get 
> /SSLHostConfig attribute certificateFile must be defined when using an 
> SSL connector/.
> 
> If I remove the hostName from the SSLHostConfig (or specify 
> hostName="_default_"), I get:

ACK.

Because useServerCipherSuitesOrder is present on the Connector, you 
effectively have a SSLHostConfig element for "_default_" with just that 
setting.

Try removing useServerCipherSuitesOrder from the Connector and adding 
honorCipherOrder to the SSLHostConfig element.

Mark



Re: Getting SSL Working on Tomcat9

Posted by George Sexton <ge...@mhsoftware.com.INVALID>.
Mark,

Thanks for looking.

If I specify the value for defaultSSLHostConfigName, I still get 
/SSLHostConfig attribute certificateFile must be defined when using an 
SSL connector/.

If I remove the hostName from the SSLHostConfig (or specify 
hostName="_default_"), I get:

WARNING: Match [Server/Service/Connector] failed to set property [compressableMimeType] to [text/css,application/javascript]
Jul 11, 2022 7:45:33 AM org.apache.tomcat.util.net.SSLHostConfig setProtocols
WARNING: The protocol [TLSv1.2] was added to the list of protocols on the SSLHostConfig named [_default_]. Check if a +/- prefix is missing.
Jul 11, 2022 7:45:33 AM org.apache.tomcat.util.digester.Digester endElement
SEVERE: End event threw exception
java.lang.reflect.InvocationTargetException
         at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)

Caused by: java.lang.IllegalArgumentException: Multiple SSLHostConfig elements were provided for the host name [_default_]. Host names must be unique.
         at org.apache.tomcat.util.net.AbstractEndpoint.addSslHostConfig(AbstractEndpoint.java:294)
         at org.apache.tomcat.util.net.AbstractEndpoint.addSslHostConfig(AbstractEndpoint.java:250)

Jul 11, 2022 7:45:33 AM org.apache.catalina.startup.Catalina parseServerXml
WARNING: Unable to load server configuration from [/srv/tomcat/conf/server.xml]
org.xml.sax.SAXParseException; systemId:file:/srv/tomcat/conf/server.xml; lineNumber: 166; columnNumber: 21; Error at line [166] column [21]: [Multiple SSLHostConfig elements were provided for the host name [_default_]. Host names must be unique.]
         at org.apache.tomcat.util.digester.Digester.createSAXException(Digester.java:1966)

Caused by: java.lang.IllegalArgumentException: Multiple SSLHostConfig elements were provided for the host name [_default_]. Host names must be unique.
         at org.apache.tomcat.util.net.AbstractEndpoint.addSslHostConfig(AbstractEndpoint.java:294)
         at org.apache.tomcat.util.net.AbstractEndpoint.addSslHostConfig(AbstractEndpoint.java:250)
         at org.apache.coyote.http11.AbstractHttp11Protocol.addSslHostConfig(AbstractHttp11Protocol.java:719)


On 7/11/2022 2:12 AM, Mark Thomas wrote:
> On 11/07/2022 02:30, George Sexton wrote:
>> I'm trying to configure SSL for Tomcat 9 and I'm not having any luck.
>
> <snip/>
>
>> Caused by: java.io.IOException: SSLHostConfig attribute 
>> certificateFile must be defined when using an SSL connector
>>          at 
>> org.apache.tomcat.util.net.SSLUtilBase.getKeyManagers(SSLUtilBase.java:312)
>
> <snip/>
>
>> Looking at the docs, it doesn't appear that certificateFile is an 
>> attribute of SSLHostConfig.
>
> That looks like a message string that needs to be updated to reference 
> the Certificate element instead. I'll look into that.
>
> <snip/>
>
>> "The following NIO and NIO2 SSL configuration attributes have been 
>> deprecated in favor of the default SSLHostConfig 
>> <https://tomcat.apache.org/tomcat-9.0-doc/config/http.html#SSL_Support_-_SSLHostConfig> element 
>> with the hostName of _default_. If this SSLHostConfig 
>> <https://tomcat.apache.org/tomcat-9.0-doc/config/http.html#SSL_Support_-_SSLHostConfig> element 
>> is not explicitly defined, it will be created."
>>
>> Additionally, I'd like to use SNI for multiple certs, so that will 
>> require an SSLHostConfig I think. Can anyone give me an idea of what 
>> I'm doing wrong?
>
> From further up in the docs:
>
> <quote>
> Each secure connector must define at least one SSLHostConfig. The 
> names of the SSLHostConfig elements must be unique and one of them 
> must match the defaultSSLHostConfigName attribute of the Connector.
> </quote>
>
> You haven't specified an explicit defaultSSLHostConfigName so the 
> default value of "_default_" is being used. The error message you are 
> seeing is complaining that the SSLHostConfig for "_default_" is 
> incomplete.
>
> Either adding the defaultSSLHostConfigName="*.mydomain.com" attribute 
> to the Connector element or removing the hostName attribute from the 
> SSLHostConfig element should fix it.
>
> Mark
>
>

Re: Getting SSL Working on Tomcat9

Posted by Mark Thomas <ma...@apache.org>.
On 11/07/2022 02:30, George Sexton wrote:
> I'm trying to configure SSL for Tomcat 9 and I'm not having any luck.

<snip/>

> Caused by: java.io.IOException: SSLHostConfig attribute certificateFile 
> must be defined when using an SSL connector
>          at 
> org.apache.tomcat.util.net.SSLUtilBase.getKeyManagers(SSLUtilBase.java:312)

<snip/>

> Looking at the docs, it doesn't appear that certificateFile is an 
> attribute of SSLHostConfig.

That looks like a message string that needs to be updated to reference 
the Certificate element instead. I'll look into that.

<snip/>

> "The following NIO and NIO2 SSL configuration attributes have been 
> deprecated in favor of the default SSLHostConfig 
> <https://tomcat.apache.org/tomcat-9.0-doc/config/http.html#SSL_Support_-_SSLHostConfig> element 
> with the hostName of _default_. If this SSLHostConfig 
> <https://tomcat.apache.org/tomcat-9.0-doc/config/http.html#SSL_Support_-_SSLHostConfig> element 
> is not explicitly defined, it will be created."
> 
> Additionally, I'd like to use SNI for multiple certs, so that will 
> require an SSLHostConfig I think. Can anyone give me an idea of what I'm 
> doing wrong?

From further up in the docs:

<quote>
Each secure connector must define at least one SSLHostConfig. The names 
of the SSLHostConfig elements must be unique and one of them must match 
the defaultSSLHostConfigName attribute of the Connector.
</quote>

You haven't specified an explicit defaultSSLHostConfigName so the 
default value of "_default_" is being used. The error message you are 
seeing is complaining that the SSLHostConfig for "_default_" is incomplete.

Either adding the defaultSSLHostConfigName="*.mydomain.com" attribute to 
the Connector element or removing the hostName attribute from the 
SSLHostConfig element should fix it.

Mark

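As an added example (not code from the thread or from Tomcat itself), a small Python check that applies the rules Mark states in both replies: an SSL connector needs an explicit SSLHostConfig whose hostName equals defaultSSLHostConfigName (default "_default_"), hostNames must be unique, and deprecated SSL attributes left on the Connector create an implicit "_default_" SSLHostConfig holding only that setting. The deprecated-attribute list is my partial assumption, and the two server.xml samples are constructed to mirror the original post and the fixed config.

```python
import xml.etree.ElementTree as ET

# Partial list (my assumption) of Connector SSL attributes Tomcat 9 deprecates in favour
# of SSLHostConfig; any of them on the Connector yields an implicit "_default_" element.
DEPRECATED_CONNECTOR_SSL_ATTRS = {
    "keyAlias", "keystoreFile", "keystorePass", "keystoreType", "clientAuth",
    "ciphers", "sslProtocol", "sslEnabledProtocols", "useServerCipherSuitesOrder",
}

def lint_connector(connector):
    """Apply the thread's rules to one <Connector>; return a list of problems."""
    if connector.get("SSLEnabled", "false").lower() != "true":
        return []  # plain HTTP connector: nothing to check
    problems = []
    default_name = connector.get("defaultSSLHostConfigName", "_default_")
    hosts = connector.findall("SSLHostConfig")
    names = [h.get("hostName", "_default_") for h in hosts]
    for h, name in zip(hosts, names):
        if h.find("Certificate") is None:
            problems.append(f"SSLHostConfig [{name}] has no Certificate element")
    deprecated = sorted(a for a in connector.keys() if a in DEPRECATED_CONNECTOR_SSL_ATTRS)
    if deprecated:
        problems.append("deprecated SSL attributes on Connector imply an implicit "
                        "'_default_' SSLHostConfig: " + ", ".join(deprecated))
        names.append("_default_")  # the implicit element Mark described
    for dup in sorted({n for n in names if names.count(n) > 1}):
        problems.append(f"multiple SSLHostConfig elements for host name [{dup}]")
    if default_name not in names[:len(hosts)]:
        problems.append(f"no explicit SSLHostConfig matches defaultSSLHostConfigName [{default_name}]")
    return problems

def lint_server_xml(text):
    """Lint every Connector in a server.xml document; results keyed by port."""
    return {c.get("port"): lint_connector(c) for c in ET.fromstring(text).iter("Connector")}

# Constructed sample in the shape of the original post: deprecated attributes on the
# Connector, SSLHostConfig named for the site, no defaultSSLHostConfigName.
BROKEN = """<Server><Service><Connector port="443" SSLEnabled="true"
    protocol="org.apache.coyote.http11.Http11NioProtocol"
    keyAlias="tomcat" useServerCipherSuitesOrder="true">
  <SSLHostConfig hostName="*.mydomain.com" protocols="TLSv1.3,TLSv1.2">
    <Certificate certificateKeystoreFile="conf/.keystore" certificateKeystorePassword="changeit" type="RSA"/>
  </SSLHostConfig></Connector></Service></Server>"""

# The same document after the thread's fixes: cipher ordering moved to honorCipherOrder
# on the SSLHostConfig, deprecated attributes dropped, default name made explicit.
FIXED = BROKEN.replace(' keyAlias="tomcat" useServerCipherSuitesOrder="true"',
                       ' defaultSSLHostConfigName="*.mydomain.com"'
            ).replace('protocols=', 'honorCipherOrder="true" protocols=')
```

Running `lint_server_xml(BROKEN)` reports the implicit "_default_" element and the missing match for the default name; the same check on a config with an explicit hostName="_default_" next to the deprecated attribute reports the duplicate host name seen in the second error.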