On Tue, May 26, 2020 at 5:30 PM Christopher Schultz <ch...@christopherschultz.net> wrote:

> Maurice,
>
> On 5/26/20 09:19, Maurice Poos wrote:
> > Hello and thank you in advance for looking into this.
> >
> > I'm a Dutch native so bear with me...
>
> Welcome to the community!
>
> > Problem: Trying to configure TOMCAT9 to handle 2 domains on the
> > same server with https and 2 different keystore files.
>
> This should definitely be possible.
>
> > Server version: Apache Tomcat/9.0.31
> >
> > There is no APACHE webserver or other webserver available.
>
> Thank you for making this clear. It helps a lot.
>
> > Single connector configuration works perfectly for that single
> > domain e.g.
> >
> > <Connector port="443" address="rabbit.nl" maxHttpHeaderSize="8192"
> >   maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
> >   enableLookups="false" disableUploadTimeout="true"
> >   acceptCount="100" scheme="https" secure="true" SSLEnabled="true"
> >   clientAuth="false" sslProtocol="TLS" keyAlias="rabbit.nl"
> >   keystoreFile="/etc/ssl/crt/rabbit.nl.jks" keystorePass="password2"
> > />
>
> Excellent. This means that your keystore is in order and the
> certificate works, etc. You may want to use the PKCS12 keystore format
> simply because JKS is not really a standard and is being deprecated by
> Java. But it's not causing any problems right now, so let's not change it.
>
> > But the multi-domain connector is flawed somewhere and due to the
> > limited feedback from TOMCAT it's a real struggle to figure out
> > what is wrong
> >
> > SERVER.XML CONFIG file excerpt:
> >
> > <Connector port="443"
> >   protocol="org.apache.coyote.http11.Http11NioProtocol"
> >   maxHttpHeaderSize="8192" maxThreads="150" SSLEnabled="true"
> >   acceptCount="100" scheme="https" minSpareThreads="25"
> >   maxSpareThreads="75" enableLookups="false" secure="true"
> >   clientAuth="false"
>
> Are you possibly missing a '>' character, here?
>
> >   <SSLHostConfig hostName="appel.nl" sslProtocol="TLS">
> >     <Certificate
> >       certificateKeystoreFile="/etc/ssl/crt/appel.nl.jks"
> >       certificateKeystorePassword="password1"
> >       certificateKeyAlias="appel.nl" certificateKeyPassword="password1"
> >     />
> >   </SSLHostConfig>
>
> This looks okay to me. You do not have to specify
> certificateKeyPassword if it's the same password as
> certificateKeystorePassword. It does not hurt to repeat it, but it
> does make the configuration a little less easy to read.
>
> >   <SSLHostConfig hostName="rabbit.nl" sslProtocol="TLS">
> >     <Certificate certificateKeystoreFile="/etc/ssl/crt/rabbit.nl.jks"
> >       certificateKeystorePassword="password2"
> >       certificateKeyAlias="rabbit.nl" certificateKeyPassword="password2"
> >     />
> >   </SSLHostConfig>
> > </Connector>
>
> This looks okay to me, too.
>
> > Can somebody help me?
>
> Do you have any <Host> elements configured?
>
> > 26-May-2020 11:22:34.602 SEVERE [main]
> > org.apache.catalina.util.LifecycleBase.handleSubClassException
> > Failed to initialize component [Connector[HTTP/1.1-443]]
> > org.apache.catalina.LifecycleException: Protocol handler initialization failed
> >   at org.apache.catalina.connector.Connector.initInternal(Connector.java:1013)
> >   at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
> >   at org.apache.catalina.core.StandardService.initInternal(StandardService.java:533)
> >   at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
> >   at org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:1057)
> >   at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
> >   at org.apache.catalina.startup.Catalina.load(Catalina.java:584)
> >   at org.apache.catalina.startup.Catalina.load(Catalina.java:607)
> >   at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> >   at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
> >   at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
> >   at java.base/java.lang.reflect.Method.invoke(Method.java:564)
> >   at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:303)
> >   at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:473)
> > Caused by: java.lang.IllegalArgumentException
> >   at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:99)
> >   at org.apache.tomcat.util.net.AbstractJsseEndpoint.initialiseSsl(AbstractJsseEndpoint.java:71)
> >   at org.apache.tomcat.util.net.NioEndpoint.bind(NioEndpoint.java:217)
> >   at org.apache.tomcat.util.net.AbstractEndpoint.bindWithCleanup(AbstractEndpoint.java:1141)
> >   at org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:1154)
> >   at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:581)
> >   at org.apache.coyote.http11.AbstractHttp11Protocol.init(AbstractHttp11Protocol.java:74)
> >   at org.apache.catalina.connector.Connector.initInternal(Connector.java:1010)
> >   ... 13 more
> > Caused by: java.io.IOException
> >   at org.apache.tomcat.util.net.SSLUtilBase.getKeyManagers(SSLUtilBase.java:302)
> >   at org.apache.tomcat.util.net.SSLUtilBase.createSSLContext(SSLUtilBase.java:247)
> >   at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:97)
> >   ... 20 more
>
> This stack trace indicates to me that there is no keystore configured,
> and also there was no certificate PEM file specified on the certificate.
>
> Maybe your XML is broken?
>
> -chris

Hi Chris,

Thank you for accepting me and looking into this.

Not sure about how to format these mails, but I'm gonna copy and paste your questions/remarks and answer them below (guidelines tomcat apache #6).

> <Connector port="443"
>   protocol="org.apache.coyote.http11.Http11NioProtocol"
>   maxHttpHeaderSize="8192" maxThreads="150" SSLEnabled="true"
>   acceptCount="100" scheme="https" minSpareThreads="25"
>   maxSpareThreads="75" enableLookups="false" secure="true"
>   clientAuth="false"

Q: Are you possibly missing a '>' character, here?

A: If it's to close the Connector tag, from the example in server.xml I'd understood that the SSLHostConfig tag has to be inside a Connector tag and therefore the closing </Connector> is after the closing </SSLHostConfig>.

Default server.xml example:

<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
    maxThreads="150" SSLEnabled="true">
  <SSLHostConfig>
    <Certificate certificateKeystoreFile="conf/localhost-rsa.jks" type="RSA" />
  </SSLHostConfig>
</Connector>

Q: Do you have any <Host> elements configured?

A: Yes I do:

<Host name="www.rabbit.nl" debug="0" appBase="/var/www/www.rabbit.nl"
    unpackWARs="false" autoDeploy="true">
  <Alias>rabbit.nl</Alias>
  <Context path="/myapp" docBase="/var/www/www.rabbit.nl/webapp/myapp.war"
      debug="0" privileged="true" reloadable="true" crossContext="true">
    <Resource name="bean/ConfigBeanFactory" auth="Container"
        type="nl.bowtie.reservation.util.ConfigBean"
        factory="org.apache.naming.factory.BeanFactory"
        configFilename="/var/www/www.rabbit.nl/config/reservation.properties"/>
  </Context>
  <Context path="/" docBase="/var/www/www.rabbit.nl/html" debug="0"
      privileged="true" reloadable="true" crossContext="true"/>
</Host>

<Host name="www.appel.nl" debug="0" appBase="/var/www/www.appel.nl"
    unpackWARs="false" autoDeploy="true">
  <Alias>appel.nl</Alias>
  <Context path="/" docBase="/var/www/www.appel.nl/html" debug="0"
      privileged="true" reloadable="true" crossContext="true"/>
</Host>

Q: This stack trace indicates to me that there is no keystore configured, and also there was no certificate PEM file specified on the certificate.

A: I did not realize, with all the other things available, that a PEM file was mandatory, since everything is imported in the jks file:

/usr/bin/keytool -import -trustcacerts -alias root -file USERTrust_RSA_Certification_Authority.crt -keystore rabbit.nl.jks
/usr/bin/keytool -import -trustcacerts -alias inter -file Sectigo_RSA_Domain_Validation_Secure_Server_CA.crt -keystore rabbit.nl.jks
/usr/bin/keytool -import -trustcacerts -alias rabbit.nl -file preview_uitgaan24_nl.crt -keystore rabbit.nl.jks

Q: Maybe your XML is broken?

A: I checked the XML file against several online XML validators; no errors were found.

Again thank you and greetings from Belgium.

Maurice
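A pre-flight check for the two keystores named in the SSLHostConfig elements above, as an added example that is not part of the thread. The failure in the trace is in getKeyManagers, and the keytool commands quoted only import certificates, so the first thing to confirm is that each store opens with its certificateKeystorePassword and that the certificateKeyAlias names a private-key entry; the script assumes the paths, aliases and passwords exactly as in the quoted server.xml, `keytool` on the PATH, and a constructed sample listing.

```shell
#!/bin/sh
# Added example, not from the thread. Tomcat builds the connector's key manager
# from the keystore entry named by certificateKeyAlias, so that entry must be a
# PrivateKeyEntry; a certificate only `keytool -import`ed into a store with no
# key pair under that alias becomes a trustedCertEntry and cannot serve TLS.

# keystore_entry_type LISTING ALIAS
# LISTING is `keytool -list` output; entry lines look like "alias, date, EntryType, ".
# Prints the entry type stored under ALIAS (JKS aliases are case-insensitive,
# so the match ignores case) or "missing" when the alias is not in the store.
keystore_entry_type() {
    entry=$(printf '%s\n' "$1" | awk -F', ' -v a="$2" 'tolower($1) == tolower(a) { print; exit }')
    case "$entry" in
        '')                 echo missing ;;
        *PrivateKeyEntry*)  echo PrivateKeyEntry ;;
        *trustedCertEntry*) echo trustedCertEntry ;;
        *)                  echo unknown ;;
    esac
}

# check_certificate KEYSTORE ALIAS STOREPASS
# Returns 0 only when the store opens with STOREPASS and ALIAS is a key entry,
# the same two conditions Tomcat needs before it can initialise the connector.
check_certificate() {
    if ! listing=$(keytool -list -keystore "$1" -storepass "$3" 2>&1); then
        echo "FAIL $1: cannot open keystore (path or certificateKeystorePassword wrong?)"
        return 1
    fi
    case $(keystore_entry_type "$listing" "$2") in
        PrivateKeyEntry)  echo "OK   $1: alias '$2' holds a private key"; return 0 ;;
        trustedCertEntry) echo "FAIL $1: alias '$2' is a trusted certificate only; generate the key pair under this alias before importing the CA reply"; return 1 ;;
        missing)          echo "FAIL $1: alias '$2' not found"; return 1 ;;
        *)                echo "FAIL $1: unexpected entry type for alias '$2'"; return 1 ;;
    esac
}

# Constructed `keytool -list` output (not captured from the thread's server):
# a store that received only trusted-certificate imports and holds no key pair.
SAMPLE_LISTING='Keystore type: JKS

root, May 26, 2020, trustedCertEntry,
inter, May 26, 2020, trustedCertEntry,
rabbit.nl, May 26, 2020, trustedCertEntry,'
echo "sample store, alias rabbit.nl: $(keystore_entry_type "$SAMPLE_LISTING" rabbit.nl)"

# The two stores from the thread's server.xml, when keytool is available.
if command -v keytool >/dev/null 2>&1; then
    check_certificate /etc/ssl/crt/appel.nl.jks  appel.nl  password1
    check_certificate /etc/ssl/crt/rabbit.nl.jks rabbit.nl password2
fi
```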