On 26/05/2020 14:19, Maurice Poos wrote:
> Hello and thank you in advance for looking into this.
> 
> I'm a Dutch native so bare with me...
> 
> Problem:
> Trying to configure TOMCAT9 to handle 2 domains on the same server with
> https and 2 different keystore files.
> There is no APACHE webserver or other webserver available.
> 
> Single connector configuration works perfectly for that single domain e.g.
> 
>      <Connector
>         port="443"
>         address="rabbit.nl"
>         maxHttpHeaderSize="8192"
>         maxThreads="150"
>         minSpareThreads="25"
>         maxSpareThreads="75"
>         enableLookups="false"
>         disableUploadTimeout="true"
>         acceptCount="100"
>         scheme="https"
>         secure="true"
>         SSLEnabled="true"
>         clientAuth="false"
>         sslProtocol="TLS"
>         keyAlias="rabbit.nl"
>         keystoreFile="/etc/ssl/crt/rabbit.nl.jks"
>         keystorePass="password2" />

I suggest, as a first step, you convert the above working configuration
to the new <SSLHostConfig ... /> style and get that working for each
cert one at a time. When you have the individual configurations working,
then you can combine them.

The configuration above should convert to:

<Connector
        protocol="org.apache.coyote.http11.Http11NioProtocol"
        port="443"
        maxThreads="150"
        minSpareThreads="25"
        scheme="https"
        secure="true"
        SSLEnabled="true">
    <SSLHostConfig>
        <Certificate
                certificateKeyAlias="rabbit.nl"
                certificateKeystoreFile="/etc/ssl/crt/rabbit.nl.jks"
                certificateKeystorePassword="password2"
        />
    </SSLHostConfig>
</Connector>

Notes:
 - The protocol attribute is missing so I have added that
 - I'd expect address to be an IP address so I have omitted that
   attribute
 - maxHttpHeaderSize="8192" is the default so I have omitted that
   attribute
 - maxSpareThreads="75" is not a recognised attribute so I have removed
   it
 - acceptCount="100" is the default so I have omitted that attribute
 - disableUploadTimeout="true" is the default so I have omitted that
   attribute
 - enableLookups="false" is the default so I have omitted that attribute
 - clientAuth="false" is the default so I have omitted that attribute
 - sslProtocol="TLS" is the default so I have omitted that attribute

I'd then add the hostName attribute to the SSLHostConfig element and,
once that is working, combine the two.

> But the multi-domain connector is flawed somewhere and due to the limited
> feedback from TOMCAT it's a real struggle to figure out what is wrong

I don't see a defaultSSLHostConfigName configured for the Connector.
That might trigger the error you are seeing (because the _default_ host
name won't have an associated certificate).

If that is the issue, we can look at trying to improve that error message.

> SERVER.XML CONFIG file exert:
> 
> <Connector
>     port="443"
>     protocol="org.apache.coyote.http11.Http11NioProtocol"
>     maxHttpHeaderSize="8192"
>     maxThreads="150"
>     SSLEnabled="true"
>     acceptCount="100"
>     scheme="https"
>     minSpareThreads="25"
>     maxSpareThreads="75"
>     enableLookups="false"
>     secure="true"
>     clientAuth="false">
>     <SSLHostConfig hostName="appel.nl" sslProtocol="TLS">
>             <Certificate
>                     certificateKeystoreFile="/etc/ssl/crt/appel.nl.jks"
>                     certificateKeystorePassword="password1"
>                     certificateKeyAlias="appel.nl"
>                     certificateKeyPassword="password1" />
>     </SSLHostConfig>
>     <SSLHostConfig hostName="rabbit.nl" sslProtocol="TLS">
>             <Certificate
>                     certificateKeystoreFile="/etc/ssl/crt/rabbit.nl.jks"
>                     certificateKeystorePassword="password2"
>                     certificateKeyAlias="rabbit.nl"
>                     certificateKeyPassword="password2" />
>     </SSLHostConfig>
> </Connector>
> 
> 
> Can somebody help me?
> 
> 
> Thank you,
> 
> Maurice Poos
> 
> _____________________________________________________________________
> TOMCAT VERSION
> Server version: Apache Tomcat/9.0.31
> Server built:   Feb 5 2020 19:32:12 UTC
> Server number:  9.0.31.0
> 
> LINUX
> "Ubuntu 18.04.4 LTS"
> 
> Architecture:
> amd64
> 
> JVM Version:    14.0.1+7
> JVM Vendor:     Oracle Corporation
> __________________________________________________________________________
> KEY CSR creation
> 
> KEY
> /usr/bin/keytool -genkey -keysize 2048 -alias rabbit.nl -keyalg RSA
> -keystore rabbit.nl.jks
> 
> CSR
> /usr/bin/keytool -certreq -keyalg RSA -alias rabbit.nl -file rabbit.nl.csr
> -keystore rabbit.nl.jks
> ___________________________________________________________________________
> 
> ERROR LOG CATALINA.OUT
> 
> 26-May-2020 11:22:34.602 SEVERE [main]
> org.apache.catalina.util.LifecycleBase.handleSubClassException Failed to
> initialize component [Connector[HTTP/1.1-443]]
>     org.apache.catalina.LifecycleException: Protocol handler initialization
> failed
>         at
> org.apache.catalina.connector.Connector.initInternal(Connector.java:1013)
>         at
> org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
>         at
> org.apache.catalina.core.StandardService.initInternal(StandardService.java:533)
>         at
> org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
>         at
> org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:1057)
>         at
> org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
>         at org.apache.catalina.startup.Catalina.load(Catalina.java:584)
>         at org.apache.catalina.startup.Catalina.load(Catalina.java:607)
>         at
> java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native
> Method)
>         at
> java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
>         at
> java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>         at java.base/java.lang.reflect.Method.invoke(Method.java:564)
>         at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:303)
>         at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:473)
>     Caused by: java.lang.IllegalArgumentException
>         at
> org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:99)
>         at
> org.apache.tomcat.util.net.AbstractJsseEndpoint.initialiseSsl(AbstractJsseEndpoint.java:71)
>         at org.apache.tomcat.util.net.NioEndpoint.bind(NioEndpoint.java:217)
>         at
> org.apache.tomcat.util.net.AbstractEndpoint.bindWithCleanup(AbstractEndpoint.java:1141)
>         at
> org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:1154)
>         at
> org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:581)
>         at
> org.apache.coyote.http11.AbstractHttp11Protocol.init(AbstractHttp11Protocol.java:74)
>         at
> org.apache.catalina.connector.Connector.initInternal(Connector.java:1010)
>         ... 13 more
>     Caused by: java.io.IOException
>         at
> org.apache.tomcat.util.net.SSLUtilBase.getKeyManagers(SSLUtilBase.java:302)
>         at
> org.apache.tomcat.util.net.SSLUtilBase.createSSLContext(SSLUtilBase.java:247)
>         at
> org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:97)
>         ... 20 more
> 

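The diagnosis in the reply (no SSLHostConfig matches the Connector's default host name, so Tomcat cannot build an SSLContext for it) can be checked statically before restarting Tomcat. The script below is an added example, not code from the thread or from the Tomcat project. It embeds a constructed two-host Connector built the way the reply suggests (SSLHostConfig per host plus defaultSSLHostConfigName), and a second constructed copy with that attribute removed, mirroring the shape of the failing configuration. The check relies on two Tomcat facts: when defaultSSLHostConfigName is absent it defaults to "_default_", and when an SSLHostConfig has no hostName it is likewise named "_default_"; the default host is the one used for clients that send no SNI name or an unknown one, so it must have a certificate.

```python
"""Static consistency check for a Tomcat 9 <Connector> with <SSLHostConfig> children.

Added example (not Tomcat's own tooling). It parses a Connector fragment with
xml.etree and reports the mismatch the mailing-list reply describes.
"""
import xml.etree.ElementTree as ET

# Tomcat's built-in name for the default SSL host when the attribute is absent.
TOMCAT_DEFAULT_HOST = "_default_"

# Constructed sample: the two hosts from the question, combined as the reply
# advises, with defaultSSLHostConfigName naming one of the configured hosts.
COMBINED_CONNECTOR = """
<Connector
        protocol="org.apache.coyote.http11.Http11NioProtocol"
        port="443"
        maxThreads="150"
        minSpareThreads="25"
        scheme="https"
        secure="true"
        SSLEnabled="true"
        defaultSSLHostConfigName="rabbit.nl">
    <SSLHostConfig hostName="rabbit.nl">
        <Certificate
                certificateKeyAlias="rabbit.nl"
                certificateKeystoreFile="/etc/ssl/crt/rabbit.nl.jks"
                certificateKeystorePassword="password2" />
    </SSLHostConfig>
    <SSLHostConfig hostName="appel.nl">
        <Certificate
                certificateKeyAlias="appel.nl"
                certificateKeystoreFile="/etc/ssl/crt/appel.nl.jks"
                certificateKeystorePassword="password1" />
    </SSLHostConfig>
</Connector>
"""

# Constructed sample: identical, but without defaultSSLHostConfigName, which is
# the situation the reply points at in the original server.xml excerpt.
MISSING_DEFAULT_CONNECTOR = COMBINED_CONNECTOR.replace(
    '\n        defaultSSLHostConfigName="rabbit.nl">', ">", 1)


def check_connector(xml_text):
    """Return a list of problem strings; an empty list means the fragment is consistent."""
    problems = []
    connector = ET.fromstring(xml_text.strip())
    if connector.tag != "Connector":
        return ["root element is <%s>, expected <Connector>" % connector.tag]
    if connector.get("SSLEnabled", "false").lower() != "true":
        problems.append("SSLEnabled is not \"true\" on the Connector")

    # Collect every SSLHostConfig by its (case-insensitive) host name.
    hosts = {}
    for shc in connector.findall("SSLHostConfig"):
        name = shc.get("hostName", TOMCAT_DEFAULT_HOST).lower()
        if name in hosts:
            problems.append("duplicate SSLHostConfig hostName %r" % name)
        hosts[name] = shc
        certs = shc.findall("Certificate")
        if not certs:
            problems.append("SSLHostConfig %r has no <Certificate> child" % name)
        for cert in certs:
            # A Certificate must point at either a keystore or a PEM certificate file.
            if not cert.get("certificateKeystoreFile") and not cert.get("certificateFile"):
                problems.append(
                    "Certificate under SSLHostConfig %r names neither "
                    "certificateKeystoreFile nor certificateFile" % name)

    # The default host must exist: it serves clients with no or unknown SNI name.
    default = connector.get("defaultSSLHostConfigName", TOMCAT_DEFAULT_HOST).lower()
    if default not in hosts:
        problems.append(
            "defaultSSLHostConfigName resolves to %r but no SSLHostConfig has that "
            "hostName; Tomcat cannot create an SSLContext for the default host "
            "(configured hosts: %s)" % (default, ", ".join(sorted(hosts)) or "none"))
    return problems


if __name__ == "__main__":
    for label, fragment in (("combined", COMBINED_CONNECTOR),
                            ("missing default", MISSING_DEFAULT_CONNECTOR)):
        found = check_connector(fragment)
        print("%s: %s" % (label, "OK" if not found else "; ".join(found)))
```

Running the script reports the combined Connector as consistent and flags the second one because its implicit default host "_default_" has no SSLHostConfig. To run it against a real server.xml, parse the file, locate the Connector element and pass `ET.tostring(connector)` to `check_connector`; the check is purely structural and does not open the keystores, so a wrong keystore password or missing alias still has to be verified with keytool.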
