Hi Maurice,

Like Christopher I don't see any obvious issues.

FYI, I run many virtual hosts all with certificates. Works great. I use
certificateKeystoreType="PKCS12" and the related supporting software.

I would suggest adding type="RSA" to your certificate elements (as shown
in Christopher's example & matching your set up). It defaults to
UNDEFINED. Further, the Tomcat documentation talks about one certificate
working, and two not working if TYPE is not defined. Now that is within
an SSLHostConfig element, which is not your case. It sounds very similar
to what you are experiencing.

Good Luck

On Tuesday, May 26, 2020, 4:53:19 p.m. EDT, Christopher Schultz
<ch...@christopherschultz.net> wrote:
Maurice,

On 5/26/20 15:02, Maurice Poos wrote:
> On Tue, May 26, 2020 at 5:30 PM Christopher Schultz
> <ch...@christopherschultz.net> wrote:
>
>> Maurice,
>>
>> On 5/26/20 09:19, Maurice Poos wrote:
>>> Hello and thank you in advance for looking into this.
>>> I'm a Dutch native so bear with me...
>>
>> Welcome to the community!
>>
>>> Problem: Trying to configure TOMCAT9 to handle 2 domains on the
>>> same server with https and 2 different keystore files.
>>
>> This should definitely be possible.
>>
>>> Server version: Apache Tomcat/9.0.31
>>>
>>> There is no APACHE webserver or other webserver available.
>>
>> Thank you for making this clear. It helps a lot.
>>
>>> Single connector configuration works perfectly for that single
>>> domain e.g.
>>>
>>> <Connector port="443" address="rabbit.nl" maxHttpHeaderSize="8192"
>>> maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
>>> enableLookups="false" disableUploadTimeout="true"
>>> acceptCount="100" scheme="https" secure="true" SSLEnabled="true"
>>> clientAuth="false" sslProtocol="TLS" keyAlias="rabbit.nl"
>>> keystoreFile="/etc/ssl/crt/rabbit.nl.jks"
>>> keystorePass="password2" />
>>
>> Excellent. This means that your keystore is in order and the
>> certificate works, etc. You may want to use the PKCS12 keystore
>> format simply because JKS is not really a standard and is being
>> deprecated by Java. But it's not causing any problems right now, so
>> let's not change it.
>>
>>> But the multi-domain connector is flawed somewhere and due to
>>> the limited feedback from TOMCAT it's a real struggle to figure
>>> out what is wrong
>>>
>>> SERVER.XML CONFIG file excerpt:
>>>
>>> <Connector port="443"
>>> protocol="org.apache.coyote.http11.Http11NioProtocol"
>>> maxHttpHeaderSize="8192" maxThreads="150" SSLEnabled="true"
>>> acceptCount="100" scheme="https" minSpareThreads="25"
>>> maxSpareThreads="75" enableLookups="false" secure="true"
>>> clientAuth="false"
>>
>> Are you possibly missing a '>' character, here?
>>
>>> <SSLHostConfig hostName="appel.nl" sslProtocol="TLS">
>>> <Certificate
>>> certificateKeystoreFile="/etc/ssl/crt/appel.nl.jks"
>>> certificateKeystorePassword="password1"
>>> certificateKeyAlias="appel.nl"
>>> certificateKeyPassword="password1"
>>> />
>>> </SSLHostConfig>
>>
>> This looks okay to me. You do not have to specify
>> certificateKeyPassword if it's the same password as
>> certificateKeystorePassword. It does not hurt to repeat it, but it
>> does make the configuration a little less easy to read.
>>
>>> <SSLHostConfig hostName="rabbit.nl" sslProtocol="TLS">
>>> <Certificate
>>> certificateKeystoreFile="/etc/ssl/crt/rabbit.nl.jks"
>>> certificateKeystorePassword="password2"
>>> certificateKeyAlias="rabbit.nl"
>>> certificateKeyPassword="password2"
>>> />
>>> </SSLHostConfig>
>>> </Connector>
>>
>> This looks okay to me, too.
>>
>>> Can somebody help me?
>>
>> Do you have any <Host> elements configured?
>>
>>> 26-May-2020 11:22:34.602 SEVERE [main]
>>> org.apache.catalina.util.LifecycleBase.handleSubClassException
>>> Failed to initialize component [Connector[HTTP/1.1-443]]
>>> org.apache.catalina.LifecycleException: Protocol handler
>>> initialization failed
>>> at org.apache.catalina.connector.Connector.initInternal(Connector.java:1013)
>>> at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
>>> at org.apache.catalina.core.StandardService.initInternal(StandardService.java:533)
>>> at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
>>> at org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:1057)
>>> at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
>>> at org.apache.catalina.startup.Catalina.load(Catalina.java:584)
>>> at org.apache.catalina.startup.Catalina.load(Catalina.java:607)
>>> at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>>> at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
>>> at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>>> at java.base/java.lang.reflect.Method.invoke(Method.java:564)
>>> at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:303)
>>> at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:473)
>>> Caused by: java.lang.IllegalArgumentException
>>> at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:99)
>>> at org.apache.tomcat.util.net.AbstractJsseEndpoint.initialiseSsl(AbstractJsseEndpoint.java:71)
>>> at org.apache.tomcat.util.net.NioEndpoint.bind(NioEndpoint.java:217)
>>> at org.apache.tomcat.util.net.AbstractEndpoint.bindWithCleanup(AbstractEndpoint.java:1141)
>>> at org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:1154)
>>> at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:581)
>>> at org.apache.coyote.http11.AbstractHttp11Protocol.init(AbstractHttp11Protocol.java:74)
>>> at org.apache.catalina.connector.Connector.initInternal(Connector.java:1010)
>>> ... 13 more
>>> Caused by: java.io.IOException
>>> at org.apache.tomcat.util.net.SSLUtilBase.getKeyManagers(SSLUtilBase.java:302)
>>> at org.apache.tomcat.util.net.SSLUtilBase.createSSLContext(SSLUtilBase.java:247)
>>> at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:97)
>>> ... 20 more
>>
>> This stack trace indicates to me that there is no keystore
>> configured, and also there was no certificate PEM file specified on
>> the certificate.
>>
>> Maybe your XML is broken?
>>
>> -chris
>
> Hi Chris
>
> Thank you for accepting me and looking into this.
>
> Not sure about how to format these mails but I'm gonna copy and
> paste your questions/remarks and answer them below (guidelines
> tomcat apache #6)
>
>>> <Connector port="443"
>>> protocol="org.apache.coyote.http11.Http11NioProtocol"
>>> maxHttpHeaderSize="8192" maxThreads="150" SSLEnabled="true"
>>> acceptCount="100" scheme="https" minSpareThreads="25"
>>> maxSpareThreads="75" enableLookups="false" secure="true"
>>> clientAuth="false"
>
> Q: Are you possibly missing a '>' character, here?
> A: If it's to close the Connector tag, from the example in server.xml
> I'd understood that the SSLHostConfig tag has to be inside a Connector
> tag and therefore the closing /Connector> is after the closing
> /SSLHostConfig

Yes.
Your initial post does not have the closing > for the <Connector>; it
was like this:

<Connector [attributes]
<SSLHostConfig>
<Certificate />
<Certificate />
</SSLHostConfig>
</Connector>

> Default server.xml example:
>
> <Connector port="8443"
> protocol="org.apache.coyote.http11.Http11NioProtocol"
> maxThreads="150" SSLEnabled="true">
> <SSLHostConfig>
> <Certificate certificateKeystoreFile="conf/localhost-rsa.jks"
> type="RSA" />
> </SSLHostConfig>
> </Connector>
>
> Q: Do you have any <Host> elements configured?
>
> A: Yes I do:
>
> <Host name="www.rabbit.nl" debug="0"
> appBase="/var/www/www.rabbit.nl"
> unpackWARs="false" autoDeploy="true">
> <Alias>rabbit.nl</Alias>
> <Context path="/myapp"
> docBase="/var/www/www.rabbit.nl/webapp/myapp.war" debug="0"
> privileged="true" reloadable="true" crossContext="true">
> <Resource name="bean/ConfigBeanFactory" auth="Container"
> type="nl.bowtie.reservation.util.ConfigBean"
> factory="org.apache.naming.factory.BeanFactory"
> configFilename="/var/www/www.rabbit.nl/config/reservation.properties"/>
> </Context>
> <Context path="/" docBase="/var/www/www.rabbit.nl/html" debug="0"
> privileged="true" reloadable="true" crossContext="true"/>
> </Host>
> <Host name="www.appel.nl" debug="0"
> appBase="/var/www/www.appel.nl"
> unpackWARs="false" autoDeploy="true">
> <Alias>appel.nl</Alias>
> <Context path="/" docBase="/var/www/www.appel.nl/html"
> debug="0" privileged="true" reloadable="true"
> crossContext="true"/>
> </Host>

This is good to know. I don't think you *must* have a 1-to-1
relationship between <Host> and <Certificate>, but I wanted to make
sure that things were in agreement.
> Q: This stack trace indicates to me that there is no keystore
> configured, and also there was no certificate PEM file specified on
> the certificate.
> A: I did not realize with all the other things available a PEM file
> was mandatory since everything is imported in the jks file
>
> /usr/bin/keytool -import -trustcacerts -alias root -file
> USERTrust_RSA_Certification_Authority.crt -keystore rabbit.nl.jks
> /usr/bin/keytool -import -trustcacerts -alias inter -file
> Sectigo_RSA_Domain_Validation_Secure_Server_CA.crt -keystore rabbit.nl.jks
> /usr/bin/keytool -import -trustcacerts -alias rabbit.nl
> -file preview_uitgaan24_nl.crt -keystore rabbit.nl.jks

The PEM file is not required. For JSSE (which is the default: you are
not using the APR connector), you can use the JKS keystore and you
don't need anything else.

> Q: Maybe your XML is broken?
> A: I checked the XML file against several online XML validators, no
> errors were found.

Okay, good.

What is your JVM language? I'm guessing it's Dutch (or maybe Flemish?
French?). Tomcat doesn't have a translation for error messages and
such, so your messages are not terribly helpful (e.g. IOException with
no detail). If you run your JVM with -Duser.language=en (or =de or =fr)
you will get English (or German or French) detail messages which may be
helpful to you.

I'm sorry; everything looks good to me so far. Do you now have a single
<Connector> in your server.xml?
-chris
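As an added example, not code from the thread or from Tomcat: a stdlib-only Python linter for the structural points discussed above, namely a <Connector> opening tag missing its '>', a Certificate with no type (which defaults to UNDEFINED; the Tomcat docs' rule that several Certificates in one SSLHostConfig each need a unique type is checked too), and an SSLHostConfig hostName with no matching <Host> name or <Alias>. The sample server.xml is constructed from the thread's configuration with the '>' restored; lint_server_xml, its severity labels and the check_files switch are my own names.

```python
import os
import xml.etree.ElementTree as ET

# Constructed sample: the thread's connector (missing '>' restored, no Certificate type) and its two <Host>s.
SAMPLE_SERVER_XML = """<Server><Service name="Catalina">
<Connector port="443" protocol="org.apache.coyote.http11.Http11NioProtocol" SSLEnabled="true">
  <SSLHostConfig hostName="appel.nl">
    <Certificate certificateKeystoreFile="/etc/ssl/crt/appel.nl.jks" certificateKeyAlias="appel.nl"/>
  </SSLHostConfig>
  <SSLHostConfig hostName="rabbit.nl">
    <Certificate certificateKeystoreFile="/etc/ssl/crt/rabbit.nl.jks" certificateKeyAlias="rabbit.nl"/>
  </SSLHostConfig>
</Connector>
<Engine name="Catalina" defaultHost="www.rabbit.nl">
  <Host name="www.rabbit.nl"><Alias>rabbit.nl</Alias></Host>
  <Host name="www.appel.nl"><Alias>appel.nl</Alias></Host>
</Engine></Service></Server>"""

def lint_server_xml(xml_text, check_files=True):
    """Return (severity, message) findings for the SSL connectors in a server.xml."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as e:  # e.g. a <Connector ...> opening tag with no closing '>'
        return [("error", f"server.xml is not well-formed XML: {e}")]
    names = set()  # every <Host name> and <Alias>, lower-cased
    for host in root.iter("Host"):
        names.add(host.get("name", "").lower())
        names.update((a.text or "").strip().lower() for a in host.findall("Alias"))
    out = []
    for conn in root.iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue
        for shc in conn.findall("SSLHostConfig"):
            hn = shc.get("hostName", "_default_")
            if hn != "_default_" and hn.lower() not in names:
                out.append(("warn", f"{hn}: no <Host> name or <Alias> matches this hostName"))
            certs = shc.findall("Certificate")
            types = [c.get("type", "UNDEFINED").upper() for c in certs]
            # Tomcat docs: with several Certificates in one SSLHostConfig, type is required and unique.
            if len(certs) > 1 and ("UNDEFINED" in types or len(set(types)) != len(types)):
                out.append(("error", f"{hn}: each of several Certificates needs a unique type"))
            elif certs and types[0] == "UNDEFINED":
                out.append(("info", f'{hn}: Certificate type defaults to UNDEFINED; set type="RSA"'))
            for c in certs:
                ks, pem = c.get("certificateKeystoreFile"), c.get("certificateFile")
                if not ks and not pem:
                    out.append(("error", f"{hn}: neither certificateKeystoreFile nor certificateFile set"))
                elif ks and check_files and not os.path.isfile(ks):
                    out.append(("error", f"{hn}: keystore {ks} not found"))
    return out
```

Run it with check_files=True against a real server.xml to also catch a keystore path that Tomcat cannot open, which is one way to end up with an IOException from SSLUtilBase.getKeyManagers.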