Hello Mark, It's an honour!

I reply to this in a non-standard way because a few things have happened while it was night over here. Long story short: it works now.

1) The first thing was that the server got upgraded to v9.0.35. Next I began to work with your suggestions.

> <Connector
>     protocol="org.apache.coyote.http11.Http11NioProtocol"
>     port="443"
>     maxThreads="150"
>     minSpareThreads="25"
>     scheme="https"
>     secure="true"
>     SSLEnabled="true"
>     <SSLHostConfig>
>         <Certificate
>             certificateKeyAlias="rabbit.nl"
>             certificateKeystoreFile="/etc/ssl/crt/rabbit.nl.jks"
>             certificateKeystorePassword="password2"
>         />
>     </SSLHostConfig>
> </Connector>

2) Because v35 changed the connector requirements a bit, the closing ">" after SSLEnabled="true" is mandatory. This immediately made the above config work.

> Notes:
> - The protocol attribute is missing so I have added that
> - I'd expect address to be an IP address so I have omitted that attribute
> - maxHttpHeaderSize="8192" is the default so I have omitted that attribute
> - maxSpareThreads="75" is not a recognised attribute so I have removed it
> - acceptCount="100" is the default so I have omitted that attribute
> - disableUploadTimeout="true" is the default so I have omitted that attribute
> - enableLookups="false" is the default so I have omitted that attribute
> - clientAuth="false" is the default so I have omitted that attribute
> - sslProtocol="TLS" is the default so I have omitted that attribute
>
> I'd then add the hostName attribute to the SSLHostConfig element and,
> once that is working, combine the two.

3) After adding the hostName attribute I did get the error that you expected below, so I added it in the connector.

> I don't see a defaultSSLHostConfigName configured for the Connector.
> That might trigger the error you are seeing (because the _default_ host
> name won't have an associated certificate.
>
> If that is the issue, we can look at trying to improve that error message.

4) After adding this I've got the working config:

<Connector
    protocol="org.apache.coyote.http11.Http11NioProtocol"
    port="443"
    maxThreads="150"
    minSpareThreads="25"
    scheme="https"
    secure="true"
    SSLEnabled="true"
    defaultSSLHostConfigName="www.rabbit.nl">
    <SSLHostConfig hostName="www.rabbit.nl">
        <Certificate
            certificateKeyAlias="rabbit.nl"
            certificateKeystoreFile="/etc/ssl/crt/rabbit.nl.jks"
            certificateKeystorePassword="xxxx1"
        />
    </SSLHostConfig>
    <SSLHostConfig hostName="www.appel.nl">
        <Certificate
            certificateKeyAlias="appel.nl"
            certificateKeystoreFile="/etc/ssl/crt/appel.nl.jks"
            certificateKeystorePassword="xxxx2"
        />
    </SSLHostConfig>
</Connector>

<Host name="www.rabbit.nl" appBase="/var/www/www.rabbit.nl" unpackWARs="false" autoDeploy="true">
    <Alias>rabbit.nl</Alias>
    <Context path="/planner" docBase="/var/www/www.rabbit.nl/webapp/planner.war" privileged="true" reloadable="true" crossContext="true">
        <Resource name="bean/ConfigBeanFactory" auth="Container"
                  type="nl.bowtie.reservation.util.ConfigBean"
                  factory="org.apache.naming.factory.BeanFactory"
                  configFilename="/var/www/www.rabbit.nl/config/reservation.properties"/>
    </Context>
    <Context path="/" docBase="/var/www/www.rabbit.nl/html" privileged="true" reloadable="true" crossContext="true"/>
</Host>

<Host name="www.appel.nl" appBase="/var/www/www.appel.nl" unpackWARs="false" autoDeploy="true">
    <Alias>appel.nl</Alias>
    <Context path="/" docBase="/var/www/www.appel.nl/html" privileged="true" reloadable="true" crossContext="true"/>
</Host>

Thank you Chris, Mark and Ian.

Maurice Poos

On Wed, May 27, 2020 at 10:38 AM Mark Thomas <ma...@apache.org> wrote:

> On 26/05/2020 14:19, Maurice Poos wrote:
> > Hello and thank you in advance for looking into this.
> >
> > I'm a Dutch native so bear with me...
> >
> > Problem:
> > Trying to configure TOMCAT9 to handle 2 domains on the same server with
> > https and 2 different keystore files.
> > There is no APACHE webserver or other webserver available.
> >
> > Single connector configuration works perfectly for that single domain e.g.
> >
> > <Connector
> >     port="443"
> >     address="rabbit.nl"
> >     maxHttpHeaderSize="8192"
> >     maxThreads="150"
> >     minSpareThreads="25"
> >     maxSpareThreads="75"
> >     enableLookups="false"
> >     disableUploadTimeout="true"
> >     acceptCount="100"
> >     scheme="https"
> >     secure="true"
> >     SSLEnabled="true"
> >     clientAuth="false"
> >     sslProtocol="TLS"
> >     keyAlias="rabbit.nl"
> >     keystoreFile="/etc/ssl/crt/rabbit.nl.jks"
> >     keystorePass="password2" />
>
> I suggest, as a first step, you convert the above working configuration
> to the new <SSLHostConfig ... /> style and get that working for each
> cert one at a time. When you have the individual configurations working,
> then you can combine them.
>
> The configuration above should convert to:
>
> <Connector
>     protocol="org.apache.coyote.http11.Http11NioProtocol"
>     port="443"
>     maxThreads="150"
>     minSpareThreads="25"
>     scheme="https"
>     secure="true"
>     SSLEnabled="true"
>     <SSLHostConfig>
>         <Certificate
>             certificateKeyAlias="rabbit.nl"
>             certificateKeystoreFile="/etc/ssl/crt/rabbit.nl.jks"
>             certificateKeystorePassword="password2"
>         />
>     </SSLHostConfig>
> </Connector>
>
> Notes:
> - The protocol attribute is missing so I have added that
> - I'd expect address to be an IP address so I have omitted that attribute
> - maxHttpHeaderSize="8192" is the default so I have omitted that attribute
> - maxSpareThreads="75" is not a recognised attribute so I have removed it
> - acceptCount="100" is the default so I have omitted that attribute
> - disableUploadTimeout="true" is the default so I have omitted that attribute
> - enableLookups="false" is the default so I have omitted that attribute
> - clientAuth="false" is the default so I have omitted that attribute
> - sslProtocol="TLS" is the default so I have omitted that attribute
>
> I'd then add the hostName attribute to the SSLHostConfig element and,
> once that is working, combine the two.
>
> > But the multi-domain connector is flawed somewhere and due to the limited
> > feedback from TOMCAT it's a real struggle to figure out what is wrong
>
> I don't see a defaultSSLHostConfigName configured for the Connector.
> That might trigger the error you are seeing (because the _default_ host
> name won't have an associated certificate.
>
> If that is the issue, we can look at trying to improve that error message.
>
> > SERVER.XML CONFIG file excerpt:
> >
> > <Connector
> >     port="443"
> >     protocol="org.apache.coyote.http11.Http11NioProtocol"
> >     maxHttpHeaderSize="8192"
> >     maxThreads="150"
> >     SSLEnabled="true"
> >     acceptCount="100"
> >     scheme="https"
> >     minSpareThreads="25"
> >     maxSpareThreads="75"
> >     enableLookups="false"
> >     secure="true"
> >     clientAuth="false"
> >     <SSLHostConfig hostName="appel.nl" sslProtocol="TLS">
> >         <Certificate
> >             certificateKeystoreFile="/etc/ssl/crt/appel.nl.jks"
> >             certificateKeystorePassword="password1" certificateKeyAlias="appel.nl"
> >             certificateKeyPassword="password1" />
> >     </SSLHostConfig>
> >     <SSLHostConfig hostName="rabbit.nl" sslProtocol="TLS">
> >         <Certificate
> >             certificateKeystoreFile="/etc/ssl/crt/rabbit.nl.jks"
> >             certificateKeystorePassword="password2" certificateKeyAlias="rabbit.nl"
> >             certificateKeyPassword="password2" />
> >     </SSLHostConfig>
> > </Connector>
> >
> > Can somebody help me?
> >
> > Thank you,
> >
> > Maurice Poos
> >
> > _____________________________________________________________________
> > TOMCAT VERSION
> > Server version: Apache Tomcat/9.0.31
> > Server built:   Feb 5 2020 19:32:12 UTC
> > Server number:  9.0.31.0
> >
> > LINUX
> > "Ubuntu 18.04.4 LTS"
> >
> > Architecture:
> > amd64
> >
> > JVM Version: 14.0.1+7
> > JVM Vendor:  Oracle Corporation
> >
> > __________________________________________________________________________
> > KEY CSR creation
> >
> > KEY
> > /usr/bin/keytool -genkey -keysize 2048 -alias rabbit.nl -keyalg RSA -keystore rabbit.nl.jks
> >
> > CSR
> > /usr/bin/keytool -certreq -keyalg RSA -alias rabbit.nl -file rabbit.nl.csr -keystore rabbit.nl.jks
> >
> > ___________________________________________________________________________
> > ERROR LOG CATALINA.OUT
> >
> > 26-May-2020 11:22:34.602 SEVERE [main] org.apache.catalina.util.LifecycleBase.handleSubClassException Failed to initialize component [Connector[HTTP/1.1-443]]
> > org.apache.catalina.LifecycleException: Protocol handler initialization failed
> >         at org.apache.catalina.connector.Connector.initInternal(Connector.java:1013)
> >         at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
> >         at org.apache.catalina.core.StandardService.initInternal(StandardService.java:533)
> >         at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
> >         at org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:1057)
> >         at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
> >         at org.apache.catalina.startup.Catalina.load(Catalina.java:584)
> >         at org.apache.catalina.startup.Catalina.load(Catalina.java:607)
> >         at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> >         at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
> >         at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
> >         at java.base/java.lang.reflect.Method.invoke(Method.java:564)
> >         at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:303)
> >         at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:473)
> > Caused by: java.lang.IllegalArgumentException
> >         at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:99)
> >         at org.apache.tomcat.util.net.AbstractJsseEndpoint.initialiseSsl(AbstractJsseEndpoint.java:71)
> >         at org.apache.tomcat.util.net.NioEndpoint.bind(NioEndpoint.java:217)
> >         at org.apache.tomcat.util.net.AbstractEndpoint.bindWithCleanup(AbstractEndpoint.java:1141)
> >         at org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:1154)
> >         at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:581)
> >         at org.apache.coyote.http11.AbstractHttp11Protocol.init(AbstractHttp11Protocol.java:74)
> >         at org.apache.catalina.connector.Connector.initInternal(Connector.java:1010)
> >         ... 13 more
> > Caused by: java.io.IOException
> >         at org.apache.tomcat.util.net.SSLUtilBase.getKeyManagers(SSLUtilBase.java:302)
> >         at org.apache.tomcat.util.net.SSLUtilBase.createSSLContext(SSLUtilBase.java:247)
> >         at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:97)
> >         ... 20 more
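As an added example (not from this thread and not Tomcat's own code), a small Python lint for the two SNI issues the thread touches: a defaultSSLHostConfigName that matches no SSLHostConfig (the startup failure Mark pointed at) and Host/Alias names with no SSLHostConfig of their own, which Tomcat answers with the default host's certificate. It assumes Tomcat's documented default name "_default_" and runs over constructed server.xml fragments with placeholder keystore paths.

```python
import xml.etree.ElementTree as ET

DEFAULT_SNI_NAME = "_default_"  # Tomcat's default for defaultSSLHostConfigName


def check_sni_config(server_xml: str) -> list[str]:
    """Return findings for the SNI wiring of a server.xml fragment."""
    root = ET.fromstring(server_xml)
    findings, sni_names = [], set()
    for conn in root.iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue
        port = conn.get("port", "?")
        default = conn.get("defaultSSLHostConfigName", DEFAULT_SNI_NAME).lower()
        names = set()
        for shc in conn.findall("SSLHostConfig"):
            name = (shc.get("hostName") or DEFAULT_SNI_NAME).lower()
            names.add(name)
            if shc.find("Certificate") is None:
                findings.append(f"port {port}: SSLHostConfig '{name}' has no <Certificate>")
        if default not in names:
            # The thread's failure: no key material for the default host, so the
            # SSLContext cannot be built and the connector never initialises.
            findings.append(f"port {port}: defaultSSLHostConfigName '{default}' matches no "
                            f"SSLHostConfig hostName in {sorted(names)}; connector will not start")
        sni_names |= names
    # A Host/Alias without its own SSLHostConfig is served the default certificate,
    # which is only correct if that certificate also covers the name.
    for host in root.iter("Host"):
        served = [host.get("name", "")] + [a.text.strip() for a in host.findall("Alias") if a.text]
        for name in served:
            if name.lower() not in sni_names:
                findings.append(f"host '{name}': no SSLHostConfig with this hostName; "
                                "clients sending this SNI get the default host's certificate")
    return findings


# Constructed fragments mirroring the thread; keystore paths are placeholders.
BROKEN = """<Service>
 <Connector port="443" SSLEnabled="true">
  <SSLHostConfig hostName="appel.nl"><Certificate certificateKeystoreFile="a.jks"/></SSLHostConfig>
  <SSLHostConfig hostName="rabbit.nl"><Certificate certificateKeystoreFile="r.jks"/></SSLHostConfig>
 </Connector>
</Service>"""
FIXED = """<Service>
 <Connector port="443" SSLEnabled="true" defaultSSLHostConfigName="www.rabbit.nl">
  <SSLHostConfig hostName="www.rabbit.nl"><Certificate certificateKeystoreFile="r.jks"/></SSLHostConfig>
  <SSLHostConfig hostName="www.appel.nl"><Certificate certificateKeystoreFile="a.jks"/></SSLHostConfig>
 </Connector>
 <Host name="www.rabbit.nl"><Alias>rabbit.nl</Alias></Host>
 <Host name="www.appel.nl"><Alias>appel.nl</Alias></Host>
</Service>"""
```

Run against FIXED it reports that the bare aliases rabbit.nl and appel.nl have no SSLHostConfig, so a browser opening https://appel.nl is presented the www.rabbit.nl keystore's certificate unless that certificate also covers appel.nl.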