Maurice,
On 12/22/20 08:59, Maurice Poos wrote:
Hi there,
This question (or the gist of it) was asked around 2009 but a lot can
happen in 10 years.
The question is as follows:
I've got Tomcat 9.0.35 running on a server (no Apache or anything else).
The connector and ssl are all running smoothly.
When I put an alias in the connector of course the SSL breaks because the
subdomain is not included in the certificate in the keystore nor are
wildcards used.
Is it possible to add the subdomain SSL to the first keystore and then use
the alias to secure the subdomain?
Or... do I need to set up a separate connector, different keystore etc.?
Thank you all for reading and stay safe!
Maurice
As a keynote... I'm not up to all the RFCs
*Config (highlights):*
*--------------------*
<SSLHostConfig hostName="site1.nl">
<Certificate
certificateKeyAlias="site1.nl"
certificateKeystoreFile="/etc/ssl/crt/site1.nl.jks"
certificateKeystorePassword="whiterabbit"/>
</SSLHostConfig>
##########################
<Host name="site1.nl" unpackWARs="true" appbase="/var/www/www.site1.nl"
autoDeploy="true">
<Alias>www.site1.nl</Alias>
*-->* <Alias>subdomain1.site1.nl</Alias> *<-- This is what I want to
add -->*
<Context path="/" docBase="/var/www/www.site1.nl/html"
privileged="true"
reloadable="true" crossContext="false"/>
<Context path="/calendar" docBase="/var/www/www.site1.nl/webapp/calendar.war"
privileged="true" reloadable="true" crossContext="false"/>
</Host>
This isn't really a Tomcat thing, it's an X.509 thing. There is no way
your client is going to accept a certificate for www.site1.nl when
requesting a resource from subdomain1.site1.nl unless it's been
instructed (by the user) to ignore TLS hostname mismatches, which is a
pretty insecure practice.
So no matter which way you configure Tomcat, the client isn't going to
make the connection.
If you have two separate certificates (one for www, one for subdomain1),
then I would expect Tomcat to allow you to put them all into one
keystore and list each one in a separate <SSLHostConfig> under the
<Connector>. The <Host> just "accepts" requests once the TLS handshake
is complete, so using an <Alias> there should work.
If it's not working, please post your full <Connector> and <Host>
configurations (with any secrets removed) and also the output of this
command:
$ keytool -list -v -keystore /etc/ssl/crt/site1.nl.jks
$ keytool -list -v -keystore /etc/ssl/crt/subdomain.site1.nl.jks
Note: you might want to start using PKCS12 (.p12) files since (a)
OpenSSL can use them and (b) Java is dropping support for JKS files.
-chris
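
The layout described in the reply above, written out as a Tomcat 9 `server.xml` fragment. This is an added example, not configuration posted by either participant; the port, the password placeholder and the second key alias are assumptions, and both certificates are assumed to be key entries in the one keystore file from the original post.

```xml
<!-- Added example; aliases, port and password are placeholders (assumptions). -->
<Connector port="8443"
           protocol="org.apache.coyote.http11.Http11NioProtocol"
           SSLEnabled="true" scheme="https" secure="true"
           defaultSSLHostConfigName="site1.nl">

  <!-- Served when the SNI name is site1.nl, or matches no other SSLHostConfig
       (for example www.site1.nl). This certificate's SAN list must contain
       every name that ends up here. -->
  <SSLHostConfig hostName="site1.nl">
    <Certificate certificateKeystoreFile="/etc/ssl/crt/site1.nl.jks"
                 certificateKeystorePassword="REPLACE_ME"
                 certificateKeyAlias="site1.nl"/>
  </SSLHostConfig>

  <!-- Selected by SNI for subdomain1.site1.nl: same keystore file, different
       key entry. The alias name is an assumption; use what keytool -list shows. -->
  <SSLHostConfig hostName="subdomain1.site1.nl">
    <Certificate certificateKeystoreFile="/etc/ssl/crt/site1.nl.jks"
                 certificateKeystorePassword="REPLACE_ME"
                 certificateKeyAlias="subdomain1.site1.nl"/>
  </SSLHostConfig>
</Connector>

<!-- In <Engine>: request routing happens after the handshake. -->
<Host name="site1.nl" appBase="/var/www/www.site1.nl"
      unpackWARs="true" autoDeploy="true">
  <Alias>www.site1.nl</Alias>
  <Alias>subdomain1.site1.nl</Alias>
  <!-- existing <Context> elements unchanged -->
</Host>
```

The `<Alias>` only affects which `<Host>` handles the request; the client still validates the certificate chosen by the matching `<SSLHostConfig>` against the name it asked for.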