I'm trying to configure SSL for Tomcat 9 and I'm not having any luck.
My config is:
<Connector port="443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           SSLEnabled="true" maxThreads="50" scheme="https" secure="true"
           compression="on"
           connectionTimeout="4000" disableUploadTimeout="false"
           connectionUploadTimeout="900000"
           maxPostSize="10485760" keyAlias="tomcat" clientAuth="false"
           useServerCipherSuitesOrder="true">
    <SSLHostConfig
        ciphers="TLS_ECDH_RSA_WITH_AES_128_CBC_SHA + a lot of others"
        protocols="TLSv1.3,TLSv1.2"
        hostName="*.mydomain.com">
        <Certificate
            certificateKeystoreFile="conf/.keystore"
            certificateKeystorePassword="changeit"
            type="RSA" />
        <!--
        <Certificate
            certificateFile="${catalina.base}/conf/mydomain.pem"
            certificateKeyFile="${catalina.base}/conf/mydomain.key"
            certificateKeyPassword="changeit"
            certificateChainFile="${catalina.base}/conf/godaddy.chn"
            type="RSA" />
        -->
    </SSLHostConfig>
</Connector>
This was constructed using this page as a reference:
https://tomcat.apache.org/tomcat-9.0-doc/config/http.html
I've tried both of the Certificate configs shown. They both give the error:
SEVERE: Failed to initialize component [Connector[HTTP/1.1-443]]
org.apache.catalina.LifecycleException: Protocol handler initialization failed
    at org.apache.catalina.connector.Connector.initInternal(Connector.java:1051)
    at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
    at org.apache.catalina.core.StandardService.initInternal(StandardService.java:556)
    at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
    .........
Caused by: java.lang.IllegalArgumentException: SSLHostConfig attribute certificateFile must be defined when using an SSL connector
    at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:107)
    at org.apache.tomcat.util.net.AbstractJsseEndpoint.initialiseSsl(AbstractJsseEndpoint.java:71)
    at org.apache.tomcat.util.net.NioEndpoint.bind(NioEndpoint.java:234)
    at org.apache.tomcat.util.net.AbstractEndpoint.bindWithCleanup(AbstractEndpoint.java:1227)
    at org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:1240)
    .....
Caused by: java.io.IOException: SSLHostConfig attribute certificateFile must be defined when using an SSL connector
    at org.apache.tomcat.util.net.SSLUtilBase.getKeyManagers(SSLUtilBase.java:312)
    at org.apache.tomcat.util.net.SSLUtilBase.createSSLContext(SSLUtilBase.java:247)
    at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:105)
    ... 25 more
Looking at the docs, it doesn't appear that certificateFile is an
attribute of SSLHostConfig. I've looked at this page:
https://tomcat.apache.org/tomcat-9.0-doc/ssl-howto.html#Certificates
but it's configuring everything on the Connector, which the Connector
page says is deprecated:
"The following NIO and NIO2 SSL configuration attributes have been
deprecated in favor of the default SSLHostConfig element
(https://tomcat.apache.org/tomcat-9.0-doc/config/http.html#SSL_Support_-_SSLHostConfig)
with the hostName of _default_. If this SSLHostConfig element is not
explicitly defined, it will be created."
Additionally, I'd like to use SNI for multiple certs, so that will
require an SSLHostConfig I think. Can anyone give me an idea of what I'm
doing wrong?
Thanks.
--
George Sexton
(303) 438 9585 x102
MH Software, Inc.
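An added check, not part of this thread, that parses a Connector fragment and flags the two conditions the quoted documentation describes: an SSLHostConfig (or its Certificate) that names no keystore or PEM file, and deprecated Connector-level SSL attributes present while no SSLHostConfig with hostName _default_ is declared, so Tomcat creates that one implicitly. The sample Connector and its hostname are constructed; the deprecated-attribute set is taken from the Tomcat 9 HTTP Connector documentation.

```python
import xml.etree.ElementTree as ET

# Connector-level SSL attributes the Tomcat 9 HTTP Connector docs list as
# deprecated; Tomcat applies them to the implicit "_default_" SSLHostConfig.
DEPRECATED_CONNECTOR_SSL_ATTRS = {
    "keyAlias", "keystoreFile", "keystorePass", "keystoreType", "keyPass",
    "clientAuth", "sslProtocol", "sslEnabledProtocols", "ciphers",
    "truststoreFile", "truststorePass", "useServerCipherSuitesOrder",
}

# Constructed sample modelled on the posted configuration (hypothetical host).
POSTED_STYLE_CONNECTOR = """<Connector port="443"
           protocol="org.apache.coyote.http11.Http11NioProtocol"
           SSLEnabled="true" scheme="https" secure="true"
           keyAlias="tomcat" clientAuth="false">
  <SSLHostConfig hostName="*.example.com" protocols="TLSv1.3,TLSv1.2">
    <Certificate certificateKeystoreFile="conf/.keystore"
                 certificateKeystorePassword="changeit" type="RSA" />
  </SSLHostConfig>
</Connector>
"""

def audit_ssl_connectors(server_xml: str) -> list:
    """Return findings for every SSLEnabled Connector in the given XML text."""
    root = ET.fromstring(server_xml)
    connectors = [root] if root.tag == "Connector" else list(root.iter("Connector"))
    findings = []
    for conn in connectors:
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue
        port = conn.get("port", "?")
        hostconfigs = conn.findall("SSLHostConfig")
        hostnames = [hc.get("hostName", "_default_") for hc in hostconfigs]
        # Each SSLHostConfig needs a Certificate naming a keystore or PEM file,
        # otherwise init fails with "certificateFile must be defined".
        for name, hc in zip(hostnames, hostconfigs):
            certs = hc.findall("Certificate")
            if not certs:
                findings.append(f"port {port}: SSLHostConfig '{name}' has no <Certificate>")
            for cert in certs:
                if not (cert.get("certificateKeystoreFile") or cert.get("certificateFile")):
                    findings.append(f"port {port}: Certificate in '{name}' names no keystore or PEM file")
        deprecated = sorted(set(conn.attrib) & DEPRECATED_CONNECTOR_SSL_ATTRS)
        if deprecated and "_default_" not in hostnames:
            findings.append(f"port {port}: deprecated Connector attributes {deprecated} "
                            "imply a '_default_' SSLHostConfig that has no certificate; "
                            "move them into SSLHostConfig/Certificate")
    return findings
```

Run `audit_ssl_connectors(open("conf/server.xml").read())` against a real server.xml; each finding names the port and the SSLHostConfig it applies to.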