Re: tomcat-10.0.x Problem https multiple IP

2022-01-24 Thread Christopher Schultz

Jaebo,

On 1/21/22 06:42, Jaebo Nah wrote:

Thank you for your help, I found the problem.
Only one certificate may be contained in the KeyStore file.
I had several certificates in the KeyStore file, and the Tomcat server 
10.x always got the first certificate in the KeyStore file.
With Tomcat 9.x you could specify the key alias. That doesn't seem 
possible with Tomcat 10.x.


You are misreading the documentation. You can certainly have multiple 
keys + certs in the same keystore. You want to use 
"certificateKeyAlias" to choose which key to use for the .


Hope that helps,
-chris

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org



RE: tomcat-10.0.x Problem https multiple IP

2022-01-21 Thread Jaebo Nah
Dear all,

Thank you for your help, I found the problem.
Only one certificate may be contained in the KeyStore file.
I had several certificates in the KeyStore file, and the Tomcat server 10.x 
always got the first certificate in the KeyStore file.
With Tomcat 9.x you could specify the key alias. That doesn't seem possible 
with Tomcat 10.x.

Rgds 

 
 Jaebo Nah
  

 Deutsche Pfandbriefbank AG
  Information Technology
Application Management Front Office
  Ludwig-Erhard-Strasse 14
  65760 Eschborn, Germany
 T: +49 6196 9727-209
   jaebo@pfandbriefbank.com
http://www.pfandbriefbank.com 
 

Bitte denken Sie an die Umwelt und verzichten möglichst auf den Ausdruck von 
E-Mails.
Please think about the environment before printing the email.

Management Board: Andreas Arndt (CEO), Thomas Köntgen (Deputy CEO), Andreas 
Schenk, Marcus Schulte; Chairman of the Supervisory Board: Dr. Günther Bräunig; 
Registered office: Munich; Legal form: Aktiengesellschaft; Commercial register: 
Local Court Munich, HRB 41054
The information contained in this message is confidential or protected by law. 
If you are not the intended recipient, please contact the sender and delete 
this message. Any unauthorized copying of this message or unauthorized 
distribution of the information contained herein is prohibited.
Unsere aktuell gültigen Datenschutzhinweise finden Sie unter 
https://www.pfandbriefbank.com/datenschutz/europaeische-datenschutz-grundverordnung-eu-dsgvo.html
The currently valid data protection information can be found at 
https://www.pfandbriefbank.com/en/privacy/translate-to-english-europaeische-datenschutz-grundvero.html


RE: tomcat-10.0.x Problem https multiple IP

2022-01-21 Thread Jaebo Nah
logfiles/apache-tomcat-10.0.14/webapps/fxrates]
21-Jan-2022 11:22:23.725 INFO [main] 
org.apache.catalina.startup.HostConfig.deployDirectory Deployment of web 
application directory 
[/apps/vr_apps/logfiles/apache-tomcat-10.0.14/webapps/fxrates] has finished in 
[12] ms
21-Jan-2022 11:22:23.725 INFO [main] 
org.apache.catalina.startup.HostConfig.deployDirectory Deploying web 
application directory 
[/apps/vr_apps/logfiles/apache-tomcat-10.0.14/webapps/docs]
21-Jan-2022 11:22:23.737 INFO [main] 
org.apache.catalina.startup.HostConfig.deployDirectory Deployment of web 
application directory 
[/apps/vr_apps/logfiles/apache-tomcat-10.0.14/webapps/docs] has finished in 
[11] ms
21-Jan-2022 11:22:23.737 INFO [main] 
org.apache.catalina.startup.HostConfig.deployDirectory Deploying web 
application directory 
[/apps/vr_apps/logfiles/apache-tomcat-10.0.14/webapps/host-manager]
21-Jan-2022 11:22:23.758 INFO [main] 
org.apache.catalina.startup.HostConfig.deployDirectory Deployment of web 
application directory 
[/apps/vr_apps/logfiles/apache-tomcat-10.0.14/webapps/host-manager] has 
finished in [20] ms
21-Jan-2022 11:22:23.758 INFO [main] 
org.apache.catalina.startup.HostConfig.deployDirectory Deploying web 
application directory 
[/apps/vr_apps/logfiles/apache-tomcat-10.0.14/webapps/examples]
21-Jan-2022 11:22:23.892 INFO [main] 
org.apache.catalina.startup.HostConfig.deployDirectory Deployment of web 
application directory 
[/apps/vr_apps/logfiles/apache-tomcat-10.0.14/webapps/examples] has finished in 
[134] ms
21-Jan-2022 11:22:23.893 INFO [main] 
org.apache.catalina.startup.HostConfig.deployDirectory Deploying web 
application directory 
[/apps/vr_apps/logfiles/apache-tomcat-10.0.14/webapps/manager]
21-Jan-2022 11:22:23.908 INFO [main] 
org.apache.catalina.startup.HostConfig.deployDirectory Deployment of web 
application directory 
[/apps/vr_apps/logfiles/apache-tomcat-10.0.14/webapps/manager] has finished in 
[15] ms
21-Jan-2022 11:22:23.911 INFO [main] org.apache.coyote.AbstractProtocol.start 
Starting ProtocolHandler ["http-nio-10.100.142.32-8080"]
21-Jan-2022 11:22:23.915 INFO [main] org.apache.coyote.AbstractProtocol.start 
Starting ProtocolHandler ["https-jsse-nio2-10.100.142.32-8443"]
21-Jan-2022 11:22:23.916 INFO [main] org.apache.catalina.startup.Catalina.start 
Server startup in [439] milliseconds





-Original Message-
From: Mark Thomas  
Sent: Friday, January 21, 2022 10:49 AM
To: users@tomcat.apache.org
Subject: Re: tomcat-10.0.x Problem https multiple IP

On 21/01/2022 09:29, Jaebo Nah wrote:
> Dear all,
> 
> I want to use Tomcat apache-tomcat-10.0.14 with https.
> 
> The Linux server has multiple IP addresses with different domain names:
> 
> 10.100.142.30  =   one.domain.loc
> 
> 10.100.142.31  =   two.domain.loc
> 
> 10.100.142.32  =   three.domain.loc
> 
> When I try to connect to Tomcat with https://two.domain.loc:8443
> 
> I get the following error:
> 
> NET::ERR_CERT_COMMON_NAME_INVALID
> 
> This server could not prove that it is two.domain.loc. Its security 
> certificate is from three.domain.loc. Possible reasons are a 
> misconfiguration or an attacker intercepting your connection.
> 
> The connection to one.domain.loc behaves the same as two.domain.loc.
> 
> Only the connection to three.domain.loc is working.
> 
> Thx for your answer

What do the logs show for this connector when Tomcat starts?

> server.xml
> 
>  
>    address=" two.domain.loc"

That looks wrong. address should be an IP address. I suspect this is being 
ignored and the con

RE: tomcat-10.0.x Problem https multiple IP

2022-01-21 Thread Jaebo Nah
Sorry, a little mistake in my description.

It should be:

  SSLEnabled="true" defaultSSLHostConfigName="10.100.142.31" >
 
 

But the following (see below) is not working either.

  SSLEnabled="true" defaultSSLHostConfigName="two.domain.loc" >
 
 





From: Jaebo Nah
Sent: Friday, January 21, 2022 10:30 AM
To: 'users@tomcat.apache.org' 
Subject: tomcat-10.0.x Problem https multiple IP

Dear all,

I want to use Tomcat apache-tomcat-10.0.14 with https.

The Linux server has multiple IP addresses with different domain names:

10.100.142.30  =   one.domain.loc
10.100.142.31  =   two.domain.loc
10.100.142.32  =   three.domain.loc

When I try to connect to Tomcat with https://two.domain.loc:8443
I get the following error:

NET::ERR_CERT_COMMON_NAME_INVALID

This server could not prove that it is two.domain.loc. Its security certificate 
is from three.domain.loc. Possible reasons are a misconfiguration or an 
attacker intercepting your connection.

The connection to one.domain.loc behaves the same as two.domain.loc.

Only the connection to three.domain.loc is working.

Thx for your answer

server.xml

 
 

  



ifconfig
myeth0:1: flags=4163  mtu 1500
inet 10.100.142.30  netmask 255.255.255.128  broadcast 10.100.142.127
ether 00:50:56:a7:4f:5d  txqueuelen 1000  (Ethernet)

myeth0:2: flags=4163  mtu 1500
inet 10.100.142.31  netmask 255.255.255.128  broadcast 10.100.142.127
ether 00:50:56:a7:4f:5d  txqueuelen 1000  (Ethernet)

myeth0:3: flags=4163  mtu 1500
inet 10.100.142.32  netmask 255.255.255.128  broadcast 10.100.142.127
ether 00:50:56:a7:4f:5d  txqueuelen 1000  (Ethernet)



Re: tomcat-10.0.x Problem https multiple IP

2022-01-21 Thread Mark Thomas

On 21/01/2022 09:29, Jaebo Nah wrote:

Dear all,

I want to use Tomcat apache-tomcat-10.0.14 with https.

The Linux server has multiple IP addresses with different domain names:

10.100.142.30  =   one.domain.loc

10.100.142.31  =   two.domain.loc

10.100.142.32  =   three.domain.loc

When I try to connect to Tomcat with https://two.domain.loc:8443

I get the following error:

NET::ERR_CERT_COMMON_NAME_INVALID

This server could not prove that it is two.domain.loc. Its security 
certificate is from three.domain.loc. Possible reasons are a 
misconfiguration or an attacker intercepting your connection.

The connection to one.domain.loc behaves the same as two.domain.loc.

Only the connection to three.domain.loc is working.

Thx for your answer


What do the logs show for this connector when Tomcat starts?


server.xml



That looks wrong. address should be an IP address. I suspect this is 
being ignored and the connector is listening on all IP addresses. If 
that is what you want, just remove this setting.




   port="8443"

   protocol="org.apache.coyote.http11.Http11Nio2Protocol"

   maxThreads="150"

   scheme="https"

      enableLookups="false"

   SSLEnabled="true" defaultSSLHostConfigName="10.100.142.32" >


You want to use host names here, not IP addresses.

      className="org.apache.coyote.http2.Http2Protocol" />


      

Same here. Host name, not IP address.


protocols="TLSv1.2,+TLSv1.1,+TLSv1">

     

   


You have only configured one SSLHost so all requests will go to that 
host and use that certificate.


You need 2 more HostConfig sections. 5 more if you want Tomcat to 
respond to requests that use hostnames and requests that use IP addresses.





     


If you want Tomcat to respond to requests that use hostnames and 
requests that use IP addresses you'd be better off with 3 Connectors 
each with address set for the IP and an SSLHostConfig section that 
configured the appropriate certificate.


If you wanted to share a thread pool across those connectors then you 
could use an Executor.


Mark

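The shape Mark describes (one SSLHostConfig per host name, matched on the SNI name the client sends, with the default used when no SNI matches) combined with Chris's point about selecting a key from a shared keystore with certificateKeyAlias, as an added server.xml fragment that is not from the thread or from the Tomcat project. The keystore path, password and the three aliases are placeholders; TLSv1 and TLSv1.1 from the original post are deliberately left out.

```xml
<!-- Added example (not from the thread): one HTTPS connector for all three
     hosts. Tomcat picks the SSLHostConfig whose hostName matches the SNI
     name sent by the client; defaultSSLHostConfigName must equal one of
     those hostName values and is used when no SNI name matches. -->
<Connector port="8443"
           protocol="org.apache.coyote.http11.Http11Nio2Protocol"
           maxThreads="150"
           scheme="https"
           secure="true"
           enableLookups="false"
           SSLEnabled="true"
           defaultSSLHostConfigName="three.domain.loc">

    <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />

    <!-- Default host: also served to clients that send no SNI name -->
    <SSLHostConfig hostName="three.domain.loc" protocols="TLSv1.2,+TLSv1.3">
        <!-- certificateKeyAlias selects one key from a keystore holding several;
             path, password and alias are placeholders -->
        <Certificate certificateKeystoreFile="conf/PLACEHOLDER-keystore.jks"
                     certificateKeystorePassword="PLACEHOLDER"
                     certificateKeyAlias="three-domain-loc"
                     type="RSA" />
    </SSLHostConfig>

    <SSLHostConfig hostName="two.domain.loc" protocols="TLSv1.2,+TLSv1.3">
        <Certificate certificateKeystoreFile="conf/PLACEHOLDER-keystore.jks"
                     certificateKeystorePassword="PLACEHOLDER"
                     certificateKeyAlias="two-domain-loc"
                     type="RSA" />
    </SSLHostConfig>

    <SSLHostConfig hostName="one.domain.loc" protocols="TLSv1.2,+TLSv1.3">
        <Certificate certificateKeystoreFile="conf/PLACEHOLDER-keystore.jks"
                     certificateKeystorePassword="PLACEHOLDER"
                     certificateKeyAlias="one-domain-loc"
                     type="RSA" />
    </SSLHostConfig>
</Connector>
```

Without an address attribute this connector listens on all three IPs; a client that connects by IP address sends no SNI name and therefore receives the three.domain.loc certificate, which is why Mark suggests separate connectors if IP-based access must also present a matching certificate.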



Re: tomcat-10.0.x Problem https multiple IP

2022-01-21 Thread Olaf Kock
Dear Jaebo,

On 21.01.22 10:29, Jaebo Nah wrote:
>  10.100.142.31  =   two.domain.loc
>
> 
>   address=" two.domain.loc"
>
>   SSLEnabled="true" defaultSSLHostConfigName="10.100.142.32" >
>
>       protocols="TLSv1.2,+TLSv1.1,+TLSv1">
>
>
Above, I only left the lines from your mail that deal with host names
and IP addresses and deleted all others. Note the mismatch between
"two..." referring to "...31" initially, and then you use "...32" later.

Individual IP addresses are no longer needed for https connections to a
server. I'd recommend either handling them all in a single server or,
if you need to run multiple Tomcats, handling the correct certificate
choice in a reverse proxy that delegates to the proper Tomcat in the
background.

Olaf



tomcat-10.0.x Problem https multiple IP

2022-01-21 Thread Jaebo Nah
Dear all,

I want to use Tomcat apache-tomcat-10.0.14 with https.

The Linux server has multiple IP addresses with different domain names:

10.100.142.30  =   one.domain.loc
10.100.142.31  =   two.domain.loc
10.100.142.32  =   three.domain.loc

When I try to connect to Tomcat with https://two.domain.loc:8443
I get the following error:

NET::ERR_CERT_COMMON_NAME_INVALID

This server could not prove that it is two.domain.loc. Its security certificate 
is from three.domain.loc. Possible reasons are a misconfiguration or an 
attacker intercepting your connection.

The connection to one.domain.loc behaves the same as two.domain.loc.

Only the connection to three.domain.loc is working.

Thx for your answer

server.xml

 
 

  



ifconfig
myeth0:1: flags=4163  mtu 1500
inet 10.100.142.30  netmask 255.255.255.128  broadcast 10.100.142.127
ether 00:50:56:a7:4f:5d  txqueuelen 1000  (Ethernet)

myeth0:2: flags=4163  mtu 1500
inet 10.100.142.31  netmask 255.255.255.128  broadcast 10.100.142.127
ether 00:50:56:a7:4f:5d  txqueuelen 1000  (Ethernet)

myeth0:3: flags=4163  mtu 1500
inet 10.100.142.32  netmask 255.255.255.128  broadcast 10.100.142.127
ether 00:50:56:a7:4f:5d  txqueuelen 1000  (Ethernet)

