Re: [OT] HELP wanted: Configure 2 domains, 2 SSL and 2 keyfiles on 1 VPS

2020-05-27 Thread Christopher Schultz

All,

On 5/27/20 08:18, Ian Brown wrote:
> I would suggest adding type="RSA" to your certificate elements.
> (As shown in Christopher's example & matching your set up). It
> defaults to UNDEFINED. Further, the Tomcat documentation talks
> about one certificate working, and two not working if TYPE is not
> defined.
Hmm, now this has me thinking. If you have a single keystore and want
to advertise both RSA and ECDSA-based server certificates, you'd have
to do:


  
  


If you had more config items like passwords, providers, etc. it would
become even more verbose.

If I were configuring something like this myself, I might like to say
(in English) "this keystore contains everything I need for
www.example.com; load everything and do the right thing". Something
like this:


  


This can work for PEM files, too, and it's how httpd does things: you
just point SSLCertificateFile at a PEM file and it loads everything.
The only (practical) difference between a keystore and a
multi-certificate/key PEM file is that there are no "aliases" in a PEM
file.

Each key knows its own type; there is no need to require the user to
declare the encryption type. We could even use the "hostName" from the
SSLHostConfig element to ignore any certificates whose CN/SANs
doesn't/don't match the hostName so we don't get confused if there are
unrelated certificates in the keystore.

I think there is scope to improve things, here.

- -chris

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org



Re: HELP wanted: Configure 2 domains, 2 SSL and 2 keyfiles on 1 VPS

2020-05-27 Thread Christopher Schultz

Maurice,

On 5/27/20 09:04, Maurice Poos wrote:
> Hello Mark,
>
> It's an honour!
>
> I reply to this in a non standard way because a few things have
> happened while it was night over here. Long story short: it works
> now.
>
> 1) The first thing was that the server got upgraded to v9.0.35
>
> Next I've began to work with your suggestions.
>
>> > port="443" maxThreads="150" minSpareThreads="25" scheme="https"
>> secure="true" SSLEnabled="true"  > certificateKeyAlias="rabbit.nl"
>> certificateKeystoreFile="/etc/ssl/crt/rabbit.nl.jks"
>> certificateKeystorePassword="password2" /> 
>> 
>>
>
> 2) Because v35 changed the connector requirements a bit the closing
> ">" after SSLEnabled="true" is mandatory. This immediately made the
> above config work.

The closing > was always required. This isn't a 9.0.35 requirement or
anything. It's just ... how XML works. I'm surprised Tomcat even
started with a broken XML document.

>> Notes: - The protocol attribute is missing so I have added that -
>> I'd expect address to be an IP address so I have omitted that
>> attribute - maxHttpHeaderSize="8192" is the default so I have
>> omitted that attribute - maxSpareThreads="75" is not a recognised
>> attribute so I have removed it - acceptCount="100" is the default
>> so I have omitted that attribute - disableUploadTimeout="true" is
>> the default so I have omitted that attribute -
>> enableLookups="false" is the default so I have omitted that
>> attribute - clientAuth="false" is the default so I have omitted
>> that attribute - sslProtocol="TLS" is the default so I have
>> omitted that attribute
>>
>> I'd then add the hostName attribute to the SSLHostConfig element
>> and, once that is working, combine the two.
>
> 3) After adding the hostName attribute I did get the error
> that you expected below so I added it in the connector.
>
>
>>
>> I don't see a defaultSSLHostConfigName configured for the
>> Connector. That might trigger the error you are seeing (because
>> the _default_ host name won't have an associated certificate.
>>
>> If that is the issue, we can look at trying to improve that error
>> message.
>>
>
> 4) after adding this I've got the working config:
>
>  port="443" maxThreads="150" minSpareThreads="25" scheme="https"
> secure="true" SSLEnabled="true"
> defaultSSLHostConfigName="www.rabbit.nl">  hostName="www.rabbit.nl">  certificateKeyAlias="rabbit.nl"
> certificateKeystoreFile="/etc/ssl/crt/rabbit.nl.jks"
> certificateKeystorePassword="1" /> 
>   certificateKeyAlias="appel.nl"
> certificateKeystoreFile="/etc/ssl/crt/appel.nl.jks"
> certificateKeystorePassword="2" /> 
> 

Excellent. Glad you got things working.

- -chris




Re: HELP wanted: Configure 2 domains, 2 SSL and 2 keyfiles on 1 VPS

2020-05-27 Thread Maurice Poos
Hello Mark,

It's an honour!

I reply to this in a non standard way because a few things have happened
while it was night over here.
Long story short: it works now.

1) The first thing was that the server got upgraded to v9.0.35

Next I've began to work with your suggestions.

>protocol="org.apache.coyote.http11.Http11NioProtocol"
>port="443"
>maxThreads="150"
>minSpareThreads="25"
>scheme="https"
>secure="true"
>SSLEnabled="true"
>
>certificateKeyAlias="rabbit.nl"
>certificateKeystoreFile="/etc/ssl/crt/rabbit.nl.jks"
>certificateKeystorePassword="password2"
>/>
>
>
>

2) Because v35 changed the connector requirements a bit the closing ">"
after SSLEnabled="true" is mandatory.
This immediately made the above config work.

>Notes:
> - The protocol attribute is missing so I have added that
> - I'd expect address to be an IP address so I have omitted that
>   attribute
> - maxHttpHeaderSize="8192" is the default so I have omitted that
>   attribute
> - maxSpareThreads="75" is not a recognised attribute so I have removed
>   it
> - acceptCount="100" is the default so I have omitted that attribute
> - disableUploadTimeout="true" is the default so I have omitted that
>   attribute
> - enableLookups="false" is the default so I have omitted that attribute
> - clientAuth="false" is the default so I have omitted that attribute
> - sslProtocol="TLS" is the default so I have omitted that attribute
>
>I'd then add the hostName attribute to the SSLHostConfig element and,
>once that is working, combine the two.

3) After adding the hostName attribute I did get the error that you
expected below, so I added it in the connector.


>
>I don't see a defaultSSLHostConfigName configured for the Connector.
>That might trigger the error you are seeing (because the _default_ host
>name won't have an associated certificate.
>
>If that is the issue, we can look at trying to improve that error message.
>

4) after adding this I've got the working config:

 port="443" maxThreads="150" minSpareThreads="25" scheme="https"
 secure="true" SSLEnabled="true"
 defaultSSLHostConfigName="www.rabbit.nl">
   hostName="www.rabbit.nl">
     certificateKeyAlias="rabbit.nl"
     certificateKeystoreFile="/etc/ssl/crt/rabbit.nl.jks"
     certificateKeystorePassword="1" />

     certificateKeyAlias="appel.nl"
     certificateKeystoreFile="/etc/ssl/crt/appel.nl.jks"
     certificateKeystorePassword="2" />

Thank you Chris, Mark and Ian.

Maurice Poos


On Wed, May 27, 2020 at 10:38 AM Mark Thomas  wrote:

> On 26/05/2020 14:19, Maurice Poos wrote:
> > Hello and thank you in advance for looking into this.
> >
> > I'm a Dutch native so bear with me...
> >
> > Problem:
> > Trying to configure TOMCAT9 to handle 2 domains on the same server with
> > https and 2 different keystore files.
> > There is no APACHE webserver or other webserver available.
> >
> > Single connector configuration works perfectly for that single domain
> e.g.
> >
> >   > port="443"
> > address="rabbit.nl"
> > maxHttpHeaderSize="8192"
> > maxThreads="150"
> > minSpareThreads="25"
> > maxSpareThreads="75"
> > enableLookups="false"
> > disableUploadTimeout="true"
> > acceptCount="100"
> > scheme="https"
> > secure="true"
> > SSLEnabled="true"
> > clientAuth="false"
> > sslProtocol="TLS"
> > keyAlias="rabbit.nl"
> > keystoreFile="/etc/ssl/crt/rabbit.nl.jks"
> > keystorePass="password2" />
>
> I suggest, as a first step, you convert the above working configuration
> to the new  style and get that working for each
> cert one at a time. When you have the individual configurations working,
> then you can combine them.
>
> The configuration above should convert to:
>
>  protocol="org.apache.coyote.http11.Http11NioProtocol"
> port="443"
> maxThreads="150"
> minSpareThreads="25"
> scheme="https"
> secure="true"
> SSLEnabled="true"
> 
>  certificateKeyAlias="rabbit.nl"
> certificateKeystoreFile="/etc/ssl/crt/rabbit.nl.jks"
> certificateKeystorePassword="password2"
> />
> 
> 
>
> Notes:
>  - The protocol attribute is missing so I have added that
>  - I'd expect address to be an IP address so I have omitted that
>attribute
>  - maxHttpHeaderSize="8192" is the default so I have omitted that
>attribute
>  - maxSpareThreads="75" is not a recognised attribute so I have removed
>it
>  - acceptCount="100" is the default so I have omitted that attribute
>  - disableUploadTimeout="true" is the default so I have omitted that
>attribute
>  - enableLookups="false" is the default so I have omitted that attribute
>  - clientAuth="false" is the default so I have omitted that attribute
>  - sslProtocol="TLS" is the default so I have omitted that attribute
>
> I'd then add the hostName attribute to the SSLHostConfig element and,
> once that is working, combine the two.
>
> > But the multi-domain connector is flawed somewhere and due to the limited
> > feedback from TOMCAT it's a real struggle to figure out what is wrong
>
> 
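Added example, not from the thread and not Tomcat's own code: a small Python linter over a constructed server.xml fragment shaped like the final working Connector above, checking the points raised in the thread. It verifies that defaultSSLHostConfigName names one of the SSLHostConfig hostName values (Mark's diagnosis), that every SSLHostConfig carries a Certificate that names a keystore or PEM file, that several Certificate elements in one SSLHostConfig each declare a type (Ian's point), and that a certificateKeyPassword equal to the keystore password is redundant (Chris's point). Element and attribute names are Tomcat's; the placeholder passwords, the second appel.nl Certificate in the "broken" sample and the lint functions are my own constructions.

```python
import xml.etree.ElementTree as ET

# Constructed sample shaped like the final working configuration from the
# thread: one Connector, two SSLHostConfig elements, one keystore each.
# Passwords are placeholders, not values from the thread.
WORKING_SERVER_XML = """<Server>
  <Service name="Catalina">
    <Connector protocol="org.apache.coyote.http11.Http11NioProtocol"
               port="443" maxThreads="150" minSpareThreads="25"
               scheme="https" secure="true" SSLEnabled="true"
               defaultSSLHostConfigName="www.rabbit.nl">
      <SSLHostConfig hostName="www.rabbit.nl">
        <Certificate certificateKeyAlias="rabbit.nl"
                     certificateKeystoreFile="/etc/ssl/crt/rabbit.nl.jks"
                     certificateKeystorePassword="PLACEHOLDER-1"
                     type="RSA"/>
      </SSLHostConfig>
      <SSLHostConfig hostName="www.appel.nl">
        <Certificate certificateKeyAlias="appel.nl"
                     certificateKeystoreFile="/etc/ssl/crt/appel.nl.jks"
                     certificateKeystorePassword="PLACEHOLDER-2"
                     type="RSA"/>
      </SSLHostConfig>
    </Connector>
  </Service>
</Server>
"""

# Constructed "before" sample: two named hosts but no defaultSSLHostConfigName,
# so the implicit default host "_default_" has no certificate. The second
# appel.nl Certificate (hypothetical) shows the missing-type case Ian describes.
BROKEN_SERVER_XML = """<Server>
  <Service name="Catalina">
    <Connector protocol="org.apache.coyote.http11.Http11NioProtocol"
               port="443" scheme="https" secure="true" SSLEnabled="true">
      <SSLHostConfig hostName="www.rabbit.nl">
        <Certificate certificateKeystoreFile="/etc/ssl/crt/rabbit.nl.jks"
                     certificateKeystorePassword="PLACEHOLDER-1"
                     certificateKeyPassword="PLACEHOLDER-1"/>
      </SSLHostConfig>
      <SSLHostConfig hostName="www.appel.nl">
        <Certificate certificateKeystoreFile="/etc/ssl/crt/appel.nl.jks"
                     certificateKeystorePassword="PLACEHOLDER-2"/>
        <Certificate certificateKeystoreFile="/etc/ssl/crt/appel.nl.jks"
                     certificateKeystorePassword="PLACEHOLDER-2"
                     certificateKeyAlias="appel.nl-ec"/>
      </SSLHostConfig>
    </Connector>
  </Service>
</Server>
"""

DEFAULT_HOST = "_default_"  # Tomcat's default for both hostName and defaultSSLHostConfigName


def lint_connector(conn):
    """Return a list of findings for one SSLEnabled Connector element."""
    findings = []
    hosts = conn.findall("SSLHostConfig")
    names = [h.get("hostName", DEFAULT_HOST) for h in hosts]
    default = conn.get("defaultSSLHostConfigName", DEFAULT_HOST)
    if default not in names:
        findings.append(
            f"defaultSSLHostConfigName={default!r} matches none of {names}; "
            "the default host would have no certificate")
    if len(names) != len(set(names)):
        findings.append(f"duplicate SSLHostConfig hostName values: {names}")
    for name, host in zip(names, hosts):
        certs = host.findall("Certificate")
        if not certs:
            findings.append(f"SSLHostConfig {name!r} has no Certificate")
        for cert in certs:
            if not (cert.get("certificateKeystoreFile") or cert.get("certificateFile")):
                findings.append(f"Certificate under {name!r} names no keystore or PEM file")
            # Several Certificate elements in one host must each carry a type;
            # the attribute otherwise defaults to UNDEFINED.
            if len(certs) > 1 and cert.get("type", "UNDEFINED") == "UNDEFINED":
                findings.append(f"Certificate under {name!r} has no type but shares the host")
            # certificateKeyPassword only matters when it differs from the keystore password.
            key_pw = cert.get("certificateKeyPassword")
            if key_pw is not None and key_pw == cert.get("certificateKeystorePassword"):
                findings.append(f"Certificate under {name!r}: redundant certificateKeyPassword")
    return findings


def lint_server_xml(text):
    """Map each SSLEnabled Connector's port to its findings (empty list = clean)."""
    root = ET.fromstring(text)
    results = {}
    for conn in root.iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue
        results[conn.get("port", "?")] = lint_connector(conn)
    return results


if __name__ == "__main__":
    for label, xml_text in (("working", WORKING_SERVER_XML), ("broken", BROKEN_SERVER_XML)):
        for port, findings in lint_server_xml(xml_text).items():
            print(f"[{label}] Connector port {port}: {len(findings)} finding(s)")
            for finding in findings:
                print("  -", finding)
```

Because server.xml carries the keystore passwords in clear text, keep its file permissions restricted to the account Tomcat runs as.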

Re: HELP wanted: Configure 2 domains, 2 SSL and 2 keyfiles on 1 VPS

2020-05-27 Thread Ian Brown
Hi Maurice,
Like Christopher I don't see any obvious issues. FYI, I run many virtual hosts 
all with certificates. Works great. I use certificateKeystoreType="PKCS12" and 
the related supporting software. 
I would suggest adding type="RSA" to your certificate elements. (As shown in 
Christopher's example & matching your set up). It defaults to UNDEFINED. 
Further, the Tomcat documentation talks about one certificate working, and two 
not working if TYPE is not defined. Now that is within an SSLHostConfig element, 
which is not your case. It sounds very similar to what you are experiencing.
Good Luck

Re: HELP wanted: Configure 2 domains, 2 SSL and 2 keyfiles on 1 VPS

2020-05-27 Thread Mark Thomas
On 26/05/2020 21:53, Christopher Schultz wrote:

> Okay, good.
> 
> What is your JVM language? I'm guessing it's Dutch (or maybe Flemish?
> French?). Tomcat doesn't have a translation for error messages and
> such, so your messages are not terribly helpful (e.g. IOException with
> no detail).

Nope.

If Tomcat can't find a message for the user's current Locale it will use
the English message.

It looks like the message got deleted in this case. That is an issue
that needs to get fixed.

Mark




Re: HELP wanted: Configure 2 domains, 2 SSL and 2 keyfiles on 1 VPS

2020-05-27 Thread Mark Thomas
On 26/05/2020 14:19, Maurice Poos wrote:
> Hello and thank you in advance for looking into this.
> 
> I'm a Dutch native so bear with me...
> 
> Problem:
> Trying to configure TOMCAT9 to handle 2 domains on the same server with
> https and 2 different keystore files.
> There is no APACHE webserver or other webserver available.
> 
> Single connector configuration works perfectly for that single domain e.g.
> 
>   port="443"
> address="rabbit.nl"
> maxHttpHeaderSize="8192"
> maxThreads="150"
> minSpareThreads="25"
> maxSpareThreads="75"
> enableLookups="false"
> disableUploadTimeout="true"
> acceptCount="100"
> scheme="https"
> secure="true"
> SSLEnabled="true"
> clientAuth="false"
> sslProtocol="TLS"
> keyAlias="rabbit.nl"
> keystoreFile="/etc/ssl/crt/rabbit.nl.jks"
> keystorePass="password2" />

I suggest, as a first step, you convert the above working configuration
to the new  style and get that working for each
cert one at a time. When you have the individual configurations working,
then you can combine them.

The configuration above should convert to:

 protocol="org.apache.coyote.http11.Http11NioProtocol"
 port="443"
 maxThreads="150"
 minSpareThreads="25"
 scheme="https"
 secure="true"
 SSLEnabled="true"

   certificateKeyAlias="rabbit.nl"
   certificateKeystoreFile="/etc/ssl/crt/rabbit.nl.jks"
   certificateKeystorePassword="password2"
   />

Notes:
 - The protocol attribute is missing so I have added that
 - I'd expect address to be an IP address so I have omitted that
   attribute
 - maxHttpHeaderSize="8192" is the default so I have omitted that
   attribute
 - maxSpareThreads="75" is not a recognised attribute so I have removed
   it
 - acceptCount="100" is the default so I have omitted that attribute
 - disableUploadTimeout="true" is the default so I have omitted that
   attribute
 - enableLookups="false" is the default so I have omitted that attribute
 - clientAuth="false" is the default so I have omitted that attribute
 - sslProtocol="TLS" is the default so I have omitted that attribute

I'd then add the hostName attribute to the SSLHostConfig element and,
once that is working, combine the two.

> But the multi-domain connector is flawed somewhere and due to the limited
> feedback from TOMCAT it's a real struggle to figure out what is wrong

I don't see a defaultSSLHostConfigName configured for the Connector.
That might trigger the error you are seeing (because the _default_ host
name won't have an associated certificate.

If that is the issue, we can look at trying to improve that error message.

> SERVER.XML CONFIG file exert:
> 
>  port="443"
> protocol="org.apache.coyote.http11.Http11NioProtocol"
> maxHttpHeaderSize="8192"
> maxThreads="150"
> SSLEnabled="true"
> acceptCount="100"
> scheme="https"
> minSpareThreads="25"
> maxSpareThreads="75"
> enableLookups="false"
> secure="true"
> clientAuth="false"
> 
>  certificateKeystoreFile="/etc/ssl/crt/appel.nl.jks"
> certificateKeystorePassword="password1" certificateKeyAlias="appel.nl"
> certificateKeyPassword="password1" />
> 
> 
>  certificateKeystoreFile="/etc/ssl/crt/rabbit.nl.jks"
> certificateKeystorePassword="password2" certificateKeyAlias="rabbit.nl"
> certificateKeyPassword="password2" />
> 
> 
> 
> 
> Can somebody help me?
> 
> 
> Thank you,
> 
> Maurice Poos
> 
> _
> TOMCAT VERSION
> Server version: Apache Tomcat/9.0.31
> Server built:   Feb 5 2020 19:32:12 UTC
> Server number:  9.0.31.0
> 
> LINUX
> "Ubuntu 18.04.4 LTS"
> 
> Architecture:
> amd64
> 
> JVM Version:14.0.1+7
> JVM Vendor: Oracle Corporation
> __
> KEY CSR creation
> 
> KEY
> /usr/bin/keytool -genkey -keysize 2048 -alias rabbit.nl -keyalg RSA
> -keystore rabbit.nl.jks
> 
> CSR
> /usr/bin/keytool -certreq -keyalg RSA -alias rabbit.nl -file rabbit.nl.csr
> -keystore rabbit.nl.jks
> ___
> 
> ERROR LOG CATALINA.OUT
> 
> 26-May-2020 11:22:34.602 SEVERE [main]
> org.apache.catalina.util.LifecycleBase.handleSubClassException Failed to
> initialize component [Connector[HTTP/1.1-443]]
> org.apache.catalina.LifecycleException: Protocol handler initialization
> failed
> at org.apache.catalina.connector.Connector.initInternal(Connector.java:1013)
> at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
> at org.apache.catalina.core.StandardService.initInternal(StandardService.java:533)
> at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
> at org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:1057)
> at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
> at org.apache.catalina.startup.Catalina.load(Catalina.java:584)
> at org.apache.catalina.startup.Catalina.load(Catalina.java:607)
> at
> 

Re: HELP wanted: Configure 2 domains, 2 SSL and 2 keyfiles on 1 VPS

2020-05-26 Thread Christopher Schultz

Maurice,

On 5/26/20 15:02, Maurice Poos wrote:
>
>
> On Tue, May 26, 2020 at 5:30 PM Christopher Schultz
>  >
wrote:
>
> Maurice,
>
> On 5/26/20 09:19, Maurice Poos wrote:
>> Hello and thank you in advance for looking into this.
>
>> I'm a Dutch native so bear with me...
>
> Welcome to the community!
>
>> Problem: Trying to configure TOMCAT9 to handle 2 domains on the
>> same server with https and 2 different keystore files.
>
> This should definitely be possible.
>
>> Server version: Apache Tomcat/9.0.31
>
>> There is no APACHE webserver or other webserver available.
>
> Thank you for making this clear. It helps a lot.
>
>> Single connector configuration works perfectly for that single
>> domain e.g.
>
>> http://rabbit.nl>"
> maxHttpHeaderSize="8192"
>> maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
>> enableLookups="false" disableUploadTimeout="true"
>> acceptCount="100" scheme="https" secure="true" SSLEnabled="true"
>> clientAuth="false" sslProtocol="TLS" keyAlias="rabbit.nl
> "
>> keystoreFile="/etc/ssl/crt/rabbit.nl.jks"
>> keystorePass="password2" />
>
> Excellent. This means that your keystore is in order and the
> certificate works, etc. You may want to use the PKCS12 keystore
> format simply because JKS is not really a standard and is being
> deprecated by Java. But it's not causing any problems right now, so
> let's not change it.
>
>> But the multi-domain connector is flawed somewhere and due to
>> the limited feedback from TOMCAT it's a real struggle to figure
>> out what is wrong
>
>> SERVER.XML CONFIG file exert:
>
>> > protocol="org.apache.coyote.http11.Http11NioProtocol"
>> maxHttpHeaderSize="8192" maxThreads="150" SSLEnabled="true"
>> acceptCount="100" scheme="https" minSpareThreads="25"
>> maxSpareThreads="75" enableLookups="false" secure="true"
>> clientAuth="false"
>
> Are you possibly missing a '>' character, here?
>
>> http://appel.nl>"
> sslProtocol="TLS"> > certificateKeystoreFile="/etc/ssl/crt/appel.nl.jks"
>> certificateKeystorePassword="password1"
>> certificateKeyAlias="appel.nl "
> certificateKeyPassword="password1"
>> /> 
>
> This looks okay to me. You do not have to specify
> certificateKeyPassword if it's the same password as
> certificateKeystorePassword. It does not hurt to repeat it, but it
> does make the configuration a little less easy to read.
>
>> http://rabbit.nl>"
> sslProtocol="TLS">
>> > certificateKeystoreFile="/etc/ssl/crt/rabbit.nl.jks"
>> certificateKeystorePassword="password2"
>> certificateKeyAlias="rabbit.nl "
> certificateKeyPassword="password2"
>> />  
>
> This looks okay to me, too.
>
>> Can somebody help me?
>
> Do you have any  elements configured?
>
>> 26-May-2020 11:22:34.602 SEVERE [main]
>> org.apache.catalina.util.LifecycleBase.handleSubClassException
>> Failed to initialize component [Connector[HTTP/1.1-443]]
>> org.apache.catalina.LifecycleException: Protocol handler
>> initialization failed
>> at org.apache.catalina.connector.Connector.initInternal(Connector.java:1013)
>> at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
>> at org.apache.catalina.core.StandardService.initInternal(StandardService.java:533)
>> at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
>> at org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:1057)
>> at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
>> at org.apache.catalina.startup.Catalina.load(Catalina.java:584)
>> at org.apache.catalina.startup.Catalina.load(Catalina.java:607)
>> at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>> at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
>> at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>> at java.base/java.lang.reflect.Method.invoke(Method.java:564)
>> at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:303)
>> at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:473)
>> Caused by: java.lang.IllegalArgumentException
>> at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:99)
>> at org.apache.tomcat.util.net.AbstractJsseEndpoint.initialiseSsl(AbstractJsseEndpoint.java:71)
>> at org.apache.tomcat.util.net.NioEndpoint.bind(NioEndpoint.java:217)
>> at org.apache.tomcat.util.net.AbstractEndpoint.bindWithCleanup(AbstractEndpoint.java:1141)
>> at org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java

Re: HELP wanted: Configure 2 domains, 2 SSL and 2 keyfiles on 1 VPS

2020-05-26 Thread Maurice Poos
On Tue, May 26, 2020 at 5:30 PM Christopher Schultz <
ch...@christopherschultz.net> wrote:

>
> Maurice,
>
> On 5/26/20 09:19, Maurice Poos wrote:
> > Hello and thank you in advance for looking into this.
> >
> > I'm a Dutch native so bear with me...
>
> Welcome to the community!
>
> > Problem: Trying to configure TOMCAT9 to handle 2 domains on the
> > same server with https and 2 different keystore files.
>
> This should definitely be possible.
>
> > Server version: Apache Tomcat/9.0.31
> >
> > There is no APACHE webserver or other webserver available.
>
> Thank you for making this clear. It helps a lot.
>
> > Single connector configuration works perfectly for that single
> > domain e.g.
> >
> >  > maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
> > enableLookups="false" disableUploadTimeout="true"
> > acceptCount="100" scheme="https" secure="true" SSLEnabled="true"
> > clientAuth="false" sslProtocol="TLS" keyAlias="rabbit.nl"
> > keystoreFile="/etc/ssl/crt/rabbit.nl.jks" keystorePass="password2"
> > />
>
> Excellent. This means that your keystore is in order and the
> certificate works, etc. You may want to use the PKCS12 keystore format
> simply because JKS is not really a standard and is being deprecated by
> Java. But it's not causing any problems right now, so let's not change
> it.
>
> > But the multi-domain connector is flawed somewhere and due to the
> > limited feedback from TOMCAT it's a real struggle to figure out
> > what is wrong
> >
> > SERVER.XML CONFIG file exert:
> >
> >  > protocol="org.apache.coyote.http11.Http11NioProtocol"
> > maxHttpHeaderSize="8192" maxThreads="150" SSLEnabled="true"
> > acceptCount="100" scheme="https" minSpareThreads="25"
> > maxSpareThreads="75" enableLookups="false" secure="true"
> > clientAuth="false"
>
> Are you possibly missing a '>' character, here?
>
> >   > certificateKeystoreFile="/etc/ssl/crt/appel.nl.jks"
> > certificateKeystorePassword="password1"
> > certificateKeyAlias="appel.nl" certificateKeyPassword="password1"
> > /> 
>
> This looks okay to me. You do not have to specify
> certificateKeyPassword if it's the same password as
> certificateKeystorePassword. It does not hurt to repeat it, but it
> does make the configuration a little less easy to read.
>
> > 
> >  > certificateKeystorePassword="password2"
> > certificateKeyAlias="rabbit.nl" certificateKeyPassword="password2"
> > />  
>
> This looks okay to me, too.
>
> > Can somebody help me?
>
> Do you have any  elements configured?
>
> > 26-May-2020 11:22:34.602 SEVERE [main]
> > org.apache.catalina.util.LifecycleBase.handleSubClassException
> > Failed to initialize component [Connector[HTTP/1.1-443]]
> > org.apache.catalina.LifecycleException: Protocol handler
> > initialization failed
> > at org.apache.catalina.connector.Connector.initInternal(Connector.java:1013)
> > at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
> > at org.apache.catalina.core.StandardService.initInternal(StandardService.java:533)
> > at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
> > at org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:1057)
> > at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
> > at org.apache.catalina.startup.Catalina.load(Catalina.java:584)
> > at org.apache.catalina.startup.Catalina.load(Catalina.java:607)
> > at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> > at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
> > at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
> > at java.base/java.lang.reflect.Method.invoke(Method.java:564)
> > at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:303)
> > at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:473)
> > Caused by: java.lang.IllegalArgumentException
> > at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:99)
> > at org.apache.tomcat.util.net.AbstractJsseEndpoint.initialiseSsl(AbstractJsseEndpoint.java:71)
> > at org.apache.tomcat.util.net.NioEndpoint.bind(NioEndpoint.java:217)
> > at org.apache.tomcat.util.net.AbstractEndpoint.bindWithCleanup(AbstractEndpoint.java:1141)
> > at org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:1154)
> > at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:581)
> > at org.apache.coyote.http11.AbstractHttp11Protocol.init(AbstractHttp11Protocol.java:74)
> > at org.apache.catalina.connector.Connector.initInternal(Connector.java:1010)
> > ... 13 more
> > Caused by: java.io.IOException
> > at org.apache.tomcat.util.net.SSLUtilBase.getKeyManagers(SSLUtilBase.java:302)
> 

Re: HELP wanted: Configure 2 domains, 2 SSL and 2 keyfiles on 1 VPS

2020-05-26 Thread Christopher Schultz

Maurice,

On 5/26/20 09:19, Maurice Poos wrote:
> Hello and thank you in advance for looking into this.
>
> I'm a Dutch native so bear with me...

Welcome to the community!

> Problem: Trying to configure TOMCAT9 to handle 2 domains on the
> same server with https and 2 different keystore files.

This should definitely be possible.

> Server version: Apache Tomcat/9.0.31
>
> There is no APACHE webserver or other webserver available.

Thank you for making this clear. It helps a lot.

> Single connector configuration works perfectly for that single
> domain e.g.
>
>  maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
> enableLookups="false" disableUploadTimeout="true"
> acceptCount="100" scheme="https" secure="true" SSLEnabled="true"
> clientAuth="false" sslProtocol="TLS" keyAlias="rabbit.nl"
> keystoreFile="/etc/ssl/crt/rabbit.nl.jks" keystorePass="password2"
> />

Excellent. This means that your keystore is in order and the
certificate works, etc. You may want to use the PKCS12 keystore format
simply because JKS is not really a standard and is being deprecated by
Java. But it's not causing any problems right now, so let's not change
it.

> But the multi-domain connector is flawed somewhere and due to the
> limited feedback from TOMCAT it's a real struggle to figure out
> what is wrong
>
> SERVER.XML CONFIG file exert:
>
>  protocol="org.apache.coyote.http11.Http11NioProtocol"
> maxHttpHeaderSize="8192" maxThreads="150" SSLEnabled="true"
> acceptCount="100" scheme="https" minSpareThreads="25"
> maxSpareThreads="75" enableLookups="false" secure="true"
> clientAuth="false"

Are you possibly missing a '>' character, here?

>   certificateKeystoreFile="/etc/ssl/crt/appel.nl.jks"
> certificateKeystorePassword="password1"
> certificateKeyAlias="appel.nl" certificateKeyPassword="password1"
> /> 

This looks okay to me. You do not have to specify
certificateKeyPassword if it's the same password as
certificateKeystorePassword. It does not hurt to repeat it, but it
does make the configuration a little less easy to read.

> 
>  certificateKeystorePassword="password2"
> certificateKeyAlias="rabbit.nl" certificateKeyPassword="password2"
> />  

This looks okay to me, too.

> Can somebody help me?

Do you have any  elements configured?

> 26-May-2020 11:22:34.602 SEVERE [main]
> org.apache.catalina.util.LifecycleBase.handleSubClassException
> Failed to initialize component [Connector[HTTP/1.1-443]]
> org.apache.catalina.LifecycleException: Protocol handler
> initialization failed
> at org.apache.catalina.connector.Connector.initInternal(Connector.java:1013)
> at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
> at org.apache.catalina.core.StandardService.initInternal(StandardService.java:533)
> at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
> at org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:1057)
> at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
> at org.apache.catalina.startup.Catalina.load(Catalina.java:584)
> at org.apache.catalina.startup.Catalina.load(Catalina.java:607)
> at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
> at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
> at java.base/java.lang.reflect.Method.invoke(Method.java:564)
> at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:303)
> at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:473)
> Caused by: java.lang.IllegalArgumentException
> at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:99)
> at org.apache.tomcat.util.net.AbstractJsseEndpoint.initialiseSsl(AbstractJsseEndpoint.java:71)
> at org.apache.tomcat.util.net.NioEndpoint.bind(NioEndpoint.java:217)
> at org.apache.tomcat.util.net.AbstractEndpoint.bindWithCleanup(AbstractEndpoint.java:1141)
> at org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:1154)
> at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:581)
> at org.apache.coyote.http11.AbstractHttp11Protocol.init(AbstractHttp11Protocol.java:74)
> at org.apache.catalina.connector.Connector.initInternal(Connector.java:1010)
> ... 13 more
> Caused by: java.io.IOException
> at org.apache.tomcat.util.net.SSLUtilBase.getKeyManagers(SSLUtilBase.java:302)
> at org.apache.tomcat.util.net.SSLUtilBase.createSSLContext(SSLUtilBase.java:247)
> at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:97)
> ... 20 more

This stack trace indicates to me that there is no keystore configured,
and also there was no certificate PEM file specified on the certificate.

Maybe your XML is broken?

- -chris
-BEGIN PGP 
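One way to catch the two mistakes Chris suspects (malformed XML, and an SSLHostConfig whose Certificate names neither a keystore nor a PEM file) before Tomcat reduces them to a bare IllegalArgumentException/IOException. This is an added example written for this thread, not code from Tomcat or from any poster; the hostnames, keystore paths and passwords in the embedded server.xml samples are constructed placeholders, and the checks encode the rules from the Tomcat 9 SSLHostConfig/Certificate documentation (a default host must exist when several SSLHostConfig elements are present; a Certificate needs certificateKeystoreFile or certificateFile; several Certificates under one host need an explicit type).

```python
"""Static sanity check for the TLS part of a Tomcat 9 server.xml (added example)."""
import xml.etree.ElementTree as ET

# Constructed sample: the two-host layout from the thread with placeholder
# hostnames, keystore paths and passwords (not the poster's real values).
GOOD_SERVER_XML = """\
<Server>
  <Service name="Catalina">
    <Connector port="443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               SSLEnabled="true" scheme="https" secure="true"
               defaultSSLHostConfigName="appel.example">
      <SSLHostConfig hostName="appel.example">
        <Certificate certificateKeystoreFile="/etc/ssl/crt/appel.example.p12"
                     certificateKeystorePassword="CHANGEME1"
                     certificateKeyAlias="appel.example" type="RSA"/>
      </SSLHostConfig>
      <SSLHostConfig hostName="rabbit.example">
        <Certificate certificateKeystoreFile="/etc/ssl/crt/rabbit.example.p12"
                     certificateKeystorePassword="CHANGEME2"
                     certificateKeyAlias="rabbit.example" type="RSA"/>
      </SSLHostConfig>
    </Connector>
  </Service>
</Server>
"""

# Constructed sample of the defect suspected in the thread: the Connector
# start tag is never closed with '>' before the first SSLHostConfig.
BROKEN_SERVER_XML = """\
<Server>
  <Service name="Catalina">
    <Connector port="443" SSLEnabled="true" scheme="https" secure="true"
      <SSLHostConfig hostName="appel.example">
        <Certificate certificateKeystoreFile="/etc/ssl/crt/appel.example.p12"
                     certificateKeystorePassword="CHANGEME1"/>
      </SSLHostConfig>
    </Connector>
  </Service>
</Server>
"""

# Constructed sample that is well-formed but has one host without any key
# material and no default host: the shape that dies in getKeyManagers().
NO_KEYSTORE_SERVER_XML = """\
<Server>
  <Service name="Catalina">
    <Connector port="443" SSLEnabled="true" scheme="https" secure="true">
      <SSLHostConfig hostName="appel.example">
        <Certificate certificateKeyAlias="appel.example"/>
      </SSLHostConfig>
      <SSLHostConfig hostName="rabbit.example">
        <Certificate certificateKeystoreFile="/etc/ssl/crt/rabbit.example.p12"
                     certificateKeystorePassword="CHANGEME2"/>
      </SSLHostConfig>
    </Connector>
  </Service>
</Server>
"""

DEFAULT_HOST_NAME = "_default_"  # Tomcat's default for defaultSSLHostConfigName


def check_tls_config(xml_text: str) -> list:
    """Return a list of findings; an empty list means nothing looked wrong."""
    findings = []
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        # Tomcat reports this only indirectly, as the IllegalArgumentException
        # seen in the thread, so say exactly where the parser gave up.
        return [f"server.xml is not well-formed XML: {exc}"]

    for connector in root.iter("Connector"):
        if connector.get("SSLEnabled", "false").lower() != "true":
            continue
        port = connector.get("port", "?")
        host_configs = connector.findall("SSLHostConfig")
        default_name = connector.get("defaultSSLHostConfigName", DEFAULT_HOST_NAME)
        names = [h.get("hostName", DEFAULT_HOST_NAME) for h in host_configs]

        # Two or more SSLHostConfig elements need one of them to be the default,
        # either named _default_ or selected via defaultSSLHostConfigName.
        if len(host_configs) >= 2 and default_name not in names:
            findings.append(f"port {port}: no SSLHostConfig matches the default "
                            f"host name '{default_name}'")
        if len(set(names)) != len(names):
            findings.append(f"port {port}: duplicate SSLHostConfig hostName values")

        for host in host_configs:
            name = host.get("hostName", DEFAULT_HOST_NAME)
            certs = host.findall("Certificate")
            if not certs:
                findings.append(f"port {port}/{name}: SSLHostConfig has no Certificate")
            for cert in certs:
                # certificateKeyFile defaults to certificateFile, so a PEM setup
                # only strictly needs certificateFile.
                has_keystore = cert.get("certificateKeystoreFile") is not None
                has_pem = cert.get("certificateFile") is not None
                if not (has_keystore or has_pem):
                    findings.append(f"port {port}/{name}: Certificate names neither a "
                                    "keystore nor a PEM certificate file")
            # Several certificates for one host (e.g. RSA plus EC) must each
            # declare their type so Tomcat can tell them apart.
            if len(certs) > 1 and any(c.get("type") is None for c in certs):
                findings.append(f"port {port}/{name}: multiple Certificate elements "
                                "without an explicit type attribute")
    return findings


if __name__ == "__main__":
    for label, text in (("good", GOOD_SERVER_XML), ("broken", BROKEN_SERVER_XML),
                        ("no-keystore", NO_KEYSTORE_SERVER_XML)):
        print(label, check_tls_config(text) or "OK")
```

Run it against a real server.xml by reading the file into `check_tls_config`; the good sample passes cleanly, the missing-`>` sample stops at the parser with the line and column of the bad token, and the third sample reports both the host with no key material and the absent default SSLHostConfig, which are the two conditions the stack trace in the thread does not name.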

HELP wanted: Configure 2 domains, 2 SSL and 2 keyfiles on 1 VPS

2020-05-26 Thread Maurice Poos
Hello and thank you in advance for looking into this.

I'm a Dutch native so bear with me...

Problem:
Trying to configure TOMCAT9 to handle 2 domains on the same server with
https and 2 different keystore files.
There is no APACHE webserver or other webserver available.

Single connector configuration works perfectly for that single domain e.g.

 


But the multi-domain connector is flawed somewhere and due to the limited
feedback from TOMCAT it's a real struggle to figure out what is wrong

SERVER.XML CONFIG file excerpt:










Can somebody help me?


Thank you,

Maurice Poos

_
TOMCAT VERSION
Server version: Apache Tomcat/9.0.31
Server built:   Feb 5 2020 19:32:12 UTC
Server number:  9.0.31.0

LINUX
"Ubuntu 18.04.4 LTS"

Architecture:
amd64

JVM Version:14.0.1+7
JVM Vendor: Oracle Corporation
__
KEY CSR creation

KEY
/usr/bin/keytool -genkey -keysize 2048 -alias rabbit.nl -keyalg RSA
-keystore rabbit.nl.jks

CSR
/usr/bin/keytool -certreq -keyalg RSA -alias rabbit.nl -file rabbit.nl.csr
-keystore rabbit.nl.jks
___

ERROR LOG CATALINA.OUT

26-May-2020 11:22:34.602 SEVERE [main]
org.apache.catalina.util.LifecycleBase.handleSubClassException Failed to
initialize component [Connector[HTTP/1.1-443]]
org.apache.catalina.LifecycleException: Protocol handler initialization
failed
at org.apache.catalina.connector.Connector.initInternal(Connector.java:1013)
at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
at org.apache.catalina.core.StandardService.initInternal(StandardService.java:533)
at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
at org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:1057)
at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
at org.apache.catalina.startup.Catalina.load(Catalina.java:584)
at org.apache.catalina.startup.Catalina.load(Catalina.java:607)
at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.base/java.lang.reflect.Method.invoke(Method.java:564)
at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:303)
at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:473)
Caused by: java.lang.IllegalArgumentException
at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:99)
at org.apache.tomcat.util.net.AbstractJsseEndpoint.initialiseSsl(AbstractJsseEndpoint.java:71)
at org.apache.tomcat.util.net.NioEndpoint.bind(NioEndpoint.java:217)
at org.apache.tomcat.util.net.AbstractEndpoint.bindWithCleanup(AbstractEndpoint.java:1141)
at org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:1154)
at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:581)
at org.apache.coyote.http11.AbstractHttp11Protocol.init(AbstractHttp11Protocol.java:74)
at org.apache.catalina.connector.Connector.initInternal(Connector.java:1010)
... 13 more
Caused by: java.io.IOException
at org.apache.tomcat.util.net.SSLUtilBase.getKeyManagers(SSLUtilBase.java:302)
at org.apache.tomcat.util.net.SSLUtilBase.createSSLContext(SSLUtilBase.java:247)
at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:97)
... 20 more