Maurice,

On 5/26/20 09:19, Maurice Poos wrote:
> Hello and thank you in advance for looking into this.
>
> I'm a Dutch native so bear with me...

Welcome to the community!

> Problem: Trying to configure TOMCAT9 to handle 2 domains on the
> same server with https and 2 different keystore files.

This should definitely be possible.

> Server version: Apache Tomcat/9.0.31
>
> There is no APACHE webserver or other webserver available.

Thank you for making this clear. It helps a lot.

> Single connector configuration works perfectly for that single
> domain e.g.
>
> <Connector port="443" address="rabbit.nl" maxHttpHeaderSize="8192"
>            maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
>            enableLookups="false" disableUploadTimeout="true"
>            acceptCount="100" scheme="https" secure="true" SSLEnabled="true"
>            clientAuth="false" sslProtocol="TLS" keyAlias="rabbit.nl"
>            keystoreFile="/etc/ssl/crt/rabbit.nl.jks" keystorePass="password2"
> />

Excellent. This means that your keystore is in order and the certificate
works, etc. You may want to use the PKCS12 keystore format simply because
JKS is not really a standard and is being deprecated by Java. But it's
not causing any problems right now, so let's not change it.

> But the multi-domain connector is flawed somewhere and due to the
> limited feedback from TOMCAT it's a real struggle to figure out
> what is wrong.
>
> SERVER.XML CONFIG file excerpt:
>
> <Connector port="443"
>            protocol="org.apache.coyote.http11.Http11NioProtocol"
>            maxHttpHeaderSize="8192" maxThreads="150" SSLEnabled="true"
>            acceptCount="100" scheme="https" minSpareThreads="25"
>            maxSpareThreads="75" enableLookups="false" secure="true"
>            clientAuth="false"

Are you possibly missing a '>' character, here?

>   <SSLHostConfig hostName="appel.nl" sslProtocol="TLS">
>     <Certificate certificateKeystoreFile="/etc/ssl/crt/appel.nl.jks"
>                  certificateKeystorePassword="password1"
>                  certificateKeyAlias="appel.nl" certificateKeyPassword="password1"
>     />
>   </SSLHostConfig>

This looks okay to me. You do not have to specify certificateKeyPassword
if it's the same password as certificateKeystorePassword. It does not
hurt to repeat it, but it does make the configuration a little less easy
to read.

>   <SSLHostConfig hostName="rabbit.nl" sslProtocol="TLS">
>     <Certificate certificateKeystoreFile="/etc/ssl/crt/rabbit.nl.jks"
>                  certificateKeystorePassword="password2"
>                  certificateKeyAlias="rabbit.nl" certificateKeyPassword="password2"
>     />
>   </SSLHostConfig>
> </Connector>

This looks okay to me, too.

> Can somebody help me?

Do you have any <Host> elements configured?

> 26-May-2020 11:22:34.602 SEVERE [main]
> org.apache.catalina.util.LifecycleBase.handleSubClassException
> Failed to initialize component [Connector[HTTP/1.1-443]]
> org.apache.catalina.LifecycleException: Protocol handler
> initialization failed
>   at org.apache.catalina.connector.Connector.initInternal(Connector.java:1013)
>   at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
>   at org.apache.catalina.core.StandardService.initInternal(StandardService.java:533)
>   at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
>   at org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:1057)
>   at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
>   at org.apache.catalina.startup.Catalina.load(Catalina.java:584)
>   at org.apache.catalina.startup.Catalina.load(Catalina.java:607)
>   at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>   at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
>   at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>   at java.base/java.lang.reflect.Method.invoke(Method.java:564)
>   at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:303)
>   at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:473)
> Caused by: java.lang.IllegalArgumentException
>   at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:99)
>   at org.apache.tomcat.util.net.AbstractJsseEndpoint.initialiseSsl(AbstractJsseEndpoint.java:71)
>   at org.apache.tomcat.util.net.NioEndpoint.bind(NioEndpoint.java:217)
>   at org.apache.tomcat.util.net.AbstractEndpoint.bindWithCleanup(AbstractEndpoint.java:1141)
>   at org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:1154)
>   at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:581)
>   at org.apache.coyote.http11.AbstractHttp11Protocol.init(AbstractHttp11Protocol.java:74)
>   at org.apache.catalina.connector.Connector.initInternal(Connector.java:1010)
>   ... 13 more
> Caused by: java.io.IOException
>   at org.apache.tomcat.util.net.SSLUtilBase.getKeyManagers(SSLUtilBase.java:302)
>   at org.apache.tomcat.util.net.SSLUtilBase.createSSLContext(SSLUtilBase.java:247)
>   at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:97)
>   ... 20 more

This stack trace indicates to me that there is no keystore configured,
and also there was no certificate PEM file specified on the certificate.
Maybe your XML is broken?

- -chris
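An added pre-flight check for a multi-host connector, not part of this thread and not Tomcat's own code: it parses one <Connector> element with a strict XML parser, so the missing '>' surfaces as a well-formedness error rather than a bare IllegalArgumentException; for a well-formed connector it lists the SSLHostConfig host names, flags a Certificate with neither a keystore nor a PEM certificateFile, flags a certificateKeyPassword that merely repeats certificateKeystorePassword, and checks that defaultSSLHostConfigName (Tomcat's default is _default_) names one of the configured hostName values, which Tomcat 9 requires. The connector text below is a constructed, trimmed copy of the one posted above.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the posted multi-domain connector, trimmed, with the
# missing '>' after clientAuth="false" left exactly as posted.
BROKEN = """<Connector port="443" protocol="org.apache.coyote.http11.Http11NioProtocol"
    SSLEnabled="true" scheme="https" secure="true" clientAuth="false"
  <SSLHostConfig hostName="appel.nl" sslProtocol="TLS">
    <Certificate certificateKeystoreFile="/etc/ssl/crt/appel.nl.jks"
      certificateKeystorePassword="password1" certificateKeyAlias="appel.nl"
      certificateKeyPassword="password1" />
  </SSLHostConfig>
  <SSLHostConfig hostName="rabbit.nl" sslProtocol="TLS">
    <Certificate certificateKeystoreFile="/etc/ssl/crt/rabbit.nl.jks"
      certificateKeystorePassword="password2" certificateKeyAlias="rabbit.nl"
      certificateKeyPassword="password2" />
  </SSLHostConfig>
</Connector>"""

# The same connector with the '>' restored on the opening tag.
FIXED = BROKEN.replace('clientAuth="false"\n', 'clientAuth="false">\n')


def check_connector(xml_text):
    """Return (host_names, findings) for one <Connector> element.
    A parse error is itself the finding: Tomcat cannot use the config at all."""
    try:
        conn = ET.fromstring(xml_text)
    except ET.ParseError as e:
        line, col = e.position
        return [], [f"not well-formed XML at line {line}, column {col}: {e}"]
    findings = []
    if conn.get("SSLEnabled", "false").lower() != "true":
        findings.append("SSLEnabled is not true")
    host_names = []
    for shc in conn.findall("SSLHostConfig"):
        name = shc.get("hostName", "_default_")  # Tomcat's default hostName
        host_names.append(name)
        for cert in shc.findall("Certificate"):
            if not cert.get("certificateKeystoreFile") and not cert.get("certificateFile"):
                findings.append(f"{name}: no keystore and no PEM certificate configured")
            key_pw = cert.get("certificateKeyPassword")
            if key_pw is not None and key_pw == cert.get("certificateKeystorePassword"):
                findings.append(f"{name}: certificateKeyPassword repeats certificateKeystorePassword")
    default = conn.get("defaultSSLHostConfigName", "_default_")
    if host_names and default not in host_names:
        findings.append(f"defaultSSLHostConfigName [{default}] matches no SSLHostConfig hostName")
    return host_names, findings
```

Run it on the real server.xml by extracting the <Connector> element first; the default-host finding is the one the posted configuration would still hit once the '>' is fixed.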