Maurice,

On 5/26/20 15:02, Maurice Poos wrote:
>
> On Tue, May 26, 2020 at 5:30 PM Christopher Schultz
> <ch...@christopherschultz.net> wrote:
>
> Maurice,
>
> On 5/26/20 09:19, Maurice Poos wrote:
>> Hello and thank you in advance for looking into this.
>
>> I'm a Dutch native so bear with me...
>
> Welcome to the community!
>
>> Problem: Trying to configure TOMCAT9 to handle 2 domains on the
>> same server with https and 2 different keystore files.
>
> This should definitely be possible.
>
>> Server version: Apache Tomcat/9.0.31
>
>> There is no APACHE webserver or other webserver available.
>
> Thank you for making this clear. It helps a lot.
>
>> Single connector configuration works perfectly for that single
>> domain e.g.
>
>> <Connector port="443" address="rabbit.nl" maxHttpHeaderSize="8192"
>>   maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
>>   enableLookups="false" disableUploadTimeout="true"
>>   acceptCount="100" scheme="https" secure="true" SSLEnabled="true"
>>   clientAuth="false" sslProtocol="TLS" keyAlias="rabbit.nl"
>>   keystoreFile="/etc/ssl/crt/rabbit.nl.jks"
>>   keystorePass="password2" />
>
> Excellent. This means that your keystore is in order and the
> certificate works, etc. You may want to use the PKCS12 keystore
> format simply because JKS is not really a standard and is being
> deprecated by Java. But it's not causing any problems right now, so
> let's not change it.
>
>> But the multi-domain connector is flawed somewhere and due to
>> the limited feedback from TOMCAT it's a real struggle to figure
>> out what is wrong
>
>> SERVER.XML CONFIG file excerpt:
>
>> <Connector port="443"
>> protocol="org.apache.coyote.http11.Http11NioProtocol"
>> maxHttpHeaderSize="8192" maxThreads="150" SSLEnabled="true"
>> acceptCount="100" scheme="https" minSpareThreads="25"
>> maxSpareThreads="75" enableLookups="false" secure="true"
>> clientAuth="false"
>
> Are you possibly missing a '>' character, here?
>
>> <SSLHostConfig hostName="appel.nl" sslProtocol="TLS">
>>   <Certificate certificateKeystoreFile="/etc/ssl/crt/appel.nl.jks"
>>     certificateKeystorePassword="password1"
>>     certificateKeyAlias="appel.nl"
>>     certificateKeyPassword="password1" />
>> </SSLHostConfig>
>
> This looks okay to me. You do not have to specify
> certificateKeyPassword if it's the same password as
> certificateKeystorePassword. It does not hurt to repeat it, but it
> does make the configuration a little less easy to read.
>
>> <SSLHostConfig hostName="rabbit.nl" sslProtocol="TLS">
>>   <Certificate certificateKeystoreFile="/etc/ssl/crt/rabbit.nl.jks"
>>     certificateKeystorePassword="password2"
>>     certificateKeyAlias="rabbit.nl"
>>     certificateKeyPassword="password2" />
>> </SSLHostConfig>
>> </Connector>
>
> This looks okay to me, too.
>
>> Can somebody help me?
>
> Do you have any <Host> elements configured?
>
>> 26-May-2020 11:22:34.602 SEVERE [main] org.apache.catalina.util.LifecycleBase.handleSubClassException Failed to initialize component [Connector[HTTP/1.1-443]]
>> org.apache.catalina.LifecycleException: Protocol handler initialization failed
>>   at org.apache.catalina.connector.Connector.initInternal(Connector.java:1013)
>>   at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
>>   at org.apache.catalina.core.StandardService.initInternal(StandardService.java:533)
>>   at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
>>   at org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:1057)
>>   at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
>>   at org.apache.catalina.startup.Catalina.load(Catalina.java:584)
>>   at org.apache.catalina.startup.Catalina.load(Catalina.java:607)
>>   at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>>   at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
>>   at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>>   at java.base/java.lang.reflect.Method.invoke(Method.java:564)
>>   at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:303)
>>   at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:473)
>> Caused by: java.lang.IllegalArgumentException
>>   at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:99)
>>   at org.apache.tomcat.util.net.AbstractJsseEndpoint.initialiseSsl(AbstractJsseEndpoint.java:71)
>>   at org.apache.tomcat.util.net.NioEndpoint.bind(NioEndpoint.java:217)
>>   at org.apache.tomcat.util.net.AbstractEndpoint.bindWithCleanup(AbstractEndpoint.java:1141)
>>   at org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:1154)
>>   at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:581)
>>   at org.apache.coyote.http11.AbstractHttp11Protocol.init(AbstractHttp11Protocol.java:74)
>>   at org.apache.catalina.connector.Connector.initInternal(Connector.java:1010)
>>   ... 13 more
>> Caused by: java.io.IOException
>>   at org.apache.tomcat.util.net.SSLUtilBase.getKeyManagers(SSLUtilBase.java:302)
>>   at org.apache.tomcat.util.net.SSLUtilBase.createSSLContext(SSLUtilBase.java:247)
>>   at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:97)
>>   ... 20 more
>
> This stack trace indicates to me that there is no keystore
> configured, and also there was no certificate PEM file specified on
> the certificate.
>
> Maybe your XML is broken?
>
> -chris
>
>
> Hi Chris
>
> Thank you for accepting me and looking into this.
>
> Not sure about how to format these mails, but I'm gonna copy and
> paste your questions/remarks and answer them below (guidelines
> tomcat apache #6).
>
>> <Connector port="443"
>> protocol="org.apache.coyote.http11.Http11NioProtocol"
>> maxHttpHeaderSize="8192" maxThreads="150" SSLEnabled="true"
>> acceptCount="100" scheme="https" minSpareThreads="25"
>> maxSpareThreads="75" enableLookups="false" secure="true"
>> clientAuth="false"
>
> Q: Are you possibly missing a '>' character, here?
> A: If it's to close the Connector tag, from the example in server.xml
> I'd understood that the SSLHostConfig tag has to be inside a Connector
> tag and therefore the closing </Connector> is after the closing
> </SSLHostConfig>.

Yes. Your initial post does not have the closing > for the <Connector>;
it was like this:

  <Connector [attributes]
    <SSLHostConfig>
      <Certificate />
      <Certificate />
    </SSLHostConfig>
  </Connector>

> Default server.xml example:
>
> <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
>            maxThreads="150" SSLEnabled="true">
>     <SSLHostConfig>
>         <Certificate certificateKeystoreFile="conf/localhost-rsa.jks"
>                      type="RSA" />
>     </SSLHostConfig>
> </Connector>
>
>
> Q: Do you have any <Host> elements configured?
>
> A: Yes I do:
>
> <Host name="www.rabbit.nl" debug="0" appBase="/var/www/www.rabbit.nl"
>       unpackWARs="false" autoDeploy="true">
>   <Alias>rabbit.nl</Alias>
>   <Context path="/myapp" docBase="/var/www/www.rabbit.nl/webapp/myapp.war"
>            debug="0" privileged="true" reloadable="true" crossContext="true">
>     <Resource name="bean/ConfigBeanFactory" auth="Container"
>               type="nl.bowtie.reservation.util.ConfigBean"
>               factory="org.apache.naming.factory.BeanFactory"
>               configFilename="/var/www/www.rabbit.nl/config/reservation.properties"/>
>   </Context>
>   <Context path="/" docBase="/var/www/www.rabbit.nl/html" debug="0"
>            privileged="true" reloadable="true" crossContext="true"/>
> </Host>
> <Host name="www.appel.nl" debug="0" appBase="/var/www/www.appel.nl"
>       unpackWARs="false" autoDeploy="true">
>   <Alias>appel.nl</Alias>
>   <Context path="/" docBase="/var/www/www.appel.nl/html" debug="0"
>            privileged="true" reloadable="true" crossContext="true"/>
> </Host>

This is good to know. I don't think you *must* have a 1-to-1
relationship between <Host> and <Certificate>, but I wanted to make
sure that things were in agreement.

> Q: This stack trace indicates to me that there is no keystore
> configured, and also there was no certificate PEM file specified on
> the certificate.
> A: I did not realize, with all the other things available, that a PEM
> file was mandatory, since everything is imported in the jks file:
>
> /usr/bin/keytool -import -trustcacerts -alias root -file USERTrust_RSA_Certification_Authority.crt -keystore rabbit.nl.jks
> /usr/bin/keytool -import -trustcacerts -alias inter -file Sectigo_RSA_Domain_Validation_Secure_Server_CA.crt -keystore rabbit.nl.jks
> /usr/bin/keytool -import -trustcacerts -alias rabbit.nl -file preview_uitgaan24_nl.crt -keystore rabbit.nl.jks

The PEM file is not required. For JSSE (which is the default: you are
not using the APR connector), you can use the JKS keystore and you
don't need anything else.

> Q: Maybe your XML is broken?
> A: I checked the XML file against several online XML validators; no
> errors were found.

Okay, good.

What is your JVM language? I'm guessing it's Dutch (or maybe Flemish?
French?). Tomcat doesn't have a translation for error messages and
such, so your messages are not terribly helpful (e.g. IOException with
no detail).

If you run your JVM with -Duser.language=en (or =de or =fr) you will
get English (or German or French) detail messages which may be helpful
to you.

I'm sorry; everything looks good to me so far. Do you now have a
single <Connector> in your server.xml?

-chris
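As an added illustration of the three things checked in this thread (a <Connector> missing its closing '>', a keystore path the bare IOException from SSLUtilBase.getKeyManagers cannot tell you about, and whether the <SSLHostConfig> hostNames line up with the <Host> names and aliases), here is a small checker; it is not from the thread or from Tomcat, and the server.xml it parses is a constructed sample with placeholder paths and passwords. The file_exists parameter exists so the check can run against paths that are not on the local disk.

```python
import os
import xml.etree.ElementTree as ET

# Constructed sample modelled on the thread's two-domain setup; paths, passwords and the .p12 are placeholders.
SERVER_XML = """<Server><Service name="Catalina">
  <Connector port="443" protocol="org.apache.coyote.http11.Http11NioProtocol"
             SSLEnabled="true" scheme="https" secure="true">
    <SSLHostConfig hostName="appel.nl">
      <Certificate certificateKeystoreFile="/etc/ssl/crt/appel.nl.jks"
                   certificateKeystorePassword="password1" certificateKeyAlias="appel.nl"/>
    </SSLHostConfig>
    <SSLHostConfig hostName="rabbit.nl">
      <Certificate certificateKeystoreFile="/etc/ssl/crt/rabbit.nl.p12"
                   certificateKeystorePassword="password2" certificateKeyAlias="rabbit.nl"/>
    </SSLHostConfig>
  </Connector>
  <Engine name="Catalina" defaultHost="www.rabbit.nl">
    <Host name="www.rabbit.nl"><Alias>rabbit.nl</Alias></Host>
    <Host name="www.appel.nl"><Alias>appel.nl</Alias></Host></Engine>
</Service></Server>"""

def is_well_formed(xml_text):
    """False when the XML does not parse, e.g. a <Connector> missing its closing '>'."""
    try:
        ET.fromstring(xml_text)
        return True
    except ET.ParseError:
        return False

def check_ssl_host_configs(xml_text, file_exists=os.path.exists):
    """Return (hostName, problem) tuples: keystore file missing, hostName with no matching
    <Host>/<Alias> (a consistency hint, not a Tomcat requirement), or a JKS file (PKCS12 advised)."""
    root = ET.fromstring(xml_text)
    hosts = set()
    for host in root.iter("Host"):
        hosts.add(host.get("name"))
        hosts.update(alias.text for alias in host.findall("Alias"))
    problems = []
    for shc in root.iter("SSLHostConfig"):
        name = shc.get("hostName", "_default_")
        if name != "_default_" and name not in hosts:
            problems.append((name, "no <Host> name or <Alias> matches hostName"))
        for cert in shc.findall("Certificate"):
            ks = cert.get("certificateKeystoreFile", "")
            if not file_exists(ks):
                problems.append((name, "keystore not found: " + ks))
            elif ks.endswith(".jks"):
                problems.append((name, "JKS keystore, consider PKCS12: " + ks))
    return problems
```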
