On 21/01/2022 09:29, Jaebo Nah wrote:
Dear all,

I want to use Tomcat apache-tomcat-10.0.14 with HTTPS.

The Linux server has multiple IP addresses with different domain names:

10.100.142.30  =   one.domain.loc

10.100.142.31  =   two.domain.loc

10.100.142.32  =   three.domain.loc

When I try to connect to Tomcat with https://two.domain.loc:8443

I get the following error:

NET::ERR_CERT_COMMON_NAME_INVALID

This server could not prove that it is two.domain.loc. Its security certificate is from three.domain.loc. Possible reasons are a misconfiguration or an attacker intercepting your connection.

The connection to one.domain.loc is similar to two.domain.loc.

Only the connection to three.domain.loc is working.

Thx for your answer

What do the logs show for this connector when Tomcat starts?

server.xml

<Connector

       address=" two.domain.loc"

That looks wrong. address should be an IP address. I suspect this is being ignored and the connector is listening on all IP addresses. If that is what you want, just remove this setting.


       port="8443"

       protocol="org.apache.coyote.http11.Http11Nio2Protocol"

       maxThreads="150"

       scheme="https"

          enableLookups="false"

       SSLEnabled="true" defaultSSLHostConfigName="10.100.142.32" >

You want to use host names here, not IP addresses.

         <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />

          <SSLHostConfig hostName="10.100.142.32"

Same here. Host name, not IP address.

protocols="TLSv1.2,+TLSv1.1,+TLSv1">

         <Certificate

           certificateKeystoreFile="/apps/vr_apps/keystore/jlib.jks.2020.11"

           certificateKeystorePassword="changeit"

           type="RSA" />

       </SSLHostConfig>

You have only configured one SSLHost so all requests will go to that host and use that certificate.

You need 2 more HostConfig sections. 5 more if you want Tomcat to respond to requests that use hostnames and requests that use IP addresses.



     </Connector>

If you want Tomcat to respond to requests that use hostnames and requests that use IP addresses you'd be better off with 3 Connectors each with address set for the IP and an SSLHostConfig section that configures the appropriate certificate.

If you wanted to share a thread pool across those connectors then you could use an Executor.

Mark
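
The single-connector fix described in the reply above, as an added example that is not part of the original message: one SSLHostConfig per host name, selected by the SNI name the client sends. The keystore paths for one.domain.loc and two.domain.loc and the password value are placeholders, and limiting protocols to TLSv1.2 is an assumption of this example.

```xml
<!-- Added example, not from the original thread. One connector listening on
     all addresses (no address attribute); Tomcat selects the SSLHostConfig
     whose hostName matches the SNI name sent by the client. -->
<Connector port="8443"
           protocol="org.apache.coyote.http11.Http11Nio2Protocol"
           maxThreads="150"
           scheme="https"
           SSLEnabled="true"
           defaultSSLHostConfigName="three.domain.loc">
  <!-- defaultSSLHostConfigName must equal one hostName below. That host's
       certificate is served when the client sends no SNI name or an
       unknown one, for example when the URL uses a bare IP address. -->
  <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />

  <!-- Assumption: TLSv1.2 only; the TLSv1.1 and TLSv1 entries from the
       posted configuration are left out here. -->
  <SSLHostConfig hostName="one.domain.loc" protocols="TLSv1.2">
    <!-- Placeholder path and password: keystore with the one.domain.loc
         certificate. -->
    <Certificate certificateKeystoreFile="/path/to/one.domain.loc.jks"
                 certificateKeystorePassword="KEYSTORE_PASSWORD_PLACEHOLDER"
                 type="RSA" />
  </SSLHostConfig>

  <SSLHostConfig hostName="two.domain.loc" protocols="TLSv1.2">
    <!-- Placeholder path and password: keystore with the two.domain.loc
         certificate. -->
    <Certificate certificateKeystoreFile="/path/to/two.domain.loc.jks"
                 certificateKeystorePassword="KEYSTORE_PASSWORD_PLACEHOLDER"
                 type="RSA" />
  </SSLHostConfig>

  <SSLHostConfig hostName="three.domain.loc" protocols="TLSv1.2">
    <!-- Keystore path from the posted configuration; it already holds the
         three.domain.loc certificate. -->
    <Certificate certificateKeystoreFile="/apps/vr_apps/keystore/jlib.jks.2020.11"
                 certificateKeystorePassword="KEYSTORE_PASSWORD_PLACEHOLDER"
                 type="RSA" />
  </SSLHostConfig>
</Connector>
```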
