On 21/01/2022 09:29, Jaebo Nah wrote:
> Dear all,
>
> I want to use Tomcat apache-tomcat-10.0.14 with HTTPS.
> The Linux server has multiple IP addresses with different domain names:
>
> 10.100.142.30 = one.domain.loc
> 10.100.142.31 = two.domain.loc
> 10.100.142.32 = three.domain.loc
>
> When I try to connect to Tomcat with https://two.domain.loc:8443
> I get the following error:
>
> NET::ERR_CERT_COMMON_NAME_INVALID
> This server could not prove that it is two.domain.loc. Its security
> certificate is from three.domain.loc. Possible reasons are a
> misconfiguration or an attacker intercepting your connection.
>
> The connection to one.domain.loc is similar to two.domain.loc.
> Only the connection to three.domain.loc is working.
>
> Thx for your answer

What do the logs show for this connector when Tomcat starts?

> server.xml
> <Connector
>     address=" two.domain.loc"

That looks wrong. address should be an IP address. I suspect this is
being ignored and the connector is listening on all IP addresses. If
that is what you want, just remove this setting.

>     port="8443"
>     protocol="org.apache.coyote.http11.Http11Nio2Protocol"
>     maxThreads="150"
>     scheme="https"
>     enableLookups="false"
>     SSLEnabled="true" defaultSSLHostConfigName="10.100.142.32" >

You want to use host names here, not IP addresses.

>   <UpgradeProtocol
>       className="org.apache.coyote.http2.Http2Protocol" />
>   <SSLHostConfig hostName="10.100.142.32"

Same here. Host name, not IP address.

>       protocols="TLSv1.2,+TLSv1.1,+TLSv1">
>     <Certificate
>         certificateKeystoreFile="/apps/vr_apps/keystore/jlib.jks.2020.11"
>         certificateKeystorePassword="changeit"
>         type="RSA" />
>   </SSLHostConfig>

You have only configured one SSLHost so all requests will go to that
host and use that certificate.

You need 2 more HostConfig sections. 5 more if you want Tomcat to
respond to requests that use hostnames and requests that use IP addresses.

> </Connector>

If you want Tomcat to respond to requests that use hostnames and
requests that use IP addresses you'd be better off with 3 Connectors
each with address set for the IP and an SSLHostConfig section that
configures the appropriate certificate.

If you wanted to share a thread pool across those connectors then you
could use an Executor.

Mark