httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Akshay Sulakhe <kernelfr...@gmail.com>
Subject [users@httpd] LetsEncrypt not working with multiple domains managed by Apache web server running on Apache Tomcat.
Date Fri, 13 May 2016 09:12:30 GMT

Hello friends,

To start of with, my apologies for sending the mail to two lists, but
as the problem involves around both Tomcat and Apache, I am sending
this email on both lists.

Situation : I have a Debian X64 server running Apache Web-server which
is running a CMS on its own and also redirecting requests to Tomcat
based upon the URL. I have a single Tomcat, which hosts 3 webapps for 3
different domains. In Apache web-server I have set the ServerName and
ServerAlias, which will then redirect the request to Apache Tomcat, and
the proper webapp will be called.

Now, this all works when we are dealing only with HTTP, situation with
HTTPS is completely different though. WHenever I install SSL
certificate for one domain, redirect based on domain-name and port 443,
then I get a redirection error or I am simply redirected to the hosted
CMS. Other domains which are not on https keep working.

This setup works very nicely with port-80 or http, but with HTTPs it's
completely useless. What changes do I need to make such a setup work.
Thank you.

 Apache config :

workers.properties :

>  worker.list = worker_app1
> worker.worker_app1.type = lb
> worker.worker_app1.balance_workers = app1_instance1
> worker.worker_app1.sticky_session = true
> worker.worker_app1.sticky_session_force = false
> worker.worker_app1.method = busyness
> 
> worker.app1_instance1.type = ajp13
> worker.app1_instance1.host = 127.0.0.1
> worker.app1_instance1.port = 8010
> worker.app1_instance1.host = localhost
> worker.app1_instance1.lbfactor = 1
> worker.app1_instance1.socket_timeout = 40
> worker.app1_instance1.socket_keepalive = true
> worker.app1_instance1.reply_timeout = 30000
> 

000-default below :

> 
> Listen 443
> <VirtualHost *:80>
>         ServerAdmin webmaster@localhost
>         ServerName www.webserver-domain.com
>         ServerAlias webserver-domain.com
>         DocumentRoot /var/www
>         <Directory />
>                 Options FollowSymLinks
>                 AllowOverride None
>         </Directory>
>         <Directory /var/www/>
>                 Options Indexes FollowSymLinks MultiViews
>                 AllowOverride All
>                  Order allow,deny
>                 allow from all
>         </Directory>
> 
>         ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
>         <Directory "/usr/lib/cgi-bin">
>                 AllowOverride None
>                 Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
>                 Order allow,deny
>                 Allow from all
>         </Directory>
> 
>         ErrorLog ${APACHE_LOG_DIR}/error.log
> 
>         # Possible values include: debug, info, notice, warn, error,
> crit,
>         # alert, emerg.
>         LogLevel warn
>         ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
>         <Directory "/usr/lib/cgi-bin">
>                 AllowOverride None
>                 Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
>                 Order allow,deny
>                 Allow from all
>         </Directory>
> 
>         ErrorLog ${APACHE_LOG_DIR}/error.log
> 
>         # Possible values include: debug, info, notice, warn, error,
> crit,
>         # alert, emerg.
>         LogLevel warn
> 
>         CustomLog ${APACHE_LOG_DIR}/access.log combined
> </VirtualHost>
> 
> <VirtualHost *:80>
> ServerName www.tomcat-domain1.de
> ServerAlias tomcat-domain1.de
> ProxyRequests off
> ProxyPreserveHost On
> <Proxy *>
> Order deny,allow
> Allow from all
> </Proxy>
> #ErrorDocument 503 /maintenance.html
> # ErrorDocument 404 /maintenance.html
> # ErrorDocument 500 /maintenance.html
> 
> #ProxyPass /maintenance.html !
> ProxyPass / http://localhost:8080/
> ProxyPassReverse / http://localhost:8080/
> 
> <Location / >
> Order allow,deny
> Allow from all
> </Location>
> </VirtualHost>
> 
> 
> 
> <VirtualHost *:443>
> ServerName www.tomcat-domain2.de
> ServerAlias tomcat-domain2.de
> ProxyRequests off
> ProxyPreserveHost On
> <Proxy *>
> Order deny,allow
> Allow from all
> </Proxy>
> SSLProxyCheckPeerExpire off
> SSLEngine on
> SSLCertificateFile /etc/letsencrypt/live/
> www.tomcat-domain2.de/ende.crt
> SSLCertificateKeyFile /etc/letsencrypt/live/
> www.tomcat-domain2.de/private.key
> 
> 
> ErrorDocument 503 /maintenance.html
>  ErrorDocument 404 /maintenance.html
>  ErrorDocument 500 /maintenance.html
> 
> ProxyPass /maintenance.html !
> 
> ProxyPass / http://localhost:8080/
> ProxyPassReverse / http://localhost:8080/
> 
> <Location / >
> Order allow,deny
> Allow from all
> </Location>
> </VirtualHost>
> 
> 
> <VirtualHost *:80>
> ServerName www.tomcat-domain3.de
> ServerAlias tomcat-domain3.de
> ProxyRequests off
> ProxyPreserveHost On
> <Proxy *>
> Order deny,allow
> Allow from all
> </Proxy>
> 
> ErrorDocument 503 /maintenance.html
>  ErrorDocument 404 /maintenance.html
>  ErrorDocument 500 /maintenance.html
> 
> ProxyPass /maintenance.html !
> 
> ProxyPass / http://localhost:8080/
> ProxyPassReverse / http://localhost:8080/
> 
> <Location / >
> Order allow,deny
> Allow from all
> </Location>
> </VirtualHost>
> 
> 
> <VirtualHost *:80>
> ServerName www.tomcat-domain4.com
> ServerAlias tomcat-domain4.com
> 
> ProxyRequests off
> ProxyPreserveHost On
> <Proxy *>
> Order deny,allow
> Allow from all
> </Proxy>
> 
> ErrorDocument 503 /maintenance.html
>  ErrorDocument 404 /maintenance.html
>  ErrorDocument 500 /maintenance.html
> 
> ProxyPass /maintenance.html !
> 
> ProxyPass / http://localhost:8080/
> ProxyPassReverse / http://localhost:8080/
> 
> <Location / >
> Order allow,deny
> Allow from all
> </Location>
> </VirtualHost>
> 


Apache tomcat configuration :

> 
>  <Connector port="8080" proxyPort="80"
> protocol="org.apache.coyote.http11.Http11NioProtocol"
> compression="force" compressionMinSiz$
>                connectionTimeout="20000"  maxPostSize="5242880"
>                URIEncoding="utf-8"
>  compressableMimeType="text/html,text/xml,text/plain,text/css,text/
> javascript,application/x-javascript,application/javascript"/>
> 
> 
> 
>  <Connector port="8443"
> protocol="org.apache.coyote.http11.Http11NioProtocol" 
>  maxPostSize="5242880" SSLEnabled="true" maxThreads=$
>               compressionMinSize="1024" scheme="https" secure="true"
> clientAuth="false" sslProtocols="TLS"
>                 sslEnabledProtocols="TLSv1+TLSv1.1+TLSv1.2"
>                keystoreFile="/etc/letsencrypt/live/
> www.tomcat-domain2.de/MyDSKeyStore.jks"
> keystorePass="PASS" keyPass="PASS" keyAlias="tomcat"  // keystorePass
> = keyPass
>  URIEncoding="utf-8"
>  compressableMimeType="text/html,text/xml,text/plain,text/css,text/
> javascript,application/x-javascript,application/javascript"/>
> 
> 
>    <Host name="localhost"  appBase="webapps" unpackWARs="true"
> autoDeploy="true"/>
> 
>         <Host name="tomcat-domain1.de" autoDeploy="true"
> unpackWARs="true" appBase="domain1_webapps">
>                 <Alias>www.tomcat-domain1.de</Alias>;
>                 <Context path=""/>
>         </Host>
> 
>         <Host name="tomcat-domain3.com" autoDeploy="true"
> unpackWARs="true" appBase="domain3_webapps">
>                 <Alias>www.tomcat-domain3.com</Alias>;
>                 <Context path=""/>
>         </Host>
> 
>         <Host name="tomcat-domain4.de" autoDeploy="true"
> unpackWARs="true" appBase="domain4_webapps">
>                 <Alias>www.tomcat-domain4.de</Alias>;
>                 <Context path=""/>
>         </Host>
> 
>         <Host name="www.tomcat-domain2.de" autoDeploy="true"
> unpackWARs="true" appBase="domain2_webapps">
>                 <Alias>tomcat-domain2.de</Alias>
>                 <Context path=""/>
>         </Host>
> 


The certificates given by LetsEncrypt are in PEM format, so I am
converting them and adding them to the keystore, with these commands :

> ./letsencrypt-auto certonly --standalone --break-my-certs -d
> $mydomain -d $myOtherDomain --renew-by-default --email $myemail -
> -agree-tos
> 
> 
> 
> openssl pkcs12 -export -in fullchain.pem -inkey privkey.pem -CAfile
> chain.pem -caname root -out fullchain_and_key.p12 -name tomcat
> 
> keytool -importkeystore -deststorepass PASS -destkeypass PASS 
> -destkeystore MyDSKeyStore.jks -srckeystore fullchain_and_key.p12 
> -srcstoretype pkcs12 -srcstorepass PASS -alias tomcat
> 
> keytool -import -trustcacerts -alias root -file chain.pem -keystore
> MyDSKeyStore.jks
> 

After this, I converted the key and cert file which were .pem to .crt
and .key files for Apache web-server with following command :

> // Convert key to aes192 and set new password, important foor
> letsencrypt as the keys generated have no password.
> openssl rsa -aes192 -in yourprivatekeywithoutpassword.pem -out
> newprivatekeywithpassword.pem
> 
> // Convert pem to crt. 
> openssl x509 -outform der -in your-cert.pem -out your-cert.crt
> 

So, now as I have the web-server domain running, any request to HTTPS
site are redirected to web-server domain. And basically HTTPs doesn't
work. Any idea how I can proceed. Thank you. 


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Mime
View raw message