tomcat-users mailing list archives

From Jose María Zaragoza <demablo...@gmail.com>
Subject Re: Multiple SSL config with single IP on Tomcat 8.5.4
Date Thu, 04 Aug 2016 19:49:40 GMT
2016-08-04 17:17 GMT+02:00 Kent Smotherman <kentsmotherman@gmail.com>:
> From: Mark Thomas <markt@apache.org>
> To: Tomcat Users List <users@tomcat.apache.org>
> Cc:
> Date: Wed, 3 Aug 2016 15:49:12 -0700
> Subject: Re: Multiple SSL config with single IP on Tomcat 8.5.4
> On 03/08/2016 15:05, Kent Smotherman wrote:
>> I'm trying to get multiple SSL certs configured on Tomcat 8.5 with a single
>> IP. My relevant server.xml looks like this:
>>
>> <Connector port="9090" protocol="HTTP/1.1"
>>            connectionTimeout="20000"
>>            URIEncoding="UTF-8"
>>            redirectPort="9443" />
>> <Connector port="9443" protocol="HTTP/1.1" SSLEnabled="true"
>>            maxThreads="150" scheme="https" secure="true" hostName="
>> firstnationalsculpturepark.com"
>>            clientAuth="false" sslProtocol="TLS" defaultSSLHostConfigName="
>> firstnationalsculpturepark.com"
>>>
>>     <SSLHostConfig hostname="firstnationalsculpturepark.com">
>>         <Certificate
>>                 certificateKeystoreFile="/apache/conf/twinfeats.keystore"
>>                certificateKeystorePassword="xxxxxxx"
>>                certificateKeyAlias="firstnationalsculpturepark"
>>         />
>>      </SSLHostConfig>
>> </Connector>
>>
>> This gives me this error on startup:
>>
>> 03-Aug-2016 16:47:04.541 WARNING [main]
>> org.apache.catalina.startup.SetAllPropertiesRule.begin
>> [SetAllPropertiesRule]{Server/Service/Connector} Setting property
>> 'hostName' to 'firstnationalsculpturepark.com' did not find a matching
>> property.
>>
>> I'm not sure what I'm doing wrong, as the hostName property is indicated in
>> the Tomcat 8.5 docs as an attribute for SSLHostConfig. (The above error
>> then causes an error trying to find the default keystore file since it
>> isn't using the one I've specified, but that is expected.)
>
> Take another look at the error message. It is complaining about an
> invalid attribute on the Connector, not the SSLHostConfig.
>
> Mark
>
> ---------------
>
> Thanks! I removed the hostName attribute from the Connector, and now all I
> have left is the same error complaining that it cannot find .keystore, when
> it should be looking for twinfeats.keystore:
>
>     <Connector port="9443" SSLEnabled="true"
>                 protocol="org.apache.coyote.http11.Http11NioProtocol"
>                maxThreads="150" scheme="https" secure="true"
>                clientAuth="false" sslProtocol="TLS"
>                defaultSSLHostConfigName="www.twinfeats.com">
>       <SSLHostConfig hostName="www.firstnationalsculpturepark.com">
>       <Certificate
>        certificateKeystoreFile="/apache/conf/twinfeats.keystore"
>                    certificateKeystorePassword="takara36"
>                    certificateKeyAlias="firstnationalsculpturepark"
>       />
>       </SSLHostConfig>
>       <SSLHostConfig hostName="www.twinfeats.com">
>       <Certificate
>        certificateKeystoreFile="/apache/conf/twinfeats.keystore"
>                    certificateKeystorePassword="xxxxxxxxx"
>                    certificateKeyAlias="twinfeats"
>       />
>       </SSLHostConfig>
>     </Connector>
>
> And the error:
>
> 04-Aug-2016 10:01:16.755 SEVERE [main]
> org.apache.tomcat.util.net.SSLUtilBase.getStore Failed to load keystore
> type [JKS] with path [/home/twinfeats/.keystore] due to
> [/home/twinfeats/.keystore (No such file or directory)]
>  java.io.FileNotFoundException: /home/twinfeats/.keystore (No such file or
> directory)
>
> I've reviewed my server.xml as excerpted above, but I don't see any
> remaining silly mistakes.  Any clues?


According to the docs:

"certificateKeystoreFile

The pathname of the keystore file where you have stored the server
certificate and key to be loaded. By default, the pathname is the file
.keystore in the operating system home directory of the user that is
running Tomcat. If your keystoreType doesn't need a file use "" (empty
string) or NONE for this parameter. **Relative paths will be resolved
against $CATALINA_BASE**. A URL may also be used for this attribute."

I would try a relative path.


P.S.: I wonder why the same keystore has different
certificateKeystorePassword values.

>
> Thanks!
>
> Kent
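As an added pre-flight check (not code from this thread or from Tomcat itself), the script below parses a constructed server.xml modelled on Kent's second configuration, resolves each certificateKeystoreFile the way the quoted documentation describes (relative paths against $CATALINA_BASE, falling back to .keystore in the home directory when the attribute is absent), and reports the three things discussed above: a hostName attribute placed on the Connector, an SSLHostConfig with no Certificate (which is what sends Tomcat to /home/<user>/.keystore), and one keystore file referenced with two different passwords. The CATALINA_BASE value, home directory, host names and passwords are placeholders.

```python
import os
import xml.etree.ElementTree as ET

# Constructed sample modelled on the thread's server.xml; passwords are placeholders.
SAMPLE_SERVER_XML = """<Server><Service>
<Connector port="9443" SSLEnabled="true" hostName="www.twinfeats.com"
           defaultSSLHostConfigName="www.twinfeats.com">
  <SSLHostConfig hostName="www.firstnationalsculpturepark.com">
    <Certificate certificateKeystoreFile="/apache/conf/twinfeats.keystore"
                 certificateKeystorePassword="PLACEHOLDER_ONE"/>
  </SSLHostConfig>
  <SSLHostConfig hostName="www.twinfeats.com">
    <Certificate certificateKeystoreFile="conf/twinfeats.keystore"
                 certificateKeystorePassword="PLACEHOLDER_TWO"/>
  </SSLHostConfig>
  <SSLHostConfig hostName="bare.example.test"/>
</Connector>
</Service></Server>"""


def resolve_keystore(path, catalina_base):
    # Tomcat's documented rule: relative paths resolve against $CATALINA_BASE.
    return path if os.path.isabs(path) else os.path.join(catalina_base, path)


def check_ssl_config(xml_text, catalina_base, home, exists=os.path.exists):
    """Return (hostName, message) findings for every SSLEnabled Connector."""
    findings = []
    default_ks = os.path.join(home, ".keystore")  # fallback when no file is configured
    for conn in ET.fromstring(xml_text).iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue
        if "hostName" in conn.attrib:  # the first error in the thread: wrong element
            findings.append(("Connector", "hostName belongs on SSLHostConfig, not Connector"))
        seen_passwords = {}  # resolved keystore path -> first password seen for it
        for shc in conn.findall("SSLHostConfig"):
            name = shc.get("hostName", "_default_")
            certs = shc.findall("Certificate")
            if not certs:
                findings.append((name, "no Certificate; Tomcat will look for " + default_ks))
            for cert in certs:
                path = cert.get("certificateKeystoreFile", default_ks)
                if path in ("", "NONE") or "://" in path:  # file-less type or URL: nothing to stat
                    continue
                resolved = resolve_keystore(path, catalina_base)
                if not exists(resolved):
                    findings.append((name, "keystore not found: " + resolved))
                pw = cert.get("certificateKeystorePassword")
                if seen_passwords.setdefault(resolved, pw) != pw:
                    findings.append((name, "different password for shared keystore " + resolved))
    return findings
```

The `exists` parameter lets you run the check against a server.xml from another machine without its filesystem; leave it at the default to check the local one.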
