Tomcat Tomcat - User

Subdomain with SSL in same connector

Previous Topic Next Topic
 
classic Classic list List threaded Threaded
2 messages Options
Maurice Poos
Reply | Threaded
Open this post in threaded view
|

Subdomain with SSL in same connector

Maurice Poos
Hi there,

This question (or the gist of it) was asked around 2009 but a lot can
happen in 10 years.
The question is as follows:

I've got tomcat 9.0.35 running on a server (no apache or anything else)
The connector and ssl are all running smoothly.

When I put an alias in the connector of course the SSL breaks because the
subdomain is not included in the certificate in the keystore nor are
wildcards used.

Is it possible to add the subdomain ssl to the first keystore and then use
the alias to secure the subdomain.
Or...do I need to set up a separate connector, different keystore etc.

Thank you all for reading and stay safe!

Maurice

As a keynote..I'm not up to all the RFC's

*Config (highlights):*
*--------------------*

<SSLHostConfig hostName="site1.nl">
        <Certificate
                certificateKeyAlias="site1.nl"
                certificateKeystoreFile="/etc/ssl/crt/site1.nl.jks"
                certificateKeystorePassword="whiterabbit"/>
</SSLHostConfig>
##########################

<Host name="site1.nl"  unpackWARs="true" appbase="/var/www/www.site1.nl"
autoDeploy="true">
         <Alias>www.site1.nl</Alias>
*-->*     <Alias>subdomain1.site1.nl</Alias> *<-- This is what I want to
add -->*
        <Context path="/" docBase="/var/www/www.site1.nl/html"
 privileged="true"
              reloadable="true" crossContext="false"/>
        <Context path="/calendar" docBase="/var/www/
www.site1.nl/webapp/calendar.war"  privileged="true"
                reloadable="true" crossContext="false"/>
</Host>
Christopher Schultz-2
Reply | Threaded
Open this post in threaded view
|

Re: Subdomain with SSL in same connector

Christopher Schultz-2
Maurice,

On 12/22/20 08:59, Maurice Poos wrote:

> Hi there,
>
> This question (or the gist of it) was asked around 2009 but a lot can
> happen in 10 years.
> The question is as follows:
>
> I've got tomcat 9.0.35 running on a server (no apache or anything else)
> The connector and ssl are all running smoothly.
>
> When I put an alias in the connector of course the SSL breaks because the
> subdomain is not included in the certificate in the keystore nor are
> wildcards used.
>
> Is it possible to add the subdomain ssl to the first keystore and then use
> the alias to secure the subdomain.
> Or...do I need to set up a separate connector, different keystore etc.
>
> Thank you all for reading and stay safe!
>
> Maurice
>
> As a keynote..I'm not up to all the RFC's
>
> *Config (highlights):*
> *--------------------*
>
> <SSLHostConfig hostName="site1.nl">
>          <Certificate
>                  certificateKeyAlias="site1.nl"
>                  certificateKeystoreFile="/etc/ssl/crt/site1.nl.jks"
>                  certificateKeystorePassword="whiterabbit"/>
> </SSLHostConfig>
> ##########################
>
> <Host name="site1.nl"  unpackWARs="true" appbase="/var/www/www.site1.nl"
> autoDeploy="true">
>           <Alias>www.site1.nl</Alias>
> *-->*     <Alias>subdomain1.site1.nl</Alias> *<-- This is what I want to
> add -->*
>          <Context path="/" docBase="/var/www/www.site1.nl/html"
>   privileged="true"
>                reloadable="true" crossContext="false"/>
>          <Context path="/calendar" docBase="/var/www/
> www.site1.nl/webapp/calendar.war"  privileged="true"
>                  reloadable="true" crossContext="false"/>
> </Host>

This isn't really a Tomcat thing, it's an X.509 thing. There is no way
your client is going to accept a certificate for www.site1.nl when
requesting a resource from subdomain1.site1.nl unless it's been
instructed (by the user) to ignore TLS hostname mismatches, which is a
pretty insecure practice.

So no matter which way you configure Tomcat, the client isn't going to
make the connection.

If you have two separate certificates (one for www, one for subdomain1),
then I would expect Tomcat to allow you to put them all into one
keystore and list each one in a separate <SSLHostConfig> under the
<Connector>. The <Host> just "accepts" requests once the TLS handshake
is complete, so using an <Alias> there should work.

If it's not working, please post your full <Connector> and <Host>
configurations (with any secrets removed) and also the output of this
command:

$ keytool -list -v -keystore /etc/ssl/crt/site1.nl.jks
$ keytool -list -v -keystore /etc/ssl/crt/subdomain.site1.nl.jks

Note: you might want to start using PKCS12 (.p12) files since (a)
OpenSSL can use them and (b) Javva is dropping support for JKS files.

-chris

---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]

Free forum by Nabble Edit this page