
Tomcat 8.5 multiple domains using multiple certificate stores

We had a working setup using multiple domains sharing a certificate. But now the setup is changed to use different certificates for the different domains.

<Server>

  <!-- other non-changed stuff -->

  <Service name="Catalina">

    <Connector port="80" protocol="HTTP/1.1"
               connectionTimeout="20000"
               redirectPort="443" />

    <!-- clientAuth is a deprecated per-Connector SSL attribute in Tomcat 8.5;
         setting it here makes Tomcat create a default SSLHostConfig implicitly,
         next to the ones declared explicitly below (see the edit further down) -->
    <Connector
        port="443"
        clientAuth="false"
        protocol="org.apache.coyote.http11.Http11NioProtocol"
        maxThreads="200"
        enableLookups="false"
        SSLEnabled="true"
        scheme="https"
        secure="true"
        defaultSSLHostConfigName="stuff.company.com">

        <!-- Selected by SNI; as the defaultSSLHostConfigName it also serves
             clients that send no server_name -->
        <SSLHostConfig hostName="stuff.company.com">
            <Certificate
                certificateKeyAlias="stuff"
                certificateKeystoreType="JKS"
                certificateKeystoreFile="/conf/certs/stuff.company.com.jks"
                certificateKeystorePassword="[redacted]"
                certificateKeyPassword="[redacted]"
                type="RSA"
            />
        </SSLHostConfig>
        <!-- With or without the leading "/" both paths resolve relative to
             CATALINA_BASE on Windows: java.io.File only treats a path as absolute
             when it has a drive letter or UNC prefix -->
        <SSLHostConfig hostName="things.company2.com">
            <Certificate
                certificateKeystoreFile="conf/certs/things.company2.com.jks"
                certificateKeystorePassword="[redacted]"
                certificateKeyPassword="[redacted]"
                type="RSA"
            />
        </SSLHostConfig>
    </Connector>

    <!-- name and defaultHost are required on Engine; the post omitted them, the
         values here are assumed -->
    <Engine name="Catalina" defaultHost="stuff.company.com">

      <Host name="stuff.company.com" appBase="webapps/stuff-company-com">
        <Context path="" cookies="false" docBase=""/>
        <Alias>stuff.company.com</Alias>

        <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"
               prefix="stuff.company.com_access_log." suffix=".txt"
               pattern="%h %l %u %t &quot;%r&quot; %s %b" />
      </Host>

      <Host name="things.company2.com" appBase="webapps/things-company2-com">
        <Context path="" cookies="false" docBase=""/>
        <Alias>things.company2.com</Alias>
        <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"
               prefix="things.company2.com_access_log." suffix=".txt"
               pattern="%h %l %u %t &quot;%r&quot; %s %b" />
      </Host>

    </Engine>
  </Service>
</Server>

Notes:

  1. It does not seem to matter whether there is a / or not before conf in certificateKeystoreFile.
  2. Between the config of the Connector with the information and the Host parts there are things like Realm and Engine. These are not changed since the previous working setup.
  3. No changes were made in the section between now and the previously working setup.
  4. If we relax the rules, the hosts are reachable over http, but not reachable at all over https.
  5. Version of Tomcat is 8.5.53 (latest available at the time of writing)
  6. Windows Server 2012 is the OS

We changed clientAuth (deprecated) to certificateVerification (the current way of doing things), which prevents all the problems that can emerge from "If this SSLHostConfig element is not explicitly defined, it will be created", as discussed elsewhere on Stack Overflow.

Lessons learned are probably to first make sure everything is ported to the new way of doing things, in this case the new way of setting up a Connector, and after that proceed with whatever feature should be implemented.
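The check a practitioner would want before restarting Tomcat is a linter that catches the mix-up the post describes: a deprecated SSL attribute such as clientAuth on the Connector while explicit SSLHostConfig children are declared, plus a defaultSSLHostConfigName that matches none of them. The Python below is an added example, not code from the original post or from Tomcat; the sample server.xml is constructed to mirror the shape of the config above, DEPRECATED_CONNECTOR_SSL_ATTRS is only a subset of the attributes the Tomcat 8.5 Connector documentation lists as deprecated, and the clientAuth-to-certificateVerification mapping (false/true/want to none/required/optional) follows that documentation. The migrate_client_auth function rewrites the config the way the edit describes, moving clientAuth onto each SSLHostConfig as certificateVerification; ElementTree drops XML comments and original formatting when it serialises.

```python
"""Lint a Tomcat 8.5 server.xml for deprecated per-Connector SSL attributes that
collide with explicit <SSLHostConfig> children, and migrate clientAuth.
Added example, not from the original post.  Assumptions: the sample config is
constructed; DEPRECATED_CONNECTOR_SSL_ATTRS is a subset of the attributes the
Tomcat 8.5 Connector docs mark deprecated; ElementTree drops XML comments."""
import xml.etree.ElementTree as ET

# Per-Connector SSL attributes deprecated in Tomcat 8.5 (subset).  Setting any
# of them makes Tomcat create a default SSLHostConfig implicitly, which is what
# collides with explicitly declared <SSLHostConfig> elements.
DEPRECATED_CONNECTOR_SSL_ATTRS = {
    "clientAuth", "keyAlias", "keyPass", "keystoreFile", "keystorePass",
    "keystoreType", "truststoreFile", "truststorePass", "truststoreType",
    "sslProtocol", "sslEnabledProtocols", "ciphers", "useServerCipherSuitesOrder",
}

# clientAuth (Connector, deprecated) -> certificateVerification (SSLHostConfig)
CLIENT_AUTH_TO_VERIFICATION = {"false": "none", "true": "required", "want": "optional"}


def ssl_connectors(root):
    """Yield every Connector element with SSLEnabled="true"."""
    for conn in root.iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() == "true":
            yield conn


def lint_server_xml(xml_text):
    """Return human-readable findings for the SSL Connectors; [] means clean."""
    findings = []
    for conn in ssl_connectors(ET.fromstring(xml_text)):
        port = conn.get("port", "?")
        hosts = conn.findall("SSLHostConfig")
        names = [h.get("hostName", "_default_") for h in hosts]
        stale = sorted(a for a in conn.attrib if a in DEPRECATED_CONNECTOR_SSL_ATTRS)
        if stale and hosts:
            findings.append(f"port {port}: deprecated SSL attribute(s) {stale} on the "
                            f"Connector next to explicit SSLHostConfig {names}; "
                            f"move them into the SSLHostConfig elements")
        default = conn.get("defaultSSLHostConfigName", "_default_")
        if hosts and default not in names:
            findings.append(f"port {port}: defaultSSLHostConfigName={default!r} matches "
                            f"no SSLHostConfig hostName in {names}")
        for name in sorted({n for n in names if names.count(n) > 1}):
            findings.append(f"port {port}: SSLHostConfig hostName {name!r} declared twice")
        for host in hosts:
            if host.find("Certificate") is None:
                findings.append(f"port {port}: SSLHostConfig {host.get('hostName')!r} "
                                f"has no <Certificate>")
    return findings


def migrate_client_auth(xml_text):
    """Move clientAuth off each SSL Connector onto its SSLHostConfig children as
    certificateVerification (creating the default SSLHostConfig if none exists).
    Other deprecated attributes are left alone and still show up in the lint."""
    root = ET.fromstring(xml_text)
    for conn in list(ssl_connectors(root)):
        client_auth = conn.attrib.pop("clientAuth", None)
        if client_auth is None:
            continue
        verification = CLIENT_AUTH_TO_VERIFICATION.get(client_auth.lower(), "none")
        hosts = conn.findall("SSLHostConfig")
        if not hosts:
            hosts = [ET.SubElement(conn, "SSLHostConfig",
                                   hostName=conn.get("defaultSSLHostConfigName", "_default_"))]
        for host in hosts:
            host.set("certificateVerification", verification)
    return ET.tostring(root, encoding="unicode")


# Constructed sample with the shape of the config in the question: clientAuth on
# the Connector AND explicit SSLHostConfig children.
BROKEN_SERVER_XML = """<Server>
  <Service name="Catalina">
    <Connector port="443" clientAuth="false"
               protocol="org.apache.coyote.http11.Http11NioProtocol"
               SSLEnabled="true" scheme="https" secure="true"
               defaultSSLHostConfigName="stuff.company.com">
      <SSLHostConfig hostName="stuff.company.com">
        <Certificate certificateKeystoreFile="conf/certs/stuff.company.com.jks"
                     certificateKeystorePassword="[redacted]" type="RSA"/>
      </SSLHostConfig>
      <SSLHostConfig hostName="things.company2.com">
        <Certificate certificateKeystoreFile="conf/certs/things.company2.com.jks"
                     certificateKeystorePassword="[redacted]" type="RSA"/>
      </SSLHostConfig>
    </Connector>
  </Service>
</Server>"""

if __name__ == "__main__":
    for finding in lint_server_xml(BROKEN_SERVER_XML):
        print("BROKEN:", finding)
    fixed = migrate_client_auth(BROKEN_SERVER_XML)
    print("FIXED findings:", lint_server_xml(fixed))
    print(fixed)
```

Run it against a real server.xml by passing the file contents to lint_server_xml; the migrated output carries certificateVerification="none" on both SSLHostConfig elements and no SSL attributes on the Connector, which is the shape the edit above ended up with. After any change, verify per hostname from a client with something like openssl s_client -servername, since each SSLHostConfig is chosen by the SNI name the client sends.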
