Chor Wai Chun - 5 days ago
Apache Configuration Question

Tomcat hosting multiple virtual hosts with multiple SSL certificates

I have a server hosting multiple websites using Tomcat 7, for example:

  • a.abc.com
  • b.abc.com
  • c.def.com
  • d.def.com

I'm using Tomcat's virtual hosting feature, so each of them may belong to a different webapps folder.

We're now trying to implement HTTPS on each of the sites. Basically we have 2 wildcard certificates, *.abc.com and *.def.com.

I've been looking for ways to set this up and I found:

  • This, which taught me how to set up SSL with Tomcat
  • This, which taught me how to set up multiple Hosts with different SSL certificates pointing at different IP addresses

The second example is closest to what I need, but the problem is that all of my virtual hosts are on the same IP address; the only difference is the domain name itself. Worse, most of them even have a couple of different aliases (e.g. my d.def.com could have e.ghi.com as one of its aliases).

So my question would be: is there any way I could set up my multiple SSL certificates for all my virtual hosts?

Answer

I'm afraid it's not possible to fulfill all your requirements with Tomcat:

  • multiple domains
  • two SSL certificates
  • a single IP address
  • the standard SSL port (I have assumed this)

The Tomcat SSL configuration is defined in the <Connector> element in config.xml:

<!-- One HTTPS Connector per listening port. A Connector carries exactly one
     keystore, so it can present only one server certificate. -->
<Connector
       protocol="org.apache.coyote.http11.Http11NioProtocol"
       port="8443" maxThreads="200"
       scheme="https" secure="true" SSLEnabled="true"
       keystoreFile="${user.home}/.keystore" keystorePass="changeit"
       clientAuth="false" sslProtocol="TLS"/>

Each connector requires a port attribute. See the definition in the HTTP Connector documentation:

The TCP port number on which this Connector will create a server socket and await incoming connections. Your operating system will allow only one server application to listen to a particular port number on a particular IP address.

Therefore you can't define two connectors using the same port, and so it is not possible to configure different SSL certificates.

Alternatives

  • Several IPs: The address attribute configures which address will be used for listening on the specified port. Set one IP per main domain using an SSL certificate and configure a Connector for it.

  • Different ports: 443 for *.abc.com, 444 for *.def.com, and so on

  • SSL Proxy: Deploy a proxy server like Apache or Nginx in front of tomcat. The proxy only deals with SSL negotiation and virtual hosts. All the traffic is redirected to Tomcat in plain HTTP.

Just as an example, using Apache mod_ssl and the Tomcat connector mod_jk, your requested configuration is simple:

Listen 443

# One name-based virtual host per certificate. Both share the single IP and
# port 443; Apache picks the vhost (and so the certificate) from the hostname
# the client sends in the TLS handshake (SNI) and the Host header.
<VirtualHost *:443>
    ServerName a.abc.com:443
    # Other names covered by the *.abc.com certificate (from the question's host list)
    ServerAlias b.abc.com
    SSLEngine on
    # SSLv2 and SSLv3 are both broken; keep only TLS
    SSLProtocol all -SSLv2 -SSLv3
    SSLCertificateFile "/home/certs/abc.com.crt"
    SSLCertificateKeyFile "/home/certs/abc.com.key"
    SSLCertificateChainFile  "/home/certs/abc.com.ca-bundle"
    SSLOptions +StdEnvVars  +ExportCertData
    ErrorLog "/var/logs/error_abc_443.log"
    # TransferLog is the access log; give it its own file rather than the error log
    TransferLog "/var/logs/access_abc_443.log"
    # Forward every request to the Tomcat worker defined in workers.properties
    JkMount  /* worker1
</VirtualHost>

<VirtualHost *:443>
    ServerName c.def.com:443
    # Other names covered by the *.def.com certificate (from the question's host list)
    ServerAlias d.def.com
    SSLEngine on
    SSLProtocol all -SSLv2 -SSLv3
    SSLCertificateFile "/home/certs/def.com.crt"
    SSLCertificateKeyFile "/home/certs/def.com.key"
    SSLCertificateChainFile  "/home/certs/def.com.ca-bundle"
    SSLOptions +StdEnvVars  +ExportCertData
    ErrorLog "/var/logs/error_def.log"
    TransferLog "/var/logs/access_def.log"
    JkMount  /* worker2
</VirtualHost>
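Before putting a TLS-terminating proxy in front of Tomcat it is worth checking which hostnames each wildcard certificate actually covers, because a name-based virtual host only works when the certificate it serves is valid for every name that host answers to. The script below is an added example, not code from the question or the answer above. Its certificate and vhost inventory is constructed from the hostnames in the question (including the e.ghi.com alias the asker mentions for d.def.com), and the file names abc.com.crt and def.com.crt are assumptions. It applies the browser matching rules for wildcard names (a wildcard is only the whole leftmost label and matches exactly one label) and reports the vhost grouping the proxy needs, plus any name that no certificate covers.

```python
"""Added check: which wildcard certificate covers each name a TLS virtual host
answers to, before wiring up name-based HTTPS vhosts on one IP and port."""

# Constructed inventory based on the question's hostnames (assumed file names,
# not taken from the page): certificate file -> DNS names it is issued for.
CERTS = {
    "abc.com.crt": ["*.abc.com"],
    "def.com.crt": ["*.def.com"],
}

# Constructed: ServerName -> ServerAlias list, including the e.ghi.com alias
# the question mentions for d.def.com.
VHOSTS = {
    "a.abc.com": [],
    "b.abc.com": [],
    "c.def.com": [],
    "d.def.com": ["e.ghi.com"],
}


def dns_name_matches(pattern: str, hostname: str) -> bool:
    """Match a certificate DNS name against a hostname the way browsers do
    (RFC 6125 rules): case-insensitive, and a wildcard is honoured only as
    the entire leftmost label, standing for exactly one label.

    *.abc.com matches a.abc.com, but not abc.com or x.y.abc.com; patterns
    with fewer than two labels after the wildcard (*.com) are refused.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    suffix = pattern[1:]                 # "*.abc.com" -> ".abc.com"
    if suffix.count(".") < 2:            # refuse *.com style patterns
        return False
    if not hostname.endswith(suffix):
        return False
    leftmost = hostname[: -len(suffix)]  # the label the wildcard stands for
    return bool(leftmost) and "." not in leftmost


def cert_for(hostname: str, certs=CERTS):
    """Return the certificate file whose names cover hostname, or None."""
    for cert_file, names in certs.items():
        if any(dns_name_matches(n, hostname) for n in names):
            return cert_file
    return None


def group_by_cert(vhosts=VHOSTS, certs=CERTS):
    """Map every ServerName and alias to the certificate that covers it.

    The result is the grouping the TLS-terminating proxy needs: one
    <VirtualHost> per certificate, carrying all names that certificate covers.
    Names under the None key would trigger a certificate mismatch warning in
    the browser and need another certificate or a different hostname.
    """
    groups: dict = {}
    for server_name, aliases in vhosts.items():
        for name in [server_name, *aliases]:
            groups.setdefault(cert_for(name, certs), []).append(name)
    return {k: sorted(v) for k, v in groups.items()}


def uncovered(vhosts=VHOSTS, certs=CERTS):
    """Names that no certificate in the inventory covers."""
    return group_by_cert(vhosts, certs).get(None, [])


if __name__ == "__main__":
    for cert_file, names in group_by_cert().items():
        label = cert_file or "NO CERTIFICATE (browser would warn)"
        print(f"{label}: {', '.join(names)}")
```

Run stand-alone, it lists a.abc.com and b.abc.com under abc.com.crt, c.def.com and d.def.com under def.com.crt, and flags e.ghi.com as covered by neither wildcard, so that alias cannot simply be added as a ServerAlias of the def.com vhost. Once the proxy is deployed, the same check can be made against the live server with `openssl s_client -connect <ip>:443 -servername a.abc.com` (and again with -servername c.def.com), confirming that each name receives the intended certificate. Serving several certificates on one IP and port relies on clients sending SNI; very old clients that do not (for example Java 6 or Internet Explorer on Windows XP) will always receive the certificate of the default virtual host.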