
I have a server hosting multiple websites using Tomcat 7, for example

  • a.abc.com
  • b.abc.com
  • c.def.com
  • d.def.com

Using Tomcat's virtual hosting feature, so they each may belong to a different webapps folder.

We're now trying to implement HTTPS on each of the sites. So basically we got 2 wildcard certificates, *.abc.com and *.def.com.

I've been looking for ways to set this up and I found:

  • This, where it taught me how to set up SSL with Tomcat
  • This, where it taught me how to set up multiple Hosts with different SSL certificates pointing at different IP addresses

The second example is the closest to what I need, but the problem is that all of my virtual hosts are on the same IP address; the only difference is the domain name itself. Worse, most of them even have a couple of different aliases (e.g. my d.def.com could have e.ghi.com as one of its aliases).

So my question would be: is there any way I could set up multiple SSL certificates for all my virtual hosts?

Chor Wai Chun
  • Hi Chor, I've spent weeks trying to do this exact thing. I have 2 Hosts, 1 Tomcat, 1 IP just like you. I'm new to this; is there a detailed instruction on how to configure Tomcat and Apache step-by-step? Please help. – Gee Sep 25 '21 at 11:42
  • @Gee hi, I could find this https://examples.javacodegeeks.com/enterprise-java/tomcat/apache-tomcat-mod_jk-tutorial/, this is the closest guide to replicate what I've done previously. This helps you with the first part, setting up httpd > mod_jk > tomcat; after this is done, you can look for a guide about setting up multiple certs per host in httpd's config file – Chor Wai Chun Sep 26 '21 at 12:21
  • @Gee https://www.digicert.com/kb/ssl-support/apache-multiple-ssl-certificates-using-sni.htm this might help with the second part – Chor Wai Chun Sep 26 '21 at 12:23
  • The issue is with DocumentRoot: it is not www/html, all my files are located under Tomcat /data/1/tomcat/webapps/, and I get a 403 Forbidden "You don't have permission to access this resource" – Gee Sep 27 '21 at 15:44
  • I was able to access my site using the Directory Require all granted tag, but now I'm not able to load my servlets, and .jsp shows the <%@ page language="java" %> tag. Can I fix this for Apache? – Gee Sep 28 '21 at 16:07

1 Answer

I'm afraid it's not possible to fulfill all your requirements with Tomcat alone:

  • multiple domains
  • two SSL certificates
  • unique IP address
  • standard SSL port (I have assumed this)

Tomcat SSL configuration is defined in the <Connector> element in config.xml:

<Connector
       protocol="org.apache.coyote.http11.Http11NioProtocol"
       port="8443" maxThreads="200"
       scheme="https" secure="true" SSLEnabled="true"
       keystoreFile="${user.home}/.keystore" keystorePass="changeit"
       clientAuth="false" sslProtocol="TLS"/>

Each connector requires a port attribute. See the definition in the HTTP Connector documentation:

The TCP port number on which this Connector will create a server socket and await incoming connections. Your operating system will allow only one server application to listen to a particular port number on a particular IP address.

Therefore you can't define two connectors using the same port, and so it is not possible to configure different SSL certificates.

Alternatives

  • Several IPs: the address attribute configures which address will be used for listening on the specified port. Set an IP per main domain using an SSL certificate and configure a Connector for it

  • Different ports: 443 for *.abc.com, 444 for *.def.com, and so on

  • SSL Proxy: Deploy a proxy server like Apache or Nginx in front of tomcat. The proxy only deals with SSL negotiation and virtual hosts. All the traffic is redirected to Tomcat in plain HTTP.

Just as an example, using Apache mod_ssl and the Tomcat connector mod_jk, your requested configuration is simple:

Listen 443

# Both virtual hosts share *:443 on the one IP; httpd selects the right one
# from the server name the client sends (SNI) and forwards the decrypted
# request to Tomcat over AJP through the mod_jk worker.
<VirtualHost *:443>
    ServerName a.abc.com:443
    SSLEngine on
    SSLProtocol all -SSLv2
    # wildcard certificate for *.abc.com
    SSLCertificateFile "/home/certs/abc.com.crt"
    SSLCertificateKeyFile "/home/certs/abc.com.key"
    SSLCertificateChainFile  "/home/certs/abc.com.ca-bundle"
    SSLOptions +StdEnvVars  +ExportCertData
    ErrorLog "/var/logs/error_abc_443.log"
    TransferLog "/var/logs/error_abc_443.log"
    JkMount  /* worker1
</VirtualHost>

<VirtualHost *:443>
    ServerName c.def.com:443
    SSLEngine on
    SSLProtocol all -SSLv2
    # wildcard certificate for *.def.com
    SSLCertificateFile "/home/certs/def.com.crt"
    SSLCertificateKeyFile "/home/certs/def.com.key"
    SSLCertificateChainFile  "/home/certs/def.com.ca-bundle"
    SSLOptions +StdEnvVars  +ExportCertData
    ErrorLog "/var/logs/error_def.log"
    TransferLog "/var/logs/error_def.log"
    JkMount  /* worker2
</VirtualHost>
pedrofb
  • Thanks a lot for the answer mate, let me try this out. I have to study Apache httpd first; will definitely mark this as the answer once I get it done =) – Chor Wai Chun Nov 29 '16 at 11:02
  • Ok, feel free to ask doubts. I have a similar service configured in this way – pedrofb Nov 29 '16 at 11:16
  • I've just looked at many examples on setting up multiple Tomcats, handled by httpd at the front. Just wondering, what you're showing is actually that I can maintain my one single Tomcat, but discard the HTTPS connector part, since serving HTTP would suffice. Then I use httpd to listen to many domains, serving the cert right there, then forward all requests to my one single Tomcat instance. So in the end it's just one Tomcat instance running, and I should keep all of Tomcat's virtual host settings, right? – Chor Wai Chun Nov 30 '16 at 02:25
  • Yes, it is. You only need one Tomcat instance. You can maintain the virtual host setting at Tomcat, or move this configuration to `apache httpd`. Note also, you need to configure the `worker` in the Apache virtual host. This file/these files contain the details to connect to your Tomcat using the AJP connector – pedrofb Nov 30 '16 at 08:33
  • All the sites are now up with just one Tomcat instance, with quite a simple configuration in the httpd config, thanks a lot mate.. =) – Chor Wai Chun Nov 30 '16 at 09:17
  • I have one SSL certificate, one IP address and multiple virtual hosts. Can Tomcat host this configuration, all my virtual hosts with one single SSL certificate? Do I need SNI for that? – Kaj Risberg Nov 19 '18 at 13:07
  • @KajRisberg we usually use virtual hosts to handle multiple domains; if you have only one SSL certificate, may I assume it's a wildcard or multi-domain cert? If true, yes Tomcat is able to handle that, but with the help of Apache httpd, as this answer states. – Chor Wai Chun Nov 21 '18 at 00:44
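Once httpd is in front of Tomcat with the two wildcard certificates, the thing to verify is that each site name actually gets the certificate that covers it, and that aliases outside the two wildcard domains (the e.ghi.com alias mentioned in the question) are not silently served a mismatched *.def.com certificate. The script below is an added example, not code from the question or the answer: it connects to each name with SNI set the way a browser does, and matches the returned certificate's names against the host with the single-label wildcard rule (a "*.abc.com" certificate covers "a.abc.com" but not "abc.com", "x.a.abc.com" or "e.ghi.com"). The host list and the IP are constructed placeholders; the `cafile` parameter is an assumption for use with a private CA.

```python
"""Check which certificate each HTTPS virtual host presents, per SNI name.

Added example (not part of the question or answer). Hostname matching is done
offline so the wildcard caveat can be shown without a network.
"""
import socket
import ssl
import sys


def cert_names(cert):
    """DNS names a certificate claims, taken from the dict returned by
    ssl.SSLSocket.getpeercert(): subjectAltName dNSName entries, with the
    subject commonName as a fallback for certificates without a SAN."""
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:
        for rdn in cert.get("subject", ()):
            for key, value in rdn:
                if key == "commonName":
                    names.append(value)
    return [n.lower() for n in names]


def hostname_matches(cert_name, hostname):
    """RFC 6125 style match: exact, or a wildcard that stands for exactly the
    left-most label. Neither the parent domain nor deeper subdomains match."""
    cert_name = cert_name.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in cert_name:
        return cert_name == hostname
    c_labels, h_labels = cert_name.split("."), hostname.split(".")
    if len(c_labels) != len(h_labels) or c_labels[0] != "*":
        return False
    return c_labels[1:] == h_labels[1:]


def cert_covers(cert, hostname):
    """True if any name in the certificate covers `hostname`."""
    return any(hostname_matches(n, hostname) for n in cert_names(cert))


def fetch_cert(hostname, ip=None, port=443, timeout=5, cafile=None):
    """Open a TLS connection to ip:port sending `hostname` as the SNI name and
    return the peer certificate as a dict. The chain is still verified, but
    the hostname check is done by us so a mismatched cert is reported rather
    than raising before we can see it."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_REQUIRED
    with socket.create_connection((ip or hostname, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=hostname) as tls:
            return tls.getpeercert()


def audit(hostnames, ip=None, port=443, cafile=None):
    """Return {hostname: (covered, names_presented)} for every site."""
    report = {}
    for host in hostnames:
        try:
            cert = fetch_cert(host, ip, port, cafile=cafile)
            report[host] = (cert_covers(cert, host), cert_names(cert))
        except (OSError, ssl.SSLError) as exc:
            report[host] = (False, [f"error: {exc}"])
    return report


# Constructed sample shaped like getpeercert() output for the *.def.com cert,
# used to demonstrate the wildcard rule offline.
SAMPLE_DEF_CERT = {
    "subject": ((("commonName", "*.def.com"),),),
    "subjectAltName": (("DNS", "*.def.com"), ("DNS", "def.com")),
}

# Site names from the question plus the alias that no wildcard covers.
SITES = ["a.abc.com", "b.abc.com", "c.def.com", "d.def.com", "e.ghi.com"]

if __name__ == "__main__":
    # Usage: python check_sni.py [shared-ip]   (IP is a placeholder when unset)
    shared_ip = sys.argv[1] if len(sys.argv) > 1 else None
    for host, (ok, names) in audit(SITES, ip=shared_ip).items():
        print(f"{'OK  ' if ok else 'FAIL'} {host:<12} presented {names}")
```

The FAIL line for e.ghi.com is the expected outcome with only the two wildcard certificates: httpd can only hand out what it has been given, so an alias in a third domain needs its own VirtualHost and certificate (or a SAN entry on one of the existing ones), otherwise browsers will show a name mismatch for that alias.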