Tomcat 8.5 server.xml - Multiple SSLHostConfig elements were provided for the host name [_default_]. Host names must be unique
I am trying to change server.xml with Tomcat 8.5 and get the following error when trying to start tomcat:
09-Feb-2017 06:23:25.278 WARNING [main] org.apache.catalina.startup.Catalina.load Catalina.start using conf/server.xml: Error at (135, 20) : Multiple SSLHostConfig elements were provided for the host name [_default_]. Host names must be unique.
Relevant server.xml code:
<Connector port="8443" protocol="org.apache.coyote.http11.Http11AprProtocol" SSLEnabled="true"
maxThreads="150" scheme="https" secure="true"
clientAuth="false" >
<SSLHostConfig>
keystoreFile="/saswork/sasadmin/tomcat/certs/eccerts"
keystorePass="xxxxxxxx"
storepass="xxxxxxxx"
truststoreFile="/saswork/sasadmin/tomcat/certs/eccerts"
sslProtocol="TLS"
</SSLHostConfig>
Advice appreciated on what the error means and suggestions on a solution welcome.
3 Answers
3
First, your syntax is incorrect for <SSLHostConfig>.
It should be:
<SSLHostConfig>
<Certificate ... />
</SSLHostConfig>
Also, I've had much better luck putting keystorePass inside of <Connector>.
The only <Connector> that works without failing for me is:
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
maxThreads="150" scheme="https" secure="true"
keystoreFile="keystore.jks" keyAlias="alias"
keystorePass="password"
clientAuth="false" sslProtocol="TLS" />
Otherwise these MultipleSSLHostConfig element errors occur.
By using clientAuth="false" you were accidentally creating a default SSL host config in addition to the one you explicitly declared. This made 2, hence the error. See @muttonUp's excellent answer below.
– Richard Brightwell
Jan 30 at 22:55
A quite confusing error "Multiple SSLHostConfig elements" when you clearly only have one.
Turns out this is caused by using deprecated directives.
If you put any of these deprecated attributes in the Connector directive, tomcat assumes you are using the old way and auto creates a SSLHostConfig itself, which then conflicts with the one you are creating.
In your particular case you were using clientAuth="false" on the Connector directive which has become certificateVerification="none" on the SSLHostConfig directive.
This is the correct answer.
– Richard Brightwell
Jan 30 at 22:50
This is the correct answer.
– Will
May 24 at 20:49
Here's my configuration that works:
<Connector port="443" protocol="org.apache.coyote.http11.Http11NioProtocol"
maxThreads="150" SSLEnabled="true" defaultSSLHostConfigName="your.hostname.com">
<SSLHostConfig hostName="your.hostname.com" protocols="TLSv1.2,TLSv1.1,TLSv1">
<Certificate certificateKeystoreFile="conf/keystore"
type="RSA" xpoweredBy="false" server="Apache TomEE"
certificateKeystorePassword="xxx"/>
</SSLHostConfig>
</Connector>
I had to set the defaultSSLHostConfigName attribute of the connector and the hostName attribute of the SSLHostConfig.
Thanks v much. I had tried the <Connector> approach initially but was getting errors so ventured down the <SSLHostConfig> route. Based on your feedback I tweaked my <Connector> to replicate yours and all is working now.
– Ecu
Feb 13 '17 at 9:43
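The conflicts described in the answers above can be caught before Tomcat is restarted. The following is an added example, not code from any poster or from the Tomcat project: a Python lint that flags a Connector mixing deprecated attributes with a nested SSLHostConfig, settings typed as element text, and a defaultSSLHostConfigName that matches no hostName. The function name, the sample XML and the attribute subset (limited to names that appear on this page) are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

# Connector-level TLS attributes seen on this page that Tomcat 8.5 treats as
# deprecated (a subset, not the full list). Any one of them makes Tomcat
# create an implicit SSLHostConfig under the default host name.
DEPRECATED = {"clientAuth", "keystoreFile", "keystorePass", "keyAlias",
              "sslProtocol", "truststoreFile"}
DEFAULT_HOST = "_default_"

def lint_connectors(server_xml):
    """Return (port, message) findings for every <Connector> in server_xml."""
    findings = []
    for conn in ET.fromstring(server_xml).iter("Connector"):
        port = conn.get("port", "?")
        explicit = conn.findall("SSLHostConfig")
        hosts = [h.get("hostName", DEFAULT_HOST).lower() for h in explicit]
        legacy = sorted(DEPRECATED & set(conn.attrib))
        if legacy and explicit:
            hosts.append(DEFAULT_HOST)  # the implicit config Tomcat adds
        for name in sorted({h for h in hosts if hosts.count(h) > 1}):
            why = ""
            if legacy and name == DEFAULT_HOST:
                why = " (implicit one caused by %s)" % ", ".join(legacy)
            findings.append((port, "duplicate SSLHostConfig for [%s]%s" % (name, why)))
        for h in explicit:
            if (h.text or "").strip():  # attributes typed as element text
                findings.append((port, "settings written as text inside <SSLHostConfig>"))
        default = conn.get("defaultSSLHostConfigName", DEFAULT_HOST).lower()
        if explicit and default not in hosts:
            findings.append((port, "defaultSSLHostConfigName [%s] matches no hostName" % default))
    return findings

# Constructed samples: the question's layout, then a layout using only 8.5 elements.
QUESTION_STYLE = """<Connector port="8443" SSLEnabled="true" clientAuth="false">
  <SSLHostConfig>
    keystoreFile="certs/keystore"
  </SSLHostConfig>
</Connector>"""
CORRECTED = """<Connector port="8443" SSLEnabled="true">
  <SSLHostConfig certificateVerification="none">
    <Certificate certificateKeystoreFile="certs/keystore"/>
  </SSLHostConfig>
</Connector>"""

if __name__ == "__main__":
    for label, xml in (("question", QUESTION_STYLE), ("corrected", CORRECTED)):
        print(label, lint_connectors(xml))
```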