
Enable HTTPS with self-signed certificate in Spring Boot 2.0

I'm following this tutorial to enable HTTPS in Spring Boot 2.0 using a self-signed certificate, just for testing purposes. In summary, that tutorial includes these steps:

1. Generate the keystore using keytool.

keytool -genkey -alias tomcat -storetype PKCS12 -keyalg RSA -keysize 2048 -keystore keystore.p12 -validity 3650

2. Enable HTTPS in Spring Boot by adding some properties in the application.properties file.

server.port: 8443
server.ssl.key-store: keystore.p12
server.ssl.key-store-password: mypassword
server.ssl.keyStoreType: PKCS12
server.ssl.keyAlias: tomcat

3. Redirect HTTP to HTTPS (optional). I ignored this part.

But when I start my application, I get this error:

org.apache.catalina.LifecycleException: Failed to start component [Connector[HTTP/1.1-8443]]
    at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:167) ~[tomcat-embed-core-8.5.28.jar:8.5.28]
    at org.apache.catalina.core.StandardService.addConnector(StandardService.java:225) ~[tomcat-embed-core-8.5.28.jar:8.5.28]
    at org.springframework.boot.web.embedded.tomcat.TomcatWebServer.addPreviouslyRemovedConnectors(TomcatWebServer.java:255) [spring-boot-2.0.0.RELEASE.jar:2.0.0.RELEASE]
    at org.springframework.boot.web.embedded.tomcat.TomcatWebServer.start(TomcatWebServer.java:197) [spring-boot-2.0.0.RELEASE.jar:2.0.0.RELEASE]
    at org.springframework.boot.web.servlet.context.ServletWebServerApplicationContext.startWebServer(ServletWebServerApplicationContext.java:300) [spring-boot-2.0.0.RELEASE.jar:2.0.0.RELEASE]
    at org.springframework.boot.web.servlet.context.ServletWebServerApplicationContext.finishRefresh(ServletWebServerApplicationContext.java:162) [spring-boot-2.0.0.RELEASE.jar:2.0.0.RELEASE]
    at org.springframework.context.support.AbstractApplicationContext.refresh(AbstractApplicationContext.java:552) [spring-context-5.0.4.RELEASE.jar:5.0.4.RELEASE]
    at org.springframework.boot.web.servlet.context.ServletWebServerApplicationContext.refresh(ServletWebServerApplicationContext.java:140) [spring-boot-2.0.0.RELEASE.jar:2.0.0.RELEASE]
    at org.springframework.boot.SpringApplication.refresh(SpringApplication.java:752) [spring-boot-2.0.0.RELEASE.jar:2.0.0.RELEASE]
    at org.springframework.boot.SpringApplication.refreshContext(SpringApplication.java:388) [spring-boot-2.0.0.RELEASE.jar:2.0.0.RELEASE]
    at org.springframework.boot.SpringApplication.run(SpringApplication.java:327) [spring-boot-2.0.0.RELEASE.jar:2.0.0.RELEASE]
    at org.springframework.boot.SpringApplication.run(SpringApplication.java:1246) [spring-boot-2.0.0.RELEASE.jar:2.0.0.RELEASE]
    at org.springframework.boot.SpringApplication.run(SpringApplication.java:1234) [spring-boot-2.0.0.RELEASE.jar:2.0.0.RELEASE]
    at epic.gwdg.restgraph.RestgraphApplication.main(RestgraphApplication.java:10) [classes/:na]
Caused by: org.apache.catalina.LifecycleException: Protocol handler start failed
    at org.apache.catalina.connector.Connector.startInternal(Connector.java:1021) ~[tomcat-embed-core-8.5.28.jar:8.5.28]
    at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:150) ~[tomcat-embed-core-8.5.28.jar:8.5.28]
    ... 13 common frames omitted
Caused by: java.lang.IllegalArgumentException: Private key must be accompanied by certificate chain
    at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:116) ~[tomcat-embed-core-8.5.28.jar:8.5.28]
    at org.apache.tomcat.util.net.AbstractJsseEndpoint.initialiseSsl(AbstractJsseEndpoint.java:87) ~[tomcat-embed-core-8.5.28.jar:8.5.28]
    at org.apache.tomcat.util.net.NioEndpoint.bind(NioEndpoint.java:225) ~[tomcat-embed-core-8.5.28.jar:8.5.28]
    at org.apache.tomcat.util.net.AbstractEndpoint.start(AbstractEndpoint.java:1150) ~[tomcat-embed-core-8.5.28.jar:8.5.28]
    at org.apache.coyote.AbstractProtocol.start(AbstractProtocol.java:591) ~[tomcat-embed-core-8.5.28.jar:8.5.28]
    at org.apache.catalina.connector.Connector.startInternal(Connector.java:1018) ~[tomcat-embed-core-8.5.28.jar:8.5.28]
    ... 14 common frames omitted
Caused by: java.lang.IllegalArgumentException: Private key must be accompanied by certificate chain
    at java.base/java.security.KeyStore.setKeyEntry(KeyStore.java:1170) ~[na:na]
    at org.apache.tomcat.util.net.jsse.JSSEUtil.getKeyManagers(JSSEUtil.java:257) ~[tomcat-embed-core-8.5.28.jar:8.5.28]
    at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:114) ~[tomcat-embed-core-8.5.28.jar:8.5.28]
    ... 19 common frames omitted

2018-03-16 16:42:30.917  INFO 970 --- [           main] o.apache.catalina.core.StandardService   : Stopping service [Tomcat]
2018-03-16 16:42:30.931  INFO 970 --- [           main] ConditionEvaluationReportLoggingListener : 

Error starting ApplicationContext. To display the conditions report re-run your application with 'debug' enabled.
2018-03-16 16:42:30.933 ERROR 970 --- [           main] o.s.b.d.LoggingFailureAnalysisReporter   : 

***************************
APPLICATION FAILED TO START
***************************

Description:

The Tomcat connector configured to listen on port 8443 failed to start. The port may already be in use or the connector may be misconfigured.

Action:

Verify the connector's configuration, identify and stop any process that's listening on port 8443, or configure this application to listen on another port.

2018-03-16 16:42:30.934  INFO 970 --- [           main] ConfigServletWebServerApplicationContext : Closing org.springframework.boot.web.servlet.context.AnnotationConfigServletWebServerApplicationContext@58ce9668: startup date [Fri Mar 16 16:42:26 CET 2018]; root of context hierarchy
2018-03-16 16:42:30.936  INFO 970 --- [           main] o.s.j.e.a.AnnotationMBeanExporter        : Unregistering JMX-exposed beans on shutdown

Process finished with exit code 1

Basically, the message is:

Private key must be accompanied by certificate chain.

This is a self-signed certificate, so it, of course, doesn't have the trusted chain. How can I fix it?

Here is my current application.properties file:

server.port=8443
server.ssl.enabled=true
server.ssl.key-store=classpath:keystore.p12
server.ssl.key-password=123456
server.ssl.key-store-type=PKCS12
server.ssl.key-alias=tomcat

Thank you so much for your help.

The problem is that your generated keystore doesn't have a key pair, so there is no private key. That's because you're using the option -genkey; you need to change it to the option -genkeypair:

-genkey generates a Secret Key whereas -genkeypair generates a key pair (a public key and a private key).

So I think this should work:

keytool -genkeypair -alias tomcat -storetype PKCS12 -keyalg RSA -keysize 2048  -keystore keystore.p12 -validity 3650

In your Spring Boot configuration, change ":" to "=" and add the path to your keystore. I suppose that your keystore.p12 is in your resources folder, so:

server.ssl.key-store = classpath:keystore.p12
server.ssl.key-store-password = mypassword
server.ssl.key-store-type = PKCS12
server.ssl.key-alias = tomcat

I was getting this horrible "Private key must be accompanied by certificate chain" error as well on my Spring Boot application with an embedded Tomcat server. It was making me insane.

It turns out a simple typo was my problem:

@Override
public void customize(ConfigurableServletWebServerFactory server) {
    Ssl ssl = new Ssl();
    ssl.setEnabled(true);
    ssl.setKeyStore(keystoreFile);
    ssl.setKeyPassword(keystorePass); // << Should be `setKeyStorePassword` !!!!
    ssl.setKeyStoreType(keystoreType);
    ssl.setKeyAlias(keystoreAlias);

    server.setSsl(ssl);
    server.setPort(sslPort);
}

So the error message is not helpful at all for this case. I hope this helps someone else. Just be sure to verify that you're putting the right passwords (key vs keystore) in the right place. The same issue can happen in a properties-based setup; it depends on what you are working with.

You made a small mistake in the application.properties file. Please change

server.ssl.key-password=your_password

to

server.ssl.key-store-password=your_password

It will work fine then. Hope it helps! Thank you!

1. Use "-genkeypair"

keytool -genkeypair -alias tomcat -storetype PKCS12 -keyalg RSA -keysize 2048  -keystore keystore.p12 -validity 3650
2. Change "server.ssl.key-password" to "server.ssl.key-store-password"
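The answers above point at three different causes for the same startup error (a store password that does not open the file, an alias with no private-key entry, a key password that does not match). An added preflight check, not code from the question or any answer, that opens the PKCS12 keystore the way Tomcat's JSSE code does and reports which of these applies; the file path, passwords and alias are passed on the command line and are assumptions.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.UnrecoverableKeyException;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Collections;

/** Preflight check for the keystore referenced by server.ssl.key-store (added example). */
public class KeystorePreflight {

    /** Returns null when the alias is a usable private-key entry, otherwise a diagnosis. */
    static String diagnose(String path, char[] storePass, char[] keyPass, String alias) throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, storePass);
        } catch (IOException e) {
            // the PKCS12 integrity check fails here when server.ssl.key-store-password is wrong or missing
            return "cannot open keystore (check server.ssl.key-store-password): " + e.getMessage();
        }
        if (!ks.containsAlias(alias)) {
            return "alias '" + alias + "' not found (server.ssl.key-alias); present: " + Collections.list(ks.aliases());
        }
        if (!ks.isKeyEntry(alias)) {
            return "alias '" + alias + "' is a trusted-certificate entry and holds no private key";
        }
        Certificate[] chain = ks.getCertificateChain(alias);
        if (chain == null || chain.length == 0) {
            // a null chain is what Tomcat's KeyStore.setKeyEntry call rejects with
            // "Private key must be accompanied by certificate chain" (see the stack trace above)
            return "alias '" + alias + "' has a key but no certificate chain";
        }
        try {
            ks.getKey(alias, keyPass);
        } catch (UnrecoverableKeyException e) {
            return "key password does not unlock the private key (server.ssl.key-password)";
        }
        ((X509Certificate) chain[0]).checkValidity();   // throws if the certificate is expired or not yet valid
        return null;
    }

    public static void main(String[] args) throws Exception {
        // usage: java KeystorePreflight keystore.p12 <store-password> <alias> [key-password]
        char[] storePass = args[1].toCharArray();
        char[] keyPass = args.length > 3 ? args[3].toCharArray() : storePass; // the keystores on this page use one password
        String problem = diagnose(args[0], storePass, keyPass, args[2]);
        System.out.println(problem == null ? "OK: alias " + args[2] + " is usable for TLS" : "FAIL: " + problem);
    }
}
```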

Spring Boot 2.2.1.RELEASE

keytool -genkeypair -keystore myKeystore2.p12 -storetype PKCS12 -storepass 123456 -alias ks-localhost -keyalg RSA -keysize 2048 -validity 99999 -dname "CN=My SSL Certificate, OU=My Team, O=My Company, L=My City, ST=My State, C=SA" -ext san=dns:localhost,ip:127.0.0.1

application.yml

server:
  tomcat:
    accesslog:
      enabled: true
  ssl:
    key-store-type: PKCS12
    key-store: classpath:myKeystore.p12
    key-alias: ks-localhost
    enabled: true
    protocol: TLS
    key-store-password: 123456

I had a similar problem; in my case I was missing the trustAnchors in the trust store.

One solution is to use the Java built-in keytool, as explained in the other answers. But there is an even simpler approach using the KeyStore Explorer GUI, so I'll explain the complete steps with both tools.

1. First of all, as described in the answer, we need to enable SSL in the application.properties file:

# <======= SSL Security ===========>
# Keystore config
server.ssl.key-store-type=PKCS12
server.ssl.key-store-password=change_it!
server.ssl.key-store=classpath:keystore.p12
server.ssl.key-alias=alias
server.ssl.enabled=true

# Trust Store Certificates
server.ssl.trust-store=classpath:trust_store.p12
server.ssl.trust-store-type=PKCS12
server.ssl.trust-store-password=07123e1f482356c415f684407
# <=====================>

The Keystore is the container of the Public - Private Key pair that is used by the server to communicate securely with the clients. The client of course must have the Public Key to be able to communicate with the server.

The Trust Store is simply a container for the certificates (the Public Keys). In our case it will contain only one certificate, the one used by the server.

2.1 Create the keystore with the Java keytool:

keytool -genkeypair -alias alias -keyalg RSA -keysize 2048 -storetype PKCS12 -keystore keystore.p12 -validity 3650

2.2 Export the certificate so we can use it to create the Trust Store Keystore:

keytool -export -keystore keystore.p12 -alias alias -file certificate.cer

2.3 This step will automatically create a new keystore with the imported trusted certificate. (The tool will ask you for a password for the new keystore, and when it asks "Trust this certificate?" of course you should type "yes".)

keytool -importcert -file certificate.cer -keystore trust_store.p12 -alias alias

Finally save both keystores inside the resources folder of your Spring Boot App (as shown in the alternative approach).

Alternative approach with KeyStore Explorer

2.1 Create the keystore with the KeyStore Explorer, as shown in the screenshots: [screenshots omitted]

Then save the keystore inside the resources folder of your Spring Boot App: [screenshot omitted]

2.2 Now we need to create the trust store, that can be given to the client that needs to communicate with our server. First of all extract the certificate chain created by the KeyStore Explorer and then create a new KeyStore importing the certificate inside it, as shown in the screenshots:

[screenshots omitted]

Then, to create our trust store, click on "Create a new KeyStore" with the PKCS12 format as in the previous steps, then click the red icon "Import trusted certificate", choose the certificate saved in the preceding step, and finally save the keystore inside the resources folder like we did in the first keystore creation.

Now your server will be enabled to communicate with SSL security. Remember that your clients must be configured to load the trust store you've created.
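The client side of the last sentence, as an added example that is not from the answer: a Java client whose only trust anchors are the certificates in the trust_store.p12 built in step 2.3, using the trust-store password and port 8443 from this page; the URL https://localhost:8443/ is an assumption.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.net.URL;
import java.security.KeyStore;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

/** Client that trusts only the server certificate exported to trust_store.p12 (added example). */
public class TrustStoreClient {

    /** Builds an SSLContext whose trust anchors come solely from the given PKCS12 trust store. */
    static SSLContext contextFor(String trustStorePath, char[] trustStorePass) throws Exception {
        KeyStore trustStore = KeyStore.getInstance("PKCS12");
        try (InputStream in = new FileInputStream(trustStorePath)) {
            trustStore.load(in, trustStorePass);
        }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);                           // trust anchors = entries of trust_store.p12, nothing else
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);   // no client key, default secure random
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        // password and port as used on this page; the path assumes trust_store.p12 is in the working directory
        SSLContext ctx = contextFor("trust_store.p12", "07123e1f482356c415f684407".toCharArray());
        HttpsURLConnection conn = (HttpsURLConnection) new URL("https://localhost:8443/").openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        // Hostname verification stays enabled, so the server certificate must name "localhost"
        // (via -ext san=dns:localhost as in the 2.2.1 answer, or CN=localhost in -dname).
        System.out.println("HTTP " + conn.getResponseCode() + " over " + conn.getCipherSuite());
    }
}
```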

I had the same problem. I made the changes from the 2nd answer. But the problem wasn't gone. After all I'd done, I just included my keystore.p12 certificate in pom.xml in the profiles section:

<profiles>
    <!-- DEVELOPMENT PROFILE -->
    <profile>
        <id>dev</id>
        <activation>
            <activeByDefault>true</activeByDefault>
        </activation>
        <build>
            <resources>
                <resource>
                    <directory>src/main/resources</directory>
                    <includes>
                        <include>application.properties</include>
                        <include>keystore.p12</include>
                        <include>data/**</include>
                    </includes>
                </resource>
            </resources>
        </build>
    </profile>
</profiles>
