Debian 9 Tomcat 9 Let's Encrypt SSL config

It drives me nuts now.

I have created symlinks to the PEM files. I made the PEM files readable for the tomcat user. I set the server.xml to use SSL. And the connector fails to start.

<Connector port="8443"
               protocol="org.apache.coyote.http11.Http11NioProtocol"
               maxThreads="200"
               scheme="https"
               secure="true"
               SSLEnabled="true"
               clientAuth="false"
               sslProtocol="TLS"
               sslImplementationName="org.apache.tomcat.util.net.openssl.OpenSSLImplementation"
               defaultSSLHostConfigName="mydomain.com"
    >
        <SSLHostConfig hostName="mydomain.com" protocols="+TLSv1,+TLSv1.1,+TLSv1.2">
            <Certificate
                certificateKeyFile="conf/privkey.pem"
                certificateFile="conf/cert.pem"
                certificateChainFile="conf/chain.pem"
                type="UNDEFINED"
            />
        </SSLHostConfig>
    </Connector>

I did try to change the type to RSA, to no avail. All I see in the log is:

02-Jan-2021 17:40:54.398 INFO [main] org.apache.coyote.AbstractProtocol.init Initializing ProtocolHandler ["https-openssl-nio-8443"]
02-Jan-2021 17:40:54.466 SEVERE [main] org.apache.catalina.util.LifecycleBase.handleSubClassException Failed to initialize component [Connector[HTTP/1.1-8443]]
        org.apache.catalina.LifecycleException: Protocol handler initialization failed
                at org.apache.catalina.connector.Connector.initInternal(Connector.java:1013)
                ... some lines removed
                at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:473)
        Caused by: java.lang.IllegalArgumentException
                at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:99)
                ... some lines are removed
                at org.apache.catalina.connector.Connector.initInternal(Connector.java:1010)
                ... 13 more
        Caused by: java.io.IOException
                at org.apache.tomcat.util.net.SSLUtilBase.getKeyManagers(SSLUtilBase.java:302)
                at org.apache.tomcat.util.net.openssl.OpenSSLUtil.getKeyManagers(OpenSSLUtil.java:98)
                at org.apache.tomcat.util.net.SSLUtilBase.createSSLContext(SSLUtilBase.java:247)
                at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:97)
                ... 20 more

I've checked the SSLUtilBase.java code (tomcat 9.0.33):

            if (certificate.getCertificateFile() == null) {
                throw new IOException(sm.getString("jsse.noCertFile"));
            }

I did try to copy the files instead of using symlinks. No avail. Removed the comments from the cert files. No avail. It seems tomcat cannot find the files I've specified in the server.xml.

What am I missing?

Whenever you use one of the deprecated properties on a connector, Tomcat creates an <SSLHostConfig> element with hostName="_default_" and a <Connector> element inside it. The error is caused by the lack of the certificateFile on this particular element.

Remove the deprecated attributes (clientAuth, sslProtocol) from the <Connector> element and everything should work.

    <Connector port="8443"
               protocol="org.apache.coyote.http11.Http11NioProtocol"
               SSLEnabled="true"
               sslImplementationName="org.apache.tomcat.util.net.openssl.OpenSSLImplementation"
               defaultSSLHostConfigName="mydomain.com">
        <SSLHostConfig hostName="mydomain.com" protocols="TLSv1+TLSv1.1+TLSv1.2">
            <Certificate
                certificateKeyFile="conf/privkey.pem"
                certificateFile="conf/cert.pem"
                certificateChainFile="conf/chain.pem"
                type="UNDEFINED"
            />
        </SSLHostConfig>
    </Connector>

Remark: the sslProtocol attribute is a characteristic of JSSE and should always be left at the default value (TLS).
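As an added example (not code from the question or from either answer), here is a small Python linter that applies this answer's diagnosis to a server.xml: for every SSLEnabled Connector it flags connector-level attributes that Tomcat 9 documents as deprecated (these are what make Tomcat build the implicit "_default_" SSLHostConfig that carries no certificate), the TLS 1.0/1.1 protocols that both connector examples on this page enable, certificate paths given relative to CATALINA_BASE, and keystore passwords stored in clear text in server.xml, as in the keystore connector of the second answer. Assumptions: the deprecated-attribute list is a subset of the Tomcat 9 Connector documentation, the expansion of "all" to TLSv1.2+TLSv1.3 reflects current 9.0.x defaults, the CATALINA_BASE path /usr/local/tomcat9 is taken from the second answer, and the hardened connector and the placeholder password "changeit" are my own.

```python
"""Lint the SSL connectors of a Tomcat 9 server.xml (added example, not page code)."""
import os
import re
import xml.etree.ElementTree as ET

# Subset of connector-level SSL attributes the Tomcat 9 Connector docs list as deprecated.
# Any of them makes Tomcat build an implicit SSLHostConfig named "_default_" that has
# no certificate, hence "jsse.noCertFile" at startup.
DEPRECATED_CONNECTOR_SSL_ATTRS = {
    "clientAuth", "sslProtocol", "sslEnabledProtocols", "ciphers", "keyAlias",
    "keyPass", "keystoreFile", "keystorePass", "keystoreType", "keystoreProvider",
    "truststoreFile", "truststorePass", "truststoreType", "sessionCacheSize",
    "sessionTimeout", "useServerCipherSuitesOrder",
}
WEAK_PROTOCOLS = {"SSLv2", "SSLv3", "SSLv2Hello", "TLSv1", "TLSv1.1"}
ALL_PROTOCOLS = {"TLSv1.2", "TLSv1.3"}  # assumed expansion of "all" (current 9.0.x)
PASSWORD_ATTRS = ("keystorePass", "keyPass", "truststorePass", "truststorePassword",
                  "certificateKeystorePassword", "certificateKeyPassword")
PATH_ATTRS = ("keystoreFile", "truststoreFile", "certificateKeyFile",
              "certificateFile", "certificateChainFile", "certificateKeystoreFile")


def parse_protocols(value):
    """Mirror SSLHostConfig.setProtocols: split before ',', '+' or '-'; bare or '+'
    enables, '-' disables. So "+TLSv1,+TLSv1.1,+TLSv1.2" (question) and
    "TLSv1+TLSv1.1+TLSv1.2" (answer) enable the same three protocols."""
    enabled = set()
    for token in re.split(r"(?=[-+,])", value):
        token = token.strip()
        if len(token) < 2:  # Tomcat ignores empty and single-character tokens
            continue
        op, name = token[0], token[1:].strip()
        if op not in "+-,":
            op, name = "+", token
        names = ALL_PROTOCOLS if name.lower() == "all" else {name}
        enabled = enabled - names if op == "-" else enabled | names
    return enabled


def lint_server_xml(xml_text, catalina_base="/usr/local/tomcat9"):
    """Return (port, kind, detail) findings for each SSLEnabled Connector. Relative
    paths are reported resolved against CATALINA_BASE, which is how Tomcat resolves them."""
    findings = []
    for conn in ET.fromstring(xml_text).iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue
        port = conn.get("port", "?")
        deprecated = sorted(set(conn.attrib) & DEPRECATED_CONNECTOR_SSL_ATTRS)
        host_configs = conn.findall("SSLHostConfig")
        if deprecated and host_configs:  # the situation in the question
            findings.append((port, "implicit-_default_-hostconfig", " ".join(deprecated)))
        elif deprecated:
            findings.append((port, "deprecated-connector-attrs", " ".join(deprecated)))
        certs = [c for hc in host_configs for c in hc.findall("Certificate")]
        for el in [conn, *host_configs, *certs]:
            for attr in PASSWORD_ATTRS:
                # "${name}" is substituted by Tomcat from a JVM system property at
                # startup, so the secret is then not stored in server.xml itself.
                if (value := el.get(attr)) is not None and not value.startswith("${"):
                    findings.append((port, "plaintext-password", attr))
            for attr in PATH_ATTRS:
                if (path := el.get(attr)) is not None and not os.path.isabs(path):
                    resolved = os.path.join(catalina_base, path)
                    findings.append((port, "relative-path", f"{attr}={resolved}"))
        for hc in host_configs:
            weak = parse_protocols(hc.get("protocols", "all")) & WEAK_PROTOCOLS
            if weak:
                findings.append((port, "weak-protocols", " ".join(sorted(weak))))
    return findings


# Constructed sample: the question's connector inside the enclosing elements.
QUESTION_XML = """<Server><Service name="Catalina"><Connector port="8443"
    protocol="org.apache.coyote.http11.Http11NioProtocol" maxThreads="200"
    scheme="https" secure="true" SSLEnabled="true" clientAuth="false" sslProtocol="TLS"
    sslImplementationName="org.apache.tomcat.util.net.openssl.OpenSSLImplementation"
    defaultSSLHostConfigName="mydomain.com">
  <SSLHostConfig hostName="mydomain.com" protocols="+TLSv1,+TLSv1.1,+TLSv1.2">
    <Certificate certificateKeyFile="conf/privkey.pem" certificateFile="conf/cert.pem"
                 certificateChainFile="conf/chain.pem" type="UNDEFINED"/>
  </SSLHostConfig></Connector></Service></Server>"""

# Constructed sample: the keystore connector of the second answer, placeholder password.
KEYSTORE_XML = """<Server><Service name="Catalina"><Connector port="8443"
    protocol="org.apache.coyote.http11.Http11NioProtocol" SSLEnabled="true"
    clientAuth="false" sslProtocol="TLS"
    keystoreFile="/rhdata/sslcert/.keystore" keystorePass="changeit"/></Service></Server>"""

# Assumed hardened form: no connector-level SSL attributes, TLS 1.2/1.3 only, absolute paths.
HARDENED_XML = """<Server><Service name="Catalina"><Connector port="8443"
    protocol="org.apache.coyote.http11.Http11NioProtocol" maxThreads="200"
    SSLEnabled="true" defaultSSLHostConfigName="mydomain.com">
  <SSLHostConfig hostName="mydomain.com" protocols="TLSv1.2+TLSv1.3">
    <Certificate certificateKeyFile="/usr/local/tomcat9/conf/privkey.pem"
                 certificateFile="/usr/local/tomcat9/conf/cert.pem"
                 certificateChainFile="/usr/local/tomcat9/conf/chain.pem" type="RSA"/>
  </SSLHostConfig></Connector></Service></Server>"""

if __name__ == "__main__":
    for label, xml_text in (("question", QUESTION_XML), ("keystore", KEYSTORE_XML),
                            ("hardened", HARDENED_XML)):
        print(label, lint_server_xml(xml_text) or "clean")
```

Running the block reports five findings for the question's connector (the implicit "_default_" host config caused by clientAuth and sslProtocol, the three conf/ paths resolved to /usr/local/tomcat9/conf/, and TLSv1 and TLSv1.1 being enabled), two for the keystore connector (deprecated attributes and a clear-text keystorePass), and "clean" for the hardened one. Because Tomcat substitutes ${name} in server.xml attribute values from JVM system properties, something like certificateKeystorePassword="${keystore.pass}" on the Certificate element with the property set in bin/setenv.sh keeps the password out of server.xml, although it stays readable by anyone who can read setenv.sh or the process command line. The linter only reads the XML; whether the resolved files exist and are readable by the tomcat user is still a separate check (for example sudo -u tomcat test -r /usr/local/tomcat9/conf/privkey.pem).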

I had the same issue with Ubuntu 20.04 and Tomcat 9.0.52.

Tomcat - server.xml - certificateKeyFile

<Connector port="443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           maxThreads="150" SSLEnabled="true" >
    <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
    <SSLHostConfig>
        <Certificate certificateKeyFile="conf/localhost-rsa-key.pem"
                     certificateFile="conf/localhost-rsa-cert.pem"
                     type="RSA" />
    </SSLHostConfig>
</Connector>

I also tried everything that you described above and I also was not able to make the Tomcat Connector with certificateKeyFile work.

Note, on Red Hat Linux 7/8 it works fine though! I only got this issue in Ubuntu 20.04.

The good news is it works fine in Ubuntu 20.04 if you use a keystore instead of the certificateKeyFile.

You will need to create the keystore as the user that runs tomcat, in my case the user named "tomcat", then create the CSR using the keystore, issue the certificate, and import the certificate into the keystore.

--Create the keystore folder and grant the proper permissions:

su - root
mkdir /rhdata/sslcert
chown -R tomcat:tomcat /rhdata/sslcert
su - tomcat
cd /rhdata/sslcert

--Create the PKCS12 keystore (must do the previous step):

su - tomcat
/usr/lib/jvm/java-11-openjdk-amd64/bin/keytool -genkey -alias tomcat -storetype PKCS12 -keyalg RSA -keystore /rhdata/sslcert/.keystore
/usr/lib/jvm/java-11-openjdk-amd64/bin/keytool -genkey -alias tomcat -storetype PKCS12 -keyalg RSA -validity 3600 -keysize 2048 -keystore /rhdata/sslcert/.keystore
Enter keystore password:  key$tom@2021
/usr/lib/jvm/java-11-openjdk-amd64/bin/keytool --list --keystore /rhdata/sslcert/.keystore -storepass 'key$tom@2021'

--Create the CSR:

su - tomcat
/usr/lib/jvm/java-11-openjdk-amd64/bin/keytool -certreq -keyalg RSA -alias tomcat -file /rhdata/sslcert/keytool_cert/certreq.csr -keystore /rhdata/sslcert/.keystore -storepass 'key$tom@2021'

--Create the new certificate from the certificate authority using the CSR

--Import the new certificate into the keystore:

su - tomcat
/usr/lib/jvm/java-11-openjdk-amd64/bin/keytool -import -alias tomcat -keystore /rhdata/sslcert/.keystore -storepass 'key$tom@2021' -file /rhdata/sslcert/keytool_cert/certnew.p7b
/usr/lib/jvm/java-11-openjdk-amd64/bin/keytool -import -alias tomcat -keystore /rhdata/sslcert/.keystore -storepass 'key$tom@2021' -file /rhdata/sslcert/keytool_cert/certnew.cer

--This is the new Tomcat connector:

Tomcat - server.xml - keystore

<Connector
       protocol="org.apache.coyote.http11.Http11NioProtocol"
       port="8443" maxThreads="200"
       scheme="https" secure="true" SSLEnabled="true"
       keystoreFile="/rhdata/sslcert/.keystore" keystorePass="key$tom@2021"
       clientAuth="false" sslProtocol="TLS"/>

--Verify the new Tomcat server.xml file

su - tomcat
cd /usr/local/tomcat9/conf
/usr/local/tomcat9/bin/configtest.sh

--Then, stop/start Tomcat.

su - root
systemctl stop tomcat.service
systemctl start tomcat.service
systemctl status tomcat.service
vi /usr/local/tomcat9/logs/catalina.out   <-- shall not have any errors!!!

Disclaimer: the technical posts on this site are licensed under CC BY-SA 4.0; if you repost them, please cite this site's URL or the original source. For any questions contact yoyou2525@163.com.

© 2020-2024 STACKOOM.COM