我正在使用 JDK 1.6、tomcat 7.0.32 和 Red Hat Linux。
我需要帮助在我的本地 tomcat 实例上设置 SSL。
看了tomcat 7官网的说明后:
[url=http://tomcat.apache.org/tomcat-7.0-doc/ssl-howto.html]http://tomcat.apache.org/tomcat-7.0-doc/ssl-howto.html[/网址]
我遵循了这样的指示:
(1) cd $CATALINA_HOME/conf
(2) 创建证书并将其存储在新的 keystore 中。
keytool -genkey -alias tomcat -keyalg RSA -keystore keystore.jks
(3) 取消注释 Tomcat 的 conf/server.xml 中的 SSL 连接器配置,指定您的 keystore 文件和密码。
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
maxThreads="150" scheme="https" secure="true"
clientAuth="false" sslProtocol="TLS"
keystoreFile="./conf/keystore.jks"
keystorePass="mypassword"
/>
(4) 从 keystore 中导出证书。
keytool -exportcert -alias tomcat -file tomcat.crt -keystore keystore.jks
当我尝试(这应该是第 5 步)将证书导入信任库时。
keytool -importcert -alias tomcat -file tomcat.crt -trustcacerts -keystore $JAVA_HOME/jre/lib/security/cacerts
我收到以下输入密码的提示(之后我输入“mypassword”): 输入 keystore 密码:
keytool error: java.io.IOException: Keystore was tampered with, or password was incorrect
(顺便说一句,我忽略了这一步,因为我在 Google 上找到了它,但没有在官方 Tomcat7-SSL-Howto 文档中找到 - 如果有必要,请告诉我)。
我的完整 server.xml 文件(位于 $CATALINA_HOME/conf 下):
<?xml version="1.0" encoding="UTF-8"?>
<Server port="8005" shutdown="SHUTDOWN">
<Listener SSLEngine="on" className="org.apache.catalina.core.AprLifecycleListener"/>
<Listener className="org.apache.catalina.core.JasperListener"/>
<Listener className="org.apache.catalina.core.JreMemoryLeakPreventionListener"/>
<Listener className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener"/>
<Listener className="org.apache.catalina.core.ThreadLocalLeakPreventionListener"/>
<GlobalNamingResources>
<Resource auth="Container"
description="User database that can be updated and saved"
factory="org.apache.catalina.users.MemoryUserDatabaseFactory"
name="UserDatabase"
pathname="conf/tomcat-users.xml"
type="org.apache.catalina.UserDatabase"/>
</GlobalNamingResources>
<Service name="Catalina">
<Connector connectionTimeout="20000" port="8080" protocol="HTTP/1.1" redirectPort="8443"/>
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
maxThreads="150" scheme="https" secure="true"
clientAuth="false" sslProtocol="TLS"
keystoreFile="./conf/keystore.jks"
keystorePass="mypassword"
/>
<Connector port="8009" protocol="AJP/1.3" redirectPort="8443"/>
<Engine defaultHost="localhost" name="Catalina">
<Realm className="org.apache.catalina.realm.LockOutRealm">
<Realm className="org.apache.catalina.realm.UserDatabaseRealm" resourceName="UserDatabase"/>
</Realm>
<Host appBase="webapps" autoDeploy="true" name="localhost" unpackWARs="true">
<Valve className="org.apache.catalina.valves.AccessLogValve"
directory="logs"
pattern="%h %l %u %t "%r" %s %b"
prefix="localhost_access_log."
suffix=".txt"/>
</Host>
</Engine>
</Service>
</Server>
Tomcat 的服务器输出:
INFO: Initializing ProtocolHandler ["http-bio-8080"]
Dec 17, 2012 5:17:59 PM org.apache.coyote.AbstractProtocol init
INFO: Initializing ProtocolHandler ["http-bio-8443"]
Dec 17, 2012 5:17:59 PM org.apache.coyote.AbstractProtocol init
INFO: Initializing ProtocolHandler ["ajp-bio-8009"]
Dec 17, 2012 5:43:08 PM org.apache.catalina.startup.Catalina start
Dec 17, 2012 5:43:08 PM org.apache.coyote.AbstractProtocol start
INFO: Starting ProtocolHandler ["http-bio-8080"]
Dec 17, 2012 5:43:08 PM org.apache.coyote.AbstractProtocol start
INFO: Starting ProtocolHandler ["http-bio-8443"]
Dec 17, 2012 5:43:08 PM org.apache.coyote.AbstractP
INFO: Server startup in 9611 ms
当我进入我的 bash shell 并输入:
curl -X GET https://localhost:8443
我得到以下错误输出:
curl: (60) Peer certificate cannot be authenticated with known CA certificates
More details here: http://curl.haxx.se/docs/sslcerts.html
curl performs SSL certificate verification by default, using a "bundle"
of Certificate Authority (CA) public keys (CA certs). If the default
bundle file isn't adequate, you can specify an alternate file
using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
the bundle, the certificate verification probably failed due to a
problem with the certificate (it might be expired, or the name might
not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
the -k (or --insecure) option.
我是不是漏掉了一步?
我只想在 Tomcat 7 上启用 SSL 并使用 curl 对其进行测试。
如果有人能指出正确的方向,我将不胜感激。
最佳答案
要导入证书,您应该尝试“更改它”,这是 cacerts keystore 的默认密码
关于linux - 如何在 Linux 上的 Tomcat 7 上启用 SSL 并使用 curl 进行测试?,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/13925146/