java - 使用生成的 keystore 文件的 tomcat https 配置

Question

在开始之前，我只是按照 DZone 中的步骤操作。

Setting Up Tomcal SSL in 5 Minutes

我看过几个类似的教程，但我找不到问题的答案。

问题:

我可以访问 HTTP/8080，但无法访问 HTTPS/8443，它似乎一直在加载。
尝试使用出现错误的 HTTP/8443(如我所料)

我尝试使用 curl 命令:

borgymanotoy@ujease:/home/borgymanotoy$ curl -Iv https://localhost:8443
* Rebuilt URL to: https://localhost:8443/
*   Trying 127.0.0.1...
* Connected to localhost (127.0.0.1) port 8443 (#0)
* found 173 certificates in /etc/ssl/certs/ca-certificates.crt
* found 697 certificates in /etc/ssl/certs
* ALPN, offering http/1.1
* Operation timed out after 300495 milliseconds with 0 out of 0 bytes received
* Closing connection 0
curl: (28) Operation timed out after 300495 milliseconds with 0 out of 0 bytes received

注意:

我按照给定站点中的步骤操作。检查了以下内容:

1) 成功生成.keystore文件。
2) 使用生成的带密码的 keystore 文件的确切路径正确更新 tomcat 的 server.xml，并检查正确的情况。
3)查看tomcat日志，没有发现错误。

有人尝试按照链接中的步骤进行操作，发现错误并修复了吗？

Answer 1

感谢 nandsito 指向最新的 tomcat 指南。

顺便说一下，我使用的是在 Ubuntu Linux 上运行的 Tomcat 8.5。 本教程使用的是 Tomcat 7，因此我遇到了一些连接问题。

我只是在我的 tomcat 的 server.xml 文件上设置了 SSL 连接器设置。

<!-- Define a SSL Coyote HTTP/1.1 Connector on port 8443 -->
<Connector
       protocol="org.apache.coyote.http11.Http11NioProtocol"
       port="8443" maxThreads="200"
       scheme="https" secure="true" SSLEnabled="true"
       keystoreFile="/home/borgymanotoy/.keystore" keystorePass="bilat-savore"
       clientAuth="false" sslProtocol="TLS" />

重新启动我的 tomcat，并尝试 curl 命令:

$ curl -Iv https://localhost:8443

* Rebuilt URL to: https://localhost:8443/
*   Trying ::1...
* Connected to localhost (::1) port 8443 (#0)
* found 173 certificates in /etc/ssl/certs/ca-certificates.crt
* found 694 certificates in /etc/ssl/certs
* ALPN, offering http/1.1
* SSL connection using TLS1.2 / ECDHE_RSA_AES_256_GCM_SHA384
* server certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt CRLfile: none
* Closing connection 0
curl: (60) server certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt CRLfile: none
More details here: https://curl.haxx.se/docs/sslcerts.html

curl performs SSL certificate verification by default, using a "bundle"
 of Certificate Authority (CA) public keys (CA certs). If the default
 bundle file isn't adequate, you can specify an alternate file
 using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
 the bundle, the certificate verification probably failed due to a
 problem with the certificate (it might be expired, or the name might
 not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
 the -k (or --insecure) option.

我现在可以访问 https://localhost:8443/