在SSL上访问JIRA时获取空白文件 [英] Getting a blank file when accessing JIRA on SSL
问题描述
我在JIRA上遇到SSL问题.我已按照说明在Ubuntu上设置Jira + SSL,但访问 http://domain.com时却得到了一个空白文件:8443/
I'm stuck on a SSL problem with JIRA. I've followed the instructions to setup Jira+SSL on Ubuntu but am getting a blank file when accessing http://domain.com:8443/
在空白文件中,我可以看到这些
In the blank file I can see these
1503 0300 0202 0a
1503 0300 0202 0a
我不确定我能做些什么,卡塔琳娜州日志不会报告任何问题.
I'm not sure what I can do the catalina logs don't report any problems.
推荐答案
如何添加SSL证书以保护JIRA安装:
假设:
- JIRA在Linux机器上的端口8080或其他打开的端口上运行
- JIRA使用的是tomcat服务器,并且独立于Apache HTTP Server
- 生成CSR和密钥后,您已经具有有效的CA签名的根证书和证书链.
- Apache HTTP Server配置中未启用反向代理设置
您将在/conf/server.xml中看到一些类似的配置
You will see little bit similar configuration in /conf/server.xml
<Service name="Catalina">
<!-- HTTP Connector with values for scheme, proxyName and proxyPort -->
<Connector port="8080"
acceptCount="100"
scheme="http"
maxThreads="150"
minSpareThreads="25"
connectionTimeout="20000"
enableLookups="false"
maxHttpHeaderSize="8192"
protocol="HTTP/1.1"
useBodyEncodingForURI="true"
disableUploadTimeout="true"/>
<Engine name="Catalina" defaultHost="localhost">
<Host name="localhost" appBase="webapps" unpackWARs="true" autoDeploy="true">
<Context path="" docBase="${catalina.home}/atlassian-jira" reloadable="false" useHttpOnly="true">
<Resource name="UserTransaction" auth="Container" type="javax.transaction.UserTransaction"
factory="org.objectweb.jotm.UserTransactionFactory" jotm.timeout="60"/>
<Manager pathname=""/>
</Context>
</Host>
<Valve className="org.apache.catalina.valves.AccessLogValve"
pattern="%a %{jira.request.id}r %{jira.request.username}r %t "%m %U%q %H" %s %b %D "%{Referer}i" "%{User-Agent}i" "%{jira.request.assession.id}r""/>
</Engine>
</Service>
要添加SSL证书,您首先需要使用keytool java可执行文件在单个实体中包含密钥和根证书.该文件位于/bin/文件夹中.
To Add SSL certificate you first need to include your key and root certificate in a single entity using keytool java executable. This is present in /bin/ folder.
如果要使用keytool导入根证书或不带密钥的链式证书,这里要注意的主要事情是浏览器可能会给出SSL重叠或某些其他与SSL相关的错误.所以第一个要求是 用域密钥导入证书.
The main thing to note here if you use keytool to import the root certificate or chain certificate without key, the browser may give SSL overlap or some different SSL related error. So the first requirement is to import the certificates with domain key.
另一件事,我们需要将key和root .crt文件转换为pkcs12兼容,以便java keytool可以以其自己的格式读取它.否则,您将再次在浏览器上遇到SSL错误.
Another thing we need to convert key and root .crt files into pkcs12 compatible so that java keytool can read it in its own format. Otherwise you will again face SSL errors on browsers.
现在在Linux机器上使用openssl将pkcs格式的密钥和证书组合起来,比如说您在/bin/文件夹中.
Now combine key and certificate in pkcs format using openssl on you Linux Machine, say you are in /bin/ folder.
root @ mail bin]# openssl pkcs12 -export -in/opt/certificate_store/root.crt -inkey/home/certificate_store/domain.key -out server.p12 -name jira_alias -CAfile/home/certificate/gd_bundle.crt -caname根
输入导出密码:
验证-输入导出密码:
此命令将创建一个文件server.p12(u可以给它起任何名字).别忘了别名(U可以提供任何别名,这是一个标识符,可以从列表中获取有关证书的信息,如果有的话)
This command will create a file server.p12 (u can give it any name). Dont forget alias name (U can give any alias name, which is an identifier to get information about certifcate from a list, if any)
[root @ mail bin]#ls
[root@mail bin]# ls
java jjs keytool orbd pack200 policytool rmid rmiregistry server.p12 servertool tnameserv unpack200
java jjs keytool orbd pack200 policytool rmid rmiregistry server.p12 servertool tnameserv unpack200
现在使用keytool将其转换为Java可读
Now use keytool to convert it to java readable
[root @ mail bin]#keytool -importkeystore -deststorepass -destkeypass -destkeystore server.keystore -srckeystore server.p12 -srcstoretype PKCS12 -srcstorepass -alias jira_aliased
(为了对称起见,U可以在任何地方尝试使用相同的密码,需要在server.xml中进一步提供此密码)
(For symmetry, U can try same password every where, this password is required to be given in server.xml further)
以上命令将使用给定的选项创建文件server.keystore
Above command will create a file server.keystore using given options
[root @ mail bin]#ls
[root@mail bin]# ls
java jjs keytool orbd pack200 policytool rmid rmiregistry server.keystore server.p12 servertool tnameserv unpack20
java jjs keytool orbd pack200 policytool rmid rmiregistry server.keystore server.p12 servertool tnameserv unpack20
现在您的证书密钥库已准备好保护JIRA.
Now your certificate keystore is ready to secure JIRA.
打开/conf/server.xml并在旧连接器之后添加以下新连接器
Open /conf/server.xml and Add following new connector after old connector
<!-- Standard HTTPS Connector -->
<Connector
acceptCount="100"
SSLEnabled="true"
connectionTimeout="20000"
disableUploadTimeout="true"
enableLookups="false"
maxHttpHeaderSize="8192"
maxThreads="150"
minSpareThreads="25"
maxSpareThreads="75"
port="<PORT_NUMBER_ON_WHICH_YOU_WANT_TO_RUN_JIRA_ON_SSL>"
protocol="org.apache.coyote.http11.Http11NioProtocol"
scheme="https"
secure="true"
clientAuth="false"
keystoreType="JKS"
keystoreFile="/opt/atlassian/jira/jre/bin/server.keystore"
keystorePass="same password here that you had given in keytool"
useBodyEncodingForURI="true"/>
注释掉旧的HTTP连接器,现在保存server.xml文件并重新启动jira.在指定的端口号上打开您的jira网站,例如:http(s)://domain.com :,检查其是否正常工作. 另外,在Linux控制台上,您可以尝试使用以下命令来检查SSL是否在该端口上运行.
Comment out old HTTP connector, Save server.xml file now and restart jira. Open your jira site on specified port number like : http(s)://domain.com:, check its working or not. Alternatively on linux console you can try following command to check if SSL working on that port.
$ openssl s_client -connect localhost:
$openssl s_client -connect localhost:
它将产生所有证书链,如果工作正常,否则将不显示任何证书,并且将引发错误.
It will produce all certificate chain , if working properly otherwise will not show any certifcate and error will be thrown.
如果您仍然想同时在HTTP和HTTPS上访问JIRA,请打开server.xml文件,取消注释旧的HTTP连接器,然后从HTTP到HTTPS插入一个密码.说您的HTTP连接器正在侦听8080,而HTTPS连接器正在侦听 在端口号9000上,则server.xml连接器应如下所示.
If you still want to access JIRA on both HTTP and HTTPS, open server.xml file , uncomment old HTTP connector and put a forwader from HTTP to HTTPS. say your HTTP connector is listening on 8080 and HTTPS connector is listening on port number 9000, then your server.xml connectors should look like this.
<!-- HTTP Connector with values for scheme, proxyName and proxyPort -->
<!--<Connector port="8080"
acceptCount="100"
scheme="http"
maxThreads="150"
minSpareThreads="25"
connectionTimeout="20000"
enableLookups="false"
maxHttpHeaderSize="8192"
protocol="HTTP/1.1"
useBodyEncodingForURI="true"
redirectPort="9000"
disableUploadTimeout="true"/>-->
<!-- Standard HTTPS Connector -->
<Connector
acceptCount="100"
SSLEnabled="true"
connectionTimeout="20000"
disableUploadTimeout="true"
enableLookups="false"
maxHttpHeaderSize="8192"
maxThreads="150"
minSpareThreads="25"
maxSpareThreads="75"
port="9000"
protocol="org.apache.coyote.http11.Http11NioProtocol"
scheme="https"
secure="true"
clientAuth="false"
keystoreType="JKS"
keystoreFile="/opt/atlassian/jira/jre/bin/server.keystore"
keystorePass="<PASSWORD_HERE>"
useBodyEncodingForURI="true"/>
享受SSL !!
别忘了在/atlassian-jira/WEB-INF/web.xml中添加以下行
Don't Forget to add following lines in /atlassian-jira/WEB-INF/web.xml
<security-constraint>
<web-resource-collection>
<web-resource-name>all-except-attachments</web-resource-name>
<url-pattern>*.jsp</url-pattern>
<url-pattern>*.jspa</url-pattern>
<url-pattern>/browse/*</url-pattern>
<url-pattern>/issues/*</url-pattern>
</web-resource-collection>
<user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
</security-constraint>
这篇关于在SSL上访问JIRA时获取空白文件的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
