Tomcat SSL certificate authority invalid


Problem description

Tried asking before but wasn't too good at it, so here's attempt two.

I'm trying to get SSL running on a Tomcat 7 server under RHEL. Server works fine under HTTP, but when I try to access it with HTTPS, I get this error.

Looking into it further, Chrome tells me this.

Did some research. Added the certs to /etc/pki/ca-trust/source/anchors, ran update-ca-trust, still the same problem. Tried rebuilding the keystore from scratch and changing up the order in which they were imported, still nothing.

Here's what's currently in my keystore:

root, Dec 29, 2017, trustedCertEntry,
tomcat, Dec 29, 2017, PrivateKeyEntry,
intermed, Dec 29, 2017, trustedCertEntry,
crm2.mydomain.org, Jan 3, 2018, trustedCertEntry,

And what's in my server.xml:

<Connector
       port="443" maxThreads="200"
       scheme="https" secure="true" SSLEnabled="true"
       keystoreFile="/opt/apache-tomcat-7.0.82/conf/store" keystorePass=[pass]
       clientAuth="false" sslProtocol="TLS"/>

Other information:

Certs obtained from GoDaddy. Used the guide for installation here.

GoDaddy SSL checker says I'm missing the intermediate certificate.

Tomcat version 7

RHEL 7.4

Java 1.8

Any help is appreciated.

Recommended answer

It's hard to be certain, but you appear to have NOT correctly followed the instructions you cite. Your keystore shows a trustedCertEntry with an alias that looks like a redaction of your domain name; this suggests you imported your server cert to that entry and not to the PrivateKeyEntry named 'tomcat'.

Quoting from the page you linked, emphasis added:

To Install Your SSL [they clearly mean SSL/TLS Server Certificate] in Tomcat

  1. Install the root certificate by running the following command:
    keytool -import -alias root -keystore tomcat.keystore -trustcacerts -file [name of the root certificate]
  2. Install the intermediate certificate by running the following command:
    keytool -import -alias intermed -keystore tomcat.keystore -trustcacerts -file [name of the intermediate certificate]
  3. Install the issued certificate [for your server] into the keystore by running the following command:
    keytool -import -alias tomcat -keystore tomcat.keystore -trustcacerts -file [name of the certificate]

On step 3 the alias is 'tomcat' which is the same alias you used for the -genkey[pair] and -certreq steps earlier in the procedure, NOT the name of your domain which typically is also the name of the file containing your server/EE cert.

To verify the correct procedure, keytool's response to commands 1 and 2 should be

 Certificate was added to keystore 

but the response to command 3 should be DIFFERENT:

 Certificate reply was installed in keystore

However, if you have 'rebuil[t] the keystore from scratch' and that includes generating a new keypair after obtaining the cert, the cert is now worthless and unusable and this procedure will not work; it will instead say something like

 Public keys in reply and keystore don't match 

The cert that a server uses must match the private key, so this means you must follow the sequence specified in that page, and billions of other places: generate the keypair, then generate the CSR for that keypair, then get the CA to issue a cert from that CSR, then import that cert into the same keystore and alias, with its chain certs available either in the reply (as some CAs do, often with 'p7b' format) or elsewhere in the truststore (as GoDaddy apparently does).

Effectively a dupe of Import CA signed certificates to JKS for a different CA.
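As an added example that is not part of the original answer or of Tomcat's or GoDaddy's own tooling, the following Java helper loads a JKS like the one in the question through java.security.KeyStore and reports the inconsistencies the answer describes: a PrivateKeyEntry that still carries only its self-signed placeholder, a trustedCertEntry whose public key equals that private key (the issued cert imported under the wrong alias), and a served chain that does not end at a root. The class name is hypothetical; the keystore path and password come from the command line.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.List;

public class KeystoreAudit {
    /** Returns one finding per problem; an empty list means the key entries look consistent. */
    public static List<String> audit(KeyStore ks) throws Exception {
        List<String> findings = new ArrayList<>();
        List<String> aliases = Collections.list(ks.aliases());
        for (String alias : aliases) {
            if (!ks.isKeyEntry(alias)) continue;
            Certificate[] chain = ks.getCertificateChain(alias);
            X509Certificate leaf = (X509Certificate) chain[0];
            X509Certificate last = (X509Certificate) chain[chain.length - 1];
            // -genkeypair stores a self-signed placeholder; keytool replaces it with the CA chain
            // only when the reply is imported under this same alias.
            if (chain.length == 1 && leaf.getSubjectX500Principal().equals(leaf.getIssuerX500Principal())) {
                findings.add(alias + ": still holds its self-signed placeholder; no CA reply installed");
            }
            // Tomcat sends this chain to clients; if it stops short of a root, browsers and the
            // GoDaddy checker report a missing intermediate.
            if (!last.getSubjectX500Principal().equals(last.getIssuerX500Principal())) {
                findings.add(alias + ": chain does not end at a self-signed root (missing intermediate?)");
            }
            // The mistake in the question: the issued cert imported as a trustedCertEntry under a
            // different alias, so its public key matches this key but Tomcat never serves it.
            byte[] keyPub = leaf.getPublicKey().getEncoded();
            for (String other : aliases) {
                if (!ks.isCertificateEntry(other)) continue;
                X509Certificate t = (X509Certificate) ks.getCertificate(other);
                if (Arrays.equals(keyPub, t.getPublicKey().getEncoded()) && !t.equals(leaf)) {
                    findings.add(other + ": trustedCertEntry carries the public key of '" + alias
                        + "'; re-import that cert with -alias " + alias + " so it replaces the placeholder");
                }
            }
        }
        return findings;
    }

    public static void main(String[] args) throws Exception {
        // Hypothetical usage: java KeystoreAudit /opt/apache-tomcat-7.0.82/conf/store <password>
        KeyStore ks = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(args[0])) {
            ks.load(in, args[1].toCharArray());
        }
        audit(ks).forEach(System.out::println);
    }
}
```

Run against the keystore listed in the question, the third check fires for the crm2.mydomain.org entry while the 'tomcat' entry is flagged as a bare placeholder, which is exactly the state the answer infers.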
