Install SSL on EC2 Tomcat server


Question

I'm trying to get a CA cert/SSL working on an AWS EC2 instance with Ubuntu and Tomcat 7.0.52. Browsers fail to connect. Here are the steps I went through:

keytool -genkey -alias mydomain -keyalg RSA -keystore mydomain.keystore -keysize 2048
<fill out information>

keytool -certreq -keyalg RSA -alias mydomain -file certreq.csr -keystore ../mydomain.keystore

submit csr to ssls.com/Geotrust, and receive back: bundle.crt www.mydomain.net.crt

import the certificates into the keystore:

keytool -import -trustcacerts -alias root -keystore ../mydomain.keystore -file bundle.crt
keytool -import -alias mydomain -keystore ../mydomain.keystore -file www.mydomain.net.crt

next, update $TOMCAT_HOME/config/server.xml:

<Connector port="8080" protocol="HTTP/1.1"
       connectionTimeout="20000"
       redirectPort="443" />
<Connector port="8443" SSLEnabled="true"
       maxThreads="150" scheme="https" secure="true"
       keystoreFile="/home/ubuntu/mydomain.keystore" 
       keystorePass="xxxxxxx"
       clientAuth="false" sslProtocol="TLS" />

and restart tomcat.

EC2 instance security groups are set up to allow ports 80 and 443.

iptables changes made to redirect 80->8080 and 443->8443:

sudo iptables -t nat -n -L PREROUTING --line-numbers
Chain PREROUTING (policy ACCEPT)
num  target     prot opt source               destination         
1    REDIRECT   tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:443 redir ports 8443
2    REDIRECT   tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:80 redir ports 8080

DNS for www.mydomain.net is not yet in place, so I'm currently testing with a modified /etc/hosts:

54.200.126.130  www.mydomain.net
54.200.126.130  mydomain.net

sslscan does not return any valid ciphers. They are all listed as "Rejected".

openssl test:

openssl s_client -connect www.mydomain.net:443
CONNECTED(00000003)
64007:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:602:

Switching to a self-signed cert generated with keytool works fine (other than the obligatory browser warning). So it seems the issue must be with the certs and/or keystore, but I'm not sure what the issue is.

Answer

Tomcat assumes a keystore alias of "tomcat" unless you specify the keyAlias attribute on the Connector. Just add keyAlias=mydomain, or rename your alias to "tomcat" with the keytool.
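The mismatch the answer describes is easy to check before restarting Tomcat: list the keystore, find the entries that actually hold a private key, and compare against the alias the Connector will look up (keyAlias, or "tomcat" when the attribute is absent). The script below is an added example, not code from the question or the answer. It assumes the listing is the text printed by `keytool -list -keystore mydomain.keystore`; both the listing and the two Connector snippets are constructed inline so the check runs offline, with the asker's Connector as posted beside the same Connector with keyAlias added.

```shell
# Added example (not from the original post): cross-check the alias Tomcat
# will look up against the aliases actually present in the JSSE keystore.
# Assumption: the listing is `keytool -list -keystore ...` (non-verbose) output.

# Constructed sample listing for the asker's keystore: the CA bundle under
# "root" (a trustedCertEntry) and the server key under "mydomain".
KEYTOOL_LISTING='Keystore type: JKS
Keystore provider: SUN

Your keystore contains 2 entries

root, Jan 1, 2014, trustedCertEntry,
Certificate fingerprint (SHA1): 00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33
mydomain, Jan 1, 2014, PrivateKeyEntry,
Certificate fingerprint (SHA1): FF:EE:DD:CC:BB:AA:99:88:77:66:55:44:33:22:11:00:FF:EE:DD:CC'

# The Connector as posted in the question: no keyAlias, so Tomcat defaults to "tomcat".
BROKEN_CONNECTOR='<Connector port="8443" SSLEnabled="true"
       maxThreads="150" scheme="https" secure="true"
       keystoreFile="/home/ubuntu/mydomain.keystore"
       keystorePass="xxxxxxx"
       clientAuth="false" sslProtocol="TLS" />'

# The same Connector with the fix from the answer applied.
FIXED_CONNECTOR='<Connector port="8443" SSLEnabled="true"
       maxThreads="150" scheme="https" secure="true"
       keystoreFile="/home/ubuntu/mydomain.keystore"
       keystorePass="xxxxxxx" keyAlias="mydomain"
       clientAuth="false" sslProtocol="TLS" />'

# Print the alias of every PrivateKeyEntry in a keytool listing, one per line.
# Only PrivateKeyEntry entries carry a key Tomcat can serve with; a
# trustedCertEntry such as "root" never does.
private_key_aliases() {
    printf '%s\n' "$1" | awk -F', ' '/PrivateKeyEntry/ { print $1 }'
}

# Extract keyAlias="..." from a Connector snippet; print Tomcat's default
# "tomcat" when the attribute is absent.
connector_key_alias() {
    ka=$(printf '%s\n' "$1" | sed -n 's/.*keyAlias="\([^"]*\)".*/\1/p' | head -n 1)
    printf '%s\n' "${ka:-tomcat}"
}

# Return 0 when the alias the Connector will use names a PrivateKeyEntry in
# the listing, 1 otherwise (the state behind the handshake failure above).
check_alias() {
    wanted=$(connector_key_alias "$2")
    private_key_aliases "$1" | grep -qx "$wanted"
}

# Stand-alone run: report the verdict for both Connectors.
for name in BROKEN_CONNECTOR FIXED_CONNECTOR; do
    eval "conn=\$$name"
    if check_alias "$KEYTOOL_LISTING" "$conn"; then
        echo "$name: keyAlias '$(connector_key_alias "$conn")' is a PrivateKeyEntry in the keystore"
    else
        echo "$name: keyAlias '$(connector_key_alias "$conn")' has no PrivateKeyEntry in the keystore"
    fi
done
```

To run it against a real keystore, replace the constructed listing with `KEYTOOL_LISTING=$(keytool -list -keystore /home/ubuntu/mydomain.keystore)` and the snippet with the Connector element from server.xml; the keystore password is prompted for by keytool and never needs to appear in the script.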
