I'm trying to renew a certificate that expired earlier this month, and I can't seem to get it working.
What I did, step by step:
keytool -certreq -keyalg RSA -alias tomcat -file csr.csr -keystore tomcat.keystore
keytool -delete -alias root -keystore tomcat.keystore
(this was also done for the intermediate and tomcat aliases) keytool -import -alias root -keystore tomcat.keystore -trustcacerts -file newrootfile.crt
(again, I did this for intermed and tomcat as well) server.xml
(it still points to the correct keystore, since I reused the one) (the server is a VM with a saved state, so when I break it I can go back to when it worked). With the old SHA1 (expired):
$ openssl s_client -connect myhost:443
CONNECTED(00000003)
---
Certificate chain
...
...
-----BEGIN CERTIFICATE-----
...
...
-----END CERTIFICATE-----
.....
.....
----
No client certificate CA names sent
----
SSL handshake has read 4586 bytes and written 461 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA256
server public key is 2048 bit
....
SSL-Session:
Protocol : TLSv1.2
Cipher : DHE-RSA-AES256-SHA256
....
Verify return code: 10 (certificate has expired)
---
closed
With the new SHA2:
$ openssl s_client -connect myhost:443
CONNECTED(00000003)
140219291584328:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:741
---
no peer certificate available
--
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 263 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation is NOT supported
Compression: NONE
Expansion: NONE
In server.xml:
<Server port="8005" shutdown="SHUTDOWN">
<Listener className="org.apache.catalina.security.SecurityListener" />
<Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" />
<Listener className="org.apache.catalina.core.JasperListener" />
<Listener className="org.apache.catalina.core.JreMemoryLeakPreventionListener" />
<Listener className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener" />
<Listener className="org.apache.catalina.core.ThreadLocalLeakPreventionListener" />
<GlobalNamingResources>
<Resource name="UserDatabase" auth="Container" type="org.apache.catalina.UserDatabase" description="User database that can be updated and saved" factory="org.apache.catalina.users.MemoryUserDatabaseFactory" pathname="path/to/users" />
</GlobalNamingResources>
<Service name="Catalina">
<Connector executor="tomcatThreadPool" port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="443" />
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
maxThreads="200" scheme="https" secure="true" clientAuth="false"
sslProtocol="TLS" keystoreFile="path/to/keystore"
keystorePass="mykeystorepass" compression="on" />
Everything was set up by a previous developer before I started years ago, so I'm assuming he set up server.xml correctly, since it has been working for the past two years.
Any ideas on how to fix this?
Answer 0 (score: 1)
Oh my gosh, I feel stupid. I thought that when creating the keystore, when it asks for the tomcat password, it wanted my tomcat admin password. Nope, just keep it the same as the keystore password.
Also, gdroot-g2.crt is the correct crt needed for the root alias; you can get it from their repository.
For some reason GoDaddy gives you a bundle.
It was a dumb mistake.
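The renewal steps from the question and the fix from the answer, put together as an added example (this is not code from the original post). It assumes the names used in the thread (tomcat.keystore, alias tomcat, newrootfile.crt) plus assumed file names intermediate.crt and tomcat.crt for the other two certificates, and the environment variables STOREPASS (keystore password) and OLDKEYPASS (the key password chosen when the key pair was created). renew_keystore re-imports the chain and then sets the private-key password equal to the keystore password, which is the mismatch the answer describes: a JSSE connector with only keystorePass set uses that value for the key as well, so a different key password means the key cannot be loaded, Tomcat presents no certificate, and clients get the "sslv3 alert handshake failure" seen above. check_listing is an offline check over `keytool -list -v` output (a constructed sample is embedded) that the alias holds a PrivateKeyEntry with a full chain, and verify_tls repeats the openssl check from the question against the new root.

```shell
#!/bin/sh
# Added example, not from the original post. Assumed: tomcat.keystore, alias
# "tomcat", files newrootfile.crt / intermediate.crt / tomcat.crt, and the
# environment variables STOREPASS and OLDKEYPASS.
set -u

KEYSTORE="${KEYSTORE:-tomcat.keystore}"
ALIAS="${ALIAS:-tomcat}"
STOREPASS="${STOREPASS:-PLACEHOLDER_STORE_PASSWORD}"   # placeholder, export before use
OLDKEYPASS="${OLDKEYPASS:-$STOREPASS}"                # key password set at -genkeypair time

# Re-import the renewed chain, then make the key password equal to the store
# password so a connector that only sets keystorePass can load the key.
renew_keystore() {
    keytool -delete -alias root -keystore "$KEYSTORE" -storepass "$STOREPASS" 2>/dev/null || true
    keytool -importcert -noprompt -trustcacerts -alias root -file newrootfile.crt \
        -keystore "$KEYSTORE" -storepass "$STOREPASS"
    keytool -importcert -noprompt -trustcacerts -alias intermed -file intermediate.crt \
        -keystore "$KEYSTORE" -storepass "$STOREPASS"
    # The signed leaf goes under the same alias as the key pair that produced the CSR.
    keytool -importcert -noprompt -trustcacerts -alias "$ALIAS" -file tomcat.crt \
        -keystore "$KEYSTORE" -storepass "$STOREPASS"
    keytool -keypasswd -alias "$ALIAS" -keystore "$KEYSTORE" -storepass "$STOREPASS" \
        -keypass "$OLDKEYPASS" -new "$STOREPASS"
}

# check_listing ALIAS MIN_CHAIN_LENGTH: reads `keytool -list -v` output on stdin
# and fails unless ALIAS is a PrivateKeyEntry whose chain has at least
# MIN_CHAIN_LENGTH certificates (root + intermediate + leaf = 3).
check_listing() {
    awk -v alias="$1" -v want="$2" '
        /^Alias name:/               { cur = $3 }
        /^Entry type:/               { type[cur] = $3 }
        /^Certificate chain length:/ { len[cur] = $4 }
        END {
            if (type[alias] != "PrivateKeyEntry") { print "no PrivateKeyEntry for " alias; exit 1 }
            if (len[alias] + 0 < want + 0)        { print "chain length " len[alias] " < " want; exit 1 }
            print "ok: " alias " is a PrivateKeyEntry with chain length " len[alias]
        }'
}

# verify_tls HOST: the same openssl check as in the question, anchored to the
# new root so an expired or missing chain shows up as a non-zero verify code.
verify_tls() {
    openssl s_client -connect "$1:443" -servername "$1" -CAfile newrootfile.crt </dev/null 2>/dev/null \
        | grep -q 'Verify return code: 0 (ok)'
}

# Constructed sample of `keytool -list -v` output, trimmed to the lines the
# check reads; the real listing is much longer.
SAMPLE_LISTING='Keystore type: JKS
Alias name: tomcat
Creation date: Jan 1, 2016
Entry type: PrivateKeyEntry
Certificate chain length: 3
Certificate[1]:
Owner: CN=myhost
Alias name: root
Entry type: trustedCertEntry
Owner: CN=Example Root CA - G2'

# Stand-alone run: check the constructed listing. On a real box use
#   keytool -list -v -keystore "$KEYSTORE" -storepass "$STOREPASS" | check_listing "$ALIAS" 3
printf '%s\n' "$SAMPLE_LISTING" | check_listing "$ALIAS" 3
```

After renew_keystore, restart Tomcat and run verify_tls myhost; if check_listing passes but verify_tls still fails, the connector is not reading this keystore (compare keystoreFile in server.xml with the path you imported into, and note the connector above listens on 8443 while the openssl check targets 443).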