Certificate installed incorrectly

Time: 2015-08-21 22:48:40

Tags: openssl certificate tomcat7 centos5

We are working on CentOS with the following characteristics:

Operating system: CentOS Linux 5.5, Webmin version 1.510, kernel and CPU: Linux 2.6.18-194.3.1.el5xen on i686, processor info: Intel(R) Xeon(TM) CPU 3.20GHz, 1 core

On this operating system we have Tomcat 7 running several domains, in the path:

Using CATALINA_BASE:   /usr/local/software/tomcat7
Using CATALINA_HOME:   /usr/local/software/tomcat7

We have some applications running.

The key was generated as a PKCS#12 file and converted to a Java KeyStore with keytool:

keytool -importkeystore -deststorepass keystorepass -destkeypass addkeypass -destkeystore myKeyStore.jks -srckeystore serverabcdj0.p12 -srcstoretype PKCS12 -srcstorepass PKCS12pass -alias latiendamiga.com 

CSR generation:

keytool -certreq -alias latiendamiga.com -file csraj0s.txt -keystore myKeyStore.jks

Then I installed the SSL certificate obtained from the CA GoDaddy. This installation was done in the wrong way because of a misunderstanding: I had installed the wrong certificate as root, then I deleted the certificates (root, intermediate and Primary), and afterwards I installed the correct certificates, as can be seen when I list my keystore:

    ***CMD***: keytool -list -keystore myKeyStore.jks

    ***ASW***:Keystore type: JKS
    Keystore provider: SUN

    Your keystore contains 3 entries

    root, Aug 21, 2015, trustedCertEntry,
    Certificate fingerprint (SHA1): XXXXXXX
    tomcat, Aug 21, 2015, trustedCertEntry,
    Certificate fingerprint (SHA1): XXXXXXX
    intermed, Aug 21, 2015, trustedCertEntry,
    Certificate fingerprint (SHA1): XXXXXXX

But when I try to check whether the certificate is working, I get some errors that I don't understand.

My tests of the certificate installation are as follows (command CMD / answer ASW):

    ***CMD***: echo "" | openssl s_client -state -showcerts -connect www.latiendamiga.com:443

    ***ASW***: CONNECTED(00000003)
    SSL_connect:before/connect initialization
    SSL_connect:SSLv2/v3 write client hello A
    4721:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:188:

    ***CMD***: echo "" | openssl s_client -nbio_test -showcerts -connect www.latiendamiga.com:443

    ***ASW***: CONNECTED(00000003)
    write W BLOCK
    write W BLOCK
    write W BLOCK
    write W BLOCK
    write W BLOCK
    write W BLOCK
    4728:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:188:

    ***CMD***: echo "" | openssl s_client -msg -showcerts -connect www.latiendamiga.com:443

    ***ASW***: CONNECTED(00000003)
    >>> SSL 2.0 [length 0077], CLIENT-HELLO
        01 03 01 00 4e 00 00 00 20 00 00 39 00 00 38 00
        00 35 00 00 16 00 00 13 00 00 0a 07 00 c0 00 00
        33 00 00 32 00 00 2f 03 00 80 00 00 05 00 00 04
        01 00 80 00 00 15 00 00 12 00 00 09 06 00 40 00
        00 14 00 00 11 00 00 08 00 00 06 04 00 80 00 00
        03 02 00 80 00 00 ff 93 fc 24 f4 45 d0 ec bf 2d
        3d 4d ae 59 e8 77 1d 6c 04 5f 59 0d 5b 19 a2 c3
        78 74 06 fc ab 4a 72
    4732:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:188:

    ***CMD***: echo "" | openssl s_client -debug -showcerts -connect www.latiendamiga.com:443

    ***ASW***: CONNECTED(00000003)
    write to 0x90372f8 [0x90b5528] (121 bytes => 121 (0x79))
    0000 - 80 77 01 03 01 00 4e 00-00 00 20 00 00 39 00 00   .w....N... ..9..
    0010 - 38 00 00 35 00 00 16 00-00 13 00 00 0a 07 00 c0   8..5............
    0020 - 00 00 33 00 00 32 00 00-2f 03 00 80 00 00 05 00   ..3..2../.......
    0030 - 00 04 01 00 80 00 00 15-00 00 12 00 00 09 06 00   ................
    0040 - 40 00 00 14 00 00 11 00-00 08 00 00 06 04 00 80   @...............
    0050 - 00 00 03 02 00 80 00 00-ff 97 5c 69 fd 61 9d 2e   ..........\i.a..
    0060 - e5 58 60 d5 83 9b 1a 70-ce 3c b2 0e b3 3b 03 31   .X`....p.<...;.1
    0070 - 0d 02 16 09 1f 76 eb d2-7f                        .....v...
    read from 0x90372f8 [0x90baa88] (7 bytes => 0 (0x0))
    4737:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:188:

    ***CMD***: echo "" | openssl s_client -showcerts -showcerts -connect www.latiendamiga.com:443

    ***ASW***: CONNECTED(00000003)
    4742:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:188:

    ***CMD***: echo "" | openssl s_client -key myKeyStore.jks -state -showcerts -connect www.latiendamiga.com:443

    ***ASW***: unable to load client certificate private key file
    4762:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:647:Expecting: ANY PRIVATE KEY
    -bash: echo: write error: Broken pipe

    ***CMD***: echo "" | openssl s_client -verify depth -state -showcerts -connect www.latiendamiga.com:443

    ***ASW***: verify depth is 0
    CONNECTED(00000003)
    SSL_connect:before/connect initialization
    SSL_connect:SSLv2/v3 write client hello A
    4770:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:188:

    ***CMD***: echo "" | openssl s_client -nbio -state -showcerts -connect www.latiendamiga.com:443

    ***ASW***: CONNECTED(00000003)
    turning on non blocking io
    SSL_connect:before/connect initialization
    SSL_connect:SSLv2/v3 write client hello A
    SSL_connect:error in SSLv2/v3 read server hello A
    write R BLOCK
    4774:error:140780E5:SSL routines:SSL23_READ:ssl handshake failure:s23_lib.c:142:

    ***CMD***: openssl s_client -ssl3 -connect www.latiendamiga.com:443 -prexit

    ***ASW***: CONNECTED(00000003)
    4810:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:536:
    ---
    no peer certificate available
    ---
    No client certificate CA names sent
    ---
    SSL handshake has read 0 bytes and written 0 bytes
    ---
    New, (NONE), Cipher is (NONE)
    Secure Renegotiation IS NOT supported
    Compression: NONE
    Expansion: NONE
    SSL-Session:
        Protocol  : SSLv3
        Cipher    : 0000
        Session-ID:
        Session-ID-ctx:
        Master-Key:
        Key-Arg   : None
        Krb5 Principal: None
        Start Time: 1440220364
        Timeout   : 7200 (sec)
        Verify return code: 0 (ok)
    ---

Regarding the environment configuration, it is as follows:

/usr/local/software/tomcat7/conf/server.xml

    <Connector port="80" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="443" />

    <Connector SSLEnabled="true" acceptCount="100" clientAuth="false" disableUploadTimeout="true" enableLookups="false" maxThreads="25" port="443" keystoreFile="/etc/webmin/myKeyStore.jks" keystorePass="mypass" protocol="org.apache.coyote.http11.Http11NioProtocol" scheme="https" secure="true" sslProtocol="TLS" />

    <Connector port="8009" protocol="AJP/1.3" redirectPort="443" />

/usr/local/software/tomcat7/conf/web.xml

    <security-constraint>
        <web-resource-collection>
            <web-resource-name>Automatic SSL Forward</web-resource-name>
            <url-pattern>/*</url-pattern>
        </web-resource-collection>
        <user-data-constraint>
            <transport-guarantee>
                CONFIDENTIAL
            </transport-guarantee>
        </user-data-constraint>
    </security-constraint>

I need some help to understand the errors and what I have to do to solve the problem.

Please, can someone tell me whether there is any documentation where I can search for a solution, or how I can check the errors?

Thanks in advance.

1 answer:

Answer 0 (score: 0)

The problem is that the private key belonging to the SSL certificate is not in the keystore (any more). It only contains three trusted certificate entries, but no key pair entry.

Therefore you have to repeat the conversion step from PKCS#12 to Java KeyStore (keytool -importkeystore ...). After this step you will again have the key in myKeyStore.jks under the alias 'latiendamiga.com'. You should verify this with keytool -list ....

Then import the certificates from GoDaddy again. First the root CA and the intermediate CA as trusted certificates:

keytool -importcert -alias root -keystore myKeyStore.jks -file <root ca file>
keytool -importcert -alias intermed -keystore myKeyStore.jks -file <intermediate ca file>

Then the SSL certificate:

keytool -importcert -alias latiendamiga.com -trustcacerts -keystore myKeyStore.jks -file <ssl cert file>
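The check the answer recommends (confirm with `keytool -list` that the keystore holds a key pair, not just trusted certificates) is worth making repeatable, because a keystore with only `trustedCertEntry` rows is exactly what makes a Tomcat TLS connector fail to start and the server drop connections before any ServerHello, which is what the `openssl s_client` output in the question shows (0 bytes read, handshake failure). The following POSIX shell script is an added example, not part of the question or the answer: the two listings are constructed to mirror the question's output (one with three trusted entries and no key, one with the key pair restored under the `latiendamiga.com` alias), the function names `private_key_aliases`, `check_keystore_listing` and `check_live_keystore` are hypothetical, and the live wrapper assumes a JDK `keytool` on the PATH.

```shell
#!/bin/sh
# Constructed sample of `keytool -list` output, modelled on the listing in the
# question: three trustedCertEntry rows and no PrivateKeyEntry. Not real output.
BROKEN_LISTING='Keystore type: JKS
Keystore provider: SUN

Your keystore contains 3 entries

root, Aug 21, 2015, trustedCertEntry,
Certificate fingerprint (SHA1): XXXXXXX
tomcat, Aug 21, 2015, trustedCertEntry,
Certificate fingerprint (SHA1): XXXXXXX
intermed, Aug 21, 2015, trustedCertEntry,
Certificate fingerprint (SHA1): XXXXXXX'

# Constructed listing of a keystore that a Tomcat connector can actually use:
# the server key pair is present as a PrivateKeyEntry, plus the CA chain.
GOOD_LISTING='Keystore type: JKS
Keystore provider: SUN

Your keystore contains 3 entries

latiendamiga.com, Aug 21, 2015, PrivateKeyEntry,
Certificate fingerprint (SHA1): XXXXXXX
root, Aug 21, 2015, trustedCertEntry,
Certificate fingerprint (SHA1): XXXXXXX
intermed, Aug 21, 2015, trustedCertEntry,
Certificate fingerprint (SHA1): XXXXXXX'

# private_key_aliases LISTING
# Prints the alias of every PrivateKeyEntry in a keytool -list listing, one per
# line. Entry lines have the form "<alias>, <date>, <entry type>,".
private_key_aliases() {
    printf '%s\n' "$1" | awk -F', ' '/PrivateKeyEntry/ { print $1 }'
}

# check_keystore_listing LISTING [ALIAS]
# Returns 0 when the listing contains a PrivateKeyEntry (under ALIAS, if one is
# given), 1 otherwise, with a short diagnosis on stderr.
check_keystore_listing() {
    listing=$1
    wanted=${2:-}
    found=$(private_key_aliases "$listing")
    if [ -z "$found" ]; then
        echo "no PrivateKeyEntry: keystore holds only trusted certificates," \
             "a TLS connector cannot serve from it" >&2
        return 1
    fi
    if [ -n "$wanted" ] && ! printf '%s\n' "$found" | grep -Fqx "$wanted"; then
        echo "PrivateKeyEntry present, but not under alias '$wanted'" >&2
        return 1
    fi
    return 0
}

# check_live_keystore FILE PASSWORD [ALIAS]
# Applies the same check to a real keystore (needs a JDK keytool on the PATH).
check_live_keystore() {
    check_keystore_listing \
        "$(keytool -list -keystore "$1" -storepass "$2" 2>/dev/null)" "${3:-}"
}

# Demonstration on the constructed listings.
if check_keystore_listing "$BROKEN_LISTING"; then
    echo "broken listing: passed (unexpected)"
else
    echo "broken listing: rejected, as expected"
fi
if check_keystore_listing "$GOOD_LISTING" latiendamiga.com; then
    echo "good listing: key pair found under latiendamiga.com"
fi
```

Run it against the real file with `check_live_keystore /etc/webmin/myKeyStore.jks mypass latiendamiga.com` after repeating the `keytool -importkeystore` step. Tomcat 7 picks the first key entry it finds unless the connector's `keyAlias` attribute pins one, so the presence of a `PrivateKeyEntry` matters more than its alias, but passing the alias to the check catches an import that landed under a different name.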