使用.keystore文件使用tomcat 8.5配置SSL - 无法存储非私钥

时间:2017-09-28 05:26:43

标签: java tomcat ssl

我有一个文件tomcat(2).keystore文件,我放在/opt/tomcat/conf目录中。目录权限设置如下:

root@xxxxxxxxxx:/opt/tomcat# ls -l
total 112
drwxr-x--- 2 root   tomcat  4096 Sep 10 03:04 bin
drwxr-x--- 2 root   tomcat  4096 Sep 28 05:12 conf
drwxr-x--- 2 root   tomcat  4096 Sep 10 03:04 lib
-rw-r----- 1 root   tomcat 57092 Aug  2 21:36 LICENSE
drwxr-x--- 2 tomcat tomcat  4096 Sep 28 05:15 logs
-rw-r----- 1 root   tomcat  1723 Aug  2 21:36 NOTICE
-rw-r----- 1 root   tomcat  7064 Aug  2 21:36 RELEASE-NOTES
-rw-r----- 1 root   tomcat 15946 Aug  2 21:36 RUNNING.txt
drwxr-x--- 2 tomcat tomcat  4096 Sep 28 05:15 temp
drwxr-x--- 8 tomcat tomcat  4096 Sep 28 03:52 webapps
drwxr-x--- 3 tomcat tomcat  4096 Sep 10 03:19 work

server.xml有以下连接符:

<Connector 
    port="8080" 
    maxThreads="1000"

    protocol="org.apache.coyote.http11.Http11NioProtocol"
    maxHttpHeaderSize="8192"
    emptySessionPath="true"
    connectionTimeout="20000"  
    minSpareThreads="20"  
    acceptCount="100" 
    disableUploadTimeout="true" 
    enableLookups="false" 
    tcpNoDelay="true"

    scheme="https" 
    secure="true" 
    SSLEnabled="true"
    keystoreFile="/opt/tomcat/conf/tomcat (2).keystore" 
    keystorePass="xxxxxx"
    clientAuth="false" 
    sslProtocol="TLS" 
    maxPostSize="97589953"
    URIEncoding="UTF-8"/>

我还注释了以下内容:

<!-- <Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" /> -->

但是,我在catalina.out中一直收到以下错误:

java.lang.IllegalArgumentException: java.security.KeyStoreException: Cannot store non-PrivateKeys
        at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:114)
        at org.apache.tomcat.util.net.AbstractJsseEndpoint.initialiseSsl(AbstractJsseEndpoint.java:85)
        at org.apache.tomcat.util.net.NioEndpoint.bind(NioEndpoint.java:225)
        at org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:982)
        at org.apache.tomcat.util.net.AbstractJsseEndpoint.init(AbstractJsseEndpoint.java:244)
        at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:620)
        at org.apache.coyote.http11.AbstractHttp11Protocol.init(AbstractHttp11Protocol.java:66)
        at org.apache.catalina.connector.Connector.initInternal(Connector.java:997)
        at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:107)
        at org.apache.catalina.core.StandardService.initInternal(StandardService.java:549)
        at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:107)
        at org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:875)
        at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:107)
        at org.apache.catalina.startup.Catalina.load(Catalina.java:607)
        at org.apache.catalina.startup.Catalina.load(Catalina.java:630)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:498)
        at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:311)
        at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:494)
Caused by: java.security.KeyStoreException: Cannot store non-PrivateKeys
        at sun.security.provider.JavaKeyStore.engineSetKeyEntry(JavaKeyStore.java:258)
        at sun.security.provider.JavaKeyStore$JKS.engineSetKeyEntry(JavaKeyStore.java:56)
        at sun.security.provider.KeyStoreDelegator.engineSetKeyEntry(KeyStoreDelegator.java:117)
        at sun.security.provider.JavaKeyStore$DualFormatJKS.engineSetKeyEntry(JavaKeyStore.java:70)
        at java.security.KeyStore.setKeyEntry(KeyStore.java:1140)
        at org.apache.tomcat.util.net.jsse.JSSEUtil.getKeyManagers(JSSEUtil.java:226)
        at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:112)
        ... 20 more

有人可以帮忙吗?我还需要从server.xml删除其他任何内容吗?

编辑:

Keystore type: JKS
Keystore provider: SUN

Your keystore contains 3 entries

root, Dec 19, 2016, trustedCertEntry, 
Certificate fingerprint (SHA1): xxxx
tomcat, Dec 19, 2016, PrivateKeyEntry, 
Certificate fingerprint (SHA1): xxxx
intermed, Dec 19, 2016, trustedCertEntry, 
Certificate fingerprint (SHA1): xxxxx

当我运行./keytool -list -keystore "/opt/tomcat/conf/tomcat (2).keystore"

时,我得到了上述内容

3 个答案:

答案 0 :(得分:5)

有点晚了,但在迁移到tomcat 8.5.20之后我遇到了类似的问题。经过一些研究,我找到了一个单独的,合理的解决方案。许多情况下,证书不在我们的生产环境中,并且不建议篡改它。 实际上看看实现,看起来tomcat尝试使用密钥存储文件中提到的第一个密钥,除非我们提供密钥别名。因此,在这种情况下,如果我们在连接器中提供密钥别名,它就可以正常工作。

{keyAlias =&#34; tomcat&#34; }

答案 1 :(得分:4)

我终于弄明白了这个问题。正如例外所暗示的那样,tomcat (2).keystore本身存在一些问题。所以我检查了密钥库中的证书,$JAVA_HOME/bin/keytool -list -keystore tomcat (2).keystore输出为:

密钥库类型:JKS 密钥库提供商:SUN

您的密钥库包含3个条目

root, Dec 19, 2016, trustedCertEntry, 
Certificate fingerprint (SHA1): xxxx
tomcat, Dec 19, 2016, PrivateKeyEntry, 
Certificate fingerprint (SHA1): xxxx
intermed, Dec 19, 2016, trustedCertEntry, 
Certificate fingerprint (SHA1): xxxxx

由于异常表明私钥以外的任何密钥都有问题,我使用以下内容删除了trustedCertEntry

$JAVA_HOME/bin/keytool -delete -noprompt -alias intermed -keystore tomcat\ \(2\).keystore -storepass xxxxxx
$JAVA_HOME/bin/keytool -delete -noprompt -alias root -keystore tomcat\ \(2\).keystore -storepass xxxxx

并重新启动tomcat。这解决了这个问题。感谢@Gautam和@EJP的帮助。

答案 2 :(得分:2)

我相信您正在尝试在服务器上设置SSL支持。如果是这样,您的密钥库应该只包含您的私有证书。看起来那里有一些第三方公钥,或者你正在使用带对称密钥的JKS密钥库。最好的办法是查看密钥库的内容。使用命令

keytool -list -keystore yourkeystorefilename

看看那里有什么。