nginx and Tomcat SSL problem - SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure

Time: 2018-02-01 03:47:42

Tags: java tomcat ssl nginx nginx-reverse-proxy

Since my site's SSL certificate had expired, I renewed it and added the new certificate to the keystore, but after that, when I call the site URL, I get a 502. Below you can see the nginx configuration for SSL and the Tomcat configuration.

The error I get in the nginx error log is

SSL_do_handshake() failed (SSL: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure) while SSL handshaking to upstream, client: 120.6.20.134, server: app.somewhere.com, request: "GET /favicon.ico HTTP/2.0", upstream: "https://53.10.10.10:8443/favicon.ico", host: "app.somewhere.com", referrer: "https://app.somewhere.com/board/index.jsp"

Server nginx version: nginx/1.12.1

nginx config

server {
  listen 443;
  server_name     app.somewhere.com;
  root            /usr/share/tomcat8/webapps;
  ssl on;
  ssl_session_timeout 5m;
  ssl_session_cache shared:SSL:5m;
  ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
  ssl_prefer_server_ciphers on;
  ssl_ciphers ECDH+AESGCM:ECDH+AES256:ECDH+AES128:DH+3DES:!ADH:!AECDH:!MD5;
  ssl_certificate /opt/jdk1.8.0_45/jre/lib/security/app_somewhere_com.pem;
  ssl_certificate_key /opt/jdk1.8.0_45/jre/lib/security/app_somewhere_com.key;
  ssl_dhparam /etc/nginx/certs/dhparam.pem;
  proxy_ssl_server_name on;
  location / {
        proxy_read_timeout 120s;
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-Server $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_pass https://app.somewhere.com:8443;
  }
}

tomcat server.xml

<Connector port="8443"
                maxThreads="100"
                scheme="https"
                secure="true"
                SSLEnabled="true"
                keystoreFile="/opt/jdk1.8.0_45/jre/lib/security/my-keystore.jks"
                protocol="org.apache.coyote.http11.Http11NioProtocol"
                keystorePass="mypass"
                clientAuth="false"
                sslProtocol="TLS"
                proxyPort="443"/>

1 answer:

Answer 0: (score: 0)

Found the problem: the certificate had been imported into the wrong keystore. So I created a new keystore from the certificate and private key; I used the following commands.

Create a new keystore

openssl pkcs12 -export -in cert.crt -inkey private-key.key -certfile cert.crt -name "tomcat" -out keystore.p12

Convert the keystore to JKS format

keytool -importkeystore -srckeystore keystore.p12 -srcstoretype pkcs12 -destkeystore keystore.jks -deststoretype JKS

Then set the keystore.jks path in the Tomcat server.xml
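A few checks that narrow down where a handshake like the one above breaks, before and after rebuilding the keystore. This is an added example, not part of the original question or answer; the file paths are placeholders, and the alias `tomcat` is assumed to match the `-name "tomcat"` used in the answer's openssl command.

```shell
#!/bin/sh
# Added example (not from the original post). Sanity checks around a renewed
# certificate for a Tomcat connector that nginx proxies to on port 8443.
# All paths, host names and the alias "tomcat" are placeholders/assumptions.

# Returns 0 when the certificate's public key matches the private key, 1 on a
# mismatch, 2 if either file cannot be parsed. This catches the usual renewal
# mistake: a new cert packaged with the old key, which produces a keystore
# Tomcat cannot complete a handshake with.
cert_key_match() {
  cert="$1"; key="$2"
  cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || return 2
  key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || return 2
  [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Returns 0 when the certificate stays valid for at least N days (default 14),
# 1 when it is expired or expires within that window.
cert_valid_for_days() {
  cert="$1"; days="${2:-14}"
  openssl x509 -in "$cert" -noout -checkend $((days * 86400)) >/dev/null
}

# Returns 0 only when the alias Tomcat will use is a PrivateKeyEntry.
# A trustedCertEntry alone (cert imported without its key) cannot serve TLS,
# which is the "imported into the wrong keystore" failure from the answer.
keystore_has_private_key() {
  ks="$1"; pass="$2"; alias="${3:-tomcat}"
  keytool -list -keystore "$ks" -storepass "$pass" -alias "$alias" 2>/dev/null \
    | grep -q 'PrivateKeyEntry'
}

# Handshakes directly with the Tomcat connector, bypassing nginx, so a failure
# here points at the keystore rather than the proxy configuration. Succeeds
# only if the server actually presented a certificate.
probe_upstream() {
  host="$1"; port="${2:-8443}"
  printf '' | openssl s_client -connect "$host:$port" -servername "$host" 2>&1 \
    | grep -q 'BEGIN CERTIFICATE'
}
```

Run `cert_key_match cert.crt private-key.key` before the `openssl pkcs12 -export` step, and `keystore_has_private_key keystore.jks mypass tomcat` after the `keytool -importkeystore` step.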