无法让 PFX/SSL 在 Tomcat 中工作

【问题标题】:Can't get PFX/SSL to work in Tomcat无法让 PFX/SSL 在 Tomcat 中工作
【发布时间】:2016-12-07 02:07:59
【问题描述】:

我在 Tomcat7 上设置 SSL 时遇到问题。我有一个使用私钥导出的 PFX 文件,但是我尝试了,在启动 Tomcat 时我不断收到以下错误,说:

密钥库密码不正确

我已经在 IIS 和 OpenSSL 中验证了密码确实正确。

我正在运行 Windows Server 2012 R2,并让 Tomcat 作为 Windows 服务运行,作为本地系统运行(默认安装)

Server.xml

      <Connector port="8443"  scheme="https" secure="true"
                 protocol="org.apache.coyote.http11.Http11NioProtocol"
                 maxThreads="150" SSLEnabled="true">
            <SSLHostConfig>
                <Certificate certificateKeystoreFile="conf/mypfx.pfx"
                             keystoreType="PKCS12" keystorePass="mypass" />
            </SSLHostConfig>
        </Connector>

catalina.log

07-Dec-2016 01:56:25.253 SEVERE [main] org.apache.catalina.core.StandardService.initInternal Failed to initialize connector [Connector[HTTP/1.1-8443]]
 org.apache.catalina.LifecycleException: Failed to initialize component [Connector[HTTP/1.1-8443]]
    at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:112)
    at org.apache.catalina.core.StandardService.initInternal(StandardService.java:549)
    at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:107)
    at org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:875)
    at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:107)
    at org.apache.catalina.startup.Catalina.load(Catalina.java:606)
    at org.apache.catalina.startup.Catalina.load(Catalina.java:629)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
    at java.lang.reflect.Method.invoke(Unknown Source)
    at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:311)
    at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:494)
Caused by: org.apache.catalina.LifecycleException: Protocol handler initialization failed
    at org.apache.catalina.connector.Connector.initInternal(Connector.java:970)
    at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:107)
    ... 12 more
Caused by: java.lang.IllegalArgumentException: java.io.IOException: keystore password was incorrect
    at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:103)
    at org.apache.tomcat.util.net.AbstractJsseEndpoint.initialiseSsl(AbstractJsseEndpoint.java:81)
    at org.apache.tomcat.util.net.NioEndpoint.bind(NioEndpoint.java:245)
    at org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:875)
    at org.apache.tomcat.util.net.AbstractJsseEndpoint.init(AbstractJsseEndpoint.java:213)
    at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:558)
    at org.apache.coyote.http11.AbstractHttp11Protocol.init(AbstractHttp11Protocol.java:65)
    at org.apache.catalina.connector.Connector.initInternal(Connector.java:968)
    ... 13 more
Caused by: java.io.IOException: keystore password was incorrect
    at sun.security.pkcs12.PKCS12KeyStore.engineLoad(Unknown Source)
    at sun.security.provider.KeyStoreDelegator.engineLoad(Unknown Source)
    at sun.security.provider.JavaKeyStore$DualFormatJKS.engineLoad(Unknown Source)
    at java.security.KeyStore.load(Unknown Source)
    at org.apache.tomcat.util.net.SSLUtilBase.getStore(SSLUtilBase.java:136)
    at org.apache.tomcat.util.net.SSLHostConfigCertificate.getCertificateKeystore(SSLHostConfigCertificate.java:187)
    at org.apache.tomcat.util.net.jsse.JSSEUtil.getKeyManagers(JSSEUtil.java:185)
    at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:101)
    ... 20 more
Caused by: java.security.UnrecoverableKeyException: failed to decrypt safe contents entry: javax.crypto.BadPaddingException: Given final block not properly padded

【问题讨论】:

    标签: java tomcat windows-server-2012-r2 pfx server.xml


    【解决方案1】:

    你的配置应该说 "certificateKeystorePassword" 而不是 "keystorePass"

    "keystoreType" 也不是 的有效参数,它应该只是 "type"

    请参阅 tomcat 文档以获取正确的参数名称:

    https://tomcat.apache.org/tomcat-8.5-doc/config/http.html

    【讨论】:

    • “keystoreType”实际上应该是“certificateKeystoreType”,而不是“type”。 “certificateKeystoreType”是keystore文件的类型,“type”是证书的类型。
    【解决方案2】:

    你可以试试下面的代码:

    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true" maxThreads="150" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS" keystoreType="PKCS12" keystoreFile="conf/mypfx.pfx" keystorePass="mypass" 
                           ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA"
        />

    【讨论】:

      猜你喜欢
      • 2016-06-19
      • 2012-10-01
      • 1970-01-01
      • 1970-01-01
      • 2016-02-11
      • 2016-07-11
      • 1970-01-01
      • 1970-01-01
      • 2012-07-14
      相关资源
      最近更新 更多
      热门标签
      Java Python linux javascript Mysql C# Docker 算法 前端 SpringBoot Redis Vue spring 设计模式 .net core .net kubernetes c++ 数据库 数据结构 大数据 js 机器学习 微服务 Android Go 程序员 面试 JVM ASP.net core 云原生 人工智能 后端 PHP git CSS golang k8s Nginx Django mybatis 深度学习 多线程 React 架构 devops 爬虫 云计算 Spring Boot LeetCode