Linux
無法在 AWS EC2 上的 Tomcat 9 上設置 SSL
我正在按照本指南在 AWS EC2(Ubuntu 16.04.5 LTS)上託管的 Tomcat 9 上設置 ssl。
版本:java-8-oracle,apache-tomcat-9.0.10
密鑰創建於
/home/ubuntu
:ubuntu@ip-x-x-x-x:~$ sudo keytool -genkey -alias tomcat -keyalg RSA -keystore ./test Enter keystore password: Re-enter new password: What is your first and last name? [Unknown]: Tester What is the name of your organizational unit? [Unknown]: Test What is the name of your organization? [Unknown]: Tester ltd What is the name of your City or Locality? [Unknown]: City What is the name of your State or Province? [Unknown]: State What is the two-letter country code for this unit? [Unknown]: US Is CN=Tester, OU=Test, O=Tester ltd, L=City, ST=State, C=US correct? [no]: yes Enter key password for <tomcat> (RETURN if same as keystore password): Re-enter new password: Warning: The JKS keystore uses a proprietary format. It is recommended to migrate to PKCS12 which is an industry standard format using "keytool -importkeystore -srckeystore ./test -destkeystore ./test -deststoretype pkcs12".
將密鑰轉換為 PKCS12 :
ubuntu@ip-x-x-x-x:~$ sudo keytool -importkeystore -srckeystore ./test -destkeystore ./test -deststoretype pkcs12 Enter source keystore password: Entry for alias tomcat successfully imported. Import command completed: 1 entries successfully imported, 0 entries failed or cancelled Warning: Migrated "./test" to Non JKS/JCEKS. The JKS keystore is backed up as "./test.old". ubuntu@ip-x-x-x-x:~$ keytool -list -keystore ./test Enter keystore password: Keystore type: JKS Keystore provider: SUN Your keystore contains 1 entry tomcat, Aug 5, 2018, PrivateKeyEntry, Certificate fingerprint (SHA1): E7:F9:46:D4:F8:91:E6:A9:68:54:98:6C:22:CF:EE:6D:C5:6A:FF:17
修改
/opt/tomcat/conf/server.xml
:<Connector port="80" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="443" /> <Connector SSLEnabled="true" acceptCount="100" clientAuth="false" disableUploadTimeout="true" enableLookups="false" maxThreads="25" port="443" keystoreFile="/home/ubuntu/test" keystorePass="password" protocol="org.apache.coyote.http11.Http11NioProtocol" scheme="https" secure="true" sslProtocol="TLS" />
啟用防火牆:
ubuntu@ip-x-x-x-x:~$ sudo ufw status Status: active To Action From -- ------ ---- OpenSSH ALLOW Anywhere 80 ALLOW Anywhere 8443 ALLOW Anywhere 443 ALLOW Anywhere 8080 ALLOW Anywhere OpenSSH (v6) ALLOW Anywhere (v6) 80 (v6) ALLOW Anywhere (v6) 8443 (v6) ALLOW Anywhere (v6) 443 (v6) ALLOW Anywhere (v6) 8080 (v6) ALLOW Anywhere (v6)
結果:
使用 Chrome 連接我沒有問題
http://x-x-x-x
(我會看到 Apache Tomcat/9.0.10 首頁)。但是當我嘗試時https://x-x-x-x
,我會得到This site connot be reached
,ERR_CONNECTION_TIMED_OUT
我要回答我自己的問題。我得到的原因
ERR_CONNECTION_TIMED_OUT
是 AWS EC2 防火牆阻止了所有傳入的 https 埠(443)。編輯 AWS EC2 實例安全組的入站規則以允許傳入埠 443,這將解決問題。