Tomcat: Installing LetsEncrypt certificate for https, not working

I have an Apache Tomcat instance running on our server and I am trying to use letsencrypt for HTTPS. I found some scripts to import the certificate, and I can see the certificate in the keystore it was imported into.

Unfortunately, https does not work. Whenever I try to connect it just keeps waiting (the progress bar spins). I don't know what I am doing wrong.

The script:

cd /var/git/letsencrypt
#git pull origin master
# open the standalone authenticator's port and redirect incoming port 80 to it (needs the nat table)
iptables -I INPUT -p tcp -m tcp --dport 9999 -j ACCEPT
iptables -t nat -I PREROUTING -i $networkdevice -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 9999

# --test-cert requests the certificate from the Let's Encrypt staging CA
./letsencrypt-auto certonly --standalone --test-cert --break-my-certs -d $mydomain --renew-by-default --email $myemail --agree-tos

# remove the temporary firewall rules again
iptables -t nat -D PREROUTING -i $networkdevice -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 9999
iptables -D INPUT -p tcp -m tcp --dport 9999 -j ACCEPT

# drop the previous entries from the keystore (store password NEWPASS)
$keytooldir/keytool -delete -alias root -storepass NEWPASS -keystore $keystoredir
$keytooldir/keytool -delete -alias tomcat -storepass NEWPASS -keystore $keystoredir

# bundle private key + full chain into a PKCS12 file protected with "aaa"
openssl pkcs12 -export -in $certdir/fullchain.pem -inkey $certdir/privkey.pem -out $certdir/cert_and_key.p12 -name tomcat -CAfile $certdir/chain.pem -caname root -password pass:aaa

# import into the Java keystore; note the key password (changeit) differs from the store password (NEWPASS)
$keytooldir/keytool -importkeystore -srcstorepass aaa -deststorepass NEWPASS -destkeypass changeit -srckeystore $certdir/cert_and_key.p12 -srcstoretype PKCS12 -alias tomcat -keystore $keystoredir
$keytooldir/keytool -import -trustcacerts -alias root -deststorepass NEWPASS -file $certdir/chain.pem -noprompt -keystore $keystoredir

Output:

iptables v1.4.21: can't initialize iptables table `nat': Table does not exist (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.
Checking for new version...
Requesting root privileges to run letsencrypt...

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at
   /etc/letsencrypt/live/domina-name/fullchain.pem.
   Your cert will expire on 2016-07-27. To obtain a new version of the
   certificate in the future, simply run Let's Encrypt again.
iptables v1.4.21: can't initialize iptables table `nat': Table does not exist (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.
Certificate was added to keystore

The Apache Tomcat connector:

<Connector port="443" protocol="org.apache.coyote.http11.Http11NioProtocol" SSLEnabled="true" maxThreads="200"
              scheme="https" secure="true" clientAuth="false"  sslProtocol="TLS"
                keystoreFile="/root/.keystore" keystorePass="newPASS" />

OpenSSL connection output:

openssl s_client -connect domain_name.de:443
CONNECTED(00000003)

It hangs at the connection.

What am I doing wrong? Any ideas? Thank you.

UPDATE

As I checked, I get an unrecoverable key exception. I think this may be because Tomcat requires a key pass, so I changed the password of the key with the following command, but the error remains:

openssl rsa -aes192 -in yourprivatekeywithoutpassword.pem -out newprivatekeywithpassword.pem

Error log:

SEVERE: Failed to initialize end point associated with ProtocolHandler ["http-nio-443"]
java.security.UnrecoverableKeyException: Cannot recover key
        at sun.security.provider.KeyProtector.recover(KeyProtector.java:328)
        at sun.security.provider.JavaKeyStore.engineGetKey(JavaKeyStore.java:146)
        at sun.security.provider.JavaKeyStore$JKS.engineGetKey(JavaKeyStore.java:56)
        at sun.security.provider.KeyStoreDelegator.engineGetKey(KeyStoreDelegator.java:96)
        at sun.security.provider.JavaKeyStore$DualFormatJKS.engineGetKey(JavaKeyStore.java:70)
        at java.security.KeyStore.getKey(KeyStore.java:1023)
        at sun.security.ssl.SunX509KeyManagerImpl.<init>(SunX509KeyManagerImpl.java:133)
        at sun.security.ssl.KeyManagerFactoryImpl$SunX509.engineInit(KeyManagerFactoryImpl.java:70)
        at javax.net.ssl.KeyManagerFactory.init(KeyManagerFactory.java:256)


I finally solved this by changing the server URL from which the certificate is retrieved. As you can see, I got an error that the certificate was not trusted. This happened because the certificate came from the staging server.

I changed the config file used at renewal, which holds the server parameter, to

https://acme-v01.api.letsencrypt.org/directory

After that I retrieved all the certificates from LetsEncrypt again and reinstalled them.

Output:

openssl s_client -connect domain.de:443
CONNECTED(00000003)
depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
verify return:1
depth=0 CN = domain.de
verify return:1
---
  Verify return code: 0 (ok)

That solved the problem. Thank you for your time.
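As an added example (this is not the script from the question, nor Let's Encrypt or Tomcat project code), here is how the import step of the script above can be written so that it avoids both problems the question runs into: it uses one password for the keystore and for the key entry, and it refuses to install a chain that came from the staging CA, which is what `--test-cert` hands out. `CERTDIR`, `KEYSTORE` and `STOREPASS` are assumed variable names, and the `example.com` live directory is a placeholder.

```shell
#!/bin/sh
# Added example, not the script from the question: build the Tomcat keystore
# from the Let's Encrypt files with ONE password for store and key, and refuse
# to install a chain issued by the staging CA (what --test-cert produces).
# CERTDIR, KEYSTORE and STOREPASS are assumed names; example.com is a placeholder.
set -eu

CERTDIR="${CERTDIR:-/etc/letsencrypt/live/example.com}"
KEYSTORE="${KEYSTORE:-/root/.keystore}"
STOREPASS="${STOREPASS:-NEWPASS}"   # passed on the command line it shows in `ps`; use a 0600 file in production

# The staging CA (selected by --test-cert or the acme-staging directory URL)
# signs with intermediates such as "Fake LE Intermediate X1", which no client
# trusts. $1 is the subject line printed by `openssl x509 -noout -subject`.
issuer_is_staging() {
    case "$1" in
        *"Fake LE"*) return 0 ;;
        *)           return 1 ;;
    esac
}

chain_pem_is_staging() {
    subject=$(openssl x509 -noout -subject -in "$1")
    issuer_is_staging "$subject"
}

build_tomcat_keystore() {
    if chain_pem_is_staging "$CERTDIR/chain.pem"; then
        echo "refusing to install a staging (test) certificate from $CERTDIR" >&2
        return 1
    fi
    # fullchain.pem already holds leaf + intermediates, so the PKCS12 carries
    # the whole chain; a separate trusted "root" entry is not needed.
    openssl pkcs12 -export \
        -in "$CERTDIR/fullchain.pem" -inkey "$CERTDIR/privkey.pem" \
        -name tomcat -out "$CERTDIR/cert_and_key.p12" \
        -password "pass:$STOREPASS"
    keytool -delete -alias tomcat -keystore "$KEYSTORE" -storepass "$STOREPASS" 2>/dev/null || true
    # -destkeypass equals -deststorepass: a JKS key entry whose password differs
    # from the store password is what makes Tomcat fail with "Cannot recover key"
    # unless keyPass is set on the connector.
    keytool -importkeystore \
        -srckeystore "$CERTDIR/cert_and_key.p12" -srcstoretype PKCS12 \
        -srcstorepass "$STOREPASS" -alias tomcat \
        -destkeystore "$KEYSTORE" -deststorepass "$STOREPASS" -destkeypass "$STOREPASS"
    # Prove the private key can be unlocked with the store password before
    # restarting Tomcat: -certreq must sign with it, so it fails the same way
    # Tomcat would on a mismatch. The CSR itself is discarded.
    keytool -certreq -alias tomcat -keystore "$KEYSTORE" \
        -storepass "$STOREPASS" -keypass "$STOREPASS" -file /dev/null
}

# Only touch openssl/keytool when explicitly asked; the functions above can
# also be sourced from another script.
if [ "${1:-}" = "build" ]; then
    build_tomcat_keystore
fi
```

Run it as `sh build-keystore.sh build` after `letsencrypt-auto certonly` has finished. The staging check keys off the "Fake LE" intermediate name; a chain issued by the production directory (`https://acme-v01.api.letsencrypt.org/directory`) carries the "Let's Encrypt Authority" intermediate shown in the working `s_client` output above and passes.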


For your question, I would like to break the problem into parts.

First of all,

iptables v1.4.21: can't initialize iptables table `nat': Table does
not exist (do you need to insmod?) Perhaps iptables or your kernel
needs to be upgraded.

This can be resolved by loading the ip_tables module. The commands are as follows:

sudo modprobe ip_tables
# the redirection must run as root too, otherwise the shell (not sudo) opens /etc/modules
echo 'ip_tables' | sudo tee -a /etc/modules

For the full discussion you can go through this link: iptables: Table does not exist (do you need to insmod?)

Resource links:

  • iptables v1.4.14: can't initialize iptables table "nat": Table does not exist (do you need to insmod?)
  • iptables nat does not exist

Secondly, I would like to fix this part:

    java.security.UnrecoverableKeyException: Cannot recover key

This problem occurs when the keymanager uses a wrong/incorrect password (one that does not actually match), or sometimes there is a case-sensitivity issue, or the keystore may be corrupted. You must make sure that the keystore password and the key password are the same.

For this, you can check in two ways -

You can change/list the key in keytool using the same or another password

keytool -keypasswd -new changeit -keystore cacerts -storepass changeit -alias someapp -keypass password

The above example changes the password from password to changeit. This command will succeed if the private key password is password.

You can also use aliases. You need to implement getPrivateKey(String alias) in a custom X509KeyManager to take this into account. In particular, it must load the key from the keystore instance using the correct password for each alias (see getKey(String alias, char[] password)).

Credit goes to @Bruno

Next,

Another thing I see is that you sometimes use NEWPASS on the command line and newPASS as the password in the Tomcat connector. There may be a mismatch there. Please verify.

Tomcat's advice on preparing the certificate keystore:

    The default password used by Tomcat is"changeit" (all lower case),
    although you can specify a custom password if you like. You will also
    need to specify the custom password in the server.xml configuration
    file

    You MUST use the same password here as was used for the keystore
    password itself. This is a restriction of the Tomcat implementation.

    The port attribute is the TCP/IP port number on which Tomcat will
    listen for secure connections. You can change this to any port number
    you wish (such as to the default port for https communications, which
    is 443). However, special setup (outside the scope of this document)
    is necessary to run Tomcat on port numbers lower than 1024 on many
    operating systems.

    After completing configuration changes, you must restart Tomcat

You can also go through the Tomcat SSL Support documentation.

Resource links:

  • Cannot get key from keystore

UPDATE:

If the first part does not work properly, follow the answer from @douglas's service provider below:

    This is a limitation of the virtualization system we use (OpenVZ),
    basic iptables rules are possible but not those who use the nat table.

    If this really is a problem, we can offer you to migrate to a other
    system virtualization (KVM) as we begin to offer our customers.

So you would have to migrate your server to the new system. If that is possible, you can try it.


The only thing I can think of is that you have a different keystore password and key password without providing the key password on the connector. Tomcat tries to access the key using the same password as the keystore, fails, and produces the error you see.

In your update you updated the PEM file; did you import it into the keystore to update what Tomcat is using? I assume you did, but I have to ask for completeness. If not, then the key password change does nothing to the keystore Tomcat is using.

The only solution I can offer is to add the keyPass attribute to the connector to see if that works. I tested locally, and having different keystore and key passwords does produce the error. Adding keyPass to the connector fixed it for me.
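Both answers above come down to one rule: Tomcat opens the JKS key entry with `keyPass`, and when that attribute is absent it falls back to `keystorePass`, so the password used for `-destkeypass` at import time must equal whichever of the two the connector ends up using, case included. As an added example (not code from either answer), the following shell check applies that rule to a `<Connector>` element before Tomcat is restarted. The connector texts are constructed samples modelled on the one in the question; `connector_attr` and `connector_matches_keystore` are names chosen here.

```shell
#!/bin/sh
# Added example, not from any answer on this page: verify that the passwords
# used when the keystore was built agree with what the Tomcat connector in
# server.xml will use. Tomcat unlocks the key entry with keyPass, which
# defaults to keystorePass when absent; any mismatch, including a case
# difference such as NEWPASS vs newPASS, yields "Cannot recover key".
set -eu

# Print one attribute value of a <Connector ...> element read from stdin.
# $1 = attribute name; the element may span several lines.
connector_attr() {
    tr '\n' ' ' | sed -n "s/.*[[:space:]]$1=\"\([^\"]*\)\".*/\1/p"
}

# $1 = password given to -deststorepass, $2 = password given to -destkeypass,
# $3 = file holding the connector element. Returns 0 when Tomcat will be able
# to open both the store and the key entry with this configuration.
connector_matches_keystore() {
    store_pass="$1"; key_pass="$2"; conf="$3"
    cfg_store=$(connector_attr keystorePass < "$conf")
    cfg_key=$(connector_attr keyPass < "$conf")
    [ -n "$cfg_key" ] || cfg_key="$cfg_store"   # Tomcat's default for keyPass
    if [ "$cfg_store" != "$store_pass" ]; then
        echo "keystorePass in connector ($cfg_store) != store password used at import ($store_pass)" >&2
        return 1
    fi
    if [ "$cfg_key" != "$key_pass" ]; then
        echo "effective keyPass ($cfg_key) != key password used at import ($key_pass);" \
             "add keyPass=\"$key_pass\" to the connector or re-import with matching passwords" >&2
        return 1
    fi
    return 0
}

# Constructed samples (not the poster's real server.xml): the connector from
# the question, the same connector with keyPass added, and one where the
# import used a single password for store and key.
TMP=$(mktemp -d)
trap 'rm -rf "$TMP"' EXIT
cat > "$TMP/original.xml" <<'EOF'
<Connector port="443" protocol="org.apache.coyote.http11.Http11NioProtocol" SSLEnabled="true"
           scheme="https" secure="true" clientAuth="false" sslProtocol="TLS"
           keystoreFile="/root/.keystore" keystorePass="newPASS" />
EOF
cat > "$TMP/with_keypass.xml" <<'EOF'
<Connector port="443" protocol="org.apache.coyote.http11.Http11NioProtocol" SSLEnabled="true"
           scheme="https" secure="true" clientAuth="false" sslProtocol="TLS"
           keystoreFile="/root/.keystore" keystorePass="NEWPASS" keyPass="changeit" />
EOF
cat > "$TMP/same_pass.xml" <<'EOF'
<Connector port="443" protocol="org.apache.coyote.http11.Http11NioProtocol" SSLEnabled="true"
           scheme="https" secure="true" clientAuth="false" sslProtocol="TLS"
           keystoreFile="/root/.keystore" keystorePass="NEWPASS" />
EOF

# The question's import used -deststorepass NEWPASS -destkeypass changeit.
for f in original with_keypass same_pass; do
    if connector_matches_keystore NEWPASS changeit "$TMP/$f.xml" 2>/dev/null; then
        echo "$f: Tomcat can open store and key"
    else
        echo "$f: mismatch, Tomcat would fail with Cannot recover key"
    fi
done
```

Of the three samples only `with_keypass` passes for the question's import (`NEWPASS` / `changeit`): the original fails on the `newPASS` case difference, and `same_pass` fails because the missing `keyPass` makes Tomcat try `NEWPASS` on a key protected with `changeit`; it passes once the import is redone with `-destkeypass NEWPASS`.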