I am using the command below to run the Tomcat 9 Docker image:
docker run \
-p 8443:8443 \
-e KEYSTORE_PATH=/usr/local/tomcat/keystore.p12 \
-e KEYSTORE_PASSWORD=pskp \
-e KEYSTORE_TYPE=PKCS12 \
-e TOMCAT_SSL_PORT=8443 \
-e KEY_PASSWORD=pskp \
-e TOMCAT_SSL_CIPHERS="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256" \
-v /home/parikshit/certs/server.p12:/usr/local/tomcat/keystore.p12 \
tomcat:9
It starts up without any errors, but when I try to curl it I get an error:
$ curl https://localhost:8443
curl: (35) error:0A000126:SSL routines::unexpected eof while reading
ChatGPT asked me to run the following command:
$ openssl s_client -connect localhost:8443
CONNECTED(00000003)
write:errno=104
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 293 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
First, create the PKCS12 keystore correctly, as shown below:
# this command will ask for info & a password
openssl req -x509 -newkey rsa:4096 -keyout myKey.pem -out cert.pem -days 365
openssl pkcs12 -export -out keyStore.p12 -inkey myKey.pem -in cert.pem
After running these commands you will have 3 files. The one we care about is keyStore.p12.
Add the following as the entire server.xml file:
<?xml version="1.0" encoding="UTF-8"?>
<Server port="8005" shutdown="SHUTDOWN">
  <Listener className="org.apache.catalina.startup.VersionLoggerListener" />
  <Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" />
  <!-- Prevent memory leaks due to use of particular java/javax APIs-->
  <Listener className="org.apache.catalina.core.JreMemoryLeakPreventionListener" />
  <Listener className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener" />
  <Listener className="org.apache.catalina.core.ThreadLocalLeakPreventionListener" />
  <!-- Global JNDI resources
       Documentation at /docs/jndi-resources-howto.html
  -->
  <GlobalNamingResources>
    <!-- Editable user database that can also be used by
         UserDatabaseRealm to authenticate users
    -->
    <Resource name="UserDatabase" auth="Container"
              type="org.apache.catalina.UserDatabase"
              description="User database that can be updated and saved"
              factory="org.apache.catalina.users.MemoryUserDatabaseFactory"
              pathname="conf/tomcat-users.xml" />
  </GlobalNamingResources>
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1"
               connectionTimeout="20000"
               redirectPort="8443"
               maxParameterCount="1000"
               />
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               maxThreads="150" SSLEnabled="true"
               maxParameterCount="1000"
               keystoreFile="${keystore.file}"
               keystorePass="${keystore.pass}"
               keystoreType="PKCS12" clientAuth="false" sslProtocol="TLS"
               >
    </Connector>
    <Engine name="Catalina" defaultHost="localhost">
      <Realm className="org.apache.catalina.realm.LockOutRealm">
        <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
               resourceName="UserDatabase"/>
      </Realm>
      <Host name="localhost" appBase="webapps"
            unpackWARs="true" autoDeploy="true">
        <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"
               prefix="localhost_access_log" suffix=".txt"
               pattern="%h %l %u %t &quot;%r&quot; %s %b" />
      </Host>
    </Engine>
  </Service>
</Server>
In the file above we have 2 variables: keystore.file (the location of the p12 file) and keystore.pass (the password you set when creating the keystore).
I assume keyStore.p12 and server.xml are in the same folder on your machine. Go to that folder and run the following command. If your server starts on 8080 instead of 8443, check CATALINA_HOME. In my case it is /usr/local/tomcat.
docker run \
-p 8081:8443 \
-e CATALINA_OPTS="-Dkeystore.pass=<password_here> -Dkeystore.file=/certs/keystore.p12" \
-v .\keyStore.p12:/certs/keystore.p12 \
-v .\server.xml:/usr/local/tomcat/conf/server.xml \
tomcat:9
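The failure in the question comes from the fact that the official image does not read KEYSTORE_PATH-style environment variables; the `${keystore.file}` and `${keystore.pass}` placeholders in server.xml are only filled from Java system properties passed with -D in CATALINA_OPTS. The following pre-flight check is an added example (not code from the question, the answer or the Tomcat project): it parses a constructed copy of the answer's TLS connector and reports every placeholder on an SSLEnabled connector that the given CATALINA_OPTS string does not define, so a misconfigured container can be caught before it is started.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: the answer's server.xml trimmed to the two connectors.
SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443"/>
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               SSLEnabled="true" keystoreFile="${keystore.file}"
               keystorePass="${keystore.pass}" keystoreType="PKCS12"/>
  </Service>
</Server>"""

# Matches Tomcat's ${property.name} substitution syntax inside attribute values.
PLACEHOLDER = re.compile(r"\$\{([^}]+)\}")


def parse_catalina_opts(opts):
    """Extract -Dname=value pairs from a CATALINA_OPTS string into a dict."""
    return dict(re.findall(r"-D([^=\s]+)=(\S+)", opts))


def unresolved_tls_placeholders(server_xml, catalina_opts):
    """Return {connector_port: [unresolved property names]} for every
    SSLEnabled connector. An empty list means the TLS connector can start
    with every keystore setting resolved from the -D properties given."""
    props = parse_catalina_opts(catalina_opts)
    root = ET.fromstring(server_xml)
    result = {}
    for conn in root.iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue  # plain HTTP connector, no keystore needed
        missing = set()
        for value in conn.attrib.values():
            for prop in PLACEHOLDER.findall(value):
                if prop not in props:
                    missing.add(prop)
        result[conn.get("port")] = sorted(missing)
    return result


if __name__ == "__main__":
    # The question's approach: env vars only, no -D properties at all.
    print(unresolved_tls_placeholders(SERVER_XML, ""))
    # The answer's approach: both properties supplied through CATALINA_OPTS.
    print(unresolved_tls_placeholders(
        SERVER_XML, "-Dkeystore.pass=<password_here> -Dkeystore.file=/certs/keystore.p12"))
```

Running the script with the question's setup reports both keystore properties as unresolved for port 8443, which is why the connector never completes a handshake; with the answer's CATALINA_OPTS the list is empty.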