我有一个文件tomcat(2).keystore文件,我放在/opt/tomcat/conf目录中。目录权限设置如下:
root@xxxxxxxxxx:/opt/tomcat# ls -l
total 112
drwxr-x--- 2 root tomcat 4096 Sep 10 03:04 bin
drwxr-x--- 2 root tomcat 4096 Sep 28 05:12 conf
drwxr-x--- 2 root tomcat 4096 Sep 10 03:04 lib
-rw-r----- 1 root tomcat 57092 Aug 2 21:36 LICENSE
drwxr-x--- 2 tomcat tomcat 4096 Sep 28 05:15 logs
-rw-r----- 1 root tomcat 1723 Aug 2 21:36 NOTICE
-rw-r----- 1 root tomcat 7064 Aug 2 21:36 RELEASE-NOTES
-rw-r----- 1 root tomcat 15946 Aug 2 21:36 RUNNING.txt
drwxr-x--- 2 tomcat tomcat 4096 Sep 28 05:15 temp
drwxr-x--- 8 tomcat tomcat 4096 Sep 28 03:52 webapps
drwxr-x--- 3 tomcat tomcat 4096 Sep 10 03:19 work
而server.xml有以下连接器:
<Connector
port="8080"
maxThreads="1000"
protocol="org.apache.coyote.http11.Http11NioProtocol"
maxHttpHeaderSize="8192"
emptySessionPath="true"
connectionTimeout="20000"
minSpareThreads="20"
acceptCount="100"
disableUploadTimeout="true"
enableLookups="false"
tcpNoDelay="true"
scheme="https"
secure="true"
SSLEnabled="true"
keystoreFile="/opt/tomcat/conf/tomcat (2).keystore"
keystorePass="xxxxxx"
clientAuth="false"
sslProtocol="TLS"
maxPostSize="97589953"
URIEncoding="UTF-8"/>
我还评论了以下内容:
<!-- <Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" /> -->
但是,我在catalina.out中不断收到以下错误:
java.lang.IllegalArgumentException: java.security.KeyStoreException: Cannot store non-PrivateKeys
at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:114)
at org.apache.tomcat.util.net.AbstractJsseEndpoint.initialiseSsl(AbstractJsseEndpoint.java:85)
at org.apache.tomcat.util.net.NioEndpoint.bind(NioEndpoint.java:225)
at org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:982)
at org.apache.tomcat.util.net.AbstractJsseEndpoint.init(AbstractJsseEndpoint.java:244)
at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:620)
at org.apache.coyote.http11.AbstractHttp11Protocol.init(AbstractHttp11Protocol.java:66)
at org.apache.catalina.connector.Connector.initInternal(Connector.java:997)
at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:107)
at org.apache.catalina.core.StandardService.initInternal(StandardService.java:549)
at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:107)
at org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:875)
at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:107)
at org.apache.catalina.startup.Catalina.load(Catalina.java:607)
at org.apache.catalina.startup.Catalina.load(Catalina.java:630)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:311)
at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:494)
Caused by: java.security.KeyStoreException: Cannot store non-PrivateKeys
at sun.security.provider.JavaKeyStore.engineSetKeyEntry(JavaKeyStore.java:258)
at sun.security.provider.JavaKeyStore$JKS.engineSetKeyEntry(JavaKeyStore.java:56)
at sun.security.provider.KeyStoreDelegator.engineSetKeyEntry(KeyStoreDelegator.java:117)
at sun.security.provider.JavaKeyStore$DualFormatJKS.engineSetKeyEntry(JavaKeyStore.java:70)
at java.security.KeyStore.setKeyEntry(KeyStore.java:1140)
at org.apache.tomcat.util.net.jsse.JSSEUtil.getKeyManagers(JSSEUtil.java:226)
at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:112)
... 20 more
有人可以帮忙吗?我需要从server.xml中删除任何其他东西吗?
编辑:
Keystore type: JKS
Keystore provider: SUN
Your keystore contains 3 entries
root, Dec 19, 2016, trustedCertEntry,
Certificate fingerprint (SHA1): xxxx
tomcat, Dec 19, 2016, PrivateKeyEntry,
Certificate fingerprint (SHA1): xxxx
intermed, Dec 19, 2016, trustedCertEntry,
Certificate fingerprint (SHA1): xxxxx
当我运行./keytool -list -keystore "/opt/tomcat/conf/tomcat (2).keystore"时,我得到了上述内容
这有点晚了,但在迁移到tomcat 8.5.20之后我遇到了类似的问题。经过一些研究,我找到了一个单独的,合理的解决方案。许多情况下,证书不在我们的生产环境中,并且不建议篡改它。实际上看看实现,看起来tomcat尝试使用密钥存储文件中提到的第一个密钥,除非我们提供密钥别名。因此,在这种情况下,如果我们在连接器中提供密钥别名,它将正常工作。
{keyAlias =“tomcat”}
我终于找到了解决问题的方法。正如Exception所暗示的那样,tomcat (2).keystore本身存在一些问题。所以我检查了密钥库中的证书,其中$JAVA_HOME/bin/keytool -list -keystore tomcat (2).keystore输出为:
密钥库类型:JKS密钥库提供商:SUN
您的密钥库包含3个条目
root, Dec 19, 2016, trustedCertEntry,
Certificate fingerprint (SHA1): xxxx
tomcat, Dec 19, 2016, PrivateKeyEntry,
Certificate fingerprint (SHA1): xxxx
intermed, Dec 19, 2016, trustedCertEntry,
Certificate fingerprint (SHA1): xxxxx
由于异常表明私钥以外的任何密钥都是冒犯的,我使用以下方法删除了trustedCertEntry:
$JAVA_HOME/bin/keytool -delete -noprompt -alias intermed -keystore tomcat\ \(2\).keystore -storepass xxxxxx
$JAVA_HOME/bin/keytool -delete -noprompt -alias root -keystore tomcat\ \(2\).keystore -storepass xxxxx
并重新启动tomcat。这解决了这个问题。感谢@Gautam和@EJP的帮助。
我相信你正试图在服务器上设置SSL支持。如果是这样,您的密钥库应该只包含您的私有证书。看起来那里有一些第三方公钥,或者你正在使用带对称密钥的JKS密钥库。最好的办法是查看密钥库的内容。使用命令
keytool -list -keystore yourkeystorefilename
看看那里有什么。