GlassFish SSL console handshake exception

I am running an Ubuntu 14.04 server.

I installed GlassFish 4.1.

I want to access the console from outside, so I did

asadmin --host localhost --port 4848 enable-secure-admin

After that step, www.myhost.com:4848/console/ gives a browser security exception because of the self-signed certificate. OK, that's normal. I can accept the exception and everything works.

Now I have a StartSSL certificate for www.myhost.com.

So I did

keytool -delete -alias s1as -keystore keystore.jks
keytool -importcert -keystore keystore.jks -storepass changeit -file www.myhost.com.crt -alias s1as
keytool -importcert -keystore keystore.jks -storepass changeit -file ca.crt -alias startcom.ca -trustcacerts
keytool -importcert -keystore keystore.jks -storepass changeit -file sub.class1.server.ca.crt -alias startcom.ca.sub -trustcacerts

But now asadmin start-domain gives me this in the log

[2015-02-20T09:55:58.021+0100] [glassfish 4.1] [SEVERE] [] [] [tid: _ThreadID=57 _ThreadName=Thread-9] [timeMillis: 1424422558021] [levelValue: 1000] [[
  java.io.IOException: Cannot bind to URL [rmi://www.myhost.com.be:8686/jmxrmi]: javax.naming.CommunicationException [Root exception is java.rmi.ConnectIOException: error during JRMP connection establishment; nested exception is:
        javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure]
        at javax.management.remote.rmi.RMIConnectorServer.newIOException(RMIConnectorServer.java:826)
        at javax.management.remote.rmi.RMIConnectorServer.start(RMIConnectorServer.java:431)
        at org.glassfish.admin.mbeanserver.RMIConnectorStarter.start(RMIConnectorStarter.java:319)
        at org.glassfish.admin.mbeanserver.JMXStartupService$JMXConnectorsStarterThread.startConnector(JMXStartupService.java:313)
        at org.glassfish.admin.mbeanserver.JMXStartupService$JMXConnectorsStarterThread.run(JMXStartupService.java:350)
Caused by: javax.naming.CommunicationException [Root exception is java.rmi.ConnectIOException: error during JRMP connection establishment; nested exception is:
        javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure]
        at com.sun.jndi.rmi.registry.RegistryContext.rebind(RegistryContext.java:159)
        at com.sun.jndi.toolkit.url.GenericURLContext.rebind(GenericURLContext.java:249)
        at javax.naming.InitialContext.rebind(InitialContext.java:427)
        at javax.naming.InitialContext.rebind(InitialContext.java:427)
        at javax.management.remote.rmi.RMIConnectorServer.bind(RMIConnectorServer.java:641)
        at javax.management.remote.rmi.RMIConnectorServer.start(RMIConnectorServer.java:426)
        ... 3 more
Caused by: java.rmi.ConnectIOException: error during JRMP connection establishment; nested exception is:
        javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
        at sun.rmi.transport.tcp.TCPChannel.createConnection(TCPChannel.java:304)
        at sun.rmi.transport.tcp.TCPChannel.newConnection(TCPChannel.java:202)
        at sun.rmi.server.UnicastRef.newCall(UnicastRef.java:341)
        at sun.rmi.registry.RegistryImpl_Stub.rebind(Unknown Source)
        at com.sun.jndi.rmi.registry.RegistryContext.rebind(RegistryContext.java:157)
        ... 8 more
Caused by: javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
        at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
        at sun.security.ssl.Alerts.getSSLException(Alerts.java:154)
        at sun.security.ssl.SSLSocketImpl.recvAlert(SSLSocketImpl.java:1979)
        at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1086)
        at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1332)
        at sun.security.ssl.SSLSocketImpl.writeRecord(SSLSocketImpl.java:709)
        at sun.security.ssl.AppOutputStream.write(AppOutputStream.java:122)
        at java.io.BufferedOutputStream.flushBuffer(BufferedOutputStream.java:82)
        at java.io.BufferedOutputStream.flush(BufferedOutputStream.java:140)
        at java.io.DataOutputStream.flush(DataOutputStream.java:123)
        at sun.rmi.transport.tcp.TCPChannel.createConnection(TCPChannel.java:229)
        ... 12 more]]

My server is reachable on port 8080, but not on the SSL ports 8181 and 4848.

Answer 1

My advice is not to delete the initial s1as certificate and replace it with your own. Keep in mind that there is another cacerts.jks keystore file that has to be kept in sync... For a clean GlassFish installation check here: https://www.nabisoft.com/tutorials/glassfish/installing-glassfish-41-on-ubuntu My tutorial also shows you how to create your own (self-signed) s1as and glassfish-instance certificates (too long to post here).

After that, import the certificate for your domain into keystore.jks (if you also received an intermediate certificate from the CA, you may need to import that one first). There is no need to add your domain certificate to cacerts.jks. Make sure you change your http-listener2 (=https) to use your certificate alias instead of s1as, then restart GlassFish. That should work...

Answer 2

Finally, after a lot of searching, I found a solution that works for me (see here)

So, after a fresh install, go to /opt/glassfish4/glassfish/domains/domain1/config and download the StartSSL certificates

wget https://www.startssl.com/certs/ca.pem
wget https://www.startssl.com/certs/sub.class1.server.ca.pem

Then concatenate the two certificates with my domain certificate

cat mydomain.crt ca.pem sub.class1.server.ca.pem > all.crt

and import them into cacerts

keytool -import -trustcacerts -alias mycert -file all.crt -keystore cacerts.jks

Create a p12 file with my domain's private key

openssl pkcs12 -export -in all.crt -inkey mydomain.key -out mydomain.p12 -name mycert -CAfile ca.pem -caname immed

and import it into the keystore

keytool -importkeystore -deststorepass changeit -destkeypass changeit -destkeystore keystore.jks -srckeystore mydomain.p12 -srcstoretype PKCS12 -srcstorepass changeit -alias mycert

Finally, replace every occurrence of s1as with mycert in domain.xml

sed -i 's|s1as|mycert|g' domain.xml

OK, now it works, even if I don't understand what I'm doing!
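A set of checks to run after the procedure in Answer 2 (and after switching the listener alias as Answer 1 describes), added here as an example and not part of either answer: it rewrites only the cert-nickname attributes instead of doing a blind sed, verifies no listener still points at the old alias, confirms the alias in keystore.jks actually holds a private key (the question's keytool steps left only a certificate, which is what produces the handshake_failure), and tries a handshake on the three TLS ports. CONFIG_DIR, ALIAS and STOREPASS are assumed GlassFish 4.1 defaults.

```shell
# Added example, not part of the original question or answers. Assumes the
# GlassFish 4.1 default domain layout; CONFIG_DIR, ALIAS and STOREPASS are
# assumptions to adjust for your installation.
CONFIG_DIR="${CONFIG_DIR:-/opt/glassfish4/glassfish/domains/domain1/config}"
ALIAS="${ALIAS:-mycert}"
STOREPASS="${STOREPASS:-changeit}"

# Rewrite only cert-nickname attributes (domain.xml on stdin, result on
# stdout). A blind sed over the whole file would also alter any other
# text that happens to contain the old alias.
replace_nickname() {
    sed "s/cert-nickname=\"$1\"/cert-nickname=\"$2\"/g"
}

# Print every distinct cert-nickname in the domain.xml read from stdin and
# fail if any of them is not the expected alias: a missed reference leaves
# one listener (for example the JMX connector on 8686) without a key.
check_nicknames() {
    found=$(grep -o 'cert-nickname="[^"]*"' | sed 's/cert-nickname="\(.*\)"/\1/' | sort -u)
    [ -n "$found" ] || { echo "no cert-nickname attribute found" >&2; return 1; }
    printf '%s\n' "$found"
    for n in $found; do
        [ "$n" = "$1" ] || { echo "domain.xml still references alias '$n'" >&2; return 1; }
    done
}

# The alias the listeners use must be a PrivateKeyEntry in keystore.jks.
# Importing only the certificate (as in the question) leaves a
# trustedCertEntry with no private key, and the TLS handshake then fails
# with the handshake_failure alert shown in the log.
check_keystore() {
    keytool -list -keystore "$CONFIG_DIR/keystore.jks" -storepass "$STOREPASS" \
        -alias "$1" 2>/dev/null | grep -q PrivateKeyEntry
}

# Try a TLS handshake on the https listener, the admin console and the JMX
# connector, the three ports that stop answering when the key is missing.
check_handshake() {
    for port in 8181 4848 8686; do
        if printf '' | openssl s_client -connect "$1:$port" -servername "$1" >/dev/null 2>&1; then
            echo "$port: handshake ok"
        else
            echo "$port: handshake FAILED"
        fi
    done
}
```

Typical use is `replace_nickname s1as "$ALIAS" < domain.xml > domain.xml.new`, then `check_nicknames "$ALIAS" < domain.xml.new`, `check_keystore "$ALIAS"` and, after the restart, `check_handshake www.myhost.com`.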
