无法在 AWS EC2 上的 Tomcat 9 上设置 SSL

无法在 AWS EC2 上的 Tomcat 9 上设置 SSL

我正在关注本指南在托管于 AWS EC2(Ubuntu 16.04.5 LTS)的 Tomcat 9 上设置 ssl。

版本: java-8-oracle , apache-tomcat-9.0.10

密钥创建于/home/ubuntu

ubuntu@ip-x-x-x-x:~$ sudo keytool -genkey -alias tomcat -keyalg RSA -keystore ./test
Enter keystore password:  
Re-enter new password: 
What is your first and last name?
  [Unknown]:  Tester
What is the name of your organizational unit?
  [Unknown]:  Test  
What is the name of your organization?
  [Unknown]:  Tester ltd
What is the name of your City or Locality?
  [Unknown]:  City
What is the name of your State or Province?
  [Unknown]:  State
What is the two-letter country code for this unit?
  [Unknown]:  US
Is CN=Tester, OU=Test, O=Tester ltd, L=City, ST=State, C=US correct?
  [no]:  yes

Enter key password for <tomcat>
    (RETURN if same as keystore password):  
Re-enter new password: 

Warning:
The JKS keystore uses a proprietary format. It is recommended to migrate to PKCS12 which is an industry standard format using "keytool -importkeystore -srckeystore ./test -destkeystore ./test -deststoretype pkcs12".

将密钥转换为 PKCS12:

ubuntu@ip-x-x-x-x:~$ sudo keytool -importkeystore -srckeystore ./test -destkeystore ./test -deststoretype pkcs12
Enter source keystore password:  
Entry for alias tomcat successfully imported.
Import command completed:  1 entries successfully imported, 0 entries failed or cancelled

Warning:
Migrated "./test" to Non JKS/JCEKS. The JKS keystore is backed up as "./test.old".

ubuntu@ip-x-x-x-x:~$ keytool -list -keystore ./test
Enter keystore password:  
Keystore type: JKS
Keystore provider: SUN

Your keystore contains 1 entry

tomcat, Aug 5, 2018, PrivateKeyEntry, 
Certificate fingerprint (SHA1): E7:F9:46:D4:F8:91:E6:A9:68:54:98:6C:22:CF:EE:6D:C5:6A:FF:17

调整/opt/tomcat/conf/server.xml

<Connector port="80" protocol="HTTP/1.1"
           connectionTimeout="20000"
           redirectPort="443" />

<Connector SSLEnabled="true" acceptCount="100" clientAuth="false"
    disableUploadTimeout="true" enableLookups="false" maxThreads="25"
    port="443" keystoreFile="/home/ubuntu/test" keystorePass="password"
    protocol="org.apache.coyote.http11.Http11NioProtocol" scheme="https"
    secure="true" sslProtocol="TLS" />

启用防火墙:

ubuntu@ip-x-x-x-x:~$ sudo ufw status
Status: active

To                         Action      From
--                         ------      ----
OpenSSH                    ALLOW       Anywhere                  
80                         ALLOW       Anywhere                  
8443                       ALLOW       Anywhere                  
443                        ALLOW       Anywhere                  
8080                       ALLOW       Anywhere                  
OpenSSH (v6)               ALLOW       Anywhere (v6)             
80 (v6)                    ALLOW       Anywhere (v6)             
8443 (v6)                  ALLOW       Anywhere (v6)             
443 (v6)                   ALLOW       Anywhere (v6)             
8080 (v6)                  ALLOW       Anywhere (v6)         

结果:

使用 Chrome 时,我可以轻松连接到http://x-x-x-x(我会看到 Apache Tomcat/9.0.10 主页)。但是当我尝试时https://x-x-x-x,我会看到This site connot be reachedERR_CONNECTION_TIMED_OUT

答案1

我要自己回答这个问题。我收到的原因ERR_CONNECTION_TIMED_OUT是 AWS EC2 防火墙阻止了所有传入的 https 端口 (443)。编辑 AWS EC2 实例安全组的入站规则以允许传入端口 443,这将解决问题。

相关内容