Error code: SEC_ERROR_BAD_SIGNATURE installed SSL Certificate on Tomcat
Question
I have bought an SSL Certificate from Comodo for my domain. The files which Comodo has provided me are:
- SSL_PrivateKEY_www_my-domain_com.txt
- SSL_CSR_www_my-domain_com.txt
- AddTrustExternalCARoot.crt
- USERTrustRSAAddTrustCA.crt
- SectigoRSADomainValidationSecureServerCA.crt
- www_my-domain_com.crt
After some research, I found this "Steps to create a .jks keystore using .key and .crt files...". I am using the 3rd, 4th and 5th crt files to create the cert.pem, then I am using the 1st crt to create the key.pem. After that, I am creating the jks as the guide says. Next, I am importing the 6th crt file into the keystore, like that:
keytool -import -alias mykey -file www_my-domain_com.crt -keystore www_my-domain_com.jks
Afterwards, I am using the KeyStore Explorer to convert my keystore to PKCS12. Finally I am uploading the file to my server and here is my Tomcat 8 connector:
<Connector port="9443" maxHttpHeaderSize="8192" maxThreads="100"
minSpareThreads="25" maxSpareThreads="75"
enableLookups="false" disableUploadTimeout="true"
acceptCount="100" scheme="https" secure="true"
protocol="org.apache.coyote.http11.Http11Protocol"
SSLEnabled="true" clientAuth="false"
keyAlias="server" sslProtocol="TLS" sslEnabledProtocols="TLSv1.2,TLSv1.1,TLSv1"
keystoreFile="/home/test/ssls/www_my-domain_com.jks"
keystorePass="password" />
After restarting my Tomcat, the error which I am getting in Firefox is:
> Error code: SEC_ERROR_BAD_SIGNATURE
I also used the KeyStore Explorer to examine the SSL, and the error which is showing there is:
javax.net.ssl.SSLKeyException: Invalid signature on ECDH server key exchange message
at sun.security.ssl.HandshakeMessage$ECDH_ServerKeyExchange.<init>(Unknown Source)
at sun.security.ssl.ClientHandshaker.processMessage(Unknown Source)
at sun.security.ssl.Handshaker.processLoop(Unknown Source)
at sun.security.ssl.Handshaker.process_record(Unknown Source)
at sun.security.ssl.SSLSocketImpl.readRecord(Unknown Source)
at sun.security.ssl.SSLSocketImpl.performInitialHandshake(Unknown Source)
at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)
at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)
at sun.net.www.protocol.https.HttpsClient.afterConnect(Unknown Source)
at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(Unknown Source)
at sun.net.www.protocol.https.HttpsURLConnectionImpl.connect(Unknown Source)
at org.kse.utilities.ssl.SslUtils.readSSLConnectionInfos(SslUtils.java:116)
at org.kse.gui.dialogs.DExaminingSsl$ExamineSsl.run(DExaminingSsl.java:207)
at java.lang.Thread.run(Unknown Source)
Answer 1
Score: 2
I found the solution after making contact with the SSL Certificate provider, which is:
- Firstly, I must create a bundle text file with name my.bundle with the following order:
> - SectigoRSADomainValidationSecureServerCA.crt
> - USERTrustRSAAddTrustCA.crt
> - AddTrustExternalCARoot.crt
- Secondly, you must run with OpenSSL the following command:
> openssl pkcs12 -export -in my.crt -inkey my.key -certfile my.bundle -out my.pfx
Where the my.crt is the www_my-domain_com.crt, the my.key is your private key and the my.bundle is the file which we have made in the previous step.
- Next step is to run the command:
> keytool -importkeystore -srckeystore pkcs12FileName.p12 -srcstoretype pkcs12 -destkeystore jksFileName.jks -deststoretype jks
Here the pkcs12FileName.p12 is the file which was produced from the previous step; rename it to p12 (convert pfx format to p12).
- The following step just converts the jks, which was exported from the previous step, to type pkcs12 with the help of the KeyStore Explorer.
- Finally, the Tomcat connector in the conf/server.xml is:
> <Connector port="8443" maxHttpHeaderSize="8192" maxThreads="150"
> minSpareThreads="25" maxSpareThreads="75" enableLookups="false"
> disableUploadTimeout="true" SSLEnabled="true" acceptCount="100"
> scheme="https" secure="true" clientAuth="false" sslProtocol="TLS"
> keystoreFile="/opt/sslcertificates/www_my-domain_com.jks"
> keystorePass="mypassword" />
And it works fine!