错误代码:SEC_ERROR_BAD_SIGNATURE 安装在Tomcat上的SSL证书

huangapple go评论94阅读模式
英文:

Error code: SEC_ERROR_BAD_SIGNATURE installed SSL Certificate on Tomcat

问题

我已经从Comodo为我的域名购买了SSL证书。Comodo提供给我的文件如下:

  1. SSL_PrivateKEY_www_my-domain_com.txt
  2. SSL_CSR_www_my-domain_com.txt
  3. AddTrustExternalCARoot.crt
  4. USERTrustRSAAddTrustCA.crt
  5. SectigoRSADomainValidationSecureServerCA.crt
  6. www_my-domain_com.crt

经过研究,我找到了这个使用.key和.crt文件创建.jks密钥库的步骤,我使用了第3、4和5个.crt文件,并创建了cert.pem,然后我使用第1个.crt创建了key.pem。之后,我按照指南创建了jks。接下来,我将第6个.crt文件导入密钥库,如下所示:

keytool -import -alias mykey -file www_my-domain_com.crt -keystore www_my-domain_com.jks

然后,我使用密钥库资源管理器将密钥库转换为PKCS12格式。最后,我将文件上传到我的服务器,并且以下是我的Tomcat 8连接器配置:

<Connector port="9443" maxHttpHeaderSize="8192" maxThreads="100"
           minSpareThreads="25" maxSpareThreads="75"
           enableLookups="false" disableUploadTimeout="true"
           acceptCount="100" scheme="https" secure="true"
           protocol="org.apache.coyote.http11.Http11Protocol"
           SSLEnabled="true" clientAuth="false"
           keyAlias="server" sslProtocol="TLS" sslEnabledProtocols="TLSv1.2,TLSv1.1,TLSv1"
           keystoreFile="/home/test/ssls/www_my-domain_com.jks"
           keystorePass="password" />

重新启动Tomcat后,我在Firefox中遇到的错误是:

错误代码:SEC_ERROR_BAD_SIGNATURE

我还使用密钥库资源管理器检查了SSL,并且显示的错误如下:

javax.net.ssl.SSLKeyException: Invalid signature on ECDH server key exchange message
    at sun.security.ssl.HandshakeMessage$ECDH_ServerKeyExchange.<init>(Unknown Source)
    at sun.security.ssl.ClientHandshaker.processMessage(Unknown Source)
    at sun.security.ssl.Handshaker.processLoop(Unknown Source)
    at sun.security.ssl.Handshaker.process_record(Unknown Source)
    at sun.security.ssl.SSLSocketImpl.readRecord(Unknown Source)
    at sun.security.ssl.SSLSocketImpl.performInitialHandshake(Unknown Source)
    at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)
    at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)
    at sun.net.www.protocol.https.HttpsClient.afterConnect(Unknown Source)
    at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(Unknown Source)
    at sun.net.www.protocol.https.HttpsURLConnectionImpl.connect(Unknown Source)
    at org.kse.utilities.ssl.SslUtils.readSSLConnectionInfos(SslUtils.java:116)
    at org.kse.gui.dialogs.DExaminingSsl$ExamineSsl.run(DExaminingSsl.java:207)
    at java.lang.Thread.run(Unknown Source)
英文:

I have bought a SSL Certificate from Comodo for my domain. The files which Comodo had provide me is:

  1. SSL_PrivateKEY_www_my-domain_com.txt
  2. SSL_CSR_www_my-domain_com.txt
  3. AddTrustExternalCARoot.crt
  4. USERTrustRSAAddTrustCA.crt
  5. SectigoRSADomainValidationSecureServerCA.crt
  6. www_my-domain_com.crt

After a research, I found this Steps to create a .jks keystore using .key and .crt files..., I using the 3,4 and 5 crt files and I am creating the cert.pem, then I am using the 1 crt to create the key.pem. After that, I am creating the jks as the guide says. Next, I am importing the 6 crt file in the keystore, like that:

keytool -import -alias mykey -file www_my-domain_com.crt -keystore www_my-domain_com.jks

Afterwards, I am using the keystore explorer to convert my keystore to PKCS12. Finally I am uploading the file at my server and here is my tomcat 8, connector:

&lt;Connector port=&quot;9443&quot; maxHttpHeaderSize=&quot;8192&quot; maxThreads=&quot;100&quot;
           minSpareThreads=&quot;25&quot; maxSpareThreads=&quot;75&quot;
           enableLookups=&quot;false&quot; disableUploadTimeout=&quot;true&quot;
           acceptCount=&quot;100&quot; scheme=&quot;https&quot; secure=&quot;true&quot;
           protocol=&quot;org.apache.coyote.http11.Http11Protocol&quot;
           SSLEnabled=&quot;true&quot; clientAuth=&quot;false&quot;
           keyAlias=&quot;server&quot; sslProtocol=&quot;TLS&quot; sslEnabledProtocols=&quot;TLSv1.2,TLSv1.1,TLSv1&quot;
           keystoreFile=&quot;/home/test/ssls/www_my-domain_com.jks&quot;
           keystorePass=&quot;password&quot; /&gt;

Restarting my tomcat and then the error which I am getting at the firefox

> Error code: SEC_ERROR_BAD_SIGNATURE

I also use the KeyStore Explorer to examine the ssl and the error which are showing there is:

javax.net.ssl.SSLKeyException: Invalid signature on ECDH server key exchange message
	at sun.security.ssl.HandshakeMessage$ECDH_ServerKeyExchange.&lt;init&gt;(Unknown Source)
	at sun.security.ssl.ClientHandshaker.processMessage(Unknown Source)
	at sun.security.ssl.Handshaker.processLoop(Unknown Source)
	at sun.security.ssl.Handshaker.process_record(Unknown Source)
	at sun.security.ssl.SSLSocketImpl.readRecord(Unknown Source)
	at sun.security.ssl.SSLSocketImpl.performInitialHandshake(Unknown Source)
	at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)
	at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)
	at sun.net.www.protocol.https.HttpsClient.afterConnect(Unknown Source)
	at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(Unknown Source)
	at sun.net.www.protocol.https.HttpsURLConnectionImpl.connect(Unknown Source)
	at org.kse.utilities.ssl.SslUtils.readSSLConnectionInfos(SslUtils.java:116)
	at org.kse.gui.dialogs.DExaminingSsl$ExamineSsl.run(DExaminingSsl.java:207)
	at java.lang.Thread.run(Unknown Source)

答案1

得分: 2

我找到了解决方案,在与SSL证书提供商联系后,如下所示:

  1. 首先,我必须创建一个名为my.bundle的捆绑文本文件,顺序如下:

    • SectigoRSADomainValidationSecureServerCA.crt
    • USERTrustRSAAddTrustCA.crt
    • AddTrustExternalCARoot.crt
  2. 其次,您必须使用OpenSSL运行以下命令:

    openssl pkcs12 -export -in my.crt -inkey my.key -certfile my.bundle -out my.pfx
    

    这里的my.crt是www_my-domain_com.crt,my.key是您的私钥,my.bundle是我们在前一步中创建的文件。

  3. 下一步是运行以下命令:

    keytool -importkeystore -srckeystore pkcs12FileName.p12 -srcstoretype pkcs12 -destkeystore jksFileName.jks -deststoretype jks
    

    这里的pkcs12FileName.p12是从前一步生成的文件,请将其重命名为p12(将pfx格式转换为p12)。

  4. 接下来,只需使用KeyStore Explorer将从前一步导出的jks类型的文件转换为pkcs12类型。

  5. 最后,在conf/server.xml中的Tomcat连接器如下:

    <Connector port="8443" maxHttpHeaderSize="8192" maxThreads="150"
        minSpareThreads="25" maxSpareThreads="75" enableLookups="false"
        disableUploadTimeout="true" SSLEnabled="true" acceptCount="100"
        scheme="https" secure="true" clientAuth="false" sslProtocol="TLS"
        keystoreFile="/opt/sslcertificates/www_my-domain_com.jks"
        keystorePass="mypassword" />
    

    它可以正常工作!

英文:

I find the solution, after made contact with the SSL Certificate provider, which is:

  1. Firstly, I must create a bundle text file with name my.bundle with the following order:

> - SectigoRSADomainValidationSecureServerCA.crt
> - USERTrustRSAAddTrustCA.crt
> - AddTrustExternalCARoot.crt

  1. Secondly, you must run with OpenSSL the following command:

> openssl pkcs12 -export -in my.crt -inkey my.key -certfile my.bundle
> -out my.pfx

Where the my.crt is the www_my-domain_com.crt, the my.key is your private key and the my.bundle is the file which we have made in the previous step.

  1. Next step is to run the command:

> keytool -importkeystore -srckeystore pkcs12FileName.p12
> -srcstoretype pkcs12 -destkeystore jksFileName.jks -deststoretype jks

Here the pkcs12FileName.p12 is the file which produced from the previous step, rename it to p12(convert pfx format to p12)

  1. Following step just convert the jks, which exported from the previous step to type pkcs12 with the help of the KeyStore Explorer.

  2. Finally, the tomcat connector in the conf/server.xml is:

    > Connector port="8443" maxHttpHeaderSize="8192" maxThreads="150"
    > minSpareThreads="25" maxSpareThreads="75" enableLookups="false"
    > disableUploadTimeout="true" SSLEnabled="true" acceptCount="100"
    > scheme="https" secure="true" clientAuth="false" sslProtocol="TLS"
    > keystoreFile="/opt/sslcertificates/www_my-domain_com.jks"
    > keystorePass="mypassword"

And it works fine!

huangapple
  • 本文由 发表于 2020年1月6日 18:22:07
  • 转载请务必保留本文链接:https://go.coder-hub.com/59610337.html
匿名

发表评论

匿名网友

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen:

确定