Java nginx and tomcat ssl issue - SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure
Since my site's SSL certificate had expired, I renewed it and added the new certificate to the keystore, but since then I get a 502 when calling the site URL. Below you can see the nginx configuration and the tomcat configuration used for SSL. The error I get in the nginx error log is:

SSL_do_handshake() failed (SSL: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure) while SSL handshaking to upstream, client: 120.6.20.134, server: app.somewhere.com, request: "GET /favicon.ico HTTP/2.0", upstream: , host: "app.somewhere.com", referrer: "

server nginx version: nginx/1.12.1

nginx config
server {
listen 443;
server_name app.somewhere.com;
root /usr/share/tomcat8/webapps;
ssl on;
ssl_session_timeout 5m;
ssl_session_cache shared:SSL:5m;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers ECDH+AESGCM:ECDH+AES256:ECDH+AES128:DH+3DES:!ADH:!AECDH:!MD5;
ssl_certificate /opt/jdk1.8.0_45/jre/lib/security/app_somewhere_com.pem;
ssl_certificate_key /opt/jdk1.8.0_45/jre/lib/security/app_somewhere_com.key;
ssl_dhparam /etc/nginx/certs/dhparam.pem;
proxy_ssl_server_name on;
location / {
proxy_read_timeout 120s;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Server $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_pass https://app.somewhere.com:8443;
}
}
tomcat server.xml
<Connector port="8443"
maxThreads="100"
scheme="https"
secure="true"
SSLEnabled="true"
keystoreFile="/opt/jdk1.8.0_45/jre/lib/security/my-keystore.jks"
protocol="org.apache.coyote.http11.Http11NioProtocol"
keystorePass="mypass"
clientAuth="false"
sslProtocol="TLS"
proxyPort="443"/>
Found the problem: the certificate had been imported into the wrong keystore. So I created a new keystore containing the certificate and the private key, using the following commands.

Create the new keystore:
openssl pkcs12 -export -in cert.crt -inkey private-key.key -certfile cert.crt -name "tomcat" -out keystore.p12
Convert the keystore to JKS format:
keytool -importkeystore -srckeystore keystore.p12 -srcstoretype pkcs12 -destkeystore keystore.jks -deststoretype JKS
Then set the path to keystore.jks in tomcat server.xml.

Something in the tomcat configuration is broken, so that nginx can no longer complete the SSL handshake with tomcat. If all you changed is the keystore, then the problem is probably that you messed up the keystore. The question alone does not provide enough information about this part of the configuration.

The result of this command

keytool -list -keystore "/opt/jdk1.8.0_45/jre/lib/security/my-keystore.jks"

is:

Keystore type: jks
Keystore provider: SUN

Your keystore contains 1 entry

myapp, Feb 1, 2018, trustedCertEntry,
Certificate fingerprint (SHA1): B1…

To import the certificate into the keystore I ran the command below.

keytool -import -trustcacerts -alias myapp -file "mycert.crt" -keystore "/opt/jdk1.8.0_45/jre/lib/security/my-keystore.jks"

Other than that, I am sure I did nothing else. @steffen ullrich

Got it @steffen ullrich. I found the problem: as you highlighted, I had added the certificate to the wrong keystore (messed up the keystore).
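The keytool listing in the comments already contains the diagnosis: the only entry is a trustedCertEntry, which is what `keytool -import -trustcacerts` creates, so the keystore holds no private key for Tomcat to present, and the PKCS12-to-JKS route in the follow-up answer is what produces a PrivateKeyEntry. The script below is an added example, not code from the question or its answers; it parses `keytool -list` output (constructed samples inline, with a placeholder fingerprint) and reports whether the keystore Tomcat loads has a usable key pair.

```python
import re
from typing import Dict, Optional

# keytool's default listing prints one line per entry, "<alias>, <date>, <EntryType>,".
# The date is locale dependent, so only the alias and the entry type are matched.
ENTRY_RE = re.compile(
    r"^(?P<alias>[^,]+),.*,\s*(?P<type>PrivateKeyEntry|trustedCertEntry|SecretKeyEntry),?\s*$"
)


def parse_keytool_list(output: str) -> Dict[str, str]:
    """Map alias -> entry type from the text printed by `keytool -list`."""
    entries: Dict[str, str] = {}
    for line in output.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries[m.group("alias").strip()] = m.group("type")
    return entries


def diagnose(entries: Dict[str, str], alias: Optional[str] = None) -> str:
    """Say whether Tomcat has a key pair to serve from this keystore.
    A trustedCertEntry (created by `keytool -import -trustcacerts`) holds no private
    key, so Tomcat has nothing to present and nginx logs 'sslv3 alert handshake
    failure'; only a PrivateKeyEntry can serve TLS."""
    if alias is not None:  # the keyAlias a Connector would be pinned to
        kind = entries.get(alias)
        if kind is None:
            return f"alias '{alias}' not found in keystore"
        if kind == "PrivateKeyEntry":
            return f"alias '{alias}' is a PrivateKeyEntry; Tomcat can serve it"
        return f"alias '{alias}' is a {kind}; no private key, handshake will fail"
    keys = [a for a, k in entries.items() if k == "PrivateKeyEntry"]
    if not keys:
        return "no PrivateKeyEntry; import cert and key together via PKCS12"
    return "PrivateKeyEntry present: " + ", ".join(keys)


def sample_listing(alias: str, kind: str) -> str:
    """Constructed `keytool -list` output (the fingerprint is a placeholder)."""
    return (
        "Keystore type: jks\nKeystore provider: SUN\n\nYour keystore contains 1 entry\n\n"
        f"{alias}, Feb 1, 2018, {kind},\n"
        "Certificate fingerprint (SHA1): B1:00:00:00:00:00:00:00:00:00\n"
    )


# BROKEN mirrors the listing in the question; FIXED is what the PKCS12 -> JKS conversion produces.
BROKEN_LISTING = sample_listing("myapp", "trustedCertEntry")
FIXED_LISTING = sample_listing("tomcat", "PrivateKeyEntry")
```

On a real host, feed the output of `keytool -list -keystore <file> -storepass <pass>` to `parse_keytool_list` and pass the Connector's keyAlias, if one is set, to `diagnose`.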