Java: getting NSS error -8156 (SEC_ERROR_CA_CERT_INVALID) "Issuer certificate is invalid" when hitting Tomcat with curl


I am trying to enable SSL for HTTPS requests on my Tomcat on a CentOS box. (The box IP is 10.10.10.10.)

I created the keystore file using the following:

./keytool -genkey -alias 10.10.10.10 -keyalg RSA -keystore /home/as5714/ipnew_keystore 
and it created a keystore file.

Then I made the following changes in the server.xml file:

           <Connector port="443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           maxThreads="200"
           SSLEnabled="true" scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLS"
           keystoreFile="/etc/ssl/ipnew_keystore"
           keystorePass="password"/>
This is the log I get:

* About to connect() to 10.10.10.10 port 443 (#0)
*   Trying 10.10.10.10...
* Connected to 10.10.10.10 (10.10.10.10) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* Server certificate:
*       subject: CN=10.10.10.10,OU=Web,O=Snapdeal,L=Delhi,ST=Delhi,C=IN
*       start date: Feb 24 13:03:34 2016 GMT
*       expire date: May 24 13:03:34 2016 GMT
*       common name: 10.10.10.10
*       issuer: CN=10.10.10.10,OU=Web,O=Snapdeal,L=Delhi,ST=Delhi,C=IN
* NSS error -8156 (SEC_ERROR_CA_CERT_INVALID)
* Issuer certificate is invalid.
* Closing connection 0
curl: (60) Issuer certificate is invalid.
More details here: http://curl.haxx.se/docs/sslcerts.html

curl performs SSL certificate verification by default, using a "bundle"
 of Certificate Authority (CA) public keys (CA certs). If the default
 bundle file isn't adequate, you can specify an alternate file
 using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
 the bundle, the certificate verification probably failed due to a
 problem with the certificate (it might be expired, or the name might
 not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
 the -k (or --insecure) option.

Please help.

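cURL will not talk to sites that use untrusted or self-signed certificates unless told otherwise. As the error says, add the --insecure option to the request to ignore the untrusted certificate and allow the connection.

Thanks, so how do I check whether the SSL configuration is correct?

Try
curl -v --insecure https://10.41.66.69/service/getData
If you get a response, SSL is probably configured correctly (with an untrusted self-signed certificate). The -v option shows debug output so you can see which protocol and cipher were used.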
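
An added example, not from the original thread: a Python triage of the verbose curl output quoted in the question. It reports whether the certificate is self-signed (subject equals issuer), outside its validity window, or issued for a different name; the function names and finding labels are assumptions made for this example.

```python
import re
from datetime import datetime, timezone

# Constructed sample: certificate lines copied from the curl -v log in the question.
SAMPLE_LOG = """\
* Server certificate:
*       subject: CN=10.10.10.10,OU=Web,O=Snapdeal,L=Delhi,ST=Delhi,C=IN
*       start date: Feb 24 13:03:34 2016 GMT
*       expire date: May 24 13:03:34 2016 GMT
*       common name: 10.10.10.10
*       issuer: CN=10.10.10.10,OU=Web,O=Snapdeal,L=Delhi,ST=Delhi,C=IN
* NSS error -8156 (SEC_ERROR_CA_CERT_INVALID)
* Issuer certificate is invalid.
"""

FIELD = re.compile(
    r"^\*\s+(subject|issuer|start date|expire date|common name):\s*(.+?)\s*$", re.M)
NSS_ERR = re.compile(r"NSS error (-?\d+) \((\w+)\)")

def parse_curl_nss_log(text):
    """Extract certificate fields and the NSS error (if any) from curl -v output."""
    info = dict(FIELD.findall(text))
    m = NSS_ERR.search(text)
    info["nss_code"] = int(m.group(1)) if m else None
    info["nss_name"] = m.group(2) if m else None
    return info

def _when(value):
    """Parse curl's 'Feb 24 13:03:34 2016 GMT' timestamps as UTC."""
    fmt = "%b %d %H:%M:%S %Y GMT"
    return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc) if value else None

def diagnose(text, host, now):
    """Return labels (hypothetical names) for the reasons verification can fail."""
    info = parse_curl_nss_log(text)
    findings = []
    # subject == issuer: self-signed, so no CA in the default bundle vouches for it.
    if info.get("subject") and info["subject"] == info.get("issuer"):
        findings.append("self-signed")
    start, end = _when(info.get("start date")), _when(info.get("expire date"))
    if start and now < start:
        findings.append("not-yet-valid")
    if end and now > end:
        findings.append("expired")
    # The log exposes only the CN, so that is what is compared with the host.
    if info.get("common name") and info["common name"] != host:
        findings.append("name-mismatch")
    return findings
```

For the self-signed finding, the hint printed in the log applies: point --cacert at an alternate bundle so that verification stays enabled.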