使用生成的密钥存储文件进行tomcat https配置

Question

在开始之前，我只跟踪DZone的步骤。

5分钟内建立Tomcal SSL

我看过几个类似的教程，但我找不到问题的答案。

问题：

我可以访问HTTP/8080，但不能访问HTTPS/8443，而且它似乎永远都在加载。

尝试使用HTTP/8443，它得到了一个错误(正如我所预期的)

我尝试使用curl命令：

borgymanotoy@ujease:/home/borgymanotoy$ curl -Iv https://localhost:8443
* Rebuilt URL to: https://localhost:8443/
*   Trying 127.0.0.1...
* Connected to localhost (127.0.0.1) port 8443 (#0)
* found 173 certificates in /etc/ssl/certs/ca-certificates.crt
* found 697 certificates in /etc/ssl/certs
* ALPN, offering http/1.1
* Operation timed out after 300495 milliseconds with 0 out of 0 bytes received
* Closing connection 0
curl: (28) Operation timed out after 300495 milliseconds with 0 out of 0 bytes received

注：

我遵循给定站点中的步骤。检查了以下内容：

1)成功地生成了.keystore文件。

2)正确地更新了tomcat的server.xml，并对生成的密钥存储文件进行了正确的路径验证。

3)检查了tomcat日志，没有发现任何错误。

有人试着按照链接中的步骤，得到错误并修复它吗？

Answer 1

感谢南地斯托指点了最新的猫指南。

顺便说一下，我正在使用Tomcat8.5，运行在Ubuntu上。本教程使用Tomcat 7，因此我有一些连接问题。

我只是在tomcat的server.xml文件上设置了SSL连接器设置。

<!-- Define a SSL Coyote HTTP/1.1 Connector on port 8443 -->
<Connector
       protocol="org.apache.coyote.http11.Http11NioProtocol"
       port="8443" maxThreads="200"
       scheme="https" secure="true" SSLEnabled="true"
       keystoreFile="/home/borgymanotoy/.keystore" keystorePass="bilat-savore"
       clientAuth="false" sslProtocol="TLS" />

重新启动我的tomcat，并尝试curl命令：

$ curl -Iv https://localhost:8443

* Rebuilt URL to: https://localhost:8443/
*   Trying ::1...
* Connected to localhost (::1) port 8443 (#0)
* found 173 certificates in /etc/ssl/certs/ca-certificates.crt
* found 694 certificates in /etc/ssl/certs
* ALPN, offering http/1.1
* SSL connection using TLS1.2 / ECDHE_RSA_AES_256_GCM_SHA384
* server certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt CRLfile: none
* Closing connection 0
curl: (60) server certificate verification failed. CAfile: /etc/ssl/certs/ca-certificates.crt CRLfile: none
More details here: https://curl.haxx.se/docs/sslcerts.html

curl performs SSL certificate verification by default, using a "bundle"
 of Certificate Authority (CA) public keys (CA certs). If the default
 bundle file isn't adequate, you can specify an alternate file
 using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
 the bundle, the certificate verification probably failed due to a
 problem with the certificate (it might be expired, or the name might
 not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
 the -k (or --insecure) option.

我现在可以访问https://localhost:8443/了