Install SSL on EC2 Tomcat server

杀马特。学长 韩版系。学妹 submitted on 2019-11-27 18:18:16

Question


I'm trying to get a CA cert/SSL working on an AWS EC2 instance with Ubuntu and Tomcat 7.0.52. Browsers fail to connect. Here are the steps I went through:

keytool -genkey -alias mydomain -keyalg RSA -keystore mydomain.keystore -keysize 2048
<fill out information>

keytool -certreq -keyalg RSA -alias mydomain -file certreq.csr -keystore ../mydomain.keystore

submit csr to ssls.com/Geotrust, and receive back: bundle.crt www.mydomain.net.crt

import certs into keystore:

keytool -import -trustcacerts -alias root -keystore ../mydomain.keystore -file bundle.crt
keytool -import -alias mydomain -keystore ../mydomain.keystore -file www.mydomain.net.crt

next, update $TOMCAT_HOME/config/server.xml:

<Connector port="8080" protocol="HTTP/1.1"
       connectionTimeout="20000"
       redirectPort="443" />
<Connector port="8443" SSLEnabled="true"
       maxThreads="150" scheme="https" secure="true"
       keystoreFile="/home/ubuntu/mydomain.keystore" 
       keystorePass="xxxxxxx"
       clientAuth="false" sslProtocol="TLS" />

and restart tomcat.

EC2 instance with security groups are set up to allow port 80 and 443.

iptables changes made to redirect 80->8080 and 443->8443:

sudo iptables -t nat -n -L PREROUTING --line-numbers
Chain PREROUTING (policy ACCEPT)
num  target     prot opt source               destination         
1    REDIRECT   tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:443 redir ports 8443
2    REDIRECT   tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:80 redir ports 8080

DNS for www.mydomain.net is not yet in place, so I'm currently testing with a modified /etc/hosts:

54.200.126.130  www.mydomain.net
54.200.126.130  mydomain.net

sslscan does not return any valid ciphers. They are all listed as "Rejected".

openssl test:

openssl s_client -connect www.mydomain.net:443
CONNECTED(00000003)
64007:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:602:

switching to a self-signed cert generated with keytool works fine (other than the obligatory browser warning). So it seems the issue must be with the certs and/or keystore, but I'm not sure what the issue is.


Answer 1:


Tomcat assumes a keystore alias of "tomcat" unless you specify the keyAlias attribute on the Connector. Just add keyAlias=mydomain, or rename your alias to "tomcat" with the keytool.




Answer 2:


Tomcat docs say of keyAlias: "If not specified the first key read in the keystore will be used.", but it's a good catch. However, it didn't solve all my issues. I contacted GeoTrust and they recommended downloading a PKCS #7 cert, which worked. Odd, given that Tomcat docs say "Tomcat currently operates only on JKS, PKCS11 or PKCS12 format keystores". In the end it was two support chats with the CA, a Stack Overflow post with bounty, and hours of openssl and keytool testing. Lesson learned: it appears the CAs, given they get the support calls, have the best documentation for this (not Tomcat).

https://knowledge.geotrust.com/support/knowledge-base/index?page=content&id=SO15323
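A check for the two causes the answers discuss (which keystore alias the Connector actually resolves to, and whether that entry carries intermediate certificates), written as an added example that is not part of the original post. It assumes the Tomcat keyAlias rule quoted in Answer 2 and runs over constructed server.xml and `keytool -list -v` samples; the function names and sample data are hypothetical.

```python
# Added example (not from the original post): does the SSL Connector in
# server.xml resolve to a usable PrivateKeyEntry in the keystore it names?
import xml.etree.ElementTree as ET

# Constructed sample: the question's HTTPS connector, with no keyAlias set.
SERVER_XML = """<Server><Service><Connector port="8443" SSLEnabled="true"
    scheme="https" secure="true" keystoreFile="/home/ubuntu/mydomain.keystore"
    keystorePass="xxxxxxx" clientAuth="false" sslProtocol="TLS" />
</Service></Server>"""

# Constructed, abridged `keytool -list -v` output for that keystore.
KEYTOOL_OUT = """Alias name: root
Entry type: trustedCertEntry
Alias name: mydomain
Entry type: PrivateKeyEntry
Certificate chain length: 1"""

def connector_key_alias(server_xml):
    """keyAlias of the first SSLEnabled Connector, or None when unset."""
    for conn in ET.fromstring(server_xml).iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() == "true":
            return conn.get("keyAlias")
    return None

def parse_keytool_list(text):
    """Map alias -> {'type', 'chain'} from `keytool -list -v` output."""
    entries, cur = {}, None
    for line in text.splitlines():
        key, _, val = line.partition(": ")
        if key == "Alias name":
            cur = entries[val.strip()] = {"type": "", "chain": 0}
        elif cur is not None and key == "Entry type":
            cur["type"] = val.strip()
        elif cur is not None and key == "Certificate chain length":
            cur["chain"] = int(val)
    return entries

def check_keystore(server_xml, keytool_text):
    """Resolve the alias Tomcat will use and report likely handshake causes."""
    entries = parse_keytool_list(keytool_text)
    alias = connector_key_alias(server_xml)
    if alias is None:  # Tomcat docs (quoted in Answer 2): first key entry is used
        alias = next((a for a, e in entries.items() if e["type"] == "PrivateKeyEntry"), None)
    entry = entries.get(alias)
    if entry is None or entry["type"] != "PrivateKeyEntry":
        return alias, ["no PrivateKeyEntry for alias %r; keystore aliases: %s"
                       % (alias, sorted(entries))]
    if entry["chain"] < 2:
        return alias, ["alias %r has chain length %d: no intermediate CA "
                       "certificate is sent to clients" % (alias, entry["chain"])]
    return alias, []
```

Run `keytool -list -v -keystore mydomain.keystore` on the server and feed its output in place of the constructed sample; a chain length of 1 on the key entry is the symptom the PKCS #7 import fixed.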



Source: https://stackoverflow.com/questions/22799947/install-ssl-on-ec2-tomcat-server
