Configuring Tomcat on Debian to serve HTTPS with an SSL/TLS certificate involves a few steps. Here is a detailed guide:
First, you need a certificate. You can get one for free from Let's Encrypt or buy one from a commercial CA; the rest of this guide uses Let's Encrypt.
Install Certbot:
sudo apt update
sudo apt install certbot
Obtain the certificate:
sudo certbot certonly --standalone -d yourdomain.com -d www.yourdomain.com
Follow the prompts. The --standalone authenticator starts its own temporary web server on port 80, so that port must be free (Tomcat's default HTTP port is 8080, so the two do not conflict) and reachable from the internet; the same holds at every renewal. On success Certbot writes privkey.pem, cert.pem, chain.pem and fullchain.pem under /etc/letsencrypt/live/yourdomain.com/ (as symlinks into /etc/letsencrypt/archive/).
Next, configure Tomcat to use the certificate.
Locate Tomcat's server.xml. With the Debian package it is /etc/tomcat9/server.xml (or /etc/tomcat10/server.xml on Debian 12, which ships Tomcat 10); adjust the paths and the service name in the rest of this guide to match the version you installed.
Open server.xml:
sudo nano /etc/tomcat9/server.xml
Find the commented-out TLS connector (this is how it appears in the default server.xml shipped with Tomcat):
<!--
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           maxThreads="150" SSLEnabled="true">
    <SSLHostConfig>
        <Certificate certificateKeystoreFile="conf/localhost-rsa.jks"
                     type="RSA" />
    </SSLHostConfig>
</Connector>
-->
Uncomment it and change it to the following. Tomcat 8.5 and later can load PEM files directly, so the Let's Encrypt files are referenced as they are. The attributes certificateKeystoreFile, certificateKeystorePassword and certificateKeyAlias are only for JKS/PKCS12 keystores and must not be mixed with the PEM attributes, and an SSLHostConfig may contain only one Certificate element of each type:
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           maxThreads="150" SSLEnabled="true">
    <SSLHostConfig protocols="TLSv1.2,TLSv1.3">
        <Certificate certificateKeyFile="/etc/letsencrypt/live/yourdomain.com/privkey.pem"
                     certificateFile="/etc/letsencrypt/live/yourdomain.com/cert.pem"
                     certificateChainFile="/etc/letsencrypt/live/yourdomain.com/chain.pem"
                     type="RSA" />
    </SSLHostConfig>
</Connector>
Replace yourdomain.com with your real domain. protocols="TLSv1.2,TLSv1.3" pins the protocol list explicitly instead of relying on the default, which differs between Tomcat releases. Set type to match the key: Certbot 2.0 and later generate an ECDSA key by default (use type="EC"; pass --key-type rsa to Certbot if you want RSA), older Certbot versions generate RSA keys (type="RSA").
One thing that trips people up: on Debian Tomcat runs as the unprivileged tomcat user, but Certbot creates /etc/letsencrypt/live and /etc/letsencrypt/archive with mode 0700 and privkey.pem with mode 0600, all owned by root, so Tomcat cannot open these files and the connector fails to start. Either make them readable for the tomcat group (sudo chgrp -R tomcat /etc/letsencrypt/live /etc/letsencrypt/archive; sudo chmod -R g+rX /etc/letsencrypt/live /etc/letsencrypt/archive) or copy them into a directory Tomcat can read, for example from a Certbot deploy hook, and point the Certificate element at that copy.
You do not need to add the Let's Encrypt CA certificate to a Tomcat truststore for this setup. A truststore (the truststoreFile attribute of SSLHostConfig) is what Tomcat uses to verify certificates presented to it, which only matters if you enable client certificate authentication (certificateVerification="required"). For ordinary HTTPS the server sends its own certificate plus the intermediate from chain.pem, and it is the browser's trust store that validates the chain up to the ISRG root. Also note that JKS is a binary keystore format: copying a PEM file to a path ending in .jks would only produce a file Tomcat cannot read.
For reference, here is a complete server.xml with the TLS connector in place (based on the default file shipped with Tomcat):
<Server port="8005" shutdown="SHUTDOWN">
  <Listener className="org.apache.catalina.startup.VersionLoggerListener" />
  <Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" />
  <Listener className="org.apache.catalina.core.JreMemoryLeakPreventionListener" />
  <Listener className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener" />
  <Listener className="org.apache.catalina.core.ThreadLocalLeakPreventionListener" />
  <GlobalNamingResources>
    <Resource name="UserDatabase" auth="Container"
              type="org.apache.catalina.UserDatabase"
              description="User database that can be updated and saved"
              factory="org.apache.catalina.users.MemoryUserDatabaseFactory"
              pathname="conf/tomcat-users.xml" />
  </GlobalNamingResources>
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1"
               connectionTimeout="20000"
               redirectPort="8443" />
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               maxThreads="150" SSLEnabled="true">
      <SSLHostConfig protocols="TLSv1.2,TLSv1.3">
        <Certificate certificateKeyFile="/etc/letsencrypt/live/yourdomain.com/privkey.pem"
                     certificateFile="/etc/letsencrypt/live/yourdomain.com/cert.pem"
                     certificateChainFile="/etc/letsencrypt/live/yourdomain.com/chain.pem"
                     type="RSA" />
      </SSLHostConfig>
    </Connector>
    <Engine name="Catalina" defaultHost="localhost">
      <Realm className="org.apache.catalina.realm.LockOutRealm">
        <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
               resourceName="UserDatabase" />
      </Realm>
      <Host name="localhost" appBase="webapps"
            unpackWARs="true" autoDeploy="true">
        <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"
               prefix="localhost_access_log" suffix=".txt"
               pattern="%h %l %u %t &quot;%r&quot; %s %b" />
      </Host>
    </Engine>
  </Service>
</Server>
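Before restarting, it is worth checking the edited file mechanically, because Tomcat only reports a Certificate element it cannot load at startup, in the logs. The script below is an added example written for this guide (it is not part of Tomcat or of the original text) and uses only the Python standard library: it parses a server.xml, finds every SSLEnabled connector and flags the mistakes that are easy to make here: a PEM file given as certificateKeystoreFile, keystore attributes mixed with PEM attributes, two Certificate elements of the same type in one SSLHostConfig, no key material at all, and a protocols list that still admits SSLv3, TLS 1.0 or TLS 1.1. The two embedded configurations are constructed inputs (domain example.org) so the script runs offline; pass a path to lint a real file.

```python
"""Lint the TLS connector(s) of a Tomcat 8.5+/9/10 server.xml (added example, stdlib only)."""
import sys
import xml.etree.ElementTree as ET

PEM_SUFFIXES = (".pem", ".crt", ".key", ".cer")
KEYSTORE_ATTRS = ("certificateKeystoreFile", "certificateKeystorePassword",
                  "certificateKeyAlias", "certificateKeystoreType")
PEM_ATTRS = ("certificateKeyFile", "certificateFile", "certificateChainFile")
WEAK_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}


def _protocol_tokens(value):
    """Split Tomcat's protocols attribute ("TLSv1.2,TLSv1.3" or "+TLSv1.2+TLSv1.3").
    A "-" prefix removes a protocol, so such tokens are ignored."""
    tokens = [t.strip() for t in value.replace("+", ",").split(",")]
    return [t for t in tokens if t and not t.startswith("-")]


def _check_certificate(port, cert, findings):
    """Flag a Certificate element that Tomcat cannot load as written."""
    ks_attrs = [a for a in KEYSTORE_ATTRS if a in cert.attrib]
    pem_attrs = [a for a in PEM_ATTRS if a in cert.attrib]
    if ks_attrs and pem_attrs:
        findings.append(f"port {port}: Certificate mixes keystore attributes {ks_attrs} "
                        f"with PEM attributes {pem_attrs}; use one style")
    elif ks_attrs:
        ks_file = cert.get("certificateKeystoreFile", "")
        if ks_file.lower().endswith(PEM_SUFFIXES):
            findings.append(f"port {port}: certificateKeystoreFile={ks_file!r} is a PEM file, "
                            "not a JKS/PKCS12 keystore; use certificateKeyFile/certificateFile")
    elif pem_attrs:
        for required in ("certificateKeyFile", "certificateFile"):
            if required not in cert.attrib:
                findings.append(f"port {port}: PEM-style Certificate lacks {required}")
    else:
        findings.append(f"port {port}: Certificate element has no key material")


def lint_server_xml(xml_text):
    """Return a list of findings; an empty list means nothing was flagged."""
    findings = []
    root = ET.fromstring(xml_text)
    tls_connectors = [c for c in root.iter("Connector")
                      if c.get("SSLEnabled", "false").lower() == "true"]
    if not tls_connectors:
        findings.append("no SSLEnabled connector found")
    for conn in tls_connectors:
        port = conn.get("port", "?")
        host_configs = conn.findall("SSLHostConfig")
        if not host_configs:
            findings.append(f"port {port}: SSLEnabled connector has no SSLHostConfig")
        for shc in host_configs:
            # "all" is deliberately not expanded: what it covers depends on the
            # Tomcat release, which is the reason for pinning the list explicitly.
            protocols = shc.get("protocols", "all")
            weak = sorted(WEAK_PROTOCOLS.intersection(_protocol_tokens(protocols)))
            if weak:
                findings.append(f"port {port}: protocols={protocols!r} enables {', '.join(weak)}")
            types_seen = []
            for cert in shc.findall("Certificate"):
                _check_certificate(port, cert, findings)
                types_seen.append(cert.get("type", "UNDEFINED"))
            if not types_seen:
                findings.append(f"port {port}: SSLHostConfig has no Certificate element")
            for t in sorted(set(types_seen)):
                if types_seen.count(t) > 1:
                    findings.append(f"port {port}: {types_seen.count(t)} Certificate elements of "
                                    f"type {t}; Tomcat allows one per type per SSLHostConfig")
    return findings


# Constructed inputs (domain example.org): a connector that passes a PEM file as a
# keystore, mixes attribute styles and repeats a type, and the corrected connector.
WEAK_XML = """<Server port="8005" shutdown="SHUTDOWN"><Service name="Catalina">
  <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol" SSLEnabled="true">
    <SSLHostConfig protocols="TLSv1,TLSv1.1,TLSv1.2">
      <Certificate certificateKeystoreFile="/etc/letsencrypt/live/example.org/fullchain.pem" type="RSA"/>
      <Certificate certificateKeystorePassword="changeit" certificateKeyAlias="tomcat"
                   certificateKeyFile="/etc/letsencrypt/live/example.org/privkey.pem" type="RSA"/>
    </SSLHostConfig>
  </Connector>
</Service></Server>"""

FIXED_XML = """<Server port="8005" shutdown="SHUTDOWN"><Service name="Catalina">
  <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol" SSLEnabled="true">
    <SSLHostConfig protocols="TLSv1.2,TLSv1.3">
      <Certificate certificateKeyFile="/etc/letsencrypt/live/example.org/privkey.pem"
                   certificateFile="/etc/letsencrypt/live/example.org/cert.pem"
                   certificateChainFile="/etc/letsencrypt/live/example.org/chain.pem" type="RSA"/>
    </SSLHostConfig>
  </Connector>
</Service></Server>"""

if __name__ == "__main__":
    # Lint the file named on the command line, or the constructed inputs.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            sources = {sys.argv[1]: fh.read()}
    else:
        sources = {"WEAK_XML": WEAK_XML, "FIXED_XML": FIXED_XML}
    total = 0
    for label, text in sources.items():
        problems = lint_server_xml(text)
        total += len(problems)
        print(label + ":", "\n  ".join([""] + problems) if problems else "no findings")
    sys.exit(1 if total else 0)
```

Save it under a name of your choice (lint_tomcat_tls.py, say) and run python3 lint_tomcat_tls.py /etc/tomcat9/server.xml; it exits non-zero when it flags something, so it can also sit in a deployment pipeline.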
Finally, restart Tomcat to apply the change (the service is tomcat10 on Debian 12):
sudo systemctl restart tomcat9
Check that the connector actually came up before relying on the browser test; a permission problem on privkey.pem shows up here, not in the browser:
sudo journalctl -u tomcat9 -n 50
sudo ss -ltnp | grep 8443
Then open https://yourdomain.com:8443 in a browser: you should see Tomcat's default page (or your deployed application) with the padlock in the address bar. From the command line you can also inspect the certificate the server presents:
openssl s_client -connect yourdomain.com:8443 -servername yourdomain.com </dev/null 2>/dev/null | openssl x509 -noout -subject -issuer -dates
Note that the plain HTTP connector on port 8080 is still open. If everything should go over TLS, firewall it or add a security-constraint with transport-guarantee CONFIDENTIAL to the web application's web.xml, which makes Tomcat redirect such requests to the port given in redirectPort.
With these steps Tomcat on Debian serves HTTPS with a Let's Encrypt certificate. One remaining caveat: Let's Encrypt certificates are valid for 90 days and the certbot package installs a systemd timer that renews them automatically, but Tomcat reads the key and certificate only at startup, so a renewed certificate is not served until Tomcat is restarted. Register a deploy hook (Certbot's --deploy-hook option, or an executable script in /etc/letsencrypt/renewal-hooks/deploy/) that restarts the service after each successful renewal.
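One way to do that, as an added example that is not part of the original guide or of Certbot: the Python script below is meant to be installed as a deploy hook. It copies privkey.pem, cert.pem and chain.pem out of the renewed lineage into a directory Tomcat can read (copying contents rather than symlinks, because the live/ entries point into the root-only archive/ directory), sets group ownership and modes so that only root and the tomcat group can read the key, swaps the files into place atomically, and restarts the service. The destination directory /etc/tomcat9/ssl, the group name tomcat and the service name tomcat9 are assumptions to adjust, and the Certificate element in server.xml must then point at the destination directory instead of /etc/letsencrypt. Its selftest() builds a constructed Certbot-style layout (archive/ plus symlinks in live/) in a temporary directory so the staging logic can be exercised without real keys or root.

```python
"""Certbot deploy hook: stage Let's Encrypt files for Tomcat, then restart it.

Added example. Assumed (not from the guide): Tomcat runs as user/group "tomcat",
the Certificate element in server.xml points at DEST_DIR, and this script is
installed executable in /etc/letsencrypt/renewal-hooks/deploy/. Certbot passes
the renewed lineage directory in the RENEWED_LINEAGE environment variable.
"""
import grp
import os
import shutil
import stat
import subprocess
import sys
import tempfile

DEST_DIR = "/etc/tomcat9/ssl"   # assumed; must match the paths in server.xml
TOMCAT_GROUP = "tomcat"         # assumed group of the Tomcat service user
SERVICE = "tomcat9"             # tomcat10 on Debian 12

# The private key must not be world-readable; certificate and chain are public.
FILES = {"privkey.pem": 0o640, "cert.pem": 0o644, "chain.pem": 0o644}


def stage_certs(lineage_dir, dest_dir, group=None):
    """Copy privkey/cert/chain from a Certbot lineage into dest_dir.

    File contents are copied, not the symlinks: /etc/letsencrypt/live/<name>/*.pem
    point into /etc/letsencrypt/archive, which is root-only (mode 0700) and thus
    unreachable for the tomcat user even if the symlink itself were readable.
    Each file is written under a temporary name and renamed into place so Tomcat
    can never observe a truncated key. Returns the destination paths.
    """
    missing = [n for n in FILES if not os.path.isfile(os.path.join(lineage_dir, n))]
    if missing:
        raise FileNotFoundError(f"{lineage_dir}: missing {', '.join(missing)}")
    os.makedirs(dest_dir, mode=0o750, exist_ok=True)
    os.chmod(dest_dir, 0o750)                   # explicit, independent of umask
    gid = grp.getgrnam(group).gr_gid if group else -1
    if gid != -1:
        os.chown(dest_dir, -1, gid)             # tomcat must be able to enter the directory
    written = []
    for name, mode in FILES.items():
        dst = os.path.join(dest_dir, name)
        tmp = dst + ".tmp"
        shutil.copyfile(os.path.join(lineage_dir, name), tmp)   # follows the symlink
        os.chmod(tmp, mode)
        if gid != -1:
            os.chown(tmp, -1, gid)              # keep owner root, give the group read access
        os.replace(tmp, dst)                    # atomic swap
        written.append(dst)
    return written


def file_mode(path):
    """Permission bits of path as an int, e.g. 0o640."""
    return stat.S_IMODE(os.stat(path).st_mode)


def selftest():
    """Stage a constructed Certbot-style layout from a temp dir and return
    {file name: mode} of the result. No real keys are involved."""
    base = tempfile.mkdtemp(prefix="tomcat-hook-")
    archive = os.path.join(base, "archive", "example.org")
    live = os.path.join(base, "live", "example.org")
    os.makedirs(archive)
    os.makedirs(live)
    for name in FILES:
        real = os.path.join(archive, name.replace(".pem", "1.pem"))  # privkey1.pem etc.
        with open(real, "w", encoding="utf-8") as fh:
            fh.write(f"constructed placeholder for {name}\n")
        os.symlink(os.path.relpath(real, live), os.path.join(live, name))
    os.chmod(archive, 0o700)
    result = {os.path.basename(p): file_mode(p)
              for p in stage_certs(live, os.path.join(base, "tomcat-ssl"))}
    shutil.rmtree(base)
    return result


def main():
    lineage = os.environ.get("RENEWED_LINEAGE")
    if not lineage:
        sys.exit("RENEWED_LINEAGE is not set; run this as a Certbot deploy hook")
    for path in stage_certs(lineage, DEST_DIR, TOMCAT_GROUP):
        print("staged", path)
    # Tomcat loads key and certificate at startup only, so restart to serve the new one.
    subprocess.run(["systemctl", "restart", SERVICE], check=True)


if __name__ == "__main__":
    main()
```

Install it root-owned and executable in /etc/letsencrypt/renewal-hooks/deploy/, then trigger it once by hand (sudo RENEWED_LINEAGE=/etc/letsencrypt/live/yourdomain.com /etc/letsencrypt/renewal-hooks/deploy/your-script.py) and check the staged files and the Tomcat log before relying on automatic renewal.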