I have a Wildfly 17 server running on Ubuntu 18.04 TLS and tried to enable SSL as described in the links below:
https://docs.oracle.com/cd/E19509-01/820-3503/ggfen/index.html
How to make wildfly localhost connection automatically into https?
https://medium.com/@hasnat.saeed/setup-ssl-https-on-jboss-wildfly-application-server-fde6288a0f40
I have issued a CSR request, purchased a CA certificate based on this CSR request, and installed the purchased certificate into my keystore named heimdi.jks, which I created upon generating the CSR request in the wildfly folder /opt/wildfly/standalone/configuration.

After creating an additional security-realm and enabling the <https-listener> to use it in my standalone.xml, as described in the links above, I started my Wildfly and tried to access it via https on port 8443. In the address bar of the browser I got the message that the site is not secure. When I clicked on the certificate, the browser said: "Certificate is not valid" (see below)
In the certificate viewer of my browser I've got:
[screenshot]
and also
[screenshot]
My keystore contains three entries:
administrator@14980:/opt/wildfly/standalone/configuration$ sudo keytool -keystore heimdi.jks -list -v
Enter keystore password:
Keystore type: PKCS12
Keystore provider: SUN
Your keystore contains 3 entries
Now, the first entry is the server certificate I bought:
Alias name: server
Creation date: Jun 7, 2022
Entry type: PrivateKeyEntry
Certificate chain length: 3
Certificate[1]:
Owner: CN=heimdi.at
Issuer: CN=RapidSSL Global TLS RSA4096 SHA256 2022 CA1, O="DigiCert, Inc.", C=US
Serial number: 2cd552dea82c2a783fee69d6f160d78
Valid from: Wed Jun 01 02:00:00 CEST 2022 until: Fri Jun 02 01:59:59 CEST 2023
Certificate fingerprints:
SHA1: B9:D9:C6:E3:B9:41:0F:39:F7:63:FB:B7:5C:22:3C:39:66:E6:BA:C1
SHA256: 64:4B:9B:FB:85:C2:EC:54:C2:1C:66:65:51:A9:3C:AB:33:C9:D3:F9:20:8B:F1:77:D9:B0:0F:02:D1:86:53:97
Signature algorithm name: SHA256withRSA
Subject Public Key Algorithm: 2048-bit RSA key
Version: 3
The second one is the certificate of the intermediate authority:
Certificate[2]:
Owner: CN=RapidSSL Global TLS RSA4096 SHA256 2022 CA1, O="DigiCert, Inc.", C=US
Issuer: CN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US
Serial number: a059b25f54b3d8794cc6631477538a3
Valid from: Wed May 04 02:00:00 CEST 2022 until: Mon Nov 10 00:59:59 CET 2031
Certificate fingerprints:
SHA1: 68:F2:2B:1A:62:98:F7:DA:19:1E:61:49:ED:8D:E0:EF:FF:54:AD:8C
SHA256: 92:A5:F5:15:AD:35:D3:A2:7C:49:0E:DB:13:5D:E7:04:4B:1E:39:9D:60:8A:C1:AB:E8:83:FC:82:FB:4B:16:BE
Signature algorithm name: SHA256withRSA
Subject Public Key Algorithm: 4096-bit RSA key
Version: 3
And the last one is the root CA certificate:
Certificate[3]:
Owner: CN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US
Issuer: CN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US
Serial number: 83be056904246b1a1756ac95991c74a
Valid from: Fri Nov 10 01:00:00 CET 2006 until: Mon Nov 10 01:00:00 CET 2031
Certificate fingerprints:
SHA1: A8:98:5D:3A:65:E5:E5:C4:B2:D7:D6:6D:40:C6:DD:2F:B1:9C:54:36
SHA256: 43:48:A0:E9:44:4C:78:CB:26:5E:05:8D:5E:89:44:B4:D8:4F:96:62:BD:26:DB:25:7F:89:34:A4:43:C7:01:61
Signature algorithm name: SHA1withRSA
Subject Public Key Algorithm: 2048-bit RSA key
Version: 3
An HTTPS browser never gets your private key. Yours is showing a self-signed (dummy) certificate created on May 25, which is apparently when you did keytool -genkey[pair]. That operation creates a private key and a dummy cert which is intended to be replaced when you get a real one; it is not the private key but is stored in the PrivateKey entry, which actually contains both the private key and a certificate chain. You obtained a 'real' cert (from RapidSSL/Digicert), but did not correctly replace the dummy one. You need to do

keytool -importcert -keystore x -file y -alias z

where x is your keystore heimdi.jks, y is the file containing the server cert you got, and z is the alias of the PrivateKey entry which is server.

But before that you need to have the chain certs, plural, in your keystore. Your server cert is issued by an intermediate CA, RapidSSL Global TLS RSA4096 SHA256 2022 CA1, but the root cert you have is for DigiCert Global Root CA which you can see is different. You should have (RapidSSL/Digicert should have supplied you) a 'chain' or 'intermediate' certificate that links these by having subject (which keytool calls 'owner') equal to the former and issuer equal to the latter. Your list shows TrustedCert entries for therootca and client; the former matches the (published) Digicert root but you don't say what's in the latter and it doesn't match any publicly-logged intermediate, plus it doesn't normally make sense to have any kind of 'client' cert in an HTTPS server keystore.

If RapidSSL gave you a 'bundle' file, look at it with any text tool like cat or more or an editor; it probably contains more than one certificate, but if you used it in keytool -import[cert] that only read the first one. Split out any subsequent cert(s) and look at each individually (for example with keytool -printcert -file f) to find the intermediate, or alternatively try downloading this logged one. Import it to a different alias -- maybe themidca -- before importing the server cert to the private key alias server as above.

PS: there is no "Linux 18.04". You probably mean Ubuntu, which identifies releases with the yy.mm format, and the releases in April of even-numbered years, like 18.04, are "LTS" (Long-Term Support) -- not TLS. But even "long-term" is only free for 5 years, which expires next spring for your system.
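Added example, not part of the question or the comment above: a small Python check for the linking rule the comment describes (each certificate's issuer must equal the next certificate's owner, ending in a self-signed root), run over a constructed keytool listing that reuses the subject names from the question but omits the RapidSSL intermediate, plus a splitter for a multi-certificate PEM bundle of the kind keytool -importcert only reads the first block of. BROKEN_LISTING and SAMPLE_BUNDLE are constructed inputs.

```python
import re

# Constructed input (not from the question): the Owner/Issuer lines of a
# keytool -list -v listing in which the RapidSSL intermediate is missing, so
# the server cert is followed directly by the DigiCert root.
BROKEN_LISTING = """\
Certificate[1]:
Owner: CN=heimdi.at
Issuer: CN=RapidSSL Global TLS RSA4096 SHA256 2022 CA1, O="DigiCert, Inc.", C=US
Certificate[2]:
Owner: CN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US
Issuer: CN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US
"""

# Constructed two-certificate PEM bundle; the base64 bodies are placeholders.
SAMPLE_BUNDLE = """\
-----BEGIN CERTIFICATE-----
MIIB...serverPLACEHOLDER...
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIB...intermediatePLACEHOLDER...
-----END CERTIFICATE-----
"""

CERT_RE = re.compile(r"Certificate\[\d+\]:\s*\nOwner: (.*)\nIssuer: (.*)")
PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S)


def parse_chain(listing):
    """Return [(owner, issuer), ...] in the order keytool prints the chain."""
    return [(m.group(1).strip(), m.group(2).strip()) for m in CERT_RE.finditer(listing)]


def chain_problems(chain):
    """Apply the linking rule from the comment: each cert's issuer must equal
    the next cert's owner, and the chain must end in a self-signed root."""
    problems = []
    for i in range(len(chain) - 1):
        issuer, next_owner = chain[i][1], chain[i + 1][0]
        if issuer != next_owner:
            problems.append(f"Certificate[{i + 1}] is issued by '{issuer}' but "
                            f"Certificate[{i + 2}] is '{next_owner}': intermediate missing")
    if chain and chain[-1][0] != chain[-1][1]:
        problems.append("chain does not end in a self-signed root")
    return problems


def split_pem_bundle(text):
    """keytool -importcert reads only the first PEM block of a bundle; return
    every block so each can be inspected and imported under its own alias."""
    return PEM_RE.findall(text)
```

Each block returned by split_pem_bundle can be written to its own file and inspected with keytool -printcert -file f, as the comment suggests, before importing it under a separate alias.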