
After configuring an SSL certificate in Tomcat 7, the browser shows "connection reset"

After running netstat -ntlp, both port 8080 and port 443 are listening. Port 8080 can be accessed normally, but port 443 gives "This site can't be reached. The connection was reset. ERR_CONNECTION_RESET". The certificate was purchased from Alibaba Cloud; the download contains two files, one .pfx file and one with the password. The server.xml file is as follows:

<?xml version='1.0' encoding='utf-8'?>
<!--
  Licensed to the Apache Software Foundation (ASF) under one or more
  contributor license agreements.  See the NOTICE file distributed with
  this work for additional information regarding copyright ownership.
  The ASF licenses this file to You under the Apache License, Version 2.0
  (the "License"); you may not use this file except in compliance with
  the License.  You may obtain a copy of the License at

      http://www.apache.org/licenses/LICENSE-2.0

  Unless required by applicable law or agreed to in writing, software
  distributed under the License is distributed on an "AS IS" BASIS,
  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  See the License for the specific language governing permissions and
  limitations under the License.
-->
<!-- Note:  A "Server" is not itself a "Container", so you may not
     define subcomponents such as "Valves" at this level.
     Documentation at /docs/config/server.html
 -->
<Server port="8005" shutdown="SHUTDOWN">
  <Listener className="org.apache.catalina.startup.VersionLoggerListener" />
  <!-- Security listener. Documentation at /docs/config/listeners.html
  <Listener className="org.apache.catalina.security.SecurityListener" />
  -->
  <!--APR library loader. Documentation at /docs/apr.html -->
  <Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" />
  <!--Initialize Jasper prior to webapps are loaded. Documentation at /docs/jasper-howto.html -->
  <Listener className="org.apache.catalina.core.JasperListener" />
  <!-- Prevent memory leaks due to use of particular java/javax APIs-->
  <Listener className="org.apache.catalina.core.JreMemoryLeakPreventionListener" />
  <Listener className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener" />
  <Listener className="org.apache.catalina.core.ThreadLocalLeakPreventionListener" />

  <!-- Global JNDI resources
       Documentation at /docs/jndi-resources-howto.html
  -->
  <GlobalNamingResources>
    <!-- Editable user database that can also be used by
         UserDatabaseRealm to authenticate users
    -->
    <Resource name="UserDatabase" auth="Container"
              type="org.apache.catalina.UserDatabase"
              description="User database that can be updated and saved"
              factory="org.apache.catalina.users.MemoryUserDatabaseFactory"
              pathname="conf/tomcat-users.xml" />
  </GlobalNamingResources>

  <!-- A "Service" is a collection of one or more "Connectors" that share
       a single "Container" Note:  A "Service" is not itself a "Container",
       so you may not define subcomponents such as "Valves" at this level.
       Documentation at /docs/config/service.html
   -->
  <Service name="Catalina">

    <!--The connectors can use a shared executor, you can define one or more named thread pools-->
    <!--
    <Executor name="tomcatThreadPool" namePrefix="catalina-exec-"
        maxThreads="150" minSpareThreads="4"/>
    -->


    <!-- A "Connector" represents an endpoint by which requests are received
         and responses are returned. Documentation at :
         Java HTTP Connector: /docs/config/http.html (blocking & non-blocking)
         Java AJP  Connector: /docs/config/ajp.html
         APR (HTTP/AJP) Connector: /docs/apr.html
         Define a non-SSL HTTP/1.1 Connector on port 8080
    -->
    <Connector port="8080" protocol="HTTP/1.1"
               connectionTimeout="20000"
               redirectPort="8443" />
    <!-- A "Connector" using the shared thread pool-->
    <!--
    <Connector executor="tomcatThreadPool"
               port="8080" protocol="HTTP/1.1"
               connectionTimeout="20000"
               redirectPort="8443" />
    -->
    <!-- Define a SSL HTTP/1.1 Connector on port 8443
         This connector uses the BIO implementation that requires the JSSE
         style configuration. When using the APR/native implementation, the
         OpenSSL style configuration is required as described in the APR/native
         documentation -->

    <Connector port="443" protocol="org.apache.coyote.http11.Http11Protocol"
               maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
               keystoreFile="/home/tomcat/apache-tomcat-7.0.94/cert/2095350_www.rumination.tech.pfx" keystoreType="PKCS12" keystorePass="hWD5bIfg" clientAuth="false" sslProtocol="TLS" />


    <!-- Define an AJP 1.3 Connector on port 8009 -->
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />


    <!-- An Engine represents the entry point (within Catalina) that processes
         every request.  The Engine implementation for Tomcat stand alone
         analyzes the HTTP headers included with the request, and passes them
         on to the appropriate Host (virtual host).
         Documentation at /docs/config/engine.html -->

    <!-- You should set jvmRoute to support load-balancing via AJP ie :
    <Engine name="Catalina" defaultHost="localhost" jvmRoute="jvm1">
    -->
    <Engine name="Catalina" defaultHost="localhost">

      <!--For clustering, please take a look at documentation at:
          /docs/cluster-howto.html  (simple how to)
          /docs/config/cluster.html (reference documentation) -->
      <!--
      <Cluster className="org.apache.catalina.ha.tcp.SimpleTcpCluster"/>
      -->

      <!-- Use the LockOutRealm to prevent attempts to guess user passwords
           via a brute-force attack -->
      <Realm className="org.apache.catalina.realm.LockOutRealm">
        <!-- This Realm uses the UserDatabase configured in the global JNDI
             resources under the key "UserDatabase".  Any edits
             that are performed against this UserDatabase are immediately
             available for use by the Realm.  -->
        <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
               resourceName="UserDatabase"/>
      </Realm>

      <Host name="localhost"  appBase="webapps"
            unpackWARs="true" autoDeploy="true">

        <!-- SingleSignOn valve, share authentication between web applications
             Documentation at: /docs/config/valve.html -->
        <!--
        <Valve className="org.apache.catalina.authenticator.SingleSignOn" />
        -->

        <!-- Access log processes all example.
             Documentation at: /docs/config/valve.html
             Note: The pattern used is equivalent to using pattern="common" -->
        <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"
               prefix="localhost_access_log." suffix=".txt"
               pattern="%h %l %u %t &quot;%r&quot; %s %b" />

      </Host>
    </Engine>
  </Service>
</Server>

I ran into the same problem and saw it on CSDN as well. I hope the Alibaba Cloud team can give a correct, standard answer ~ please take a look.

西门小刚刚9630297551 2020-05-23 21:10:57 3498
Alibaba Cloud AI Assistant answer

According to your description, when checking ports with netstat -ntlp you found that both 8080 and 443 are in the listening state, but port 443 cannot be accessed and reports "The connection was reset ERR_CONNECTION_RESET". This usually means that although the service is listening on port 443, for some reason (such as a configuration error, a firewall restriction or an SSL certificate problem) external requests cannot establish a connection successfully.

Given that you mentioned having purchased an SSL certificate from Alibaba Cloud and having two files, a .pfx file and a password, here are some troubleshooting and resolution steps:

  1. Confirm the HTTPS configuration: make sure your server software (Apache, Nginx, Tomcat, etc.) has the SSL certificate configured correctly. Taking Tomcat as an example, you need to convert the .pfx file to JKS or PKCS12 format (if Tomcat does not support .pfx directly), and then specify the correct SSL certificate path and password in server.xml. For other web servers, configure them according to their respective documentation.

  2. Certificate import and configuration

    • If you have not yet imported the .pfx certificate into the server, you may first need to convert and import it. For Tomcat, the following command converts the .pfx to JKS format (assuming Java is installed):
      keytool -importkeystore -srckeystore your_certificate.pfx -srcstoretype pkcs12 -destkeystore your_certificate.jks -deststoretype JKS

      When running this command you will be asked for the source keystore password (the .pfx password) and the destination keystore password.

    • Then, in Tomcat's server.xml, make sure the SSL connector configuration points to the newly generated JKS file, for example:
      <Connector port="443" protocol="HTTP/1.1"
             maxThreads="150" scheme="https" secure="true" SSLEnabled="true"
             keystoreFile="/home/admin/.keystore" keystorePass="your_keystore_password"
             clientAuth="false" sslProtocol="TLS"/>

      Note: replace keystoreFile and keystorePass with the actual path and password.

  3. Check the firewall settings: confirm that the server's firewall is not blocking inbound connections on port 443. On Linux, rules can be viewed and modified with ufw or iptables.

  4. SSL/TLS protocols and cipher suites: check whether your SSL/TLS configuration meets current security standards. Some old or insecure protocols and suites may be rejected by browsers, causing the connection to fail.

  5. Domain binding and DNS resolution: make sure your domain resolves correctly to the server's IP address, and that the correct domain is bound in the web server configuration.

  6. Restart the service: after completing all configuration changes, remember to restart your web server service so that the changes take effect.

If all of the above steps check out but the problem persists, it is recommended to examine the server logs (such as the Tomcat logs, system logs and network logs); these may contain more detailed error information that helps to locate the problem further.
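The answer above walks through the checklist by hand. The script below, added here as an example and not code from the poster, the AI answer or the Tomcat project, does the static part of that checklist against a server.xml and classifies what a TLS client actually sees on the port (reset, as in the question, versus refused, timeout, certificate-trust failure or a handshake error), so the symptom can be separated from the cause. The sample server.xml, the /opt/tomcat paths and the PLACEHOLDER password are constructed for the example and mirror the question's layout: an AprLifecycleListener with SSLEngine="on", a JSSE (BIO) connector on 443, and a second connector written the way the answer's template writes it, with protocol="HTTP/1.1". The rule it applies, that protocol="HTTP/1.1" is switched to the APR/native connector when the native library is loaded and that this connector takes the OpenSSL-style SSLCertificateFile attributes rather than keystoreFile, is the one stated in the comment above the SSL connector in the question's own server.xml.

```python
"""Static audit of Tomcat 7 TLS connectors plus a TLS reachability probe.

Added example for this thread; not code from the poster, the answer or Tomcat.
"""
import socket
import ssl
import sys
import xml.etree.ElementTree as ET

# Constructed sample mirroring the question's layout. Paths and the password
# are placeholders, not the poster's real values.
SAMPLE_SERVER_XML = """<?xml version='1.0' encoding='utf-8'?>
<Server port="8005" shutdown="SHUTDOWN">
  <Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" />
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443" />
    <Connector port="443" protocol="org.apache.coyote.http11.Http11Protocol"
               maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
               keystoreFile="/opt/tomcat/cert/example.pfx" keystoreType="PKCS12"
               keystorePass="PLACEHOLDER" clientAuth="false" sslProtocol="TLS" />
    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
               keystoreFile="/opt/tomcat/cert/example.jks" keystorePass="PLACEHOLDER" />
  </Service>
</Server>
"""

APR_LISTENER = "org.apache.catalina.core.AprLifecycleListener"
APR_PROTOCOL = "org.apache.coyote.http11.Http11AprProtocol"
JSSE_PROTOCOLS = {"org.apache.coyote.http11.Http11Protocol",     # BIO
                  "org.apache.coyote.http11.Http11NioProtocol"}  # NIO


def audit_tls_connectors(xml_text):
    """Return [(port, finding), ...] for every SSLEnabled="true" connector.

    A connector with nothing to report yields a single (port, "ok") entry.
    """
    root = ET.fromstring(xml_text)
    apr_on = any(l.get("className") == APR_LISTENER
                 and l.get("SSLEngine", "off").lower() == "on"
                 for l in root.iter("Listener"))
    findings = []
    for c in root.iter("Connector"):
        if c.get("SSLEnabled", "false").lower() != "true":
            continue
        port = c.get("port", "?")
        proto = c.get("protocol", "HTTP/1.1")
        ks_file = c.get("keystoreFile")
        ks_type = c.get("keystoreType", "JKS")
        found = []
        # protocol="HTTP/1.1" is auto-switched to the APR connector when the
        # native library is loaded; that connector wants SSLCertificateFile /
        # SSLCertificateKeyFile and silently ignores the JSSE keystore attributes.
        uses_apr = proto == APR_PROTOCOL or (proto == "HTTP/1.1" and apr_on)
        if uses_apr and ks_file and not c.get("SSLCertificateFile"):
            found.append("APR/native connector selected (protocol=%s, AprLifecycleListener "
                         "SSLEngine=on): keystoreFile is ignored; use SSLCertificateFile/"
                         "SSLCertificateKeyFile or pin protocol to a JSSE class" % proto)
        if proto in JSSE_PROTOCOLS or (proto == "HTTP/1.1" and not apr_on):
            if not ks_file:
                found.append("no keystoreFile: JSSE falls back to ~/.keystore of the Tomcat user")
            elif ks_file.lower().endswith((".pfx", ".p12")) and ks_type.upper() != "PKCS12":
                found.append('keystoreFile looks like PKCS12 but keystoreType=%s; '
                             'set keystoreType="PKCS12"' % ks_type)
            if not c.get("keystorePass"):
                found.append("no keystorePass: Tomcat will try the JSSE default 'changeit'")
        if c.get("scheme") != "https" or c.get("secure", "false").lower() != "true":
            found.append('scheme="https" secure="true" missing: request.isSecure() '
                         'and redirects misreport the scheme')
        if not found:
            found.append("ok")
        findings.extend((port, f) for f in found)
    return findings


def probe_tls(host, port, timeout=5.0):
    """Classify what a TLS client sees on host:port, i.e. the browser's view."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return "ok:" + (tls.version() or "?")
    except ConnectionRefusedError:
        return "refused"             # nothing bound, or firewall REJECT
    except ConnectionResetError:
        return "reset"               # what Chrome reports as ERR_CONNECTION_RESET
    except ssl.SSLCertVerificationError:
        return "cert-verify-failed"  # TCP and TLS work; chain/hostname not trusted
    except ssl.SSLError as e:
        return "handshake-failed:%s" % (e.reason or e)
    except socket.timeout:
        return "timeout"             # usually a firewall DROP


if __name__ == "__main__":
    for port, finding in audit_tls_connectors(SAMPLE_SERVER_XML):
        print("port %s: %s" % (port, finding))
    if len(sys.argv) == 3:           # python audit.py <host> <port>
        print(probe_tls(sys.argv[1], int(sys.argv[2])))
```

Run it with a host and port to see the probe's verdict; a "reset" from the probe but "ok" from the static audit points at something between the client and Tomcat or at the keystore contents (which only catalina.out can confirm), while a finding on the connector points back at server.xml.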
