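After running netstat -ntlp, both ports 8080 and 443 are listed. 8080 can be accessed normally, but port 443 shows "This site can't be reached. The connection was reset. ERR_CONNECTION_RESET". The certificate was purchased from Alibaba Cloud; the download contained two files, a .pfx and a password file. The server.xml file is as follows: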
<?xml version='1.0' encoding='utf-8'?>
<!--
Licensed to the Apache Software Foundation (ASF) under one or more
contributor license agreements. See the NOTICE file distributed with
this work for additional information regarding copyright ownership.
The ASF licenses this file to You under the Apache License, Version 2.0
(the "License"); you may not use this file except in compliance with
the License. You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
-->
<!-- Note: A "Server" is not itself a "Container", so you may not
define subcomponents such as "Valves" at this level.
Documentation at /docs/config/server.html
-->
<Server port="8005" shutdown="SHUTDOWN">
<Listener className="org.apache.catalina.startup.VersionLoggerListener" />
<!-- Security listener. Documentation at /docs/config/listeners.html
<Listener className="org.apache.catalina.security.SecurityListener" />
-->
<!--APR library loader. Documentation at /docs/apr.html -->
<Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" />
<!--Initialize Jasper prior to webapps are loaded. Documentation at /docs/jasper-howto.html -->
<Listener className="org.apache.catalina.core.JasperListener" />
<!-- Prevent memory leaks due to use of particular java/javax APIs-->
<Listener className="org.apache.catalina.core.JreMemoryLeakPreventionListener" />
<Listener className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener" />
<Listener className="org.apache.catalina.core.ThreadLocalLeakPreventionListener" />
<!-- Global JNDI resources
Documentation at /docs/jndi-resources-howto.html
-->
<GlobalNamingResources>
<!-- Editable user database that can also be used by
UserDatabaseRealm to authenticate users
-->
<Resource name="UserDatabase" auth="Container"
type="org.apache.catalina.UserDatabase"
description="User database that can be updated and saved"
factory="org.apache.catalina.users.MemoryUserDatabaseFactory"
pathname="conf/tomcat-users.xml" />
</GlobalNamingResources>
<!-- A "Service" is a collection of one or more "Connectors" that share
a single "Container" Note: A "Service" is not itself a "Container",
so you may not define subcomponents such as "Valves" at this level.
Documentation at /docs/config/service.html
-->
<Service name="Catalina">
<!--The connectors can use a shared executor, you can define one or more named thread pools-->
<!--
<Executor name="tomcatThreadPool" namePrefix="catalina-exec-"
maxThreads="150" minSpareThreads="4"/>
-->
<!-- A "Connector" represents an endpoint by which requests are received
and responses are returned. Documentation at :
Java HTTP Connector: /docs/config/http.html (blocking & non-blocking)
Java AJP Connector: /docs/config/ajp.html
APR (HTTP/AJP) Connector: /docs/apr.html
Define a non-SSL HTTP/1.1 Connector on port 8080
-->
<Connector port="8080" protocol="HTTP/1.1"
connectionTimeout="20000"
redirectPort="8443" />
<!-- A "Connector" using the shared thread pool-->
<!--
<Connector executor="tomcatThreadPool"
port="8080" protocol="HTTP/1.1"
connectionTimeout="20000"
redirectPort="8443" />
-->
<!-- Define a SSL HTTP/1.1 Connector on port 8443
This connector uses the BIO implementation that requires the JSSE
style configuration. When using the APR/native implementation, the
OpenSSL style configuration is required as described in the APR/native
documentation -->
<Connector port="443" protocol="org.apache.coyote.http11.Http11Protocol"
maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
keystoreFile="/home/tomcat/apache-tomcat-7.0.94/cert/2095350_www.rumination.tech.pfx" keystoreType="PKCS12" keystorePass="hWD5bIfg" clientAuth="false" sslProtocol="TLS" />
<!-- Define an AJP 1.3 Connector on port 8009 -->
<Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
<!-- An Engine represents the entry point (within Catalina) that processes
every request. The Engine implementation for Tomcat stand alone
analyzes the HTTP headers included with the request, and passes them
on to the appropriate Host (virtual host).
Documentation at /docs/config/engine.html -->
<!-- You should set jvmRoute to support load-balancing via AJP ie :
<Engine name="Catalina" defaultHost="localhost" jvmRoute="jvm1">
-->
<Engine name="Catalina" defaultHost="localhost">
<!--For clustering, please take a look at documentation at:
/docs/cluster-howto.html (simple how to)
/docs/config/cluster.html (reference documentation) -->
<!--
<Cluster className="org.apache.catalina.ha.tcp.SimpleTcpCluster"/>
-->
<!-- Use the LockOutRealm to prevent attempts to guess user passwords
via a brute-force attack -->
<Realm className="org.apache.catalina.realm.LockOutRealm">
<!-- This Realm uses the UserDatabase configured in the global JNDI
resources under the key "UserDatabase". Any edits
that are performed against this UserDatabase are immediately
available for use by the Realm. -->
<Realm className="org.apache.catalina.realm.UserDatabaseRealm"
resourceName="UserDatabase"/>
</Realm>
<Host name="localhost" appBase="webapps"
unpackWARs="true" autoDeploy="true">
<!-- SingleSignOn valve, share authentication between web applications
Documentation at: /docs/config/valve.html -->
<!--
<Valve className="org.apache.catalina.authenticator.SingleSignOn" />
-->
<!-- Access log processes all example.
Documentation at: /docs/config/valve.html
Note: The pattern used is equivalent to using pattern="common" -->
<Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"
prefix="localhost_access_log." suffix=".txt"
pattern="%h %l %u %t &quot;%r&quot; %s %b" />
</Host>
</Engine>
</Service>
</Server>
I ran into the same problem and saw this on CSDN. I hope the Alibaba Cloud team can give a correct, standard answer~ Please see
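Based on your description, when you checked the ports with the netstat -ntlp command you found that ports 8080 and 443 are both in the listening state, but port 443 cannot be accessed normally and returns the error "The connection was reset. ERR_CONNECTION_RESET". This usually means that although the service is already listening on port 443, external requests cannot establish a connection for some reason (such as a configuration error, a firewall restriction, or an SSL certificate problem).
Given that you mentioned you have already purchased an SSL certificate from Alibaba Cloud and have two files, a .pfx file and a password, here are some troubleshooting and resolution steps: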
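Confirm the HTTPS configuration: Make sure your server software (such as Apache, Nginx, or Tomcat) is correctly configured with the SSL certificate. Taking Tomcat as an example, you need to convert the .pfx file to JKS or PKCS12 format (if Tomcat does not directly support .pfx), and then specify the correct SSL certificate path and password in server.xml. For other web servers, follow the corresponding documentation.
Certificate import and configuration:
keytool -importkeystore -srckeystore your_certificate.pfx -srcstoretype pkcs12 -destkeystore your_certificate.jks -deststoretype JKS
When you run this command, you will be prompted for the source keystore password (that is, the .pfx password) and the destination keystore password.
In server.xml, make sure the SSL connector configuration correctly points to the newly generated JKS file, for example:
<Connector port="443" protocol="HTTP/1.1"
maxThreads="150" scheme="https" secure="true" SSLEnabled="true"
keystoreFile="/home/admin/.keystore" keystorePass="your_keystore_password"
clientAuth="false" sslProtocol="TLS"/>
Be sure to replace keystoreFile and keystorePass with the actual path and password.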
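Check the firewall settings: Confirm that the server's firewall is not blocking inbound connections on port 443. On Linux, you can view and modify the rules with the ufw or iptables commands.
SSL/TLS protocols and cipher suites: Check whether your SSL/TLS configuration meets current security standards. Some old or insecure protocols and suites may be rejected by browsers, causing the connection to fail.
Domain binding and DNS resolution: Make sure your domain name resolves correctly to the server's IP address and that the correct domain is bound in the web server configuration.
Restart the service: After completing all configuration changes, remember to restart your web server service so that the changes take effect.
If all of the above steps check out but the problem persists, check the server logs (such as the Tomcat logs, system logs, and network logs); they may contain more detailed error information that helps pinpoint the problem.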
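An added example (not part of the original thread or of any poster's code): a Python check of the connector settings the steps above say to confirm, run against a constructed server.xml. The function name audit_connectors, the sample paths and the placeholder passwords are assumptions made for illustration.

```python
import os
import xml.etree.ElementTree as ET

# Constructed sample (placeholder paths and passwords, not the poster's values).
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443" />
    <Connector port="443" SSLEnabled="true" scheme="https" secure="true"
               keystoreFile="/nonexistent/example.pfx" keystoreType="PKCS12"
               keystorePass="placeholder" sslProtocol="TLS" />
    <Connector port="9443" SSLEnabled="true" scheme="https" secure="true"
               keystoreFile="/nonexistent/example.pfx"
               keystorePass="placeholder" sslProtocol="TLS" />
  </Service>
</Server>"""

# Keystore file extensions and the keystoreType each one needs.
EXT_TO_TYPE = {".pfx": "PKCS12", ".p12": "PKCS12", ".jks": "JKS"}

def audit_connectors(server_xml_text):
    """Return {port: [findings]} for every Connector in a server.xml string."""
    connectors = list(ET.fromstring(server_xml_text).iter("Connector"))
    tls_ports = {c.get("port") for c in connectors
                 if c.get("SSLEnabled", "false").lower() == "true"}
    report = {}
    for conn in connectors:
        findings = []
        if conn.get("port") in tls_ports:
            path = conn.get("keystoreFile", "")
            # Tomcat's JSSE connectors assume JKS when keystoreType is omitted.
            ks_type = conn.get("keystoreType", "JKS").upper()
            expected = EXT_TO_TYPE.get(os.path.splitext(path)[1].lower())
            if not path:
                findings.append("no keystoreFile set")
            elif not os.access(path, os.R_OK):
                findings.append("keystore not readable by this user")
            if expected and expected != ks_type:
                findings.append("keystoreType %s but file looks like %s" % (ks_type, expected))
            if not conn.get("keystorePass"):
                findings.append("no keystorePass set")
        else:
            # redirectPort is where plain HTTP/AJP requests go when TLS is required.
            redirect = conn.get("redirectPort")
            if redirect and redirect not in tls_ports:
                findings.append("redirectPort %s has no TLS connector" % redirect)
        report[conn.get("port")] = findings
    return report

if __name__ == "__main__":
    for port, findings in audit_connectors(SAMPLE_SERVER_XML).items():
        print(port, findings or "ok")
```

Run it as the account Tomcat runs under, since the readability check uses the current user's permissions.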