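This document describes how to install an SSL certificate on a Jetty server.

Note:
cloud.tencent.com is used as the example throughout this document.
jetty-distribution-9.4.28.v20200408 is used as the example Jetty distribution.

Attention:
In this example, Jetty is located under the /usr/local/jetty directory.

Save the cloud.tencent.com certificate file package to a local directory.

After decompressing the package, you get certificate files of the relevant types. They include a Tomcat folder and a CSR file:
cloud.tencent.com.jks: the keystore
keystorePass.txt: the password file (if you have set a private key password, there is no keystorePass.txt password file)
cloud.tencent.com.csr: the CSR file

File description:
The CSR file is uploaded by you or generated online by the system when you apply for the certificate, and is provided to the CA. You can ignore this file during installation.

In the /usr/local/jetty/jetty-distribution-9.4.28.v20200408/etc directory, run the command mkdir cert to create the cert folder.

Copy the cloud.tencent.com.jks keystore file from the local directory to the cert folder.

Edit the jetty-ssl-context.xml file in the /usr/local/jetty/jetty-distribution-9.4.28.v20200408/etc directory, as shown below: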
<?xml version="1.0"?>
<!DOCTYPE Configure PUBLIC "-//Jetty//Configure//EN" "http://www.eclipse.org/jetty/configure_9_3.dtd">

<!-- ============================================================= -->
<!-- SSL ContextFactory configuration -->
<!-- ============================================================= -->

<!-- To configure Includes / Excludes for Cipher Suites or Protocols see tweak-ssl.xml example at https://www.eclipse.org/jetty/documentation/current/configuring-ssl.html#configuring-sslcontextfactory-cipherSuites -->
<Configure id="sslContextFactory" class="org.eclipse.jetty.util.ssl.SslContextFactory$Server">
  <Set name="Provider"><Property name="jetty.sslContext.provider"/></Set>
  <Set name="KeyStorePath"><Property name="jetty.base" default="." />/<Property name="jetty.sslContext.keyStorePath" deprecated="jetty.keystore" default="etc/cert/cloud.tencent.com.jks"/></Set>
  <Set name="KeyStorePassword"><Property name="jetty.sslContext.keyStorePassword" deprecated="jetty.keystore.password" default="4d5jtdq238j1l"/></Set>
  <Set name="KeyStoreType"><Property name="jetty.sslContext.keyStoreType" default="JKS"/></Set>
  <Set name="KeyStoreProvider"><Property name="jetty.sslContext.keyStoreProvider"/></Set>
  <Set name="KeyManagerPassword"><Property name="jetty.sslContext.keyManagerPassword" deprecated="jetty.keymanager.password" default="4d5jtdq238j1l"/></Set>
  <Set name="TrustStorePath"><Property name="jetty.base" default="." />/<Property name="jetty.sslContext.trustStorePath" deprecated="jetty.truststore" default="etc/cert/cloud.tencent.com.jks"/></Set>
  <Set name="TrustStorePassword"><Property name="jetty.sslContext.trustStorePassword" deprecated="jetty.truststore.password"/></Set>
  <Set name="TrustStoreType"><Property name="jetty.sslContext.trustStoreType"/></Set>
  <Set name="TrustStoreProvider"><Property name="jetty.sslContext.trustStoreProvider"/></Set>
  <Set name="EndpointIdentificationAlgorithm"><Property name="jetty.sslContext.endpointIdentificationAlgorithm"/></Set>
  <Set name="NeedClientAuth"><Property name="jetty.sslContext.needClientAuth" deprecated="jetty.ssl.needClientAuth" default="false"/></Set>
  <Set name="WantClientAuth"><Property name="jetty.sslContext.wantClientAuth" deprecated="jetty.ssl.wantClientAuth" default="false"/></Set>
  <Set name="useCipherSuitesOrder"><Property name="jetty.sslContext.useCipherSuitesOrder" default="true"/></Set>
  <Set name="sslSessionCacheSize"><Property name="jetty.sslContext.sslSessionCacheSize" default="-1"/></Set>
  <Set name="sslSessionTimeout"><Property name="jetty.sslContext.sslSessionTimeout" default="-1"/></Set>
  <Set name="RenegotiationAllowed"><Property name="jetty.sslContext.renegotiationAllowed" default="true"/></Set>
  <Set name="RenegotiationLimit"><Property name="jetty.sslContext.renegotiationLimit" default="5"/></Set>
  <Set name="SniRequired"><Property name="jetty.sslContext.sniRequired" default="false"/></Set>

  <!-- Example of how to configure a PKIX Certificate Path revocation Checker
  <Call id="pkixPreferCrls" class="java.security.cert.PKIXRevocationChecker$Option" name="valueOf"><Arg>PREFER_CRLS</Arg></Call>
  <Call id="pkixSoftFail" class="java.security.cert.PKIXRevocationChecker$Option" name="valueOf"><Arg>SOFT_FAIL</Arg></Call>
  <Call id="pkixNoFallback" class="java.security.cert.PKIXRevocationChecker$Option" name="valueOf"><Arg>NO_FALLBACK</Arg></Call>
  <Call class="java.security.cert.CertPathBuilder" name="getInstance">
    <Arg>PKIX</Arg>
    <Call id="pkixRevocationChecker" name="getRevocationChecker">
      <Call name="setOptions">
        <Arg>
          <Call class="java.util.EnumSet" name="of">
            <Arg><Ref refid="pkixPreferCrls"/></Arg>
            <Arg><Ref refid="pkixSoftFail"/></Arg>
            <Arg><Ref refid="pkixNoFallback"/></Arg>
          </Call>
        </Arg>
      </Call>
    </Call>
  </Call>
  <Set name="PkixCertPathChecker"><Ref refid="pkixRevocationChecker"/></Set>
  -->
</Configure>
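
The configuration above embeds the keystore password as a cleartext default attribute, points the trust store at the same JKS file as the keystore, and leaves TLS renegotiation allowed. The following Python check is an added example, not part of the original document or of Jetty: it parses a jetty-ssl-context.xml and reports those three settings. The function names and the trimmed sample XML with a placeholder password are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample: trimmed from the settings shown above; the password is a placeholder.
SAMPLE = """<?xml version="1.0"?>
<!DOCTYPE Configure PUBLIC "-//Jetty//Configure//EN" "http://www.eclipse.org/jetty/configure_9_3.dtd">
<Configure id="sslContextFactory" class="org.eclipse.jetty.util.ssl.SslContextFactory$Server">
  <Set name="KeyStorePath"><Property name="jetty.base" default="."/>/<Property name="jetty.sslContext.keyStorePath" default="etc/cert/cloud.tencent.com.jks"/></Set>
  <Set name="KeyStorePassword"><Property name="jetty.sslContext.keyStorePassword" default="example-password"/></Set>
  <Set name="KeyManagerPassword"><Property name="jetty.sslContext.keyManagerPassword" default="example-password"/></Set>
  <Set name="TrustStorePath"><Property name="jetty.base" default="."/>/<Property name="jetty.sslContext.trustStorePath" default="etc/cert/cloud.tencent.com.jks"/></Set>
  <Set name="TrustStorePassword"><Property name="jetty.sslContext.trustStorePassword"/></Set>
  <Set name="RenegotiationAllowed"><Property name="jetty.sslContext.renegotiationAllowed" default="true"/></Set>
</Configure>"""

PASSWORD_SETTINGS = ("KeyStorePassword", "KeyManagerPassword", "TrustStorePassword")


def setting_defaults(xml_text):
    """Map each <Set name="..."> to the default= of its last <Property> child."""
    root = ET.fromstring(xml_text)  # the DOCTYPE is parsed but the DTD is not fetched
    defaults = {}
    for node in root.iter("Set"):
        props = node.findall("Property")
        defaults[node.get("name")] = props[-1].get("default") if props else None
    return defaults


def review(xml_text):
    """Return (setting, finding) pairs for the settings discussed above."""
    d = setting_defaults(xml_text)
    findings = []
    for name in PASSWORD_SETTINGS:
        value = d.get(name)
        # Jetty accepts OBF:-obfuscated passwords here; anything else is cleartext.
        if value and not value.startswith("OBF:"):
            findings.append((name, "cleartext password embedded as XML default"))
    if d.get("TrustStorePath") and d["TrustStorePath"] == d.get("KeyStorePath"):
        findings.append(("TrustStorePath", "trust store shares the private-key keystore file"))
    if (d.get("RenegotiationAllowed") or "").strip().lower() == "true":
        findings.append(("RenegotiationAllowed", "TLS renegotiation is allowed"))
    return findings


if __name__ == "__main__":
    for setting, finding in review(SAMPLE):
        print(f"{setting}: {finding}")
```

A password supplied through the jetty.sslContext.keyStorePassword property instead of the XML default is not flagged. An OBF: value is only obfuscated, so the file that holds it still needs restricted permissions.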
Edit the jetty-ssl.xml file in the /usr/local/jetty/jetty-distribution-9.4.28.v20200408/etc directory and change the port to 443, as shown below:

<Call name="addConnector">
  <Arg>
    <New id="sslConnector" class="org.eclipse.jetty.server.ServerConnector">
      <Arg name="server"><Ref refid="Server" /></Arg>
      <Arg name="acceptors" type="int"><Property name="jetty.ssl.acceptors" deprecated="ssl.acceptors" default="-1"/></Arg>
      <Arg name="selectors" type="int"><Property name="jetty.ssl.selectors" deprecated="ssl.selectors" default="-1"/></Arg>
      <Arg name="factories">
        <Array type="org.eclipse.jetty.server.ConnectionFactory">
          <!-- uncomment to support proxy protocol
          <Item>
            <New class="org.eclipse.jetty.server.ProxyConnectionFactory"/>
          </Item>-->
        </Array>
      </Arg>
      <Set name="host"><Property name="jetty.ssl.host" deprecated="jetty.host" /></Set>
      <Set name="port"><Property name="jetty.ssl.port" deprecated="ssl.port" default="443" /></Set>
      <Set name="idleTimeout"><Property name="jetty.ssl.idleTimeout" deprecated="ssl.timeout" default="30000"/></Set>
      <Set name="acceptorPriorityDelta"><Property name="jetty.ssl.acceptorPriorityDelta" deprecated="ssl.acceptorPriorityDelta" default="0"/></Set>
      <Set name="acceptQueueSize"><Property name="jetty.ssl.acceptQueueSize" deprecated="ssl.acceptQueueSize" default="0"/></Set>
      <Get name="SelectorManager">
        <Set name="connectTimeout"><Property name="jetty.ssl.connectTimeout" default="15000"/></Set>
      </Get>
    </New>
  </Arg>
</Call>

Edit the start.ini file in the /usr/local/jetty/jetty-distribution-9.4.28.v20200408 directory and add the following content:

etc/jetty-ssl.xml
etc/jetty-ssl-context.xml
etc/jetty-https.xml

Run java -jar start.jar. The site can then be accessed at https://cloud.tencent.com.

After the certificate is deployed, if accessing https://cloud.tencent.com displays the following:

Solution: copy the ROOT file from the /usr/local/jetty/jetty-distribution-9.4.28.v20200408/demo-base/webapps directory to the /usr/local/jetty/jetty-distribution-9.4.28.v20200408/webapps directory, then restart Jetty. The site can then be accessed successfully.
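Original content statement: This article is published in the Tencent Cloud Developer Community with the author's authorization and may not be reproduced without permission.
In case of infringement, contact cloudcommunity@tencent.com for removal.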