
How to use Https certificates to encrypt Web sites in Tomcat9

2025-01-19 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)06/01

This article explains in detail how to use an HTTPS certificate to encrypt a website in Tomcat9. Interested readers can use it for reference; I hope it is helpful to you.

Obtain a certificate

An HTTPS certificate adds a third-party authentication mechanism, the CA (Certificate Authority), to the transmission process to ensure the security of the transmission. Most certificates carry an issuance fee. This section introduces a free certificate provider: FreeSSL.

Official address: https://freessl.org/

The prerequisite for applying for a free SSL certificate is that you already have a domain name. Users without one can first buy a domain name from a domain name trading site such as Aliyun or Tencent Cloud. In this case, I use my existing domain name, letcafe.cn, as an example.

Here is how to get a free HTTPS certificate for a domain name:

Step 1. Enter the domain name you purchased

Step 2. Unless you have special requirements, keep the defaults, enter your e-mail address, and create the request:

Step 3. After the request is created, wait a few seconds and a DNS validation record for the domain name will be generated. You then need to go to your domain name provider's website and add this DNS record. For example, I use Aliyun, so I go to Aliyun -> console -> Domain name and website, and find the corresponding domain name to add the record to.

The DNS record looks like this:

After adding the DNS record, wait for nearly a minute, then go back to FreeSSL to verify the DNS. After you click the "Click verify" button, your CA certificate and public key will be returned.

Then click to download the certificate; you get the certificate file full_chain.pem and the private key file private.key. At this point the free certificate has been obtained, and the next step is to configure Tomcat for HTTPS.

3. Configure Tomcat

3.1 Generate the jks file

Since Tomcat does not support using the PEM file plus private key directly, you need to use OpenSSL to convert full_chain.pem + private.key to jks. First, upload full_chain.pem and private.key to any directory on the server. My directory is /root/apache-tomcat-ssl.

Then run the following command from that directory to generate a file named freeSSL.jks. If the command does not work, consider upgrading OpenSSL to the latest version:

    openssl pkcs12 -export -out /root/apache-tomcat-ssl/freeSSL.jks -in ./full_chain.pem -inkey ./private.key

While the command runs, you will be asked to enter the keystore password twice. Make sure both entries match, and remember the password. For this demonstration, the password I entered is 123456 (in a production environment, be sure to replace it with a complex password).

3.2 Configure server.xml

Edit the server.xml file in the Tomcat directory. Its path is $CATALINA_HOME/conf/server.xml, which depends on where your Tomcat is installed.

Add the following Connector to the file:

The code is attached:

In this step, keystoreFile is set to the jks file generated with OpenSSL, and keystorePass is the password entered earlier.

In addition, so that Tomcat listens on port 80 and redirects requests that require HTTPS to port 443, the default port for SSL, the original Connector in the server.xml file needs to be modified as follows:

Change port="8080" to port="80" and redirectPort="8443" to redirectPort="443"
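As an added example (not the article's own listing), the two Connector elements described in this section could look as follows in Tomcat 9. The ports, keystore path, keystoreFile and keystorePass come from the text above; the protocol, timeout and thread values, keystoreType and the password placeholder are assumptions.

```xml
<!-- Added example, not the original article's listing.
     Items marked "assumption" do not appear on the page. -->

<!-- Plain HTTP connector: the stock 8080/8443 pair changed to 80/443
     as described above. -->
<Connector port="80"
           protocol="HTTP/1.1"
           connectionTimeout="20000"
           redirectPort="443" />

<!-- HTTPS connector on the default TLS port.
     protocol and maxThreads are assumptions (common Tomcat 9 values). -->
<!-- "openssl pkcs12 -export" writes a PKCS#12 container, so the keystore
     type is declared explicitly even though the file is named .jks
     (assumption: the article does not mention keystoreType). -->
<!-- keystorePass is a placeholder: use the password entered during the
     export, and keep server.xml readable only by the Tomcat user. -->
<Connector port="443"
           protocol="org.apache.coyote.http11.Http11NioProtocol"
           maxThreads="150"
           SSLEnabled="true"
           scheme="https"
           secure="true"
           keystoreFile="/root/apache-tomcat-ssl/freeSSL.jks"
           keystoreType="PKCS12"
           keystorePass="REPLACE_WITH_KEYSTORE_PASSWORD" />
```

In Tomcat 9 the Connector-level keystoreFile, keystorePass and keystoreType attributes are deprecated aliases for certificateKeystoreFile, certificateKeystorePassword and certificateKeystoreType on a nested SSLHostConfig/Certificate element.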

Save the changes, exit, and restart Tomcat. Then visit the site from the public network at the address letcafe.cn. You will find the following:

Entering https://letcafe.cn shows the small padlock on the website.

But entering letcafe.cn loses the HTTPS encryption:

Users cannot be expected to check that they are on HTTPS every time. At this point Tomcat continues to use HTTP by default, so if you need all access under this domain name to be encrypted with HTTPS, you need to forward all HTTP access to Tomcat to HTTPS, so that whether you enter letcafe.cn or https://letcafe.cn, you are accessing the site over HTTPS (if this is not required, you do not need to take the next step).

4. Forward HTTP requests to HTTPS

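This step is very simple. Edit the $CATALINA_HOME/conf/web.xml file and add the following code to it:

    <security-constraint>
        <web-resource-collection>
            <!-- Name of the protected resource collection -->
            <web-resource-name>SSL</web-resource-name>
            <!-- Apply the constraint to every URL -->
            <url-pattern>/*</url-pattern>
        </web-resource-collection>
        <user-data-constraint>
            <!-- CONFIDENTIAL makes Tomcat redirect HTTP requests to redirectPort -->
            <transport-guarantee>CONFIDENTIAL</transport-guarantee>
        </user-data-constraint>
    </security-constraint>

Save the file and restart Tomcat to achieve the goal.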

5. Access test

Entering letcafe.cn, https://letcafe.cn or http://letcafe.cn in the browser now leads directly to https://letcafe.cn

6. Problems that may be encountered

If the access is not available, confirm whether the following issues have been resolved:

1. Whether the firewall has the ports open. With firewalld on CentOS, check that ports 443 and 80 have been added.

Solution: the commands to add the ports and reload the firewall rules are as follows:

    firewall-cmd --zone=public --add-port=80/tcp --permanent
    firewall-cmd --zone=public --add-port=443/tcp --permanent
    firewall-cmd --reload

Command to list the ports opened on the server, to confirm that ports 80 and 443 are open:

    firewall-cmd --zone=public --list-ports

2. Whether the ports are open in the cloud service provider's filtering rules, for example:

Ali Cloud -> console -> CVM ECS -> your server -> more -> Security group configuration

That concludes how to use an HTTPS certificate to encrypt a website in Tomcat9. I hope the above content is of some help to you.
