主页 / server / 问题 / 877914
Accepted
Tobia
Asked: 2017-10-11 23:28:37 +0800 CST

让我们加密tomcat8 ubuntu服务器的证书权限

  • 772

我正在尝试为我的 ubuntu 服务器 VPS 的 Apache HTTPD 和 TOMCAT 服务使用 let's encrypt 证书。

我发现在哪里有letsencrypt存储的证书来查看apache配置,它是由certboot脚本编写的,Apache可以很好地使用这个证书。

我对 tomcat server.xml 配置使用相同的链接,但在其日志中出现权限被拒绝错误:

SEVERE: Failed to initialize end point associated with ProtocolHandler ["http-apr-8443"]
java.lang.Exception: Unable to load certificate key /etc/letsencrypt/live/mysite.org/privkey.pem (error:0200100D:system library:fopen:Permission denied)
        at org.apache.tomcat.jni.SSLContext.setCertificate(Native Method)
        at org.apache.tomcat.util.net.AprEndpoint.bind(AprEndpoint.java:657)
        at org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:742)
        at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:458)
        at org.apache.catalina.connector.Connector.initInternal(Connector.java:960)
        at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)
        at org.apache.catalina.core.StandardService.initInternal(StandardService.java:568)
        at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)
        at org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:851)
        at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)
        at org.apache.catalina.startup.Catalina.load(Catalina.java:580)
        at org.apache.catalina.startup.Catalina.load(Catalina.java:603)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:498)
        at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:310)
        at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:484)

Oct 11, 2017 9:40:07 AM org.apache.catalina.core.StandardService initInternal
SEVERE: Failed to initialize connector [Connector[HTTP/1.1-8443]]
org.apache.catalina.LifecycleException: Failed to initialize component [Connector[HTTP/1.1-8443]]
        at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:107)
        at org.apache.catalina.core.StandardService.initInternal(StandardService.java:568)
        at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)
        at org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:851)
        at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)
        at org.apache.catalina.startup.Catalina.load(Catalina.java:580)
        at org.apache.catalina.startup.Catalina.load(Catalina.java:603)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:498)
        at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:310)
        at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:484)
Caused by: org.apache.catalina.LifecycleException: Protocol handler initialization failed
        at org.apache.catalina.connector.Connector.initInternal(Connector.java:964)
        at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)
        ... 12 more
Caused by: java.lang.Exception: Unable to load certificate key /etc/letsencrypt/live/mysite.org/privkey.pem (error:0200100D:system library:fopen:Permission denied)
        at org.apache.tomcat.jni.SSLContext.setCertificate(Native Method)
        at org.apache.tomcat.util.net.AprEndpoint.bind(AprEndpoint.java:657)
        at org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:742)
        at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:458)
        at org.apache.catalina.connector.Connector.initInternal(Connector.java:960)
        ... 13 more

Oct 11, 2017 9:40:07 AM org.apache.catalina.startup.Catalina load

调查许可我发现了这个:

root@myvps:~# ls -la /etc/letsencrypt/live/mysite.org/
total 12
drwxr-xr-x 2 root root 4096 Sep 20 06:30 .
drwx------ 4 root root 4096 May 23 07:27 ..
lrwxrwxrwx 1 root root   39 Sep 20 06:30 cert.pem -> ../../archive/mysite.org/cert3.pem
lrwxrwxrwx 1 root root   40 Sep 20 06:30 chain.pem -> ../../archive/mysite.org/chain3.pem
lrwxrwxrwx 1 root root   44 Sep 20 06:30 fullchain.pem -> ../../archive/mysite.org/fullchain3.pem
lrwxrwxrwx 1 root root   42 Sep 20 06:30 privkey.pem -> ../../archive/mysite.org/privkey3.pem
-rw-r--r-- 1 root root  543 May 23 07:27 README
root@myvps:~# ls -la /etc/letsencrypt/archive/mysite.org/
total 56
drwxr-xr-x 2 root root 4096 Sep 20 06:30 .
drwx------ 4 root root 4096 May 23 07:27 ..
-rw-r--r-- 1 root root 1818 May 23 07:27 cert1.pem
-rw-r--r-- 1 root root 1814 Jul 22 06:30 cert2.pem
-rw-r--r-- 1 root root 1814 Sep 20 06:30 cert3.pem
-rw-r--r-- 1 root root 1647 May 23 07:27 chain1.pem
-rw-r--r-- 1 root root 1647 Jul 22 06:30 chain2.pem
-rw-r--r-- 1 root root 1647 Sep 20 06:30 chain3.pem
-rw-r--r-- 1 root root 3465 May 23 07:27 fullchain1.pem
-rw-r--r-- 1 root root 3461 Jul 22 06:30 fullchain2.pem
-rw-r--r-- 1 root root 3461 Sep 20 06:30 fullchain3.pem
-rw-r--r-- 1 root root 1704 May 23 07:27 privkey1.pem
-rw-r--r-- 1 root root 1704 Jul 22 06:30 privkey2.pem
-rw-r--r-- 1 root root 1704 Sep 20 06:30 privkey3.pem

据我所知,这个对 ls 命令的回答表明每个人都有符号链接和真实文件的 READ 权限。我对吗?那么,如果我将其证书指向,为什么 tomcat 会抱怨权限/etc/letsencrypt/live/mysite.org/cert.pem

ubuntu

1 个回答

  1. Best Answer

    问题是 /etc/letsencrypt/live/etc/letsencrypt/archive 文件夹只能由具有权限700的 root 访问。然后,如果内部文件是可访问的,tomcat 在遍历它时由于父文件夹权限而无法读取它们。

    我必须将 /etc/letsencrypt/live 和 /etc/letsencrypt/archive 的文件夹权限更改为750并将 tomcat 添加到用户组根目录,现在它可以工作了。

    也许最好将这些文件夹的组所有者更改为根组以外的其他组,例如 ssl-cert。

    • 2

相关问题