Let's Encrypt provides free, publicly trusted SSL/TLS certificates.
Environment:
Windows Server 2008 R2, Tomcat 8.5.29
Deployment steps:
- Download and extract the Let's Encrypt Windows client (letsencrypt-win-simple)
Address: http://files.cnblogs.com/files/teamblog/letsencrypt-win-simple.V1.9.1.zip
(That link is a mirrored copy; the client's own releases are published on GitHub, where the project is now called win-acme. Version 1.9.1 speaks ACME v1, the endpoint that appears as httpsacme-v01.api.letsencrypt.org in the paths later in this post; Let's Encrypt has since retired that endpoint, so a current release is needed for new issuance. The Tomcat side of the procedure is unchanged.)
I extracted it into the Tomcat root directory.
Extraction path (screenshot not reproduced here)
- Let's Encrypt has to validate that you control the site. It does so by fetching challenge files from the site over plain HTTP (the ACME HTTP-01 challenge), so the domain must already resolve to this server and port 80 must be reachable from the Internet before you start. Here a Java Spring MVC project, deployed as the ROOT webapp under Tomcat's webapps directory, serves those files. The code:
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.regex.Pattern;
import javax.servlet.http.HttpServletRequest;
import org.springframework.http.HttpHeaders;
import org.springframework.http.HttpStatus;
import org.springframework.http.MediaType;
import org.springframework.http.ResponseEntity;
import org.springframework.web.bind.annotation.RequestMapping;

// Site folder in which letsencrypt-win-simple writes the validation files (the path
// shown in the screenshot above; replace it with your own). The request URI already
// contains /.well-known/acme-challenge/, so that part is not repeated in the path.
private static final Path SITE_ROOT =
        Paths.get("D:\\apache-tomcat-8.5.29\\letsencrypt-win-simple.V1.9.1\\wgms.zhkx.com.cn");
private static final Path CHALLENGE_DIR =
        SITE_ROOT.resolve(".well-known").resolve("acme-challenge").toAbsolutePath().normalize();
// ACME tokens consist of base64url characters only; anything else is not a valid request.
private static final Pattern TOKEN = Pattern.compile("[A-Za-z0-9_-]+");

@RequestMapping("/.well-known/acme-challenge/*")
public ResponseEntity<byte[]> check(HttpServletRequest request) throws IOException {
    String uri = request.getRequestURI();
    String token = uri.substring(uri.lastIndexOf('/') + 1);
    if (!TOKEN.matcher(token).matches()) {
        return new ResponseEntity<byte[]>(HttpStatus.NOT_FOUND);
    }
    // Resolve inside the challenge folder and verify the result stayed inside it, so a
    // crafted request cannot read other files on the server.
    Path file = CHALLENGE_DIR.resolve(token).normalize();
    if (!file.startsWith(CHALLENGE_DIR) || !Files.isRegularFile(file)) {
        return new ResponseEntity<byte[]>(HttpStatus.NOT_FOUND);
    }
    // The validation server only compares the body with the expected key authorization,
    // so return the file unchanged as plain text rather than as a download.
    HttpHeaders headers = new HttpHeaders();
    headers.setContentType(MediaType.TEXT_PLAIN);
    return new ResponseEntity<byte[]>(Files.readAllBytes(file), headers, HttpStatus.OK);
}
- Run letsencrypt.exe from the letsencrypt-win-simple folder
- Enter the e-mail address for expiry notices
- Press Y to accept the terms of service
- Choose M (manual) as the validation method
- Enter the domain you want to serve over https
- Enter the domain that hosts the validation files (with the code above, enter your domain again; validation works by fetching the value you enter + /.well-known/acme-challenge/ + the generated random token, and the response must return that file's contents unchanged)
- At this point the certificate has been issued (in the middle a red line starting with "Error" appeared, "Error saving certificate: 拒绝访问。" (access denied); I chose to ignore it). Access denied at that step normally means the client could not write to the location where it saves the certificate because it was not started elevated; rerunning it from a prompt opened with "Run as administrator" is safer than ignoring it, since the scheduled renewal may fail the same way.
- Because Let's Encrypt certificates are free, they expire after 90 days and must be validated again. The client helpfully generates the renewal script for you; do not close the window, just continue
- Confirm that it may create the scheduled task (otherwise the certificate expires after 90 days and the site is no longer https). Tomcat reads the PEM files only at startup, so after every renewal Tomcat has to be restarted (or the connector reloaded) before the new certificate is actually served
- Enter the administrator account and password of this computer (the server); the scheduled task runs under that account
- The certificate part is finished; the window can be closed
- Locate the generated certificate files; the default path is C:\Users\Administrator\AppData\Roaming\letsencrypt-win-simple\httpsacme-v01.api.letsencrypt.org\ . Three of them are used (the screenshot is not reproduced here; the names appear in the server.xml step): <domain>-key.pem (the private key), <domain>-crt.pem (the certificate) and <domain>-chain.pem (the intermediate chain). Keep the NTFS permissions on the -key.pem file limited to the account Tomcat runs as; it is the private key.
- Install the APR native library. The connector configured below uses Http11AprProtocol, which needs the Tomcat Native library (tcnative-1.dll); without it that connector cannot initialise, so the https port never opens. (Tomcat 8.5 can also load the PEM files with the NIO connector and JSSE, which needs no native library, but the configuration below uses APR.)
http://tomcat.apache.org/download-native.cgi
Extract it and copy the tcnative-1.dll matching the server's architecture (32- or 64-bit) into the JDK's bin directory.
- Edit the following part of server.xml in Tomcat's conf directory. The three certificate attributes point at the PEM files from the previous step, and type="RSA" matches the RSA key the client generated:
<Connector port="443" protocol="org.apache.coyote.http11.Http11AprProtocol" maxThreads="150" SSLEnabled="true">
    <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
    <SSLHostConfig>
        <Certificate certificateKeyFile="C:\Users\Administrator\AppData\Roaming\letsencrypt-win-simple\httpsacme-v01.api.letsencrypt.org\wgms.zhkx.com.cn-key.pem"
                     certificateFile="C:\Users\Administrator\AppData\Roaming\letsencrypt-win-simple\httpsacme-v01.api.letsencrypt.org\wgms.zhkx.com.cn-crt.pem"
                     certificateChainFile="C:\Users\Administrator\AppData\Roaming\letsencrypt-win-simple\httpsacme-v01.api.letsencrypt.org\wgms.zhkx.com.cn-chain.pem"
                     type="RSA" />
    </SSLHostConfig>
</Connector>
<Connector port="80" protocol="HTTP/1.1"
           connectionTimeout="20000"
           redirectPort="443" />
<Connector port="8009" enableLookups="false" protocol="AJP/1.3" redirectPort="443" />
The redirectPort="443" on the port 80 connector is what the CONFIDENTIAL constraint in the next step uses to send plain http:// requests to https://. Two things worth tightening in this block: SSLHostConfig accepts a protocols attribute (for example protocols="TLSv1.2"), and without it the older TLS versions stay enabled by default; and the AJP connector on 8009 should be removed, or bound with address="127.0.0.1", unless a front-end server actually connects to it, because an AJP port reachable from the network is an exposure in itself.
- Edit web.xml in Tomcat's conf folder and add the following after the welcome-file-list element (conf/web.xml applies to every webapp on the server; put the same block in the application's own WEB-INF/web.xml instead if only one webapp should be affected):
<security-constraint>
    <web-resource-collection>
        <web-resource-name>SSL</web-resource-name>
        <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>
With this in place Tomcat answers every plain-HTTP request, including the renewal requests to /.well-known/acme-challenge/, with a redirect to https://. Let's Encrypt's HTTP-01 validation follows that redirect and does not require the certificate at the redirect target to be valid, so renewals keep working as long as port 443 is up; that is also why this constraint is added only after the first certificate is already installed.
- Restart Tomcat. Done.
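Two checks that belong around this procedure, as an added PowerShell script; it is not part of the original post and not part of letsencrypt-win-simple. With -Challenge it writes a throw-away token into the challenge folder and fetches it through the public host name over plain HTTP, which is exactly what the HTTP-01 validation server does against the Spring MVC controller above; run it before starting letsencrypt.exe. Without the switch it compares the certificate Tomcat actually serves on port 443 with the -crt.pem on disk, reports the remaining validity, and restarts the Tomcat service when the two differ, which is the situation after each 90-day renewal because Tomcat reads the PEM files only at startup. The domain and paths are the ones from this post; the service name Tomcat8 and the file name check-acme-tomcat.ps1 are assumptions, as are .NET 4.5 or later (for the TLS 1.2 handshake) and an elevated prompt (for Restart-Service).

```powershell
# check-acme-tomcat.ps1 (added example, not from the original post or the ACME client)
# Assumptions: paths and domain as in the post; the Tomcat Windows service is named "Tomcat8".
param(
    [switch]$Challenge,
    [string]$Domain        = "wgms.zhkx.com.cn",
    [string]$ChallengeDir  = "D:\apache-tomcat-8.5.29\letsencrypt-win-simple.V1.9.1\wgms.zhkx.com.cn\.well-known\acme-challenge",
    [string]$CertPem       = "C:\Users\Administrator\AppData\Roaming\letsencrypt-win-simple\httpsacme-v01.api.letsencrypt.org\wgms.zhkx.com.cn-crt.pem",
    [string]$TomcatService = "Tomcat8"
)

# Pre-flight for the HTTP-01 challenge: write a throw-away token file and fetch it
# through the public name over plain HTTP, as the validation server will.
function Test-AcmeChallengePath {
    $token   = "preflight-" + [guid]::NewGuid().ToString("N")   # base64url characters only, like a real token
    $content = "ok-" + (Get-Date -Format s)
    $file    = Join-Path $ChallengeDir $token
    try {
        if (-not (Test-Path $ChallengeDir)) { New-Item -ItemType Directory -Path $ChallengeDir | Out-Null }
        [IO.File]::WriteAllText($file, $content)   # no trailing newline; the body must match byte for byte
        $got = (New-Object Net.WebClient).DownloadString("http://$Domain/.well-known/acme-challenge/$token")
        if ($got -ne $content) { throw "server returned '$got', expected '$content'" }
        Write-Host "HTTP-01 path OK: $ChallengeDir is served through http://$Domain/.well-known/acme-challenge/"
        return $true
    } catch {
        Write-Warning "HTTP-01 pre-flight failed: $_"
        return $false
    } finally {
        if (Test-Path $file) { Remove-Item $file }
    }
}

# Read the certificate Tomcat presents on the TLS port. Validation is switched off
# because the point is to inspect the certificate, not to trust it.
function Get-ServedCertificate([string]$HostName, [int]$Port = 443) {
    $tcp = New-Object Net.Sockets.TcpClient($HostName, $Port)
    try {
        $acceptAny = { param($sender, $cert, $chain, $errors) $true }
        $ssl = New-Object Net.Security.SslStream($tcp.GetStream(), $false, $acceptAny)
        $ssl.AuthenticateAsClient($HostName, $null, [Security.Authentication.SslProtocols]::Tls12, $false)
        return New-Object Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally {
        $tcp.Close()
    }
}

# Compare the served certificate with the -crt.pem on disk; restart Tomcat if they differ.
function Test-ServedCertificateCurrent {
    # X509Certificate2 loads a Base64/PEM encoded certificate file directly.
    $disk   = New-Object Security.Cryptography.X509Certificates.X509Certificate2($CertPem)
    $served = Get-ServedCertificate $Domain
    $days   = [int]($disk.NotAfter - (Get-Date)).TotalDays
    Write-Host ("On disk: {0}  valid until {1} ({2} days left)" -f $disk.Thumbprint, $disk.NotAfter, $days)
    Write-Host ("Served : {0}  valid until {1}" -f $served.Thumbprint, $served.NotAfter)
    if ($days -lt 30) { Write-Warning "Fewer than 30 days left: check that the renewal task is running" }
    if ($served.Thumbprint -ne $disk.Thumbprint) {
        Write-Warning "Tomcat still serves the old certificate; restarting service $TomcatService"
        Restart-Service -Name $TomcatService
        return $false
    }
    return $true
}

if ($Challenge) { Test-AcmeChallengePath | Out-Null } else { Test-ServedCertificateCurrent | Out-Null }
```

Run `.\check-acme-tomcat.ps1 -Challenge` at the point in the procedure where the controller is deployed but the CONFIDENTIAL constraint does not exist yet; once the constraint is in place the plain-HTTP request is redirected to https, which WebClient follows, so the check then also exercises the HTTPS side. Run `.\check-acme-tomcat.ps1` after the final restart and again after each renewal, or schedule it shortly after the client's own renewal task, so that a renewed certificate on disk is never left unserved.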