Let's Encrypt certificate permissions for Tomcat 8 on an Ubuntu server

I am trying to use a Let's Encrypt certificate for the Apache HTTPD and Tomcat services on our Ubuntu VPS.

I found the location where letsencrypt stores the certificate in the Apache configuration, which was written by the certbot script, and Apache is using this certificate.

I used the same links in the Tomcat server.xml configuration, but I get a permission denied error in my log:

    SEVERE: Failed to initialize end point associated with ProtocolHandler ["http-apr-8443"]
    java.lang.Exception: Unable to load certificate key /etc/letsencrypt/live/mysite.org/privkey.pem (error:0200100D:system library:fopen:Permission denied)
        at org.apache.tomcat.jni.SSLContext.setCertificate(Native Method)
        at org.apache.tomcat.util.net.AprEndpoint.bind(AprEndpoint.java:657)
        at org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:742)
        at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:458)
        at org.apache.catalina.connector.Connector.initInternal(Connector.java:960)
        at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)
        at org.apache.catalina.core.StandardService.initInternal(StandardService.java:568)
        at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)
        at org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:851)
        at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)
        at org.apache.catalina.startup.Catalina.load(Catalina.java:580)
        at org.apache.catalina.startup.Catalina.load(Catalina.java:603)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:498)
        at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:310)
        at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:484)
    Oct 11, 2017 9:40:07 AM org.apache.catalina.core.StandardService initInternal
    SEVERE: Failed to initialize connector [Connector[HTTP/1.1-8443]]
    org.apache.catalina.LifecycleException: Failed to initialize component [Connector[HTTP/1.1-8443]]
        at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:107)
        at org.apache.catalina.core.StandardService.initInternal(StandardService.java:568)
        at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)
        at org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:851)
        at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)
        at org.apache.catalina.startup.Catalina.load(Catalina.java:580)
        at org.apache.catalina.startup.Catalina.load(Catalina.java:603)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:498)
        at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:310)
        at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:484)
    Caused by: org.apache.catalina.LifecycleException: Protocol handler initialization failed
        at org.apache.catalina.connector.Connector.initInternal(Connector.java:964)
        at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)
        ... 12 more
    Caused by: java.lang.Exception: Unable to load certificate key /etc/letsencrypt/live/mysite.org/privkey.pem (error:0200100D:system library:fopen:Permission denied)
        at org.apache.tomcat.jni.SSLContext.setCertificate(Native Method)
        at org.apache.tomcat.util.net.AprEndpoint.bind(AprEndpoint.java:657)
        at org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:742)
        at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:458)
        at org.apache.catalina.connector.Connector.initInternal(Connector.java:960)
        ... 13 more
    Oct 11, 2017 9:40:07 AM org.apache.catalina.startup.Catalina load

Looking into the permissions, I found this:

    root@myvps:~# ls -la /etc/letsencrypt/live/mysite.org/
    total 12
    drwxr-xr-x 2 root root 4096 Sep 20 06:30 .
    drwx------ 4 root root 4096 May 23 07:27 ..
    lrwxrwxrwx 1 root root   39 Sep 20 06:30 cert.pem -> ../../archive/mysite.org/cert3.pem
    lrwxrwxrwx 1 root root   40 Sep 20 06:30 chain.pem -> ../../archive/mysite.org/chain3.pem
    lrwxrwxrwx 1 root root   44 Sep 20 06:30 fullchain.pem -> ../../archive/mysite.org/fullchain3.pem
    lrwxrwxrwx 1 root root   42 Sep 20 06:30 privkey.pem -> ../../archive/mysite.org/privkey3.pem
    -rw-r--r-- 1 root root  543 May 23 07:27 README
    root@myvps:~# ls -la /etc/letsencrypt/archive/mysite.org/
    total 56
    drwxr-xr-x 2 root root 4096 Sep 20 06:30 .
    drwx------ 4 root root 4096 May 23 07:27 ..
    -rw-r--r-- 1 root root 1818 May 23 07:27 cert1.pem
    -rw-r--r-- 1 root root 1814 Jul 22 06:30 cert2.pem
    -rw-r--r-- 1 root root 1814 Sep 20 06:30 cert3.pem
    -rw-r--r-- 1 root root 1647 May 23 07:27 chain1.pem
    -rw-r--r-- 1 root root 1647 Jul 22 06:30 chain2.pem
    -rw-r--r-- 1 root root 1647 Sep 20 06:30 chain3.pem
    -rw-r--r-- 1 root root 3465 May 23 07:27 fullchain1.pem
    -rw-r--r-- 1 root root 3461 Jul 22 06:30 fullchain2.pem
    -rw-r--r-- 1 root root 3461 Sep 20 06:30 fullchain3.pem
    -rw-r--r-- 1 root root 1704 May 23 07:27 privkey1.pem
    -rw-r--r-- 1 root root 1704 Jul 22 06:30 privkey2.pem
    -rw-r--r-- 1 root root 1704 Sep 20 06:30 privkey3.pem

As far as I understand, this output of the ls command shows that everyone has READ permission on both the symlinks and the real files. Am I right? So why does Tomcat complain about permissions if I point its certificate at /etc/letsencrypt/live/mysite.org/cert.pem?

The problem is that the /etc/letsencrypt/live and /etc/letsencrypt/archive folders are only accessible by root, with permission 700. So even though the files inside are accessible, Tomcat cannot read them when traversing the path, because of the parent folders' permissions.

I had to change the folder permissions of /etc/letsencrypt/live and /etc/letsencrypt/archive to 750 and add tomcat to the usergroup root, and now it works.

It might be better to change the group owner of those folders to a group other than root, such as ssl-cert.
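The rule the answer relies on, that every directory on the way to a file needs the search (x) bit for the user opening it, regardless of the mode of the file itself, can be checked from the permission bits alone without starting Tomcat. The script below is an added example and not part of the question or answer: it rebuilds the layout from the ls -la output above in a temporary directory (with constructed placeholder content, not a real key), then evaluates the path the way open(2) does, first as typed and then after symlink resolution, for an illustrative user named tomcat8 that is never created or looked up on the system. It assumes GNU coreutils (stat -c, readlink -f); the helper names perm_ok, first_denied and make_tree are the example's own.

```shell
#!/bin/sh
# Added example (not from the question or answer): find which component of the
# path blocks a user, using only the mode/owner/group bits, the way the kernel
# selects the owner, group or other triple. Assumes GNU coreutils. The user and
# group names passed in are illustrative strings; nothing is looked up in
# /etc/passwd or /etc/group, so this runs unprivileged.

# group_member GROUP "G1 G2 ...": succeed if GROUP is in the space-separated list
group_member() {
    for g in $2; do
        [ "$g" = "$1" ] && return 0
    done
    return 1
}

# perm_ok PATH USER "GROUPS" BIT: print yes or no for whether USER, a member of
# GROUPS, has BIT (4 = read, 1 = execute/search) on PATH.
perm_ok() {
    path=$1; user=$2; groups=$3; bit=$4
    set -- $(stat -c '%a %U %G' "$path")
    mode=$(printf '%04d' "$1"); owner=$2; group=$3
    mode=${mode#?}                      # drop the setuid/setgid/sticky digit, keep ugo
    if [ "$user" = "$owner" ]; then
        digit=${mode%??}                # owner triple
    elif group_member "$group" "$groups"; then
        t=${mode#?}; digit=${t%?}       # group triple
    else
        digit=${mode#??}                # other triple
    fi
    if [ $(( digit & bit )) -ne 0 ]; then echo yes; else echo no; fi
}

# first_denied USER "GROUPS" BASE REL: walk REL below BASE as open(2) does.
# Every directory must be searchable, the final entry readable, and the same
# must hold for the path after symlinks are resolved. Prints the first
# component USER cannot pass, or "ok".
first_denied() {
    user=$1; groups=$2; base=$(readlink -f "$3"); rel=$4
    resolved=$(readlink -f "$base/$rel"); resolved=${resolved#"$base/"}
    for p in "$rel" "$resolved"; do
        case $p in /*) cur="" ;; *) cur=$base ;; esac   # absolute if it left BASE
        oldifs=$IFS; IFS=/; set -- $p; IFS=$oldifs
        for comp in "$@"; do
            [ -n "$comp" ] || continue
            cur="$cur/$comp"
            if [ -d "$cur" ]; then bit=1; else bit=4; fi
            if [ "$(perm_ok "$cur" "$user" "$groups" "$bit")" = no ]; then
                echo "$cur"; return 1
            fi
        done
    done
    echo ok
}

# make_tree BASE: rebuild the layout from the ls -la output in the question
# under BASE (constructed placeholder file content, not a real key).
make_tree() {
    le=$1/etc/letsencrypt
    mkdir -p "$le/live/mysite.org" "$le/archive/mysite.org"
    printf 'constructed placeholder, not a real key\n' > "$le/archive/mysite.org/privkey3.pem"
    ln -sf ../../archive/mysite.org/privkey3.pem "$le/live/mysite.org/privkey.pem"
    chmod 700 "$le/live" "$le/archive"              # the drwx------ shown for ".."
    chmod 755 "$le/live/mysite.org" "$le/archive/mysite.org"
    chmod 644 "$le/archive/mysite.org/privkey3.pem" # -rw-r--r-- as shown
}

demo() {
    tmp=$(mktemp -d); make_tree "$tmp"
    le=$tmp/etc/letsencrypt; key=live/mysite.org/privkey.pem
    echo "700 dirs, tomcat8 in no extra group: $(first_denied tomcat8 tomcat8 "$le" "$key")"
    # The answer's fix: 750 on the two directories plus membership of their group.
    chmod 750 "$le/live" "$le/archive"
    grp=$(stat -c %G "$le/live")
    echo "750 dirs, tomcat8 not in group $grp: $(first_denied tomcat8 tomcat8 "$le" "$key")"
    echo "750 dirs, tomcat8 in group $grp: $(first_denied tomcat8 "tomcat8 $grp" "$le" "$key")"
    rm -rf "$tmp"
}
demo
```

The first run stops at live/ even though privkey3.pem itself is world-readable, which is exactly the fopen failure in the Tomcat log; after chmod 750 the walk still stops there until the user is in the directory's group, which is the second half of the answer's fix. Two things the same ls -la output shows are worth acting on at the same time: the private keys in archive/ are mode 644, so once the directories are passable any local account can read them, and tightening them to 640 (or 600 with the group granted only on the directories and the key file Tomcat needs) costs nothing; and putting the service account in group root, as the answer did, also grants it every file on the host that is group-readable by root, which is why the answer's own suggestion of a dedicated group such as ssl-cert is the better end state.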