This post is part of the "Building a website from scratch" series.
Because the network environment in China is fairly hostile and ISP traffic hijacking is common, visitors to your site may see odd ads popping up, or in worse cases get redirected to some other site entirely.
To deal with that, we need to apply for an SSL certificate and configure the server for it.
On top of that, I plan to learn and write a WeChat Mini Program, and every Mini Program API call has to go over HTTPS, so moving the whole site to HTTPS is unavoidable.
There are quite a few providers of free HTTPS certificates. I previously wrote a tutorial, "Implementing HTTPS with Let's Encrypt (Windows + Tomcat + Java)", but I no longer plan to use that approach: first, my environment moved from Windows Server to Linux, and second, I've since found a more convenient free SSL certificate.
I recommend two sources of free SSL certificates: Alibaba Cloud's and Tencent's (of course, both are actually Symantec certificates; I name these two only because you can get them for free there). A free certificate offers somewhat less security and authority, but for a personal site that just needs HTTPS it is enough. If you need more, both providers offer better paid options.
1: Since I'm a heavy Alibaba Cloud user, let's first open Alibaba's free certificate page: https://www.aliyun.com/product/cas?spm=5176.8142029.388261.255.b1KqKz
Or you can find it in the management console under Products:
2: Click "Buy now" and choose the free type:
3: Go to payment --> Pay now --> redirected to the certificate console --> complete the details --> um........................... and that is the end of this tutorial, thanks everyone (just kidding, there's more below)
4: So just because a brand called LV exists, I'm not allowed to put an SSL certificate on a domain that starts with "lv"? Alibaba refused my domain, so let's switch to Tencent instead.
5: Open Tencent Cloud's certificate management page, https://console.qcloud.com/ssl , and apply for a certificate.
6: Fill in the subdomain and the applicant email; the password and the remarks can be left blank.
7: Next step. I strongly recommend choosing manual DNS verification; if you insist on file verification... go ahead, I can't stop you...
8: Confirm the application --> view the certificate details, as shown below:
9: Go to your domain's DNS settings and add a record like this, as shown below:
10: Go back to your certificate list and wait for the email and SMS. Both of mine were approved within 1 minute, so fast I almost couldn't get a screenshot.
11: With the certificate issued, the next step is configuring it in Tomcat. Tencent's official documentation explains this clearly, so I won't repeat it; here it is: https://www.qcloud.com/document/product/400/4143#4.-tomcat-.E8.AF.81.E4.B9.A6.E9.83.A8.E7.BD.B2
12: Hold on, we're not done yet; there's plenty more below.
13: Now think about this. After the configuration in step 11, all of your requests go through port 443 and are served with the SSL certificate configured on port 443. But we applied for a single-domain certificate, and Tomcat can clearly host multiple domains and multiple projects, while it looks like one port can only carry one certificate. So what about your other sites? How do you get the certificates for your other domains into Tomcat? That is what I'll cover next: a single Tomcat, a single IP, multiple SSL certificates.
14: The tutorials online either run multiple Tomcats or bind multiple IPs in one Tomcat so that there are several 443 endpoints, which for a while made me think a single Tomcat with multiple SSL certificates was simply impossible. But I knew nginx could serve multiple SSL certificates, so I looked into how: the trick is enabling SNI. Does Tomcat support it? It turns out that versions 8.5 and above support SNI too, which is great (below 8.5 there really is no way; either upgrade Tomcat and follow this tutorial, or put an nginx in front and have it proxy the requests).
15: After hours of digging through Baidu, Google and the like (Tomcat 9.0 is very new and few people use it, since most stick with an old version as long as it doesn't break, so there is little material), I combined the scraps of information I found with the official docs, http://tomcat.apache.org/tomcat-9.0-doc/config/http.html#SSL_Support_-_SSLHostConfig and https://tomcat.apache.org/tomcat-9.0-doc/ssl-howto.html , and finally got both of my certificates working in Tomcat. Here is my server.xml; copy it and adjust the values accordingly. The configuration is very simple (though getting it to work was very painful: the log output is sparse, and there is very little to refer to in either Chinese or English).
For the SSL certificate part, the .jks file is the one Tencent Cloud gives you to download; put it under /usr/tomcat/conf on the server. The password that follows it is the one you entered when applying for the certificate; if you didn't enter one, it is in the other file that comes with the .jks in the download.
<?xml version='1.0' encoding='utf-8'?>
<!--
  Licensed to the Apache Software Foundation (ASF) under one or more
  contributor license agreements.  See the NOTICE file distributed with
  this work for additional information regarding copyright ownership.
  The ASF licenses this file to You under the Apache License, Version 2.0
  (the "License"); you may not use this file except in compliance with
  the License.  You may obtain a copy of the License at

      http://www.apache.org/licenses/LICENSE-2.0

  Unless required by applicable law or agreed to in writing, software
  distributed under the License is distributed on an "AS IS" BASIS,
  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  See the License for the specific language governing permissions and
  limitations under the License.
-->
<!-- Note:  A "Server" is not itself a "Container", so you may not
     define subcomponents such as "Valves" at this level.
     Documentation at /docs/config/server.html
 -->
<Server port="8005" shutdown="SHUTDOWN">
  <Listener className="org.apache.catalina.startup.VersionLoggerListener" />
  <!-- Security listener. Documentation at /docs/config/listeners.html
  <Listener className="org.apache.catalina.security.SecurityListener" />
  -->
  <!--APR library loader. Documentation at /docs/apr.html -->
  <Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" />
  <!-- Prevent memory leaks due to use of particular java/javax APIs-->
  <Listener className="org.apache.catalina.core.JreMemoryLeakPreventionListener" />
  <Listener className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener" />
  <Listener className="org.apache.catalina.core.ThreadLocalLeakPreventionListener" />

  <!-- Global JNDI resources
       Documentation at /docs/jndi-resources-howto.html
  -->
  <GlobalNamingResources>
    <!-- Editable user database that can also be used by
         UserDatabaseRealm to authenticate users
    -->
    <Resource name="UserDatabase" auth="Container"
              type="org.apache.catalina.UserDatabase"
              description="User database that can be updated and saved"
              factory="org.apache.catalina.users.MemoryUserDatabaseFactory"
              pathname="conf/tomcat-users.xml" />
  </GlobalNamingResources>

  <!-- A "Service" is a collection of one or more "Connectors" that share
       a single "Container" Note:  A "Service" is not itself a "Container",
       so you may not define subcomponents such as "Valves" at this level.
       Documentation at /docs/config/service.html
   -->
  <Service name="Catalina">

    <!--The connectors can use a shared executor, you can define one or more named thread pools-->
    <!--
    <Executor name="tomcatThreadPool" namePrefix="catalina-exec-"
        maxThreads="150" minSpareThreads="4"/>
    -->

    <!-- A "Connector" represents an endpoint by which requests are received
         and responses are returned. Documentation at :
         Java HTTP Connector: /docs/config/http.html (blocking & non-blocking)
         Java AJP  Connector: /docs/config/ajp.html
         APR (HTTP/AJP) Connector: /docs/apr.html
         Define a non-SSL/TLS HTTP/1.1 Connector on port 80
    -->
    <Connector port="80" protocol="HTTP/1.1"
               connectionTimeout="20000"
               redirectPort="443" />
    <!-- A "Connector" using the shared thread pool-->
    <!--
    <Connector executor="tomcatThreadPool"
               port="80" protocol="HTTP/1.1"
               connectionTimeout="20000"
               redirectPort="8443" />
    -->
    <!-- Define a SSL/TLS HTTP/1.1 Connector on port 443
         This connector uses the NIO2 implementation that requires the JSSE
         style configuration. When using the APR/native implementation, the
         OpenSSL style configuration is required as described in the APR/native
         documentation.
         One SSLHostConfig per certificate; Tomcat picks the one whose hostName
         matches the SNI name sent by the client, and falls back to
         defaultSSLHostConfigName when nothing matches or no SNI is sent.
    -->
    <Connector port="443" protocol="org.apache.coyote.http11.Http11Nio2Protocol"
               defaultSSLHostConfigName="www.lveri.com"
               maxThreads="150" SSLEnabled="true" >
      <SSLHostConfig hostName="www.lveri.com">
        <Certificate certificateKeystoreFile="conf/www.lveri.com.jks"
                     certificateKeystorePassword="x4f96s6l03152c"
                     type="RSA" />
      </SSLHostConfig>
      <SSLHostConfig hostName="api.lveri.com">
        <Certificate certificateKeystoreFile="conf/api.lveri.com.jks"
                     certificateKeystorePassword="ei25vtm4ag"
                     type="RSA" />
      </SSLHostConfig>
    </Connector>

    <!-- Define an AJP 1.3 Connector on port 8009 -->
    <Connector port="8009" protocol="AJP/1.3" redirectPort="443" />

    <!-- An Engine represents the entry point (within Catalina) that processes
         every request.  The Engine implementation for Tomcat stand alone
         analyzes the HTTP headers included with the request, and passes them
         on to the appropriate Host (virtual host).
         Documentation at /docs/config/engine.html -->

    <!-- You should set jvmRoute to support load-balancing via AJP ie :
    <Engine name="Catalina" defaultHost="localhost" jvmRoute="jvm1">
    -->
    <!-- defaultHost must name one of the <Host> elements below; the stock
         value "localhost" matches none of them, so requests whose Host header
         matches neither site would get a 404. Use the main site instead. -->
    <Engine name="Catalina" defaultHost="www.lveri.com">

      <!--For clustering, please take a look at documentation at:
          /docs/cluster-howto.html  (simple how to)
          /docs/config/cluster.html (reference documentation) -->
      <!--
      <Cluster className="org.apache.catalina.ha.tcp.SimpleTcpCluster"/>
      -->

      <!-- Use the LockOutRealm to prevent attempts to guess user passwords
           via a brute-force attack -->
      <Realm className="org.apache.catalina.realm.LockOutRealm">
        <!-- This Realm uses the UserDatabase configured in the global JNDI
             resources under the key "UserDatabase".  Any edits
             that are performed against this UserDatabase are immediately
             available for use by the Realm.  -->
        <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
               resourceName="UserDatabase"/>
      </Realm>

      <!-- One <Host> per certificate hostName; both point at the same webapp here -->
      <Host name="www.lveri.com" appBase="webapps" unpackWARs="true" autoDeploy="true">
        <Context path="" docBase="lveri" reloadable="true" />
      </Host>
      <Host name="api.lveri.com" appBase="webapps" unpackWARs="true" autoDeploy="true">
        <Context path="" docBase="lveri" reloadable="true" />
      </Host>
    </Engine>
  </Service>
</Server>
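Once the connector above is in place, the question from step 13 becomes testable: does a client that asks for api.lveri.com really get the api certificate, or does it get the default www one? The script below is an added example written for this post (not the author's code and not part of Tomcat). It reads the SSLHostConfig entries out of a server.xml, reproduces the selection order documented for SSLHostConfig (exact hostName, then a "*.parent" wildcard, then defaultSSLHostConfigName) so you can predict which certificate a given SNI name will get, and, if you pass a server address, performs a TLS handshake with each hostName as the SNI value and checks that the certificate actually presented covers that name. The embedded server.xml fragment is a constructed copy of the post's connector with the keystore passwords replaced by placeholders; hostnames and keystore paths are the post's.

```python
"""Check a single-connector, multi-certificate (SNI) Tomcat deployment.

Added example for this post; not the author's code and not part of Tomcat.
"""
import socket
import ssl
import sys
import xml.etree.ElementTree as ET
from typing import Dict, Optional

# Constructed sample: the post's HTTPS connector, keystore passwords redacted.
SAMPLE_SERVER_XML = """\
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="80" protocol="HTTP/1.1" redirectPort="443" />
    <Connector port="443" protocol="org.apache.coyote.http11.Http11Nio2Protocol"
               defaultSSLHostConfigName="www.lveri.com" SSLEnabled="true">
      <SSLHostConfig hostName="www.lveri.com">
        <Certificate certificateKeystoreFile="conf/www.lveri.com.jks"
                     certificateKeystorePassword="KEYSTORE_PASSWORD_PLACEHOLDER" type="RSA" />
      </SSLHostConfig>
      <SSLHostConfig hostName="api.lveri.com">
        <Certificate certificateKeystoreFile="conf/api.lveri.com.jks"
                     certificateKeystorePassword="KEYSTORE_PASSWORD_PLACEHOLDER" type="RSA" />
      </SSLHostConfig>
    </Connector>
  </Service>
</Server>
"""


def ssl_connectors(server_xml: str) -> Dict[str, dict]:
    """Map each SSLEnabled connector's port to its default SSLHostConfig name
    and a {hostName: keystore file} table, read straight from server.xml."""
    result = {}
    for conn in ET.fromstring(server_xml).iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue
        hosts = {}
        for shc in conn.findall("SSLHostConfig"):
            cert = shc.find("Certificate")
            hosts[shc.get("hostName", "_default_").lower()] = (
                cert.get("certificateKeystoreFile") if cert is not None else None)
        result[conn.get("port")] = {
            "default": conn.get("defaultSSLHostConfigName", "_default_").lower(),
            "hosts": hosts}
    return result


def select_ssl_host_config(hosts: Dict[str, Optional[str]], default: str,
                           sni_name: Optional[str]) -> str:
    """Predict which SSLHostConfig Tomcat 8.5+ uses for a client's SNI name:
    exact hostName, then a '*.parent' wildcard entry, then the default (the
    default is also used when the client sends no SNI, e.g. plain IP access)."""
    if sni_name:
        name = sni_name.lower().rstrip(".")
        if name in hosts:
            return name
        if "." in name and "*." + name.split(".", 1)[1] in hosts:
            return "*." + name.split(".", 1)[1]
    return default


def cert_covers(cert: dict, hostname: str) -> bool:
    """True if the certificate's DNS SANs cover hostname: an exact match, or a
    '*.' wildcard standing in for exactly one leftmost label. Implemented by
    hand because ssl.match_hostname was removed in Python 3.12."""
    host = hostname.lower().rstrip(".")
    for kind, value in cert.get("subjectAltName", ()):
        if kind != "DNS":
            continue
        san = value.lower()
        if san == host:
            return True
        if san.startswith("*.") and "." in host and host.split(".", 1)[1] == san[2:]:
            return True
    return False


def presented_cert(host: str, port: int, sni_name: str, timeout: float = 5.0) -> dict:
    """Handshake with SNI=sni_name and return the leaf certificate as the ssl
    module's dict. The chain is still verified against the system trust store;
    only the name check is disabled, so a wrong-but-valid certificate comes
    back for inspection instead of aborting the handshake."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False  # names are compared by cert_covers() instead
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=sni_name) as tls:
            return tls.getpeercert()


def check_deployment(host: str, port: int, server_xml: str) -> Dict[str, bool]:
    """For every concrete hostName on the connector, connect with that SNI name
    and record whether the served certificate covers it. A False entry means
    SNI is not taking effect (Tomcat below 8.5, a typo in hostName, or the
    default certificate being handed out for every name)."""
    plan = ssl_connectors(server_xml)[str(port)]
    return {name: cert_covers(presented_cert(host, port, name), name)
            for name in plan["hosts"]
            if not name.startswith("*.") and name != "_default_"}


if __name__ == "__main__":
    # Usage: python sni_check.py [server-address] [path/to/server.xml]
    target = sys.argv[1] if len(sys.argv) > 1 else None
    xml_text = open(sys.argv[2]).read() if len(sys.argv) > 2 else SAMPLE_SERVER_XML
    for port, plan in ssl_connectors(xml_text).items():
        print(f"port {port}: default={plan['default']}, hosts={plan['hosts']}")
    if target:
        for name, ok in check_deployment(target, 443, xml_text).items():
            print(f"{name}: {'OK' if ok else 'WRONG CERTIFICATE'}")
```

The same live check can be done by hand with `openssl s_client -servername api.lveri.com -connect <server>:443` and reading the subject and subjectAltName of the returned certificate. Two things worth remembering about this setup: the keystore passwords sit in plaintext in server.xml, so server.xml and the .jks files should be readable only by the account Tomcat runs as; and a client that sends no SNI at all gets the defaultSSLHostConfigName certificate, which is why that default should be the site you most expect to be reached without SNI.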
16: Finally done. I'm probably among the first few in China to publish a tutorial on configuring multiple SSL certificates in Tomcat...