1

We recently changed from using standalone Tomcat 8 containers to using the embedded Tomcat 8 container. We are having some trouble getting SSL to work on Grails 3.1.6 with the embedded container. We had been using the certificateFile approach with APR Native Libraries with the standalone container. We would like to keep this approach with the embedded Tomcat instead of changing to the keystore approach. I tried the Grails documentation, went deep into the Spring Boot embedded container documentation, but haven't found a working solution yet.

I tried many different configuration approaches in the application.yml. Based on several different pieces of documentation, sources, etc. my latest attempt was:

environments:
  test:
    grails:
        server:
            port: 8443
            ssl:
                enabled: true
            certificateKeyFile: '/usr/share/app/my_domain_net.key'
            certificateFile: '/usr/share/app/my_domain_net.crt'
            certificateChainFile: '/usr/share/app/myCA.crt'
        serverURL: "https://test.mydomain.net:8443"
        tomcat:
            port: 8443
            ssl:
                enabled: true
            certificateKeyFile: '/usr/share/app/my_domain_net.key'
            certificateFile: '/usr/share/app/my_domain_net.crt'
            certificateChainFile: '/usr/share/app/myCA.crt'

I also tried adding this to the end of the application.yml:

server:
    port: 8443
    ssl:
        enabled: true
    certificateKeyFile: '/usr/share/app/my_domain_net.key'
    certificateFile: '/usr/share/app/my_domain_net.crt'
    certificateChainFile: '/usr/share/app/myCA.crt'

but this gave me a 'resource location may not be null' error. Most examples and questions I see are quite dated at this point. Time to ask a fresh question on stackoverflow. Thanks in advance!

4

1 回答 1

2

即使在 LD_LIBRARY_PATH 上加载了 APR 本机库,也无法使用 openssl certificateKeyFile 方法。(我认为,如果您编辑 grails-app/init/myapp/Application.groovy 并按照 Spring 文档添加额外的连接器(在http://docs.spring.io/spring-boot/的第 70.9 段,我认为这是可能的) docs/current/reference/html/howto-embedded-servlet-containers.html),但这很困难,您需要阅读 org.springframework 资源以了解如何使用 openssl 证书和 APR Native 进行这项工作。)对于我,这是不值得的,所以这是使用密钥库方法的方法。

我不得不使用 Tomcat keytool 方法重新键入证书。

然后,application.yml 更新为如下所示:

---
---
environments:
    development:
        server:
            port: 8080
            ssl:
                enabled: false
        grails:
            serverURL: "http://localhost:8080"

---
---
environments:
    test:
        server:
            port: 8443
            ssl:
                enabled: true
            key-store: classpath:my_domain_net.jks
            key-store-password: mypassword
            key-password: mypassword
        grails:
            serverURL: "https://test.mydomain.net:8443"

我准备证书的过程是:

1) create a directory for ssl_certificates
2) pick a Certificate Authority (I chose DigiCert)
3) use the CA's instructions for generating a csr for Tomcat:keytool
4) the CA's keytool command asks for a keystore password and key password
5) submit the csr and wait ~10 minutes for the cert to be issued
6) download the issued certificate as my_domain_net.p7b into the
   ssl_certificates folder created above
7) keytool -import -trustcacerts -alias server -file my_domain_net.p7b \
       -keystore my_domain_net
8) copy my_domain_net.jks into src/main/resources/ of your web project.
于 2016-06-02T17:16:55.290 回答