Java 如何在 Docker 容器中向 Tomcat 添加 SSL 证书?
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/46923699/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
How to add SSL certificates to Tomcat in Docker container?
提问by Gagan Singh
I'm new to Docker and trying to learn it. I'm using Docker Quickstart Terminal on Windows 7. I've a simple requirement where I'm using Tomcat in a Docker container. My DockerFile is as following:
我是 Docker 的新手并试图学习它。我在 Windows 7 上使用 Docker 快速入门终端。我有一个简单的要求,我在 Docker 容器中使用 Tomcat。我的 DockerFile 如下:
FROM tomcat:8.0.47-jre7
RUN cd /usr/local/tomcat/webapps
COPY test.war /usr/local/tomcat/webapps/test.war
Then I issue simple build and run commands in the Docker console.
然后我在 Docker 控制台中发出简单的构建和运行命令。
test.war is a Java web-service. This web-service internally calls other web-services on remote hosts using HTTPS. I've the certs for the remote hosts.
test.war 是一个 Java 网络服务。此 Web 服务使用 HTTPS 在内部调用远程主机上的其他 Web 服务。我有远程主机的证书。
I tried several ways available on the internet to import or copy those certs to different locations as mentioned on different forums/blogs, but in vain. Whenever I use HTTPS to call the external web-service from test.war, it gives me SSL Handshake error.
我尝试了几种互联网上可用的方法来将这些证书导入或复制到不同论坛/博客上提到的不同位置,但徒劳无功。每当我使用 HTTPS 从 test.war 调用外部 Web 服务时,它都会给我 SSL 握手错误。
I also have a Java keystore. I tried to use Java also in my Docker file and tried to use the keystore, but again, in vain.
我也有一个 Java 密钥库。我也尝试在我的 Docker 文件中使用 Java 并尝试使用密钥库,但再次失败。
When I use the same test.war on the tomcat installed directly on my machine, it works absolutely fine.
当我在我的机器上直接安装的 tomcat 上使用相同的 test.war 时,它工作得很好。
Can someone help me by providing the steps to be able to import/use SSL certs/keystore in this scenario. Also, how can I import more than one certs?
有人可以通过提供能够在这种情况下导入/使用 SSL 证书/密钥库的步骤来帮助我。另外,如何导入多个证书?
回答by Sasha Shpota
You can try importing the certificate into jvm trusted store inside docker.
您可以尝试将证书导入 docker 内的 jvm 可信存储。
I've the certs for the remote hosts.
我有远程主机的证书。
You can use these certificates but in fact you don't need them, you only need the root certificate of the authority that issued the certificates. You can download it from the internet.
您可以使用这些证书,但实际上您不需要它们,您只需要颁发证书的机构的根证书。你可以从互联网上下载它。
Usually they are given in pemformat, but you'll need derfor jvm.
通常它们以pem格式给出,但你需要derjvm。
First you need to convert the certificate:
首先你需要转换证书:
openssl x509 -in ca.pem -inform pem -out ca.der -outform der
Then install it into jvm keystore:
然后将其安装到 jvm 密钥库中:
keytool -importcert -alias startssl -keystore \
$JAVA_HOME/lib/security/cacerts -storepass changeit -file ca.der
This command asks if you really want to add the certificate, you shoudl type "yes".
此命令询问您是否真的要添加证书,您应该输入“是”。
And all together in a Dockerfile:
全部放在一起Dockerfile:
FROM tomcat:8.0.47-jre7
COPY ca.pem ca.pem
RUN openssl x509 -in ca.pem -inform pem -out ca.der -outform der
RUN echo yes | keytool -importcert -alias startssl -keystore \
/docker-java-home/jre/lib/security/cacerts -storepass changeit -file ca.der
COPY test.war /usr/local/tomcat/webapps/test.war
WORKDIR /usr/local/tomcat/webapps
Note: if you already have certificate in derformat you don't need opensslcall, just copy the certificate directly.
注意:如果您已经有der不需要openssl调用的格式的证书,直接复制证书即可。
To verify that the certificate is really applied you can run the container, ssh into it
要验证证书是否真的被应用,您可以运行容器,通过 ssh 进入它
$ docker exec -it <CONTAINER-ID> bash
and check the keystore:
并检查密钥库:
$ keytool -keystore "/docker-java-home/jre/lib/security/cacerts" -storepass changeit -list | grep <NAME-OF-YOUR-CERT-AUTHORITY>
回答by Tom Donohue
For Java apps in RHEL/Centos images, you can use update-ca-trust, which will update your trust stores for you, from files you place into /etc/pki/ca-trust. It also accepts .pemfiles directly:
对于 RHEL/Centos 映像中的 Java 应用程序,您可以使用update-ca-trust,它将为您更新您的信任库,从您放入/etc/pki/ca-trust. 它还.pem直接接受文件:
FROM ...
USER root
COPY yourcertificate.pem /etc/pki/ca-trust/source/anchors/yourcertificate.pem
RUN update-ca-trust
This will update /etc/pki/java/cacertsfor you automatically, so that Java will trust the new certificate.
这将/etc/pki/java/cacerts自动为您更新,以便 Java 将信任新证书。
Or, if your cert is hosted on a web server, then you can use curlto download it instead of copying the file - for example:
或者,如果您的证书托管在 Web 服务器上,那么您可以使用curl它来下载它而不是复制文件 - 例如:
RUN curl -k https://badssl.com/certs/ca-untrusted-root.crt -o /etc/pki/ca-trust/source/anchors/ca-untrusted-root.crt && \
update-ca-trust
回答by Sireesh Yarlagadda
=> Use classpath:/some/location/cerkey.jksin case of Docker location, to refer the docker instance.
=>classpath:/some/location/cerkey.jks在 Docker 位置的情况下使用,以引用 docker 实例。
=> Use file:/some/location/cerkey.jksin case of host location, where the docker is running.
=>file:/some/location/cerkey.jks在 docker 运行的主机位置的情况下使用。
Hint: Value of server.ssl.key-store
提示:server.ssl.key-store 的值
