[Building a Website from Scratch, Part 6] Applying for a free SSL certificate (https) for a domain, and configuring Tomcat with multiple SSL certificates for https domains


Because the network environment in China is fairly hostile and ISP traffic hijacking is common, visitors to your site typically see odd pop-up ads, and in worse cases get redirected to other sites entirely.

To deal with this, we need to apply for an SSL certificate and configure the server for it.

Also, I plan to learn and write a WeChat mini-program, and every mini-program API call must go over https, so moving the whole site to https is unavoidable.

 

There are quite a few free https providers now. I previously wrote a tutorial, "Using Let's Encrypt for Https (Windows + Tomcat + Java)", but I no longer use that approach: first, my environment has moved from Windows Server to Linux, and second, I have found free SSL certificates that are easier to work with.

I recommend two sources of free SSL certificates: Alibaba Cloud and Tencent Cloud (both are actually Symantec certificates; I name these two only because they give them out for free). The free ones are somewhat weaker in security and authority, but for a personal site that just needs https they are enough; if you need more, both vendors offer better paid options.

 

1: Since I am a heavy Alibaba Cloud user, let's first open Alibaba's free certificate page: https://www.aliyun.com/product/cas?spm=5176.8142029.388261.255.b1KqKz

Or you can find it in the management console under Products:

  

2: Click Buy Now and select the free type:

 

3: Go to payment --> Pay Now --> you are redirected to the certificate console --> fill in the details --> hmm........................... and that's the end of this tutorial, thank you all (just kidding, there's more below)

 

4: Is it just because there's a brand called LV in this world that I can't get an SSL certificate for my LV domain? Or because "lv" sounds like "green"? Religious discrimination? Alibaba, that's not very halal of you; I could tell from the moment Alibaba Trip was renamed Fliggy ("Flying Pig") that you weren't a halal company, hmph! Fine, we'll go over to Tencent instead.

 

5: Open the Tencent Cloud certificate management page, https://console.qcloud.com/ssl , and apply for a certificate

 

6: Fill in the subdomain and the applicant email; the password and remarks can both be left blank

 

7: Next. I strongly recommend choosing manual DNS validation; if you insist on file validation... well, go ahead, I can't stop you...

8: Confirm the application --> view the certificate details, as shown below:

 

9: Go to your domain's DNS settings and add a record like this, as shown below:

 

10: Go back to your certificate list and wait for their email and SMS. Both of my applications were approved within 1 minute; it was so fast I almost couldn't grab a screenshot.

 

11: With the certificate issued, the next step is configuring it in Tomcat. Tencent's official documentation explains this clearly, so I won't embarrass myself; here is the official guide: https://www.qcloud.com/document/product/400/4143#4.-tomcat-.E8.AF.81.E4.B9.A6.E9.83.A8.E7.BD.B2

 

12: Don't rush, it's not over yet. A man like me wouldn't stop here; there is a lot more below

  

13: Now think about this: after the official configuration in step 11, all your requests go through port 443 and are validated against the SSL certificate configured on port 443. But we applied for a single-domain certificate, while Tomcat can clearly host multiple domains and projects, and so far it looks like one port can carry only one certificate. So what about your other sites? How do you get the certificates for your other domains into Tomcat? That is what I cover next: a single Tomcat, on a single IP, with multiple SSL certificates.

 

14: Every tutorial online either runs multiple Tomcats or configures multiple IPs in one Tomcat so that there can be several port 443 listeners, which for a while convinced me that a single Tomcat with multiple SSL certificates was simply impossible. But I knew nginx could serve multiple SSL certificates, so I looked into it: the mechanism is SNI. Does Tomcat support it? After checking, versions 8.5 and above support SNI too, which is great news (below 8.5 there is really no way; either upgrade Tomcat and follow this tutorial, or put an nginx in front and have requests go through the nginx proxy first).

 

15: After several hours of digging through Baidu, Google and so on (Tomcat 9.0 is very new and few people use it; most stick with an old version as long as it works..., so there was little material), piecing together scraps of information plus the official pages http://tomcat.apache.org/tomcat-9.0-doc/config/http.html#SSL_Support_-_SSLHostConfig and https://tomcat.apache.org/tomcat-9.0-doc/ssl-howto.html , I finally got both of my certificates working in Tomcat. Below is my server.xml; copy it over and adjust the corresponding values. The configuration itself is very simple (though getting it to work was very painful: the log output is extremely sparse and there is little reference material in either Chinese or English).

In the SSL certificate section, the .jks file is the one Tencent Cloud gives you to download; put it under /usr/tomcat/conf on the server. The password after it is the one you entered when applying for the certificate, if you set one; if you didn't, it is in the other file downloaded alongside the .jks.

<?xml version='1.0' encoding='utf-8'?>
<!--
       Licensed to the Apache Software Foundation (ASF) under one or more
  contributor license agreements.  See the NOTICE file distributed with
  this work for additional information regarding copyright ownership.
  The ASF licenses this file to You under the Apache License, Version 2.0
  (the "License"); you may not use this file except in compliance with
  the License.  You may obtain a copy of the License at
      http://www.apache.org/licenses/LICENSE-2.0

  Unless required by applicable law or agreed to in writing, software
  distributed under the License is distributed on an "AS IS" BASIS,
  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  See the License for the specific language governing permissions and
  limitations under the License.
-->
<!-- Note:  A "Server" is not itself a "Container", so you may not
          define subcomponents such as "Valves" at this level.
     Documentation at /docs/config/server.html
 -->
<Server port="8005" shutdown="SHUTDOWN">
  <Listener className="org.apache.catalina.startup.VersionLoggerListener" />
  <!-- Security listener. Documentation at /docs/config/listeners.html
         <Listener className="org.apache.catalina.security.SecurityListener" />
  -->
  <!--APR library loader. Documentation at /docs/apr.html -->
  <Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" />
  <!-- Prevent memory leaks due to use of particular java/javax APIs-->
  <Listener className="org.apache.catalina.core.JreMemoryLeakPreventionListener" />
  <Listener className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener" />
  <Listener className="org.apache.catalina.core.ThreadLocalLeakPreventionListener" />

  <!-- Global JNDI resources
              Documentation at /docs/jndi-resources-howto.html
  -->
  <GlobalNamingResources>
    <!-- Editable user database that can also be used by
                  UserDatabaseRealm to authenticate users
    -->
    <Resource name="UserDatabase" auth="Container"
              type="org.apache.catalina.UserDatabase"
              description="User database that can be updated and saved"
              factory="org.apache.catalina.users.MemoryUserDatabaseFactory"
              pathname="conf/tomcat-users.xml" />
  </GlobalNamingResources>

  <!-- A "Service" is a collection of one or more "Connectors" that share
              a single "Container" Note:  A "Service" is not itself a "Container",
       so you may not define subcomponents such as "Valves" at this level.
       Documentation at /docs/config/service.html
   -->
  <Service name="Catalina">

    <!--The connectors can use a shared executor, you can define one or more named thread pools-->
    <!--
             <Executor name="tomcatThreadPool" namePrefix="catalina-exec-"
        maxThreads="150" minSpareThreads="4"/>
    -->


    <!-- A "Connector" represents an endpoint by which requests are received
                  and responses are returned. Documentation at :
         Java HTTP Connector: /docs/config/http.html (blocking & non-blocking)
         Java AJP  Connector: /docs/config/ajp.html
         APR (HTTP/AJP) Connector: /docs/apr.html
         Define a non-SSL/TLS HTTP/1.1 Connector on port 8080
    -->
    <Connector port="80" protocol="HTTP/1.1"
               connectionTimeout="20000"
               redirectPort="443" />

   <!-- A "Connector" using the shared thread pool-->
    <!--
             <Connector executor="tomcatThreadPool"
               port="80" protocol="HTTP/1.1"
               connectionTimeout="20000"
               redirectPort="8443" />
    -->
    <!-- Define a SSL/TLS HTTP/1.1 Connector on port 8443
                  This connector uses the NIO implementation that requires the JSSE
         style configuration. When using the APR/native implementation, the
         OpenSSL style configuration is required as described in the APR/native
         documentation -->

    <Connector port="443" protocol="org.apache.coyote.http11.Http11Nio2Protocol"
               defaultSSLHostConfigName="www.lveri.com"
               maxThreads="150" SSLEnabled="true">
        <SSLHostConfig hostName="www.lveri.com">
            <Certificate certificateKeystoreFile="conf/www.lveri.com.jks"
                         certificateKeystorePassword="x4f96s6l03152c" type="RSA" />
        </SSLHostConfig>
        <SSLHostConfig hostName="api.lveri.com">
            <Certificate certificateKeystoreFile="conf/api.lveri.com.jks"
                         certificateKeystorePassword="ei25vtm4ag" type="RSA" />
        </SSLHostConfig>
    </Connector>


    <!-- Define an AJP 1.3 Connector on port 8009 -->
    <Connector port="8009" protocol="AJP/1.3" redirectPort="443" />


    <!-- An Engine represents the entry point (within Catalina) that processes
                  every request.  The Engine implementation for Tomcat stand alone
         analyzes the HTTP headers included with the request, and passes them
         on to the appropriate Host (virtual host).
         Documentation at /docs/config/engine.html -->

    <!-- You should set jvmRoute to support load-balancing via AJP ie :
             <Engine name="Catalina" defaultHost="localhost" jvmRoute="jvm1">
    -->
    <Engine name="Catalina" defaultHost="localhost">

      <!--For clustering, please take a look at documentation at:
                     /docs/cluster-howto.html  (simple how to)
          /docs/config/cluster.html (reference documentation) -->
      <!--
                 <Cluster className="org.apache.catalina.ha.tcp.SimpleTcpCluster"/>
      -->

      <!-- Use the LockOutRealm to prevent attempts to guess user passwords
                      via a brute-force attack -->
      <Realm className="org.apache.catalina.realm.LockOutRealm">
        <!-- This Realm uses the UserDatabase configured in the global JNDI
                          resources under the key "UserDatabase".  Any edits
             that are performed against this UserDatabase are immediately
             available for use by the Realm.  -->
        <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
               resourceName="UserDatabase"/>
      </Realm>
      <Host name="www.lveri.com" appBase="webapps" unpackWARs="true" autoDeploy="true">
        <Context path="" docBase="lveri" reloadable="true" debug="0" />
      </Host>
      <Host name="api.lveri.com" appBase="webapps" unpackWARs="true" autoDeploy="true">
        <Context path="" docBase="lveri" reloadable="true" debug="0" />
      </Host>
    </Engine>
  </Service>
</Server>
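To catch the SNI pitfalls this section describes before restarting Tomcat, here is an added Python script (my own example, not the author's or Tomcat's code) that parses a constructed server.xml with placeholder hostnames and keystore passwords and reports: a Host with no matching SSLHostConfig (Tomcat silently serves that host the defaultSSLHostConfigName certificate, so browsers show a name mismatch), a defaultSSLHostConfigName that points at no block, and any keystore still on Tomcat's default password "changeit".

```python
import xml.etree.ElementTree as ET

# Constructed server.xml fragment modelled on the SNI setup above.
# Hostnames and passwords are placeholders. "shop.example.test" has a <Host>
# but no <SSLHostConfig>, so SNI falls back to the default certificate.
SERVER_XML = """<?xml version='1.0' encoding='utf-8'?>
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="443" protocol="org.apache.coyote.http11.Http11Nio2Protocol"
               SSLEnabled="true" defaultSSLHostConfigName="www.example.test">
      <SSLHostConfig hostName="www.example.test">
        <Certificate certificateKeystoreFile="conf/www.example.test.jks"
                     certificateKeystorePassword="changeit" type="RSA"/>
      </SSLHostConfig>
      <SSLHostConfig hostName="api.example.test">
        <Certificate certificateKeystoreFile="conf/api.example.test.jks"
                     certificateKeystorePassword="s3cr3t-placeholder" type="RSA"/>
      </SSLHostConfig>
    </Connector>
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="www.example.test" appBase="webapps"/>
      <Host name="api.example.test" appBase="webapps"/>
      <Host name="shop.example.test" appBase="webapps"/>
    </Engine>
  </Service>
</Server>
"""


def audit_sni(xml_text):
    """Return a list of findings about the SNI-to-certificate mapping."""
    root = ET.fromstring(xml_text)
    findings = []
    for conn in root.iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue  # plain HTTP/AJP connectors carry no certificates
        # Tomcat names an SSLHostConfig without hostName "_default_".
        cfgs = {c.get("hostName", "_default_"): c for c in conn.findall("SSLHostConfig")}
        default = conn.get("defaultSSLHostConfigName", "_default_")
        if default not in cfgs:
            findings.append(f"defaultSSLHostConfigName '{default}' has no SSLHostConfig")
        for name, cfg in cfgs.items():
            for cert in cfg.findall("Certificate"):
                # certificateKeystorePassword defaults to "changeit" when omitted.
                if cert.get("certificateKeystorePassword", "changeit") == "changeit":
                    findings.append(f"{name}: keystore uses the default password 'changeit'")
        for host in (h.get("name") for h in root.iter("Host")):
            if host not in cfgs:
                findings.append(f"Host '{host}' has no SSLHostConfig; SNI will serve '{default}' cert")
    return findings
```

Against a running server, `openssl s_client -connect HOST:443 -servername api.example.test` shows which certificate each SNI name actually returns.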

 

16: Finally done. I am probably among the first few in China to publish a tutorial on configuring multiple SSL certificates in a single Tomcat...
