无法访问 localhost:8443/ejbca

Question

我是 ejbca 的新手，我必须将它安装在虚拟机上才能工作

    Ubuntu 20.04
    ejbca_7_4_3_2
    wildfly-18.0.0.Final
    mariadb-server version: 10.3.32-MariaDB-0ubuntu0.20.04.1 Ubuntu 20.04
    openjdk version "1.8.0_312"
    Apache Ant(TM) version 1.10.7 compiled on October 24 2019

经过几次尝试（以及大量克隆和删除的虚拟机），我终于通过命令ant runinstall 和ant deploy-keystore 得到“构建成功”消息 但是当我尝试使用 URL https://localhost:8443/ejbca/（安装了证书 SuperAdmin.p12）时，我的浏览器（firefox 96.0 64bits）给出了消息

    An error occurred during a connection to localhost:8443. Cannot communicate securely with peer: no common encryption algorithm(s).
    
    Error code: SSL_ERROR_NO_CYPHER_OVERLAP

我的日志文件中有这个错误，第一个与ant -q clean deployear 相关 最后，每次我尝试通过 URL https://localhost:8443/ejbca/ 访问时都会出现

    ERROR [org.jboss.as.jsf] (MSC service thread 1-1) WFLYJSF0002: Could not load JSF managed bean class: org.ejbca.ui.web.admin.peerconnector.PeerConnectorMBean

    ERROR [io.undertow.request] (default I/O-2) Closing SSLConduit after exception on handshake: javax.net.ssl.SSLHandshakeException: no cipher suites in common
      at sun.security.ssl.Alert.createSSLException(Alert.java:131)
      at sun.security.ssl.Alert.createSSLException(Alert.java:117)
      at sun.security.ssl.TransportContext.fatal(TransportContext.java:311)
      at sun.security.ssl.TransportContext.fatal(TransportContext.java:267)
      at sun.security.ssl.TransportContext.fatal(TransportContext.java:258)
      at sun.security.ssl.ServerHello$T12ServerHelloProducer.chooseCipherSuite(ServerHello.java:461)
      at sun.security.ssl.ServerHello$T12ServerHelloProducer.produce(ServerHello.java:296)
      at sun.security.ssl.SSLHandshake.produce(SSLHandshake.java:421)
      at sun.security.ssl.ClientHello$T12ClientHelloConsumer.consume(ClientHello.java:1020)
      at sun.security.ssl.ClientHello$ClientHelloConsumer.onClientHello(ClientHello.java:727)
      at sun.security.ssl.ClientHello$ClientHelloConsumer.consume(ClientHello.java:693)
      at sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:377)
      at sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:444)
      at sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction.run(SSLEngineImpl.java:981)
      at sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction.run(SSLEngineImpl.java:968)
      at java.security.AccessController.doPrivileged(Native Method)
      at sun.security.ssl.SSLEngineImpl$DelegatedTask.run(SSLEngineImpl.java:915)
      at io.undertow.protocols.ssl.SslConduit$5.run(SslConduit.java:1072)
      at org.jboss.threads.ContextClassLoaderSavingRunnable.run(ContextClassLoaderSavingRunnable.java:35)
      at org.jboss.threads.EnhancedQueueExecutor.safeRun(EnhancedQueueExecutor.java:1982)
      at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.doRunTask(EnhancedQueueExecutor.java:1486)
      at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1377)
      at java.lang.Thread.run(Thread.java:748)

Answer 1

ERROR [io.undertow.request]（默认 I/O-2）异常后关闭 SSLConduit

听起来像是 TLS 配置问题。您将在运行的命令中找到配置 WildFly 时所做的 TLS 配置：

/opt/wildfly/bin/jboss-cli.sh --connect '/subsystem=elytron/server-ssl-context=httpspriv:add(key-manager=httpsKM,protocols=["TLSv1.2"], use-cipher-suites-order=false,cipher-suite-filter="TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",trust-manager=httpsTM,need-client-auth=true)'

结果在 WildFly 中的standalone.xml 中某处，您可以直接在 WildFly 中修改它。例如，如果您在使用上述 RSA 算法选择时在服务器证书中有 EC 密钥。

在 server.log 中，如果解析值或密钥库时出现任何错误，您还应该看到 WildFly 何时启动。 确保您的服务器和客户端证书具有与 TLS 算法设置匹配的密钥和算法，否则 WildFly 将删除这些算法。