We got the following exception when we try to access secure https REST point from zuul.
当我们试图从zuul访问安全的https REST点时,我们得到了以下的异常。
2017-10-27 08:26:08.499 DEBUG 15708 --- [http-nio-9092-exec-1] o.a.h.c.ssl.SSLConnectionSocketFactory : Secure session established
2017-10-27 08:26:08.500 DEBUG 15708 --- [http-nio-9092-exec-1] o.a.h.c.ssl.SSLConnectionSocketFactory : negotiated protocol: TLSv1.2
2017-10-27 08:26:08.500 DEBUG 15708 --- [http-nio-9092-exec-1] o.a.h.c.ssl.SSLConnectionSocketFactory : negotiated cipher suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
2017-10-27 08:26:08.501 DEBUG 15708 --- [http-nio-9092-exec-1] o.a.h.c.ssl.SSLConnectionSocketFactory : peer principal: CN=10.xxx.xx.xx, OU=xxx, O=xxx, L=xxx, ST=xx, C=xx
2017-10-27 08:26:08.502 DEBUG 15708 --- [http-nio-9092-exec-1] o.a.h.c.ssl.SSLConnectionSocketFactory : issuer principal: CN=10.xxx.xx.xx, OU=xxx, O=xxx, L=xxx, ST=xx, C=xx
2017-10-27 08:26:08.516 DEBUG 15708 --- [http-nio-9092-exec-1] o.a.h.conn.ssl.DefaultHostnameVerifier : Certificate for doesn't match common name of the certificate subject: 10.xxx.xx.xx
javax.net.ssl.SSLPeerUnverifiedException: Certificate for doesn't match common name of the certificate subject
at org.apache.http.conn.ssl.DefaultHostnameVerifier.matchCN(DefaultHostnameVerifier.java:186)
at org.apache.http.conn.ssl.DefaultHostnameVerifier.verify(DefaultHostnameVerifier.java:133)
at org.apache.http.conn.ssl.DefaultHostnameVerifier.verify(DefaultHostnameVerifier.java:99)
at org.apache.http.conn.ssl.SSLConnectionSocketFactory.verifyHostname(SSLConnectionSocketFactory.java:463)
at org.apache.http.conn.ssl.SSLConnectionSocketFactory.createLayeredSocket(SSLConnectionSocketFactory.java:397)
at org.apache.http.conn.ssl.SSLConnectionSocketFactory.connectSocket(SSLConnectionSocketFactory.java:355)
at org.apache.http.impl.conn.DefaultHttpClientConnectionOperator.connect(DefaultHttpClientConnectionOperator.java:142)
at org.apache.http.impl.conn.PoolingHttpClientConnectionManager.connect(PoolingHttpClientConnectionManager.java:359)
at org.apache.http.impl.execchain.MainClientExec.establishRoute(MainClientExec.java:381)
at org.apache.http.impl.execchain.MainClientExec.execute(MainClientExec.java:237)
at org.apache.http.impl.execchain.ProtocolExec.execute(ProtocolExec.java:185)
at org.apache.http.impl.execchain.RetryExec.execute(RetryExec.java:89)
at org.apache.http.impl.execchain.RedirectExec.execute(RedirectExec.java:111)
at org.apache.http.impl.client.InternalHttpClient.doExecute(InternalHttpClient.java:185)
at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:83)
at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:108)
at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:56)
at org.springframework.cloud.netflix.ribbon.apache.RibbonLoadBalancingHttpClient.execute(RibbonLoadBalancingHttpClient.java:94)
at org.springframework.cloud.netflix.ribbon.apache.RibbonLoadBalancingHttpClient.execute(RibbonLoadBalancingHttpClient.java:43)
at com.netflix.client.AbstractLoadBalancerAwareClient$1.call(AbstractLoadBalancerAwareClient.java:109)
at com.netflix.loadbalancer.reactive.LoadBalancerCommand$3$1.call(LoadBalancerCommand.java:303)
at com.netflix.loadbalancer.reactive.LoadBalancerCommand$3$1.call(LoadBalancerCommand.java:287)
at rx.internal.util.ScalarSynchronousObservable$3.call(ScalarSynchronousObservable.java:231)
at rx.internal.util.ScalarSynchronousObservable$3.call(ScalarSynchronousObservable.java:228)
at rx.Observable.unsafeSubscribe(Observable.java:10211)
at rx.internal.operators.OnSubscribeConcatMap$ConcatMapSubscriber.drain(OnSubscribeConcatMap.java:286)
at rx.internal.operators.OnSubscribeConcatMap$ConcatMapSubscriber.onNext(OnSubscribeConcatMap.java:144)
at com.netflix.loadbalancer.reactive.LoadBalancerCommand$1.call(LoadBalancerCommand.java:185)
at com.netflix.loadbalancer.reactive.LoadBalancerCommand$1.call(LoadBalancerCommand.java:180)
...
service is registered with eureka via POST request. Please find the below sample POST request.
服务通过POST请求在eureka注册。请找到下面的样本POST请求。
spring:
application:
name: gateway
server:
port: 9092
ssl:
enabled: true
clientAuth: want
key-store: classpath:keystore.jks
key-store-password: password
key-password: password
key-alias: xxxx
eureka:
instance:
nonSecurePortEnabled: false
securePortEnabled: true
client:
serviceUrl:
defaultZone: ${EUREKA_URI:http://localhost:8761/eureka}
registry-fetch-interval-seconds: 15
register-with-eureka: true
fetch-registry: true
heartbeat-executor-thread-pool-size: 5
eureka-service-url-poll-interval-seconds: 10
zuul:
prefix: /tree
routes:
serv:
path: /cxf/**
strip-prefix: false
serviceId: serv
ribbon:
IsSecure: true
IsHostnameValidationRequired: false
service is registered with eureka via POST request. Please find the below sample POST request.
服务通过POST请求在eureka注册。请找到下面的样本POST请求。
{
"instance": {
"hostName": "xxx",
"app": "appname",
"vipAddress": "appname",
"secureVipAddress": "appname",
"ipAddr": "10.xxx.xx.xxx",
"status": "UP",
"port": {"$": "8181", "@enabled": "true"},
"securePort": {"$": "8443", "@enabled": "true"},
"healthCheckUrl": "http://localhost:8000/cat",
"statusPageUrl": "http://localhost:8000/cat",
"homePageUrl": "http://localhost:8000/cat",
"dataCenterInfo": {
"@class": "com.netflix.appinfo.InstanceInfo$DefaultDataCenterInfo",
"name": "MyOwn"
}
}
if i replace serviceId with the corresponding url in above zuul configuration, it works fine.
如果我在zuul配置中使用对应的url替换serviceId,它就可以正常工作了。
keystore.jks has been under src/main/resources. Also, imported keystore entry into certificate under $JDK_HOME/jre/lib/security/cacerts. Are we missing any other configuration?
密钥存储库。jks一直在src/main/resources下。此外,在$JDK_HOME/jre/lib/安全性/cacerts下,导入的密钥库进入证书。我们是否遗漏了其他的配置?
Kindly help to resolve the issue.
请帮忙解决这个问题。
NOTE: REST endpoint is an OSGI service. spring boot version: v1.5.7.RELEASE We use embedded tomcat.
注意:REST端点是一个OSGI服务。弹簧启动版本:v1.5.7。RELEASE我们使用嵌入的tomcat。
1 个解决方案
#1
1
The reason for the above issue is the certificate doesn't contain the field "SubjectAlternativeName". After creating certificate with field "SubjectAlternativeName" which in turn includes CN(Common Name) and IP details, issue is resolved. we need to generate truststore as well.
上述问题的原因是该证书不包含字段“SubjectAlternativeName”。在创建了带有字段“SubjectAlternativeName”的证书之后,该证书又包含了CN(公共名称)和IP详细信息,问题就解决了。我们还需要生成信任库。
For someone who is looking for a solution, hope the below steps might help.
对于正在寻找解决方案的人来说,希望下面的步骤能有所帮助。
1. Generate server key and self signed server certificate keytool -genkey -alias serverkey -keyalg RSA -storetype PKCS12 -keystore serverkeystore.p12 -ext SAN=dns:abc.com,dns:localhost,ip:127.0.0.1
1。生成服务器密钥和自签名服务器证书keytool -genkey -别名serverkey -keyalg RSA -storetype PKCS12 -keystore serverkeystore。p12 ext圣= dns:abc.com,dns:localhost,ip:127.0.0.1
2. Generate client key and self signed client certificate keytool -genkey -alias clientkey -keyalg RSA -storetype PKCS12 -keystore clientkeystore.p12 -ext SAN=dns:def.com,dns:localhost,ip:127.0.0.1
2。生成客户端密钥和自签名客户端证书keytool -genkey -别名clientkey -keyalg RSA -storetype PKCS12 -keystore clientkeystore。p12 ext圣= dns:def.com,dns:localhost,ip:127.0.0.1
3. Export the server certificate keytool -export -alias serverkey -file servercert.cer -keystore serverkeystore.p12
3所示。导出服务器证书keytool -export -alias serverkey -file servercert。cer keystore serverkeystore.p12
4. Export the client certificate keytool -export -alias clientkey -file clientcert.cer -keystore clientkeystore.p12
4所示。导出客户端证书keytool -export -alias clientkey -file clientcert。cer keystore clientkeystore.p12
5. Import cert to $JAVA_HOME/jre/lib/security sudo keytool -import -trustcacerts -alias localhost -file localhost.crt -keystore $JAVA_HOME/jre/lib/security/cacerts
5。导入cert到$JAVA_HOME/jre/lib/安全sudo keytool -导入-trustcacerts -别名localhost -file localhost。crt keystore $ JAVA_HOME / jre / lib /安全/除
application.yml of gateway:
应用程序。yml网关:
spring:
application:
name: gateway
server:
port: 8443
ssl:
enabled: true
key-store: classpath:serverkeystore.p12
key-store-password: server
key-alias: serverkey
eureka:
instance:
securePort: ${server.port}
nonSecurePortEnabled: false
securePortEnabled: true
leaseRenewalIntervalInSeconds: 7
leaseExpirationDurationInSeconds: 9
client:
serviceUrl:
defaultZone: ${EUREKA_URI:http://localhost.com:8761/eureka/}
registry-fetch-interval-seconds: 5
register-with-eureka: true
fetch-registry: true
heartbeat-executor-thread-pool-size: 5
eureka-service-url-poll-interval-seconds: 10
zuul:
prefix: /service
routes:
producer:
path: /employee/**
strip-prefix: false
serviceId: producer
ribbon:
IsSecure: true
logging:
file: logs/gateway.log
level.root: INFO
level.com.fujitsu.fnc.sdnfw.msvc: DEBUG
#1
1
The reason for the above issue is the certificate doesn't contain the field "SubjectAlternativeName". After creating certificate with field "SubjectAlternativeName" which in turn includes CN(Common Name) and IP details, issue is resolved. we need to generate truststore as well.
上述问题的原因是该证书不包含字段“SubjectAlternativeName”。在创建了带有字段“SubjectAlternativeName”的证书之后,该证书又包含了CN(公共名称)和IP详细信息,问题就解决了。我们还需要生成信任库。
For someone who is looking for a solution, hope the below steps might help.
对于正在寻找解决方案的人来说,希望下面的步骤能有所帮助。
1. Generate server key and self signed server certificate keytool -genkey -alias serverkey -keyalg RSA -storetype PKCS12 -keystore serverkeystore.p12 -ext SAN=dns:abc.com,dns:localhost,ip:127.0.0.1
1。生成服务器密钥和自签名服务器证书keytool -genkey -别名serverkey -keyalg RSA -storetype PKCS12 -keystore serverkeystore。p12 ext圣= dns:abc.com,dns:localhost,ip:127.0.0.1
2. Generate client key and self signed client certificate keytool -genkey -alias clientkey -keyalg RSA -storetype PKCS12 -keystore clientkeystore.p12 -ext SAN=dns:def.com,dns:localhost,ip:127.0.0.1
2。生成客户端密钥和自签名客户端证书keytool -genkey -别名clientkey -keyalg RSA -storetype PKCS12 -keystore clientkeystore。p12 ext圣= dns:def.com,dns:localhost,ip:127.0.0.1
3. Export the server certificate keytool -export -alias serverkey -file servercert.cer -keystore serverkeystore.p12
3所示。导出服务器证书keytool -export -alias serverkey -file servercert。cer keystore serverkeystore.p12
4. Export the client certificate keytool -export -alias clientkey -file clientcert.cer -keystore clientkeystore.p12
4所示。导出客户端证书keytool -export -alias clientkey -file clientcert。cer keystore clientkeystore.p12
5. Import cert to $JAVA_HOME/jre/lib/security sudo keytool -import -trustcacerts -alias localhost -file localhost.crt -keystore $JAVA_HOME/jre/lib/security/cacerts
5。导入cert到$JAVA_HOME/jre/lib/安全sudo keytool -导入-trustcacerts -别名localhost -file localhost。crt keystore $ JAVA_HOME / jre / lib /安全/除
application.yml of gateway:
应用程序。yml网关:
spring:
application:
name: gateway
server:
port: 8443
ssl:
enabled: true
key-store: classpath:serverkeystore.p12
key-store-password: server
key-alias: serverkey
eureka:
instance:
securePort: ${server.port}
nonSecurePortEnabled: false
securePortEnabled: true
leaseRenewalIntervalInSeconds: 7
leaseExpirationDurationInSeconds: 9
client:
serviceUrl:
defaultZone: ${EUREKA_URI:http://localhost.com:8761/eureka/}
registry-fetch-interval-seconds: 5
register-with-eureka: true
fetch-registry: true
heartbeat-executor-thread-pool-size: 5
eureka-service-url-poll-interval-seconds: 10
zuul:
prefix: /service
routes:
producer:
path: /employee/**
strip-prefix: false
serviceId: producer
ribbon:
IsSecure: true
logging:
file: logs/gateway.log
level.root: INFO
level.com.fujitsu.fnc.sdnfw.msvc: DEBUG