I'm trying to run some Java code to retrieve a secret from AWS Secrets Manager. The code is very basic.
import com.amazonaws.ClientConfiguration;
import com.amazonaws.Protocol;
import com.amazonaws.services.secretsmanager.AWSSecretsManager;
import com.amazonaws.services.secretsmanager.AWSSecretsManagerClientBuilder;
import com.amazonaws.services.secretsmanager.model.*;

String region = "us-east-1";            // placeholder: region the secret lives in
String secretName = "<your-secret-id>"; // placeholder: name or ARN of the secret

ClientConfiguration clientConfiguration = new ClientConfiguration();
clientConfiguration.setProxyHost("myproxyhost");
clientConfiguration.setProxyPort(80);
clientConfiguration.setProxyUsername("XXX");
clientConfiguration.setProxyPassword("XXX");
clientConfiguration.setProxyProtocol(Protocol.HTTP);

// Create a Secrets Manager client
AWSSecretsManager client = AWSSecretsManagerClientBuilder.standard()
        .withRegion(region)
        .withClientConfiguration(clientConfiguration)
        .build();

// In this sample we only handle the specific exceptions for the 'GetSecretValue' API.
// See https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_GetSecretValue.html
// We rethrow the exception by default.
String decodedBinarySecret;
GetSecretValueRequest getSecretValueRequest = new GetSecretValueRequest()
        .withSecretId(secretName);
GetSecretValueResult getSecretValueResult = null;
try {
    getSecretValueResult = client.getSecretValue(getSecretValueRequest);
} catch (DecryptionFailureException e) {
    // Secrets Manager can't decrypt the protected secret text using the provided KMS key.
    // Deal with the exception here, and/or rethrow at your discretion.
    throw e;
} catch (InternalServiceErrorException e) {
    // An error occurred on the server side.
    // Deal with the exception here, and/or rethrow at your discretion.
    throw e;
} catch (InvalidParameterException e) {
    // You provided an invalid value for a parameter.
    // Deal with the exception here, and/or rethrow at your discretion.
    throw e;
} catch (InvalidRequestException e) {
    // You provided a parameter value that is not valid for the current state of the resource.
    // Deal with the exception here, and/or rethrow at your discretion.
    throw e;
} catch (ResourceNotFoundException e) {
    // We can't find the resource that you asked for.
    // Deal with the exception here, and/or rethrow at your discretion.
    throw e;
}
When I reach the line that actually gets the secret value, "getSecretValueResult = client.getSecretValue(getSecretValueRequest);", I get a stack trace.
The trace contains this text in several places:
PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
I think this means I'm missing some certificate, but I don't know what to do about it.
I'm running this locally on a Mac.
Any help resolving this certificate error would be greatly appreciated.
Answer 0 (score: 0)
I ran into the same problem and just got it working. The default truststore has no entry for https://secretsmanager.us-east-1.amazonaws.com. You can see which URL the AWS client is trying to connect to (it may differ slightly in your case) by setting the Java system property javax.net.debug=all, either on the command line or via Maven:
<plugin>
    <groupId>org.apache.maven.plugins</groupId>
    <artifactId>maven-surefire-plugin</artifactId>
    <version>2.22.2</version>
    <configuration>
        <systemPropertyVariables>
            <javax.net.ssl.trustStore>c:\\path to your cert truststore\\cacerts</javax.net.ssl.trustStore>
            <javax.net.ssl.trustStorePassword>changeit</javax.net.ssl.trustStorePassword>
            <javax.net.debug>all</javax.net.debug>
        </systemPropertyVariables>
    </configuration>
</plugin>
Once you know which URL the AWS client is trying to perform the SSL handshake with (search the output/error log for "*** Certificate chain"), you will see something like:
*** Certificate chain
chain [0] = [
[
  Version: V3
  Subject: CN=secretsmanager.us-east-1.amazonaws.com
Now the problem is obtaining this certificate. Open https://secretsmanager.us-east-1.amazonaws.com in Chrome; you will get an error like "Missing Authentication Token".
Then just press F12, click the Security tab, and download the certificate using the defaults.
Now import the certificate into your Java truststore (I use the git bash shell; if you use DOS, change the path format accordingly):
$JAVA_HOME/bin/keytool -import -alias awsChromeCer2 -keystore /c/path-to-your-keystore/cacerts -file /c/path-where-you-saved-the-cert/awsChromeCert2.cer
Verify that it is there:
$JAVA_HOME/bin/keytool -list -keystore /c/path-to-your-keystore/cacerts | grep aws
When asked for a password, the default is probably: changeit
Now you should be able to run it successfully without the exception: com.amazonaws.SdkClientException: Unable to execute HTTP request: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
Instead you will successfully retrieve the AWS Secrets Manager secret you are after. If you use Maven, make sure you defined those variables as I described in the previous section to point to your local truststore. Also make sure you have AWS credentials set up on the machine, but that's a separate issue.
I noticed the secretsmanager keys are rotating, which means you have to download them close to the time you use them. If you want to automate this you can do the following:
echo exit | openssl s_client -showcerts -servername secretsmanager.us-east-1.amazonaws.com -connect secretsmanager.us-east-1.amazonaws.com:443 > SM_cacert.pem
Edit the certificate (remove all text after -----END CERTIFICATE-----, leaving only a single blank line after it)
OR
Edit the certificate using this code in a bash shell:
awk 'split_after == 1 {n++; split_after = 0} /-----END CERTIFICATE-----/ {split_after = 1} {print > ("rds-ca-" n ".pem")}' < SM_cacert.pem
Import the new certificate into your truststore:
$JAVA_HOME/bin/keytool -import -alias awsFromOpenSsl -keystore /c/path-to-your-truststore/cacerts -file /c/path-to-the-new-cert-file/rds-ca-.pem
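An added script (my own, not from the answer above) that automates the three steps just described: fetch the chain with openssl s_client, split it into one PEM file per certificate, and import each file into the JVM trust store. The helper names fetch_chain, split_pem_bundle and import_certs are hypothetical; it assumes openssl and $JAVA_HOME/bin/keytool are installed and reads the trust store password from a STOREPASS environment variable (defaulting to the JDK's changeit).

```shell
#!/bin/sh
# Added example: fetch a server's certificate chain, split it, import it.
# Assumes openssl and $JAVA_HOME/bin/keytool; STOREPASS defaults to "changeit".
set -eu

# Save every certificate the server presents (leaf plus intermediates) to $2.
fetch_chain() {  # fetch_chain <host> <bundle.pem>
    echo exit | openssl s_client -showcerts -servername "$1" \
        -connect "$1:443" 2>/dev/null > "$2"
}

# Split a PEM bundle ($1) into $2/cert-1.pem, cert-2.pem, ... and print the count.
# Only lines between the BEGIN/END markers are kept, so s_client's chatter is
# dropped, and numbering starts at 1 (the answer's awk names its first file
# "rds-ca-.pem" because n is still unset there).
split_pem_bundle() {  # split_pem_bundle <bundle.pem> <outdir>
    mkdir -p "$2"
    awk -v dir="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/cert-" n ".pem"; inside = 1 }
        inside                        { print > out }
        /-----END CERTIFICATE-----/   { inside = 0; close(out) }
        END                           { print n + 0 }
    ' "$1"
}

# Import each split certificate under a distinct alias. keytool refuses to reuse
# an alias, so change the prefix (e.g. add a date) when re-importing after a rotation.
import_certs() {  # import_certs <certdir> <truststore> <alias-prefix>
    for f in "$1"/cert-*.pem; do
        "$JAVA_HOME/bin/keytool" -importcert -noprompt -trustcacerts \
            -alias "$3-$(basename "$f" .pem)" -file "$f" \
            -keystore "$2" -storepass "${STOREPASS:-changeit}"
    done
}

# Usage: ./import-chain.sh secretsmanager.us-east-1.amazonaws.com /path/to/cacerts
if [ "$#" -ge 2 ]; then
    work=$(mktemp -d)
    fetch_chain "$1" "$work/chain.pem"
    count=$(split_pem_bundle "$work/chain.pem" "$work/certs")
    [ "$count" -gt 0 ] || { echo "no certificates received from $1" >&2; exit 1; }
    import_certs "$work/certs" "$2" "$(printf '%s' "$1" | tr . _)"
    echo "imported $count certificate(s) from $1 into $2"
fi
```

Run with the host and trust store path as arguments; with no arguments the functions are only defined, which lets you source the file and call split_pem_bundle on a bundle you already saved.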