Spring Boot 1.4.1 SSL trustAnchors exception

Time: 2016-11-10 08:40:06

Tags: ssl docker spring-boot

I am running Spring Boot microservices in Docker containers (docker-compose) for testing and recently tried to upgrade from Spring Boot 1.4.0 to 1.4.1 (I also tried 1.4.2), but the services fail at startup with

InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty

I had no problems running Spring Boot 1.4.0. Below is the Dockerfile I use for one of the services (some sensitive values have been replaced; 1.4.2 was tried with the same result).

The same behaviour occurs when I run the service from the command line with all the environment variables and Java arguments listed in the Dockerfile below.

Here is the log excerpt:

2016-11-10 08:10:06.645 ERROR [sbsa-account-om-service,,,] 1 --- [           main] o.apache.catalina.core.StandardService   : Failed to start connector [Connector[HTTP/1.1-8762]]

org.apache.catalina.LifecycleException: Failed to start component [Connector[HTTP/1.1-8762]]
    at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:167) ~[tomcat-embed-core-8.5.5.jar!/:8.5.5]
    at org.apache.catalina.core.StandardService.addConnector(StandardService.java:225) ~[tomcat-embed-core-8.5.5.jar!/:8.5.5]
    at org.springframework.boot.context.embedded.tomcat.TomcatEmbeddedServletContainer.addPreviouslyRemovedConnectors(TomcatEmbeddedServletContainer.java:233) [spring-boot-1.4.1.RELEASE.jar!/:1.4.1.RELEASE]
    at org.springframework.boot.context.embedded.tomcat.TomcatEmbeddedServletContainer.start(TomcatEmbeddedServletContainer.java:178) [spring-boot-1.4.1.RELEASE.jar!/:1.4.1.RELEASE]
    at org.springframework.boot.context.embedded.EmbeddedWebApplicationContext.startEmbeddedServletContainer(EmbeddedWebApplicationContext.java:297) [spring-boot-1.4.1.RELEASE.jar!/:1.4.1.RELEASE]
    at org.springframework.boot.context.embedded.EmbeddedWebApplicationContext.finishRefresh(EmbeddedWebApplicationContext.java:145) [spring-boot-1.4.1.RELEASE.jar!/:1.4.1.RELEASE]
    at org.springframework.context.support.AbstractApplicationContext.refresh(AbstractApplicationContext.java:544) [spring-context-4.3.3.RELEASE.jar!/:4.3.3.RELEASE]
    at org.springframework.boot.context.embedded.EmbeddedWebApplicationContext.refresh(EmbeddedWebApplicationContext.java:122) [spring-boot-1.4.1.RELEASE.jar!/:1.4.1.RELEASE]
    at org.springframework.boot.SpringApplication.refresh(SpringApplication.java:761) [spring-boot-1.4.1.RELEASE.jar!/:1.4.1.RELEASE]
    at org.springframework.boot.SpringApplication.refreshContext(SpringApplication.java:371) [spring-boot-1.4.1.RELEASE.jar!/:1.4.1.RELEASE]
    at org.springframework.boot.SpringApplication.run(SpringApplication.java:315) [spring-boot-1.4.1.RELEASE.jar!/:1.4.1.RELEASE]
    at org.springframework.boot.SpringApplication.run(SpringApplication.java:1186) [spring-boot-1.4.1.RELEASE.jar!/:1.4.1.RELEASE]
    at org.springframework.boot.SpringApplication.run(SpringApplication.java:1175) [spring-boot-1.4.1.RELEASE.jar!/:1.4.1.RELEASE]
    at com.sbg.om.services.SbsaAccountOmServiceApplication.main(SbsaAccountOmServiceApplication.java:24) [classes!/:0.0.1-SNAPSHOT]
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[na:1.8.0_11]
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) ~[na:1.8.0_11]
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[na:1.8.0_11]
    at java.lang.reflect.Method.invoke(Method.java:483) ~[na:1.8.0_11]
    at org.springframework.boot.loader.MainMethodRunner.run(MainMethodRunner.java:48) [app.jar:0.0.1-SNAPSHOT]
    at org.springframework.boot.loader.Launcher.launch(Launcher.java:87) [app.jar:0.0.1-SNAPSHOT]
    at org.springframework.boot.loader.Launcher.launch(Launcher.java:50) [app.jar:0.0.1-SNAPSHOT]
    at org.springframework.boot.loader.JarLauncher.main(JarLauncher.java:58) [app.jar:0.0.1-SNAPSHOT]
Caused by: org.apache.catalina.LifecycleException: service.getName(): "Tomcat";  Protocol handler start failed
    at org.apache.catalina.connector.Connector.startInternal(Connector.java:976) ~[tomcat-embed-core-8.5.5.jar!/:8.5.5]
    at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:150) ~[tomcat-embed-core-8.5.5.jar!/:8.5.5]
    ... 21 common frames omitted
Caused by: java.lang.IllegalArgumentException: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty
    at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:103) ~[tomcat-embed-core-8.5.5.jar!/:8.5.5]
    at org.apache.tomcat.util.net.AbstractJsseEndpoint.initialiseSsl(AbstractJsseEndpoint.java:81) ~[tomcat-embed-core-8.5.5.jar!/:8.5.5]
    at org.apache.tomcat.util.net.NioEndpoint.bind(NioEndpoint.java:244) ~[tomcat-embed-core-8.5.5.jar!/:8.5.5]
    at org.apache.tomcat.util.net.AbstractEndpoint.start(AbstractEndpoint.java:874) ~[tomcat-embed-core-8.5.5.jar!/:8.5.5]
    at org.apache.coyote.AbstractProtocol.start(AbstractProtocol.java:590) ~[tomcat-embed-core-8.5.5.jar!/:8.5.5]
    at org.apache.catalina.connector.Connector.startInternal(Connector.java:969) ~[tomcat-embed-core-8.5.5.jar!/:8.5.5]
    ... 22 common frames omitted
Caused by: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty
    at java.security.cert.PKIXParameters.setTrustAnchors(PKIXParameters.java:200) ~[na:1.8.0_11]
    at java.security.cert.PKIXParameters.<init>(PKIXParameters.java:157) ~[na:1.8.0_11]
    at java.security.cert.PKIXBuilderParameters.<init>(PKIXBuilderParameters.java:130) ~[na:1.8.0_11]
    at org.apache.tomcat.util.net.jsse.JSSEUtil.getParameters(JSSEUtil.java:341) ~[tomcat-embed-core-8.5.5.jar!/:8.5.5]
    at org.apache.tomcat.util.net.jsse.JSSEUtil.getTrustManagers(JSSEUtil.java:273) ~[tomcat-embed-core-8.5.5.jar!/:8.5.5]
    at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:101) ~[tomcat-embed-core-8.5.5.jar!/:8.5.5]
    ... 27 common frames omitted

2016-11-10 08:10:06.691  INFO [sbsa-account-om-service,,,] 1 --- [           main] o.apache.catalina.core.StandardService   : Stopping service Tomcat

Dockerfile:

FROM webdizz/centos-java8
VOLUME /tmp
ADD <app name>.jar app.jar

ADD smoke-test.trust.jks /smoke-test.trust.jks

# Environment vars for SSL keystore + truststore
ENV security_x509_orgUnit=<org unit>
ENV server_ssl_enabled="true"
ENV security_sessions="stateless"
ENV security_headers_hsts="all"
ENV server_ssl_ciphers="TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA"
ENV server_ssl_protocol="TLS"
ENV server_ssl_keyStore="/smoke-test.trust.jks"
ENV server_ssl_keyStorePassword=<password>
ENV server_ssl_keyStoreType="JKS"
ENV server_ssl_keyAlias=<alias>
ENV server_ssl_keyPassword=<password>
ENV ribbon_ReadTimeout="60000"
ENV ribbon_IsSecure="true"
ENV ribbon_IsHostnameValidationRequired="true"
ENV ribbon_KeyStore="/smoke-test.trust.jks"
ENV ribbon_KeyStorePassword=<password>
ENV security_requireSsl="true"
ENV server_ssl_trustStore="/smoke-test.trust.jks"
ENV server_ssl_trustStorePassword=<password>
ENV server_ssl_trustStoreType="JKS"
ENV server_ssl_clientAuth="need"
ENV ribbon_TrustStore="/smoke-test.trust.jks"
ENV ribbon_TrustStorePassword=<password>
ENV ribbon_IsClientAuthRequired="true"
ENV PCI_CIPHER_KEY=<key>
ENV liquibase_contexts=<context>

# run actual Java app
RUN sh -c 'touch /app.jar'
EXPOSE 8762
EXPOSE 9997
ENTRYPOINT ["java",  \
            "-Djavax.net.ssl.trustStore=/smoke-test.trust.jks", \
            "-Djavax.net.ssl.trustStorePassword=<password>", \
            "-Djavax.net.ssl.trustStoreType=JKS", \
            "-Djavax.net.debug=ssl", \
            "-Dspring.profiles.active=testing", \
            "-Dom.security.enabled=true", \
            "-Dmanagement.security.enabled=true", \
            "-Dom.security.x509.subjectPrincipalRegex=OU=(.*?)(?:,|$)", \
            "-Dom.security.x509.roleConfiguration[0].roleNames[0]=<roleName>", \
            "-Dom.security.x509.roleConfiguration[0].searchValues[0]=<value>", \
            "-Dom.security.orderedPathRestrictions[0].pattern='/**'", \
            "-Dom.security.orderedPathRestrictions[0].roles=<role>", \
            "-Dom.security.orderedPathRestrictions[0].csrfDisabled=true", \
            "-Xdebug", \
            "-agentlib:jdwp=transport=dt_socket,address=9997,server=y,suspend=n", \
            "-Dserver.port=8762", \
            "-Deureka.instance.non-secure-port=0", \
            "-Deureka.instance.secure-port=8762", \
            "-Deureka.instance.hostname=<name>", \
            "-Deureka.instance.nonSecurePortEnabled=false", \
            "-Deureka.instance.securePortEnabled=true", \
            "-Deureka.client.serviceUrl.defaultZone=<URL>", \
            "-Dspring.application.name=sbsa-account-om-service", \
            "-Deureka.instance.secureVirtualHostName=<name>", \
            "-Djava.security.egd=file:/dev/./urandom", \
            "-jar", \
            "/app.jar"]

Edit: this is not the same problem as the one described in the trustAnchors question, because my issue is tied to moving from Spring Boot 1.4.0 to 1.4.1. The only change is the Boot version; all other configuration, which worked under Spring Boot 1.4.0, has stayed the same.

1 answer:

Answer 0 (score: 3)

It turns out that starting with Spring Boot 1.4.1 the underlying Tomcat version was upgraded to 8.5.6, and it no longer accepts any certificate type in the trust store other than

Entry type: trustedCertEntry

I was using a self-signed certificate of type:

Entry type: PrivateKeyEntry

After regenerating the certificate, everything worked.