Question

当我们尝试从zuul访问安全的https REST点时，我们遇到以下异常。

2017-10-27 08:26:08.499 DEBUG 15708 --- [http-nio-9092-exec-1] o.a.h.c.ssl.SSLConnectionSocketFactory   : Secure session established
2017-10-27 08:26:08.500 DEBUG 15708 --- [http-nio-9092-exec-1] o.a.h.c.ssl.SSLConnectionSocketFactory   :  negotiated protocol: TLSv1.2
2017-10-27 08:26:08.500 DEBUG 15708 --- [http-nio-9092-exec-1] o.a.h.c.ssl.SSLConnectionSocketFactory   :  negotiated cipher suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
2017-10-27 08:26:08.501 DEBUG 15708 --- [http-nio-9092-exec-1] o.a.h.c.ssl.SSLConnectionSocketFactory   :  peer principal: CN=10.xxx.xx.xx, OU=xxx, O=xxx, L=xxx, ST=xx, C=xx
2017-10-27 08:26:08.502 DEBUG 15708 --- [http-nio-9092-exec-1] o.a.h.c.ssl.SSLConnectionSocketFactory   :  issuer principal: CN=10.xxx.xx.xx, OU=xxx, O=xxx, L=xxx, ST=xx, C=xx
2017-10-27 08:26:08.516 DEBUG 15708 --- [http-nio-9092-exec-1] o.a.h.conn.ssl.DefaultHostnameVerifier   : Certificate for  doesn't match common name of the certificate subject: 10.xxx.xx.xx
javax.net.ssl.SSLPeerUnverifiedException: Certificate for  doesn't match common name of the certificate subject
    at org.apache.http.conn.ssl.DefaultHostnameVerifier.matchCN(DefaultHostnameVerifier.java:186)
    at org.apache.http.conn.ssl.DefaultHostnameVerifier.verify(DefaultHostnameVerifier.java:133)
    at org.apache.http.conn.ssl.DefaultHostnameVerifier.verify(DefaultHostnameVerifier.java:99)
    at org.apache.http.conn.ssl.SSLConnectionSocketFactory.verifyHostname(SSLConnectionSocketFactory.java:463)
    at org.apache.http.conn.ssl.SSLConnectionSocketFactory.createLayeredSocket(SSLConnectionSocketFactory.java:397)
    at org.apache.http.conn.ssl.SSLConnectionSocketFactory.connectSocket(SSLConnectionSocketFactory.java:355)
    at org.apache.http.impl.conn.DefaultHttpClientConnectionOperator.connect(DefaultHttpClientConnectionOperator.java:142)
    at org.apache.http.impl.conn.PoolingHttpClientConnectionManager.connect(PoolingHttpClientConnectionManager.java:359)
    at org.apache.http.impl.execchain.MainClientExec.establishRoute(MainClientExec.java:381)
    at org.apache.http.impl.execchain.MainClientExec.execute(MainClientExec.java:237)
    at org.apache.http.impl.execchain.ProtocolExec.execute(ProtocolExec.java:185)
    at org.apache.http.impl.execchain.RetryExec.execute(RetryExec.java:89)
    at org.apache.http.impl.execchain.RedirectExec.execute(RedirectExec.java:111)
    at org.apache.http.impl.client.InternalHttpClient.doExecute(InternalHttpClient.java:185)
    at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:83)
    at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:108)
    at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:56)
    at org.springframework.cloud.netflix.ribbon.apache.RibbonLoadBalancingHttpClient.execute(RibbonLoadBalancingHttpClient.java:94)
    at org.springframework.cloud.netflix.ribbon.apache.RibbonLoadBalancingHttpClient.execute(RibbonLoadBalancingHttpClient.java:43)
    at com.netflix.client.AbstractLoadBalancerAwareClient$1.call(AbstractLoadBalancerAwareClient.java:109)
    at com.netflix.loadbalancer.reactive.LoadBalancerCommand$3$1.call(LoadBalancerCommand.java:303)
    at com.netflix.loadbalancer.reactive.LoadBalancerCommand$3$1.call(LoadBalancerCommand.java:287)
    at rx.internal.util.ScalarSynchronousObservable$3.call(ScalarSynchronousObservable.java:231)
    at rx.internal.util.ScalarSynchronousObservable$3.call(ScalarSynchronousObservable.java:228)
    at rx.Observable.unsafeSubscribe(Observable.java:10211)
    at rx.internal.operators.OnSubscribeConcatMap$ConcatMapSubscriber.drain(OnSubscribeConcatMap.java:286)
    at rx.internal.operators.OnSubscribeConcatMap$ConcatMapSubscriber.onNext(OnSubscribeConcatMap.java:144)
    at com.netflix.loadbalancer.reactive.LoadBalancerCommand$1.call(LoadBalancerCommand.java:185)
    at com.netflix.loadbalancer.reactive.LoadBalancerCommand$1.call(LoadBalancerCommand.java:180)
...

服务通过POST请求在eureka注册。请查看以下示例POST请求。


    spring:
      application:
        name: gateway 
    server:
      port: 9092
      ssl:    
        enabled: true
        clientAuth: want
        key-store: classpath:keystore.jks
        key-store-password: password
        key-password: password   
        key-alias: xxxx
    eureka:
      instance:
        nonSecurePortEnabled: false
        securePortEnabled: true
      client:
        serviceUrl:
          defaultZone: ${EUREKA_URI:http://localhost:8761/eureka}
        registry-fetch-interval-seconds: 15
        register-with-eureka: true
        fetch-registry: true
        heartbeat-executor-thread-pool-size: 5
        eureka-service-url-poll-interval-seconds: 10
    zuul:
      prefix: /tree
      routes:
        serv:
          path: /cxf/**
          strip-prefix: false
          serviceId: serv
    ribbon:
      IsSecure: true
      IsHostnameValidationRequired: false

服务通过POST请求在eureka注册。请找到以下示例POST请求。


    {
    "instance": {
        "hostName": "xxx",
        "app": "appname",
        "vipAddress": "appname",
        "secureVipAddress": "appname",
        "ipAddr": "10.xxx.xx.xxx",
        "status": "UP",
        "port": {"$": "8181", "@enabled": "true"},
        "securePort": {"$": "8443", "@enabled": "true"},
        "healthCheckUrl": "http://localhost:8000/cat",
        "statusPageUrl": "http://localhost:8000/cat",
        "homePageUrl": "http://localhost:8000/cat",
        "dataCenterInfo": {
            "@class": "com.netflix.appinfo.InstanceInfo$DefaultDataCenterInfo", 
            "name": "MyOwn"
        }
    }

如果我用上面的zuul配置中的相应url替换serviceId，它可以正常工作。

keystore.jks一直在src / main / resources下。此外，将导入的密钥库条目导入到$ JDK_HOME / jre / lib / security / cacerts下的证书中。我们是否缺少任何其他配置？

注意： REST端点是OSGI服务。 spring boot版本：v1.5.7.RELEASE 我们使用嵌入式tomcat。

Answer 1

上述问题的原因是证书不包含字段＆＃34; SubjectAlternativeName ＆＃34;。使用字段＆＃34; SubjectAlternativeName ＆＃34;创建证书后其中包括CN（通用名称）和IP详细信息，问题得到解决。我们还需要生成 truststore 。

对于正在寻找解决方案的人，希望以下步骤可能有所帮助。

<强> 1。生成服务器密钥和自签名服务器证书 keytool -genkey -alias serverkey -keyalg RSA -storetype PKCS12 -keystore serverkeystore.p12 -ext SAN = dns：abc.com，dns：localhost，ip：127.0.0.1

<强> 2。生成客户端密钥和自签名客户端证书 keytool -genkey -alias clientkey -keyalg RSA -storetype PKCS12 -keystore clientkeystore.p12 -ext SAN = dns：def.com，dns：localhost，ip：127.0.0.1

第3。导出服务器证书 keytool -export -alias serverkey -file servercert.cer -keystore serverkeystore.p12

<强> 4。导出客户端证书 keytool -export -alias clientkey -file clientcert.cer -keystore clientkeystore.p12

<强> 5。将证书导入$ JAVA_HOME / jre / lib / security sudo keytool -import -trustcacerts -alias localhost -file localhost.crt -keystore $ JAVA_HOME / jre / lib / security / cacerts

网关的application.yml：

spring:
  application:
    name: gateway
server:
  port: 8443
  ssl:
    enabled: true
    key-store: classpath:serverkeystore.p12
    key-store-password: server
    key-alias: serverkey
eureka:
  instance:
    securePort: ${server.port}
    nonSecurePortEnabled: false
    securePortEnabled: true
    leaseRenewalIntervalInSeconds: 7
    leaseExpirationDurationInSeconds: 9
  client:
    serviceUrl:
      defaultZone: ${EUREKA_URI:http://localhost.com:8761/eureka/}
    registry-fetch-interval-seconds: 5
    register-with-eureka: true
    fetch-registry: true
    heartbeat-executor-thread-pool-size: 5
    eureka-service-url-poll-interval-seconds: 10
zuul:
  prefix: /service
  routes:
    producer:
      path: /employee/**
      strip-prefix: false
      serviceId: producer
ribbon:
  IsSecure: true
logging:
 file: logs/gateway.log
 level.root: INFO
 level.com.fujitsu.fnc.sdnfw.msvc: DEBUG

SSLPeerUnverifiedException - ＆lt;＆gt;的证书与证书主题的通用名称不匹配

1 个答案: