Connecting from Spark to a MongoDB Docker container using SSL

Time: 2018-05-15 13:02:03

Tags: mongodb scala apache-spark docker ssl

For testing purposes I want to connect a MongoDB Docker instance to Spark using the mongo-spark connector.

To set up the MongoDB credentials with SSL I use this script to generate all the keys & certs:

#Root CA key
openssl genrsa -out rootCA.key 2048

#Root CA crt
openssl req -x509 -new -nodes -key rootCA.key -sha256 -days 1024 -out rootCA.crt -subj "/C=US/ST=CA/L=Santa Monica/O=test/OU=IT/CN=127.0.0.1:27117"

#Mongodb key
openssl genrsa -out mongodb.key 2048

#Mongodb csr
openssl req -new -key mongodb.key -out mongodb.csr -subj "/C=US/ST=CA/L=Santa Monica/O=test/OU=IT/CN=127.0.0.1:27117"

#Mongodb crt
openssl x509 -req -in mongodb.csr -CA rootCA.crt -CAkey rootCA.key -CAcreateserial -out mongodb.crt -days 500 -sha256

#PEM files
cat mongodb.key mongodb.crt rootCA.crt > mongodb.pem
cat rootCA.key rootCA.crt > rootCA.pem

# Clean (-f so a first run without these files does not print an error)
rm -f mongo.pkc mongo-truststore

# Add mongo to keystore
openssl pkcs12 -CAfile rootCA.pem -export -in mongodb.pem -out mongo.pkc -password pass:test12

# Add root ca to trust store
echo "y" | keytool -importcert -trustcacerts -file rootCA.crt -keystore mongo-truststore -storepass test12

Then I run a Docker instance:

docker run -d \
  --name testmongo \
  -e MONGO_INITDB_ROOT_USERNAME=test \
  -e MONGO_INITDB_ROOT_PASSWORD=test12 \
  -e MONGODB_DBNAME=testdb \
  -v $sslpath:/etc/ssl/ \
  -p 27117:27017 \
  mongo:3.6 \
  --sslMode requireSSL \
  --sslPEMKeyFile /etc/ssl/mongodb.pem \
  --auth

So far so good. I can actually connect with tools like mongochef using SSL & username & password (SCRAM).

However, using Spark with these options:

-Djavax.net.ssl.keyStoreType=pkcs12
-Djavax.net.ssl.keyStore=local-files/ssl/mongo.pkc
-Djavax.net.ssl.keyStorePassword=test12
-Djavax.net.ssl.trustStoreType=jks
-Djavax.net.ssl.trustStore=local-files/ssl/mongo-truststore
-Djavax.net.ssl.trustStorePassword=test12
-Djavax.net.debug=true

results in:

java.security.cert.CertificateException: No subject alternative names present

Full output:

com.mongodb.MongoSocketWriteException: Exception sending message
    at com.mongodb.connection.InternalStreamConnection.translateWriteException(InternalStreamConnection.java:465)
    at com.mongodb.connection.InternalStreamConnection.sendMessage(InternalStreamConnection.java:208)
    at com.mongodb.connection.CommandHelper.sendMessage(CommandHelper.java:89)
    at com.mongodb.connection.CommandHelper.executeCommand(CommandHelper.java:32)
    at com.mongodb.connection.InternalStreamConnectionInitializer.initializeConnectionDescription(InternalStreamConnectionInitializer.java:85)
    at com.mongodb.connection.InternalStreamConnectionInitializer.initialize(InternalStreamConnectionInitializer.java:45)
    at com.mongodb.connection.InternalStreamConnection.open(InternalStreamConnection.java:116)
    at com.mongodb.connection.DefaultServerMonitor$ServerMonitorRunnable.run(DefaultServerMonitor.java:113)
    at java.lang.Thread.run(Thread.java:745)
Caused by: javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No subject alternative names present
    at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
    at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1949)
    at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:302)
    at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:296)
    at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1506)
    at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:216)
    at sun.security.ssl.Handshaker.processLoop(Handshaker.java:979)
    at sun.security.ssl.Handshaker.process_record(Handshaker.java:914)
    at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1062)
    at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1375)
    at sun.security.ssl.SSLSocketImpl.writeRecord(SSLSocketImpl.java:747)
    at sun.security.ssl.AppOutputStream.write(AppOutputStream.java:123)
    at com.mongodb.connection.SocketStream.write(SocketStream.java:75)
    at com.mongodb.connection.InternalStreamConnection.sendMessage(InternalStreamConnection.java:204)
    ... 7 more
Caused by: java.security.cert.CertificateException: No subject alternative names present
    at sun.security.util.HostnameChecker.matchIP(HostnameChecker.java:144)
    at sun.security.util.HostnameChecker.match(HostnameChecker.java:93)
    at sun.security.ssl.X509TrustManagerImpl.checkIdentity(X509TrustManagerImpl.java:455)
    at sun.security.ssl.X509TrustManagerImpl.checkIdentity(X509TrustManagerImpl.java:436)
    at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:200)
    at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:124)
    at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1488)
    ... 16 more

Using the debug output I can actually see that the keystores are loaded correctly, but some IP cannot be matched against the certificate.

I don't want to use 127.0.0.1 because I want to run this on a CI machine.

I tried both:

hostnames

and:

HttpsURLConnection.setDefaultHostnameVerifier(
    SSLConnectionSocketFactory.ALLOW_ALL_HOSTNAME_VERIFIER)

All to no avail :-(

1 answer:

Answer 0 (score: 0)

I got it. subjectAltName is being checked, but it is not present in the self-signed certificate.

Replacing

openssl x509 -req -in mongodb.csr -CA rootCA.crt -CAkey rootCA.key -CAcreateserial -out mongodb.crt -days 500 -sha256

with

openssl x509 -req -extfile <(printf "subjectAltName=DNS:localhost,IP:127.0.0.1") -in mongodb.csr -CA rootCA.crt -CAkey rootCA.key -CAcreateserial -out mongodb.crt -days 500 -sha256

fixed it for me.
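The following script is an added example and is not the question's or the answer's own script. It issues the MongoDB server certificate both ways, once with the identity only in the CN as in the question's script and once with the subjectAltName from the answer, and then checks each certificate the way a TLS client does: chain validation against the private CA, followed by `openssl x509 -checkip` / `-checkhost`, which apply the same rule as Java's HostnameChecker (an IP literal is matched only against iPAddress SAN entries; the CN is never consulted for it). It assumes openssl 1.1.1 or newer on PATH; the working directory, the CA config file, and all file names are constructed here, and a plain file stands in for the answer's bash-only `<(printf ...)` so the script stays POSIX sh.

```shell
#!/bin/sh
# Added example, not the question's or answer's script. Assumes openssl >= 1.1.1.
# WORK, ca.cnf and every file name below are constructed for this example.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Private CA. The extensions are spelled out in a local config file so chain
# validation does not depend on whatever default openssl.cnf is installed.
gen_ca() {
  cat > "$WORK/ca.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
O = test
CN = test-root-ca
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
  openssl genrsa -out "$WORK/rootCA.key" 2048 2>/dev/null
  openssl req -x509 -new -nodes -key "$WORK/rootCA.key" -sha256 -days 1024 \
    -config "$WORK/ca.cnf" -extensions v3_ca -out "$WORK/rootCA.crt"
}

# Leaf certificate with the identity only in the CN, as in the question.
# "127.0.0.1:27117" is not an IP address, and hostname verification never
# looks at the CN for an IP literal anyway, so no client can match this cert.
gen_leaf_cn_only() {
  openssl genrsa -out "$WORK/nosan.key" 2048 2>/dev/null
  openssl req -new -key "$WORK/nosan.key" -subj "/O=test/CN=127.0.0.1:27117" \
    -out "$WORK/nosan.csr"
  openssl x509 -req -in "$WORK/nosan.csr" -CA "$WORK/rootCA.crt" \
    -CAkey "$WORK/rootCA.key" -CAcreateserial -days 500 -sha256 \
    -out "$WORK/nosan.crt" 2>/dev/null
}

# Leaf certificate with a subjectAltName listing every name a client may dial,
# the fix from the answer (extfile written to disk instead of <(printf ...)).
gen_leaf_with_san() {
  openssl genrsa -out "$WORK/san.key" 2048 2>/dev/null
  openssl req -new -key "$WORK/san.key" -subj "/O=test/CN=mongodb" \
    -out "$WORK/san.csr"
  printf 'subjectAltName=DNS:localhost,IP:127.0.0.1\n' > "$WORK/san.cnf"
  openssl x509 -req -in "$WORK/san.csr" -extfile "$WORK/san.cnf" \
    -CA "$WORK/rootCA.crt" -CAkey "$WORK/rootCA.key" -CAcreateserial \
    -days 500 -sha256 -out "$WORK/san.crt" 2>/dev/null
}

gen_certs() { gen_ca; gen_leaf_cn_only; gen_leaf_with_san; }

# Exit 0 only if the chain verifies against the CA AND the certificate is
# valid for the given IP literal. -checkip uses the SAN-only rule that JSSE's
# HostnameChecker.matchIP applies, so this reproduces the client's decision.
cert_valid_for_ip() {
  openssl verify -CAfile "$WORK/rootCA.crt" "$1" >/dev/null 2>&1 &&
    openssl x509 -in "$1" -noout -checkip "$2" | grep -q ' does match certificate'
}

# Same check for a DNS name (-checkhost).
cert_valid_for_host() {
  openssl verify -CAfile "$WORK/rootCA.crt" "$1" >/dev/null 2>&1 &&
    openssl x509 -in "$1" -noout -checkhost "$2" | grep -q ' does match certificate'
}

# Print the SAN extension the stack trace complained was missing.
show_san() { openssl x509 -in "$1" -noout -ext subjectAltName; }

gen_certs
for name in nosan san; do
  if cert_valid_for_ip "$WORK/$name.crt" 127.0.0.1; then
    echo "$name.crt: valid for 127.0.0.1"
  else
    echo "$name.crt: NOT valid for 127.0.0.1 (the failure from the question)"
  fi
done
show_san "$WORK/san.crt"
```

Run it before building the PKCS12 keystore: if `cert_valid_for_ip` fails for the address the connector will dial, the Java client will fail in the same way, and the certificate has to be reissued with that address (or the hostname used on the CI machine) in its subjectAltName. The MongoDB Java driver's `sslInvalidHostNameAllowed` option and the `ALLOW_ALL_HOSTNAME_VERIFIER` tried in the question remove the identity check entirely, which is what lets any certificate chained to the trusted CA impersonate the server; listing the right names in the SAN keeps that check intact.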