如何配置备用SSL属性以连接到Spring Boot Admin?

时间:2019-02-07 03:16:41

标签: netflix-eureka spring-boot-actuator spring-boot-admin

是否有一种方法可以将Eureka客户端配置为使用与spring-boot嵌入式tomcat不同的keystore \ truststore?或者有没有办法在SBA服务器中禁用证书验证?

我遇到的情况是,我在多个VM上都有一个基于spring-boot的微服务集群。所有微服务(包括SBA和Eureka服务器之类的后端管理)都使用HTTPS和典型的spring-boot SSL证书配置进行保护。对于这些服务,我使用自签名CA为每台计算机生成证书。一个例外是“网关”服务,该服务将api服务到我们的Web客户端。此服务配置有由真实CA签名的证书,因为它是唯一可公开访问的服务

现在,我的“网关”服务无法连接到SBA服务器,我看到一连串与SSL相关的错误,抱怨客户端的主机名与证书中的任何alt名称都不匹配。这是因为它正在向SBA提供其公共证书,该公共证书与请求所来自的内部主机名不匹配。

我的服务正在使用Netflix Eureka和服务发现。

编辑:从SBA服务器添加stacktrace:

2019-02-06 21:34:30 [reactor-http-epoll-3] ERROR r.n.http.client.HttpClientConnect - [id: 0x5844260b, L:/172.17.0.5:40928 - R:myhost.mydomain.com/172.xxx.xxx.xxx:443] The connection observed an error
javax.net.ssl.SSLHandshakeException: General SSLEngine problem
        at sun.security.ssl.Handshaker.checkThrown(Handshaker.java:1521)
        at sun.security.ssl.SSLEngineImpl.checkTaskThrown(SSLEngineImpl.java:528)
        at sun.security.ssl.SSLEngineImpl.readNetRecord(SSLEngineImpl.java:802)
        at sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:766)
        at javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:624)
        at io.netty.handler.ssl.SslHandler$SslEngineType$3.unwrap(SslHandler.java:294)
        at io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1297)
        at io.netty.handler.ssl.SslHandler.decodeJdkCompatible(SslHandler.java:1199)
        at io.netty.handler.ssl.SslHandler.decode(SslHandler.java:1243)
        at io.netty.handler.codec.ByteToMessageDecoder.decodeRemovalReentryProtection(ByteToMessageDecoder.java:502)
        at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:441)
        at io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:278)
        at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:362)
        at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:348)
        at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:340)
        at io.netty.channel.DefaultChannelPipeline$HeadContext.channelRead(DefaultChannelPipeline.java:1434)
        at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:362)
        at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:348)
        at io.netty.channel.DefaultChannelPipeline.fireChannelRead(DefaultChannelPipeline.java:965)
        at io.netty.channel.epoll.AbstractEpollStreamChannel$EpollStreamUnsafe.epollInReady(AbstractEpollStreamChannel.java:799)
        at io.netty.channel.epoll.AbstractEpollChannel$AbstractEpollUnsafe$1.run(AbstractEpollChannel.java:382)
        at io.netty.util.concurrent.AbstractEventExecutor.safeExecute(AbstractEventExecutor.java:163)
        at io.netty.util.concurrent.SingleThreadEventExecutor.runAllTasks(SingleThreadEventExecutor.java:404)
        at io.netty.channel.epoll.EpollEventLoop.run(EpollEventLoop.java:335)
        at io.netty.util.concurrent.SingleThreadEventExecutor$5.run(SingleThreadEventExecutor.java:897)
        at java.lang.Thread.run(Thread.java:748)
Caused by: javax.net.ssl.SSLHandshakeException: General SSLEngine problem
        at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
        at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1709)
        at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:318)
        at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:310)
        at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1639)
        at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:223)
        at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1037)
        at sun.security.ssl.Handshaker$1.run(Handshaker.java:970)
        at sun.security.ssl.Handshaker$1.run(Handshaker.java:967)
        at java.security.AccessController.doPrivileged(Native Method)
        at sun.security.ssl.Handshaker$DelegatedTask.run(Handshaker.java:1459)
        at io.netty.handler.ssl.SslHandler.runDelegatedTasks(SslHandler.java:1460)
        at io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1365)
        ... 19 common frames omitted
Caused by: java.security.cert.CertificateException: No subject alternative DNS name matching myhost.mydomain.com found.
        at sun.security.util.HostnameChecker.matchDNS(HostnameChecker.java:214)
        at sun.security.util.HostnameChecker.match(HostnameChecker.java:96)
        at sun.security.ssl.X509TrustManagerImpl.checkIdentity(X509TrustManagerImpl.java:455)
        at sun.security.ssl.X509TrustManagerImpl.checkIdentity(X509TrustManagerImpl.java:436)
        at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:252)
        at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:136)
        at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1626)
        ... 27 common frames omitted

编辑:进一步检查后,我发现此问题的顺序错误。当网关尝试向SBA注册时,不会发生SSL错误,它实际上可以正常注册;当SBA尝试返回到网关上的执行器时,就会发生SSL错误。

所以我想更新的问题要复杂一些:有没有一种方法可以用不同的密钥库/信任库配置执行器。此外,有没有办法在Zuul中仅对后端连接(例如SBA)开放而不对公共/客户端用户开放?

0 个答案:

没有答案
相关问题
最新问题