SSLPeerUnverifiedException - Certificate for <> doesn't match common name of the certificate subject



When we try to access a secured https REST endpoint from zuul, we get the following exception.

2017-10-27 08:26:08.499 DEBUG 15708 --- [http-nio-9092-exec-1] o.a.h.c.ssl.SSLConnectionSocketFactory : Secure session established
2017-10-27 08:26:08.500 DEBUG 15708 --- [http-nio-9092-exec-1] o.a.h.c.ssl.SSLConnectionSocketFactory : negotiated protocol: TLSv1.2
2017-10-27 08:26:08.500 DEBUG 15708 --- [http-nio-9092-exec-1] o.a.h.c.ssl.SSLConnectionSocketFactory : negotiated cipher suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
2017-10-27 08:26:08.501 DEBUG 15708 --- [http-nio-9092-exec-1] o.a.h.c.ssl.SSLConnectionSocketFactory : peer principal: CN=10.xxxx.xx.xx, OU=xxx, O=xxx, L=xxx, ST=xx, C=xx
2017-10-27 08:26:08.502 DEBUG 15708 --- [http-nio-9092-exec-1] o.a.h.c.ssl.SSLConnectionSocketFactory : issuer principal: CN=10.xxxx.xx.xx, OU=xxx, O=xxx, L=xxx, ST=xx, C=xx
2017-10-27 08:26:08.116 DEBUG 15708 --- [http-nio-9092-exec-1] o.a.h.conn.ssl.DefaultHostnameVerifier : Certificate for <> doesn't match common name of the certificate subject: 10.xxxx.xx.xx
javax.net.ssl.SSLPeerUnverifiedException: Certificate for <> doesn't match common name of the certificate subject: 10.xxxx.xx.xx
    at org.apache.http.conn.ssl.DefaultHostnameVerifier.matchCN(DefaultHostnameVerifier.java:186)
    at org.apache.http.conn.ssl.DefaultHostnameVerifier.verify(DefaultHostnameVerifier.java:133)
    at org.apache.http.conn.ssl.DefaultHostnameVerifier.verify(DefaultHostnameVerifier.java:99)
    at org.apache.http.conn.ssl.SSLConnectionSocketFactory.verifyHostname(SSLConnectionSocketFactory.java:463)
    at org.apache.http.conn.ssl.SSLConnectionSocketFactory.createLayeredSocket(SSLConnectionSocketFactory.java:397)
    at org.apache.http.conn.ssl.SSLConnectionSocketFactory.connectSocket(SSLConnectionSocketFactory.java:355)
    at org.apache.http.impl.conn.DefaultHttpClientConnectionOperator.connect(DefaultHttpClientConnectionOperator.java:142)
    at org.apache.http.impl.conn.PoolingHttpClientConnectionManager.connect(PoolingHttpClientConnectionManager.java:359)
    at org.apache.http.impl.execchain.MainClientExec.establishRoute(MainClientExec.java:381)
    at org.apache.http.impl.execchain.MainClientExec.execute(MainClientExec.java:237)
    at org.apache.http.impl.execchain.ProtocolExec.execute(ProtocolExec.java:185)
    at org.apache.http.impl.execchain.RetryExec.execute(RetryExec.java:89)
    at org.apache.http.impl.execchain.RedirectExec.execute(RedirectExec.java:111)
    at org.apache.http.impl.client.InternalHttpClient.doExecute(InternalHttpClient.java:185)
    at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:83)
    at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:108)
    at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:56)
    at org.springframework.cloud.netflix.ribbon.apache.RibbonLoadBalancingHttpClient.execute(RibbonLoadBalancingHttpClient.java:94)
    at org.springframework.cloud.netflix.ribbon.apache.RibbonLoadBalancingHttpClient.execute(RibbonLoadBalancingHttpClient.java:43)
    at com.netflix.client.AbstractLoadBalancerAwareClient$1.call(AbstractLoadBalancerAwareClient.java:109)
    at com.netflix.loadbalancer.reactive.LoadBalancerCommand$3$1.call(LoadBalancerCommand.java:303)
    at com.netflix.loadbalancer.reactive.LoadBalancerCommand$3$1.call(LoadBalancerCommand.java:287)
    at rx.internal.util.ScalarSynchronousObservable$3.call(ScalarSynchronousObservable.java:231)
    at rx.internal.util.ScalarSynchronousObservable$3.call(ScalarSynchronousObservable.java:228)
    at rx.Observable.unsafeSubscribe(Observable.java:10211)
    at rx.internal.operators.OnSubscribeConcatMap$ConcatMapSubscriber.drain(OnSubscribeConcatMap.java:286)
    at rx.internal.operators.OnSubscribeConcatMap$ConcatMapSubscriber.onNext(OnSubscribeConcatMap.java:144)
    at com.netflix.loadbalancer.reactive.LoadBalancerCommand$1.call(LoadBalancerCommand.java:185)
    at com.netflix.loadbalancer.reactive.LoadBalancerCommand$1.call(LoadBalancerCommand.java:180)
    ...


spring:
  application:
    name: gateway
server:
  port: 9092
  ssl:
    enabled: true
    clientAuth: want
    key-store: classpath:keystore.jks
    key-store-password: password
    key-password: password
    key-alias: xxxx
eureka:
  instance:
    nonSecurePortEnabled: false
    securePortEnabled: true
  client:
    serviceUrl:
      defaultZone: ${EUREKA_URI:http://localhost:8761/eureka}
    registry-fetch-interval-seconds: 15
    register-with-eureka: true
    fetch-registry: true
    heartbeat-executor-thread-pool-size: 5
    eureka-service-url-poll-interval-seconds: 10
zuul:
  prefix: /tree
  routes:
    service:
      path: /cxf/**
      strip-prefix: false
      serviceId: serv
ribbon:
  IsSecure: true
  IsHostnameValidationRequired: false

The service registers with eureka via a POST request. Please see the sample POST request below.

{
  "instance": {
    "hostName": "xxx",
    "app": "appname",
    "vipAddress": "appname",
    "secureVipAddress": "appname",
    "ipAddr": "10.xxx.xx.xxx",
    "status": "UP",
    "port": { "$": "8181", "@enabled": "true" },
    "securePort": { "$": "8443", "@enabled": "true" },
    "healthCheckUrl": "http://localhost:8000/cat",
    "statusPageUrl": "http://localhost:8000/cat",
    "homePageUrl": "http://localhost:8000/cat",
    "dataCenterInfo": {
      "@class": "com.netflix.appinfo.InstanceInfo$DefaultDataCenterInfo",
      "name": "MyOwn"
    }
  }
}

If I replace serviceId with the corresponding url in the zuul configuration above, it works fine.

keystore.jks has been under src/main/resources all along. In addition, the keystore entry has been imported into the cacerts under $JDK_HOME/jre/lib/security/cacerts. Are we missing some other configuration?

Note: the REST endpoint is an OSGi service. spring-boot version: v1.7.RELEASE. We use embedded Tomcat.

The cause of the above problem was that the certificate did not contain the "SubjectAlternativeName" field. After creating a certificate with the "SubjectAlternativeName" field, which in turn includes the CN (common name) and IP details, the problem was resolved. We also needed to generate the truststore.

For anyone looking for a solution, hopefully the following steps help.

1. Generate the server key and a self-signed server certificate:

    keytool -genkey -alias serverkey -keyalg RSA -storetype PKCS12 -keystore serverkeystore.p12 -ext SAN=dns:abc.com,dns:localhost,ip:127.0.0.1

2. Generate the client key and a self-signed client certificate:

    keytool -genkey -alias clientkey -keyalg RSA -storetype PKCS12 -keystore clientkeystore.p12 -ext SAN=dns:def.com,dns:localhost,ip:127.0.0.1

3. Export the server certificate:

    keytool -export -alias serverkey -file servercert.cer -keystore serverkeystore.p12

4. Export the client certificate:

    keytool -export -alias clientkey -file clientcert.cer -keystore clientkeystore.p12

5. Import the certificate into $JAVA_HOME/jre/lib/security (the exported server certificate from step 3):

    sudo keytool -import -trustcacerts -alias serverkey -file servercert.cer -keystore $JAVA_HOME/jre/lib/security/cacerts

application.yml of the gateway:

spring:
  application:
    name: gateway
server:
  port: 8443
  ssl:
    enabled: true
    key-store: classpath:serverkeystore.p12
    key-store-password: server
    key-alias: serverkey
eureka:
  instance:
    securePort: ${server.port}
    nonSecurePortEnabled: false
    securePortEnabled: true
    leaseRenewalIntervalInSeconds: 7
    leaseExpirationDurationInSeconds: 9
  client:
    serviceUrl:
      defaultZone: ${EUREKA_URI:http://localhost.com:8761/eureka/}
    registry-fetch-interval-seconds: 5
    register-with-eureka: true
    fetch-registry: true
    heartbeat-executor-thread-pool-size: 5
    eureka-service-url-poll-interval-seconds: 10
zuul:
  prefix: /service
  routes:
    producer:
      path: /employee/**
      strip-prefix: false
      serviceId: producer
ribbon:
  IsSecure: true
logging:
  file: logs/gateway.log
  level.root: INFO
  level.com.fujitsu.fnc.sdnfw.msvc: DEBUG
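As an added illustration (not part of the original question or answer), the Python below models the decision made by the verifier in the stack trace, Apache HttpClient's DefaultHostnameVerifier: whenever the certificate carries dNSName or iPAddress SAN entries, only those are consulted (an IP-literal host against iPAddress entries, a DNS name against dNSName entries, with single-label wildcards), and the subject CN is consulted only when there is no such SAN at all. Certificates are constructed dicts rather than parsed X.509 and every name and address is made up, so it runs offline with the standard library. It reproduces the "Certificate for <> doesn't match common name of the certificate subject" message for a CN-only certificate with the empty host from the log, and shows why the answer's ip: SAN entry is what makes an IP-addressed host verify, and why a matching CN stops helping once any SAN is present.

```python
"""Hostname verification as done by Apache HttpClient's DefaultHostnameVerifier
(the class in the stack trace): subject alternative names first, subject CN
only when the certificate carries no dNSName/iPAddress SAN at all.

Added example, not code from the original post. Certificates are constructed
dicts, not parsed X.509, and every name and address below is made up."""

import ipaddress


class HostnameMismatch(Exception):
    """Raised where HttpClient would raise SSLPeerUnverifiedException."""


def _as_ip(text):
    """ipaddress object for an IP literal, None for anything else."""
    try:
        return ipaddress.ip_address(text)
    except ValueError:
        return None


def _dns_matches(host, pattern):
    """Case-insensitive dNSName match. A leading '*' covers exactly one label
    and only when the remainder has at least two labels, so '*.com' is dead."""
    host, pattern = host.lower(), pattern.lower()
    if not pattern.startswith("*."):
        return host == pattern
    suffix = pattern[1:]                       # ".example.com"
    if suffix.count(".") < 2 or not host.endswith(suffix):
        return False
    first_label = host[: -len(suffix)]
    return bool(first_label) and "." not in first_label


def verify(host, cert):
    """Return the entry that matched ('ip:...', 'dns:...' or 'cn:...') or raise.

    cert = {"cn": "<subject CN>", "san": [("dns", name), ("ip", addr), ...]}
    """
    # Only dNSName and iPAddress entries count; other SAN types (e-mail, URI)
    # neither match nor suppress the CN fallback.
    sans = [(k, v) for k, v in cert.get("san", []) if k in ("dns", "ip")]
    ip_host = _as_ip(host)
    if sans:
        if ip_host is not None:
            for kind, value in sans:
                if kind == "ip" and _as_ip(value) == ip_host:
                    return f"ip:{value}"
        else:
            for kind, value in sans:
                if kind == "dns" and _dns_matches(host, value):
                    return f"dns:{value}"
        # With a SAN present the CN is never consulted, even if it would match.
        listed = ", ".join(f"{k}:{v}" for k, v in sans)
        raise HostnameMismatch(
            f"Certificate for <{host}> doesn't match any of the subject "
            f"alternative names: [{listed}]")
    cn = cert.get("cn")
    if cn is None:
        raise HostnameMismatch(
            f"Certificate subject for <{host}> doesn't contain a common name")
    if _dns_matches(host, cn):
        return f"cn:{cn}"
    raise HostnameMismatch(
        f"Certificate for <{host}> doesn't match common name of the "
        f"certificate subject: {cn}")


def outcome(host, cert):
    """Matched entry prefixed 'OK ', or the verifier's error text prefixed 'FAIL '."""
    try:
        return "OK " + verify(host, cert)
    except HostnameMismatch as exc:
        return "FAIL " + str(exc)


# Constructed certificates. CN_ONLY is the shape the question ran into:
# an IP address in the CN and no SAN extension at all.
CN_ONLY = {"cn": "10.20.30.40", "san": []}
# What step 1 of the answer produces: a SAN with dns and ip entries.
WITH_SAN = {"cn": "10.20.30.40",
            "san": [("dns", "gateway.internal"), ("dns", "localhost"),
                    ("ip", "10.20.30.40")]}
# SAN present but without the ip entry: the matching CN no longer rescues it.
SAN_NO_IP = {"cn": "10.20.30.40", "san": [("dns", "localhost")]}
WILDCARD = {"cn": "ignored", "san": [("dns", "*.example.com")]}


if __name__ == "__main__":
    for host, cert in [("10.20.30.40", CN_ONLY), ("", CN_ONLY),
                       ("10.20.30.40", WITH_SAN), ("10.20.30.40", SAN_NO_IP),
                       ("api.example.com", WILDCARD), ("a.b.example.com", WILDCARD)]:
        print(f"{host or '<empty>':>16} -> {outcome(host, cert)}")
```

The empty host in the original log ("Certificate for <>") is reproduced by verify("", CN_ONLY): with no SAN the verifier falls back to the CN, and an empty host can never equal it. Fixing the certificate alone (WITH_SAN) settles the CN-versus-SAN question, but the client must still present the real host it is connecting to; an IP host needs an ip: entry, since a dns: entry holding the same digits is not consulted for IP literals.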
