无法使用 Vert.x 通过 TLS 连接到主机
Can't connect to host by TLS with Vert.x
我正在尝试连接到支持 TLS 的特定主机。我有一个有效的私钥 - "my.key",我的证书 - "my.crt",还有 rootCA 证书 "root_ca.crt"。我已经知道请求的主机使用 OpenSsl。 Vertx 可能会使用一些不同的变体如何做到这一点:
- 通过 JksOptions() 和 java 密钥库文件“.jks”
- 通过 PfxOptions() 和文件“.pfx”(PKCS12 格式)
- 通过 PemKeyCertOptions() 和两个文件("key.pem" 和 "cert.pem")
但是当我这样做的时候:
NetClient client = vertx.createNetClient(
(NetClientOptions) new NetClientOptions()
.setLogActivity(true)
.setSsl(true)
.setOpenSslEngineOptions(new OpenSSLEngineOptions())
.addEnabledSecureTransportProtocol("TLSv1.2")
.setJksOptions(
new JksOptions()
.setPath("/path/to/my.jks")
.setPassword("password")
)
);
client.connect(some_port, "some_host", ar -> {
if (ar.succeeded()) {
LOG.debug("Connection succeeded!!!!");
} else {
LOG.debug("Connection failed!!!! :: {} :: {}", ar.cause(), ar.cause().getMessage());
}
});
构建成功,但是当我运行这段代码时出现异常:
INFO: Succeeded in deploying verticle
[vert.x-eventloop-thread-0] DEBUG io.netty.handler.ssl.ReferenceCountedOpenSslContext - verification of certificate failed
sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:397)
at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:302)
at sun.security.validator.Validator.validate(Validator.java:260)
at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324)
at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:281)
at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:136)
at io.netty.handler.ssl.ReferenceCountedOpenSslClientContext$ExtendedTrustManagerVerifyCallback.verify(ReferenceCountedOpenSslClientContext.java:223)
at io.netty.handler.ssl.ReferenceCountedOpenSslContext$AbstractCertificateVerifier.verify(ReferenceCountedOpenSslContext.java:606)
at org.apache.tomcat.jni.SSL.readFromSSL(Native Method)
at io.netty.handler.ssl.ReferenceCountedOpenSslEngine.readPlaintextData(ReferenceCountedOpenSslEngine.java:470)
at io.netty.handler.ssl.ReferenceCountedOpenSslEngine.unwrap(ReferenceCountedOpenSslEngine.java:927)
at io.netty.handler.ssl.ReferenceCountedOpenSslEngine.unwrap(ReferenceCountedOpenSslEngine.java:1033)
at io.netty.handler.ssl.SslHandler$SslEngineType.unwrap(SslHandler.java:200)
at io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1117)
at io.netty.handler.ssl.SslHandler.decode(SslHandler.java:1039)
at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:411)
at io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:248)
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:363)
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:349)
at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:341)
at io.netty.channel.DefaultChannelPipeline$HeadContext.channelRead(DefaultChannelPipeline.java:1334)
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:363)
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:349)
at io.netty.channel.DefaultChannelPipeline.fireChannelRead(DefaultChannelPipeline.java:926)
at io.netty.channel.nio.AbstractNioByteChannel$NioByteUnsafe.read(AbstractNioByteChannel.java:129)
at io.netty.channel.nio.NioEventLoop.processSelectedKey(NioEventLoop.java:642)
at io.netty.channel.nio.NioEventLoop.processSelectedKeysOptimized(NioEventLoop.java:565)
at io.netty.channel.nio.NioEventLoop.processSelectedKeys(NioEventLoop.java:479)
at io.netty.channel.nio.NioEventLoop.run(NioEventLoop.java:441)
at io.netty.util.concurrent.SingleThreadEventExecutor.run(SingleThreadEventExecutor.java:858)
at java.lang.Thread.run(Thread.java:748)
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141)
at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126)
at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280)
at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:392)
... 30 more
也许我在创建密钥库时做错了什么?
要创建它,我正在使用本教程 - https://support.adeptia.com/hc/en-us/articles/207878953-How-to-create-a-KeyStore-with-certificate-chain
请帮助我了解如何获得正确的密钥库以通过 TLS 连接到我的主机?
我找到了一种通过此命令以 PKCS12 格式创建正确 java 密钥库的方法:
openssl pkcs12 -inkey my.key -in my.crt -export -out domain.pfx
然后将生成的 "domain.pfx" 文件放入 PfxOptions 并将 "root_ca.crt" 文件放入 PemTrustOptions,如下所示:
return new NetClientOptions()
.setSsl(true)
.addEnabledSecureTransportProtocol("TLSv1.2")
.setPfxKeyCertOptions(
new PfxOptions()
.setPath(pathToKeystoreFile)
.setPassword(keystorePassword)
)
.setPemTrustOptions(
new PemTrustOptions()
.addCertPath(rootCACertificate)
);
P.S。您在创建证书时输入的 keystorePassword。
我正在尝试连接到支持 TLS 的特定主机。我有一个有效的私钥 - "my.key",我的证书 - "my.crt",还有 rootCA 证书 "root_ca.crt"。我已经知道请求的主机使用 OpenSsl。 Vertx 可能会使用一些不同的变体如何做到这一点:
- 通过 JksOptions() 和 java 密钥库文件“.jks”
- 通过 PfxOptions() 和文件“.pfx”(PKCS12 格式)
- 通过 PemKeyCertOptions() 和两个文件("key.pem" 和 "cert.pem")
但是当我这样做的时候:
NetClient client = vertx.createNetClient(
(NetClientOptions) new NetClientOptions()
.setLogActivity(true)
.setSsl(true)
.setOpenSslEngineOptions(new OpenSSLEngineOptions())
.addEnabledSecureTransportProtocol("TLSv1.2")
.setJksOptions(
new JksOptions()
.setPath("/path/to/my.jks")
.setPassword("password")
)
);
client.connect(some_port, "some_host", ar -> {
if (ar.succeeded()) {
LOG.debug("Connection succeeded!!!!");
} else {
LOG.debug("Connection failed!!!! :: {} :: {}", ar.cause(), ar.cause().getMessage());
}
});
构建成功,但是当我运行这段代码时出现异常:
INFO: Succeeded in deploying verticle
[vert.x-eventloop-thread-0] DEBUG io.netty.handler.ssl.ReferenceCountedOpenSslContext - verification of certificate failed
sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:397)
at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:302)
at sun.security.validator.Validator.validate(Validator.java:260)
at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324)
at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:281)
at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:136)
at io.netty.handler.ssl.ReferenceCountedOpenSslClientContext$ExtendedTrustManagerVerifyCallback.verify(ReferenceCountedOpenSslClientContext.java:223)
at io.netty.handler.ssl.ReferenceCountedOpenSslContext$AbstractCertificateVerifier.verify(ReferenceCountedOpenSslContext.java:606)
at org.apache.tomcat.jni.SSL.readFromSSL(Native Method)
at io.netty.handler.ssl.ReferenceCountedOpenSslEngine.readPlaintextData(ReferenceCountedOpenSslEngine.java:470)
at io.netty.handler.ssl.ReferenceCountedOpenSslEngine.unwrap(ReferenceCountedOpenSslEngine.java:927)
at io.netty.handler.ssl.ReferenceCountedOpenSslEngine.unwrap(ReferenceCountedOpenSslEngine.java:1033)
at io.netty.handler.ssl.SslHandler$SslEngineType.unwrap(SslHandler.java:200)
at io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1117)
at io.netty.handler.ssl.SslHandler.decode(SslHandler.java:1039)
at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:411)
at io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:248)
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:363)
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:349)
at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:341)
at io.netty.channel.DefaultChannelPipeline$HeadContext.channelRead(DefaultChannelPipeline.java:1334)
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:363)
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:349)
at io.netty.channel.DefaultChannelPipeline.fireChannelRead(DefaultChannelPipeline.java:926)
at io.netty.channel.nio.AbstractNioByteChannel$NioByteUnsafe.read(AbstractNioByteChannel.java:129)
at io.netty.channel.nio.NioEventLoop.processSelectedKey(NioEventLoop.java:642)
at io.netty.channel.nio.NioEventLoop.processSelectedKeysOptimized(NioEventLoop.java:565)
at io.netty.channel.nio.NioEventLoop.processSelectedKeys(NioEventLoop.java:479)
at io.netty.channel.nio.NioEventLoop.run(NioEventLoop.java:441)
at io.netty.util.concurrent.SingleThreadEventExecutor.run(SingleThreadEventExecutor.java:858)
at java.lang.Thread.run(Thread.java:748)
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141)
at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126)
at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280)
at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:392)
... 30 more
也许我在创建密钥库时做错了什么? 要创建它,我正在使用本教程 - https://support.adeptia.com/hc/en-us/articles/207878953-How-to-create-a-KeyStore-with-certificate-chain
请帮助我了解如何获得正确的密钥库以通过 TLS 连接到我的主机?
我找到了一种通过此命令以 PKCS12 格式创建正确 java 密钥库的方法:
openssl pkcs12 -inkey my.key -in my.crt -export -out domain.pfx
然后将生成的 "domain.pfx" 文件放入 PfxOptions 并将 "root_ca.crt" 文件放入 PemTrustOptions,如下所示:
return new NetClientOptions()
.setSsl(true)
.addEnabledSecureTransportProtocol("TLSv1.2")
.setPfxKeyCertOptions(
new PfxOptions()
.setPath(pathToKeystoreFile)
.setPassword(keystorePassword)
)
.setPemTrustOptions(
new PemTrustOptions()
.addCertPath(rootCACertificate)
);
P.S。您在创建证书时输入的 keystorePassword。