Peer not authenticated when logging in to Publisher or Store
When logging in to /publisher or /store, I get a "Peer not authenticated" error.
For more context, I created a new keystore, imported its .pem certificate into client-truststore.jks, and finally updated the SSL keystore configuration to use this new keystore, as described here: https://docs.wso2.com/display/ADMIN44x/Configuring+Keystores+in+WSO2+Products#Configuring%20keystores%20for%20SSL%20connections
WSO2 log with SSL debugging enabled:
%% Invalidated: [Session-11, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384]
http-nio-9443-exec-25, SEND TLSv1.2 ALERT: fatal, description = certificate_unknown
http-nio-9443-exec-25, WRITE: TLSv1.2 Alert, length = 2
http-nio-9443-exec-25, called closeSocket()
http-nio-9443-exec-25, handling exception: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
http-nio-9443-exec-25, IOException in getSession(): javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
http-nio-9443-exec-45, READ: TLSv1.2 Alert, length = 2
http-nio-9443-exec-45, RECV TLSv1.2 ALERT: fatal, certificate_unknown
http-nio-9443-exec-45, fatal: engine already closed. Rethrowing javax.net.ssl.SSLException: Received fatal alert: certificate_unknown
http-nio-9443-exec-45, fatal: engine already closed. Rethrowing javax.net.ssl.SSLException: Received fatal alert: certificate_unknown
http-nio-9443-exec-45, called closeOutbound()
http-nio-9443-exec-45, closeOutboundInternal()
http-nio-9443-exec-45, SEND TLSv1.2 ALERT: warning, description = close_notify
http-nio-9443-exec-45, WRITE: TLSv1.2 Alert, length = 2
TID: [-1234] [] [2020-03-10 15:03:32,866] INFO {org.wso2.carbon.core.internal.permission.update.PermissionUpdater} - Permission cache updated for tenant -1234 {org.wso2.carbon.core.internal.permission.update.PermissionUpdater}
TID: [-1234] [] [2020-03-10 15:03:32,898] INFO {org.apache.axis2.transport.http.HTTPSender} - Unable to sendViaPost to url[https://<serverPublicIP>:9443/services/AuthenticationAdmin] {org.apache.axis2.transport.http.HTTPSender}
javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
at sun.security.ssl.SSLSessionImpl.getPeerCertificates(SSLSessionImpl.java:450)
at org.apache.commons.httpclient.protocol.SSLProtocolSocketFactory.verifyHostName(SSLProtocolSocketFactory.java:276)
at org.apache.commons.httpclient.protocol.SSLProtocolSocketFactory.createSocket(SSLProtocolSocketFactory.java:186)
The keytool commands I used:
// Create the keystore
$ keytool -genkey -alias custom -keyalg RSA -keysize 2048 -keystore custom.jks -dname "CN=<myhostdomain>, OU=Home,O=Home,L=SL,S=WS,C=LK" -storepass wso2carbon -keypass wso2carbon
// Export the new keystore certificate
$ keytool -export -alias custom -keystore custom.jks -file custom.pem
// Import the new certificate into the client-truststore
$ keytool -import -alias custom -file custom.pem -keystore client-truststore.jks -storepass wso2carbon
Product version:
APIM 2.6 (not using IS as Key Manager, just the stock WSO2 API Manager)
The issue reproduces consistently on a fresh installation. The problem is that I enabled the H2 database web console in the browser by changing this configuration (which is commented out) in carbon.xml:
<H2DatabaseConfiguration>
<property name="web" />
<property name="webPort">8082</property>
<property name="webAllowOthers" />
For some reason this causes the Peer not authenticated error when logging in to the Publisher or Store.
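The two failures visible in the log above can be reproduced offline with Go's standard library. This is an added example, not the poster's code or anything shipped by WSO2: it builds a self-signed certificate (the analogue of the keytool -genkey step), then verifies it against an empty trust store (the "PKIX path building failed" case) and against a trust store that contains it but for a dial target the certificate does not name (the verifyHostName / "peer not authenticated" case). The host name, IP address and organisation are constructed placeholders. The certificate carries a DNS SAN because Go ignores the CN for host matching, whereas the commons-httpclient verifier in the stack trace also inspects the CN; the practical check is the same either way: the host the server dials (https://<serverPublicIP>:9443/... in the log) must be named in the certificate, and the certificate must be in client-truststore.jks.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"net"
	"time"
)

// Constructed placeholder names (hypothetical, not taken from the report).
const (
	certHost = "apim.example.internal" // name placed in the certificate
	publicIP = "203.0.113.10"          // address the server dials, like <serverPublicIP>
)

// makeSelfSigned builds a self-signed server certificate for host, the
// equivalent of the keytool -genkey step. Extra IPs become IP SANs.
func makeSelfSigned(host string, ips ...net.IP) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: host, Organization: []string{"Home"}},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
		IsCA:                  true,
		DNSNames:              []string{host},
		IPAddresses:           ips,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// Outcome names a verification result in the terms the WSO2 log uses.
type Outcome string

const (
	OK            Outcome = "ok"
	UntrustedRoot Outcome = "unknown-authority" // PKIX path building failed
	NameMismatch  Outcome = "hostname-mismatch" // verifyHostName -> peer not authenticated
	OtherFailure  Outcome = "other"
)

// classify verifies cert for dialHost against a trust store holding roots
// and reports which of the two failures from the report it corresponds to.
func classify(cert *x509.Certificate, roots []*x509.Certificate, dialHost string) Outcome {
	pool := x509.NewCertPool() // empty pool, so system roots are not consulted
	for _, r := range roots {
		pool.AddCert(r)
	}
	_, err := cert.Verify(x509.VerifyOptions{
		Roots:     pool,
		DNSName:   dialHost,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	var unknown x509.UnknownAuthorityError
	var hostErr x509.HostnameError
	switch {
	case err == nil:
		return OK
	case errors.As(err, &unknown):
		return UntrustedRoot
	case errors.As(err, &hostErr):
		return NameMismatch
	default:
		return OtherFailure
	}
}

func main() {
	cert, err := makeSelfSigned(certHost)
	if err != nil {
		panic(err)
	}
	trusted := []*x509.Certificate{cert}
	fmt.Println("cert missing from truststore:", classify(cert, nil, certHost))
	fmt.Println("trusted, dialed by IP:       ", classify(cert, trusted, publicIP))
	fmt.Println("trusted, dialed by name:     ", classify(cert, trusted, certHost))
	withIP, err := makeSelfSigned(certHost, net.ParseIP(publicIP))
	if err != nil {
		panic(err)
	}
	fmt.Println("IP SAN, dialed by IP:        ", classify(withIP, []*x509.Certificate{withIP}, publicIP))
}
```

The first three lines of output map directly onto the report: a certificate absent from the trust store fails chain building, a trusted certificate dialed by an address it does not name fails host-name verification, and only the combination of trust plus a matching name succeeds. The fourth line shows the fix when the server must keep dialing its public IP: issue the certificate with that IP as a subject alternative name rather than only a CN.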