Why does "PKIX path building failed" occur when the Spring Boot application adds the root and intermediate certificates as trusted?

8ljdwjyq  posted on 2021-06-30  in  Java

I am trying the following path: Spring Boot app --https--> nginx --http--> application that can't use HTTPS --http--> nginx --https--> Spring Boot app
I am sending HTTPS requests to an nginx server, which is proxying an application that cannot use HTTPS, so nginx forwards the request over HTTP.
(KeyStore Explorer was used)
Created and exported root and intermediate self-signed certificates. With intermediate I created one certificate named nginx.cer and another, backend.cer, for my application. Exported nginx.cer with its private key nginx.pkcs8, and created a JKS keystore backend where the RSA key pair can be found.
Imported the root and intermediate certificates into the truststore:
keytool -import -alias root -file root.cer -storetype jks -keystore mycustom.truststore
keytool -import -alias intermediate -file intermediate.cer -storetype jks -keystore mycustom.truststore
I added the following to application.properties:
server.ssl.enabled=true
server.ssl.client-auth=none
server.ssl.key-store=keystores/backend.jks
server.ssl.key-store-password=changeit
server.ssl.trust-store=keystores/mycustom.truststore
server.ssl.trust-store-password=changeit
This is my nginx configuration:


# user  nobody;

worker_processes auto;

# pid        logs/nginx.pid;

events {
    worker_connections  1024;
}

http {
    include       mime.types;
    default_type  application/octet-stream;

    sendfile        on;

    keepalive_timeout  65;

    server {
        listen 443 ssl;

        server_name localhost;

        ssl_certificate         D:/nginx/nginx.cer;
        ssl_certificate_key     D:/nginx/nginx.pkcs8;
        ssl_verify_client       off;

        location / {        
            proxy_pass http://10.10.10.10:8999 ; # this is the application that can't be HTTPS
        }

        error_page   500 502 503 504  /50x.html;
        location = /50x.html {
            root   html;
        }
    }
}

My Java code when trying to reach the endpoint through nginx:

@GetMapping(value = "/test")
public ResponseEntity<String> test() {
    String body = getBody("https://localhost:443/get");

    return new ResponseEntity<>(body, HttpStatus.OK);
}

private String getBody(String url) {
    HttpHeaders headers = new HttpHeaders();
    HttpEntity<?> httpEntity = new HttpEntity<>(headers);

    // A bare RestTemplate validates server certificates against the JVM default truststore
    RestTemplate restTemplate = new RestTemplate();
    ResponseEntity<String> response = restTemplate.exchange(url, HttpMethod.GET, httpEntity, String.class);

    String body = response.getBody();
    return body;
}

I get this error:

https-jsse-nio-8080-exec-6, handling exception: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
13:03:25.619 [https-jsse-nio-8080-exec-6] ERROR h.e.c.e.ProblemDetailControllerAdvice - I/O error on GET request for "https://localhost:443/auth": sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target; nested exception is javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
org.springframework.web.client.ResourceAccessException: I/O error on GET request for "https://localhost:443/auth": sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target; nested exception is javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
...
Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
...
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
...
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

I ran the application with the flag -Djavax.net.debug=ssl, so I can see some logs.
For example, I see that intermediate and root are added to the truststore:

adding as trusted cert:
  Subject: CN=root, OU=Root Organization Unit, O=Root Organization Name, L=Bp, ST=England, C=GB
  Issuer:  CN=root, OU=Root Organization Unit, O=Root Organization Name, L=Bp, ST=England, C=GB
  Algorithm: RSA; Serial number: 0x5fcf6702
  Valid from Tue Dec 08 12:44:02 CET 2020 until Sat Dec 08 12:44:02 CET 2040

adding as trusted cert:
  Subject: CN=intermediate, OU=Intermediate Organization Unit, O=Intermediate Organization Name, L=Bp, ST=England, C=GB
  Issuer:  CN=root, OU=Root Organization Unit, O=Root Organization Name, L=Bp, ST=England, C=GB
  Algorithm: RSA; Serial number: 0x5fcf6794
  Valid from Tue Dec 08 12:46:28 CET 2020 until Sun Dec 08 12:46:28 CET 2030

Then I can see that my Spring Boot application receives the nginx certificate and then throws the exception (:

%% Initialized:  [Session-4, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384]

**TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384

update handshake state: server_hello[2]
upcoming handshake states: server certificate[11]
upcoming handshake states: server_key_exchange[12](optional)
upcoming handshake states: certificate_request[13](optional)
upcoming handshake states: server_hello_done[14]
upcoming handshake states: client certificate[11](optional)
upcoming handshake states: client_key_exchange[16]
upcoming handshake states: certificate_verify[15](optional)
upcoming handshake states: client change_cipher_spec[-1]
upcoming handshake states: client finished[20]
upcoming handshake states: server change_cipher_spec[-1]
upcoming handshake states: server finished[20]
https-jsse-nio-8080-exec-6, READ: TLSv1.2 Handshake, length = 1691
check handshake state: certificate[11]
update handshake state: certificate[11]
upcoming handshake states: server_key_exchange[12](optional)
upcoming handshake states: certificate_request[13](optional)
upcoming handshake states: server_hello_done[14]
upcoming handshake states: client certificate[11](optional)
upcoming handshake states: client_key_exchange[16]
upcoming handshake states: certificate_verify[15](optional)
upcoming handshake states: client change_cipher_spec[-1]
upcoming handshake states: client finished[20]
upcoming handshake states: server change_cipher_spec[-1]
upcoming handshake states: server finished[20]

***Certificate chain

chain [0] = [
[
  Version: V3
  Subject: CN=localhost, OU=Client Organization Unit, O=Client Organization Name, L=Bp, ST=England, C=GB
  Signature Algorithm: SHA256withRSA, OID = 1.2.840.113549.1.1.11

  Key:  Sun RSA public key, 4096 bits
  modulus: 706300239359326084796982953931286641353625051940973252498564123939478710128996412798780081417878884037
...
  public exponent: 65537
  Validity: [From: Wed Dec 09 12:17:44 CET 2020,
               To: Thu Dec 09 12:17:44 CET 2021]
  Issuer: CN=intermediate, OU=Intermediate Organization Unit, O=Intermediate Organization Name, L=Bp, ST=England, C=GB
  SerialNumber: [    5fd0b258]

Certificate Extensions: 5
[1]: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: F3 CF 3F 63 F5 D7 11 56   CF DE 49 F9 E6 40 4A 6B  ..?c...V..I..@Jk
0010: 09 40 FA 95                                        .@..
]
]

[2]: ObjectId: 2.5.29.37 Criticality=false
ExtendedKeyUsages [
  serverAuth
]

[3]: ObjectId: 2.5.29.15 Criticality=false
KeyUsage [
  DigitalSignature
  Key_Encipherment
]

[4]: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
  CN=localhost, OU=Local, O=Host, L=Bp, ST=England, C=GB
  IPAddress: 127.0.0.1
]

[5]: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 26 79 B7 49 38 25 4F 52   2E 69 C7 95 45 C9 6D D3  &y.I8%OR.i..E.m.
0010: 08 30 74 52                                        .0tR
]
]

]
  Algorithm: [SHA256withRSA]
  Signature:
0000: 13 68 B6 E2 93 40 DD 31   DE 73 2F 3F 00 63 B4 68  .h...@.1.s/?.c.h
0010: A6 6E 7A FD A1 4F 97 0B   9B 00 D3 85 F1 9D 4B 87  .nz..O........K.
...
...

]

***

%% Invalidated:  [Session-4, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384]
https-jsse-nio-8080-exec-6, SEND TLSv1.2 ALERT:  fatal, description = certificate_unknown
https-jsse-nio-8080-exec-6, WRITE: TLSv1.2 Alert, length = 2
https-jsse-nio-8080-exec-6, called closeSocket()

If I open https://localhost:443 in the browser, nginx proxies me to the correct site, and if I check the certificate, it is there. So I believe the nginx configuration is correct.
Thanks in advance for your help!
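Added example (not code from the original post). The `server.ssl.trust-store` properties configure the embedded Tomcat server's truststore, which is only consulted when it validates client certificates; the "adding as trusted cert" lines in the debug output come from that server-side initialisation. A plain `new RestTemplate()` makes its outbound HTTPS call with the JVM default `SSLContext`, whose trust anchors are `cacerts` (or `-Djavax.net.ssl.trustStore` if set), so root and intermediate are never in the path the client builds. The code below loads `mycustom.truststore` into its own trust manager, wires it into a `RestTemplate`, and also reproduces the handshake check offline against a PEM file of the chain nginx presents. The truststore path, password and the chain file name `nginx-chain.pem` are assumptions; the class compiles against spring-web and the JDK only.

```java
import java.io.IOException;
import java.io.InputStream;
import java.net.HttpURLConnection;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Collection;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;
import org.springframework.http.client.SimpleClientHttpRequestFactory;
import org.springframework.web.client.RestTemplate;

/**
 * Outbound TLS client that trusts a custom JKS truststore instead of the JVM default.
 * Added example, not code from the original post; the truststore path, the password
 * and the PEM file holding the server chain are assumptions.
 */
public final class TrustStoreClient {

    private TrustStoreClient() {}

    /** Loads the JKS truststore and builds a PKIX trust manager whose anchors are exactly its entries. */
    public static X509TrustManager trustManagerFrom(Path trustStorePath, char[] password) throws Exception {
        KeyStore trustStore = KeyStore.getInstance("JKS");
        try (InputStream in = Files.newInputStream(trustStorePath)) {
            trustStore.load(in, password);
        }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                return (X509TrustManager) tm;
            }
        }
        throw new IllegalStateException("no X509TrustManager for " + trustStorePath);
    }

    /** SSLContext using only the custom trust manager; no key manager, since nginx has client auth off. */
    public static SSLContext sslContext(X509TrustManager tm) throws Exception {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] {tm}, null);
        return ctx;
    }

    /** RestTemplate over HttpsURLConnection with the custom socket factory; the default hostname verifier is kept. */
    public static RestTemplate restTemplate(SSLContext ctx) {
        SimpleClientHttpRequestFactory factory = new SimpleClientHttpRequestFactory() {
            @Override
            protected void prepareConnection(HttpURLConnection connection, String httpMethod) throws IOException {
                if (connection instanceof HttpsURLConnection) {
                    ((HttpsURLConnection) connection).setSSLSocketFactory(ctx.getSocketFactory());
                }
                super.prepareConnection(connection, httpMethod);
            }
        };
        return new RestTemplate(factory);
    }

    /**
     * Offline reproduction of the handshake check: feed the chain the server presents
     * (PEM file, e.g. saved from `openssl s_client -showcerts`) to the same
     * checkServerTrusted call JSSE makes. Throws CertificateException carrying the
     * "PKIX path building failed" message when the truststore cannot validate it.
     */
    public static void checkServerChain(X509TrustManager tm, Path chainPem) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        Collection<? extends Certificate> certs;
        try (InputStream in = Files.newInputStream(chainPem)) {
            certs = cf.generateCertificates(in);
        }
        X509Certificate[] chain = certs.toArray(new X509Certificate[0]);
        // "ECDHE_RSA" is the authType JSSE passes for the TLS_ECDHE_RSA_* suite seen in the debug log
        tm.checkServerTrusted(chain, "ECDHE_RSA");
    }

    public static void main(String[] args) throws Exception {
        // Assumed locations; adjust to the real truststore and the saved nginx chain
        X509TrustManager tm = trustManagerFrom(Paths.get("keystores/mycustom.truststore"), "changeit".toCharArray());
        checkServerChain(tm, Paths.get("nginx-chain.pem")); // fails here, not mid-request, if trust is wrong
        RestTemplate rt = restTemplate(sslContext(tm));
        System.out.println(rt.getForObject("https://localhost:443/get", String.class));
    }
}
```

Two caveats worth checking while fixing this. First, the debug log shows nginx sending only `chain [0]`, the leaf; the `ssl_certificate` file should contain the leaf followed by intermediate.cer so that clients trusting only the root can build the path, and it only happens to be enough here because intermediate itself is a trust anchor in `mycustom.truststore`. Second, the quick alternative of starting the JVM with `-Djavax.net.ssl.trustStore=keystores/mycustom.truststore -Djavax.net.ssl.trustStorePassword=...` also makes the default `RestTemplate` work, but it replaces `cacerts` for every outbound connection in the process, so any call to a public HTTPS endpoint then fails unless those roots are imported too; a per-client context as above keeps the custom trust scoped to the nginx hop.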

No answers yet!
