I am trying to get the following path working: spring boot app -https-> nginx -http-> application that can't use https -> application that can't use https -http-> nginx -https-> spring boot app
I am sending an HTTPS request to an nginx server that proxies an application that can't use HTTPS, so nginx forwards the request over HTTP.
(Using KeyStore Explorer) I created and exported root and intermediate self-signed certificates. With intermediate I created one called nginx.cer and another for my application, backend.cer. I exported nginx.cer with its private key nginx.pkcs8, and created a jks keystore backend where the rsa key pair can be found. I imported the root and intermediate certificates into the truststore:
keytool -import -alias root -file root.cer -storetype jks -keystore mycustom.truststore
keytool -import -alias intermediate -file intermediate.cer -storetype jks -keystore mycustom.truststore
I added the following to application.properties:
server.ssl.enabled=true
server.ssl.client-auth=none
server.ssl.key-store=keystores/backend.jks
server.ssl.key-store-password=changeit
server.ssl.trust-store=keystores/mycustom.truststore
server.ssl.trust-store-password=changeit
This is my nginx config:
# user nobody;
worker_processes auto;
# pid logs/nginx.pid;
events {
worker_connections 1024;
}
http {
include mime.types;
default_type application/octet-stream;
sendfile on;
keepalive_timeout 65;
server {
listen 443 ssl;
server_name localhost;
ssl_certificate D:/nginx/nginx.cer;
ssl_certificate_key D:/nxinx/nginx.pkcs8;
ssl_verify_client off;
location / {
proxy_pass http://10.10.10.10:8999 ; # this is the application that can't be HTTPS
}
error_page 500 502 503 504 /50x.html;
location = /50x.html {
root html;
}
}
}
My Java code when I try to reach the endpoint through nginx:
@GetMapping(value = "/test")
public ResponseEntity<String> test() {
    String body = getBody("https://localhost:443/get");
    return new ResponseEntity<>(body, HttpStatus.OK);
}

private String getBody(String url) {
    HttpHeaders headers = new HttpHeaders();
    HttpEntity<?> httpEntity = new HttpEntity<>(headers);
    // plain RestTemplate, no custom SSL configuration
    RestTemplate restTemplate = new RestTemplate();
    ResponseEntity<String> response = restTemplate.exchange(url, HttpMethod.GET, httpEntity, String.class);
    String body = response.getBody();
    return body;
}
I get this error:
https-jsse-nio-8080-exec-6, handling exception: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
13:03:25.619 [https-jsse-nio-8080-exec-6] ERROR h.e.c.e.ProblemDetailControllerAdvice - I/O error on GET request for "https://localhost:443/auth": sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target; nested exception is javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
org.springframework.web.client.ResourceAccessException: I/O error on GET request for "https://localhost:443/auth": sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target; nested exception is javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
...
Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
...
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
...
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
I ran the application with the -Djavax.net.debug=ssl flag, so I can see some logs. For example, I can see that intermediate and root are added to the truststore:
adding as trusted cert:
Subject: CN=root, OU=Root Organization Unit, O=Root Organization Name, L=Bp, ST=England, C=GB
Issuer: CN=root, OU=Root Organization Unit, O=Root Organization Name, L=Bp, ST=England, C=GB
Algorithm: RSA; Serial number: 0x5fcf6702
Valid from Tue Dec 08 12:44:02 CET 2020 until Sat Dec 08 12:44:02 CET 2040
adding as trusted cert:
Subject: CN=intermediate, OU=Intermediate Organization Unit, O=Intermediate Organization Name, L=Bp, ST=England, C=GB
Issuer: CN=root, OU=Root Organization Unit, O=Root Organization Name, L=Bp, ST=England, C=GB
Algorithm: RSA; Serial number: 0x5fcf6794
Valid from Tue Dec 08 12:46:28 CET 2020 until Sun Dec 08 12:46:28 CET 2030
Then I can see that my spring boot app receives the nginx certificate and then throws the exception (:
%% Initialized: [Session-4, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384]
**TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
update handshake state: server_hello[2]
upcoming handshake states: server certificate[11]
upcoming handshake states: server_key_exchange[12](optional)
upcoming handshake states: certificate_request[13](optional)
upcoming handshake states: server_hello_done[14]
upcoming handshake states: client certificate[11](optional)
upcoming handshake states: client_key_exchange[16]
upcoming handshake states: certificate_verify[15](optional)
upcoming handshake states: client change_cipher_spec[-1]
upcoming handshake states: client finished[20]
upcoming handshake states: server change_cipher_spec[-1]
upcoming handshake states: server finished[20]
https-jsse-nio-8080-exec-6, READ: TLSv1.2 Handshake, length = 1691
check handshake state: certificate[11]
update handshake state: certificate[11]
upcoming handshake states: server_key_exchange[12](optional)
upcoming handshake states: certificate_request[13](optional)
upcoming handshake states: server_hello_done[14]
upcoming handshake states: client certificate[11](optional)
upcoming handshake states: client_key_exchange[16]
upcoming handshake states: certificate_verify[15](optional)
upcoming handshake states: client change_cipher_spec[-1]
upcoming handshake states: client finished[20]
upcoming handshake states: server change_cipher_spec[-1]
upcoming handshake states: server finished[20]
***Certificate chain
chain [0] = [
[
Version: V3
Subject: CN=localhost, OU=Client Organization Unit, O=Client Organization Name, L=Bp, ST=England, C=GB
Signature Algorithm: SHA256withRSA, OID = 1.2.840.113549.1.1.11
Key: Sun RSA public key, 4096 bits
modulus: 706300239359326084796982953931286641353625051940973252498564123939478710128996412798780081417878884037
...
public exponent: 65537
Validity: [From: Wed Dec 09 12:17:44 CET 2020,
To: Thu Dec 09 12:17:44 CET 2021]
Issuer: CN=intermediate, OU=Intermediate Organization Unit, O=Intermediate Organization Name, L=Bp, ST=England, C=GB
SerialNumber: [ 5fd0b258]
Certificate Extensions: 5
[1]: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: F3 CF 3F 63 F5 D7 11 56 CF DE 49 F9 E6 40 4A 6B ..?c...V..I..@Jk
0010: 09 40 FA 95 .@..
]
]
[2]: ObjectId: 2.5.29.37 Criticality=false
ExtendedKeyUsages [
serverAuth
]
[3]: ObjectId: 2.5.29.15 Criticality=false
KeyUsage [
DigitalSignature
Key_Encipherment
]
[4]: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
CN=localhost, OU=Local, O=Host, L=Bp, ST=England, C=GB
IPAddress: 127.0.0.1
]
[5]: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 26 79 B7 49 38 25 4F 52 2E 69 C7 95 45 C9 6D D3 &y.I8%OR.i..E.m.
0010: 08 30 74 52 .0tR
]
]
]
Algorithm: [SHA256withRSA]
Signature:
0000: 13 68 B6 E2 93 40 DD 31 DE 73 2F 3F 00 63 B4 68 .h...@.1.s/?.c.h
0010: A6 6E 7A FD A1 4F 97 0B 9B 00 D3 85 F1 9D 4B 87 .nz..O........K.
...
...
]
***
%% Invalidated: [Session-4, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384]
https-jsse-nio-8080-exec-6, SEND TLSv1.2 ALERT: fatal, description = certificate_unknown
https-jsse-nio-8080-exec-6, WRITE: TLSv1.2 Alert, length = 2
https-jsse-nio-8080-exec-6, called closeSocket()
If I open https://localhost:443 in a browser, nginx proxies me to the correct site, and if I check the certificate it is there. So I believe the nginx config is correct.
Thanks in advance for your help!
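The server.ssl.* properties above only configure the embedded server's inbound TLS connector; a plain new RestTemplate() makes its outbound connection with the JVM default truststore (cacerts), which does not contain the self-signed root, hence the PKIX path building failure. Added example, not part of the original question, of a RestTemplate whose outbound TLS trusts the custom JKS truststore using only JDK classes and Spring's SimpleClientHttpRequestFactory; the truststore path and password are assumed from the properties in the question, and hostname verification is left enabled.

```java
import java.io.IOException;
import java.io.InputStream;
import java.net.HttpURLConnection;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.KeyStore;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;
import org.springframework.http.client.SimpleClientHttpRequestFactory;
import org.springframework.web.client.RestTemplate;

public final class TrustedRestTemplate {

    // Build an SSLContext whose trust anchors are exactly the certificates in the
    // given JKS truststore (root + intermediate), instead of the JVM's cacerts.
    static SSLContext sslContextFrom(Path truststore, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = Files.newInputStream(truststore)) {
            ks.load(in, password);
        }
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null); // no client key: client-auth is off
        return ctx;
    }

    // RestTemplate that hands the custom SSLContext to every HTTPS connection.
    // Hostname verification is untouched, so the server cert must still match "localhost".
    static RestTemplate restTemplate(SSLContext ctx) {
        SimpleClientHttpRequestFactory factory = new SimpleClientHttpRequestFactory() {
            @Override
            protected void prepareConnection(HttpURLConnection conn, String httpMethod)
                    throws IOException {
                if (conn instanceof HttpsURLConnection) {
                    ((HttpsURLConnection) conn).setSSLSocketFactory(ctx.getSocketFactory());
                }
                super.prepareConnection(conn, httpMethod);
            }
        };
        return new RestTemplate(factory);
    }

    public static void main(String[] args) throws Exception {
        // Assumed values, taken from the application.properties in the question.
        SSLContext ctx = sslContextFrom(Path.of("keystores/mycustom.truststore"), "changeit".toCharArray());
        System.out.println(restTemplate(ctx).getForObject("https://localhost:443/get", String.class));
    }
}
```

Passing -Djavax.net.ssl.trustStore=keystores/mycustom.truststore -Djavax.net.ssl.trustStorePassword=changeit on the JVM command line has the same effect for every client in the process, but replaces cacerts entirely, so public CAs are no longer trusted by that JVM.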