我一直在尝试创建两个ssl来保护微服务之间的通信。当服务A想注册到EurekaServer时,它实际上是工作的。但是当我试图将eureka注册到同一个eureka服务器或eureka的其他示例时,我总是得到一个错误的证书异常。
这是我的应用程序.yml来自Eureka 服务器
server:
port: ${SERVER_SSL_PORT:${PORT:10100}}
ssl:
enabled: true
client-auth: need
key-alias: ${JKS_ALIAS}
key-password: ${JKS_KEY_PASSWORD}
key-store-type: ${JKS_TYPE}
key-store-provider: ${JKS_PROVIDER:SUN}
key-store: ${JKS_PATH}
key-store-password: ${JKS_KEY_PASSWORD}
trust-store: ${JKS_PATH}
trust-store-password: ${JKS_KEY_PASSWORD}
trust-store-provider: ${JKS_PROVIDER:SUN}
trust-store-type: ${JKS_TYPE}
## EUREKA CONFIGURATION
eureka:
client:
enabled: true
register-with-eureka: true
fetch-registry: false
service-url:
defaultZone: ${SVC_REGISTRY:https://localhost:14102/eureka}
prefer-same-zone-eureka: true
healthcheck:
enabled: true
tls:
enabled: true
key-store: ${JKS_PATH}
key-password: ${JKS_KEY_PASSWORD}
key-store-type: ${JKS_TYPE}
key-store-password: ${JKS_KEYSTORE_PASSWORD}
trust-store: ${JKS_PATH}
trust-store-password: ${JKS_KEY_PASSWORD}
trust-store-type: ${JKS_TYPE}
instance:
instance-id: ${SERVER_NAME:${spring.application.name}:${server.port}}@${eureka.instance.hostname}
hostname: ${SERVER_HOST:localhost}
home-page-url: https://${eureka.instance.hostname}:${server.port}${server.contextPath:}
status-page-url: https://${eureka.instance.hostname}:${server.port}${server.contextPath:}${management.endpoints.web.base-path:}/info
health-check-url: https://${eureka.instance.hostname}:${server.port}${server.contextPath:}${management.endpoints.web.base-path:}/health
secure-health-check-url: https://${eureka.instance.hostname}:${server.port}${server.contextPath:}${management.endpoints.web.base-path:}/health
lease-renewal-interval-in-seconds: 10
prefer-ip-address: true
metadata-map:
instanceId: ${eureka.instance.instance-id}
zone: ${SERVER_ZONE:local}
non-secure-port-enabled: false
secure-port-enabled: true
secure-port: ${server.port}我还尝试添加此配置以修改JerseyClient
@Bean
@SneakyThrows
public DiscoveryClient.DiscoveryClientOptionalArgs discoveryClientOptionalArgs2() {
DiscoveryClient.DiscoveryClientOptionalArgs args = new DiscoveryClient.DiscoveryClientOptionalArgs();
EurekaJerseyClientImpl.EurekaJerseyClientBuilder clientBuilder = new EurekaJerseyClientImpl.EurekaJerseyClientBuilder()
.withClientName("DiscoveryClient-HTTPClient-Custom")
.withUserAgent("Java-EurekaClient")
.withConnectionTimeout(config.getEurekaServerConnectTimeoutSeconds() * 1000)
.withReadTimeout(config.getEurekaServerReadTimeoutSeconds() * 1000)
.withMaxConnectionsPerHost(config.getEurekaServerTotalConnectionsPerHost())
.withMaxTotalConnections(config.getEurekaServerTotalConnections())
.withConnectionIdleTimeout(config.getEurekaConnectionIdleTimeoutSeconds() * 1000)
.withEncoderWrapper(CodecWrappers.getEncoder(config.getEncoderName()))
.withDecoderWrapper(CodecWrappers.resolveDecoder(config.getDecoderName(), config.getClientDataAccept()))
.withCustomSSL(sslContext());
EurekaJerseyClient jerseyClient = clientBuilder.build();
args.setEurekaJerseyClient(jerseyClient);//Provide custom EurekaJerseyClient to override default one
return args;
}
@Bean
public SSLContext sslContext() throws Exception {
log.info("initialize ssl context bean with keystore {} ", env.getProperty("JKS_PATH"));
char[] password = env.getProperty("JKS_KEY_PASSWORD").toCharArray();
return new SSLContextBuilder()
.loadTrustMaterial(ResourceUtils.getFile(env.getProperty("JKS_PATH")), password).build();
}但我一直收到这个错误
2022-09-01 18:44:01.522信息26829 --- [tbeatExecutor-0] c.n.d.s.t.d.重定向Eureka Http客户端:请求执行错误。端点=默认端点{ serviceUrl =“https://XXXXXXXXXXXXXXXXXXXXXX:DDDD/eureka/},异常=javax .NET.ssl. SSL握手异常:收到致命警报:异常错误:javax.net.ssl.SSLHandshakeException:收到致命警报:您可以在以下位置创建一个新的Web资源创建器:
证书应该是好的,因为它是我用来在服务A和注册表之间建立双向SSL的同一个证书。我也在一个真实的服务器上用有效的证书测试这个。
有什么线索吗?
先谢谢你了!非常感谢
1条答案
按热度按时间hsgswve41#
我找到了问题的根本原因。我把这个属性当作真
但它应该是假的,因为我的证书注册了主机名,而不是IP。所以当它尝试验证证书时,它比较的是主机名与IP,这是不同的,它抛出了bad_certificate异常。