Jetty 9.3.1.v20150714
配置了包含3个证书的密钥库:服务器证书,CA证书和GeoTrust根证书。
使用keytool -list -keystore jetty/etc/keystore -storetype pkcs12
表示它具有以下证书-
Keystore type: PKCS12
Keystore provider: SunJSSE
Your keystore contains 4 entries
jetty, Aug 29, 2015, PrivateKeyEntry,
Certificate fingerprint (SHA1): A3:...:10
root, Aug 30, 2015, trustedCertEntry,
Certificate fingerprint (SHA1): DE:28:F4:A4:FF:E5:B9:2F:A3:C5:03:D1:A3:49:A7:F9:96:2A:82:12
ca, Aug 30, 2015, trustedCertEntry,
Certificate fingerprint (SHA1): 0E:34:14:18:46:E7:42:3D:37:F2:0D:C0:AB:06:C9:BB:D8:43:DC:24
server, Aug 30, 2015, trustedCertEntry,
Certificate fingerprint (SHA1): 20:...:E3
服务器加载后,日志显示它加载了证书-
2015-08-30 05:32:47 main ServerConnector [INFO] Started ServerConnector@34849eef{HTTP/1.1,[http/1.1, h2c, h2c-17, h2c-16, h2c-15, h2c-14]}{0.0.0.0:8080}
2015-08-30 05:32:47 main SslContextFactory [DEBUG] Certificate cn alias=jetty cn=example.com in SslContextFactory@7af707e0(file:///usr/share/jetty/jetty-distribution-9.3.1.v20150714/etc/keystore,file:///usr/share/jetty/jetty-distribution-9.3.1.v20150714/etc/keystore)
2015-08-30 05:32:47 main SslContextFactory [DEBUG] Certificate cn alias=root cn=GeoTrust Global CA in SslContextFactory@7af707e0(file:///usr/share/jetty/jetty-distribution-9.3.1.v20150714/etc/keystore,file:///usr/share/jetty/jetty-distribution-9.3.1.v20150714/etc/keystore)
2015-08-30 05:32:47 main SslContextFactory [DEBUG] Certificate SAN alias=server cn=example.com in SslContextFactory@7af707e0(file:///usr/share/jetty/jetty-distribution-9.3.1.v20150714/etc/keystore,file:///usr/share/jetty/jetty-distribution-9.3.1.v20150714/etc/keystore)
2015-08-30 05:32:47 main SslContextFactory [INFO] x509={example.com=server} wild={} alias=null for SslContextFactory@7af707e0(file:///usr/share/jetty/jetty-distribution-9.3.1.v20150714/etc/keystore,file:///usr/share/jetty/jetty-distribution-9.3.1.v20150714/etc/keystore)
2015-08-30 05:32:47 main SslContextFactory [DEBUG] managers=[sun.security.ssl.SunX509KeyManagerImpl@36c54a56] for SslContextFactory@7af707e0(file:///usr/share/jetty/jetty-distribution-9.3.1.v20150714/etc/keystore,file:///usr/share/jetty/jetty-distribution-9.3.1.v20150714/etc/keystore)
但是,当尝试使用HTTPS连接服务器时,由于证书错误(自签名)而失败。
使用
openssl s_client -connect example.com:443
检查返回的证书将返回-CONNECTED(00000003)
depth=0 C = ..., CN = example.com
verify error:num=18:self signed certificate
verify return:1
depth=0 C = ..., CN = example.com
verify return:1
---
Certificate chain
0 s:/C=.../CN=example.com
i:/C=.../CN=example.com
---
它仅显示1个自签名证书,而不显示密钥库中的证书。尝试将HTTPS命令发送到服务器时,它会在日志中显示-
2015-08-30 06:06:52 qtp1579572132-17 SslContextFactory [DEBUG] Customize 1d4638d[SSLEngine[hostname=12.13.14.15 port=25453] SSL_NULL_WITH_NULL_NULL]
2015-08-30 06:06:52 qtp1579572132-17 SslContextFactory [DEBUG] Enable SNI matching 1d4638d[SSLEngine[hostname=12.13.14.15 port=25453] SSL_NULL_WITH_NULL_NULL]
2015-08-30 06:06:52 qtp1579572132-20 SslContextFactory [DEBUG] matches=type=host_name (0), value=example.com for org.eclipse.jetty.util.ssl.SslContextFactory$AliasSNIMatcher@22497dda
2015-08-30 06:06:52 qtp1579572132-20 SslContextFactory [DEBUG] matched example.com->server
2015-08-30 06:06:52 qtp1579572132-16 HttpParser [WARN] parse exception: java.lang.IllegalStateException: too much data seeking EOF in CLOSE for HttpChannelOverHttp@37b97125{r=1,c=false,a=IDLE,uri=-}
我通过关闭服务器来确保它连接到正确的服务器,然后得到一个
CONNECTION REFUSED
,还尝试删除密钥库文件,并且服务器无法加载,这意味着它使用的是正确的文件。该自签名的1长证书链从何而来?服务器是否可能定义了两个密钥库?
更新资料
使用所有三个证书的
openssl s_client
正确显示了用另一种(有效的)密钥库进行替换。这意味着问题出在原始密钥库中,如上所示,它具有3个公共证书,但是
openssl
仅输出1个自签名证书。以下是用于生成密钥库的命令-
keytool -genkeypair -storetype pkcs12 -keyalg RSA -keysize 2048 -keystore keystore.p12 -alias jetty
keytool -certreq -alias jetty -keystore keystore.p12 -storetype pkcs12 -file jetty.csr -keyalg RSA
# send CSR file to a CA for signing. got back 3 CRT files.
keytool -import -alias root -keystore keystore.p12 -storetype pkcs12 -trustcacerts -file root.crt
keytool -import -alias ca -keystore keystore.p12 -storetype pkcs12 -trustcacerts -file ca.crt
keytool -import -alias server -keystore keystore.p12 -storetype pkcs12 -trustcacerts -file server.crt
最佳答案
密钥库构建不正确。
添加到密钥库的最后一个条目具有别名server
而不是jetty
,后者是私钥的别名。这样做会阻止识别证书对私钥的答复。
为了解决这个问题,我从密钥库中删除了所有证书,并为它们添加了正确的别名。
keytool -import -alias root -keystore keystore.p12 -storetype pkcs12 -trustcacerts -file root.crt
keytool -import -alias inter -keystore keystore.p12 -storetype pkcs12 -trustcacerts -file ca.crt
keytool -import -alias jetty -keystore keystore.p12 -storetype pkcs12 -trustcacerts -file server.crt
在最后一条命令之后,keytool将以
Certificate reply was installed in keystore
响应,指示它识别出服务器证书响应。我不确定它是否有影响,但是我不称其为CA的中间证书
ca
,而是在工作的密钥库中称其为inter
,我认为这不是必需的,但值得一提。