Postgresql无法接受SSL连接:sslv3警报证书未知
[英]Postgresql could not accept SSL connection: sslv3 alert certificate unknown
问题描述
I'm using SpringBoot with configuration datasource.url = jdbc:postgresql://...../mydb?ssl=true&sslFactory=....nonValidating... 
我正在使用SpringBoot配置datasource.url = jdbc:postgresql://..... / mydb?ssl = true&sslFactory = .... nonValidating ...
in my application.yml 在我的application.yml中
port: 8443
ssl:
enabled: true
key-alias: PGSQLServerHostNameHere
key-store: keystore.jks
key-store-password:....
key-store-type: JKS
trust-store: #this one is irrelevant, it's just a...
### ... trust store for other restTemplate stuff
trust-store-password: ....
key-password: ....
ciphers: "TLSv1.2"
protocol: TLS
However, Postgresql also is setup and running with SSL=on. 但是,Postgresql也设置并运行SSL = on。 ssl_ciphers='TLSv1.2' 的ssl_ciphers = 'TLSv1.2工作'
However in PGSQL logs I get: 但是在PGSQL日志中,我得到:
Postgresql could not accept SSL connection: sslv3 alert certificate unknown
I get an error in my spring boot app on prod (this error doesn't happen with my self-signed cert in local): 我在prod上的春季启动应用程序中出现错误(本地的自签名证书不会发生此错误):
org.postgresql...PSQLException: SSL error: sun.security.validator.ValdiatorException: PKIX path building failed:
sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
SSL Cert Configs SSL证书配置
I have the signed certificates in root.crt for postgresql server (including the Java app server's signed certificate inside with the right alias). 我在root.crt中为postgresql服务器签名了证书(包括Java app服务器的签名证书,里面有正确的别名)。
I have the signed certificate of the postgresql server (alias: PGSQLServerHostNameHere) in the JKS file as a "trustEntry" for my keystore.jks. 我在JKS文件中将postgresql服务器的签名证书(别名:PGSQLServerHostNameHere)作为我的keystore.jks的“trustEntry”。
I have privateKeyEntry in my keystore.jks for my own server. 我的keystore.jks中有privateKeyEntry用于我自己的服务器。
I have the root CAs in the keystore.jks. 我在keystore.jks中有根CA.
The SpringBoot app works fine in my local machine with a self-signed JKS. SpringBoot应用程序在我的本地机器上使用自签名JKS可以正常工作。
But Postgresql is a problem... rejecting my communications from the java app server. 但Postgresql是一个问题...拒绝我从Java应用服务器的通信。
postgresql.conf: postgresql.conf中:
ssl = on
ssl_ciphers = 'TLSv1.2'
(everything else is default)
pg_hba.conf 的pg_hba.conf
hostssl all all md5
2 个解决方案
解决方案1
1 2017-04-30 18:18:38
Postgresql could not accept SSL connection: sslv3 alert certificate unknown .... sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
This means that the client could not accept the certificate from the server, probably because the CA which issued that certificate is not in the trust store. 这意味着客户端无法接受来自服务器的证书,可能是因为颁发该证书的CA不在信任库中。 And the client sends this server this problem as alert so that the server knows why the connection fails. 并且客户端将此服务器作为警报发送此服务器,以便服务器知道连接失败的原因。
But Postgresql is a problem... rejecting my communications from the java app server.
No, your Java application is rejecting the communication with Postgresql because it does not trust the certificate. 不,您的Java应用程序拒绝与Postgresql的通信,因为它不信任证书。 What you see in the error message from Postgresql is just what your Java application has send as the reason why it will not continue with the TLS handshake. 您在Postgresql的错误消息中看到的正是您的Java应用程序发送的内容,因为它不会继续TLS握手。
解决方案2
1 已采纳 2017-05-12 13:23:11
I guess the only way was to look at JSSE implementation and add -Djavax.net.ssl type commands to command-line or to add it to System.setProperty() . 我想唯一的方法是查看JSSE实现并将-Djavax.net.ssl类型命令添加到命令行或将其添加到System.setProperty() 。
Additionally, you can add it to the url of the JDBC ssl_cert=... &ssl_key=... etc. 此外,您可以将其添加到JDBC ssl_cert=... &ssl_key=...等的URL中。
Had to find the right commands for postgresql. 不得不为postgresql找到合适的命令。 It's not well-documented. 它没有详细记录。
the application.yml "ssl" properties are unrelated to javax.net.ssl application.yml “ssl”属性与javax.net.ssl无关
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.