如何修复 java.security.InvalidAlgorithmParameterException:连接到 elasticsearch 时 trustAnchors 参数必须为非空
[英]How to fix java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty when connecting to elasticsearch
问题描述
I am using elasticsearch 7.1.0.
我正在使用弹性搜索 7.1.0。 I want to connect to a secure elasicsearch cluster.我想连接到安全的 elasicsearch 集群。 When I am trying to write data with the the RestHighLevelClient I always get the exception no matter what.当我尝试使用 RestHighLevelClient 写入数据时,无论如何我总是得到异常。
I am running on Ubuntu 18.04.2 LTS and intellJ is using /usr/lib/jvm/java-11-openjdk-amd64 and I am using spring boot First I am creating an keystore and than I am adding the private key and the certificate chain.我在 Ubuntu 18.04.2 LTS 上运行,intellJ 正在使用 /usr/lib/jvm/java-11-openjdk-amd64 并且我正在使用 spring boot 首先我创建一个密钥库,然后添加私钥和证书链。 Than I am assigining the keystore to the Truststore.比我将密钥库分配给信任库。 When the @Bean HighRestLevelClient gets created I am adding the sslContext to the Rest client like shown here:当 @Bean HighRestLevelClient 创建时,我将 sslContext 添加到 Rest 客户端,如下所示:
https://www.elastic.co/guide/en/elasticsearch/client/java-rest/current/_encrypted_communication.html https://www.elastic.co/guide/en/elasticsearch/client/java-rest/current/_encrypted_communication.html
Please See the code.请看代码。
@Bean
public void initKeyStore() {
try {
log.info("start creating keystore");
KeyStore keyStore = KeyStore.getInstance("JKS");
char[] pwdArray = "pwd".toCharArray();
keyStore.load(null, pwdArray);
FileOutputStream fos = new FileOutputStream("absolutPathToKeystore/elasticKeyStore");
keyStore.store(fos, pwdArray);
CertificateFactory cf = CertificateFactory.getInstance("X.509");
Certificate certCA = cf.generateCertificate(new FileInputStream("es-certs/ca.crt"));
Certificate esNodeCert = cf.generateCertificate(new FileInputStream("es-node.crt"));
X509Certificate[] certificates = new X509Certificate[2];
certificates[0] = (X509Certificate)esNodeCert;
certificates[1] = (X509Certificate)certCA;
byte[] keyBytes = Files.readAllBytes(Paths.get("es-node-pkcs8.der"));;
PKCS8EncodedKeySpec pubSpec = new PKCS8EncodedKeySpec(keyBytes);
KeyFactory kf = KeyFactory.getInstance("RSA");
PrivateKey privateKey = kf.generatePrivate(pubSpec);
keyStore.setKeyEntry("secure-elastic-connection", privateKey, pwdArray, certificates);
System.setProperty("javax.net.ssl.trustStore", "absolutPathToKeystore/elasticKeyStore");
} catch (KeyStoreException | IOException | NoSuchAlgorithmException | CertificateException | InvalidKeySpecException e) {
log.error("something went wrong creating keystore");
log.error(e.getMessage());
}
log.info("finished creating keystore");
}
@Bean(destroyMethod = "close")
@DependsOn("initKeyStore")
public RestHighLevelClient client() {
RestHighLevelClient client = null;
try {
log.info("start setting up elastic search connection");
final CredentialsProvider credentialsProvider =
new BasicCredentialsProvider();
credentialsProvider.setCredentials(AuthScope.ANY,
new UsernamePasswordCredentials("elasticuser", "pwd"));
KeyStore truststore = KeyStore.getInstance(KeyStore.getDefaultType());
truststore.load(new FileInputStream("absolutPathTo/elasticKeyStore"), "pwd".toCharArray());
SSLContextBuilder sslBuilder = SSLContexts.custom()
.loadTrustMaterial(truststore, null);
final SSLContext sslContext = sslBuilder.build();
client = new RestHighLevelClient(
RestClient.builder(new HttpHost(esHost, esPort, "https"))
.setHttpClientConfigCallback(new RestClientBuilder.HttpClientConfigCallback() {
@Override
public HttpAsyncClientBuilder customizeHttpClient(
HttpAsyncClientBuilder httpClientBuilder) {
return httpClientBuilder.setDefaultCredentialsProvider(credentialsProvider).setSSLContext(sslContext);
}
}));
} catch (KeyStoreException | IOException | CertificateException e) {
log.info("something went wrong loading keystore for elasticsearch");
log.error(e.getMessage());
} catch (NoSuchAlgorithmException | KeyManagementException e) {
log.info("something went wrong loading sslcontext for elasticsearch");
log.error(e.getMessage());
}
log.info("finished setting up elasic search connection");
return client;
}
java.io.IOException: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty
at org.elasticsearch.client.RestClient$SyncResponseListener.get(RestClient.java:948)
at org.elasticsearch.client.RestClient.performRequest(RestClient.java:227)
at org.elasticsearch.client.RestHighLevelClient.internalPerformRequest(RestHighLevelClient.java:1433)
at org.elasticsearch.client.RestHighLevelClient.performRequest(RestHighLevelClient.java:1403)
at org.elasticsearch.client.RestHighLevelClient.performRequestAndParseEntity(RestHighLevelClient.java:1373)
at org.elasticsearch.client.RestHighLevelClient.index(RestHighLevelClient.java:821)
at com.x24factory.monitoring.service.ElasticsearchServiceImpl.sendOverviewPOJOToElastic(ElasticsearchServiceImpl.java:43)
at com.x24factory.monitoring.service.MonitoringCreatorServiceImpl.sendOverviewToElasticsearch(MonitoringCreatorServiceImpl.java:77)
at com.x24factory.monitoring.service.MonitoringCreatorServiceImpl.createMonitoring(MonitoringCreatorServiceImpl.java:38)
at com.x24factory.monitoring.MonitoringApplication.run(MonitoringApplication.java:56)
at org.springframework.boot.SpringApplication.callRunner(SpringApplication.java:813)
at org.springframework.boot.SpringApplication.callRunners(SpringApplication.java:797)
at org.springframework.boot.SpringApplication.run(SpringApplication.java:324)
at org.springframework.boot.SpringApplication.run(SpringApplication.java:1260)
at org.springframework.boot.SpringApplication.run(SpringApplication.java:1248)
at com.x24factory.monitoring.MonitoringApplication.main(MonitoringApplication.java:33)
Caused by: javax.net.ssl.SSLException: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty
at org.apache.http.nio.reactor.ssl.SSLIOSession.convert(SSLIOSession.java:258)
at org.apache.http.nio.reactor.ssl.SSLIOSession.doWrap(SSLIOSession.java:265)
at org.apache.http.nio.reactor.ssl.SSLIOSession.doHandshake(SSLIOSession.java:301)
at org.apache.http.nio.reactor.ssl.SSLIOSession.isAppInputReady(SSLIOSession.java:509)
at org.apache.http.impl.nio.reactor.AbstractIODispatch.inputReady(AbstractIODispatch.java:120)
at org.apache.http.impl.nio.reactor.BaseIOReactor.readable(BaseIOReactor.java:162)
at org.apache.http.impl.nio.reactor.AbstractIOReactor.processEvent(AbstractIOReactor.java:337)
at org.apache.http.impl.nio.reactor.AbstractIOReactor.processEvents(AbstractIOReactor.java:315)
at org.apache.http.impl.nio.reactor.AbstractIOReactor.execute(AbstractIOReactor.java:276)
at org.apache.http.impl.nio.reactor.BaseIOReactor.execute(BaseIOReactor.java:104)
at org.apache.http.impl.nio.reactor.AbstractMultiworkerIOReactor$Worker.run(AbstractMultiworkerIOReactor.java:591)
at java.base/java.lang.Thread.run(Thread.java:834)
Caused by: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty
at java.base/java.security.cert.PKIXParameters.setTrustAnchors(PKIXParameters.java:200)
at java.base/java.security.cert.PKIXParameters.<init>(PKIXParameters.java:120)
at java.base/java.security.cert.PKIXBuilderParameters.<init>(PKIXBuilderParameters.java:104)
at java.base/sun.security.validator.PKIXValidator.<init>(PKIXValidator.java:86)
at java.base/sun.security.validator.Validator.getInstance(Validator.java:181)
at java.base/sun.security.ssl.X509TrustManagerImpl.getValidator(X509TrustManagerImpl.java:308)
at java.base/sun.security.ssl.X509TrustManagerImpl.checkTrustedInit(X509TrustManagerImpl.java:176)
at java.base/sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:249)
at java.base/sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:141)
at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.checkServerCerts(CertificateMessage.java:620)
at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.onCertificate(CertificateMessage.java:461)
at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.consume(CertificateMessage.java:361)
at java.base/sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:392)
at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:448)
at java.base/sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction.run(SSLEngineImpl.java:1065)
at java.base/sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction.run(SSLEngineImpl.java:1052)
at java.base/java.security.AccessController.doPrivileged(Native Method)
at java.base/sun.security.ssl.SSLEngineImpl$DelegatedTask.run(SSLEngineImpl.java:999)
at org.apache.http.nio.reactor.ssl.SSLIOSession.doRunTask(SSLIOSession.java:281)
at org.apache.http.nio.reactor.ssl.SSLIOSession.doHandshake(SSLIOSession.java:339)
... 9 more
1 个解决方案
解决方案1
0 2019-12-17 13:48:35
I'm facing the same error on Elastic client for v6.8.2, although the client is created using ApacheHTTPClient and is working well on one environment but not on other.我在 v6.8.2 的 Elastic 客户端上遇到了同样的错误,尽管客户端是使用 ApacheHTTPClient 创建的,并且在一个环境中运行良好,但在其他环境中运行良好。
On digging up a bit, seems like OCP 4.x has some changes on route behaviors when it comes to Passthrough.稍微挖掘一下,似乎 OCP 4.x 在涉及 Passthrough 时对路由行为进行了一些更改。 On 3.6, the certificate is still required for Passthrough, but for 4.x, it just don't look for certificate at all.在 3.6 上,Passthrough 仍然需要证书,但对于 4.x,它根本不查找证书。 When changed the route to use Re-encrypt TLS termination policy, I started getting the above error (Edge being out of option since ES is SSL enabled).当更改路由以使用重新加密 TLS 终止策略时,我开始收到上述错误(由于 ES 启用了 SSL,因此 Edge 无法选择)。
Tried debugging the client code and SSL handshake was going fine, cert being picked up, validated by server and vice versa for server cert, but then abruptly closed connection.尝试调试客户端代码并且 SSL 握手进行得很好,证书被拾取,由服务器验证,反之亦然,服务器证书,但随后突然关闭连接。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.