
AWS Secrets Manager Certificate issue

I am trying to run some Java code to get a secret from AWS Secrets Manager. The code is pretty basic.

    import com.amazonaws.ClientConfiguration;
    import com.amazonaws.Protocol;
    import com.amazonaws.services.secretsmanager.AWSSecretsManager;
    import com.amazonaws.services.secretsmanager.AWSSecretsManagerClientBuilder;
    import com.amazonaws.services.secretsmanager.model.DecryptionFailureException;
    import com.amazonaws.services.secretsmanager.model.GetSecretValueRequest;
    import com.amazonaws.services.secretsmanager.model.GetSecretValueResult;
    import com.amazonaws.services.secretsmanager.model.InternalServiceErrorException;
    import com.amazonaws.services.secretsmanager.model.InvalidParameterException;
    import com.amazonaws.services.secretsmanager.model.InvalidRequestException;
    import com.amazonaws.services.secretsmanager.model.ResourceNotFoundException;

    String region = "us-east-1";  // placeholder: the fragment referenced an undefined variable 'region'
    String secretName = "XXX";    // placeholder: the fragment referenced an undefined variable 'secretName'

    // Route the SDK's HTTPS calls through an HTTP proxy (credentials redacted).
    ClientConfiguration clientConfiguration = new ClientConfiguration();
    clientConfiguration.setProxyHost("myproxyhost");
    clientConfiguration.setProxyPort(80);
    clientConfiguration.setProxyUsername("XXX");
    clientConfiguration.setProxyPassword("XXX");
    clientConfiguration.setProxyProtocol(Protocol.HTTP);

    // Create a Secrets Manager client
    AWSSecretsManager client = AWSSecretsManagerClientBuilder.standard()
            .withRegion(region)
            .withClientConfiguration(clientConfiguration)
            .build();

    // In this sample we only handle the specific exceptions for the 'GetSecretValue' API.
    // See https://docs.aws.amazon.com/secretsmanager/latest/apireference/API_GetSecretValue.html
    // We rethrow the exception by default.

    GetSecretValueRequest getSecretValueRequest = new GetSecretValueRequest()
            .withSecretId(secretName);
    GetSecretValueResult getSecretValueResult = null;

    try {
        getSecretValueResult = client.getSecretValue(getSecretValueRequest);
    } catch (DecryptionFailureException e) {
        // Secrets Manager can't decrypt the protected secret text using the provided KMS key.
        // Deal with the exception here, and/or rethrow at your discretion.
        throw e;
    } catch (InternalServiceErrorException e) {
        // An error occurred on the server side.
        // Deal with the exception here, and/or rethrow at your discretion.
        throw e;
    } catch (InvalidParameterException e) {
        // You provided an invalid value for a parameter.
        // Deal with the exception here, and/or rethrow at your discretion.
        throw e;
    } catch (InvalidRequestException e) {
        // You provided a parameter value that is not valid for the current state of the resource.
        // Deal with the exception here, and/or rethrow at your discretion.
        throw e;
    } catch (ResourceNotFoundException e) {
        // We can't find the resource that you asked for.
        // Deal with the exception here, and/or rethrow at your discretion.
        throw e;
    }

When I get to the line where it actually gets the secret value, "getSecretValueResult = client.getSecretValue(getSecretValueRequest);", I get a stack trace.

In several places the trace contains this text:

    PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

I assume that this means I'm missing some certificate, but I don't know what to do to fix this.

I'm running this locally on a Mac.

Any help on getting around this certificate error is greatly appreciated.

I encountered the same issue and just got it working. The default truststore does not have a listing for https://secretsmanager.us-east-1.amazonaws.com. The way you can see the URL that the AWS client is trying to connect with (in your case it might be slightly different) is to turn on the Java system property javax.net.debug=all. You can do that via the command line or, if using Maven, like this:

    <plugin>
        <groupId>org.apache.maven.plugins</groupId>
        <artifactId>maven-surefire-plugin</artifactId>
        <version>2.22.2</version>
        <configuration>
            <systemPropertyVariables>
                <javax.net.ssl.trustStore>c:\\path to your cert truststore\\cacerts</javax.net.ssl.trustStore>
                <javax.net.ssl.trustStorePassword>changeit</javax.net.ssl.trustStorePassword>
                <javax.net.debug>all</javax.net.debug>
            </systemPropertyVariables>
        </configuration>
    </plugin>

Once you know the URL that the AWS client is trying to make the SSL handshake with (search the output/error log for "*** Certificate chain"), you'll see something like:

    *** Certificate chain
    chain [0] = [
    [
      Version: V3
      Subject: CN=secretsmanager.us-east-1.amazonaws.com

Now the problem is getting this certificate. Pull up this URL in the Chrome browser: https://secretsmanager.us-east-1.amazonaws.com. You'll get an error such as Missing Authentication Token.

Then just hit F12, click on the Security tab and download that certificate using the default values.

Now import that certificate into your Java truststore (I am using the git bash shell; if you are using DOS, change the format of the paths accordingly):

    $JAVA_HOME/bin/keytool -import -alias awsChromeCer2 -keystore /c/path to your keystore/cacerts -file /c/path to where you saved the certificate/awsChromeCert2.cer

Verify it is there:

    $JAVA_HOME/bin/keytool -list -keystore /c/path to your keystore/cacerts | grep aws

When it asks for a password, the default might be: changeit

Now you should be able to run it successfully without getting this exception:

    com.amazonaws.SdkClientException: Unable to execute HTTP request: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

Rather, you will successfully retrieve the AWS Secrets Manager secret that you were after. If you are using Maven, ensure you have those variables defined as I put in the above section, to point to your local truststore. Also ensure you have AWS credentials set up on your machine, but that is a separate issue.

I noticed the secretsmanager keys are rotating, which means you have to download them close to the time when you will use them. If you want to automate that you could do something like this:

    echo quit | openssl s_client -showcerts -servername secretsmanager.us-east-1.amazonaws.com -connect secretsmanager.us-east-1.amazonaws.com:443 > SM_cacert.pem

Either edit the certificate (delete all the text after -----END CERTIFICATE-----, leaving just one blank line after it)

OR

edit the certificate using this code from the bash shell:

    awk 'split_after == 1 {n++;split_after=0} /-----END CERTIFICATE-----/ {split_after=1}{print > "rds-ca-" n ".pem"}' < SM_cacert.pem

Import the new certificate into your truststore:

    $JAVA_HOME/bin/keytool -import -alias awsFromOpenSsl -keystore /c/path to your truststore/cacerts -file /c/path to the new cert file/rds-ca-.pem
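The fetch, split and import procedure from the answer above, written out as one added shell script; this is not code from the original answer. It differs from the answer in three ways a practitioner will care about: it imports the last certificate of the chain (the issuing CA) rather than the rotating leaf, so it does not have to be re-run each time the endpoint's certificate rotates; it can fetch the chain through the HTTP proxy from the question (openssl s_client -proxy), so you see the chain the JVM actually receives, which, if that proxy intercepts TLS, is signed by the proxy's own CA rather than Amazon's and that is then the CA to trust; and it imports into a private copy of the JDK cacerts and tells you how to point the JVM at the copy, leaving the JDK's own truststore untouched. Assumptions: openssl 1.1.0 or newer and keytool are on PATH, JAVA_HOME is set (on a Mac, export JAVA_HOME=$(/usr/libexec/java_home)), the hostname is the one from the question, and PROXY is an optional host:port environment variable. The bundle written by write_sample_bundle is constructed to exercise the splitter offline and contains no real certificates.

```shell
#!/usr/bin/env bash
# Added example (not code from the original answer): fetch the certificate
# chain a JVM would see for the Secrets Manager endpoint, split it into one
# PEM file per certificate, and import the issuing CA into a private copy of
# the JDK truststore. Assumes openssl >= 1.1.0 and keytool on PATH and
# JAVA_HOME set; the host and PROXY values in main() are placeholders.
set -eu

# Fetch the chain presented for $1 (host), optionally through an HTTP proxy
# given as $2 (host:port, empty for a direct connection), into file $3.
# -servername sends SNI so the endpoint returns the right certificate;
# -proxy makes openssl issue an HTTP CONNECT like the SDK would (it sends no
# proxy credentials, so an authenticating proxy needs a direct run instead).
fetch_chain() {
  host="$1"; proxy="$2"; out="$3"
  if [ -n "$proxy" ]; then
    openssl s_client -showcerts -servername "$host" -connect "$host:443" \
      -proxy "$proxy" </dev/null >"$out" 2>/dev/null || true
  else
    openssl s_client -showcerts -servername "$host" -connect "$host:443" \
      </dev/null >"$out" 2>/dev/null || true
  fi
}

# Split a PEM bundle (as written by `openssl s_client -showcerts`) into
# $2-0.pem, $2-1.pem, ... in chain order and print how many were found.
# Generalises the awk one-liner in the answer above: the s_client banner
# lines between certificates are dropped and numbering starts at 0.
split_chain() {
  awk -v prefix="$2" '
    BEGIN { n = 0 }
    /-----BEGIN CERTIFICATE-----/ { out = prefix "-" n ".pem"; inside = 1 }
    inside { print > out }
    /-----END CERTIFICATE-----/   { close(out); inside = 0; n++ }
    END { print n }
  ' "$1"
}

# Path of the last certificate in a chain split with prefix $1 and count $2:
# the issuer (intermediate or root), which is what should be trusted. The
# leaf rotates; its issuer does not, so no re-import is needed on rotation.
ca_cert_path() {
  echo "$1-$(($2 - 1)).pem"
}

# Print subject/issuer/expiry for each PEM file given, so you can see who
# really signed the chain. Behind a TLS-intercepting proxy the issuer is the
# proxy's CA rather than Amazon's, and that is the CA the JVM must trust.
describe_chain() {
  for f in "$@"; do
    openssl x509 -in "$f" -noout -subject -issuer -enddate
  done
}

# Import $1 into truststore $2 under alias $3 and list it back.
# The JDK's cacerts is never edited in place; main() works on a copy.
import_cert() {
  keytool -importcert -noprompt -alias "$3" -file "$1" \
    -keystore "$2" -storepass changeit
  keytool -list -keystore "$2" -storepass changeit -alias "$3"
}

# Constructed sample, NOT real certificates: mimics the shape of s_client
# -showcerts output so split_chain can be exercised without network access.
write_sample_bundle() {
  cat >"$1" <<'EOF'
CONNECTED(00000003)
---
Certificate chain
 0 s:CN = secretsmanager.us-east-1.amazonaws.com
   i:CN = Example Intermediate CA
-----BEGIN CERTIFICATE-----
LEAFPLACEHOLDERNOTREALBASE64DATA
-----END CERTIFICATE-----
 1 s:CN = Example Intermediate CA
   i:CN = Example Root CA
-----BEGIN CERTIFICATE-----
INTERMEDIATEPLACEHOLDERNOTREALBASE64DATA
-----END CERTIFICATE-----
---
Server certificate
EOF
}

main() {
  host="secretsmanager.us-east-1.amazonaws.com"   # endpoint from the question
  proxy="${PROXY:-}"                              # e.g. PROXY=myproxyhost:80
  work="$(mktemp -d)"
  jdk_cacerts="$JAVA_HOME/lib/security/cacerts"                                # JDK 9+
  [ -f "$jdk_cacerts" ] || jdk_cacerts="$JAVA_HOME/jre/lib/security/cacerts"  # JDK 8
  cp "$jdk_cacerts" "$work/cacerts"

  fetch_chain "$host" "$proxy" "$work/chain.txt"
  count="$(split_chain "$work/chain.txt" "$work/cert")"
  [ "$count" -gt 0 ] || { echo "no certificates returned for $host" >&2; return 1; }
  describe_chain "$work"/cert-*.pem
  import_cert "$(ca_cert_path "$work/cert" "$count")" "$work/cacerts" aws-secretsmanager-ca
  echo "start the JVM with -Djavax.net.ssl.trustStore=$work/cacerts -Djavax.net.ssl.trustStorePassword=changeit"
}

# Network and keytool steps only run on an explicit "run" argument.
case "${1:-}" in run) main ;; esac
```

Run it as `sh fetch_aws_ca.sh run` (the file name is hypothetical), with `PROXY=myproxyhost:80` exported if you want the chain as seen through the proxy from the question. The describe_chain output is the check worth reading before importing anything: if the issuer of the last certificate is not an Amazon CA, the proxy is presenting its own chain and trusting Amazon's certificate would not fix the PKIX error.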
