
Self-signed certificates, Java, Hudson and JIRA

I'm trying to set up the Hudson JIRA plugin. Our JIRA server is secured with a self-signed SSL certificate. I've inserted the certificate my web browser has stored using the keytool command, and gotten Hudson to find it. But now it complains:

java.security.cert.CertificateException: No subject alternative names present

The common name of the certificate is "Unknown", and I do not see any subject alternative names in the certificate:

$ openssl x509 -in Unknown -text -noout
Certificate:
    Data:
        Version: 1 (0x0)
        Serial Number: 1214507595 (0x4863ea4b)
        Signature Algorithm: md5WithRSAEncryption
        Issuer: C=US, ST=NJ, L=[Our town], O=[Our company], OU=[Our project], CN=Unknown
        Validity
            Not Before: Jun 26 19:13:15 2008 GMT
            Not After : May  5 19:13:15 2018 GMT
        Subject: C=US, ST=NJ, L=[Our town], O=[Our company], OU=[Our project], CN=Unknown
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                [omitted]
    Signature Algorithm: md5WithRSAEncryption
        [omitted]

(Identifying info redacted and noted in brackets.)

Is there a way to attach a subject alternative name to this certificate? Or is there some other way? Or am I forced to hack the Hudson JIRA plugin?

The hostname used to access your Jira server (e.g. jira.acme.com in https://jira.acme.com/) must either match one of the CN fields of the subject name or, when it doesn't, one of the Subject Alternative Names of the cert.

This is detailed in RFC 2818:

In some cases, the URI is specified as an IP address rather than a hostname. In this case, the iPAddress subjectAltName must be present in the certificate and must exactly match the IP in the URI.

In your case, Java is complaining because neither the CN ("Unknown") nor a Subject Alternative Name (since you have none) matched the hostname of your Jira server.

So, either generate a certificate with the appropriate CN, for example using keytool:

To create a keypair and self-signed certificate:

$ keytool -genkey -alias jira_acme_com -keyalg RSA -keysize 2048 -validity 365 -keystore jira_acme_com.jks
Enter keystore password:  
Re-enter new password: 
What is your first and last name?
  [Unknown]:  jira.acme.com
What is the name of your organizational unit?
  [Unknown]:  Our project
What is the name of your organization?
  [Unknown]:  Our company
What is the name of your City or Locality?
  [Unknown]:  Our town
What is the name of your State or Province?
  [Unknown]:  NJ
What is the two-letter country code for this unit?
  [Unknown]:  US
Is CN=jira.acme.com, OU=Our project, O=Our company, L=Our town, ST=NJ, C=US correct?
  [no]:  y

Enter key password for <jira_acme_com>
        (RETURN if same as keystore password):

To view the personal information:

$ keytool -list -v -keystore jira_acme_com.jks 
Enter keystore password:  

Keystore type: JKS
Keystore provider: SUN

Your keystore contains 1 entry

Alias name: jira_acme_com
Creation date: Sep 4, 2010
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=jira.acme.com, OU=Our project, O=Our company, L=Our town, ST=NJ, C=US
Issuer: CN=jira.acme.com, OU=Our project, O=Our company, L=Our town, ST=NJ, C=US
Serial number: 4c81e9a9
Valid from: Sat Sep 04 10:39:37 CEST 2010 until: Sun Sep 04 10:39:37 CEST 2011
Certificate fingerprints:
     MD5:  15:6A:E3:14:E2:78:F4:95:41:E6:33:C9:F8:8B:64:23
     SHA1: CD:A6:9A:84:18:E8:62:50:2C:DC:2F:89:22:F6:BA:E9:1A:63:F6:C6
     Signature algorithm name: SHA1withRSA
     Version: 3

And set up Tomcat to use the keystore.

Or, if you want to create a multihomed certificate, you'll have to use OpenSSL (keytool cannot add X509 extensions such as Subject Alternative Name). These links are excellent resources:

Update: Given that you can't change the certificate (you really should have mentioned that), a temporary solution could be to change the local /etc/hosts file of the required machines to resolve Unknown to the real IP of the machine:

123.123.123.123    Unknown

So that you could access https://Unknown/ from these machines. But obviously, this is more a dirty hack than a real solution and doesn't scale.

Contacting the admins to get a real "good" certificate is still the proper solution.

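The matching rules the answer above describes, worked through in code. This is an added example, not code from the original post, from Hudson or from the JDK: a small Python model of the RFC 2818 section 3.1 server-identity check, as the JDK's HostnameChecker applies it, run against three constructed certificates in the dict shape that Python's `ssl.getpeercert()` returns: the question's CN=Unknown certificate, the keytool-generated CN=jira.acme.com certificate from the answer, and a hypothetical certificate with dNSName and iPAddress SAN entries (the 123.123.123.123 address is the answer's placeholder; `*.acme.com` and `wiki.acme.com` are assumed). One detail is worth knowing: the JDK's HostnameChecker produces the exact message from the question, "No subject alternative names present", only on its IP-address branch, i.e. when the URL names the server by IP and the certificate has no SAN extension at all; for a hostname it reports "No name matching ... found" instead. So fixing the CN alone, as in the keytool transcript above, only helps when Hudson is configured with the hostname rather than the IP. Note also that keytool from JDK 7 onward can add the extension itself (`keytool -genkeypair ... -ext SAN=dns:jira.acme.com,ip:123.123.123.123`), which the answer predates.

```python
"""RFC 2818 section 3.1 server-identity check, modelled on the JDK's HostnameChecker.

Added example. Certificates use the dict shape returned by ssl.SSLSocket.getpeercert():
'subject' is a tuple of RDNs, each a tuple of (type, value) pairs; 'subjectAltName' is a
tuple of (kind, value) pairs with kind 'DNS' or 'IP Address'. All certificates below are
constructed for the example, not captured from a real server.
"""
import ipaddress


class CertificateError(Exception):
    """Raised when the presented identity does not cover the expected name."""


def _common_names(cert):
    """CN values in subject order; the last one is the most specific."""
    return [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]


def _dns_name_match(presented, hostname):
    """Case-insensitive match of one presented DNS name against hostname.

    A wildcard counts only as the entire left-most label, matches exactly one
    label, and needs at least two labels to its right, so '*.com' never matches.
    """
    presented = presented.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not presented.startswith("*."):
        return presented == hostname          # anything else is a literal name
    p_labels, h_labels = presented.split("."), hostname.split(".")
    if len(p_labels) < 3 or len(p_labels) != len(h_labels) or "*" in hostname:
        return False
    return p_labels[1:] == h_labels[1:]


def match_hostname(cert, expected):
    """Return the presented name that covers `expected`, or raise CertificateError.

    `expected` is the host part of the URL: a DNS name or an IP literal
    (IPv6 may be bracketed as in URLs).
    """
    san = cert.get("subjectAltName")
    try:
        ip = ipaddress.ip_address(expected.strip("[]"))
    except ValueError:
        ip = None

    if ip is not None:
        # RFC 2818: a URI that names the server by IP needs an iPAddress SAN that
        # matches exactly; the CN is never consulted. With no SAN extension at all,
        # the JDK's HostnameChecker reports exactly the message from the question.
        if san is None:
            raise CertificateError("No subject alternative names present")
        for kind, value in san:
            if kind == "IP Address":
                try:
                    if ipaddress.ip_address(value) == ip:
                        return value
                except ValueError:            # malformed iPAddress entry: skip it
                    continue
        raise CertificateError("No subject alternative names matching IP address "
                               f"{expected} found")

    dns_names = [v for k, v in (san or ()) if k == "DNS"]
    for name in dns_names:
        if _dns_name_match(name, expected):
            return name
    if dns_names:
        # Once any dNSName entries exist, the CN is ignored (RFC 6125; JDK behaviour).
        raise CertificateError(f"No subject alternative DNS name matching {expected} found.")

    # Legacy fallback: no dNSName entries, so the most specific CN is consulted.
    cns = _common_names(cert)
    if cns and _dns_name_match(cns[-1], expected):
        return cns[-1]
    raise CertificateError(f"No name matching {expected} found")


def _subject(cn):
    # Same attributes as the question's certificate; only the CN differs.
    return ((("countryName", "US"),), (("stateOrProvinceName", "NJ"),),
            (("localityName", "Our town"),), (("organizationName", "Our company"),),
            (("organizationalUnitName", "Our project"),), (("commonName", cn),))


# The question's certificate: CN=Unknown, X.509 v1, so it cannot carry a SAN extension.
CERT_UNKNOWN = {"subject": _subject("Unknown")}
# The keytool-generated certificate from the answer: right CN, still no SAN.
CERT_CN_ONLY = {"subject": _subject("jira.acme.com")}
# A hypothetical multihomed certificate; the wildcard and IP values are assumed.
CERT_SAN = {"subject": _subject("jira.acme.com"),
            "subjectAltName": (("DNS", "jira.acme.com"), ("DNS", "*.acme.com"),
                               ("IP Address", "123.123.123.123"))}


def check(cert, expected):
    """Non-raising wrapper: (True, matched_name) or (False, error_message)."""
    try:
        return True, match_hostname(cert, expected)
    except CertificateError as exc:
        return False, str(exc)


if __name__ == "__main__":
    certs = [("CN=Unknown", CERT_UNKNOWN), ("CN=jira.acme.com", CERT_CN_ONLY), ("with SAN", CERT_SAN)]
    for label, cert in certs:
        for target in ("jira.acme.com", "123.123.123.123", "Unknown", "wiki.acme.com"):
            ok, detail = check(cert, target)
            print(f"{label:16} {target:16} {'OK  ' if ok else 'FAIL'} {detail}")
```

Running it shows the three situations on this page side by side: the CN=Unknown certificate is accepted only for the literal name "Unknown" (the /etc/hosts hack) and yields "No subject alternative names present" for any IP; the CN=jira.acme.com certificate fixes access by hostname but still fails by IP, because the CN is never consulted for IP literals; only the certificate with SAN entries covers the IP, the hostname and the wildcard-matched wiki.acme.com, and once dNSName entries exist its CN is no longer consulted at all.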

If I'm not mistaken, SSL requires that the common name of the certificate contain the hostname that you're attempting to connect to, so that the client side can validate that the certificate is not just trusted in general, but trusted for the location.

I'm assuming you're generating the certificate with OpenSSL. Is there a reason you're not setting the cn=[yourserver]?

It may be that when it cannot find the proper hostname in the common name, the plug-in attempts to look for it in a subject alt name, and when that fails because there is no subjectAltName, you get a misleading error message.

Anyway, if you're using this for multiple sites, you need to have the hostnames in the subjectAltName. I've found a site that documents how to create your self-signed cert properly:

http://library.linode.com/ssl-guides/subject-alt-name-ssl

Hope this helps.

There are several possible solutions, each with its own set of pains.

  • Generate a new certificate for JIRA, this time specifying a CN when generating the secret key-pair for the certificate.

    I cannot see why a new certificate cannot be generated; I'm pretty sure that other clients of the JIRA server are also encountering some issues, especially warnings from browsers, for the described certificate. All clients (and client applications) must therefore be re-tested, but this is not a pain if the self-signed certificate has been issued by a local CA that is trusted by all clients.

  • Edit the DNS entries to ensure that the lookup of 'Unknown' from the Hudson server points to the server where JIRA is installed [I did remind someone that there are pains associated with some of the solutions :-) ]. This ensures that the value of the CN stored in the certificate matches the hostname - you'll need to configure Hudson to use a URL like http://Unknown/.... . And oh, use this only if you're in a really tight spot; you don't want to be explaining why you did this.

Note: the technical posts on this site are licensed under CC BY-SA 4.0; if you repost, cite this site or the original source.

 