尤里卡 - 无法使用双向 SSL 自行注册尤里卡服务器

Question

我一直在尝试制作两个 ssl 来保护微服务之间的通信。 当服务 A 想要注册到 EurekaServer 时，它实际上正在工作。 但是，当我尝试将 eureka 注册到同一个 eureka 服务器或其他 eureka 实例时，我总是遇到错误的证书异常。

这是我来自尤里卡服务器的 application.yml

server:
  port: ${SERVER_SSL_PORT:${PORT:10100}}
  ssl:
    enabled: true
    client-auth: need
    key-alias: ${JKS_ALIAS}
    key-password: ${JKS_KEY_PASSWORD}
    key-store-type: ${JKS_TYPE}
    key-store-provider: ${JKS_PROVIDER:SUN}
    key-store: ${JKS_PATH}
    key-store-password: ${JKS_KEY_PASSWORD}
    trust-store: ${JKS_PATH}
    trust-store-password: ${JKS_KEY_PASSWORD}
    trust-store-provider: ${JKS_PROVIDER:SUN}
    trust-store-type: ${JKS_TYPE}

## EUREKA CONFIGURATION
eureka:
  client:
    enabled: true
    register-with-eureka: true
    fetch-registry: false
    service-url:
      defaultZone: ${SVC_REGISTRY:https://localhost:14102/eureka}
    prefer-same-zone-eureka: true
    healthcheck:
      enabled: true
    tls:
      enabled: true
      key-store: ${JKS_PATH}
      key-password: ${JKS_KEY_PASSWORD}
      key-store-type: ${JKS_TYPE}
      key-store-password: ${JKS_KEYSTORE_PASSWORD}
      trust-store: ${JKS_PATH}
      trust-store-password: ${JKS_KEY_PASSWORD}
      trust-store-type: ${JKS_TYPE}
  instance:
    instance-id: ${SERVER_NAME:${spring.application.name}:${server.port}}@${eureka.instance.hostname}
    hostname: ${SERVER_HOST:localhost}
    home-page-url: https://${eureka.instance.hostname}:${server.port}${server.contextPath:}
    status-page-url: https://${eureka.instance.hostname}:${server.port}${server.contextPath:}${management.endpoints.web.base-path:}/info
    health-check-url: https://${eureka.instance.hostname}:${server.port}${server.contextPath:}${management.endpoints.web.base-path:}/health
    secure-health-check-url: https://${eureka.instance.hostname}:${server.port}${server.contextPath:}${management.endpoints.web.base-path:}/health
    lease-renewal-interval-in-seconds: 10
    prefer-ip-address: true
    metadata-map:
      instanceId: ${eureka.instance.instance-id}
      zone: ${SERVER_ZONE:local}
    non-secure-port-enabled: false
    secure-port-enabled: true
    secure-port: ${server.port}

我也尝试添加这个配置来修改 JerseyClient

    @Bean
    @SneakyThrows
    public DiscoveryClient.DiscoveryClientOptionalArgs discoveryClientOptionalArgs2() {
        

        DiscoveryClient.DiscoveryClientOptionalArgs args = new DiscoveryClient.DiscoveryClientOptionalArgs();

        EurekaJerseyClientImpl.EurekaJerseyClientBuilder clientBuilder = new EurekaJerseyClientImpl.EurekaJerseyClientBuilder()
                .withClientName("DiscoveryClient-HTTPClient-Custom")
                .withUserAgent("Java-EurekaClient")
                .withConnectionTimeout(config.getEurekaServerConnectTimeoutSeconds() * 1000)
                .withReadTimeout(config.getEurekaServerReadTimeoutSeconds() * 1000)
                .withMaxConnectionsPerHost(config.getEurekaServerTotalConnectionsPerHost())
                .withMaxTotalConnections(config.getEurekaServerTotalConnections())
                .withConnectionIdleTimeout(config.getEurekaConnectionIdleTimeoutSeconds() * 1000)
                .withEncoderWrapper(CodecWrappers.getEncoder(config.getEncoderName()))
                .withDecoderWrapper(CodecWrappers.resolveDecoder(config.getDecoderName(), config.getClientDataAccept()))
                .withCustomSSL(sslContext());
               
        EurekaJerseyClient jerseyClient = clientBuilder.build();
        args.setEurekaJerseyClient(jerseyClient);//Provide custom EurekaJerseyClient to override default one
        return args;
    }

    @Bean
    public SSLContext sslContext() throws Exception {
        log.info("initialize ssl context bean with keystore {} ", env.getProperty("JKS_PATH"));
        char[] password = env.getProperty("JKS_KEY_PASSWORD").toCharArray();
        return new SSLContextBuilder()
                .loadTrustMaterial(ResourceUtils.getFile(env.getProperty("JKS_PATH")), password).build();
    }

但我不断收到此错误

2022-09-01 18:44:01.522 INFO 26829 --- [tbeatExecutor-0] c.ndstdRedirectingEurekaHttpClient：请求执行错误。 endpoint=DefaultEndpoint{ serviceUrl='https://XXXXXXXXXXXXXXXXXXXX:DDDD/eureka/}, exception=javax.net.ssl.SSLHandshakeException: Received fatal alert: bad_certificate stacktrace=com.sun.jersey.api.client.ClientHandlerException: javax. net.ssl.SSLHandshakeException: Received fatal alert: bad_certificate at com.sun.jersey.client.apache4.ApacheHttpClient4Handler.handle(ApacheHttpClient4Handler.java:187) at com.sun.jersey.api.client.Client.handle(Client.java :652) at com.sun.jersey.api.client.WebResource.handle(WebResource.java:682) at Z4D236D9A2D102 C5FE6AD1C50DA4BEC50Z.sun.jersey.api.client.WebResource.access$200(WebResource.java:74) at com.sun.jersey.api.client.WebResource$Builder.put(WebResource.java:529) at

证书应该没问题，因为它与我用来在服务 A 和注册表之间制作 2way SSL 的证书相同。 我也在具有有效证书的真实服务器上对此进行测试。

对此有任何线索吗？

提前致谢！ 欣赏它

Answer 1

我找到了问题的根本原因。 我认为这个属性是真的

prefer-ip-address: true

但它应该是错误的，因为我的证书注册了主机名，而不是 IP。 因此，当它尝试验证证书时，它正在比较不同的主机名与 ip 并且它抛出了 bad_certificate 异常。