[英]Eureka - Unable to register eureka server in itself by using Two Way SSL
我一直在尝试制作两个 ssl 来保护微服务之间的通信。 当服务 A 想要注册到 EurekaServer 时,它实际上正在工作。 但是,当我尝试将 eureka 注册到同一个 eureka 服务器或其他 eureka 实例时,我总是遇到错误的证书异常。
这是我来自尤里卡服务器的 application.yml
server:
port: ${SERVER_SSL_PORT:${PORT:10100}}
ssl:
enabled: true
client-auth: need
key-alias: ${JKS_ALIAS}
key-password: ${JKS_KEY_PASSWORD}
key-store-type: ${JKS_TYPE}
key-store-provider: ${JKS_PROVIDER:SUN}
key-store: ${JKS_PATH}
key-store-password: ${JKS_KEY_PASSWORD}
trust-store: ${JKS_PATH}
trust-store-password: ${JKS_KEY_PASSWORD}
trust-store-provider: ${JKS_PROVIDER:SUN}
trust-store-type: ${JKS_TYPE}
## EUREKA CONFIGURATION
eureka:
client:
enabled: true
register-with-eureka: true
fetch-registry: false
service-url:
defaultZone: ${SVC_REGISTRY:https://localhost:14102/eureka}
prefer-same-zone-eureka: true
healthcheck:
enabled: true
tls:
enabled: true
key-store: ${JKS_PATH}
key-password: ${JKS_KEY_PASSWORD}
key-store-type: ${JKS_TYPE}
key-store-password: ${JKS_KEYSTORE_PASSWORD}
trust-store: ${JKS_PATH}
trust-store-password: ${JKS_KEY_PASSWORD}
trust-store-type: ${JKS_TYPE}
instance:
instance-id: ${SERVER_NAME:${spring.application.name}:${server.port}}@${eureka.instance.hostname}
hostname: ${SERVER_HOST:localhost}
home-page-url: https://${eureka.instance.hostname}:${server.port}${server.contextPath:}
status-page-url: https://${eureka.instance.hostname}:${server.port}${server.contextPath:}${management.endpoints.web.base-path:}/info
health-check-url: https://${eureka.instance.hostname}:${server.port}${server.contextPath:}${management.endpoints.web.base-path:}/health
secure-health-check-url: https://${eureka.instance.hostname}:${server.port}${server.contextPath:}${management.endpoints.web.base-path:}/health
lease-renewal-interval-in-seconds: 10
prefer-ip-address: true
metadata-map:
instanceId: ${eureka.instance.instance-id}
zone: ${SERVER_ZONE:local}
non-secure-port-enabled: false
secure-port-enabled: true
secure-port: ${server.port}
我也尝试添加这个配置来修改 JerseyClient
@Bean
@SneakyThrows
public DiscoveryClient.DiscoveryClientOptionalArgs discoveryClientOptionalArgs2() {
DiscoveryClient.DiscoveryClientOptionalArgs args = new DiscoveryClient.DiscoveryClientOptionalArgs();
EurekaJerseyClientImpl.EurekaJerseyClientBuilder clientBuilder = new EurekaJerseyClientImpl.EurekaJerseyClientBuilder()
.withClientName("DiscoveryClient-HTTPClient-Custom")
.withUserAgent("Java-EurekaClient")
.withConnectionTimeout(config.getEurekaServerConnectTimeoutSeconds() * 1000)
.withReadTimeout(config.getEurekaServerReadTimeoutSeconds() * 1000)
.withMaxConnectionsPerHost(config.getEurekaServerTotalConnectionsPerHost())
.withMaxTotalConnections(config.getEurekaServerTotalConnections())
.withConnectionIdleTimeout(config.getEurekaConnectionIdleTimeoutSeconds() * 1000)
.withEncoderWrapper(CodecWrappers.getEncoder(config.getEncoderName()))
.withDecoderWrapper(CodecWrappers.resolveDecoder(config.getDecoderName(), config.getClientDataAccept()))
.withCustomSSL(sslContext());
EurekaJerseyClient jerseyClient = clientBuilder.build();
args.setEurekaJerseyClient(jerseyClient);//Provide custom EurekaJerseyClient to override default one
return args;
}
@Bean
public SSLContext sslContext() throws Exception {
log.info("initialize ssl context bean with keystore {} ", env.getProperty("JKS_PATH"));
char[] password = env.getProperty("JKS_KEY_PASSWORD").toCharArray();
return new SSLContextBuilder()
.loadTrustMaterial(ResourceUtils.getFile(env.getProperty("JKS_PATH")), password).build();
}
但我不断收到此错误
2022-09-01 18:44:01.522 INFO 26829 --- [tbeatExecutor-0] c.ndstdRedirectingEurekaHttpClient:请求执行错误。 endpoint=DefaultEndpoint{ serviceUrl='https://XXXXXXXXXXXXXXXXXXXX:DDDD/eureka/}, exception=javax.net.ssl.SSLHandshakeException: Received fatal alert: bad_certificate stacktrace=com.sun.jersey.api.client.ClientHandlerException: javax. net.ssl.SSLHandshakeException: Received fatal alert: bad_certificate at com.sun.jersey.client.apache4.ApacheHttpClient4Handler.handle(ApacheHttpClient4Handler.java:187) at com.sun.jersey.api.client.Client.handle(Client.java :652) at com.sun.jersey.api.client.WebResource.handle(WebResource.java:682) at Z4D236D9A2D102 C5FE6AD1C50DA4BEC50Z.sun.jersey.api.client.WebResource.access$200(WebResource.java:74) at com.sun.jersey.api.client.WebResource$Builder.put(WebResource.java:529) at
证书应该没问题,因为它与我用来在服务 A 和注册表之间制作 2way SSL 的证书相同。 我也在具有有效证书的真实服务器上对此进行测试。
对此有任何线索吗?
提前致谢! 欣赏它
我找到了问题的根本原因。 我认为这个属性是真的
prefer-ip-address: true
但它应该是错误的,因为我的证书注册了主机名,而不是 IP。 因此,当它尝试验证证书时,它正在比较不同的主机名与 ip 并且它抛出了 bad_certificate 异常。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.