
Mutual TLS using a Retrofit (Retrofit2) Client (Kotlin) within Springboot

I have been trying to figure out how to supply a client certificate when using a Retrofit client for an API. I am fairly confident in the certificate, because it works with Python/requests, but configuring it for Retrofit has gotten me nowhere. Currently I have this:

import com.fasterxml.jackson.databind.DeserializationFeature
import com.fasterxml.jackson.databind.ObjectMapper
import com.jakewharton.retrofit2.adapter.kotlin.coroutines.CoroutineCallAdapterFactory
import okhttp3.HttpUrl
import okhttp3.OkHttpClient
import org.springframework.beans.factory.BeanCreationException
import org.springframework.beans.factory.annotation.Value
import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty
import org.springframework.context.annotation.Bean
import org.springframework.context.annotation.Configuration
import retrofit2.Retrofit
import retrofit2.converter.jackson.JacksonConverterFactory

@Configuration
@ConditionalOnProperty("serviceApi.enabled")
class ServiceApiConfiguration {
  // HttpUrl.parse returns null for an invalid URL (OkHttp 3.x API); fail bean creation instead of carrying a null.
  @Bean
  fun serviceApiEndpoint(@Value("\${serviceApi.baseUrl}") serviceApiBaseUrl: String): HttpUrl = HttpUrl.parse(serviceApiBaseUrl) ?: throw BeanCreationException("Invalid URL: $serviceApiBaseUrl")

  // The injected OkHttpClient is the only place TLS (client certificate, trust store) can be configured for this Retrofit instance.
  @Bean
  fun serviceApi(serviceApiEndpoint: HttpUrl, mapper: ObjectMapper, retrofitClient: OkHttpClient): ServiceApi {
    return Retrofit.Builder()
      .addConverterFactory(JacksonConverterFactory.create(mapper.disable(DeserializationFeature.FAIL_ON_UNKNOWN_PROPERTIES)))
      .addCallAdapterFactory(CoroutineCallAdapterFactory())
      .baseUrl(serviceApiEndpoint)
      .client(retrofitClient)
      .build()
      .create(ServiceApi::class.java)
  }
}

The certificate is in a keystore, but given this error it does not seem to be using it:

javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.ssl.Alerts.getSSLException(Alerts.java:198) ~[na:1.8.0_252]
    at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1967) ~[na:1.8.0_252]
    at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:331) ~[na:1.8.0_252]
    at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:325) ~[na:1.8.0_252]
    at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1688) ~[na:1.8.0_252]
    at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:226) ~[na:1.8.0_252]
    at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1082) ~[na:1.8.0_252]
    at sun.security.ssl.Handshaker.process_record(Handshaker.java:1010) ~[na:1.8.0_252]
    at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1079) ~[na:1.8.0_252]
    at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1388) ~[na:1.8.0_252]
    at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1416) ~[na:1.8.0_252]
    at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1400) ~[na:1.8.0_252]
    at okhttp3.internal.connection.RealConnection.connectTls(RealConnection.java:320) ~[okhttp-3.12.2.jar:na]
    at okhttp3.internal.connection.RealConnection.establishProtocol(RealConnection.java:284) ~[okhttp-3.12.2.jar:na]
    at okhttp3.internal.connection.RealConnection.connect(RealConnection.java:169) ~[okhttp-3.12.2.jar:na]
    at okhttp3.internal.connection.StreamAllocation.findConnection(StreamAllocation.java:257) ~[okhttp-3.12.2.jar:na]
    at okhttp3.internal.connection.StreamAllocation.findHealthyConnection(StreamAllocation.java:135) ~[okhttp-3.12.2.jar:na]
    at okhttp3.internal.connection.StreamAllocation.newStream(StreamAllocation.java:114) ~[okhttp-3.12.2.jar:na]
    at okhttp3.internal.connection.ConnectInterceptor.intercept(ConnectInterceptor.java:42) ~[okhttp-3.12.2.jar:na]
    at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:147) ~[okhttp-3.12.2.jar:na]
    at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:121) ~[okhttp-3.12.2.jar:na]
    at okhttp3.internal.cache.CacheInterceptor.intercept(CacheInterceptor.java:93) ~[okhttp-3.12.2.jar:na]
    at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:147) ~[okhttp-3.12.2.jar:na]
    at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:121) ~[okhttp-3.12.2.jar:na]
    at okhttp3.internal.http.BridgeInterceptor.intercept(BridgeInterceptor.java:93) ~[okhttp-3.12.2.jar:na]
    at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:147) ~[okhttp-3.12.2.jar:na]
    at okhttp3.internal.http.RetryAndFollowUpInterceptor.intercept(RetryAndFollowUpInterceptor.java:126) ~[okhttp-3.12.2.jar:na]
    at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:147) ~[okhttp-3.12.2.jar:na]
    at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:121) ~[okhttp-3.12.2.jar:na]
    at com.netflix.spinnaker.okhttp.OkHttp3MetricsInterceptor.intercept(OkHttp3MetricsInterceptor.java:42) ~[kork-web-5.2.2.jar:5.2.2]
    at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:147) ~[okhttp-3.12.2.jar:na]
    at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:121) ~[okhttp-3.12.2.jar:na]
    at okhttp3.RealCall.getResponseWithInterceptorChain(RealCall.java:250) ~[okhttp-3.12.2.jar:na]
    at okhttp3.RealCall$AsyncCall.execute(RealCall.java:201) ~[okhttp-3.12.2.jar:na]
    at okhttp3.internal.NamedRunnable.run(NamedRunnable.java:32) ~[okhttp-3.12.2.jar:na]
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) ~[na:1.8.0_252]
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) ~[na:1.8.0_252]
    at java.lang.Thread.run(Thread.java:748) ~[na:1.8.0_252]
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:450) ~[na:1.8.0_252]
    at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:317) ~[na:1.8.0_252]
    at sun.security.validator.Validator.validate(Validator.java:262) ~[na:1.8.0_252]
    at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:330) ~[na:1.8.0_252]
    at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:237) ~[na:1.8.0_252]
    at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:132) ~[na:1.8.0_252]
    at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1670) ~[na:1.8.0_252]
    ... 33 common frames omitted
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141) ~[na:1.8.0_252]
    at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126) ~[na:1.8.0_252]
    at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280) ~[na:1.8.0_252]
    at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:445) ~[na:1.8.0_252]
    ... 39 common frames omitted

Any help is greatly appreciated!

The PKIX path building failed error means your client does not trust the server. Does the API not use a certificate and chain that your JRE trusts?
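The stack trace in the question fails inside X509TrustManagerImpl.checkServerTrusted, i.e. while validating the server's certificate chain, which happens before the client certificate is ever sent. So the answer's point stands: the client certificate in the keystore cannot fix this; the trust store used by OkHttp needs the CA that issued the API's certificate. The following is an added example, not code from the question or the answer, showing how to wire both halves of mutual TLS into the OkHttpClient that the question's serviceApi bean receives as retrofitClient. The property names under serviceApi.tls.* and the PKCS12 file layout are assumptions; the OkHttp and JSSE calls are the standard ones for OkHttp 3.x, which the trace identifies (okhttp-3.12.2).

```kotlin
import okhttp3.OkHttpClient
import org.springframework.beans.factory.annotation.Value
import org.springframework.context.annotation.Bean
import org.springframework.context.annotation.Configuration
import java.nio.file.Files
import java.nio.file.Paths
import java.security.KeyStore
import java.util.concurrent.TimeUnit
import javax.net.ssl.KeyManagerFactory
import javax.net.ssl.SSLContext
import javax.net.ssl.TrustManagerFactory
import javax.net.ssl.X509TrustManager

// Added example (not from the original post): provides the OkHttpClient bean
// that ServiceApiConfiguration.serviceApi() injects as `retrofitClient`.
// The serviceApi.tls.* property names are assumptions for illustration.
@Configuration
class ServiceApiTlsConfiguration {

    // Loads a PKCS12 store from disk; both the client key store and the trust
    // store are assumed to be PKCS12 here (use "JKS" if yours is a JKS file).
    private fun loadPkcs12(path: String, password: CharArray): KeyStore =
        KeyStore.getInstance("PKCS12").also { ks ->
            Files.newInputStream(Paths.get(path)).use { ks.load(it, password) }
        }

    @Bean
    fun retrofitClient(
        @Value("\${serviceApi.tls.keyStore}") keyStorePath: String,            // client private key + certificate (+ chain)
        @Value("\${serviceApi.tls.keyStorePassword}") keyStorePassword: String,
        @Value("\${serviceApi.tls.trustStore}") trustStorePath: String,        // CA chain that signed the API's server certificate
        @Value("\${serviceApi.tls.trustStorePassword}") trustStorePassword: String
    ): OkHttpClient {
        // Client identity: the KeyManager answers the server's CertificateRequest
        // with the certificate from the key store. This is the "mutual" half.
        val keyPassword = keyStorePassword.toCharArray()
        val kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm())
        kmf.init(loadPkcs12(keyStorePath, keyPassword), keyPassword)

        // Server trust: this is what "PKIX path building failed" is about. The
        // trust store must contain the CA that issued the API's certificate;
        // having the client certificate in a key store does not make the server trusted.
        val tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm())
        tmf.init(loadPkcs12(trustStorePath, trustStorePassword.toCharArray()))
        val trustManager = tmf.trustManagers.filterIsInstance<X509TrustManager>().single()

        // One SSLContext carrying both the key managers and the trust manager.
        val sslContext = SSLContext.getInstance("TLS")
        sslContext.init(kmf.keyManagers, arrayOf(trustManager), null)

        // OkHttp 3.x wants the X509TrustManager alongside the factory so it can
        // clean certificate chains and apply pinning; use the two-argument overload.
        return OkHttpClient.Builder()
            .sslSocketFactory(sslContext.socketFactory, trustManager)
            .connectTimeout(10, TimeUnit.SECONDS)
            .readTimeout(30, TimeUnit.SECONDS)
            .build()
    }
}
```

Two practical notes. First, to confirm which side is failing, import the API's issuing CA into the trust store (for example with keytool -importcert -trustcacerts into a PKCS12 file) and retry; if the error then changes to the server rejecting the handshake, the trust half is fixed and the remaining problem is the client certificate. Second, OkHttp 3.x builds its default SSLSocketFactory with no key managers at all, so a client certificate supplied only through javax.net.ssl.keyStore system properties is never presented; it has to be wired explicitly as above. Do not work around the PKIX error with an all-trusting TrustManager: that disables server authentication entirely, which defeats the point of mutual TLS.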

