【问题标题】:Spring Boot 1.4.1 SSL trustAnchors exceptionSpring Boot 1.4.1 SSL trustAnchors 异常
【发布时间】:2017-03-24 05:17:42
【问题描述】:

我在 Docker 容器 (docker-compose) 中运行 Spring Boot 微服务进行测试,最近尝试从 Spring Boot 1.4.0 升级到 1.4.1(也尝试过 1.4.2),但服务在启动时失败一个

InvalidAlgorithmParameterException:trustAnchors 参数必须是 非空异常。

我在运行 Spring Boot 1.4.0 时没有遇到任何问题。下面提供了我用于其中一项服务的 Dockerfile(一些敏感值已被替换,尝试 1.4.2 时结果相同。

当我在命令行上运行服务时会发生相同的行为,所有环境变量和 Java 参数都列在下面的 Dockerfile 中。

这是日志的摘录:

2016-11-10 08:10:06.645 ERROR [sbsa-account-om-service,,,] 1 --- [           main] o.apache.catalina.core.StandardService   : Failed to start connector [Connector[HTTP/1.1-8762]]

org.apache.catalina.LifecycleException: Failed to start component [Connector[HTTP/1.1-8762]]
    at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:167) ~[tomcat-embed-core-8.5.5.jar!/:8.5.5]
    at org.apache.catalina.core.StandardService.addConnector(StandardService.java:225) ~[tomcat-embed-core-8.5.5.jar!/:8.5.5]
    at org.springframework.boot.context.embedded.tomcat.TomcatEmbeddedServletContainer.addPreviouslyRemovedConnectors(TomcatEmbeddedServletContainer.java:233) [spring-boot-1.4.1.RELEASE.jar!/:1.4.1.RELEASE]
    at org.springframework.boot.context.embedded.tomcat.TomcatEmbeddedServletContainer.start(TomcatEmbeddedServletContainer.java:178) [spring-boot-1.4.1.RELEASE.jar!/:1.4.1.RELEASE]
    at org.springframework.boot.context.embedded.EmbeddedWebApplicationContext.startEmbeddedServletContainer(EmbeddedWebApplicationContext.java:297) [spring-boot-1.4.1.RELEASE.jar!/:1.4.1.RELEASE]
    at org.springframework.boot.context.embedded.EmbeddedWebApplicationContext.finishRefresh(EmbeddedWebApplicationContext.java:145) [spring-boot-1.4.1.RELEASE.jar!/:1.4.1.RELEASE]
    at org.springframework.context.support.AbstractApplicationContext.refresh(AbstractApplicationContext.java:544) [spring-context-4.3.3.RELEASE.jar!/:4.3.3.RELEASE]
    at org.springframework.boot.context.embedded.EmbeddedWebApplicationContext.refresh(EmbeddedWebApplicationContext.java:122) [spring-boot-1.4.1.RELEASE.jar!/:1.4.1.RELEASE]
    at org.springframework.boot.SpringApplication.refresh(SpringApplication.java:761) [spring-boot-1.4.1.RELEASE.jar!/:1.4.1.RELEASE]
    at org.springframework.boot.SpringApplication.refreshContext(SpringApplication.java:371) [spring-boot-1.4.1.RELEASE.jar!/:1.4.1.RELEASE]
    at org.springframework.boot.SpringApplication.run(SpringApplication.java:315) [spring-boot-1.4.1.RELEASE.jar!/:1.4.1.RELEASE]
    at org.springframework.boot.SpringApplication.run(SpringApplication.java:1186) [spring-boot-1.4.1.RELEASE.jar!/:1.4.1.RELEASE]
    at org.springframework.boot.SpringApplication.run(SpringApplication.java:1175) [spring-boot-1.4.1.RELEASE.jar!/:1.4.1.RELEASE]
    at com.sbg.om.services.SbsaAccountOmServiceApplication.main(SbsaAccountOmServiceApplication.java:24) [classes!/:0.0.1-SNAPSHOT]
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[na:1.8.0_11]
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) ~[na:1.8.0_11]
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[na:1.8.0_11]
    at java.lang.reflect.Method.invoke(Method.java:483) ~[na:1.8.0_11]
    at org.springframework.boot.loader.MainMethodRunner.run(MainMethodRunner.java:48) [app.jar:0.0.1-SNAPSHOT]
    at org.springframework.boot.loader.Launcher.launch(Launcher.java:87) [app.jar:0.0.1-SNAPSHOT]
    at org.springframework.boot.loader.Launcher.launch(Launcher.java:50) [app.jar:0.0.1-SNAPSHOT]
    at org.springframework.boot.loader.JarLauncher.main(JarLauncher.java:58) [app.jar:0.0.1-SNAPSHOT]
Caused by: org.apache.catalina.LifecycleException: service.getName(): "Tomcat";  Protocol handler start failed
    at org.apache.catalina.connector.Connector.startInternal(Connector.java:976) ~[tomcat-embed-core-8.5.5.jar!/:8.5.5]
    at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:150) ~[tomcat-embed-core-8.5.5.jar!/:8.5.5]
    ... 21 common frames omitted
Caused by: java.lang.IllegalArgumentException: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty
    at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:103) ~[tomcat-embed-core-8.5.5.jar!/:8.5.5]
    at org.apache.tomcat.util.net.AbstractJsseEndpoint.initialiseSsl(AbstractJsseEndpoint.java:81) ~[tomcat-embed-core-8.5.5.jar!/:8.5.5]
    at org.apache.tomcat.util.net.NioEndpoint.bind(NioEndpoint.java:244) ~[tomcat-embed-core-8.5.5.jar!/:8.5.5]
    at org.apache.tomcat.util.net.AbstractEndpoint.start(AbstractEndpoint.java:874) ~[tomcat-embed-core-8.5.5.jar!/:8.5.5]
    at org.apache.coyote.AbstractProtocol.start(AbstractProtocol.java:590) ~[tomcat-embed-core-8.5.5.jar!/:8.5.5]
    at org.apache.catalina.connector.Connector.startInternal(Connector.java:969) ~[tomcat-embed-core-8.5.5.jar!/:8.5.5]
    ... 22 common frames omitted
Caused by: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty
    at java.security.cert.PKIXParameters.setTrustAnchors(PKIXParameters.java:200) ~[na:1.8.0_11]
    at java.security.cert.PKIXParameters.<init>(PKIXParameters.java:157) ~[na:1.8.0_11]
    at java.security.cert.PKIXBuilderParameters.<init>(PKIXBuilderParameters.java:130) ~[na:1.8.0_11]
    at org.apache.tomcat.util.net.jsse.JSSEUtil.getParameters(JSSEUtil.java:341) ~[tomcat-embed-core-8.5.5.jar!/:8.5.5]
    at org.apache.tomcat.util.net.jsse.JSSEUtil.getTrustManagers(JSSEUtil.java:273) ~[tomcat-embed-core-8.5.5.jar!/:8.5.5]
    at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:101) ~[tomcat-embed-core-8.5.5.jar!/:8.5.5]
    ... 27 common frames omitted

2016-11-10 08:10:06.691  INFO [sbsa-account-om-service,,,] 1 --- [           main] o.apache.catalina.core.StandardService   : Stopping service Tomcat

Dockerfile:

FROM webdizz/centos-java8
VOLUME /tmp
ADD <app name>.jar app.jar

ADD smoke-test.trust.jks /smoke-test.trust.jks

# Environment vars for SSL keystore + truststore
ENV security_x509_orgUnit=<org unit>
ENV server_ssl_enabled="true"
ENV security_sessions="stateless"
ENV security_headers_hsts="all"
ENV server_ssl_ciphers="TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA"
ENV server_ssl_protocol="TLS"
ENV server_ssl_keyStore="/smoke-test.trust.jks"
ENV server_ssl_keyStorePassword=<password>
ENV server_ssl_keyStoreType="JKS"
ENV server_ssl_keyAlias=<alias>
ENV server_ssl_keyPassword=<password>
ENV ribbon_ReadTimeout="60000"
ENV ribbon_IsSecure="true"
ENV ribbon_IsHostnameValidationRequired="true"
ENV ribbon_KeyStore="/smoke-test.trust.jks"
ENV ribbon_KeyStorePassword=<password>
ENV security_requireSsl="true"
ENV server_ssl_trustStore="/smoke-test.trust.jks"
ENV server_ssl_trustStorePassword=<password>
ENV server_ssl_trustStoreType="JKS"
ENV server_ssl_clientAuth="need"
ENV ribbon_TrustStore="/smoke-test.trust.jks"
ENV ribbon_TrustStorePassword=<password>
ENV ribbon_IsClientAuthRequired="true"
ENV PCI_CIPHER_KEY=<key>
ENV liquibase_contexts=<context>

# run actual Java app
RUN sh -c 'touch /app.jar'
EXPOSE 8762
EXPOSE 9997
ENTRYPOINT ["java",  \
            "-Djavax.net.ssl.trustStore=/smoke-test.trust.jks", \
            "-Djavax.net.ssl.trustStorePassword=<password>", \
            "-Djavax.net.ssl.trustStoreType=JKS", \
                "-Djavax.net.debug=ssl", \
            "-Dspring.profiles.active=testing", \
            "-Dom.security.enabled=true", \
            "-Dmanagement.security.enabled=true", \
            "-Dom.security.x509.subjectPrincipalRegex=OU=(.*?)(?:,|$)", \
            "-Dom.security.x509.roleConfiguration[0].roleNames[0]=<roleName>", \
            "-Dom.security.x509.roleConfiguration[0].searchValues[0]=<value>", \
            "-Dom.security.orderedPathRestrictions[0].pattern='/**'", \
            "-Dom.security.orderedPathRestrictions[0].roles=<role>", \          
            "-Dom.security.orderedPathRestrictions[0].csrfDisabled=true", \         
            "-Xdebug", \
            "-agentlib:jdwp=transport=dt_socket,address=9997,server=y,suspend=n", \
            "-Dserver.port=8762", \
            "-Deureka.instance.non-secure-port=0", \
            "-Deureka.instance.secure-port=8762", \
            "-Deureka.instance.hostname=<name>", \
            "-Deureka.instance.nonSecurePortEnabled=false", \
            "-Deureka.instance.securePortEnabled=true", \
            "-Deureka.client.serviceUrl.defaultZone=<URL>", \
            "-Dspring.application.name=sbsa-account-om-service", \
            "-Deureka.instance.secureVirtualHostName=<name>", \
            "-Djava.security.egd=file:/dev/./urandom", \
            "-jar", \
            "/app.jar"]

编辑:这与trustAnchors question 中提到的问题不同,因为我的问题与从 Spring Boot 版本 1.4.0 到 1.4.1 有关,唯一的变化是 Boot 版本,所有其他配置都在Spring Boot 1.4.0 保持不变。

【问题讨论】:

标签: ssl docker spring-boot


【解决方案1】:

事实证明,从 Spring Boot 1.4.1 开始,底层的 Tomcat 版本已经升级到 8.5.6,它现在不接受除

之外的任何其他证书类型
Entry type: trustedCertEntry

我使用的是以下类型的自签名证书:

Entry type: PrivateKeyEntry

重新生成证书后一切正常。

【讨论】:

  • 您如何将证书从 PrivateKeyEntry 更改为 TrustedCertEntry ?我也面临这些问题。
猜你喜欢
  • 1970-01-01
  • 1970-01-01
  • 1970-01-01
  • 1970-01-01
  • 1970-01-01
  • 2019-01-06
  • 2019-12-26
  • 2019-09-05
  • 2017-03-10
相关资源
最近更新 更多