无法通过 TLS 与 Vert.x 连接到主机答案

【问题标题】：Can't connect to host by TLS with Vert.x无法通过 TLS 与 Vert.x 连接到主机
【发布时间】：2017-10-02 11:43:30
【问题描述】：

我正在尝试连接到具有 TLS 支持的特定主机。我有一个有效的私钥 - “my.key”，我的证书 - “my.crt”，还有 rootCA 证书“root_ca.crt”。我已经知道使用 OpenSsl 请求的主机。 Vertx 可能会使用一些不同的变体来做到这一点：

通过 JksOptions() 和 java 密钥库文件“.jks”
通过 PfxOptions() 和文件“.pfx”（PKCS12 格式）
通过 PemKeyCertOptions() 和两个文件（“key.pem”和“cert.pem”）

但是当我这样做时：

NetClient client = vertx.createNetClient(
                (NetClientOptions) new NetClientOptions()
                        .setLogActivity(true)
                        .setSsl(true)
                        .setOpenSslEngineOptions(new OpenSSLEngineOptions())
                        .addEnabledSecureTransportProtocol("TLSv1.2")
                        .setJksOptions(
                                new JksOptions()
                                        .setPath("/path/to/my.jks")
                                        .setPassword("password")
                        )
        );
client.connect(some_port, "some_host", ar -> {
            if (ar.succeeded()) {
                LOG.debug("Connection succeeded!!!!");
            } else {
                LOG.debug("Connection failed!!!! :: {} :: {}", ar.cause(), ar.cause().getMessage());
            }
        });

构建成功，但是当我运行此代码时出现异常：

INFO: Succeeded in deploying verticle
[vert.x-eventloop-thread-0] DEBUG io.netty.handler.ssl.ReferenceCountedOpenSslContext - verification of certificate failed
sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:397)
    at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:302)
    at sun.security.validator.Validator.validate(Validator.java:260)
    at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324)
    at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:281)
    at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:136)
    at io.netty.handler.ssl.ReferenceCountedOpenSslClientContext$ExtendedTrustManagerVerifyCallback.verify(ReferenceCountedOpenSslClientContext.java:223)
    at io.netty.handler.ssl.ReferenceCountedOpenSslContext$AbstractCertificateVerifier.verify(ReferenceCountedOpenSslContext.java:606)
    at org.apache.tomcat.jni.SSL.readFromSSL(Native Method)
    at io.netty.handler.ssl.ReferenceCountedOpenSslEngine.readPlaintextData(ReferenceCountedOpenSslEngine.java:470)
    at io.netty.handler.ssl.ReferenceCountedOpenSslEngine.unwrap(ReferenceCountedOpenSslEngine.java:927)
    at io.netty.handler.ssl.ReferenceCountedOpenSslEngine.unwrap(ReferenceCountedOpenSslEngine.java:1033)
    at io.netty.handler.ssl.SslHandler$SslEngineType$1.unwrap(SslHandler.java:200)
    at io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1117)
    at io.netty.handler.ssl.SslHandler.decode(SslHandler.java:1039)
    at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:411)
    at io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:248)
    at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:363)
    at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:349)
    at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:341)
    at io.netty.channel.DefaultChannelPipeline$HeadContext.channelRead(DefaultChannelPipeline.java:1334)
    at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:363)
    at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:349)
    at io.netty.channel.DefaultChannelPipeline.fireChannelRead(DefaultChannelPipeline.java:926)
    at io.netty.channel.nio.AbstractNioByteChannel$NioByteUnsafe.read(AbstractNioByteChannel.java:129)
    at io.netty.channel.nio.NioEventLoop.processSelectedKey(NioEventLoop.java:642)
    at io.netty.channel.nio.NioEventLoop.processSelectedKeysOptimized(NioEventLoop.java:565)
    at io.netty.channel.nio.NioEventLoop.processSelectedKeys(NioEventLoop.java:479)
    at io.netty.channel.nio.NioEventLoop.run(NioEventLoop.java:441)
    at io.netty.util.concurrent.SingleThreadEventExecutor$5.run(SingleThreadEventExecutor.java:858)
    at java.lang.Thread.run(Thread.java:748)
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141)
    at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126)
    at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280)
    at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:392)
    ... 30 more

也许我在创建密钥库时做错了什么？要创建它，我正在使用本教程 - https://support.adeptia.com/hc/en-us/articles/207878953-How-to-create-a-KeyStore-with-certificate-chain

请帮助我了解如何获得正确的密钥库以通过 TLS 与我的主机连接？

【问题讨论】：

标签： java ssl vert.x

【解决方案1】：

我找到了一种通过以下命令创建正确的 PKCS12 格式的 java 密钥库的方法：

openssl pkcs12 -inkey my.key -in my.crt -export -out domain.pfx

然后将生成的“domain.pfx”文件放入 PfxOptions 中，将“root_ca.crt”文件放入 PemTrustOptions 中，如下所示：

return new NetClientOptions()
            .setSsl(true)
            .addEnabledSecureTransportProtocol("TLSv1.2")
            .setPfxKeyCertOptions(
                    new PfxOptions()
                            .setPath(pathToKeystoreFile)
                            .setPassword(keystorePassword)
            )
            .setPemTrustOptions(
                    new PemTrustOptions()
                            .addCertPath(rootCACertificate)
            );

附：您在创建证书时输入的 keystorePassword。

【讨论】：