SSLHandshakeException while establishing communication from a Spring Boot service to a 3rd party API using a p12 keystore

Question

From our Springboot application we need to connect to a 3rd party service. And we have the p12 certificate provided by the third party vendor.

I was able to successfully establish communication with this service via a browser and the Postman client just by importing the p12 certificate as a pfx file.

Now I am trying to import or use this P12 certificate in my service to communicate.
But I keep getting the following error.

feign.RetryableException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

Methods that I tried:

  1. Using OpenSSL commands, extracted the certificates and imported a JKS truststore from the p12 file into one of my folders using keytool
   -Djavax.net.ssl.keyStoreType=pkcs12
   -Djavax.net.ssl.keyStore=C:\thirdparty.p12
   -Djavax.net.ssl.keyStorePassword=<pwd>
   -Djavax.net.ssl.trustStoreType=jks
   -Djavax.net.ssl.trustStore=C:\\thirdparty.jks
   -Djavax.net.ssl.trustStorePassword=<pwd>
  2. Created a custom Feign configuration as specified in
    https://dzone.com/articles/ssl-based-feignclient-example-in-java-microcervice
  3. Just imported the p12 certificate in the Dockerfile and tried running the Docker container
   RUN cd /usr/lib/jvm/java-1.8-openjdk/jre/bin && keytool -importkeystore -deststorepass changeit -destkeypass changeit -destkeystore cacerts -deststoretype pkcs12 -srckeystore thirdparty.p12 -srcstoretype PKCS12 -srcstorepass <pwd>

Everything gives the same error.

I think I am missing something that could be very simple too.
Questions:

  1. When I have p12 file from the vendor, do I need a separate truststore created for this?
  2. Is there a way I can just use the p12 and the password to establish the communication?
  3. Do I need to do the configuration at the service level or at the Feign client level?

Thanks in advance.
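One way to address questions 1 to 3 together, as an added example that is not from the question, the answers or the DZone article: a Feign `Client` bean whose TLS settings are scoped to this one client instead of the JVM-wide `javax.net.ssl.*` properties, so other TLS users in the same JVM (such as a JDBC pool) are not affected. File paths, passwords and the class/bean names are assumed placeholders; it assumes feign-core's `Client.Default` constructor and Spring Cloud OpenFeign's `@FeignClient(configuration = ...)`.

```java
import feign.Client;
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;
import org.springframework.context.annotation.Bean;

// Added example, not the project's code. Reference it from
// @FeignClient(name = "thirdparty", configuration = ThirdPartyFeignTlsConfig.class).
// Deliberately NOT @Configuration: if component scanning picked it up, the Client
// bean would apply to every Feign client in the application.
public class ThirdPartyFeignTlsConfig {

    // Paths and passwords are placeholders; load them from configuration, not source.
    private static final String P12_PATH = "C:/thirdparty.p12";
    private static final String JKS_PATH = "C:/thirdparty.jks";
    private static final char[] PASSWORD = "<pwd>".toCharArray();

    private static KeyStore load(String path, String type, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance(type);
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        return ks;
    }

    @Bean
    public Client thirdPartyFeignClient() throws Exception {
        // Vendor-issued p12 = OUR identity (private key + client cert): KeyManager side.
        // Assumes the key password equals the store password, as in the question.
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(load(P12_PATH, "PKCS12", PASSWORD), PASSWORD);

        // Truststore = the CA chain that signed the THIRD PARTY's server certificate.
        // "PKIX path building failed" means this side is missing; the p12 alone
        // does not make the remote server trusted.
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(load(JKS_PATH, "JKS", PASSWORD));

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);

        // A null verifier keeps the JDK default HostnameVerifier; do not swap in an
        // accept-all verifier or trust manager just to make the error go away.
        return new Client.Default(ctx.getSocketFactory(), null);
    }
}
```

If the vendor's p12 also bundles the server's CA chain, those certificates can be exported from it with keytool and imported into the JKS truststore; the client private key itself never needs to be in the truststore.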

Answer 1

Score: 1

  1. Open the URL in your browser and export the certificate.

  2. Find the location of the cacerts file:

    Example: C:\Program Files (x86)\Java\jre1.6.0_22\lib\security\cacerts

  3. Import the .cer file into cacerts on the command line:

    keytool -import -alias example -keystore "C:\Program Files (x86)\Java\jre1.6.0_22\lib\security\cacerts" -file example.cer

Note: If asked for a password, enter: changeit

Restart your JVM/PC.

Answer 2

Score: 0


Thanks for your input, Amit Kumar.

Yes, it works by importing the certificates into the truststore and providing the keystore as I mentioned in my question.

But Spring Boot JPA Hikari is automatically trying to verify the trust certificates that I provided on the Java command line, and hence the server was not coming up.

Trying to resolve that problem now.

huangapple
  • Published on 2020-06-29 03:34:35
  • Please keep the original link when reposting: https://go.coder-hub.com/62627364.html