Configuring SSL on Jetty
Question
I'm trying to configure my Jetty environment to be able to have a secure connection.
I've run the steps described in the official Jetty documentation: https://www.eclipse.org/jetty/documentation/9.4.31.v20200723/jetty-ssl-distribution.html, but with no success.
Steps to recreate:
- java -jar start.jar --create-startd --add-to-start=ssl
- java -jar start.jar --add-to-start=ssl,conscrypt
- java -jar start.jar --add-to-startd=ssl,https
- update start.d/ssl.ini with the values:
--module=ssl
jetty.ssl.host=0.0.0.0
jetty.ssl.port=8583
jetty.sslContext.keyStorePath=etc/keystore
jetty.sslContext.trustStorePath=etc/keystore
jetty.sslContext.keyStorePassword=OBF:
jetty.sslContext.keyManagerPassword=OBF:
jetty.sslContext.trustStorePassword=OBF:
#Enable client certificate authentication.
jetty.sslContext.needClientAuth=true
For generating the keystore I followed the steps:
openssl genrsa -des3 -out jetty.key
openssl req -new -x509 -key jetty.key -out jetty.crt
keytool -keystore keystore -import -alias jetty -file jetty.crt -trustcacerts
openssl req -new -key jetty.key -out jetty.csr
openssl pkcs12 -inkey jetty.key -in jetty.crt -export -out jetty.pkcs12
keytool -importkeystore -srckeystore jetty.pkcs12 -srcstoretype PKCS12 -destkeystore keystore
As a last step I've obfuscated the password and updated it in the start.d/ssl.ini file.
ISSUE
I'm facing an error which says something like:
2020-09-28 13:51:46.896:INFO::main: Logging initialized @523ms to org.eclipse.jetty.util.log.StdErrLog
2020-09-28 13:51:47.387:WARN:oejs.HomeBaseWarning:main: This instance of Jetty is not running from a separate {jetty.base} directory, this is not recommended. See documentation at http://www.eclipse.org/jetty/documentation/current/startup.html
2020-09-28 13:51:47.414:INFO:oejs.Server:main: jetty-9.4.31.v20200723; built: 2020-07-23T17:57:36.812Z; git: 450ba27947e13e66baa8cd1ce7e85a4461cacc1d; jvm 11.0.8+10-LTS
2020-09-28 13:51:47.460:INFO:oejdp.ScanningAppProvider:main: Deployment monitor [file:///opt/jetty-distribution-9.4.31.v20200723/webapps/] at interval 1
2020-09-28 13:51:47.796:INFO:oejus.SslContextFactory:main: x509=X509@6853425f(jetty,h=[jettyhttp2sample.organicdesign.org],w=[]) for Server@5a9f4771[provider=Conscrypt,keyStore=file:///opt/jetty-distribution-9.4.31.v20200723/etc/keystore,trustStore=file:///opt/jetty-distribution-9.4.31.v20200723/etc/keystore]
2020-09-28 13:51:47.799:INFO:oejus.SslContextFactory:main: Unable to get KeyManagerFactory instance for algorithm [SunX509] on provider [Conscrypt], using default
2020-09-28 13:51:47.882:INFO:oejs.AbstractConnector:main: Started ServerConnector@46c1a1fc{SSL, (ssl, http/1.1)}{localhost:8443}
2020-09-28 13:51:47.886:INFO:oejs.AbstractConnector:main: Started ServerConnector@7b205dbd{HTTP/1.1, (http/1.1)}{0.0.0.0:8080}
2020-09-28 13:51:47.887:INFO:oejs.Server:main: Started @1514ms
Unable to get KeyManagerFactory instance for algorithm [SunX509] on provider [Conscrypt], using default
Any help is appreciated
Thanks.
Answer 1
Score: 1
There's no error being reported here, this is normal fallback operations for alternate providers (conscrypt in your case).
The Conscrypt security provider doesn't support the SunX509 algorithm for KeyManagerFactory, so it falls back to the JVM default implementation.
Also, don't edit files in your jetty-home / jetty-distribution directly, that's a much bigger WARN, use the distribution correctly and separate your jetty-home from your jetty-base per the documentation linked in that WARN message. This ancient technique for managing the configuration of Jetty standalone has been completely removed in Jetty 10 and Jetty 11!
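To see why that INFO line is harmless, here is an added example (not Jetty's own code and not part of the answer) that reproduces the same lookup-then-fallback: it asks a named provider for a KeyManagerFactory with the SunX509 algorithm and, when the provider doesn't offer it, takes the JVM default exactly as SslContextFactory does. It assumes Conscrypt is passed as the argument when it is registered; otherwise it probes the JDK's SunJCE provider, which also has no KeyManagerFactory, so the same path runs offline.

```java
import java.security.NoSuchAlgorithmException;
import java.security.NoSuchProviderException;
import java.security.Provider;
import java.security.Security;
import javax.net.ssl.KeyManagerFactory;

public class KeyManagerFactoryFallback {

    /** Same outcome as the Jetty log: try the named provider, else the JVM default. */
    static KeyManagerFactory keyManagerFactoryFor(String algorithm, String providerName)
            throws NoSuchAlgorithmException {
        try {
            return KeyManagerFactory.getInstance(algorithm, providerName);
        } catch (NoSuchAlgorithmException | NoSuchProviderException e) {
            // This is the condition behind "Unable to get KeyManagerFactory instance ...":
            // the provider is present but does not implement this service/algorithm.
            System.out.println("Unable to get KeyManagerFactory instance for algorithm ["
                    + algorithm + "] on provider [" + providerName + "], using default ("
                    + e.getClass().getSimpleName() + ")");
            // Fallback: whichever installed provider supplies SunX509 (normally SunJSSE).
            return KeyManagerFactory.getInstance(algorithm);
        }
    }

    public static void main(String[] args) throws Exception {
        // Assumption: pass "Conscrypt" when it is registered; SunJCE stands in otherwise.
        String providerName = args.length > 0 ? args[0] : "SunJCE";

        // Which installed providers actually implement KeyManagerFactory.SunX509?
        Provider[] capable = Security.getProviders("KeyManagerFactory.SunX509");
        System.out.println("Providers offering KeyManagerFactory.SunX509:");
        if (capable != null) {
            for (Provider p : capable) {
                System.out.println("  " + p.getName());
            }
        }

        KeyManagerFactory kmf = keyManagerFactoryFor("SunX509", providerName);
        System.out.println("Resolved KeyManagerFactory from provider: "
                + kmf.getProvider().getName());
    }
}
```

The TLS engine itself still comes from the provider named in the log (Conscrypt); only the key-manager lookup falls back, which is why the connector starts normally.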