
Jetty 11: secure connection fails with a GoDaddy certificate

How to fix a failing Jetty 11 secure connection with a GoDaddy certificate

I am trying to use a GoDaddy certificate to create a secure HTTP connection.

First I tested my code with a self-signed certificate and it worked fine, but when I try to use the certificate from GoDaddy I get SSL_ERROR_HANDSHAKE_FAILURE_ALERT in Firefox and ERR_SSL_PROTOCOL_ERROR in Chrome. No exception. No error log. No message.

Secure Connection Failed

An error occurred during a connection to servername.com:8443. SSL peer was unable to negotiate an acceptable set of security parameters.

Error code: SSL_ERROR_HANDSHAKE_FAILURE_ALERT

    The page you are trying to view cannot be shown because the authenticity of the received data could not be verified.
    Please contact the website owners to inform them of this problem.

Debug log leading up to the exception:

[server-33] DEBUG org.eclipse.jetty.util.thread.QueuedThreadPool  - Runner started for QueuedThreadPool[server]@33e5ccce{STARTED,8<=12<=200,i=0,r=-1,q=0}[ReservedThreadExecutor@627551fb{s=1/16,p=0}]
[server-22] DEBUG org.eclipse.jetty.io.socketChannelEndPoint  - Key interests updated 1 -> 0 on SocketChannelEndPoint@2e9703df{l=/127.0.1.1:8443,r=/127.0.0.1:41822,OPEN,fill=FI,flush=-,to=4/30000}{io=0/0,kio=0,kro=1}->SslConnection@1008464{NOT_HANDSHAKING,eio=-1/-1,di=-1,fill=INTERESTED,flush=IDLE}~>DecryptedEndPoint@38876f9b{l=/127.0.1.1:8443,to=4/30000}=>httpconnection@1ae6359c[p=HttpParser{s=START,0 of -1},g=HttpGenerator@c862f5c{s=START}]=>HttpChanneloverHttp@525f5018{s=HttpChannelState@3f48616b{s=IDLE rs=BLOCKING os=OPEN is=IDLE awp=false se=false i=true al=0},r=0,c=false/false,a=IDLE,uri=null,age=0}
[server-22] DEBUG org.eclipse.jetty.io.ManagedSelector  - Selector sun.nio.ch.EPollSelectorImpl@3fc1893b waiting with 1 keys
[server-33] DEBUG org.eclipse.jetty.util.thread.QueuedThreadPool  - run SocketChannelEndPoint@2e9703df{l=/127.0.1.1:8443,to=5/30000}=>httpconnection@1ae6359c[p=HttpParser{s=START,age=0}:runFillable:BLOCKING in QueuedThreadPool[server]@33e5ccce{STARTED,p=0}]
[server-33] DEBUG org.eclipse.jetty.io.FillInterest  - fillable FillInterest@6d28095a{SSLC.NBReadCB@1008464{SslConnection@1008464::SocketChannelEndPoint@2e9703df{l=/127.0.1.1:8443,age=0}}}
[server-33] DEBUG org.eclipse.jetty.io.ssl.SslConnection  - >c.onFillable SslConnection@1008464::SocketChannelEndPoint@2e9703df{l=/127.0.1.1:8443,fill=-,to=5/30000}{io=0/0,age=0}
[server-33] DEBUG org.eclipse.jetty.io.ssl.SslConnection  - onFillable SslConnection@1008464::SocketChannelEndPoint@2e9703df{l=/127.0.1.1:8443,to=6/30000}=>httpconnection@1ae6359c[p=HttpParser{s=START,age=0}
[server-33] DEBUG org.eclipse.jetty.io.FillInterest  - fillable FillInterest@66f8bebc{AC.ReadCB@1ae6359c{httpconnection@1ae6359c::DecryptedEndPoint@38876f9b{l=/127.0.1.1:8443,to=6/30000}}}
[server-33] DEBUG org.eclipse.jetty.server.httpconnection  - httpconnection@1ae6359c::DecryptedEndPoint@38876f9b{l=/127.0.1.1:8443,to=6/30000} onFillable enter HttpChannelState@3f48616b{s=IDLE rs=BLOCKING os=OPEN is=IDLE awp=false se=false i=true al=0} null
[server-33] DEBUG org.eclipse.jetty.io.ssl.SslConnection  - >fill SslConnection@1008464::SocketChannelEndPoint@2e9703df{l=/127.0.1.1:8443,fill=IDLE,age=0}
[server-33] DEBUG org.eclipse.jetty.io.ssl.SslConnection  - fill NOT_HANDSHAKING
[server-33] DEBUG org.eclipse.jetty.io.socketChannelEndPoint  - filled 517 HeapByteBuffer@7a6e94fa[p=0,l=517,c=17408,r=517]={<<<\x16\x03\x01\x02\x00\x01\x00\x01\xFc\x03\x03\xCc\xB0>\x1f8"\xCf\xD6-^m\x04\xC0\xC3...\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00>>>\x00\x00\x00\x00\x00\x00\x00\x00\x00...\x00\x00\x00\x00\x00\x00\x00}
[server-33] DEBUG org.eclipse.jetty.io.ssl.SslConnection  - net filled=517
[server-33] DEBUG org.eclipse.jetty.io.ssl.SslConnection  - fill starting handshake SslConnection@1008464::SocketChannelEndPoint@2e9703df{l=/127.0.1.1:8443,to=0/30000}{io=0/0,eio=517/-1,to=7/30000}=>httpconnection@1ae6359c[p=HttpParser{s=START,age=0}
[server-33] DEBUG org.eclipse.jetty.io.ssl.SslConnection  - unwrap net_filled=517 Status = OK HandshakeStatus = NEED_TASK bytesConsumed = 517 bytesProduced = 0 encryptedBuffer=[p=517,r=0] unwrapBuffer=DirectByteBuffer@73daf2e[p=0,l=0,r=0]={<<<>>>\x00\x00\x00\x00\x00\x00\x00\x00\x00...\x00\x00\x00\x00\x00\x00\x00} appBuffer=DirectByteBuffer@73daf2e[p=0,r=0]={<<<>>>\x00\x00\x00\x00\x00\x00\x00\x00\x00...\x00\x00\x00\x00\x00\x00\x00}
[server-33] DEBUG org.eclipse.jetty.io.ssl.SslConnection  - fill NEED_TASK
[server-33] DEBUG org.eclipse.jetty.util.ssl.SslContextFactory  - SNI matching for type=host_name (0),value=hayquecomer.com
[server-33] DEBUG org.eclipse.jetty.util.ssl.SslContextFactory  - SNI host name hayquecomer.com
[server-33] DEBUG org.eclipse.jetty.util.ssl.SniX509ExtendedKeyManager  - Chose explicit alias null/EC on sun.security.ssl.SSLEngineImpl@3dd0a710
[server-33] DEBUG org.eclipse.jetty.util.ssl.SniX509ExtendedKeyManager  - Chose explicit alias null/EC on sun.security.ssl.SSLEngineImpl@3dd0a710
[server-33] DEBUG org.eclipse.jetty.util.ssl.SniX509ExtendedKeyManager  - Chose explicit alias null/EC on sun.security.ssl.SSLEngineImpl@3dd0a710
[server-33] DEBUG org.eclipse.jetty.util.ssl.SniX509ExtendedKeyManager  - Chose explicit alias null/RSA on sun.security.ssl.SSLEngineImpl@3dd0a710
[server-33] DEBUG org.eclipse.jetty.util.ssl.SniX509ExtendedKeyManager  - Chose explicit alias null/RSA on sun.security.ssl.SSLEngineImpl@3dd0a710
[server-33] DEBUG org.eclipse.jetty.util.ssl.SniX509ExtendedKeyManager  - Chose explicit alias null/RSA on sun.security.ssl.SSLEngineImpl@3dd0a710
[server-33] DEBUG org.eclipse.jetty.util.ssl.SniX509ExtendedKeyManager  - Chose explicit alias null/RSA on sun.security.ssl.SSLEngineImpl@3dd0a710
[server-33] DEBUG org.eclipse.jetty.util.ssl.SniX509ExtendedKeyManager  - Chose explicit alias null/RSA on sun.security.ssl.SSLEngineImpl@3dd0a710
[server-33] DEBUG org.eclipse.jetty.util.ssl.SniX509ExtendedKeyManager  - Chose explicit alias null/RSA on sun.security.ssl.SSLEngineImpl@3dd0a710
[server-33] DEBUG org.eclipse.jetty.util.ssl.SniX509ExtendedKeyManager  - Chose explicit alias null/EC on sun.security.ssl.SSLEngineImpl@3dd0a710
[server-33] DEBUG org.eclipse.jetty.util.ssl.SniX509ExtendedKeyManager  - Chose explicit alias null/RSA on sun.security.ssl.SSLEngineImpl@3dd0a710
[server-33] DEBUG org.eclipse.jetty.io.ssl.SslConnection  - fill NEED_WRAP
[server-33] DEBUG org.eclipse.jetty.io.ssl.SslConnection  - >flush SslConnection@1008464::SocketChannelEndPoint@2e9703df{l=/127.0.1.1:8443,to=31/30000}{io=0/0,kro=1}->SslConnection@1008464{NEED_WRAP,eio=0/-1,to=39/30000}=>httpconnection@1ae6359c[p=HttpParser{s=START,age=0}
[server-33] DEBUG org.eclipse.jetty.io.ssl.SslConnection  - flush b[0]=HeapByteBuffer@3335b1d9[p=0,c=0,r=0]={<<<>>>}
[server-33] DEBUG org.eclipse.jetty.io.ssl.SslConnection  - flush NEED_WRAP
[server-33] DEBUG org.eclipse.jetty.io.ssl.SslConnection  - DecryptedEndPoint@38876f9b{l=/127.0.1.1:8443,to=39/30000} stored flush exception
javax.net.ssl.SSLHandshakeException: No available authentication scheme
    at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:131)
    at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:117)
    at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:311)
    at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:267)
    at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:258)
    at java.base/sun.security.ssl.CertificateMessage$T13CertificateProducer.onProduceCertificate(CertificateMessage.java:955)
    at java.base/sun.security.ssl.CertificateMessage$T13CertificateProducer.produce(CertificateMessage.java:944)
    at java.base/sun.security.ssl.SSLHandshake.produce(SSLHandshake.java:440)
    at java.base/sun.security.ssl.ClientHello$T13ClientHelloConsumer.goServerHello(ClientHello.java:1252)
    at java.base/sun.security.ssl.ClientHello$T13ClientHelloConsumer.consume(ClientHello.java:1188)
    at java.base/sun.security.ssl.ClientHello$ClientHelloConsumer.onClientHello(ClientHello.java:851)
    at java.base/sun.security.ssl.ClientHello$ClientHelloConsumer.consume(ClientHello.java:812)
    at java.base/sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:396)
    at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:444)
    at java.base/sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction.run(SSLEngineImpl.java:1260)
    at java.base/sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction.run(SSLEngineImpl.java:1247)
    at java.base/java.security.AccessController.doPrivileged(AccessController.java:691)
    at java.base/sun.security.ssl.SSLEngineImpl$DelegatedTask.run(SSLEngineImpl.java:1192)
    at org.eclipse.jetty.io.ssl.SslConnection$DecryptedEndPoint.fill(SslConnection.java:627)
    at org.eclipse.jetty.server.httpconnection.fillRequestBuffer(httpconnection.java:354)
    at org.eclipse.jetty.server.httpconnection.onFillable(httpconnection.java:265)
    at org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(AbstractConnection.java:324)
    at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:105)
    at org.eclipse.jetty.io.ssl.SslConnection$DecryptedEndPoint.onFillable(SslConnection.java:528)
    at org.eclipse.jetty.io.ssl.SslConnection.onFillable(SslConnection.java:377)
    at org.eclipse.jetty.io.ssl.SslConnection$2.succeeded(SslConnection.java:163)
    at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:105)
    at org.eclipse.jetty.io.socketChannelEndPoint$1.run(SocketChannelEndPoint.java:106)
    at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:894)
    at org.eclipse.jetty.util.thread.QueuedThreadPool$Runner.run(QueuedThreadPool.java:1038)
    at java.base/java.lang.Thread.run(Thread.java:830)

I created the keystore with the following commands:

keytool -import -alias intermediate -trustcacerts -file gd_bundle-g2-g1.crt -keystore main.keystore -storetype jks
keytool -import -alias main -trustcacerts -file 4331e701f4d1b69.crt -keystore main.keystore

In a moment of desperation I also tried:

keytool -import -alias main -trustcacerts -file 4331e701f4d1b69.pem -keystore main.keystore

openssl crl2pkcs7 -nocrl -certfile 4331e701f4d1b69.crt -out 4331e701f4d1b69.p7b -certfile gd_bundle-g2-g1.crt
keytool -import -alias main -trustcacerts -file 4331e701f4d1b69.p7b -keystore main.keystore

The command:

keytool -list -v -keystore main.keystore

shows two keys:

Keystore type: JKS
Keystore provider: SUN

Your keystore contains 2 entries

Alias name: intermediate
Creation date: May 26,2021
Entry type: trustedCertEntry
...
Signature algorithm name: SHA256withRSA
Subject Public Key Algorithm: 2048-bit RSA key
Version: 3

Extensions: 
...
Alias name: main
Creation date: May 26,2021
Entry type: trustedCertEntry
...
Subject Public Key Algorithm: 2048-bit RSA key
Version: 3

Extensions: 
...

My code works with the self-signed certificate. I only changed the file name:

import java.io.File;
import java.io.FileNotFoundException;
import java.io.IOException;

import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;

import org.eclipse.jetty.server.HttpConfiguration;
import org.eclipse.jetty.server.HttpConnectionFactory;
import org.eclipse.jetty.server.Request;
import org.eclipse.jetty.server.SecureRequestCustomizer;
import org.eclipse.jetty.server.Server;
import org.eclipse.jetty.server.ServerConnector;
import org.eclipse.jetty.server.SslConnectionFactory;
import org.eclipse.jetty.server.handler.AbstractHandler;
import org.eclipse.jetty.util.ssl.SslContextFactory;
import org.eclipse.jetty.util.thread.QueuedThreadPool;

  // ServerException is the application's own wrapper exception; server is a field of the enclosing class.
  public void start() throws ServerException, FileNotFoundException {
    QueuedThreadPool threadPool = new QueuedThreadPool();
    threadPool.setName("server");
    server = new Server(threadPool);
    HttpConfiguration httpConfig = new HttpConfiguration();
    // false: do not reject requests whose Host header does not match the SNI name
    httpConfig.addCustomizer(new SecureRequestCustomizer(false));
    HttpConnectionFactory http11 = new HttpConnectionFactory(httpConfig);
    SslContextFactory.Server sslContextFactory = new SslContextFactory.Server();
    File file = new File("/home/esteban/.../ssl/main.keystore");
    if (!file.exists()) {
      throw new FileNotFoundException(file.toString());
    }

    sslContextFactory.setKeyStorePath(file.toString());
    sslContextFactory.setKeyStorePassword("password");

    // TLS in front of HTTP/1.1: the SSL connection factory hands decrypted bytes to http11
    SslConnectionFactory tls = new SslConnectionFactory(sslContextFactory, http11.getProtocol());
    ServerConnector connector = new ServerConnector(server, tls, http11);
    connector.setPort(8443);
    server.addConnector(connector);
    server.setHandler(new AbstractHandler() {
      @Override
      public void handle(String target, Request jettyRequest, HttpServletRequest request, HttpServletResponse response) throws IOException {
        response.getWriter().print("nada");
        jettyRequest.setHandled(true);
        response.setStatus(200);
        response.setHeader("X-URL", request.getRequestURI());
        response.setHeader("X-HOST", request.getServerName());
      }
    });

    try {
      server.start();
    } catch (Exception e) {
      throw new ServerException(e);
    }
  }

I did try using /etc/hosts on my computer to get the right host name, and I get the same result on the remote server.

I have no more ideas. I need some fresh ones.
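The keytool listing in the question shows both entries as trustedCertEntry, and the log shows Jetty's SNI key manager answering "Chose explicit alias null" for every key type before the JDK raises "No available authentication scheme": a TLS server can only present a certificate from a key entry (PrivateKeyEntry), never from a trusted certificate. The following check is an added example, not code from the question or from Jetty. It loads a keystore and reports whether it holds a private key whose certificate chain is internally consistent, currently valid and carries a dNSName SAN for the host the server is reached as. The command-line arguments, the Report class and the wildcard matching rule are assumptions made here for illustration.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Collections;
import java.util.List;

// Added example (not from the question or Jetty): check that a keystore is
// usable by a TLS server before pointing SslContextFactory at it.
public class KeyStoreCheck {

  public static final class Report {
    public final List<String> keyEntries = new ArrayList<>();
    public final List<String> trustedCertEntries = new ArrayList<>();
    public final List<String> problems = new ArrayList<>();

    // A server needs at least one key entry and no defects in its chain.
    public boolean canServeTls() {
      return !keyEntries.isEmpty() && problems.isEmpty();
    }
  }

  public static Report check(KeyStore ks, char[] keyPassword, String hostName) throws Exception {
    Report r = new Report();
    for (String alias : Collections.list(ks.aliases())) {
      if (!ks.isKeyEntry(alias)) {
        // "keytool -import" of a certificate file creates this kind of entry:
        // it lets the JVM trust a peer, it does not let this server authenticate.
        r.trustedCertEntries.add(alias);
        continue;
      }
      r.keyEntries.add(alias);
      try {
        ks.getKey(alias, keyPassword); // throws UnrecoverableKeyException on a wrong key password
      } catch (Exception e) {
        r.problems.add(alias + ": private key not readable with the given key password");
      }
      Certificate[] chain = ks.getCertificateChain(alias);
      if (chain == null || chain.length == 0) {
        r.problems.add(alias + ": key entry has no certificate chain");
        continue;
      }
      // Each certificate must be signed by the next one (leaf -> intermediate -> ...).
      for (int i = 0; i + 1 < chain.length; i++) {
        try {
          chain[i].verify(chain[i + 1].getPublicKey());
        } catch (Exception e) {
          r.problems.add(alias + ": chain[" + i + "] is not signed by chain[" + (i + 1) + "]");
        }
      }
      X509Certificate leaf = (X509Certificate) chain[0];
      try {
        leaf.checkValidity();
      } catch (Exception e) {
        r.problems.add(alias + ": leaf certificate is expired or not yet valid");
      }
      if (hostName != null && !coversHost(leaf, hostName)) {
        r.problems.add(alias + ": leaf has no dNSName SAN for " + hostName + " (SNI selection will not pick it)");
      }
    }
    if (r.keyEntries.isEmpty()) {
      r.problems.add("no PrivateKeyEntry: the keystore holds only trusted certificates, so the server has no key to authenticate with");
    }
    return r;
  }

  // True if hostName matches a dNSName SAN exactly or via a single-label wildcard (assumed rule).
  static boolean coversHost(X509Certificate cert, String hostName) throws Exception {
    Collection<List<?>> sans = cert.getSubjectAlternativeNames();
    if (sans == null) return false;
    String host = hostName.toLowerCase();
    for (List<?> san : sans) {
      if (!Integer.valueOf(2).equals(san.get(0))) continue; // GeneralName type 2 = dNSName
      String name = String.valueOf(san.get(1)).toLowerCase();
      if (name.equals(host)) return true;
      int dot = host.indexOf('.');
      if (name.startsWith("*.") && dot > 0 && host.substring(dot + 1).equals(name.substring(2))) return true;
    }
    return false;
  }

  public static void main(String[] args) throws Exception {
    if (args.length < 3) {
      System.err.println("usage: KeyStoreCheck <keystore> <store-password> <host-name> [key-password]");
      System.exit(2);
    }
    char[] storePw = args[1].toCharArray();
    char[] keyPw = args.length > 3 ? args[3].toCharArray() : storePw;
    KeyStore ks = KeyStore.getInstance("JKS"); // on Java 9+ this also loads PKCS12 files
    try (InputStream in = new FileInputStream(args[0])) {
      ks.load(in, storePw);
    }
    Report r = check(ks, keyPw, args[2]);
    System.out.println("key entries:          " + r.keyEntries);
    System.out.println("trusted cert entries: " + r.trustedCertEntries);
    r.problems.forEach(p -> System.out.println("PROBLEM: " + p));
    System.out.println(r.canServeTls() ? "OK: usable by a TLS server" : "NOT usable by a TLS server");
    System.exit(r.canServeTls() ? 0 : 1);
  }
}
```

Run it as `java KeyStoreCheck main.keystore password hayquecomer.com`; on the keystore listed in the question it reports two trusted certificate entries, no key entry and exits non-zero. Importing certificate files with `keytool -import` only ever produces trustedCertEntry items, whatever alias is used; for a server keystore the private key that the CSR was generated from has to be stored under a key alias, with the CA-signed certificate and the intermediate imported against that same alias (or the key and chain packed into a PKCS12 file with `openssl pkcs12 -export`, which Jetty loads directly).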
