Jetty 11. Не удалось установить безопасное соединение с сертификатом GoDaddy

#java #ssl #jetty

Вопрос:

Я пытаюсь использовать сертификат Godaddy для создания безопасного http-соединения.

Сначала я протестировал свой код с самозаверяющим сертификатом, и всё работало нормально, но когда я пытаюсь использовать сертификат от GoDaddy, я получаю SSL_ERROR_HANDSHAKE_FAILURE_ALERT в Firefox и ERR_SSL_PROTOCOL_ERROR в Chrome. Исключения нет. Ошибок в журнале нет. Никаких сообщений.

 Secure Connection Failed

An error occurred during a connection to servername.com:8443. SSL peer was unable to negotiate an acceptable set of security parameters.

Error code: SSL_ERROR_HANDSHAKE_FAILURE_ALERT

    The page you are trying to view cannot be shown because the authenticity of the received data could not be verified.
    Please contact the website owners to inform them of this problem.
 

Журнал отладки перед исключением:

 [server-33] DEBUG org.eclipse.jetty.util.thread.QueuedThreadPool  - Runner started for QueuedThreadPool[server]@33e5ccce{STARTED,8<=12<=200,i=0,r=-1,q=0}[ReservedThreadExecutor@627551fb{s=1/16,p=0}]
[server-22] DEBUG org.eclipse.jetty.io.SocketChannelEndPoint  - Key interests updated 1 -> 0 on SocketChannelEndPoint@2e9703df{l=/127.0.1.1:8443,r=/127.0.0.1:41822,OPEN,fill=FI,flush=-,to=4/30000}{io=0/0,kio=0,kro=1}->SslConnection@1008464{NOT_HANDSHAKING,eio=-1/-1,di=-1,fill=INTERESTED,flush=IDLE}~>DecryptedEndPoint@38876f9b{l=/127.0.1.1:8443,r=/127.0.0.1:41822,OPEN,fill=FI,flush=-,to=4/30000}=>HttpConnection@1ae6359c[p=HttpParser{s=START,0 of -1},g=HttpGenerator@c862f5c{s=START}]=>HttpChannelOverHttp@525f5018{s=HttpChannelState@3f48616b{s=IDLE rs=BLOCKING os=OPEN is=IDLE awp=false se=false i=true al=0},r=0,c=false/false,a=IDLE,uri=null,age=0}
[server-22] DEBUG org.eclipse.jetty.io.ManagedSelector  - Selector sun.nio.ch.EPollSelectorImpl@3fc1893b waiting with 1 keys
[server-33] DEBUG org.eclipse.jetty.util.thread.QueuedThreadPool  - run SocketChannelEndPoint@2e9703df{l=/127.0.1.1:8443,r=/127.0.0.1:41822,OPEN,fill=FI,flush=-,to=4/30000}{io=0/0,kio=0,kro=1}->SslConnection@1008464{NOT_HANDSHAKING,eio=-1/-1,di=-1,fill=INTERESTED,flush=IDLE}~>DecryptedEndPoint@38876f9b{l=/127.0.1.1:8443,r=/127.0.0.1:41822,OPEN,fill=FI,flush=-,to=5/30000}=>HttpConnection@1ae6359c[p=HttpParser{s=START,0 of -1},g=HttpGenerator@c862f5c{s=START}]=>HttpChannelOverHttp@525f5018{s=HttpChannelState@3f48616b{s=IDLE rs=BLOCKING os=OPEN is=IDLE awp=false se=false i=true al=0},r=0,c=false/false,a=IDLE,uri=null,age=0}:runFillable:BLOCKING in QueuedThreadPool[server]@33e5ccce{STARTED,8<=12<=200,i=0,r=-1,q=0}[ReservedThreadExecutor@627551fb{s=1/16,p=0}]
[server-33] DEBUG org.eclipse.jetty.io.FillInterest  - fillable FillInterest@6d28095a{SSLC.NBReadCB@1008464{SslConnection@1008464::SocketChannelEndPoint@2e9703df{l=/127.0.1.1:8443,r=/127.0.0.1:41822,OPEN,fill=FI,flush=-,to=4/30000}{io=0/0,kio=0,kro=1}->SslConnection@1008464{NOT_HANDSHAKING,eio=-1/-1,di=-1,fill=INTERESTED,flush=IDLE}~>DecryptedEndPoint@38876f9b{l=/127.0.1.1:8443,r=/127.0.0.1:41822,OPEN,fill=FI,flush=-,to=5/30000}=>HttpConnection@1ae6359c[p=HttpParser{s=START,0 of -1},g=HttpGenerator@c862f5c{s=START}]=>HttpChannelOverHttp@525f5018{s=HttpChannelState@3f48616b{s=IDLE rs=BLOCKING os=OPEN is=IDLE awp=false se=false i=true al=0},r=0,c=false/false,a=IDLE,uri=null,age=0}}}
[server-33] DEBUG org.eclipse.jetty.io.ssl.SslConnection  - >c.onFillable SslConnection@1008464::SocketChannelEndPoint@2e9703df{l=/127.0.1.1:8443,r=/127.0.0.1:41822,OPEN,fill=-,flush=-,to=5/30000}{io=0/0,kio=0,kro=1}->SslConnection@1008464{NOT_HANDSHAKING,eio=-1/-1,di=-1,fill=INTERESTED,flush=IDLE}~>DecryptedEndPoint@38876f9b{l=/127.0.1.1:8443,r=/127.0.0.1:41822,OPEN,fill=FI,flush=-,to=5/30000}=>HttpConnection@1ae6359c[p=HttpParser{s=START,0 of -1},g=HttpGenerator@c862f5c{s=START}]=>HttpChannelOverHttp@525f5018{s=HttpChannelState@3f48616b{s=IDLE rs=BLOCKING os=OPEN is=IDLE awp=false se=false i=true al=0},r=0,c=false/false,a=IDLE,uri=null,age=0}
[server-33] DEBUG org.eclipse.jetty.io.ssl.SslConnection  - onFillable SslConnection@1008464::SocketChannelEndPoint@2e9703df{l=/127.0.1.1:8443,r=/127.0.0.1:41822,OPEN,fill=-,flush=-,to=5/30000}{io=0/0,kio=0,kro=1}->SslConnection@1008464{NOT_HANDSHAKING,eio=-1/-1,di=-1,fill=INTERESTED,flush=IDLE}~>DecryptedEndPoint@38876f9b{l=/127.0.1.1:8443,r=/127.0.0.1:41822,OPEN,fill=FI,flush=-,to=6/30000}=>HttpConnection@1ae6359c[p=HttpParser{s=START,0 of -1},g=HttpGenerator@c862f5c{s=START}]=>HttpChannelOverHttp@525f5018{s=HttpChannelState@3f48616b{s=IDLE rs=BLOCKING os=OPEN is=IDLE awp=false se=false i=true al=0},r=0,c=false/false,a=IDLE,uri=null,age=0}
[server-33] DEBUG org.eclipse.jetty.io.FillInterest  - fillable FillInterest@66f8bebc{AC.ReadCB@1ae6359c{HttpConnection@1ae6359c::DecryptedEndPoint@38876f9b{l=/127.0.1.1:8443,r=/127.0.0.1:41822,OPEN,fill=FI,flush=-,to=6/30000}}}
[server-33] DEBUG org.eclipse.jetty.server.HttpConnection  - HttpConnection@1ae6359c::DecryptedEndPoint@38876f9b{l=/127.0.1.1:8443,r=/127.0.0.1:41822,OPEN,fill=-,flush=-,to=6/30000} onFillable enter HttpChannelState@3f48616b{s=IDLE rs=BLOCKING os=OPEN is=IDLE awp=false se=false i=true al=0} null
[server-33] DEBUG org.eclipse.jetty.io.ssl.SslConnection  - >fill SslConnection@1008464::SocketChannelEndPoint@2e9703df{l=/127.0.1.1:8443,r=/127.0.0.1:41822,OPEN,fill=-,flush=-,to=5/30000}{io=0/0,kio=0,kro=1}->SslConnection@1008464{NOT_HANDSHAKING,eio=-1/-1,di=-1,fill=IDLE,flush=IDLE}~>DecryptedEndPoint@38876f9b{l=/127.0.1.1:8443,r=/127.0.0.1:41822,OPEN,fill=-,flush=-,to=6/30000}=>HttpConnection@1ae6359c[p=HttpParser{s=START,0 of -1},g=HttpGenerator@c862f5c{s=START}]=>HttpChannelOverHttp@525f5018{s=HttpChannelState@3f48616b{s=IDLE rs=BLOCKING os=OPEN is=IDLE awp=false se=false i=true al=0},r=0,c=false/false,a=IDLE,uri=null,age=0}
[server-33] DEBUG org.eclipse.jetty.io.ssl.SslConnection  - fill NOT_HANDSHAKING
[server-33] DEBUG org.eclipse.jetty.io.SocketChannelEndPoint  - filled 517 HeapByteBuffer@7a6e94fa[p=0,l=517,c=17408,r=517]={<<<x16x03x01x02x00x01x00x01xFcx03x03xCcxB0>x1f8"xCfxD6-^mx04xC0xC3...x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00x00>>>x00x00x00x00x00x00x00x00x00...x00x00x00x00x00x00x00}
[server-33] DEBUG org.eclipse.jetty.io.ssl.SslConnection  - net filled=517
[server-33] DEBUG org.eclipse.jetty.io.ssl.SslConnection  - fill starting handshake SslConnection@1008464::SocketChannelEndPoint@2e9703df{l=/127.0.1.1:8443,r=/127.0.0.1:41822,OPEN,fill=-,flush=-,to=0/30000}{io=0/0,kio=0,kro=1}->SslConnection@1008464{NOT_HANDSHAKING,eio=517/-1,di=-1,fill=IDLE,flush=IDLE}~>DecryptedEndPoint@38876f9b{l=/127.0.1.1:8443,r=/127.0.0.1:41822,OPEN,fill=-,flush=-,to=7/30000}=>HttpConnection@1ae6359c[p=HttpParser{s=START,0 of -1},g=HttpGenerator@c862f5c{s=START}]=>HttpChannelOverHttp@525f5018{s=HttpChannelState@3f48616b{s=IDLE rs=BLOCKING os=OPEN is=IDLE awp=false se=false i=true al=0},r=0,c=false/false,a=IDLE,uri=null,age=0}
[server-33] DEBUG org.eclipse.jetty.io.ssl.SslConnection  - unwrap net_filled=517 Status = OK HandshakeStatus = NEED_TASK bytesConsumed = 517 bytesProduced = 0 encryptedBuffer=[p=517,l=517,c=17408,r=0] unwrapBuffer=DirectByteBuffer@73daf2e[p=0,l=0,c=17408,r=0]={<<<>>>x00x00x00x00x00x00x00x00x00...x00x00x00x00x00x00x00} appBuffer=DirectByteBuffer@73daf2e[p=0,l=0,c=17408,r=0]={<<<>>>x00x00x00x00x00x00x00x00x00...x00x00x00x00x00x00x00}
[server-33] DEBUG org.eclipse.jetty.io.ssl.SslConnection  - fill NEED_TASK
[server-33] DEBUG org.eclipse.jetty.util.ssl.SslContextFactory  - SNI matching for type=host_name (0), value=hayquecomer.com
[server-33] DEBUG org.eclipse.jetty.util.ssl.SslContextFactory  - SNI host name hayquecomer.com
[server-33] DEBUG org.eclipse.jetty.util.ssl.SniX509ExtendedKeyManager  - Chose explicit alias null/EC on sun.security.ssl.SSLEngineImpl@3dd0a710
[server-33] DEBUG org.eclipse.jetty.util.ssl.SniX509ExtendedKeyManager  - Chose explicit alias null/EC on sun.security.ssl.SSLEngineImpl@3dd0a710
[server-33] DEBUG org.eclipse.jetty.util.ssl.SniX509ExtendedKeyManager  - Chose explicit alias null/EC on sun.security.ssl.SSLEngineImpl@3dd0a710
[server-33] DEBUG org.eclipse.jetty.util.ssl.SniX509ExtendedKeyManager  - Chose explicit alias null/RSA on sun.security.ssl.SSLEngineImpl@3dd0a710
[server-33] DEBUG org.eclipse.jetty.util.ssl.SniX509ExtendedKeyManager  - Chose explicit alias null/RSA on sun.security.ssl.SSLEngineImpl@3dd0a710
[server-33] DEBUG org.eclipse.jetty.util.ssl.SniX509ExtendedKeyManager  - Chose explicit alias null/RSA on sun.security.ssl.SSLEngineImpl@3dd0a710
[server-33] DEBUG org.eclipse.jetty.util.ssl.SniX509ExtendedKeyManager  - Chose explicit alias null/RSA on sun.security.ssl.SSLEngineImpl@3dd0a710
[server-33] DEBUG org.eclipse.jetty.util.ssl.SniX509ExtendedKeyManager  - Chose explicit alias null/RSA on sun.security.ssl.SSLEngineImpl@3dd0a710
[server-33] DEBUG org.eclipse.jetty.util.ssl.SniX509ExtendedKeyManager  - Chose explicit alias null/RSA on sun.security.ssl.SSLEngineImpl@3dd0a710
[server-33] DEBUG org.eclipse.jetty.util.ssl.SniX509ExtendedKeyManager  - Chose explicit alias null/EC on sun.security.ssl.SSLEngineImpl@3dd0a710
[server-33] DEBUG org.eclipse.jetty.util.ssl.SniX509ExtendedKeyManager  - Chose explicit alias null/RSA on sun.security.ssl.SSLEngineImpl@3dd0a710
[server-33] DEBUG org.eclipse.jetty.io.ssl.SslConnection  - fill NEED_WRAP
[server-33] DEBUG org.eclipse.jetty.io.ssl.SslConnection  - >flush SslConnection@1008464::SocketChannelEndPoint@2e9703df{l=/127.0.1.1:8443,r=/127.0.0.1:41822,OPEN,fill=-,flush=-,to=31/30000}{io=0/0,kio=0,kro=1}->SslConnection@1008464{NEED_WRAP,eio=0/-1,di=-1,fill=IDLE,flush=IDLE}~>DecryptedEndPoint@38876f9b{l=/127.0.1.1:8443,r=/127.0.0.1:41822,OPEN,fill=-,flush=-,to=39/30000}=>HttpConnection@1ae6359c[p=HttpParser{s=START,0 of -1},g=HttpGenerator@c862f5c{s=START}]=>HttpChannelOverHttp@525f5018{s=HttpChannelState@3f48616b{s=IDLE rs=BLOCKING os=OPEN is=IDLE awp=false se=false i=true al=0},r=0,c=false/false,a=IDLE,uri=null,age=0}
[server-33] DEBUG org.eclipse.jetty.io.ssl.SslConnection  - flush b[0]=HeapByteBuffer@3335b1d9[p=0,l=0,c=0,r=0]={<<<>>>}
[server-33] DEBUG org.eclipse.jetty.io.ssl.SslConnection  - flush NEED_WRAP
[server-33] DEBUG org.eclipse.jetty.io.ssl.SslConnection  - DecryptedEndPoint@38876f9b{l=/127.0.1.1:8443,r=/127.0.0.1:41822,OPEN,fill=-,flush=-,to=39/30000} stored flush exception
javax.net.ssl.SSLHandshakeException: No available authentication scheme
    at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:131)
    at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:117)
    at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:311)
    at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:267)
    at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:258)
    at java.base/sun.security.ssl.CertificateMessage$T13CertificateProducer.onProduceCertificate(CertificateMessage.java:955)
    at java.base/sun.security.ssl.CertificateMessage$T13CertificateProducer.produce(CertificateMessage.java:944)
    at java.base/sun.security.ssl.SSLHandshake.produce(SSLHandshake.java:440)
    at java.base/sun.security.ssl.ClientHello$T13ClientHelloConsumer.goServerHello(ClientHello.java:1252)
    at java.base/sun.security.ssl.ClientHello$T13ClientHelloConsumer.consume(ClientHello.java:1188)
    at java.base/sun.security.ssl.ClientHello$ClientHelloConsumer.onClientHello(ClientHello.java:851)
    at java.base/sun.security.ssl.ClientHello$ClientHelloConsumer.consume(ClientHello.java:812)
    at java.base/sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:396)
    at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:444)
    at java.base/sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction.run(SSLEngineImpl.java:1260)
    at java.base/sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction.run(SSLEngineImpl.java:1247)
    at java.base/java.security.AccessController.doPrivileged(AccessController.java:691)
    at java.base/sun.security.ssl.SSLEngineImpl$DelegatedTask.run(SSLEngineImpl.java:1192)
    at org.eclipse.jetty.io.ssl.SslConnection$DecryptedEndPoint.fill(SslConnection.java:627)
    at org.eclipse.jetty.server.HttpConnection.fillRequestBuffer(HttpConnection.java:354)
    at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:265)
    at org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(AbstractConnection.java:324)
    at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:105)
    at org.eclipse.jetty.io.ssl.SslConnection$DecryptedEndPoint.onFillable(SslConnection.java:528)
    at org.eclipse.jetty.io.ssl.SslConnection.onFillable(SslConnection.java:377)
    at org.eclipse.jetty.io.ssl.SslConnection$2.succeeded(SslConnection.java:163)
    at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:105)
    at org.eclipse.jetty.io.SocketChannelEndPoint$1.run(SocketChannelEndPoint.java:106)
    at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:894)
    at org.eclipse.jetty.util.thread.QueuedThreadPool$Runner.run(QueuedThreadPool.java:1038)
    at java.base/java.lang.Thread.run(Thread.java:830)
 

Я создал хранилище ключей, используя следующие команды:

 keytool -import -alias intermediate -trustcacerts -file gd_bundle-g2-g1.crt -keystore main.keystore -storetype jks
keytool -import -alias main -trustcacerts -file 4331e701f4d1b69.crt -keystore main.keystore
 

И в отчаянный момент тоже попытался с:

 keytool -import -alias main -trustcacerts -file 4331e701f4d1b69.pem -keystore main.keystore
 

и

 openssl crl2pkcs7 -nocrl -certfile 4331e701f4d1b69.crt -out 4331e701f4d1b69.p7b -certfile gd_bundle-g2-g1.crt
keytool -import -alias main -trustcacerts -file 4331e701f4d1b69.p7b -keystore main.keystore
 

The command:

 keytool -list -v -keystore main.keystore
 

The command shows two keys:

 Keystore type: JKS
Keystore provider: SUN

Your keystore contains 2 entries

Alias name: intermediate
Creation date: May 26, 2021
Entry type: trustedCertEntry
...
Signature algorithm name: SHA256withRSA
Subject Public Key Algorithm: 2048-bit RSA key
Version: 3

Extensions: 
...
Alias name: main
Creation date: May 26, 2021
Entry type: trustedCertEntry
...
Subject Public Key Algorithm: 2048-bit RSA key
Version: 3

Extensions: 
...
 

И мой код работает с самозаверяющим сертификатом. Я меняю только имя файла:

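   /**
    * Builds and starts the HTTPS server on port 8443.
    *
    * <p>TLS key material is read from a JKS keystore on disk. The keystore has to hold a key
    * entry (private key plus certificate chain) for the server certificate; a keystore that
    * contains only {@code trustedCertEntry} entries gives the JDK nothing to authenticate
    * with and the handshake fails with "No available authentication scheme".
    *
    * @throws FileNotFoundException if the keystore file does not exist
    * @throws ServerException if Jetty fails to start; the underlying cause is preserved
    */
   public void start() throws ServerException, FileNotFoundException {
    QueuedThreadPool threadPool = new QueuedThreadPool();
    threadPool.setName("server");
    server = new Server(threadPool);

    HttpConfiguration httpConfig = new HttpConfiguration();
    // NOTE(review): the boolean appears to be Jetty's sniHostCheck flag; false disables the
    // check that the request Host header matches the SNI name from the handshake. Keep it
    // only if mismatched hosts are expected, otherwise prefer the default (check enabled).
    httpConfig.addCustomizer(new SecureRequestCustomizer(false));
    HttpConnectionFactory http11 = new HttpConnectionFactory(httpConfig);

    SslContextFactory.Server sslContextFactory = new SslContextFactory.Server();
    File keystoreFile = new File("/home/esteban/.../ssl/main.keystore");
    if (!keystoreFile.exists()) {
      throw new FileNotFoundException(keystoreFile.toString());
    }

    sslContextFactory.setKeyStorePath(keystoreFile.toString());
    // NOTE(review): the keystore password is hard-coded in source; read it from configuration
    // or the environment instead so that it is not committed alongside the code.
    sslContextFactory.setKeyStorePassword("password");

    SslConnectionFactory tls = new SslConnectionFactory(sslContextFactory, http11.getProtocol());
    ServerConnector connector = new ServerConnector(server, tls, http11);
    connector.setPort(8443);
    server.addConnector(connector);
    server.setHandler(new AbstractHandler() {
      /** Answers every request with status 200, the body "nada", and the URI/host echoed in headers. */
      @Override
      public void handle(String target, Request jettyRequest, HttpServletRequest request,
                         HttpServletResponse response) throws IOException {
        // Status and headers are set before the body is written: once a response is
        // committed the servlet container ignores further status/header changes, so the
        // original order (body first) only worked because the short body stayed buffered.
        response.setStatus(200);
        response.setHeader("X-URL", request.getRequestURI());
        response.setHeader("X-HOST", request.getServerName());
        response.getWriter().print("nada");
        jettyRequest.setHandled(true);
      }
    });

    try {
      server.start();
    } catch (Exception e) {
      // Wrap rather than rethrow so callers deal with one checked type; the cause is kept.
      throw new ServerException(e);
    }
  }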
 

Я пробовал и на своём компьютере (с записью в /etc/hosts, чтобы имя хоста было правильным), и на удалённом сервере — с тем же результатом.

У меня больше нет идей. Мне нужен свежий взгляд.

Комментарии:

1. Ваше хранилище ключей не содержит пар ключей. Как ваш собственный сертификат, так и сертификаты центра сертификации были импортированы в качестве доверенных сертификатов ЦС (в журнале это видно по повторяющимся строкам `Chose explicit alias null/RSA` — подходящая запись с ключом не найдена). Вам необходимо импортировать свой собственный сертификат без опции -trustcacerts и использовать тот же псевдоним, под которым вы создали исходную пару ключей и CSR. Тогда сертификат будет связан с парой ключей и будет отображаться как запись ключа, а не как запись доверенного сертификата.

2. Я уже создавал самозаверяющий сертификат, и он отлично работает. Моя проблема в сертификате GoDaddy. Я не создавал этот сертификат, GoDaddy выдал его мне, и у меня нет для него никакого псевдонима. У меня просто есть zip-файл от GoDaddy с файлами xxx.pem, xxx.crt и gd_bundle-g2-g1.crt («GoDaddy Certificate Bundles — G2 с кросс-подписью G1, включая корневой сертификат»).

3. Как вы получили сертификат? Сначала вам нужно было создать пару ключей, а затем CSR. Где находится эта пара ключей? Как вы создали CSR?