我已经通过openssl创建了证书
Openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout tls.key -out tls.crt -subj "/CN=nginxsvc/O=nginxsvc"
并通过java中的keytool导入tls.crt
keytool -import -file C:\Code_Base\Certificates\NGINX_150\tls.crt -storepass changeit -keystore "C:\Program Files\Java\jdk1.8.0_152\jre\lib\security\cacerts"
但是我得到了
16:30:21,046 ERROR [org.keycloak.adapters.OAuthRequestAuthenticator] (http-/0.0.0.0:8080-1) failed to turn code into token: javax.net.ssl.SSLException: hostname in certificate didn't match: <135.209.100.150> != at org.apache.http.conn.ssl.AbstractVerifier.verify(AbstractVerifier.java:238) [httpclient-4.3.6.redhat-1.jar:4.3.6.redhat-1] at org.apache.http.conn.ssl.BrowserCompatHostnameVerifier.verify(BrowserCompatHostnameVerifier.java:54) [httpclient-4.3.6.redhat-1.jar:4.3.6.redhat-1] at org.apache.http.conn.ssl.AbstractVerifier.verify(AbstractVerifier.java:159) [httpclient-4.3.6.redhat-1.jar:4.3.6.redhat-1] at org.apache.http.conn.ssl.AbstractVerifier.verify(AbstractVerifier.java:140) [httpclient-4.3.6.redhat-1.jar:4.3.6.redhat-1] at org.apache.http.conn.ssl.SSLSocketFactory.verifyHostname(SSLSocketFactory.java:561) [httpclient-4.3.6.redhat-1.jar:4.3.6.redhat-1] at org.apache.http.conn.ssl.SSLSocketFactory.connectSocket(SSLSocketFactory.java:536) [httpclient-4.3.6.redhat-1.jar:4.3.6.redhat-1] at org.keycloak.adapters.SniSSLSocketFactory.connectSocket(SniSSLSocketFactory.java:109) [keycloak-adapter-core-2.4.0.Final.jar:2.4.0.Final] at org.apache.http.conn.ssl.SSLSocketFactory.connectSocket(SSLSocketFactory.java:403) [httpclient-4.3.6.redhat-1.jar:4.3.6.redhat-1] at org.apache.http.impl.conn.DefaultClientConnectionOperator.openConnection(DefaultClientConnectionOperator.java:177) [httpclient-4.3.6.redhat-1.jar:4.3.6.redhat-1] at org.apache.http.impl.conn.AbstractPoolEntry.open(AbstractPoolEntry.java:144) [httpclient-4.3.6.redhat-1.jar:4.3.6.redhat-1] at org.apache.http.impl.conn.AbstractPooledConnAdapter.open(AbstractPooledConnAdapter.java:131) [httpclient-4.3.6.redhat-1.jar:4.3.6.redhat-1] at org.apache.http.impl.client.DefaultRequestDirector.tryConnect(DefaultRequestDirector.java:611) [httpclient-4.3.6.redhat-1.jar:4.3.6.redhat-1] at org.apache.http.impl.client.DefaultRequestDirector.execute(DefaultRequestDirector.java:446) [httpclient-4.3.6.redhat-1.jar:4.3.6.redhat-1] at org.apache.http.impl.client.AbstractHttpClient.doExecute(AbstractHttpClient.java:863) [httpclient-4.3.6.redhat-1.jar:4.3.6.redhat-1] at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:82) [httpclient-4.3.6.redhat-1.jar:4.3.6.redhat-1] at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:106) [httpclient-4.3.6.redhat-1.jar:4.3.6.redhat-1] at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:57) [httpclient-4.3.6.redhat-1.jar:4.3.6.redhat-1] at org.keycloak.adapters.ServerRequest.invokeAccessCodeToToken(ServerRequest.java:107) [keycloak-adapter-core-2.4.0.Final.jar:2.4.0.Final] at org.keycloak.adapters.OAuthRequestAuthenticator.resolveCode(OAuthRequestAuthenticator.java:327) [keycloak-adapter-core-2.4.0.Final.jar:2.4.0.Final] at org.keycloak.adapters.OAuthRequestAuthenticator.authenticate(OAuthRequestAuthenticator.java:273) [keycloak-adapter-core-2.4.0.Final.jar:2.4.0.Final] at org.keycloak.adapters.RequestAuthenticator.authenticate(RequestAuthenticator.java:130) [keycloak-adapter-core-2.4.0.Final.jar:2.4.0.Final] at org.keycloak.adapters.tomcat.AbstractKeycloakAuthenticatorValve.authenticateInternal(AbstractKeycloakAuthenticatorValve.java:208) [keycloak-tomcat-core-adapter-2.4.0.Final.jar:2.4.0.Final] at org.keycloak.adapters.jbossweb.KeycloakAuthenticatorValve.authenticate(KeycloakAuthenticatorValve.java:39) [keycloak-as7-adapter-2.4.0.Final.jar:2.4.0.Final] at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:478) [jbossweb-7.5.7.Final-redhat-1.jar:7.5.7.Final-redhat-1] at org.keycloak.adapters.tomcat.AbstractKeycloakAuthenticatorValve.invoke(AbstractKeycloakAuthenticatorValve.java:187) [keycloak-tomcat-core-adapter-2.4.0.Final.jar:2.4.0.Final] at org.jboss.as.web.security.SecurityContextAssociationValve.invoke(SecurityContextAssociationValve.java:169) [jboss-as-web-7.5.0.Final-redhat-21.jar:7.5.0.Final-redhat-21] at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:150) [jbossweb-7.5.7.Final-redhat-1.jar:7.5.7.Final-redhat-1] at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:97) [jbossweb-7.5.7.Final-redhat-1.jar:7.5.7.Final-redhat-1] at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:102) [jbossweb-7.5.7.Final-redhat-1.jar:7.5.7.Final-redhat-1] at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:344) [jbossweb-7.5.7.Final-redhat-1.jar:7.5.7.Final-redhat-1] at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:854) [jbossweb-7.5.7.Final-redhat-1.jar:7.5.7.Final-redhat-1] at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:653) [jbossweb-7.5.7.Final-redhat-1.jar:7.5.7.Final-redhat-1] at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:926) [jbossweb-7.5.7.Final-redhat-1.jar:7.5.7.Final-redhat-1] at java.lang.Thread.run(Thread.java:748) [rt.jar:1.8.0_152]
最佳答案
当 common name 出现时,会发生公共(public)名称不匹配错误(或 SAN s)您的 SSL/TLS 证书与尝试访问您的服务时其他服务连接到的主机 + 域名不匹配。
您的 CommonName (CN=nginxsvc) 应与服务的主机和域名/IP 相匹配。因此,如果您的服务位于 nginxservice.yourdomain.com,则证书公用名也应为 nginxservice.yourdomain.com。如果您仅将 IP 用于开发目的,您也可以使用该 IP,直到您拥有用于您的服务的 DNS 条目。
关于java - 证书中的主机名在 OAuth 请求中不匹配,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/48500408/