java - Cassandra 需要_client_auth : true problem

标签 java ssl cassandra

Cassandra 版本为 3.11,在 docker 中运行

我对 cassandra.yml 中的以下条目有疑问
require_client_auth: 在 client_encryption_options block 中为真。

如果我设置为 true,我在运行 cqlsh --ssl 时会在日志中收到以下错误消息:

io.netty.handler.codec.DecoderException: javax.net.ssl.SSLHandshakeException: null cert chain
at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:442) ~[netty-all-4.0.44.Final.jar:4.0.44.Final]
at io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:248) ~[netty-all-4.0.44.Final.jar:4.0.44.Final]
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:357) [netty-all-4.0.44.Final.jar:4.0.44.Final]
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:343) [netty-all-4.0.44.Final.jar:4.0.44.Final]
at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:336) [netty-all-4.0.44.Final.jar:4.0.44.Final]
at io.netty.channel.DefaultChannelPipeline$HeadContext.channelRead(DefaultChannelPipeline.java:1294) [netty-all-4.0.44.Final.jar:4.0.44.Final]
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:357) [netty-all-4.0.44.Final.jar:4.0.44.Final]
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:343) [netty-all-4.0.44.Final.jar:4.0.44.Final]
at io.netty.channel.DefaultChannelPipeline.fireChannelRead(DefaultChannelPipeline.java:911) [netty-all-4.0.44.Final.jar:4.0.44.Final]
at io.netty.channel.epoll.AbstractEpollStreamChannel$EpollStreamUnsafe.epollInReady(AbstractEpollStreamChannel.java:934) [netty-all-4.0.44.Final.jar:4.0.44.Final]
at io.netty.channel.epoll.EpollEventLoop.processReady(EpollEventLoop.java:397) [netty-all-4.0.44.Final.jar:4.0.44.Final]
at io.netty.channel.epoll.EpollEventLoop.run(EpollEventLoop.java:302) [netty-all-4.0.44.Final.jar:4.0.44.Final]
at io.netty.util.concurrent.SingleThreadEventExecutor$2.run(SingleThreadEventExecutor.java:131) [netty-all-4.0.44.Final.jar:4.0.44.Final]
at io.netty.util.concurrent.DefaultThreadFactory$DefaultRunnableDecorator.run(DefaultThreadFactory.java:144) [netty-all-4.0.44.Final.jar:4.0.44.Final]
at java.lang.Thread.run(Thread.java:748) [na:1.8.0_232]

使用此页面生成证书:
https://docs.datastax.com/en/cassandra-oss/3.0/cassandra/configuration/secureSSLCertWithCA.html

在 cqlshrc 中写了以下内容:
[authentication]
username = xxx
password = xxx

[connection]
hostname = 127.0.0.1
port = 9042

[ssl]
certfile = /etc/cassandra/xxx.crt
validate = false

我已经多次重新生成和集成证书。没有成功。

编辑:

好的,现在错误随着零证书链消失了。执行 cqlsh --ssl 时会发生以下情况:

连接错误:('无法连接到任何服务器',{'127.0.0.1':错误(0,u“尝试连接到[('127.0.0.1',9042)]。最后一个错误:未知错误(_ssl.c :2947)")})
我不确定将哪个文件转换为 PKCS12 文件。我已经生成了以下证书:

node1.keystore、server-truststore、node1.csr、node1.crt_signed、rootCa.srl、rootCa.key 和 rootCa.crt

我应该从哪个文件生成 PKCS12 文件?

对不起,我是加密世界的新手。

我的 .pem 文件现在看起来像这样:
Bag Attributes
    friendlyName: node1
    localKeyID: 54 69 6D 65 20 31 35 38 35 30 36 39 35 35 35 37 33 36
subject=/C=US/O=YourCompany/OU=TestCluster/CN=node1
issuer=/C=US/O=YourCompany/OU=TestCluster/CN=rootCa
-----BEGIN CERTIFICATE-----
MIIDFTCCAf0CCQDSyTTMgIHuHDANBgkqhkiG9w0BAQUFADBKMQswCQYDVQQGEwJV
UzEUMBIGA1UECgwLWW91ckNvbXBhbnkxFDASBgNVBAsMC1Rlc3RDbHVzdGVyMQ8w
DQYDVQQDDAZyb290Q2EwHhcNMjAwMzI0MTY1NzMwWhcNMjEwMzI0MTY1NzMwWjBP
MQswCQYDVQQGEwJVUzEUMBIGA1UEChMLWW91ckNvbXBhbnkxFDASBgNVBAsTC1Rl
c3RDbHVzdGVyMRQwEgYDVQQDEwsxMC4yMC4wLjEwMTCCASIwDQYJKoZIhvcNAQEB
BQADggEPADCCAQoCggEBAMVTnpvTvMEFswzhTUeJYoTHB04MBx6hEh1pirqhlfVA
Nd8DJ6hR4KZFZ8nMxsw5etkR9iyPVaN4/Hdem6r/t8tHrPWPIADPULR9Kh7Y1s7f
dvAnro0ZpyMtLmabhbxEk4Z0B7ku8NkYdsCuQsIsCZEM0pGDYv3VOmyV/LryQA2x
qGYc0DNYXAVuaqlXrnFc/w4l9UQFxDwWDx05VB0wxXTXf/NnF2UZAB3FZIBIJQhf
pEqbdNiTK4nzK//RF+SBN+2o5YP12CIaDr+163t/2PAcm0W+attmDox5+41IQSF2
CTMW7XXjuIvJ6lLe6HfqouURWPtkyu86ik+p29kaEpMCAwEAATANBgkqhkiG9w0B
AQUFAAOCAQEAJgMDzdcE1CyjERjuxOuTxJYk9QSefLAJI4lFPOO0vNlbkteippE+
vWEc/AvYAEWVHUVPZbOvL45XkaIsUGV9pXpC4/XGv0eMp+sPyEcHdaALxc5n1qsj
ag2FhqVHCoyfwYIIefiS7nXKENKtBTMDSuNNmNMb/cksACP7rouz6ID74u7lDMBH
VcZpzu6ttpO+aLNBe3iSbDA1Ne8Nh33tm94L4FhE7oorA7o+urT1PlWARAopDtzk
Bj0DGK0mco4w1dJazAhDkii39XkAWfs3LvpXC1DijMC8O51iTJJho5bGGcPVe4dy
+9JId48wrN1sTcLhPyI60uEZGDGr8awKwQ==
-----END CERTIFICATE-----
Bag Attributes
    friendlyName: CN=rootCa,OU=TestCluster,O=YourCompany,C=US
subject=/C=US/O=YourCompany/OU=TestCluster/CN=rootCa
issuer=/C=US/O=YourCompany/OU=TestCluster/CN=rootCa
-----BEGIN CERTIFICATE-----
MIIDEDCCAfgCCQC64l3iiXV4SDANBgkqhkiG9w0BAQsFADBKMQswCQYDVQQGEwJV
UzEUMBIGA1UECgwLWW91ckNvbXBhbnkxFDASBgNVBAsMC1Rlc3RDbHVzdGVyMQ8w
DQYDVQQDDAZyb290Q2EwHhcNMjAwMzI0MTY1MzU2WhcNMjEwMzI0MTY1MzU2WjBK
MQswCQYDVQQGEwJVUzEUMBIGA1UECgwLWW91ckNvbXBhbnkxFDASBgNVBAsMC1Rl
c3RDbHVzdGVyMQ8wDQYDVQQDDAZyb290Q2EwggEiMA0GCSqGSIb3DQEBAQUAA4IB
DwAwggEKAoIBAQDCC7NIswTCqQVoECBRuH8Z3HimZhLeLG+VWXJ6Um4TMB80MVgB
ToLfqSnGwS0yCB2G6tZWoN8joiz/3bbfYXLnVggj48z4ZMxykHmKwWcsRgScKPU9
BeZW2/trlplbIkOEy8J544Q9212d9r1jnMXCITPKVmi/GVCD+VBxqYbD9nLGdNwM
D4q+s2BrRIq+13U52ntA86rvI+Jgu4SNBp5yD089kmgnrbRJwUvtCLZYc87u0rp9
5KI+5iag0A7v0Xu2/Dh3fQMO+YQrsajOo9OZ/dxhZBxdArWdgMqmC5R9kvPx3ypv
yM0rGaIrobj5y9QSm77ptraO02wJR4I/USsFAgMBAAEwDQYJKoZIhvcNAQELBQAD
ggEBAE+Bm7q05PdW3UZJ6ozl72/zuMDUQxDIiGQO+caNNyyqPy/d6A0+cwJ5J0JS
eQeS2Cg8knk5cjIsB5Ah3TuMnWPaOS7Eb8PrKjN7+up9ZxMMuIrLIUllYDFzfUMf
rMJ/mxR+8whKq9Umec3pAtGfzRwFdNJn9gqis71/02gK10cmq9MN0tyi7hD+9kTE
iC/mqJX5iCyiFluwRxlVP1tAPaD4RRtafpFHX9X9FYksUf/8mwr+3pNwfdBfIXW7
8A+k198jx326SbtQZBA5yWPTKpI9Mamm0704NjA2OH/0OceBq2rYv7GKfRYQxC4/
DUAlJYlfxCyqxjGqBp/RFMJ1Epg=
-----END CERTIFICATE-----
Bag Attributes
    friendlyName: rootca
    2.16.840.1.113894.746875.1.1: <Unsupported tag 6>
subject=/C=US/O=YourCompany/OU=TestCluster/CN=rootCa
issuer=/C=US/O=YourCompany/OU=TestCluster/CN=rootCa
-----BEGIN CERTIFICATE-----
MIIDEDCCAfgCCQC64l3iiXV4SDANBgkqhkiG9w0BAQsFADBKMQswCQYDVQQGEwJV
UzEUMBIGA1UECgwLWW91ckNvbXBhbnkxFDASBgNVBAsMC1Rlc3RDbHVzdGVyMQ8w
DQYDVQQDDAZyb290Q2EwHhcNMjAwMzI0MTY1MzU2WhcNMjEwMzI0MTY1MzU2WjBK
MQswCQYDVQQGEwJVUzEUMBIGA1UECgwLWW91ckNvbXBhbnkxFDASBgNVBAsMC1Rl
c3RDbHVzdGVyMQ8wDQYDVQQDDAZyb290Q2EwggEiMA0GCSqGSIb3DQEBAQUAA4IB
DwAwggEKAoIBAQDCC7NIswTCqQVoECBRuH8Z3HimZhLeLG+VWXJ6Um4TMB80MVgB
ToLfqSnGwS0yCB2G6tZWoN8joiz/3bbfYXLnVggj48z4ZMxykHmKwWcsRgScKPU9
BeZW2/trlplbIkOEy8J544Q9212d9r1jnMXCITPKVmi/GVCD+VBxqYbD9nLGdNwM
D4q+s2BrRIq+13U52ntA86rvI+Jgu4SNBp5yD089kmgnrbRJwUvtCLZYc87u0rp9
5KI+5iag0A7v0Xu2/Dh3fQMO+YQrsajOo9OZ/dxhZBxdArWdgMqmC5R9kvPx3ypv
yM0rGaIrobj5y9QSm77ptraO02wJR4I/USsFAgMBAAEwDQYJKoZIhvcNAQELBQAD
ggEBAE+Bm7q05PdW3UZJ6ozl72/zuMDUQxDIiGQO+caNNyyqPy/d6A0+cwJ5J0JS
eQeS2Cg8knk5cjIsB5Ah3TuMnWPaOS7Eb8PrKjN7+up9ZxMMuIrLIUllYDFzfUMf
rMJ/mxR+8whKq9Umec3pAtGfzRwFdNJn9gqis71/02gK10cmq9MN0tyi7hD+9kTE
iC/mqJX5iCyiFluwRxlVP1tAPaD4RRtafpFHX9X9FYksUf/8mwr+3pNwfdBfIXW7
8A+k198jx326SbtQZBA5yWPTKpI9Mamm0704NjA2OH/0OceBq2rYv7GKfRYQxC4/
DUAlJYlfxCyqxjGqBp/RFMJ1Epg=
-----END CERTIFICATE-----

有了这个 .pem 文件,我得到了这个空证书链错误

最佳答案

如果您使用 CA 签名证书,并按照 https://docs.datastax.com/en/cassandra-oss/3.0/cassandra/configuration/secureSSLCertWithCA.html 生成证书文件,cqlshrc中使用的cert文件是rootCa.crt。

这是一个例子:

[connection]
port = 9042
factory = cqlshlib.ssl.ssl_transport_factory

[ssl]
certfile = /var/tmp/rootCa.crt
validate = true
userkey = /var/tmp/rootCa.key  ;<<<<< optional for 2 way SSL only
usercert = /var/tmp/rootCa.crt  ;<<<< optional for 2 way SSL only

关于java - Cassandra 需要_client_auth : true problem,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/60832374/

上一篇:authentication - 如何在 Elixir 中的进程之间建立经过身份验证的链接?

下一篇:reactjs - 创建 React App - 无法获取本地颁发者证书

相关文章:

java - 将时间重置为午夜会减去一天

java - 在java中使用.jar程序复制目录

ssl - 如何使用 HTTPS 运行 Playframework 应用程序?

cassandra - 为什么不让每个节点都成为种子节点

java - 选择特定父级的所有复选框

java - 将数组列表转换为 json 对象字符串

.htaccess - 使用 htaccess 从特定文件夹中删除 SSL 集成

java - Oracle JDBC 瘦驱动程序 SSL

java - 如何在 java 中的 Cassandra 中注释/使用复合分区键?

linux - cassandra 已死,但 pid 文件存在于亚马逊 centos 6 上

©2024 IT工具网  联系我们