Spring Boot 1.4.1 SSL trustAnchors exception

I am running Spring Boot microservices inside Docker containers (docker-compose) for testing. I recently tried to upgrade from Spring Boot 1.4.0 to 1.4.1 (also tried 1.4.2), but the services fail to start with

InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty.

I have no problems running Spring Boot 1.4.0. The Dockerfile used for one of the services is given below (some sensitive values have been replaced); 1.4.2 was tried as well, with the same result.

The same behaviour occurs when I run the service from the command line with all the environment variables and Java parameters listed in the Dockerfile below.

Here is an excerpt from the log:

 2016-11-10 08:10:06.645 ERROR [sbsa-account-om-service,,,] 1 --- [ main] o.apache.catalina.core.StandardService : Failed to start connector [Connector[HTTP/1.1-8762]]
 org.apache.catalina.LifecycleException: Failed to start component [Connector[HTTP/1.1-8762]]
     at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:167) ~[tomcat-embed-core-8.5.5.jar!/:8.5.5]
     at org.apache.catalina.core.StandardService.addConnector(StandardService.java:225) ~[tomcat-embed-core-8.5.5.jar!/:8.5.5]
     at org.springframework.boot.context.embedded.tomcat.TomcatEmbeddedServletContainer.addPreviouslyRemovedConnectors(TomcatEmbeddedServletContainer.java:233) [spring-boot-1.4.1.RELEASE.jar!/:1.4.1.RELEASE]
     at org.springframework.boot.context.embedded.tomcat.TomcatEmbeddedServletContainer.start(TomcatEmbeddedServletContainer.java:178) [spring-boot-1.4.1.RELEASE.jar!/:1.4.1.RELEASE]
     at org.springframework.boot.context.embedded.EmbeddedWebApplicationContext.startEmbeddedServletContainer(EmbeddedWebApplicationContext.java:297) [spring-boot-1.4.1.RELEASE.jar!/:1.4.1.RELEASE]
     at org.springframework.boot.context.embedded.EmbeddedWebApplicationContext.finishRefresh(EmbeddedWebApplicationContext.java:145) [spring-boot-1.4.1.RELEASE.jar!/:1.4.1.RELEASE]
     at org.springframework.context.support.AbstractApplicationContext.refresh(AbstractApplicationContext.java:544) [spring-context-4.3.3.RELEASE.jar!/:4.3.3.RELEASE]
     at org.springframework.boot.context.embedded.EmbeddedWebApplicationContext.refresh(EmbeddedWebApplicationContext.java:122) [spring-boot-1.4.1.RELEASE.jar!/:1.4.1.RELEASE]
     at org.springframework.boot.SpringApplication.refresh(SpringApplication.java:761) [spring-boot-1.4.1.RELEASE.jar!/:1.4.1.RELEASE]
     at org.springframework.boot.SpringApplication.refreshContext(SpringApplication.java:371) [spring-boot-1.4.1.RELEASE.jar!/:1.4.1.RELEASE]
     at org.springframework.boot.SpringApplication.run(SpringApplication.java:315) [spring-boot-1.4.1.RELEASE.jar!/:1.4.1.RELEASE]
     at org.springframework.boot.SpringApplication.run(SpringApplication.java:1186) [spring-boot-1.4.1.RELEASE.jar!/:1.4.1.RELEASE]
     at org.springframework.boot.SpringApplication.run(SpringApplication.java:1175) [spring-boot-1.4.1.RELEASE.jar!/:1.4.1.RELEASE]
     at com.sbg.om.services.SbsaAccountOmServiceApplication.main(SbsaAccountOmServiceApplication.java:24) [classes!/:0.0.1-SNAPSHOT]
     at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[na:1.8.0_11]
     at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) ~[na:1.8.0_11]
     at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[na:1.8.0_11]
     at java.lang.reflect.Method.invoke(Method.java:483) ~[na:1.8.0_11]
     at org.springframework.boot.loader.MainMethodRunner.run(MainMethodRunner.java:48) [app.jar:0.0.1-SNAPSHOT]
     at org.springframework.boot.loader.Launcher.launch(Launcher.java:87) [app.jar:0.0.1-SNAPSHOT]
     at org.springframework.boot.loader.Launcher.launch(Launcher.java:50) [app.jar:0.0.1-SNAPSHOT]
     at org.springframework.boot.loader.JarLauncher.main(JarLauncher.java:58) [app.jar:0.0.1-SNAPSHOT]
 Caused by: org.apache.catalina.LifecycleException: service.getName(): "Tomcat"; Protocol handler start failed
     at org.apache.catalina.connector.Connector.startInternal(Connector.java:976) ~[tomcat-embed-core-8.5.5.jar!/:8.5.5]
     at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:150) ~[tomcat-embed-core-8.5.5.jar!/:8.5.5]
     ... 21 common frames omitted
 Caused by: java.lang.IllegalArgumentException: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty
     at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:103) ~[tomcat-embed-core-8.5.5.jar!/:8.5.5]
     at org.apache.tomcat.util.net.AbstractJsseEndpoint.initialiseSsl(AbstractJsseEndpoint.java:81) ~[tomcat-embed-core-8.5.5.jar!/:8.5.5]
     at org.apache.tomcat.util.net.NioEndpoint.bind(NioEndpoint.java:244) ~[tomcat-embed-core-8.5.5.jar!/:8.5.5]
     at org.apache.tomcat.util.net.AbstractEndpoint.start(AbstractEndpoint.java:874) ~[tomcat-embed-core-8.5.5.jar!/:8.5.5]
     at org.apache.coyote.AbstractProtocol.start(AbstractProtocol.java:590) ~[tomcat-embed-core-8.5.5.jar!/:8.5.5]
     at org.apache.catalina.connector.Connector.startInternal(Connector.java:969) ~[tomcat-embed-core-8.5.5.jar!/:8.5.5]
     ... 22 common frames omitted
 Caused by: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty
     at java.security.cert.PKIXParameters.setTrustAnchors(PKIXParameters.java:200) ~[na:1.8.0_11]
     at java.security.cert.PKIXParameters.<init>(PKIXParameters.java:157) ~[na:1.8.0_11]
     at java.security.cert.PKIXBuilderParameters.<init>(PKIXBuilderParameters.java:130) ~[na:1.8.0_11]
     at org.apache.tomcat.util.net.jsse.JSSEUtil.getParameters(JSSEUtil.java:341) ~[tomcat-embed-core-8.5.5.jar!/:8.5.5]
     at org.apache.tomcat.util.net.jsse.JSSEUtil.getTrustManagers(JSSEUtil.java:273) ~[tomcat-embed-core-8.5.5.jar!/:8.5.5]
     at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:101) ~[tomcat-embed-core-8.5.5.jar!/:8.5.5]
     ... 27 common frames omitted
 2016-11-10 08:10:06.691 INFO [sbsa-account-om-service,,,] 1 --- [ main] o.apache.catalina.core.StandardService : Stopping service Tomcat

Dockerfile:

 FROM webdizz/centos-java8
 VOLUME /tmp
 ADD <app name>.jar app.jar
 ADD smoke-test.trust.jks /smoke-test.trust.jks

 # Environment vars for SSL keystore + truststore
 ENV security_x509_orgUnit=<org unit>
 ENV server_ssl_enabled="true"
 ENV security_sessions="stateless"
 ENV security_headers_hsts="all"
 ENV server_ssl_ciphers="TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA"
 ENV server_ssl_protocol="TLS"
 ENV server_ssl_keyStore="/smoke-test.trust.jks"
 ENV server_ssl_keyStorePassword=<password>
 ENV server_ssl_keyStoreType="JKS"
 ENV server_ssl_keyAlias=<alias>
 ENV server_ssl_keyPassword=<password>
 ENV ribbon_ReadTimeout="60000"
 ENV ribbon_IsSecure="true"
 ENV ribbon_IsHostnameValidationRequired="true"
 ENV ribbon_KeyStore="/smoke-test.trust.jks"
 ENV ribbon_KeyStorePassword=<password>
 ENV security_requireSsl="true"
 ENV server_ssl_trustStore="/smoke-test.trust.jks"
 ENV server_ssl_trustStorePassword=<password>
 ENV server_ssl_trustStoreType="JKS"
 ENV server_ssl_clientAuth="need"
 ENV ribbon_TrustStore="/smoke-test.trust.jks"
 ENV ribbon_TrustStorePassword=<password>
 ENV ribbon_IsClientAuthRequired="true"
 ENV PCI_CIPHER_KEY=<key>
 ENV liquibase_contexts=<context>

 # run actual Java app
 RUN sh -c 'touch /app.jar'
 EXPOSE 8762
 EXPOSE 9997
 ENTRYPOINT ["java", \
   "-Djavax.net.ssl.trustStore=/smoke-test.trust.jks", \
   "-Djavax.net.ssl.trustStorePassword=<password>", \
   "-Djavax.net.ssl.trustStoreType=JKS", \
   "-Djavax.net.debug=ssl", \
   "-Dspring.profiles.active=testing", \
   "-Dom.security.enabled=true", \
   "-Dmanagement.security.enabled=true", \
   "-Dom.security.x509.subjectPrincipalRegex=OU=(.*?)(?:,|$)", \
   "-Dom.security.x509.roleConfiguration[0].roleNames[0]=<roleName>", \
   "-Dom.security.x509.roleConfiguration[0].searchValues[0]=<value>", \
   "-Dom.security.orderedPathRestrictions[0].pattern='/**'", \
   "-Dom.security.orderedPathRestrictions[0].roles=<role>", \
   "-Dom.security.orderedPathRestrictions[0].csrfDisabled=true", \
   "-Xdebug", \
   "-agentlib:jdwp=transport=dt_socket,address=9997,server=y,suspend=n", \
   "-Dserver.port=8762", \
   "-Deureka.instance.non-secure-port=0", \
   "-Deureka.instance.secure-port=8762", \
   "-Deureka.instance.hostname=<name>", \
   "-Deureka.instance.nonSecurePortEnabled=false", \
   "-Deureka.instance.securePortEnabled=true", \
   "-Deureka.client.serviceUrl.defaultZone=<URL>", \
   "-Dspring.application.name=sbsa-account-om-service", \
   "-Deureka.instance.secureVirtualHostName=<name>", \
   "-Djava.security.egd=file:/dev/./urandom", \
   "-jar", \
   "/app.jar"]

Edit: this is not the same problem as the one described in the linked trustAnchors question, because my problem comes from going from Spring Boot version 1.4.0 to 1.4.1. The only change is the Boot version; all the other configuration, which worked under Spring Boot 1.4.0, has remained unchanged.

It turned out that as of Spring Boot 1.4.1 the underlying Tomcat version has moved up to 8.5.6, which now does not accept any certificate type other than

 Entry type: trustedCertEntry 

I was using a self-signed certificate of type:

 Entry type: PrivateKeyEntry 

After regenerating the certificate, everything started working normally again.