在Docker构build文件中使用自定义Cert设置Jetty Runner
我目前正在创build一个Docker文件来构build我们的java应用程序,而且我遇到了一个问题,就是不得不使用自定义的.cert键来使用logstash-logback-forwarder来loginSSL,而webapp本身也需要做SSL连接(连接到SOAP SSL)。 事情是,我可以loginSSL,并且Web应用程序可以安全地使用SOAP API(它始终能够做到这一点),但是我不能同时做到这一点。
对于初学者来说,这里是我的docker构build文件的相关部分
ADD logstash-forwarder.crt /root/logstash-forwarder.crt RUN (cd /root && /usr/java/latest/bin/keytool -import -file logstash-forwarder.crt -alias logstash -storepass SOMEPASS -noprompt -keystore logstash.keystore) 这添加了crt文件,然后使用keytool导入到keyStore中。 我正在使用logstash-logback-forwarder,它使用标准的SSLSocketFactory (即https://github.com/logstash/logstash-logback-encoder/blob/master/src/main/java/net/logstash/logback/appender/ SSLLogstashTcpSocketAppender.java )
然后我运行我的java网站(通过jetty-webrunner),使用这个命令
CMD java -Dlogback.configurationFile=/root/logback.xml \ -Djavax.net.ssl.keyStorePassword=SOMEPASS \ -Djavax.net.ssl.keyStoreType=pkcs12 \ -Djavax.net.ssl.trustStoreType=jks \ -Djavax.net.ssl.trustStore=logstash.keystore \ -Djavax.net.ssl.trustStorePassword=SOMEPASS \ -server -ea -XX:+UseConcMarkSweepGC \ -XX:+CMSClassUnloadingEnabled \ -Xmx2048M -jar jetty-runner-9.2.3.v20140905.jar \ --port 8080 \ --lib "/root/lib" \ --config jetty.xml \ jetty-web.xml
现在使用以下命令,安全日志logging在SSL上正常工作,问题是,webapp不再能够安全地连接到它需要使用的SOAP API,我得到以下错误(提供了java stacktrace)
AxisFault faultCode: {http://schemas.xmlsoap.org/soap/envelope/}Server.userException faultSubcode: faultString: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target faultActor: faultNode: faultDetail: {http://xml.apache.org/axis/}stackTrace:javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target at sun.security.ssl.Alerts.getSSLException(Alerts.java:192) at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1917) at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:301) at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:295) at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1471) at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:212) at sun.security.ssl.Handshaker.processLoop(Handshaker.java:936) at sun.security.ssl.Handshaker.process_record(Handshaker.java:871) at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1043) at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1343) at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1371) at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1355) at org.apache.axis.components.net.JSSESocketFactory.create(JSSESocketFactory.java:186) at org.apache.axis.transport.http.HTTPSender.getSocket(HTTPSender.java:191) at org.apache.axis.transport.http.HTTPSender.writeToSocket(HTTPSender.java:404) at org.apache.axis.transport.http.HTTPSender.invoke(HTTPSender.java:138) at org.apache.axis.strategies.InvocationStrategy.visit(InvocationStrategy.java:32) at org.apache.axis.SimpleChain.doVisiting(SimpleChain.java:118) at org.apache.axis.SimpleChain.invoke(SimpleChain.java:83) at org.apache.axis.client.AxisClient.invoke(AxisClient.java:165) at org.apache.axis.client.Call.invokeEngine(Call.java:2784) at org.apache.axis.client.Call.invoke(Call.java:2767) at org.apache.axis.client.Call.invoke(Call.java:2443) at org.apache.axis.client.Call.invoke(Call.java:2366) at org.apache.axis.client.Call.invoke(Call.java:1812)
现在显然,如果我完全删除SSL(显然日志将停止工作),这样做
CMD java -Dlogback.configurationFile=/root/logback.xml \ -server -ea -XX:+UseConcMarkSweepGC \ -XX:+CMSClassUnloadingEnabled \ -Xmx2048M -jar jetty-runner-9.2.3.v20140905.jar \ --port 8080 \ --lib "/root/lib" \ --config jetty.xml \ jetty-web.xml
通过轴的SOAP apis工作正常,但SSL日志logging没有。 我知道你可以使用keytool来组合keystores,但是我不知道该如何去做(比用大多数非java应用程序倾向于做的单个标志来传递.crt文件要复杂得多)。 你将如何导入.keystore,使其正常工作(以及等效的docker命令是什么?)
服务器正在运行JDK 8