Performing client authentication against a server with gRPC in Java (using only a CA)
Tags: java, ssl, kubernetes, grpc, ca
I'm trying to create a client in Java using gRPC. I've been given access to a kubernetes namespace to test the client against. However, all I have is the cluster's certificate authority and a bearer token:
apiVersion: v1
clusters:
- cluster:
    certificate-authority: /etc/ssl/certs/devwat-dal13-cruiser15-ca-bundle.pem
    server: https://<host-ip>:<port>
  name: devwat-dal13-cruiser15
contexts:
- context:
    cluster: devwat-dal13-cruiser15
    namespace: interns
    user: devwat-dal13-cruiser15-sa-interns-editor
  name: devwat-dal13-cruiser15-interns
current-context: devwat-dal13-cruiser15-interns
kind: Config
preferences: {}
users:
- name: devwat-dal13-cruiser15-sa-interns-editor
  user:
    token: <token>
The pod is of type ClusterIP and is being port-forwarded on port 8443 to localhost.

Error

When I run this, I get the following stack trace:
SEVERE: Exception has occurred:
io.grpc.stub.ClientCalls.toStatusRuntimeException(ClientCalls.java:210)
io.grpc.StatusRuntimeException: UNAVAILABLE
at io.grpc.stub.ClientCalls.toStatusRuntimeException(ClientCalls.java:210)
at io.grpc.stub.ClientCalls.getUnchecked(ClientCalls.java:191)
at io.grpc.stub.ClientCalls.blockingUnaryCall(ClientCalls.java:124)
at grpc.trainer.v2.TrainerGrpc$TrainerBlockingStub.getAllTrainingsJobs(TrainerGrpc.java:695)
at me.mikeygulati.grpc.TrainerClient.getAllTrainingsJobs(TrainerClient.java:70)
at me.mikeygulati.grpc.TrainerClient.main(TrainerClient.java:138)
Caused by: javax.net.ssl.SSLHandshakeException: General OpenSslEngine problem
at io.netty.handler.ssl.ReferenceCountedOpenSslContext$AbstractCertificateVerifier.verify(ReferenceCountedOpenSslContext.java:648)
at io.netty.internal.tcnative.SSL.readFromSSL(Native Method)
at io.netty.handler.ssl.ReferenceCountedOpenSslEngine.readPlaintextData(ReferenceCountedOpenSslEngine.java:482)
at io.netty.handler.ssl.ReferenceCountedOpenSslEngine.unwrap(ReferenceCountedOpenSslEngine.java:1020)
at io.netty.handler.ssl.ReferenceCountedOpenSslEngine.unwrap(ReferenceCountedOpenSslEngine.java:1127)
at io.netty.handler.ssl.SslHandler$SslEngineType$1.unwrap(SslHandler.java:210)
at io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1215)
at io.netty.handler.ssl.SslHandler.decodeJdkCompatible(SslHandler.java:1127)
at io.netty.handler.ssl.SslHandler.decode(SslHandler.java:1162)
at io.netty.handler.codec.ByteToMessageDecoder.decodeRemovalReentryProtection(ByteToMessageDecoder.java:489)
at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:428)
at io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:265)
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:362)
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:348)
at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:340)
at io.netty.channel.DefaultChannelPipeline$HeadContext.channelRead(DefaultChannelPipeline.java:1359)
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:362)
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:348)
at io.netty.channel.DefaultChannelPipeline.fireChannelRead(DefaultChannelPipeline.java:935)
at io.netty.channel.nio.AbstractNioByteChannel$NioByteUnsafe.read(AbstractNioByteChannel.java:134)
at io.netty.channel.nio.NioEventLoop.processSelectedKey(NioEventLoop.java:645)
at io.netty.channel.nio.NioEventLoop.processSelectedKeysOptimized(NioEventLoop.java:580)
at io.netty.channel.nio.NioEventLoop.processSelectedKeys(NioEventLoop.java:497)
at io.netty.channel.nio.NioEventLoop.run(NioEventLoop.java:459)
at io.netty.util.concurrent.SingleThreadEventExecutor$5.run(SingleThreadEventExecutor.java:858)
at io.netty.util.concurrent.DefaultThreadFactory$DefaultRunnableDecorator.run(DefaultThreadFactory.java:138)
at java.lang.Thread.run(Thread.java:748)
Caused by: java.security.cert.CertificateException: No name matching localhost found
at sun.security.util.HostnameChecker.matchDNS(HostnameChecker.java:231)
at sun.security.util.HostnameChecker.match(HostnameChecker.java:96)
at sun.security.ssl.X509TrustManagerImpl.checkIdentity(X509TrustManagerImpl.java:455)
at sun.security.ssl.X509TrustManagerImpl.checkIdentity(X509TrustManagerImpl.java:436)
at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:252)
at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:136)
at io.netty.handler.ssl.ReferenceCountedOpenSslClientContext$ExtendedTrustManagerVerifyCallback.verify(ReferenceCountedOpenSslClientContext.java:221)
at io.netty.handler.ssl.ReferenceCountedOpenSslContext$AbstractCertificateVerifier.verify(ReferenceCountedOpenSslContext.java:644)
... 26 more
Jul 24, 2018 10:52:05 AM me.mikeygulati.grpc.TrainerClient main
From what I've seen online, this happens because the Common Name on the CA doesn't match the hostname, which in my case is localhost. I tried using override authority so that it matches the Common Name in the CA, but I got the same error, so I'm fairly sure this isn't the right approach. I feel like I should have been given a client certificate and a client key along with the kubernetes cluster, but I wasn't, and I'd like to ask whether there's something wrong with what I'm doing.

Found the answer
My company has a client certificate (client.crt) that I should have used instead of the CA. When I used that certificate instead of the certificate authority, the error went away. Just know that for the server's SSL certificate to be considered valid, the server's CN must match the hostname, and the issuer's certificate (the CA) needs to be trusted.
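To show how the pieces in the question and the answer fit together in grpc-java, here is an added example (not the poster's code and not from the gRPC project): the CA bundle goes into the trust manager (who may have signed the server certificate), a client certificate and key go into the key manager (the identity the client presents), the bearer token from the kubeconfig travels as an "authorization" header, and overrideAuthority tells the TLS layer which name to expect in the server certificate when the socket is a localhost port-forward. The file paths, the server name "devwat-dal13-cruiser15", the K8S_TOKEN environment variable and the class name are assumptions; the generated TrainerGrpc stub from the stack trace is referenced only in a comment.

```java
import io.grpc.CallCredentials;
import io.grpc.ManagedChannel;
import io.grpc.Metadata;
import io.grpc.Status;
import io.grpc.netty.GrpcSslContexts;
import io.grpc.netty.NettyChannelBuilder;
import io.netty.handler.ssl.SslContext;

import java.io.File;
import java.util.concurrent.Executor;

/**
 * Builds a TLS gRPC channel to a server reached via `kubectl port-forward`
 * on localhost:8443. Hypothetical example: paths and names are placeholders.
 */
public final class TlsChannelFactory {

    private TlsChannelFactory() {}

    /** Server authentication only: trust the cluster CA bundle, present no client certificate. */
    public static SslContext serverAuthOnly(File caBundlePem) throws Exception {
        return GrpcSslContexts.forClient()
                .trustManager(caBundlePem) // CA(s) allowed to have signed the server certificate
                .build();
    }

    /** Mutual TLS: trust the CA and also present client.crt / client.key as our identity. */
    public static SslContext mutualTls(File caBundlePem, File clientCertPem, File clientKeyPem)
            throws Exception {
        return GrpcSslContexts.forClient()
                .trustManager(caBundlePem)
                .keyManager(clientCertPem, clientKeyPem) // client identity, not a trust anchor
                .build();
    }

    /**
     * The server certificate is checked against the channel authority, not the socket
     * address. Through a port-forward the socket is "localhost", which is why the
     * handshake fails with "No name matching localhost found". overrideAuthority sets
     * the name that must appear in the server certificate's SAN/CN; verification
     * against the CA stays fully enabled.
     */
    public static ManagedChannel channel(SslContext ssl, String serverNameInCert) {
        return NettyChannelBuilder.forAddress("localhost", 8443)
                .sslContext(ssl)
                .useTransportSecurity()
                .overrideAuthority(serverNameInCert)
                .build();
    }

    /** Attaches the kubeconfig bearer token as an "authorization" header on every call. */
    public static CallCredentials bearer(String token) {
        return new CallCredentials() {
            @Override
            public void applyRequestMetadata(RequestInfo info, Executor exec, MetadataApplier applier) {
                exec.execute(() -> {
                    try {
                        Metadata headers = new Metadata();
                        headers.put(Metadata.Key.of("authorization", Metadata.ASCII_STRING_MARSHALLER),
                                "Bearer " + token);
                        applier.apply(headers);
                    } catch (RuntimeException e) {
                        applier.fail(Status.UNAUTHENTICATED.withCause(e));
                    }
                });
            }

            @Override
            public void thisUsesUnstableApi() {}
        };
    }

    public static void main(String[] args) throws Exception {
        File ca = new File("/etc/ssl/certs/cluster-ca-bundle.pem"); // placeholder path
        SslContext ssl = serverAuthOnly(ca);
        // Placeholder: the DNS name actually present in the server certificate.
        ManagedChannel ch = channel(ssl, "devwat-dal13-cruiser15");
        // With the generated stub from the page's proto (not included here):
        // TrainerGrpc.newBlockingStub(ch)
        //         .withCallCredentials(bearer(System.getenv("K8S_TOKEN")))
        //         .getAllTrainingsJobs(request);
        ch.shutdownNow();
    }
}
```

The distinction the answer draws is visible in the two builders: a CA bundle only ever belongs in trustManager, and a client certificate plus its private key only in keyManager; passing one where the other is expected does not authenticate anything. If the port-forwarded endpoint still fails after overrideAuthority, check which names the server certificate actually carries (for example with `openssl s_client -connect localhost:8443 -servername <name>` followed by `openssl x509 -noout -text`) rather than loosening verification with an insecure trust manager, which would turn the CA check off entirely.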