SSL handshake failure between IBM Liberty and Cloudant
I am running an IBM Liberty server (on IBM Containers) over https with a self-signed certificate (described in server.xml). I am connecting to an IBM Cloudant database for my database needs. Everything worked fine before I switched the Liberty server to https. I get the following exception:
[ERROR ] CWPKI0022E: SSL HANDSHAKE FAILURE: A signer with SubjectDN CN=*.cloudant.com, O="Cloudant, Inc.", L=Boston, ST=Massachusetts, C=US was sent from the target host. The signer might need to be added to local trust store /opt/ibm/wlp/output/defaultServer/resources/security/key.jks, located in SSL configuration alias defaultSSLConfig. The extended error message from the SSL handshake exception is: PKIX path building failed: java.security.cert.CertPathBuilderException: PKIXCertPathBuilderImpl could not build a valid CertPath.; internal cause is:
java.security.cert.CertPathValidatorException: The certificate issued by CN=DigiCert High Assurance EV Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US is not trusted; internal cause is:
java.security.cert.CertPathValidatorException: Certificate chaining error
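I followed the documentation here and imported the Cloudant certificate generated by openssl s_client -connect cloudant.com:443 -showcerts > cloudant.cert into the Liberty truststore, but this did not solve the problem.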
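Any help is much appreciated.

Try: openssl s_client -connect xxxxx-bluemix.cloudant.com:443, where xxxxx-bluemix.cloudant.com refers to your Bluemix Cloudant service instance.
You can get the service instance domain by launching the Cloudant dashboard in Bluemix from the Cloudant service instance. Click the API tab in the upper right corner.

I realized this mistake very late, but this helped solve the problem.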
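The certificates for cloudant.com, bluemix.cloudant.com and xxxxx-bluemix.cloudant.com are all different, and I had to use xxxxx-bluemix.cloudant.com. Also, I had another problem: my default trust store location, /opt/ibm/wlp/output/defaultServer/resources/security/key.jks, did not exist until I generated a self-signed certificate in the Dockerfile with the securityUtility createSSLCertificate Liberty utility. So this has to be done before importing the Bluemix Cloudant certificate.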
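
The order described in the answers above (key.jks must exist first, then the certificates served by the instance host are imported), as an added shell example that is not part of the original posts. The function names are hypothetical, the sample s_client output is constructed, and the keystore password is supplied by the caller.

```bash
# Added example (hypothetical function names), not code from the page.

# Constructed stand-in for `openssl s_client -showcerts` output; the base64
# bodies are placeholders, not real certificates.
sample_showcerts() {
  cat <<'EOF'
CONNECTED(00000003)
---
Certificate chain
 0 s:CN=leaf.example (constructed)
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQ=
-----END CERTIFICATE-----
 1 s:CN=issuer.example (constructed)
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQ=
-----END CERTIFICATE-----
---
EOF
}

# Write each certificate in file $1 to $2/cert-N.pem and print how many were found.
split_showcerts() {
  awk -v dir="$2" '
    /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/cert-" n ".pem"; inside = 1 }
    inside { print > out }
    /-----END CERTIFICATE-----/ { inside = 0; close(out) }
    END { print n + 0 }
  ' "$1"
}

# Import $3/cert-*.pem as trusted signers into keystore $1 (password $2).
# Returns 2 without calling keytool when the keystore is missing: per the
# answer, key.jks only exists after securityUtility createSSLCertificate ran.
import_signers() {
  if [ ! -f "$1" ]; then
    echo "missing $1: run securityUtility createSSLCertificate first" >&2
    return 2
  fi
  for pem in "$3"/cert-*.pem; do
    keytool -importcert -noprompt -alias "cloudant-$(basename "$pem" .pem)" \
      -file "$pem" -keystore "$1" -storepass "$2" || return 1
  done
}

# Usage with the page's path and placeholder host:
#   openssl s_client -connect xxxxx-bluemix.cloudant.com:443 -showcerts </dev/null > cloudant.cert
#   split_showcerts cloudant.cert /tmp/certs   # /tmp/certs must already exist
#   import_signers /opt/ibm/wlp/output/defaultServer/resources/security/key.jks "$PASS" /tmp/certs
```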