Fatal编程技术网
  • ssl/
  • SSL在用框架导致';通用斯伦金问题和#x27;(nginx)

SSL在用框架导致';通用斯伦金问题和#x27;(nginx)

ssl nginx playframework

SSL在用框架导致';通用斯伦金问题和#x27;(nginx),ssl,nginx,playframework,Ssl,Nginx,Playframework,我有一个由2台服务器组成的服务器结构:一台是包含内容的主服务器,另一台是运行Play的Scala服务器,负责用户管理,包括社交登录(fb、tw、g+)。两台服务器使用相同的通配符SSL证书 我最近将主服务器从Apache切换到nginx,出于某种原因,Scala服务器抱怨SSL不匹配(这在Apache下从来都不是问题) 当我尝试登录时,我从Play中得到以下错误: [error] s.c.ProviderController - Unable to log user in. An excepti

我有一个由2台服务器组成的服务器结构:一台是包含内容的主服务器,另一台是运行Play的Scala服务器,负责用户管理,包括社交登录(fb、tw、g+)。两台服务器使用相同的通配符SSL证书

我最近将主服务器从Apache切换到nginx,出于某种原因,Scala服务器抱怨SSL不匹配(这在Apache下从来都不是问题)

当我尝试登录时,我从Play中得到以下错误:

[error] s.c.ProviderController - Unable to log user in. An exception was thrown
java.net.ConnectException: General SSLEngine problem to https://www.example.com/login/corsValid
    at com.ning.http.client.providers.netty.NettyConnectListener.operationComplete(NettyConnectListener.java:103) ~[async-http-client.jar:na]
    at org.jboss.netty.channel.DefaultChannelFuture.notifyListener(DefaultChannelFuture.java:427) ~[netty.jar:na]
    at org.jboss.netty.channel.DefaultChannelFuture.notifyListeners(DefaultChannelFuture.java:413) ~[netty.jar:na]
    at org.jboss.netty.channel.DefaultChannelFuture.setFailure(DefaultChannelFuture.java:380) ~[netty.jar:na]
    at org.jboss.netty.handler.ssl.SslHandler.setHandshakeFailure(SslHandler.java:1417) ~[netty.jar:na]
    at org.jboss.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1293) ~[netty.jar:na]
Caused by: javax.net.ssl.SSLHandshakeException: General SSLEngine problem
    at sun.security.ssl.Handshaker.checkThrown(Handshaker.java:1290) ~[na:1.7.0_51]
    at sun.security.ssl.SSLEngineImpl.checkTaskThrown(SSLEngineImpl.java:513) ~[na:1.7.0_51]
    at sun.security.ssl.SSLEngineImpl.readNetRecord(SSLEngineImpl.java:793) ~[na:1.7.0_51]
    at sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:761) ~[na:1.7.0_51]
    at javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:624) ~[na:1.7.0_51]
    at org.jboss.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1225) ~[netty.jar:na]
Caused by: javax.net.ssl.SSLHandshakeException: General SSLEngine problem
    at sun.security.ssl.Alerts.getSSLException(Alerts.java:192) ~[na:1.7.0_51]
    at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1694) ~[na:1.7.0_51]
    at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:278) ~[na:1.7.0_51]
    at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:270) ~[na:1.7.0_51]
    at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1341) ~[na:1.7.0_51]
    at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:153) ~[na:1.7.0_51]
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:385) ~[na:1.7.0_51]
    at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:292) ~[na:1.7.0_51]
    at sun.security.validator.Validator.validate(Validator.java:260) ~[na:1.7.0_51]
    at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:326) ~[na:1.7.0_51]
    at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:283) ~[na:1.7.0_51]
    at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:138) ~[na:1.7.0_51]
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:196) ~[na:1.7.0_51]
    at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:268) ~[na:1.7.0_51]
    at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:380) ~[na:1.7.0_51]
    at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:292) ~[na:1.7.0_51]
    at sun.security.validator.Validator.validate(Validator.java:260) ~[na:1.7.0_51]
    at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:326) ~[na:1.7.0_51]
我跟踪了这个问题,发现
application.conf
需要为正在使用的SSL证书提供正确的参数。我创建了一个JKS和P12证书,并将其包含在conf文件中,但仍然出现了这个错误。(可能走错了路?也试过了…)

然而,当我添加
ws.acceptAnyCertificate=true
时,一切都很好,但这显然是一个安全漏洞,我不想做什么

为什么安装SSL证书如此痛苦

谢谢

我认为Play主要是一个应用程序框架,而不是一个web服务器

我们的play应用程序始终与Nginx web服务器(在DMZ中)进行不安全的通信,SSL/TLS通信通过Nginx终止。通过这种设计,如果您的Play应用程序是无状态的,您可以实现负载平衡

然后,如果需要,将自定义http头中的所有内容从Nginx转发到后端(例如客户端认证)进行验证

proxy_set_header APP-Cert-Verified $ssl_client_verify;
proxy_set_header APP-Client-Cert $ssl_client_cert;
proxy_set_header APP-Client-Cert-DN $ssl_client_s_dn;
您也可以在官方文档中找到:

奖励:如果证书过期,您可以在nginx中更轻松地更改证书,而不是重新启动您的Play应用程序

proxy_set_header APP-Cert-Verified $ssl_client_verify;
proxy_set_header APP-Client-Cert $ssl_client_cert;
proxy_set_header APP-Client-Cert-DN $ssl_client_s_dn;