Ssl 如何正确导入此远程服务器证书（.crt文件），以便从WSO2 ESB应用程序执行HTTPS请求？

我是WSO2 ESB的新手，我正在疯狂地尝试从已实现的API正确实现HTTPS POST调用。似乎我有一些与SSL证书相关的问题无法解决

因此，基本上我有以下情况：

从我的bash shell中，我可以对HTTPS上公开的远程Web服务执行CURL调用，并将其证书传递到相关的.crt文件中。我从Firefox中导出了该证书文件：

$ curl --cacert 52708968.crt https://XX.YY.ZZ.WW/myProject/xml/manager
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   129  100   129    0     0    201      0 --:--:-- --:--:-- --:--:--   201<?xml version="1.0" encoding="UTF-8"?>
<response><error>XML document does not appear to begin with "&lt;?xml"</error></response>

但这样做会产生以下错误：

在执行CURL调用的shell中，我获得此超时：

$ curl -v http://localhost:8280/registerResource/registerResource/
* timeout on name lookup is not supported
*   Trying ::1...
* TCP_NODELAY set
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0*   Trying 127.0.0.1...
* TCP_NODELAY set
* Connected to localhost (127.0.0.1) port 8280 (#0)
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0> GET /registerResource/registerResource/ HTTP/1.1
> Host: localhost:8280
> User-Agent: curl/7.53.0
> Accept: */*
>
  0     0    0     0    0     0      0      0 --:--:--  0:03:00 --:--:--     0* Empty reply from server
  0     0    0     0    0     0      0      0 --:--:--  0:03:00 --:--:--     0
* Connection #0 to host localhost left intact
curl: (52) Empty reply from server

2在WSO2 ESB控制台中，我获得以下异常：

[2017-03-13 12:24:31,276]  INFO - LogMediator message = "Welcome to Resource Registration Service"
[2017-03-13 12:24:31,284]  INFO - TimeoutHandler This engine will expire all callbacks after GLOBAL_TIMEOUT: 120 seconds, irrespective of the timeout action, after the specified or optional timeout
[2017-03-13 12:24:31,564] ERROR - TargetHandler I/O error: handshake alert:  unrecognized_name
javax.net.ssl.SSLProtocolException: handshake alert:  unrecognized_name
    at sun.security.ssl.ClientHandshaker.handshakeAlert(Unknown Source)
    at sun.security.ssl.SSLEngineImpl.recvAlert(Unknown Source)
    at sun.security.ssl.SSLEngineImpl.readRecord(Unknown Source)
    at sun.security.ssl.SSLEngineImpl.readNetRecord(Unknown Source)
    at sun.security.ssl.SSLEngineImpl.unwrap(Unknown Source)
    at javax.net.ssl.SSLEngine.unwrap(Unknown Source)
    at org.apache.http.nio.reactor.ssl.SSLIOSession.doUnwrap(SSLIOSession.java:245)
    at org.apache.http.nio.reactor.ssl.SSLIOSession.doHandshake(SSLIOSession.java:280)
    at org.apache.http.nio.reactor.ssl.SSLIOSession.isAppInputReady(SSLIOSession.java:410)
    at org.apache.http.impl.nio.reactor.AbstractIODispatch.inputReady(AbstractIODispatch.java:119)
    at org.apache.http.impl.nio.reactor.BaseIOReactor.readable(BaseIOReactor.java:159)
    at org.apache.http.impl.nio.reactor.AbstractIOReactor.processEvent(AbstractIOReactor.java:338)
    at org.apache.http.impl.nio.reactor.AbstractIOReactor.processEvents(AbstractIOReactor.java:316)
    at org.apache.http.impl.nio.reactor.AbstractIOReactor.execute(AbstractIOReactor.java:277)
    at org.apache.http.impl.nio.reactor.BaseIOReactor.execute(BaseIOReactor.java:105)
    at org.apache.http.impl.nio.reactor.AbstractMultiworkerIOReactor$Worker.run(AbstractMultiworkerIOReactor.java:586)
    at java.lang.Thread.run(Unknown Source)
[2017-03-13 12:24:31,603]  WARN - EndpointContext Endpoint : QueryWsEP with address https://XX.YY.ZZ.WW/MYPROJECT/xml/manager will be marked SUSPENDED as it failed
[2017-03-13 12:24:31,604]  WARN - EndpointContext Suspending endpoint : QueryWsEP with address https://XX.YY.ZZ.WW/MYPROJECT/xml/manager - current suspend duration is : 30000ms - Next retry after : Mon Mar 13 12:25:01 CET 2017
[2017-03-13 12:27:31,317]  WARN - SourceHandler Connection time out after request is read: http-incoming-1 Socket Timeout : 180000 Remote Address : /127.0.0.1:52188

因此，我找到了本教程：

这只是说将-djse.enableSNIExtension=false添加到JVM属性中。因此，我将其添加到Eclipse服务器设置的服务器VM参数中：

再次执行CURL调用以执行ESB应用程序流，现在我获得了以下不同的异常：

[2017-03-14 13:05:58,883]  INFO - LogMediator message = "Welcome to Resource Registration Service"
[2017-03-14 13:05:58,891]  INFO - TimeoutHandler This engine will expire all callbacks after GLOBAL_TIMEOUT: 120 seconds, irrespective of the timeout action, after the specified or optional timeout
[2017-03-14 13:06:03,788] ERROR - TargetHandler I/O error: General SSLEngine problem
javax.net.ssl.SSLHandshakeException: General SSLEngine problem
    at sun.security.ssl.Handshaker.checkThrown(Unknown Source)
    at sun.security.ssl.SSLEngineImpl.checkTaskThrown(Unknown Source)
    at sun.security.ssl.SSLEngineImpl.writeAppRecord(Unknown Source)
    at sun.security.ssl.SSLEngineImpl.wrap(Unknown Source)
    at javax.net.ssl.SSLEngine.wrap(Unknown Source)
    at org.apache.http.nio.reactor.ssl.SSLIOSession.doWrap(SSLIOSession.java:237)
    at org.apache.http.nio.reactor.ssl.SSLIOSession.doHandshake(SSLIOSession.java:271)
    at org.apache.http.nio.reactor.ssl.SSLIOSession.isAppInputReady(SSLIOSession.java:410)
    at org.apache.http.impl.nio.reactor.AbstractIODispatch.inputReady(AbstractIODispatch.java:119)
    at org.apache.http.impl.nio.reactor.BaseIOReactor.readable(BaseIOReactor.java:159)
    at org.apache.http.impl.nio.reactor.AbstractIOReactor.processEvent(AbstractIOReactor.java:338)
    at org.apache.http.impl.nio.reactor.AbstractIOReactor.processEvents(AbstractIOReactor.java:316)
    at org.apache.http.impl.nio.reactor.AbstractIOReactor.execute(AbstractIOReactor.java:277)
    at org.apache.http.impl.nio.reactor.BaseIOReactor.execute(BaseIOReactor.java:105)
    at org.apache.http.impl.nio.reactor.AbstractMultiworkerIOReactor$Worker.run(AbstractMultiworkerIOReactor.java:586)
    at java.lang.Thread.run(Unknown Source)
Caused by: javax.net.ssl.SSLHandshakeException: General SSLEngine problem
    at sun.security.ssl.Alerts.getSSLException(Unknown Source)
    at sun.security.ssl.SSLEngineImpl.fatal(Unknown Source)
    at sun.security.ssl.Handshaker.fatalSE(Unknown Source)
    at sun.security.ssl.Handshaker.fatalSE(Unknown Source)
    at sun.security.ssl.ClientHandshaker.serverCertificate(Unknown Source)
    at sun.security.ssl.ClientHandshaker.processMessage(Unknown Source)
    at sun.security.ssl.Handshaker.processLoop(Unknown Source)
    at sun.security.ssl.Handshaker$1.run(Unknown Source)
    at sun.security.ssl.Handshaker$1.run(Unknown Source)
    at java.security.AccessController.doPrivileged(Native Method)
    at sun.security.ssl.Handshaker$DelegatedTask.run(Unknown Source)
    at org.apache.http.nio.reactor.ssl.SSLIOSession.doRunTask(SSLIOSession.java:255)
    at org.apache.http.nio.reactor.ssl.SSLIOSession.doHandshake(SSLIOSession.java:293)
    ... 9 more
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.validator.PKIXValidator.doBuild(Unknown Source)
    at sun.security.validator.PKIXValidator.engineValidate(Unknown Source)
    at sun.security.validator.Validator.validate(Unknown Source)
    at sun.security.ssl.X509TrustManagerImpl.validate(Unknown Source)
    at sun.security.ssl.X509TrustManagerImpl.checkTrusted(Unknown Source)
    at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(Unknown Source)
    ... 18 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.provider.certpath.SunCertPathBuilder.build(Unknown Source)
    at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(Unknown Source)
    at java.security.cert.CertPathBuilder.build(Unknown Source)
    ... 24 more
[2017-03-14 13:06:03,815]  WARN - EndpointContext Endpoint : QueryWsEP with address https://XX.YY.ZZ.WW/MYPROJECT/xml/manager will be marked SUSPENDED as it failed
[2017-03-14 13:06:03,816]  WARN - EndpointContext Suspending endpoint : QueryWsEP with address https://XX.YY.ZZ.WW/MYPROJECT/xml/manager - current suspend duration is : 30000ms - Next retry after : Tue Mar 14 13:06:33 CET 2017

似乎是与证书相关的东西…因为它找不到证书…所以我想：好的，在第一个CURL请求中，您已经手动将此证书添加到52708968.crt文件中，我还必须将此证书添加到WSO2 ESB服务器中

因此，我访问WSO2 ESB管理面板并：

1 Keystore->List，在这里我可以找到wso2carbon.jks文件：

2然后我单击导入证书按钮，将我的52708968.crt添加到此密钥库，我已完成：

3因此，此证书似乎已正确添加到我的密钥库中，事实上，现在我可以在证书列表中看到：

因此，应该导入通过HTTPS连接到外部web服务的证书

4我重新启动了服务器，并再次执行启动WSO2 ESB应用程序执行流的请求：

curl -v http://localhost:8280/registerResource/registerResource/

但我仍然获得了之前的例外

---

怎么可能呢？证书设置在密钥库中。怎么了？我错过了什么？如何尝试解决此问题？

尝试将证书导入：

[WSO2_HOME]/repository/resources/security/client-truststore.jks
[WSO2_HOME]/repository/resources/security/wso2carbon.jks

使用：

keytool -importcert -file $path/your_certificate.cer -keystore client-truststore.jks -alias "youralias"

keytool -importcert -file $path/your_certificate.cer -keystore wso2carbon.jks -alias "youralias"

---

我到底要做什么？我必须在我的控制台中执行这两个操作？疑问：1你提到的你的证书是什么？是我的52708968.crt文件还是其他文件？2我该用什么来代替你的别名？3这两个statmens到底是做什么的？TNX使用这两种语句，您可以在密钥库中导入远程证书…别名可以是任何名称，而_certificate.cer是cer格式的证书，请尝试使用.crt任何方式…是，您可以在windows或linux控制台中执行…keytool随jdk/jremmm一起提供，我尝试执行keytool-importcert-file 52708968.crt-keystore client-truststore.jks-alias registerWS，但它要求我输入密钥库密码。我丢失了一些东西，但是这个密码是什么？它是在创建一个新的密钥库，所以我可能需要插入一个新密码还是一个现有的密钥库？默认密码=wso2carbon

[WSO2_HOME]/repository/resources/security/client-truststore.jks
[WSO2_HOME]/repository/resources/security/wso2carbon.jks

keytool -importcert -file $path/your_certificate.cer -keystore client-truststore.jks -alias "youralias"

keytool -importcert -file $path/your_certificate.cer -keystore wso2carbon.jks -alias "youralias"