Jetty 11.使用godaddy证书安全连接失败

编程问答 2022-04-30

问题描述

我正在尝试使用 Godaddy 证书来创建安全的 http 连接。

首先,我使用自签名证书测试了我的代码并且工作正常,但是当我尝试使用来自 Godaddy 的证书时,我在 Firefox 上有一个 SSL_ERROR_HANDSHAKE_FAILURE_ALERT,在 Chrome 中有一个 ERR_SSL_PROTOCOL_ERROR。没有例外。没有错误日志。没有消息。

Secure Connection Failed

An error occurred during a connection to servername.com:8443. SSL peer was unable to negotiate an acceptable set of security parameters.

Error code: SSL_ERROR_HANDSHAKE_FAILURE_ALERT

    The page you are trying to view cannot be shown because the authenticity of the received data Could not be verified.
    Please contact the website owners to inform them of this problem.

异常前的调试日志:

[server-33] DEBUG org.eclipse.jetty.util.thread.QueuedThreadPool  - Runner started for QueuedThreadPool[server]@33e5ccce{STARTED,8<=12<=200,i=0,r=-1,q=0}[ReservedThreadExecutor@627551fb{s=1/16,p=0}]
[server-22] DEBUG org.eclipse.jetty.io.socketChannelEndPoint  - Key interests updated 1 -> 0 on SocketChannelEndPoint@2e9703df{l=/127.0.1.1:8443,r=/127.0.0.1:41822,OPEN,fill=FI,flush=-,to=4/30000}{io=0/0,kio=0,kro=1}->SslConnection@1008464{NOT_HANDSHAKING,eio=-1/-1,di=-1,fill=INTERESTED,flush=IDLE}~>DecryptedEndPoint@38876f9b{l=/127.0.1.1:8443,to=4/30000}=>httpconnection@1ae6359c[p=HttpParser{s=START,0 of -1},g=HttpGenerator@c862f5c{s=START}]=>HttpChanneloverHttp@525f5018{s=HttpChannelState@3f48616b{s=IDLE rs=BLOCKING os=OPEN is=IDLE awp=false se=false i=true al=0},r=0,c=false/false,a=IDLE,uri=null,age=0}
[server-22] DEBUG org.eclipse.jetty.io.ManagedSelector  - Selector sun.nio.ch.EPollSelectorImpl@3fc1893b waiting with 1 keys
[server-33] DEBUG org.eclipse.jetty.util.thread.QueuedThreadPool  - run SocketChannelEndPoint@2e9703df{l=/127.0.1.1:8443,to=5/30000}=>httpconnection@1ae6359c[p=HttpParser{s=START,age=0}:runFillable:BLOCKING in QueuedThreadPool[server]@33e5ccce{STARTED,p=0}]
[server-33] DEBUG org.eclipse.jetty.io.FillInterest  - fillable FillInterest@6d28095a{SSLC.NBReadCB@1008464{SslConnection@1008464::SocketChannelEndPoint@2e9703df{l=/127.0.1.1:8443,age=0}}}
[server-33] DEBUG org.eclipse.jetty.io.ssl.SslConnection  - >c.onFillable SslConnection@1008464::SocketChannelEndPoint@2e9703df{l=/127.0.1.1:8443,fill=-,to=5/30000}{io=0/0,age=0}
[server-33] DEBUG org.eclipse.jetty.io.ssl.SslConnection  - onFillable SslConnection@1008464::SocketChannelEndPoint@2e9703df{l=/127.0.1.1:8443,to=6/30000}=>httpconnection@1ae6359c[p=HttpParser{s=START,age=0}
[server-33] DEBUG org.eclipse.jetty.io.FillInterest  - fillable FillInterest@66f8bebc{AC.ReadCB@1ae6359c{httpconnection@1ae6359c::DecryptedEndPoint@38876f9b{l=/127.0.1.1:8443,to=6/30000}}}
[server-33] DEBUG org.eclipse.jetty.server.httpconnection  - httpconnection@1ae6359c::DecryptedEndPoint@38876f9b{l=/127.0.1.1:8443,to=6/30000} onFillable enter HttpChannelState@3f48616b{s=IDLE rs=BLOCKING os=OPEN is=IDLE awp=false se=false i=true al=0} null
[server-33] DEBUG org.eclipse.jetty.io.ssl.SslConnection  - >fill SslConnection@1008464::SocketChannelEndPoint@2e9703df{l=/127.0.1.1:8443,fill=IDLE,age=0}
[server-33] DEBUG org.eclipse.jetty.io.ssl.SslConnection  - fill NOT_HANDSHAKING
[server-33] DEBUG org.eclipse.jetty.io.socketChannelEndPoint  - filled 517 HeapByteBuffer@7a6e94fa[p=0,l=517,c=17408,r=517]={<<<\x16\x03\x01\x02\x00\x01\x00\x01\xFc\x03\x03\xCc\xB0>\x1f8"\xCf\xD6-^m\x04\xC0\xC3...\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00>>>\x00\x00\x00\x00\x00\x00\x00\x00\x00...\x00\x00\x00\x00\x00\x00\x00}
[server-33] DEBUG org.eclipse.jetty.io.ssl.SslConnection  - net filled=517
[server-33] DEBUG org.eclipse.jetty.io.ssl.SslConnection  - fill starting handshake SslConnection@1008464::SocketChannelEndPoint@2e9703df{l=/127.0.1.1:8443,to=0/30000}{io=0/0,eio=517/-1,to=7/30000}=>httpconnection@1ae6359c[p=HttpParser{s=START,age=0}
[server-33] DEBUG org.eclipse.jetty.io.ssl.SslConnection  - unwrap net_filled=517 Status = OK HandshakeStatus = NEED_TASK bytesConsumed = 517 bytesProduced = 0 encryptedBuffer=[p=517,r=0] unwrapBuffer=DirectByteBuffer@73daf2e[p=0,l=0,r=0]={<<<>>>\x00\x00\x00\x00\x00\x00\x00\x00\x00...\x00\x00\x00\x00\x00\x00\x00} appBuffer=DirectByteBuffer@73daf2e[p=0,r=0]={<<<>>>\x00\x00\x00\x00\x00\x00\x00\x00\x00...\x00\x00\x00\x00\x00\x00\x00}
[server-33] DEBUG org.eclipse.jetty.io.ssl.SslConnection  - fill NEED_TASK
[server-33] DEBUG org.eclipse.jetty.util.ssl.SslContextFactory  - SNI matching for type=host_name (0),value=hayquecomer.com
[server-33] DEBUG org.eclipse.jetty.util.ssl.SslContextFactory  - SNI host name hayquecomer.com
[server-33] DEBUG org.eclipse.jetty.util.ssl.SniX509ExtendedKeyManager  - Chose explicit alias null/EC on sun.security.ssl.SSLEngineImpl@3dd0a710
[server-33] DEBUG org.eclipse.jetty.util.ssl.SniX509ExtendedKeyManager  - Chose explicit alias null/EC on sun.security.ssl.SSLEngineImpl@3dd0a710
[server-33] DEBUG org.eclipse.jetty.util.ssl.SniX509ExtendedKeyManager  - Chose explicit alias null/EC on sun.security.ssl.SSLEngineImpl@3dd0a710
[server-33] DEBUG org.eclipse.jetty.util.ssl.SniX509ExtendedKeyManager  - Chose explicit alias null/RSA on sun.security.ssl.SSLEngineImpl@3dd0a710
[server-33] DEBUG org.eclipse.jetty.util.ssl.SniX509ExtendedKeyManager  - Chose explicit alias null/RSA on sun.security.ssl.SSLEngineImpl@3dd0a710
[server-33] DEBUG org.eclipse.jetty.util.ssl.SniX509ExtendedKeyManager  - Chose explicit alias null/RSA on sun.security.ssl.SSLEngineImpl@3dd0a710
[server-33] DEBUG org.eclipse.jetty.util.ssl.SniX509ExtendedKeyManager  - Chose explicit alias null/RSA on sun.security.ssl.SSLEngineImpl@3dd0a710
[server-33] DEBUG org.eclipse.jetty.util.ssl.SniX509ExtendedKeyManager  - Chose explicit alias null/RSA on sun.security.ssl.SSLEngineImpl@3dd0a710
[server-33] DEBUG org.eclipse.jetty.util.ssl.SniX509ExtendedKeyManager  - Chose explicit alias null/RSA on sun.security.ssl.SSLEngineImpl@3dd0a710
[server-33] DEBUG org.eclipse.jetty.util.ssl.SniX509ExtendedKeyManager  - Chose explicit alias null/EC on sun.security.ssl.SSLEngineImpl@3dd0a710
[server-33] DEBUG org.eclipse.jetty.util.ssl.SniX509ExtendedKeyManager  - Chose explicit alias null/RSA on sun.security.ssl.SSLEngineImpl@3dd0a710
[server-33] DEBUG org.eclipse.jetty.io.ssl.SslConnection  - fill NEED_WRAP
[server-33] DEBUG org.eclipse.jetty.io.ssl.SslConnection  - >flush SslConnection@1008464::SocketChannelEndPoint@2e9703df{l=/127.0.1.1:8443,to=31/30000}{io=0/0,kro=1}->SslConnection@1008464{NEED_WRAP,eio=0/-1,to=39/30000}=>httpconnection@1ae6359c[p=HttpParser{s=START,age=0}
[server-33] DEBUG org.eclipse.jetty.io.ssl.SslConnection  - flush b[0]=HeapByteBuffer@3335b1d9[p=0,c=0,r=0]={<<<>>>}
[server-33] DEBUG org.eclipse.jetty.io.ssl.SslConnection  - flush NEED_WRAP
[server-33] DEBUG org.eclipse.jetty.io.ssl.SslConnection  - DecryptedEndPoint@38876f9b{l=/127.0.1.1:8443,to=39/30000} stored flush exception
javax.net.ssl.SSLHandshakeException: No available authentication scheme
    at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:131)
    at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:117)
    at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:311)
    at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:267)
    at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:258)
    at java.base/sun.security.ssl.CertificateMessage$T13CertificateProducer.onProduceCertificate(CertificateMessage.java:955)
    at java.base/sun.security.ssl.CertificateMessage$T13CertificateProducer.produce(CertificateMessage.java:944)
    at java.base/sun.security.ssl.SSLHandshake.produce(SSLHandshake.java:440)
    at java.base/sun.security.ssl.ClientHello$T13ClientHelloConsumer.goServerHello(ClientHello.java:1252)
    at java.base/sun.security.ssl.ClientHello$T13ClientHelloConsumer.consume(ClientHello.java:1188)
    at java.base/sun.security.ssl.ClientHello$ClientHelloConsumer.onClientHello(ClientHello.java:851)
    at java.base/sun.security.ssl.ClientHello$ClientHelloConsumer.consume(ClientHello.java:812)
    at java.base/sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:396)
    at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:444)
    at java.base/sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction.run(SSLEngineImpl.java:1260)
    at java.base/sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction.run(SSLEngineImpl.java:1247)
    at java.base/java.security.AccessController.doPrivileged(AccessController.java:691)
    at java.base/sun.security.ssl.SSLEngineImpl$DelegatedTask.run(SSLEngineImpl.java:1192)
    at org.eclipse.jetty.io.ssl.SslConnection$DecryptedEndPoint.fill(SslConnection.java:627)
    at org.eclipse.jetty.server.httpconnection.fillRequestBuffer(httpconnection.java:354)
    at org.eclipse.jetty.server.httpconnection.onFillable(httpconnection.java:265)
    at org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(AbstractConnection.java:324)
    at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:105)
    at org.eclipse.jetty.io.ssl.SslConnection$DecryptedEndPoint.onFillable(SslConnection.java:528)
    at org.eclipse.jetty.io.ssl.SslConnection.onFillable(SslConnection.java:377)
    at org.eclipse.jetty.io.ssl.SslConnection$2.succeeded(SslConnection.java:163)
    at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:105)
    at org.eclipse.jetty.io.socketChannelEndPoint$1.run(SocketChannelEndPoint.java:106)
    at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:894)
    at org.eclipse.jetty.util.thread.QueuedThreadPool$Runner.run(QueuedThreadPool.java:1038)
    at java.base/java.lang.Thread.run(Thread.java:830)

我使用以下命令创建了密钥库:

keytool -import -alias intermediate -trustcacerts -file gd_bundle-g2-g1.crt -keystore main.keystore -storetype jks
keytool -import -alias main -trustcacerts -file 4331e701f4d1b69.crt -keystore main.keystore

在绝望的时刻还尝试了:

keytool -import -alias main -trustcacerts -file 4331e701f4d1b69.pem -keystore main.keystore


openssl crl2pkcs7 -nocrl -certfile 4331e701f4d1b69.crt -out 4331e701f4d1b69.p7b -certfile gd_bundle-g2-g1.crt
keytool -import -alias main -trustcacerts -file 4331e701f4d1b69.p7b -keystore main.keystore

命令:

keytool -list -v -keystore main.keystore

命令显示两个键:

Keystore type: JKS
Keystore provider: SUN

Your keystore contains 2 entries

Alias name: intermediate
Creation date: May 26,2021
Entry type: trustedCertEntry
...
Signature algorithm name: SHA256withRSA
Subject Public Key Algorithm: 2048-bit RSA key
Version: 3

Extensions: 
...
Alias name: main
Creation date: May 26,2021
Entry type: trustedCertEntry
...
Subject Public Key Algorithm: 2048-bit RSA key
Version: 3

Extensions: 
...

我的代码使用自签名证书。我只更改文件名:

  public void start() throws ServerException,FileNotFoundException {
    QueuedThreadPool threadPool = new QueuedThreadPool();
    threadPool.setName("server");
    server = new Server(threadPool);
    HttpConfiguration httpConfig = new HttpConfiguration();
    httpConfig.addCustomizer(new SecureRequestCustomizer(false));
    httpconnectionFactory http11 = new httpconnectionFactory(httpConfig);
    SslContextFactory.Server sslContextFactory = new SslContextFactory.Server();
    File file = new File("/home/esteban/.../ssl/main.keystore");
    if (!file.exists()) {
      throw new FileNotFoundException(file.toString());
    }

    sslContextFactory.setKeyStorePath(file.toString());
    sslContextFactory.setKeyStorePassword("password");

    SslConnectionFactory tls = new SslConnectionFactory(sslContextFactory,http11.getProtocol());
    ServerConnector connector = new ServerConnector(server,tls,http11);
    connector.setPort(8443);
    server.addConnector(connector);
    server.setHandler(new AbstractHandler() {
      @Override
      public void handle(String target,Request jettyRequest,HttpServletRequest request,HttpServletResponse response) throws IOException {
        response.getWriter().print("nada");
        jettyRequest.setHandled(true);
        response.setStatus(200);
        response.setHeader("X-URL",request.getRequestURI());
        response.setHeader("X-HOST",request.getServerName());
      }
    });

    try {
      server.start();
    } catch (Exception e) {
      throw new ServerException(e);
    }
  }

我确实尝试在我的计算机上使用 /etc/hosts 以获得正确的主机名并在远程服务器上获得相同的结果。

我没有更多想法。我需要一些新鲜的。

解决方法

暂无找到可以解决该程序问题的有效方法,小编努力寻找整理中!

如果你已经找到好的解决方法,欢迎将解决方案带上本链接一起发送给小编。

小编邮箱:dio#foxmail.com (将#修改为@)

javajavajettyssl