java - 使用 Lets Encrypt SSL 证书保护 Netty 服务器
问题描述
我有一个 RESTful netty 服务器,它将向请求的用户提供一些数据。我想使用 Let's Encrypt 生成的 SSL 证书来保护此服务器。
我目前有这个用于我的 ChannelInitializer,其中 CHAIN_FILE 是对 fullchain.pem 的文件引用,PRIVATE_FILE 是对 privkey.pem 的文件引用。
ChannelPipeline pipeline = channel.pipeline();
SslContext sslContext = SslContextBuilder.forServer(CHAIN_FILE, PRIVATE_FILE).build();
pipeline.addLast("ssl", sslContext.newHandler(channel.alloc()));
pipeline.addLast(new HttpServerCodec()); // A combination of HttpRequestDecoder and HttpResponseEncoder which enables easier server side HTTP implementation.
pipeline.addLast(new HttpObjectAggregator(Integer.MAX_VALUE)); // Aggregates HttpMessage and HttpContents into a single FullHttpResponse/FullHttpRequest
pipeline.addLast(new HttpServerHandler()); // Handles incoming HttpRequests
每当我尝试向服务器发出请求时,我都会收到错误消息:
[io.netty.channel.DefaultChannelPipeline] An exceptionCaught() event was fired, and it reached at the tail of the pipeline. It usually means the last handler in the pipeline did not handle the exception.
io.netty.handler.codec.DecoderException: io.netty.handler.ssl.NotSslRecordException: not an SSL/TLS record: 474554202f20485454502f312e310d0a486f73743a206c6f63616c686f73740d0a436f6e6e656374696f6e3a206b6565702d616c6976650d0a43616368652d436f6e74726f6c3a206d61782d6167653d300d0a7365632d63682d75613a2022476f6f676c65204368726f6d65223b763d223839222c20224368726f6d69756d223b763d223839222c20223b4e6f742041204272616e64223b763d223939220d0a7365632d63682d75612d6d6f62696c653a203f300d0a557067726164652d496e7365637572652d52657175657374733a20310d0a557365722d4167656e743a204d6f7a696c6c612f352e30202857696e646f7773204e542031302e303b2057696e36343b2078363429204170706c655765624b69742f3533372e333620284b48544d4c2c206c696b65204765636b6f29204368726f6d652f38392e302e343338392e313134205361666172692f3533372e33360d0a4163636570743a20746578742f68746d6c2c6170706c69636174696f6e2f7868746d6c2b786d6c2c6170706c69636174696f6e2f786d6c3b713d302e392c696d6167652f617669662c696d6167652f776562702c696d6167652f61706e672c2a2f2a3b713d302e382c6170706c69636174696f6e2f7369676e65642d65786368616e67653b763d62333b713d302e390d0a5365632d46657463682d536974653a206e6f6e650d0a5365632d46657463682d4d6f64653a206e617669676174650d0a5365632d46657463682d557365723a203f310d0a5365632d46657463682d446573743a20646f63756d656e740d0a4163636570742d456e636f64696e673a20677a69702c206465666c6174652c2062720d0a4163636570742d4c616e67756167653a20656e2d55532c656e3b713d302e390d0a436f6f6b69653a20696f3d414e444b736c6953336c6374366a4b47414141430d0a0d0a
at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:471) ~[PaperSpigot.jar:git-Paper-449]
at io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:276) ~[PaperSpigot.jar:git-Paper-449]
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:379) ~[PaperSpigot.jar:git-Paper-449]
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:365) ~[PaperSpigot.jar:git-Paper-449]
at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:357) ~[PaperSpigot.jar:git-Paper-449]
at io.netty.channel.DefaultChannelPipeline$HeadContext.channelRead(DefaultChannelPipeline.java:1410) ~[PaperSpigot.jar:git-Paper-449]
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:379) ~[PaperSpigot.jar:git-Paper-449]
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:365) ~[PaperSpigot.jar:git-Paper-449]
at io.netty.channel.DefaultChannelPipeline.fireChannelRead(DefaultChannelPipeline.java:919) ~[PaperSpigot.jar:git-Paper-449]
at io.netty.channel.nio.AbstractNioByteChannel$NioByteUnsafe.read(AbstractNioByteChannel.java:163) ~[PaperSpigot.jar:git-Paper-449]
at io.netty.channel.nio.NioEventLoop.processSelectedKey(NioEventLoop.java:714) ~[PaperSpigot.jar:git-Paper-449]
at io.netty.channel.nio.NioEventLoop.processSelectedKeysOptimized(NioEventLoop.java:650) ~[PaperSpigot.jar:git-Paper-449]
at io.netty.channel.nio.NioEventLoop.processSelectedKeys(NioEventLoop.java:576) ~[PaperSpigot.jar:git-Paper-449]
at io.netty.channel.nio.NioEventLoop.run(NioEventLoop.java:493) ~[PaperSpigot.jar:git-Paper-449]
at io.netty.util.concurrent.SingleThreadEventExecutor$4.run(SingleThreadEventExecutor.java:989) ~[PaperSpigot.jar:git-Paper-449]
at io.netty.util.internal.ThreadExecutorMap$2.run(ThreadExecutorMap.java:74) ~[PaperSpigot.jar:git-Paper-449]
at io.netty.util.concurrent.FastThreadLocalRunnable.run(FastThreadLocalRunnable.java:30) ~[PaperSpigot.jar:git-Paper-449]
at java.lang.Thread.run(Thread.java:834) [?:?]
Caused by: io.netty.handler.ssl.NotSslRecordException: not an SSL/TLS record: 474554202f20485454502f312e310d0a486f73743a206c6f63616c686f73740d0a436f6e6e656374696f6e3a206b6565702d616c6976650d0a43616368652d436f6e74726f6c3a206d61782d6167653d300d0a7365632d63682d75613a2022476f6f676c65204368726f6d65223b763d223839222c20224368726f6d69756d223b763d223839222c20223b4e6f742041204272616e64223b763d223939220d0a7365632d63682d75612d6d6f62696c653a203f300d0a557067726164652d496e7365637572652d52657175657374733a20310d0a557365722d4167656e743a204d6f7a696c6c612f352e30202857696e646f7773204e542031302e303b2057696e36343b2078363429204170706c655765624b69742f3533372e333620284b48544d4c2c206c696b65204765636b6f29204368726f6d652f38392e302e343338392e313134205361666172692f3533372e33360d0a4163636570743a20746578742f68746d6c2c6170706c69636174696f6e2f7868746d6c2b786d6c2c6170706c69636174696f6e2f786d6c3b713d302e392c696d6167652f617669662c696d6167652f776562702c696d6167652f61706e672c2a2f2a3b713d302e382c6170706c69636174696f6e2f7369676e65642d65786368616e67653b763d62333b713d302e390d0a5365632d46657463682d536974653a206e6f6e650d0a5365632d46657463682d4d6f64653a206e617669676174650d0a5365632d46657463682d557365723a203f310d0a5365632d46657463682d446573743a20646f63756d656e740d0a4163636570742d456e636f64696e673a20677a69702c206465666c6174652c2062720d0a4163636570742d4c616e67756167653a20656e2d55532c656e3b713d302e390d0a436f6f6b69653a20696f3d414e444b736c6953336c6374366a4b47414141430d0a0d0a
at io.netty.handler.ssl.SslHandler.decodeJdkCompatible(SslHandler.java:1246) ~[PaperSpigot.jar:git-Paper-449]
at io.netty.handler.ssl.SslHandler.decode(SslHandler.java:1314) ~[PaperSpigot.jar:git-Paper-449]
at io.netty.handler.codec.ByteToMessageDecoder.decodeRemovalReentryProtection(ByteToMessageDecoder.java:501) ~[PaperSpigot.jar:git-Paper-449]
at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:440) ~[PaperSpigot.jar:git-Paper-449]
... 17 more
我是网络服务器的新手,所以我真的只能想到两件事:
- 我将 SslContextBuilder#forServer 传递给完全错误的事情。如果是这样,我需要通过什么
- 我在某处读到这可能意味着 http 与 https 不匹配。
我可能不需要首先保护它,但我想了解为什么它会失败,因为我将来很可能会遇到类似的事情。提前致谢。
编辑:
Concision 的建议是正确的。我的客户没有通过 HTTPS 请求。该请求现在被接受并正确返回结果,但由于出现新错误,连接仍然不安全:
[04:43:38 WARN]: [io.netty.channel.DefaultChannelPipeline] An exceptionCaught() event was fired, and it reached at the tail of the pipeline. It usually means the last handler in the pipeline did not handle the exception.
io.netty.handler.codec.DecoderException: javax.net.ssl.SSLHandshakeException: Received fatal alert: certificate_unknown
at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:471) ~[PaperSpigot.jar:git-Paper-449]
at io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:276) ~[PaperSpigot.jar:git-Paper-449]
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:379) ~[PaperSpigot.jar:git-Paper-449]
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:365) ~[PaperSpigot.jar:git-Paper-449]
at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:357) ~[PaperSpigot.jar:git-Paper-449]
at io.netty.channel.DefaultChannelPipeline$HeadContext.channelRead(DefaultChannelPipeline.java:1410) ~[PaperSpigot.jar:git-Paper-449]
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:379) ~[PaperSpigot.jar:git-Paper-449]
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:365) ~[PaperSpigot.jar:git-Paper-449]
at io.netty.channel.DefaultChannelPipeline.fireChannelRead(DefaultChannelPipeline.java:919) ~[PaperSpigot.jar:git-Paper-449]
at io.netty.channel.epoll.AbstractEpollStreamChannel$EpollStreamUnsafe.epollInReady(AbstractEpollStreamChannel.java:792) ~[PaperSpigot.jar:git-Paper-449]
at io.netty.channel.epoll.EpollEventLoop.processReady(EpollEventLoop.java:475) ~[PaperSpigot.jar:git-Paper-449]
at io.netty.channel.epoll.EpollEventLoop.run(EpollEventLoop.java:378) ~[PaperSpigot.jar:git-Paper-449]
at io.netty.util.concurrent.SingleThreadEventExecutor$4.run(SingleThreadEventExecutor.java:989) ~[PaperSpigot.jar:git-Paper-449]
at io.netty.util.internal.ThreadExecutorMap$2.run(ThreadExecutorMap.java:74) ~[PaperSpigot.jar:git-Paper-449]
at io.netty.util.concurrent.FastThreadLocalRunnable.run(FastThreadLocalRunnable.java:30) ~[PaperSpigot.jar:git-Paper-449]
at java.lang.Thread.run(Thread.java:834) [?:?]
Caused by: javax.net.ssl.SSLHandshakeException: Received fatal alert: certificate_unknown
at sun.security.ssl.Alert.createSSLException(Alert.java:131) ~[?:?]
at sun.security.ssl.Alert.createSSLException(Alert.java:117) ~[?:?]
at sun.security.ssl.TransportContext.fatal(TransportContext.java:337) ~[?:?]
at sun.security.ssl.Alert$AlertConsumer.consume(Alert.java:293) ~[?:?]
at sun.security.ssl.TransportContext.dispatch(TransportContext.java:186) ~[?:?]
at sun.security.ssl.SSLTransport.decode(SSLTransport.java:171) ~[?:?]
at sun.security.ssl.SSLEngineImpl.decode(SSLEngineImpl.java:681) ~[?:?]
at sun.security.ssl.SSLEngineImpl.readRecord(SSLEngineImpl.java:636) ~[?:?]
at sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:454) ~[?:?]
at sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:433) ~[?:?]
at javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:637) ~[?:?]
at io.netty.handler.ssl.SslHandler$SslEngineType$3.unwrap(SslHandler.java:282) ~[PaperSpigot.jar:git-Paper-449]
at io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1372) ~[PaperSpigot.jar:git-Paper-449]
at io.netty.handler.ssl.SslHandler.decodeJdkCompatible(SslHandler.java:1267) ~[PaperSpigot.jar:git-Paper-449]
at io.netty.handler.ssl.SslHandler.decode(SslHandler.java:1314) ~[PaperSpigot.jar:git-Paper-449]
at io.netty.handler.codec.ByteToMessageDecoder.decodeRemovalReentryProtection(ByteToMessageDecoder.java:501) ~[PaperSpigot.jar:git-Paper-449]
at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:440) ~[PaperSpigot.jar:git-Paper-449]
... 15 more
这让我相信我传递给 SslContextBuilder#forServer() 的参数是完全错误的。我目前只是传递 letencrypt 为我生成的原始 cert.pem 和 privkey.pem 文件。
解决方案
犯了几个愚蠢的错误:
一方面,我的服务器仍然指向端口 80 (HTTP) 而不是 443 (HTTPS)。此外,我传递 fullchain.pem 而不是 cert.pem 作为 #forServer 方法的第一个参数。
正如简洁所说,第一个错误是由于我的客户试图通过 HTTP 而不是 HTTPS 发出请求
推荐阅读
- photoshop-script - 选择在 Photoshop Scripts 中保存文件的位置
- android-studio - 缩放保存在 android 设备上的图像
- python - 如何从 REST API 下载 JSON 数据集
- python - 有什么解决方案可以解决这个问题吗?
- google-bigquery - 使用 Python API 客户端在 BigQuery 中上传 UDF
- bash - Bash 脚本不会在输入命令时退出
- r - 将函数应用于数据框所有列的每列因子
- javascript - 根据索引删除数组元素
- ajax - 在 WordPress 中通过 AJAX 加载 PAGE 内容
- asp.net-core-mvc - 内联编辑数据表。ASP.NET 核心 MVC