[Experience sharing] User + Apache + Weblogic SSL authentication

Posted on 2017-1-2 11:42:56

These past few days I helped a colleague solve an expired SSL certificate problem; while working through it I learned quite a bit and exercised my own reasoning.

1. Commands to generate the Weblogic Server certificate
keytool -genkey -alias weblogic -keyalg RSA -keysize 1024 -dname "CN=10.10.10.12,OU=testing,O=mingtian,L=beijing,S=beijing,C=CN" -keypass 111111 -keystore ./weblogic.jks -storepass 111111
REM The 1024-bit RSA key above and the MD5withRSA request signature below are obsolete by current standards and are rejected by today's CAs and clients; they are kept here exactly as the poster used them
keytool -certreq -alias weblogic -sigalg "MD5withRSA" -file ./certreq.pem -keypass 111111 -keystore ./weblogic.jks -storepass 111111
echo Use certreq.pem to request the server certificate
echo Copy the server certificate (server.cer) and the root certificate (root.cer) into this directory
pause
REM Add the CA to the list of CAs Java trusts
keytool -import -alias root -trustcacerts -file ./root.cer -keystore ./weblogic.jks -storepass 111111
REM Import the server's certificate file
REM Note: importing under a new alias adds a trusted-certificate entry; the "weblogic" key entry keeps whatever certificate it already carries (check with keytool -list -v)
keytool -import -alias server -trustcacerts -file ./server.cer -keypass 111111 -keystore ./weblogic.jks -storepass 111111
REM Create a separate trust store; without -alias or -dname keytool prompts for the distinguished name interactively
keytool -genkey -keystore "cacerts" -storepass 111111 -keyalg RSA
keytool -import -alias root -trustcacerts -file ./root.cer -keystore ./cacerts -storepass 111111
copy weblogic.jks weblogictrust.jks

2. Generate the Apache certificate as follows
openssl genrsa -out server.key 1024
openssl req -config openssl.cfg -new -key server.key -out server.csr
Use server.csr to request a server certificate, download it in BASE64 format and name it server.cer
Download the CA certificate in BASE64 format and name it ca.cer
del server.csr

3. SSL authentication relationships
1) User and Apache: mutual (two-way) authentication
2) Apache and Weblogic: one-way authentication

4. The problem
Apache now never trusts Weblogic; the error log is as follows

================New Request: [GET //usim/NumberUsageStat!default.action HTTP/1.1] =================
Thu Apr 14 08:51:05 2011 <5047130274226520> INFO: SSL is configured
Thu Apr 14 08:51:05 2011 <5047130274226520> INFO: SSL configured successfully
Thu Apr 14 08:51:05 2011 <5047130274226520> Using Uri //usim/NumberUsageStat!default.action
Thu Apr 14 08:51:05 2011 <5047130274226520> After trimming path: '//usim/NumberUsageStat!default.action'
Thu Apr 14 08:51:05 2011 <5047130274226520> The final request string is '//usim/NumberUsageStat!default.action'
Thu Apr 14 08:51:05 2011 <5047130274226520> SEARCHING id=[10.1.252.123:9002] from current ID=[10.1.252.123:9001]
Thu Apr 14 08:51:05 2011 <5047130274226520> SEARCHING id=[10.1.252.123:9002] from current ID=[10.1.252.123:9002]
Thu Apr 14 08:51:05 2011 <5047130274226520> The two ids matched
Thu Apr 14 08:51:05 2011 <5047130274226520> @@@FOUND...id=[10.1.252.123:9002], server_name=[218.206.191.83], server_port=[443]
Thu Apr 14 08:51:05 2011 <5047130274226520> attempt #0 out of a max of 5
Thu Apr 14 08:51:05 2011 <5047130274226520> general list: trying connect to '10.1.252.123'/9002/9002 at line 2696 for '//usim/NumberUsageStat!default.action'
Thu Apr 14 08:51:05 2011 <5047130274226520> New SSL URL: match = 0 oid = 22
Thu Apr 14 08:51:05 2011 <5047130274226520> Connect returns -1, and error no set to 245, msg 'Operation now in progress'
Thu Apr 14 08:51:05 2011 <5047130274226520> EINPROGRESS in connect() - selecting
Thu Apr 14 08:51:05 2011 <5047130274226520> Setting peerID for new SSL connection
Thu Apr 14 08:51:05 2011 <5047130274226520> 0000 0000 0a01 fc7b 0000 0000 0000 232a      .......{......#*
Thu Apr 14 08:51:05 2011 <5047130274226520> Local Port of the socket is 54637
Thu Apr 14 08:51:05 2011 <5047130274226520> Remote Host 10.1.252.123 Remote Port 9002
Thu Apr 14 08:51:05 2011 <5047130274226520> general list: created a new connection to '10.1.252.123'/9002 for '//usim/NumberUsageStat!default.action', Local port:54637
Thu Apr 14 08:51:05 2011 <5047130274226520> Hdrs from clnt:[Accept]=[image/gif, image/jpeg, image/pjpeg, image/pjpeg, application/x-shockwave-flash, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml+xml, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, application/QVOD, */*]
Thu Apr 14 08:51:05 2011 <5047130274226520> Hdrs from clnt:[Referer]=[http://218.206.191.83/CTRMApplicationWeb/jsp/usim/usim.jsp?url=/usim/NumberUsageStat!default.action&itemid=2071&e=615045379]
Thu Apr 14 08:51:05 2011 <5047130274226520> Hdrs from clnt:[Accept-Language]=[zh-cn]
Thu Apr 14 08:51:05 2011 <5047130274226520> Hdrs from clnt:[Accept-Encoding]=[gzip, deflate]
Thu Apr 14 08:51:05 2011 <5047130274226520> Hdrs from clnt:[User-Agent]=[Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; GreenBrowser)]
Thu Apr 14 08:51:05 2011 <5047130274226520> Hdrs from clnt:[Host]=[218.206.191.83]
Thu Apr 14 08:51:05 2011 <5047130274226520> Hdrs from clnt:[Connection]=[Keep-Alive]
Thu Apr 14 08:51:05 2011 <5047130274226520> Hdrs from clnt:[Cookie]=[JSESSIONID=JKV8NmDP7YqlgdJnK2CkmZGSNyTvldHzMj6Cc112Q3l72tynfzJ7!1628161420]
Thu Apr 14 08:51:05 2011 <5047130274226520> URL::sendHeaders(): meth='GET' file='//usim/NumberUsageStat!default.action' protocol='HTTP/1.1'
Thu Apr 14 08:51:05 2011 <5047130274226520> Hdrs to WLS:[Accept]=[image/gif, image/jpeg, image/pjpeg, image/pjpeg, application/x-shockwave-flash, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml+xml, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, application/QVOD, */*]
Thu Apr 14 08:51:05 2011 <5047130274226520> Hdrs to WLS:[Referer]=[http://218.206.191.83/CTRMApplicationWeb/jsp/usim/usim.jsp?url=/usim/NumberUsageStat!default.action&itemid=2071&e=615045379]
Thu Apr 14 08:51:05 2011 <5047130274226520> Hdrs to WLS:[Accept-Language]=[zh-cn]
Thu Apr 14 08:51:05 2011 <5047130274226520> Hdrs to WLS:[Accept-Encoding]=[gzip, deflate]
Thu Apr 14 08:51:05 2011 <5047130274226520> Hdrs to WLS:[User-Agent]=[Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; GreenBrowser)]
Thu Apr 14 08:51:05 2011 <5047130274226520> Hdrs to WLS:[Host]=[218.206.191.83]
Thu Apr 14 08:51:05 2011 <5047130274226520> Hdrs to WLS:[Cookie]=[JSESSIONID=JKV8NmDP7YqlgdJnK2CkmZGSNyTvldHzMj6Cc112Q3l72tynfzJ7!1628161420]
Thu Apr 14 08:51:05 2011 <5047130274226520> Hdrs to WLS:[Connection]=[Keep-Alive]
Thu Apr 14 08:51:05 2011 <5047130274226520> Hdrs to WLS:[WL-Proxy-SSL]=[true]
Thu Apr 14 08:51:05 2011 <5047130274226520> Hdrs to WLS:[WL-Proxy-Client-Cert]=[...]
Thu Apr 14 08:51:05 2011 <5047130274226520> Hdrs to WLS:[WL-Proxy-Client-IP]=[211.137.58.245]
Thu Apr 14 08:51:05 2011 <5047130274226520> Hdrs to WLS:[Proxy-Client-IP]=[211.137.58.245]
Thu Apr 14 08:51:05 2011 <5047130274226520> Hdrs to WLS:[X-Forwarded-For]=[211.137.58.245]
Thu Apr 14 08:51:05 2011 <5047130274226520> Hdrs to WLS:[X-WebLogic-Force-JVMID]=[unset]
Thu Apr 14 08:51:05 2011 <5047130274226520> INFO: No CA was trusted, validation failed
Thu Apr 14 08:51:05 2011 <5047130274226520> ERROR: SSLWrite failed
Thu Apr 14 08:51:05 2011 <5047130274226520> SEND failed (ret=-1) at 789 of file ../nsapi/URL.cpp
Thu Apr 14 08:51:05 2011 <5047130274226520> *******Exception type [WRITE_ERROR_TO_SERVER] raised at line 790 of ../nsapi/URL.cpp
Thu Apr 14 08:51:05 2011 <5047130274226520> Marking 10.1.252.123:9002 as bad
Thu Apr 14 08:51:05 2011 <5047130274226520> got exception in sendRequest phase: WRITE_ERROR_TO_SERVER [os error=0,  line 790 of ../nsapi/URL.cpp]:  at line 3078
Thu Apr 14 08:51:05 2011 <5047130274226520> INFO: Closing SSL context
Thu Apr 14 08:51:05 2011 <5047130274226520> Failing over after WRITE_ERROR_TO_SERVER exception in sendRequest()

5. Solution
Importing the CA of the certificate that Weblogic generated for itself into Apache resolves the problem.
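The failure in section 4 and the fix in section 5, reproduced as an added lab example (not the poster's commands) using openssl alone: one local CA stands in for the CA that signed Weblogic's certificate, a second one for the CA Apache already trusts, and `openssl verify` plays the role of the proxy plug-in's check on the backend handshake. It assumes only that openssl is on PATH; all file names and subjects are constructed placeholders.

```shell
#!/bin/sh
# Added lab reproduction (not the poster's script) of the trust failure in section 4
# and the fix in section 5. Assumes only openssl on PATH; every file name and subject
# is a constructed placeholder, and a local CA stands in for the WebLogic side.
set -eu
WORK="$(mktemp -d)"

# CA that signs the WebLogic server certificate (stand-in for root.cer).
make_weblogic_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=lab-weblogic-ca" \
    -keyout "$WORK/wl-ca.key" -out "$WORK/wl-ca.pem" 2>/dev/null
}
# WebLogic server certificate issued by that CA (stand-in for 10.10.10.12's cert).
make_weblogic_server_cert() {
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=10.10.10.12" \
    -keyout "$WORK/wl.key" -out "$WORK/wl.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/wl.csr" -CA "$WORK/wl-ca.pem" -CAkey "$WORK/wl-ca.key" \
    -CAcreateserial -days 30 -out "$WORK/wl.pem" 2>/dev/null
}
# CA behind Apache's own ca.cer; unrelated to the WebLogic CA.
make_apache_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=lab-apache-ca" \
    -keyout "$WORK/ap-ca.key" -out "$WORK/ap-ca.pem" 2>/dev/null
}
setup_lab() { make_weblogic_ca; make_weblogic_server_cert; make_apache_ca; }

# The check the proxy plug-in makes on the backend handshake: does the WebLogic
# server certificate chain to a CA in the trust file? Exit 0 = trusted.
apache_trusts_weblogic() {
  openssl verify -CAfile "$1" "$WORK/wl.pem" >/dev/null 2>&1
}
# Before the fix the trust file holds only Apache's CA: "No CA was trusted".
trust_before_fix() {
  cp "$WORK/ap-ca.pem" "$WORK/trusted.pem"
  apache_trusts_weblogic "$WORK/trusted.pem"
}
# The fix: append the CA of WebLogic's certificate to Apache's trusted CA file.
trust_after_fix() {
  cat "$WORK/ap-ca.pem" "$WORK/wl-ca.pem" > "$WORK/trusted.pem"
  apache_trusts_weblogic "$WORK/trusted.pem"
}

# Stand-alone run: sh thisfile.sh run
if [ "${1:-}" = "run" ]; then
  setup_lab
  trust_before_fix && echo "before fix: trusted" || echo "before fix: NOT trusted"
  trust_after_fix && echo "after fix: trusted" || echo "after fix: NOT trusted"
fi
```

With the real plug-in the trusted file is the one its `TrustedCAFile` parameter points at (confirm the parameter name against your plug-in version). Running the same `openssl verify` against the certificate exported from weblogic.jks shows, before restarting Apache, whether the import actually closes the gap.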

6. Summary
When you run into a problem, you still need to understand the principles involved first, lay out the whole story of the problem clearly, and then troubleshoot step by step from the simple to the deep.

Thread URL: https://www.yunweiku.com/thread-322851-1-1.html