Eureka -无法使用双向SSL注册eureka服务器本身

Question

我一直试图建立两个ssl来保护微服务之间的通信。当服务A想注册到EurekaServer时，它实际上是工作的。但是，当我尝试将eureka注册到相同的eureka服务器或其他eureka实例时，我总是得到一个错误的证书异常。

这是我来自尤里卡服务器的application.yml

server:
  port: ${SERVER_SSL_PORT:${PORT:10100}}
  ssl:
    enabled: true
    client-auth: need
    key-alias: ${JKS_ALIAS}
    key-password: ${JKS_KEY_PASSWORD}
    key-store-type: ${JKS_TYPE}
    key-store-provider: ${JKS_PROVIDER:SUN}
    key-store: ${JKS_PATH}
    key-store-password: ${JKS_KEY_PASSWORD}
    trust-store: ${JKS_PATH}
    trust-store-password: ${JKS_KEY_PASSWORD}
    trust-store-provider: ${JKS_PROVIDER:SUN}
    trust-store-type: ${JKS_TYPE}

## EUREKA CONFIGURATION
eureka:
  client:
    enabled: true
    register-with-eureka: true
    fetch-registry: false
    service-url:
      defaultZone: ${SVC_REGISTRY:https://localhost:14102/eureka}
    prefer-same-zone-eureka: true
    healthcheck:
      enabled: true
    tls:
      enabled: true
      key-store: ${JKS_PATH}
      key-password: ${JKS_KEY_PASSWORD}
      key-store-type: ${JKS_TYPE}
      key-store-password: ${JKS_KEYSTORE_PASSWORD}
      trust-store: ${JKS_PATH}
      trust-store-password: ${JKS_KEY_PASSWORD}
      trust-store-type: ${JKS_TYPE}
  instance:
    instance-id: ${SERVER_NAME:${spring.application.name}:${server.port}}@${eureka.instance.hostname}
    hostname: ${SERVER_HOST:localhost}
    home-page-url: https://${eureka.instance.hostname}:${server.port}${server.contextPath:}
    status-page-url: https://${eureka.instance.hostname}:${server.port}${server.contextPath:}${management.endpoints.web.base-path:}/info
    health-check-url: https://${eureka.instance.hostname}:${server.port}${server.contextPath:}${management.endpoints.web.base-path:}/health
    secure-health-check-url: https://${eureka.instance.hostname}:${server.port}${server.contextPath:}${management.endpoints.web.base-path:}/health
    lease-renewal-interval-in-seconds: 10
    prefer-ip-address: true
    metadata-map:
      instanceId: ${eureka.instance.instance-id}
      zone: ${SERVER_ZONE:local}
    non-secure-port-enabled: false
    secure-port-enabled: true
    secure-port: ${server.port}

我还尝试添加此配置以修改JerseyClient

    @Bean
    @SneakyThrows
    public DiscoveryClient.DiscoveryClientOptionalArgs discoveryClientOptionalArgs2() {
        

        DiscoveryClient.DiscoveryClientOptionalArgs args = new DiscoveryClient.DiscoveryClientOptionalArgs();

        EurekaJerseyClientImpl.EurekaJerseyClientBuilder clientBuilder = new EurekaJerseyClientImpl.EurekaJerseyClientBuilder()
                .withClientName("DiscoveryClient-HTTPClient-Custom")
                .withUserAgent("Java-EurekaClient")
                .withConnectionTimeout(config.getEurekaServerConnectTimeoutSeconds() * 1000)
                .withReadTimeout(config.getEurekaServerReadTimeoutSeconds() * 1000)
                .withMaxConnectionsPerHost(config.getEurekaServerTotalConnectionsPerHost())
                .withMaxTotalConnections(config.getEurekaServerTotalConnections())
                .withConnectionIdleTimeout(config.getEurekaConnectionIdleTimeoutSeconds() * 1000)
                .withEncoderWrapper(CodecWrappers.getEncoder(config.getEncoderName()))
                .withDecoderWrapper(CodecWrappers.resolveDecoder(config.getDecoderName(), config.getClientDataAccept()))
                .withCustomSSL(sslContext());
               
        EurekaJerseyClient jerseyClient = clientBuilder.build();
        args.setEurekaJerseyClient(jerseyClient);//Provide custom EurekaJerseyClient to override default one
        return args;
    }

    @Bean
    public SSLContext sslContext() throws Exception {
        log.info("initialize ssl context bean with keystore {} ", env.getProperty("JKS_PATH"));
        char[] password = env.getProperty("JKS_KEY_PASSWORD").toCharArray();
        return new SSLContextBuilder()
                .loadTrustMaterial(ResourceUtils.getFile(env.getProperty("JKS_PATH")), password).build();
    }

但我一直在犯这个错误

2022-09-01 18:44:01.522 INFO 26829 - tbeatExecutor-0 c.n.d.s.t.d.RedirectingEurekaHttpClient :请求执行错误.endpoint=DefaultEndpoint{ serviceUrl='https://XXXXXXXXXXXXXXXXXXXX:DDDD/eureka/}，exception=javax.net.ssl.SSLHandshakeException:收到致命警报: bad_certificate stacktrace=com.sun.jersey.api.client.ClientHandlerException: javax.net.ssl.SSLHandshakeException:收到致命警报: bad_certificate at com.sun.jersey.client.apache4.ApacheHttpClient4Handler.handle(ApacheHttpClient4Handler.java:187) at com.sun.jersey.api.client.Client.handle(Client.java:652) at com.sun.jersey.api.client.WebResource.handle(WebResource.java:682) at com.sun.jersey.api.client.WebResource.access$200(( com.sun.jersey.api.client.WebResource$Builder.put(WebResource.java:529) )

证书应该是可以的，因为它是我用来在服务A和注册表之间使用2路SSL的证书。我还用有效的证书在真正的服务器上测试这一点。

有线索吗？

提前感谢！欣赏它

Answer 1

我找到了问题的根源。我的财产是真的

prefer-ip-address: true

但是它应该是假的，因为我的证书有主机名注册，而不是it。因此，当它试图验证证书时，它是比较不同的主机名和ip，并抛出bad_certificate异常。