Connecting to a MongoDB docker container from Spark using SSL

Stack Overflow user
Asked 2018-05-15 13:02:02
Answers: 1 | Views: 923 | Followers: 0 | Votes: 0

For testing purposes, I want to connect to a MongoDB docker instance from Spark using the mongo spark connector.

Setting up the MongoDB credentials: I use this script to generate all keys & certs for SSL.

```bash
#Root CA key
openssl genrsa -out rootCA.key 2048

#Root CA crt
openssl req -x509 -new -nodes -key rootCA.key -sha256 -days 1024 -out rootCA.crt -subj "/C=US/ST=CA/L=Santa Monica/O=test/OU=IT/CN=127.0.0.1:27117"

#Mongodb key
openssl genrsa -out mongodb.key 2048

#Mongodb csr
openssl req -new -key mongodb.key -out mongodb.csr -subj "/C=US/ST=CA/L=Santa Monica/O=test/OU=IT/CN=127.0.0.1:27117"

#Mongodb crt
openssl x509 -req -in mongodb.csr -CA rootCA.crt -CAkey rootCA.key -CAcreateserial -out mongodb.crt -days 500 -sha256

#PEM files
cat mongodb.key mongodb.crt rootCA.crt > mongodb.pem
cat rootCA.key rootCA.crt > rootCA.pem

# Clean
rm mongo.pkc mongo-truststore

# Add mongo to keystore
openssl pkcs12 -CAfile rootCA.pem -export -in mongodb.pem -out mongo.pkc  -password pass:test12

# Add root ca to trust store
echo "y" | keytool -importcert -trustcacerts -file rootCA.crt -keystore mongo-truststore  -storepass test12
```

Then run a docker instance:

```bash
docker run -d \
    --name testmongo \
    -e MONGO_INITDB_ROOT_USERNAME=test \
    -e MONGO_INITDB_ROOT_PASSWORD=test12 \
    -e MONGODB_DBNAME=testdb \
    -v $sslpath:/etc/ssl/ \
    -p 27117:27017 \
    mongo:3.6 \
    --sslMode requireSSL \
    --sslPEMKeyFile /etc/ssl/mongodb.pem \
    --auth
```

So far so good. In fact, I can connect to this instance with a tool like 3T mongochef using SSL & SCRAM (username & password).

However, using Spark with the following options:

```text
-Djavax.net.ssl.keyStoreType=pkcs12 -Djavax.net.ssl.keyStore=local-files/ssl/mongo.pkc -Djavax.net.ssl.keyStorePassword=test12 -Djavax.net.ssl.trustStoreType=jks -Djavax.net.ssl.trustStore=local-files/ssl/mongo-truststore -Djavax.net.ssl.trustStorePassword=test12 -Djavax.net.debug=true
```

results in:

java.security.cert.CertificateException: No subject alternative names present

Full output:

```text
com.mongodb.MongoSocketWriteException: Exception sending message
    at com.mongodb.connection.InternalStreamConnection.translateWriteException(InternalStreamConnection.java:465)
    at com.mongodb.connection.InternalStreamConnection.sendMessage(InternalStreamConnection.java:208)
    at com.mongodb.connection.CommandHelper.sendMessage(CommandHelper.java:89)
    at com.mongodb.connection.CommandHelper.executeCommand(CommandHelper.java:32)
    at com.mongodb.connection.InternalStreamConnectionInitializer.initializeConnectionDescription(InternalStreamConnectionInitializer.java:85)
    at com.mongodb.connection.InternalStreamConnectionInitializer.initialize(InternalStreamConnectionInitializer.java:45)
    at com.mongodb.connection.InternalStreamConnection.open(InternalStreamConnection.java:116)
    at com.mongodb.connection.DefaultServerMonitor$ServerMonitorRunnable.run(DefaultServerMonitor.java:113)
    at java.lang.Thread.run(Thread.java:745)
Caused by: javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No subject alternative names present
    at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
    at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1949)
    at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:302)
    at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:296)
    at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1506)
    at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:216)
    at sun.security.ssl.Handshaker.processLoop(Handshaker.java:979)
    at sun.security.ssl.Handshaker.process_record(Handshaker.java:914)
    at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1062)
    at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1375)
    at sun.security.ssl.SSLSocketImpl.writeRecord(SSLSocketImpl.java:747)
    at sun.security.ssl.AppOutputStream.write(AppOutputStream.java:123)
    at com.mongodb.connection.SocketStream.write(SocketStream.java:75)
    at com.mongodb.connection.InternalStreamConnection.sendMessage(InternalStreamConnection.java:204)
    ... 7 more
Caused by: java.security.cert.CertificateException: No subject alternative names present
    at sun.security.util.HostnameChecker.matchIP(HostnameChecker.java:144)
    at sun.security.util.HostnameChecker.match(HostnameChecker.java:93)
    at sun.security.ssl.X509TrustManagerImpl.checkIdentity(X509TrustManagerImpl.java:455)
    at sun.security.ssl.X509TrustManagerImpl.checkIdentity(X509TrustManagerImpl.java:436)
    at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:200)
    at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:124)
    at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1488)
    ... 16 more
```

Using debug, I can actually see that the keystores are loaded correctly, but somehow the 127.0.0.1 IP cannot be matched with the certificate.

I don't want to use hostnames because I want to run this on a CI machine at some point.

I tried both:

```scala
HttpsURLConnection.setDefaultHostnameVerifier(
    SSLConnectionSocketFactory.ALLOW_ALL_HOSTNAME_VERIFIER)
```

as well as:

```scala
javax.net.ssl.HttpsURLConnection.setDefaultHostnameVerifier(new HostnameVerifier() {
    override def verify(hostname: String, sslSession: SSLSession): Boolean = {
//      hostname == "127.0.0.1"
      true
    }
  })
```

to no avail.

1 Answer

Stack Overflow user

Accepted answer

Posted 2018-05-15 13:54:39

I figured it out. The subjectAltName is checked, but it is not in the self-signed certificate.

Replacing

```bash
openssl x509 -req -in mongodb.csr -CA rootCA.crt -CAkey rootCA.key -CAcreateserial -out mongodb.crt -days 500 -sha256
```

with

```bash
openssl x509 -req -extfile <(printf "subjectAltName=DNS:localhost,IP:127.0.0.1") -in mongodb.csr -CA rootCA.crt -CAkey rootCA.key -CAcreateserial -out mongodb.crt -days 500 -sha256
```

fixed it for me.

Votes: 0
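The SAN fix from the accepted answer, as an added example that is not code from the question or the answer: it issues a CN-only certificate and a SAN-bearing one from a throwaway CA and runs the same IP identity check the Java client performs, using `openssl verify -verify_ip` as a stand-in for the JVM. The CA name, the scratch directory and the OpenSSL 1.1.1+ requirement are assumptions.

```shell
#!/usr/bin/env bash
# Added example, not from the original question or answer. Issues two server
# certificates from a throwaway CA: one with only a CN (as in the question) and
# one with a subjectAltName carrying IP:127.0.0.1 (as in the answer), then runs
# the IP identity check a Java client performs, here via openssl verify.
# Assumes OpenSSL 1.1.1 or later on PATH; all files go to a scratch directory.
set -e

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
LEAF_SUBJ="/C=US/ST=CA/L=Santa Monica/O=test/OU=IT/CN=127.0.0.1"

# Self-signed root CA used to sign the server certificates.
make_ca() {
  openssl genrsa -out "$WORK/rootCA.key" 2048 2>/dev/null
  openssl req -x509 -new -key "$WORK/rootCA.key" -sha256 -days 365 \
    -subj "/O=test/CN=test-root-ca" -out "$WORK/rootCA.crt"
}

# issue_cert NAME [SAN]: sign a CSR for NAME. SAN is an optional value such as
# "DNS:localhost,IP:127.0.0.1", passed through an -extfile as the answer does.
issue_cert() {
  local name="$1" san="${2:-}"
  openssl genrsa -out "$WORK/$name.key" 2048 2>/dev/null
  openssl req -new -key "$WORK/$name.key" -subj "$LEAF_SUBJ" -out "$WORK/$name.csr"
  if [ -n "$san" ]; then
    printf 'subjectAltName=%s\n' "$san" > "$WORK/$name.ext"
    openssl x509 -req -in "$WORK/$name.csr" -CA "$WORK/rootCA.crt" \
      -CAkey "$WORK/rootCA.key" -CAcreateserial -days 365 -sha256 \
      -extfile "$WORK/$name.ext" -out "$WORK/$name.crt" 2>/dev/null
  else
    openssl x509 -req -in "$WORK/$name.csr" -CA "$WORK/rootCA.crt" \
      -CAkey "$WORK/rootCA.key" -CAcreateserial -days 365 -sha256 \
      -out "$WORK/$name.crt" 2>/dev/null
  fi
}

# verify_ip NAME IP: chain check plus IP identity check. Like Java's
# HostnameChecker.matchIP, OpenSSL consults only iPAddress SAN entries here,
# so a CN of 127.0.0.1 does not count. Returns 0 only when both checks pass.
verify_ip() {
  openssl verify -CAfile "$WORK/rootCA.crt" -verify_ip "$2" "$WORK/$1.crt" >/dev/null 2>&1
}

make_ca
issue_cert cn-only
issue_cert with-san "DNS:localhost,IP:127.0.0.1"
verify_ip cn-only  127.0.0.1 && echo "cn-only:  accepted" || echo "cn-only:  rejected (no SAN)"
verify_ip with-san 127.0.0.1 && echo "with-san: accepted" || echo "with-san: rejected"
```

The CN-only certificate is rejected even though its CN is 127.0.0.1, which is exactly what the JVM's `HostnameChecker.matchIP` reports in the question's stack trace; only the SAN-bearing certificate passes.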
Original page content provided by Stack Overflow; translation supported by Tencent Cloud's IT-domain engine.
Original link: https://stackoverflow.com/questions/50350925