我爲我的域名購買了證書(來自comodo),它包含3個文件:私鑰,證書和ca-bundle文件。如何將證書鏈添加到netty服務器?
我將它添加到我的apache服務器/ mod_ssl中,它完美地工作。我可以輕鬆配置,因爲它有3個配置參數:SSLCertificateFile,SSLCertificateKeyFile,SSLCertificateChainFile。
我想添加到我的其他Java應用程序,使用Netty作爲網絡庫。 以下是我的服務器代碼:
SslContext sslContext = null;
File cert = new File(Config.CERT_FILE_PATH);
File key = new File(Config.KEY_FILE_PATH);
sslContext = SslContextBuilder.forServer(cert, key).build();
ServerBootstrap b = new ServerBootstrap();
b.group(bossGroup, workerGroup)
.channel(NioServerSocketChannel.class)
.localAddress(port)
.childOption(ChannelOption.TCP_NODELAY, true)
.childOption(ChannelOption.SO_KEEPALIVE, true)
.childHandler(new WebServerInitializer(sslCtx));
Channel ch = b.bind().sync().channel();
隨着Config.CERT_FILE_PATH
是我的證書文件路徑,Config.KEY_FILE_PATH
是我的私有密鑰文件的路徑。
但問題是一些瀏覽器說證書錯誤(更多細節是在Mac OS瀏覽器,瀏覽器不信任我的證書)。
我做了一些研究,發現我的netty http服務器沒有發送完整的證書鏈給客戶端(包含我的證書的中間證書),它只發送我的證書(我通過KeyStore Explorer工具檢查)。
我嘗試將Config.CERT_FILE_PATH
值替換爲ca-bundle文件的路徑或將證書文件的值附加到ca-bundle文件並使用新文件,但仍然不成功。拋出異常:
io.netty.handler.codec.DecoderException: javax.net.ssl.SSLException: Received fatal alert: decrypt_error
at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:358)
at io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:230)
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:308)
at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:294)
at io.netty.channel.DefaultChannelPipeline.fireChannelRead(DefaultChannelPipeline.java:846)
at io.netty.channel.nio.AbstractNioByteChannel$NioByteUnsafe.read(AbstractNioByteChannel.java:131)
at io.netty.channel.nio.NioEventLoop.processSelectedKey(NioEventLoop.java:511)
at io.netty.channel.nio.NioEventLoop.processSelectedKeysOptimized(NioEventLoop.java:468)
at io.netty.channel.nio.NioEventLoop.processSelectedKeys(NioEventLoop.java:382)
at io.netty.channel.nio.NioEventLoop.run(NioEventLoop.java:354)
at io.netty.util.concurrent.SingleThreadEventExecutor$2.run(SingleThreadEventExecutor.java:112)
at io.netty.util.concurrent.DefaultThreadFactory$DefaultRunnableDecorator.run(DefaultThreadFactory.java:137)
at java.lang.Thread.run(Thread.java:745)
Caused by: javax.net.ssl.SSLException: Received fatal alert: decrypt_error
at sun.security.ssl.Alerts.getSSLException(Alerts.java:208)
at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1646)
at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1614)
at sun.security.ssl.SSLEngineImpl.recvAlert(SSLEngineImpl.java:1780)
at sun.security.ssl.SSLEngineImpl.readRecord(SSLEngineImpl.java:1075)
at sun.security.ssl.SSLEngineImpl.readNetRecord(SSLEngineImpl.java:901)
at sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:775)
at javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:624)
at io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1135)
at io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1025)
at io.netty.handler.ssl.SslHandler.decode(SslHandler.java:965)
at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:327)
... 12 more
如何將我的證書與ca-bundle正確添加到netty服務器?
爲什麼其他瀏覽器(除了基於鉻的瀏覽器在Mac上的Windows和Mac上的所有瀏覽器)仍然與我的錯誤服務器一起工作?
我以錯誤的順序連接這些證書,正確的順序是我的證書服務器在證書鏈之前 – Viet