证书中的主机名在 OAuth 请求中不匹配
Hostname in certificate didn't match in OAuth request
我已经通过openssl创建了证书
openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout tls.key -out tls.crt -subj "/CN=nginxsvc/O=nginxsvc"
（注意：该命令只设置了 CN=nginxsvc，没有 subjectAltName；证书里既没有服务的实际主机名，也没有后面日志中出现的 IP 135.209.100.150。）
并通过 java 中的 keytool 导入 tls.crt
keytool -import -file C:\Code_Base\Certificates\NGINX_150\tls.crt -storepass changeit -keystore "C:\Program Files\Java\jdk1.8.0_152\jre\lib\security\cacerts"
（说明：这一步是把一张自签名证书导入整个 JDK 的全局信任库 cacerts，而且用的是默认口令 changeit，此后该 JDK 上运行的所有 Java 程序都会信任这张证书；更稳妥的做法是为适配器单独建立一个信任库并在适配器配置中指向它。另外，导入信任库只解决"证书是否可信"的问题，与下面报的主机名不匹配是两个彼此独立的校验——从堆栈看握手已经通过，失败的是随后的 verifyHostname。）
但我得到了
16:30:21,046 ERROR [org.keycloak.adapters.OAuthRequestAuthenticator]
(http-/0.0.0.0:8080-1) failed to turn code into token:
javax.net.ssl.SSLException: hostname in certificate didn't match:
<135.209.100.150> != [证书中的名称在粘贴日志时丢失了；按上面 -subj 的内容推断应为 <nginxsvc>] at
org.apache.http.conn.ssl.AbstractVerifier.verify(AbstractVerifier.java:238)
[httpclient-4.3.6.redhat-1.jar:4.3.6.redhat-1] at
org.apache.http.conn.ssl.BrowserCompatHostnameVerifier.verify(BrowserCompatHostnameVerifier.java:54)
[httpclient-4.3.6.redhat-1.jar:4.3.6.redhat-1] at
org.apache.http.conn.ssl.AbstractVerifier.verify(AbstractVerifier.java:159)
[httpclient-4.3.6.redhat-1.jar:4.3.6.redhat-1] at
org.apache.http.conn.ssl.AbstractVerifier.verify(AbstractVerifier.java:140)
[httpclient-4.3.6.redhat-1.jar:4.3.6.redhat-1] at
org.apache.http.conn.ssl.SSLSocketFactory.verifyHostname(SSLSocketFactory.java:561)
[httpclient-4.3.6.redhat-1.jar:4.3.6.redhat-1] at
org.apache.http.conn.ssl.SSLSocketFactory.connectSocket(SSLSocketFactory.java:536)
[httpclient-4.3.6.redhat-1.jar:4.3.6.redhat-1] at
org.keycloak.adapters.SniSSLSocketFactory.connectSocket(SniSSLSocketFactory.java:109)
[keycloak-adapter-core-2.4.0.Final.jar:2.4.0.Final] at
org.apache.http.conn.ssl.SSLSocketFactory.connectSocket(SSLSocketFactory.java:403)
[httpclient-4.3.6.redhat-1.jar:4.3.6.redhat-1] at
org.apache.http.impl.conn.DefaultClientConnectionOperator.openConnection(DefaultClientConnectionOperator.java:177)
[httpclient-4.3.6.redhat-1.jar:4.3.6.redhat-1] at
org.apache.http.impl.conn.AbstractPoolEntry.open(AbstractPoolEntry.java:144)
[httpclient-4.3.6.redhat-1.jar:4.3.6.redhat-1] at
org.apache.http.impl.conn.AbstractPooledConnAdapter.open(AbstractPooledConnAdapter.java:131)
[httpclient-4.3.6.redhat-1.jar:4.3.6.redhat-1] at
org.apache.http.impl.client.DefaultRequestDirector.tryConnect(DefaultRequestDirector.java:611)
[httpclient-4.3.6.redhat-1.jar:4.3.6.redhat-1] at
org.apache.http.impl.client.DefaultRequestDirector.execute(DefaultRequestDirector.java:446)
[httpclient-4.3.6.redhat-1.jar:4.3.6.redhat-1] at
org.apache.http.impl.client.AbstractHttpClient.doExecute(AbstractHttpClient.java:863)
[httpclient-4.3.6.redhat-1.jar:4.3.6.redhat-1] at
org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:82)
[httpclient-4.3.6.redhat-1.jar:4.3.6.redhat-1] at
org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:106)
[httpclient-4.3.6.redhat-1.jar:4.3.6.redhat-1] at
org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:57)
[httpclient-4.3.6.redhat-1.jar:4.3.6.redhat-1] at
org.keycloak.adapters.ServerRequest.invokeAccessCodeToToken(ServerRequest.java:107)
[keycloak-adapter-core-2.4.0.Final.jar:2.4.0.Final] at
org.keycloak.adapters.OAuthRequestAuthenticator.resolveCode(OAuthRequestAuthenticator.java:327)
[keycloak-adapter-core-2.4.0.Final.jar:2.4.0.Final] at
org.keycloak.adapters.OAuthRequestAuthenticator.authenticate(OAuthRequestAuthenticator.java:273)
[keycloak-adapter-core-2.4.0.Final.jar:2.4.0.Final] at
org.keycloak.adapters.RequestAuthenticator.authenticate(RequestAuthenticator.java:130)
[keycloak-adapter-core-2.4.0.Final.jar:2.4.0.Final] at
org.keycloak.adapters.tomcat.AbstractKeycloakAuthenticatorValve.authenticateInternal(AbstractKeycloakAuthenticatorValve.java:208)
[keycloak-tomcat-core-adapter-2.4.0.Final.jar:2.4.0.Final] at
org.keycloak.adapters.jbossweb.KeycloakAuthenticatorValve.authenticate(KeycloakAuthenticatorValve.java:39)
[keycloak-as7-adapter-2.4.0.Final.jar:2.4.0.Final] at
org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:478)
[jbossweb-7.5.7.Final-redhat-1.jar:7.5.7.Final-redhat-1] at
org.keycloak.adapters.tomcat.AbstractKeycloakAuthenticatorValve.invoke(AbstractKeycloakAuthenticatorValve.java:187)
[keycloak-tomcat-core-adapter-2.4.0.Final.jar:2.4.0.Final] at
org.jboss.as.web.security.SecurityContextAssociationValve.invoke(SecurityContextAssociationValve.java:169)
[jboss-as-web-7.5.0.Final-redhat-21.jar:7.5.0.Final-redhat-21] at
org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:150)
[jbossweb-7.5.7.Final-redhat-1.jar:7.5.7.Final-redhat-1] at
org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:97)
[jbossweb-7.5.7.Final-redhat-1.jar:7.5.7.Final-redhat-1] at
org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:102)
[jbossweb-7.5.7.Final-redhat-1.jar:7.5.7.Final-redhat-1] at
org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:344)
[jbossweb-7.5.7.Final-redhat-1.jar:7.5.7.Final-redhat-1] at
org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:854)
[jbossweb-7.5.7.Final-redhat-1.jar:7.5.7.Final-redhat-1] at
org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:653)
[jbossweb-7.5.7.Final-redhat-1.jar:7.5.7.Final-redhat-1] at
org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:926)
[jbossweb-7.5.7.Final-redhat-1.jar:7.5.7.Final-redhat-1] at
java.lang.Thread.run(Thread.java:748) [rt.jar:1.8.0_152]
当 SSL/TLS 证书中的名称（subjectAltName，或在没有 SAN 时回退到 Common Name）与客户端实际连接所用的主机名或 IP 不一致时，就会出现这种主机名不匹配错误。这里的"客户端"是 Keycloak 适配器本身：用授权码换取 token 的请求是由应用服务器在后台直接发往适配器中配置的 Keycloak 地址的，所以被比较的是该地址里的主机部分 135.209.100.150，而证书里只有 CN=nginxsvc，两者自然对不上。
您的证书名称应与服务的主机名/域名（或 IP）一致。因此，如果您的服务位于 nginxservice.yourdomain.com
，则证书应签发给 nginxservice.yourdomain.com，并且应同时写入 subjectAltName（例如 OpenSSL 1.1.1 及以上可加 -addext "subjectAltName=DNS:nginxservice.yourdomain.com"），因为现代校验器在证书带有 SAN 时会忽略 CN
。如果仅在开发阶段通过 IP 访问，也可以把该 IP 写进证书——用 SAN 的 IP: 条目（例如 subjectAltName=IP:135.209.100.150），直到您为服务配置好 DNS 记录为止。不要通过关闭主机名校验或信任管理器来"修复"这个错误：那会让适配器与 Keycloak 之间的 TLS 失去对中间人攻击的防护，而这条链路上传输的正是客户端密钥和 token。
我已经通过openssl创建了证书
openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout tls.key -out tls.crt -subj "/CN=nginxsvc/O=nginxsvc"
（注意：该命令只设置了 CN=nginxsvc，没有 subjectAltName；证书里既没有服务的实际主机名，也没有后面日志中出现的 IP 135.209.100.150。）
并通过 java 中的 keytool 导入 tls.crt
keytool -import -file C:\Code_Base\Certificates\NGINX_150\tls.crt -storepass changeit -keystore "C:\Program Files\Java\jdk1.8.0_152\jre\lib\security\cacerts"
（说明：这一步是把一张自签名证书导入整个 JDK 的全局信任库 cacerts，而且用的是默认口令 changeit，此后该 JDK 上运行的所有 Java 程序都会信任这张证书；更稳妥的做法是为适配器单独建立一个信任库并在适配器配置中指向它。另外，导入信任库只解决"证书是否可信"的问题，与下面报的主机名不匹配是两个彼此独立的校验——从堆栈看握手已经通过，失败的是随后的 verifyHostname。）
但我得到了
16:30:21,046 ERROR [org.keycloak.adapters.OAuthRequestAuthenticator] (http-/0.0.0.0:8080-1) failed to turn code into token: javax.net.ssl.SSLException: hostname in certificate didn't match: <135.209.100.150> != at org.apache.http.conn.ssl.AbstractVerifier.verify(AbstractVerifier.java:238) [httpclient-4.3.6.redhat-1.jar:4.3.6.redhat-1] at org.apache.http.conn.ssl.BrowserCompatHostnameVerifier.verify(BrowserCompatHostnameVerifier.java:54) [httpclient-4.3.6.redhat-1.jar:4.3.6.redhat-1] at org.apache.http.conn.ssl.AbstractVerifier.verify(AbstractVerifier.java:159) [httpclient-4.3.6.redhat-1.jar:4.3.6.redhat-1] at org.apache.http.conn.ssl.AbstractVerifier.verify(AbstractVerifier.java:140) [httpclient-4.3.6.redhat-1.jar:4.3.6.redhat-1] at org.apache.http.conn.ssl.SSLSocketFactory.verifyHostname(SSLSocketFactory.java:561) [httpclient-4.3.6.redhat-1.jar:4.3.6.redhat-1] at org.apache.http.conn.ssl.SSLSocketFactory.connectSocket(SSLSocketFactory.java:536) [httpclient-4.3.6.redhat-1.jar:4.3.6.redhat-1] at org.keycloak.adapters.SniSSLSocketFactory.connectSocket(SniSSLSocketFactory.java:109) [keycloak-adapter-core-2.4.0.Final.jar:2.4.0.Final] at org.apache.http.conn.ssl.SSLSocketFactory.connectSocket(SSLSocketFactory.java:403) [httpclient-4.3.6.redhat-1.jar:4.3.6.redhat-1] at org.apache.http.impl.conn.DefaultClientConnectionOperator.openConnection(DefaultClientConnectionOperator.java:177) [httpclient-4.3.6.redhat-1.jar:4.3.6.redhat-1] at org.apache.http.impl.conn.AbstractPoolEntry.open(AbstractPoolEntry.java:144) [httpclient-4.3.6.redhat-1.jar:4.3.6.redhat-1] at org.apache.http.impl.conn.AbstractPooledConnAdapter.open(AbstractPooledConnAdapter.java:131) [httpclient-4.3.6.redhat-1.jar:4.3.6.redhat-1] at org.apache.http.impl.client.DefaultRequestDirector.tryConnect(DefaultRequestDirector.java:611) [httpclient-4.3.6.redhat-1.jar:4.3.6.redhat-1] at org.apache.http.impl.client.DefaultRequestDirector.execute(DefaultRequestDirector.java:446) 
[httpclient-4.3.6.redhat-1.jar:4.3.6.redhat-1] at org.apache.http.impl.client.AbstractHttpClient.doExecute(AbstractHttpClient.java:863) [httpclient-4.3.6.redhat-1.jar:4.3.6.redhat-1] at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:82) [httpclient-4.3.6.redhat-1.jar:4.3.6.redhat-1] at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:106) [httpclient-4.3.6.redhat-1.jar:4.3.6.redhat-1] at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:57) [httpclient-4.3.6.redhat-1.jar:4.3.6.redhat-1] at org.keycloak.adapters.ServerRequest.invokeAccessCodeToToken(ServerRequest.java:107) [keycloak-adapter-core-2.4.0.Final.jar:2.4.0.Final] at org.keycloak.adapters.OAuthRequestAuthenticator.resolveCode(OAuthRequestAuthenticator.java:327) [keycloak-adapter-core-2.4.0.Final.jar:2.4.0.Final] at org.keycloak.adapters.OAuthRequestAuthenticator.authenticate(OAuthRequestAuthenticator.java:273) [keycloak-adapter-core-2.4.0.Final.jar:2.4.0.Final] at org.keycloak.adapters.RequestAuthenticator.authenticate(RequestAuthenticator.java:130) [keycloak-adapter-core-2.4.0.Final.jar:2.4.0.Final] at org.keycloak.adapters.tomcat.AbstractKeycloakAuthenticatorValve.authenticateInternal(AbstractKeycloakAuthenticatorValve.java:208) [keycloak-tomcat-core-adapter-2.4.0.Final.jar:2.4.0.Final] at org.keycloak.adapters.jbossweb.KeycloakAuthenticatorValve.authenticate(KeycloakAuthenticatorValve.java:39) [keycloak-as7-adapter-2.4.0.Final.jar:2.4.0.Final] at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:478) [jbossweb-7.5.7.Final-redhat-1.jar:7.5.7.Final-redhat-1] at org.keycloak.adapters.tomcat.AbstractKeycloakAuthenticatorValve.invoke(AbstractKeycloakAuthenticatorValve.java:187) [keycloak-tomcat-core-adapter-2.4.0.Final.jar:2.4.0.Final] at org.jboss.as.web.security.SecurityContextAssociationValve.invoke(SecurityContextAssociationValve.java:169) 
[jboss-as-web-7.5.0.Final-redhat-21.jar:7.5.0.Final-redhat-21] at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:150) [jbossweb-7.5.7.Final-redhat-1.jar:7.5.7.Final-redhat-1] at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:97) [jbossweb-7.5.7.Final-redhat-1.jar:7.5.7.Final-redhat-1] at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:102) [jbossweb-7.5.7.Final-redhat-1.jar:7.5.7.Final-redhat-1] at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:344) [jbossweb-7.5.7.Final-redhat-1.jar:7.5.7.Final-redhat-1] at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:854) [jbossweb-7.5.7.Final-redhat-1.jar:7.5.7.Final-redhat-1] at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:653) [jbossweb-7.5.7.Final-redhat-1.jar:7.5.7.Final-redhat-1] at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:926) [jbossweb-7.5.7.Final-redhat-1.jar:7.5.7.Final-redhat-1] at java.lang.Thread.run(Thread.java:748) [rt.jar:1.8.0_152]
当 SSL/TLS 证书中的名称（subjectAltName，或在没有 SAN 时回退到 Common Name）与客户端实际连接所用的主机名或 IP 不一致时，就会出现这种主机名不匹配错误。这里的"客户端"是 Keycloak 适配器本身：用授权码换取 token 的请求是由应用服务器在后台直接发往适配器中配置的 Keycloak 地址的，所以被比较的是该地址里的主机部分 135.209.100.150，而证书里只有 CN=nginxsvc，两者自然对不上。
您的证书名称应与服务的主机名/域名（或 IP）一致。因此，如果您的服务位于 nginxservice.yourdomain.com
，则证书应签发给 nginxservice.yourdomain.com，并且应同时写入 subjectAltName（例如 OpenSSL 1.1.1 及以上可加 -addext "subjectAltName=DNS:nginxservice.yourdomain.com"），因为现代校验器在证书带有 SAN 时会忽略 CN
。如果仅在开发阶段通过 IP 访问，也可以把该 IP 写进证书——用 SAN 的 IP: 条目（例如 subjectAltName=IP:135.209.100.150），直到您为服务配置好 DNS 记录为止。不要通过关闭主机名校验或信任管理器来"修复"这个错误：那会让适配器与 Keycloak 之间的 TLS 失去对中间人攻击的防护，而这条链路上传输的正是客户端密钥和 token。