当我的 SSL 证书在 Payara 5 中更新和替换时,为什么我会收到 CertificateExpiredException?
Why do I get a CertificationExpiredException when my SSL Certificate has been renewed and repalced in Payara 5?
几个月来,我一直是 运行 Glassfish4 服务器,它为我基于 Websocket 的应用程序提供了 SSL 证书。我最近切换到 Payara5。当我设置 Payara 服务器时,一切都运行良好。现在,证书已经过期,在续订后(我一直这样做的相同过程),Payara 服务器仍然认为它使用的是旧证书。
我从一开始就经历的过程是:
- cert-bot 自动更新证书。
- 用我正在使用的密钥库中的新证书替换旧证书
- 重启服务器
这对我的 Glassfish 服务器有效,而且一直有效。但不是 Payara 服务器。在尝试解决这个问题时,我不得不恢复到 Glassfish。我在 Payara 的密钥库中检查了别名,它显示了新证书的到期日期。所以,据我所知,应该没问题。
我用来更新证书的命令如下:
openssl pkcs12 -export -in $LETS_ENCRYPT/live/www.mywebsite.com/fullchain.pem -inkey $LETS_ENCRYPT/live/www.mywebsite.com/privkey.pem -out $LETS_ENCRYPT/live/www.mywebsite.com/pkcs.p12 -name mywebsite.com
keytool -importkeystore -deststorepass *password* -destkeypass *password* -destkeystore $LETS_ENCRYPT/live/www.mywebsite.com/letsencrypt.jks -srckeystore $LETS_ENCRYPT/live/www.mywebsite.com/pkcs.p12 -srcstoretype PKCS12 -srcstorepass *password* -alias mywebsite.com
keytool -importkeystore -srckeystore $LETS_ENCRYPT/live/www.mywebsite.com/letsencrypt.jks -destkeystore $PAYARA_HOME/glassfish/domains/domain1/config/keystore.jks
$PAYARA_HOME/bin/asadmin restart-domain
我检查了密钥库后记:
keytool -v -list -keystore $PAYARA_HOME/glassfish/domains/domain1/config/keystore.jks -alias mywebsite.com
它显示:
Certificate[1]:
Owner: CN=www.mywebsite.com
Issuer: CN=Let's Encrypt Authority X3....
Serial number: ******
Valid from: Wed Apr 03 17:22:48 PDT 2019 until: Tue Jul 02 17:22:48 PDT 2019
来自客户端应用程序的错误显示:
…
Caused by: javax.net.ssl.SSLHandshakeException: General SSLEngine problem
at sun.security.ssl.Handshaker.checkThrown(Handshaker.java:1478)
at sun.security.ssl.SSLEngineImpl.checkTaskThrown(SSLEngineImpl.java:535)
at sun.security.ssl.SSLEngineImpl.writeAppRecord(SSLEngineImpl.java:1214)
at sun.security.ssl.SSLEngineImpl.wrap(SSLEngineImpl.java:1186)
at javax.net.ssl.SSLEngine.wrap(SSLEngine.java:469)
at org.glassfish.grizzly.ssl.SSLUtils.sslEngineWrap(SSLUtils.java:427)
at org.glassfish.grizzly.ssl.SSLConnectionContext.wrap(SSLConnectionContext.java:337)
at org.glassfish.grizzly.ssl.SSLUtils.handshakeWrap(SSLUtils.java:303)
at org.glassfish.grizzly.ssl.SSLBaseFilter.doHandshakeStep(SSLBaseFilter.java:673)
at org.glassfish.grizzly.ssl.SSLFilter.doHandshakeStep(SSLFilter.java:308)
at org.glassfish.grizzly.ssl.SSLBaseFilter.doHandshakeStep(SSLBaseFilter.java:598)
at org.glassfish.grizzly.ssl.SSLBaseFilter.handleRead(SSLBaseFilter.java:310)
at org.glassfish.grizzly.filterchain.ExecutorResolver.execute(ExecutorResolver.java:95)
at org.glassfish.grizzly.filterchain.DefaultFilterChain.executeFilter(DefaultFilterChain.java:260)
at org.glassfish.grizzly.filterchain.DefaultFilterChain.executeChainPart(DefaultFilterChain.java:177)
at org.glassfish.grizzly.filterchain.DefaultFilterChain.execute(DefaultFilterChain.java:109)
at org.glassfish.grizzly.filterchain.DefaultFilterChain.process(DefaultFilterChain.java:88)
at org.glassfish.grizzly.ProcessorExecutor.execute(ProcessorExecutor.java:53)
at org.glassfish.grizzly.nio.transport.TCPNIOTransport.fireIOEvent(TCPNIOTransport.java:515)
at org.glassfish.grizzly.strategies.AbstractIOStrategy.fireIOEvent(AbstractIOStrategy.java:89)
at org.glassfish.grizzly.strategies.WorkerThreadIOStrategy.run0(WorkerThreadIOStrategy.java:94)
at org.glassfish.grizzly.strategies.WorkerThreadIOStrategy.access0(WorkerThreadIOStrategy.java:33)
at org.glassfish.grizzly.strategies.WorkerThreadIOStrategy$WorkerThreadRunnable.run(WorkerThreadIOStrategy.java:114)
at org.glassfish.grizzly.threadpool.AbstractThreadPool$Worker.doWork(AbstractThreadPool.java:569)
at org.glassfish.grizzly.threadpool.AbstractThreadPool$Worker.run(AbstractThreadPool.java:549)
at java.lang.Thread.run(Thread.java:748)
Caused by: javax.net.ssl.SSLHandshakeException: General SSLEngine problem
at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1728)
at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:304)
at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:296)
at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1514)
at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:216)
at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1026)
at sun.security.ssl.Handshaker.run(Handshaker.java:966)
at sun.security.ssl.Handshaker.run(Handshaker.java:963)
at java.security.AccessController.doPrivileged(Native Method)
at sun.security.ssl.Handshaker$DelegatedTask.run(Handshaker.java:1416)
at org.glassfish.grizzly.ssl.SSLUtils.executeDelegatedTask(SSLUtils.java:250)
at org.glassfish.grizzly.ssl.SSLBaseFilter.doHandshakeStep(SSLBaseFilter.java:684)
... 17 more
Caused by: sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: validity check failed
at sun.security.validator.PKIXValidator.doValidate(PKIXValidator.java:362)
at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:270)
at sun.security.validator.Validator.validate(Validator.java:260)
at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324)
at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:281)
at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:136)
at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1501)
... 25 more
Caused by: java.security.cert.CertPathValidatorException: validity check failed
at sun.security.provider.certpath.PKIXMasterCertPathValidator.validate(PKIXMasterCertPathValidator.java:135)
at sun.security.provider.certpath.PKIXCertPathValidator.validate(PKIXCertPathValidator.java:223)
at sun.security.provider.certpath.PKIXCertPathValidator.validate(PKIXCertPathValidator.java:140)
at sun.security.provider.certpath.PKIXCertPathValidator.engineValidate(PKIXCertPathValidator.java:79)
at java.security.cert.CertPathValidator.validate(CertPathValidator.java:292)
at sun.security.validator.PKIXValidator.doValidate(PKIXValidator.java:357)
... 31 more
Caused by: java.security.cert.CertificateExpiredException: NotAfter: Fri May 17 12:21:27 PDT 2019
at sun.security.x509.CertificateValidity.valid(CertificateValidity.java:274)
at sun.security.x509.X509CertImpl.checkValidity(X509CertImpl.java:629)
at sun.security.provider.certpath.BasicChecker.verifyValidity(BasicChecker.java:190)
at sun.security.provider.certpath.BasicChecker.check(BasicChecker.java:144)
at sun.security.provider.certpath.PKIXMasterCertPathValidator.validate(PKIXMasterCertPathValidator.java:125)
... 36 more
Which would indicate it is using the old certificate, or something along those lines.
我发现我有两个 keystore.jks 位置。我的 Payara 服务器默认位于
$PAYARA_HOME/glassfish/domains/domain1
不是
$PAYARA_HOME/glassfish/domains/domain1/配置
密钥库位置的 JVM 选项设置为:
-Djavax.net.ssl.keyStore=${com.sun.aas.instanceRoot}/config/keystore.jks,
所以我认为我正在更改正确的密钥库。但是,我想 Payara 没有使用这个值,或者我把它设置错了。无论哪种方式,我只是将我的脚本文件更改为使用 domain1/keystore.jks 而不是 domain1/config/keystore.jks.
也许我搞砸了我的设置,这一切本可以避免。但我想我还是应该把它留在这里,以防其他人有类似的问题。
几个月来,我一直是 运行 Glassfish4 服务器,它为我基于 Websocket 的应用程序提供了 SSL 证书。我最近切换到 Payara5。当我设置 Payara 服务器时,一切都运行良好。现在,证书已经过期,在续订后(我一直这样做的相同过程),Payara 服务器仍然认为它使用的是旧证书。
我从一开始就经历的过程是:
- cert-bot 自动更新证书。
- 用我正在使用的密钥库中的新证书替换旧证书
- 重启服务器
这对我的 Glassfish 服务器有效,而且一直有效。但不是 Payara 服务器。在尝试解决这个问题时,我不得不恢复到 Glassfish。我在 Payara 的密钥库中检查了别名,它显示了新证书的到期日期。所以,据我所知,应该没问题。
我用来更新证书的命令如下:
openssl pkcs12 -export -in $LETS_ENCRYPT/live/www.mywebsite.com/fullchain.pem -inkey $LETS_ENCRYPT/live/www.mywebsite.com/privkey.pem -out $LETS_ENCRYPT/live/www.mywebsite.com/pkcs.p12 -name mywebsite.com
keytool -importkeystore -deststorepass *password* -destkeypass *password* -destkeystore $LETS_ENCRYPT/live/www.mywebsite.com/letsencrypt.jks -srckeystore $LETS_ENCRYPT/live/www.mywebsite.com/pkcs.p12 -srcstoretype PKCS12 -srcstorepass *password* -alias mywebsite.com
keytool -importkeystore -srckeystore $LETS_ENCRYPT/live/www.mywebsite.com/letsencrypt.jks -destkeystore $PAYARA_HOME/glassfish/domains/domain1/config/keystore.jks
$PAYARA_HOME/bin/asadmin restart-domain
我检查了密钥库后记:
keytool -v -list -keystore $PAYARA_HOME/glassfish/domains/domain1/config/keystore.jks -alias mywebsite.com
它显示:
Certificate[1]:
Owner: CN=www.mywebsite.com
Issuer: CN=Let's Encrypt Authority X3....
Serial number: ******
Valid from: Wed Apr 03 17:22:48 PDT 2019 until: Tue Jul 02 17:22:48 PDT 2019
来自客户端应用程序的错误显示:
…
Caused by: javax.net.ssl.SSLHandshakeException: General SSLEngine problem
at sun.security.ssl.Handshaker.checkThrown(Handshaker.java:1478)
at sun.security.ssl.SSLEngineImpl.checkTaskThrown(SSLEngineImpl.java:535)
at sun.security.ssl.SSLEngineImpl.writeAppRecord(SSLEngineImpl.java:1214)
at sun.security.ssl.SSLEngineImpl.wrap(SSLEngineImpl.java:1186)
at javax.net.ssl.SSLEngine.wrap(SSLEngine.java:469)
at org.glassfish.grizzly.ssl.SSLUtils.sslEngineWrap(SSLUtils.java:427)
at org.glassfish.grizzly.ssl.SSLConnectionContext.wrap(SSLConnectionContext.java:337)
at org.glassfish.grizzly.ssl.SSLUtils.handshakeWrap(SSLUtils.java:303)
at org.glassfish.grizzly.ssl.SSLBaseFilter.doHandshakeStep(SSLBaseFilter.java:673)
at org.glassfish.grizzly.ssl.SSLFilter.doHandshakeStep(SSLFilter.java:308)
at org.glassfish.grizzly.ssl.SSLBaseFilter.doHandshakeStep(SSLBaseFilter.java:598)
at org.glassfish.grizzly.ssl.SSLBaseFilter.handleRead(SSLBaseFilter.java:310)
at org.glassfish.grizzly.filterchain.ExecutorResolver.execute(ExecutorResolver.java:95)
at org.glassfish.grizzly.filterchain.DefaultFilterChain.executeFilter(DefaultFilterChain.java:260)
at org.glassfish.grizzly.filterchain.DefaultFilterChain.executeChainPart(DefaultFilterChain.java:177)
at org.glassfish.grizzly.filterchain.DefaultFilterChain.execute(DefaultFilterChain.java:109)
at org.glassfish.grizzly.filterchain.DefaultFilterChain.process(DefaultFilterChain.java:88)
at org.glassfish.grizzly.ProcessorExecutor.execute(ProcessorExecutor.java:53)
at org.glassfish.grizzly.nio.transport.TCPNIOTransport.fireIOEvent(TCPNIOTransport.java:515)
at org.glassfish.grizzly.strategies.AbstractIOStrategy.fireIOEvent(AbstractIOStrategy.java:89)
at org.glassfish.grizzly.strategies.WorkerThreadIOStrategy.run0(WorkerThreadIOStrategy.java:94)
at org.glassfish.grizzly.strategies.WorkerThreadIOStrategy.access0(WorkerThreadIOStrategy.java:33)
at org.glassfish.grizzly.strategies.WorkerThreadIOStrategy$WorkerThreadRunnable.run(WorkerThreadIOStrategy.java:114)
at org.glassfish.grizzly.threadpool.AbstractThreadPool$Worker.doWork(AbstractThreadPool.java:569)
at org.glassfish.grizzly.threadpool.AbstractThreadPool$Worker.run(AbstractThreadPool.java:549)
at java.lang.Thread.run(Thread.java:748)
Caused by: javax.net.ssl.SSLHandshakeException: General SSLEngine problem
at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1728)
at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:304)
at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:296)
at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1514)
at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:216)
at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1026)
at sun.security.ssl.Handshaker.run(Handshaker.java:966)
at sun.security.ssl.Handshaker.run(Handshaker.java:963)
at java.security.AccessController.doPrivileged(Native Method)
at sun.security.ssl.Handshaker$DelegatedTask.run(Handshaker.java:1416)
at org.glassfish.grizzly.ssl.SSLUtils.executeDelegatedTask(SSLUtils.java:250)
at org.glassfish.grizzly.ssl.SSLBaseFilter.doHandshakeStep(SSLBaseFilter.java:684)
... 17 more
Caused by: sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: validity check failed
at sun.security.validator.PKIXValidator.doValidate(PKIXValidator.java:362)
at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:270)
at sun.security.validator.Validator.validate(Validator.java:260)
at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324)
at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:281)
at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:136)
at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1501)
... 25 more
Caused by: java.security.cert.CertPathValidatorException: validity check failed
at sun.security.provider.certpath.PKIXMasterCertPathValidator.validate(PKIXMasterCertPathValidator.java:135)
at sun.security.provider.certpath.PKIXCertPathValidator.validate(PKIXCertPathValidator.java:223)
at sun.security.provider.certpath.PKIXCertPathValidator.validate(PKIXCertPathValidator.java:140)
at sun.security.provider.certpath.PKIXCertPathValidator.engineValidate(PKIXCertPathValidator.java:79)
at java.security.cert.CertPathValidator.validate(CertPathValidator.java:292)
at sun.security.validator.PKIXValidator.doValidate(PKIXValidator.java:357)
... 31 more
Caused by: java.security.cert.CertificateExpiredException: NotAfter: Fri May 17 12:21:27 PDT 2019
at sun.security.x509.CertificateValidity.valid(CertificateValidity.java:274)
at sun.security.x509.X509CertImpl.checkValidity(X509CertImpl.java:629)
at sun.security.provider.certpath.BasicChecker.verifyValidity(BasicChecker.java:190)
at sun.security.provider.certpath.BasicChecker.check(BasicChecker.java:144)
at sun.security.provider.certpath.PKIXMasterCertPathValidator.validate(PKIXMasterCertPathValidator.java:125)
... 36 more
Which would indicate it is using the old certificate, or something along those lines.
我发现我有两个 keystore.jks 位置。我的 Payara 服务器默认位于
$PAYARA_HOME/glassfish/domains/domain1
不是
$PAYARA_HOME/glassfish/domains/domain1/配置
密钥库位置的 JVM 选项设置为:
-Djavax.net.ssl.keyStore=${com.sun.aas.instanceRoot}/config/keystore.jks,
所以我认为我正在更改正确的密钥库。但是,我想 Payara 没有使用这个值,或者我把它设置错了。无论哪种方式,我只是将我的脚本文件更改为使用 domain1/keystore.jks 而不是 domain1/config/keystore.jks.
也许我搞砸了我的设置,这一切本可以避免。但我想我还是应该把它留在这里,以防其他人有类似的问题。