How to use SSL with AppDynamics RabbitMQ Monitoring Plugin
I am trying to set up the RabbitMQ machine agent extension for AppDynamics against a standalone RabbitMQ.
https://www.appdynamics.com/community/exchange/extension/rabbitmq-monitoring-extension/
RabbitMQ 3.6.15
AppDynamics Controller 4.5.14.2417
AppD MachineAgent 4.5.14.2283
AppD RabbitMQ Monitoring Plugin 2.0.2
curl against the RabbitMQ API works fine:
curl -i -k -u user:pass https://127.0.0.1:15672/api/vhosts
HTTP/1.1 200 OK
Celery Flower can talk to rabbit fine with the following config options:
--ca_certs=/opt/ca/cacert.pem --broker_api=https://user:pass@127.0.0.1:15672/api/
My RabbitMQ Monitoring plugin is configured like this in config.yml:
servers:
  - host: "127.0.0.1"
    port: 15672
    useSSL: true
    username: "user"
    password: "pass"
    encryptedPassword: ""
    displayName: "RabbitMQ"
connection:
  socketTimeout: 10000
  connectTimeout: 10000
In my troubleshooting I followed this guide to add /opt/ca/cacert.pem to a Java keystore: https://github.com/MichalHecko/SSLPoke
I start the machine agent as follows:
java -Djavax.net.ssl.trustStore=/opt/trustStore.keystore -Djavax.net.ssl.trustStorePassword=password -jar /opt/machineagent-bundle-64bit-linux-4.5.14.2293/machineagent.jar
In machineagent-bundle-64bit-linux-4.5.14.2293/logs/machine-agent.log the monitor still gets the following error for every RabbitMQ API call:
[Monitor-Task-Thread6] 02 Oct 2019 20:02:37,671 DEBUG OptionalMetricsCollector - MetircsCollector Phaser arrived for RabbitMQ
[Monitor-Task-Thread4] 02 Oct 2019 20:02:37,671 DEBUG UrlBuilder - The url is initialized to https://127.0.0.1:15672/api/queues
[Monitor-Task-Thread4] 02 Oct 2019 20:02:37,672 INFO MetricsCollector - Fetching the RabbitMQ Stats for stat child: Queues from the URL {}https://127.0.0.1:15672/api/queues
[Monitor-Task-Thread4] 02 Oct 2019 20:02:37,672 DEBUG HttpClientUtils - Invoking the URL [https://127.0.0.1:15672/api/queues]
[Monitor-Task-Thread4] 02 Oct 2019 20:02:37,672 DEBUG Http4ClientBuilder - Added the BasicScheme to uri [https://127.0.0.1:15672]
[Monitor-Task-Thread4] 02 Oct 2019 20:02:37,679 ERROR HttpClientUtils - The response is null for the URL https://127.0.0.1e:15672/api/queues
[Monitor-Task-Thread4] 02 Oct 2019 20:02:37,679 ERROR HttpClientUtils - Exception while executing the request [https://127.0.0.1:15672/api/queues]
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1946)
at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:316)
at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:310)
at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1639)
at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:223)
at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1037)
at sun.security.ssl.Handshaker.process_record(Handshaker.java:965)
at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1064)
at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1367)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1395)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1379)
at org.apache.http.conn.ssl.SSLConnectionSocketFactory.createLayeredSocket(SSLConnectionSocketFactory.java:396)
at org.apache.http.conn.ssl.SSLConnectionSocketFactory.connectSocket(SSLConnectionSocketFactory.java:355)
at org.apache.http.impl.conn.DefaultHttpClientConnectionOperator.connect(DefaultHttpClientConnectionOperator.java:142)
at org.apache.http.impl.conn.PoolingHttpClientConnectionManager.connect(PoolingHttpClientConnectionManager.java:373)
at org.apache.http.impl.execchain.MainClientExec.establishRoute(MainClientExec.java:394)
at org.apache.http.impl.execchain.MainClientExec.execute(MainClientExec.java:237)
at org.apache.http.impl.execchain.ProtocolExec.execute(ProtocolExec.java:185)
at org.apache.http.impl.execchain.RetryExec.execute(RetryExec.java:89)
at org.apache.http.impl.execchain.RedirectExec.execute(RedirectExec.java:110)
at org.apache.http.impl.client.InternalHttpClient.doExecute(InternalHttpClient.java:185)
at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:83)
at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:108)
at com.appdynamics.extensions.http.HttpClientUtils.getResponse(HttpClientUtils.java:119)
at com.appdynamics.extensions.http.HttpClientUtils.getResponseAsJson(HttpClientUtils.java:68)
at com.appdynamics.extensions.http.HttpClientUtils.getResponseAsJson(HttpClientUtils.java:45)
at com.appdynamics.extensions.rabbitmq.metrics.MetricsCollector.run(MetricsCollector.java:103)
at com.appdynamics.extensions.MonitorThreadPoolExecutor.run(MonitorThreadPoolExecutor.java:102)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
at java.lang.Thread.run(Thread.java:748)
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:397)
at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:302)
at sun.security.validator.Validator.validate(Validator.java:262)
at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:330)
at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:237)
at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:132)
at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1621)
... 27 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141)
at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126)
at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280)
at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:392)
... 33 more
What am I missing? Thanks!
The most important thing for understanding this error is what this line means:
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
SSL certificates work by establishing a certificate chain, or trust hierarchy. For example, if I go to https://www.google.com and look at their certificate, this is what I see:
There is a google certificate, which lives on their servers/CDN, then an intermediate certificate, which also lives on their servers/CDN, then a trusted root CA certificate, which lives in the client keystore and is implicitly trusted. So when someone browses to google, b/c they have the root CA certificate and trust it, the browser (client) will believe the server really is who it says it is and will establish a secure connection to the site.
So back to your error: whatever CA issued the server certificate RabbitMQ is using, the monitor does not recognize it as trusted. To resolve this error, do the following:
- Look at the server certificate and make sure it can be validated. openssl works well for this; run:
openssl s_client -connect 127.0.0.1:15672 -showcerts
and look at the certificate chain.
- Verify that your Java keystore trusts the root CA. You can view those certificates with keytool: keytool -list -v -keystore </path/to/keystore> -storepass <pass>. Make sure the certificates listed above are in the keystore.
Some other issues to watch for:
- It is not always obvious which keystore Java is using. The JDK has a default keystore, and each application can use its own keystore, as you did above. Make sure you know which keystore is in use. Although it adds a lot of logging, adding
-Djavax.net.debug=all
to the command line can help.
- Be careful about adding individual server certificates to the keystore. That will work until the server certificate expires. It is much better to rely on trusted CA certificates, which are usually maintained at the platform level. Adding individual certificates is generally considered an anti-pattern.
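As an added example that is not part of the question, the answer above, or the AppDynamics extension, the following POSIX shell script runs the answer's checks end to end: it captures the chain RabbitMQ presents with openssl s_client, prints each certificate's subject, issuer, expiry and SHA-256 fingerprint, lists the fingerprints held in the Java trust store via keytool, and finally asks openssl verify whether the leaf validates using only the store's contents as trust anchors, which is the same path-building question the JVM asks before throwing "PKIX path building failed". The script name, argument order and helper names are my own; it assumes openssl and a JDK (for keytool) on PATH, and the s_client output shown in comments is constructed.

```shell
#!/bin/sh
# tls-trust-check.sh (added example, not the extension's own code).
# Usage: sh tls-trust-check.sh 127.0.0.1 15672 /opt/trustStore.keystore password
# For the JVM default store use $JAVA_HOME/jre/lib/security/cacerts (Java 8)
# or $JAVA_HOME/lib/security/cacerts (Java 9+); its default password is changeit.

# Split the PEM blocks of `openssl s_client -showcerts` output ($1) into
# $2/cert-0.pem (leaf), cert-1.pem, ... and print how many were found.
# Everything outside BEGIN/END lines (the "s:/i:" summaries, session info) is dropped.
split_pem_blocks() {
    mkdir -p "$2"
    awk -v dir="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++; f = dir "/cert-" (n - 1) ".pem"; inblock = 1 }
        inblock { print > f }
        /-----END CERTIFICATE-----/ { inblock = 0; close(f) }
        END { print n + 0 }
    ' "$1"
}

# Normalise a fingerprint line from either tool (read on stdin) to bare
# upper-case hex so the two can be compared:
#   openssl: "SHA256 Fingerprint=ab:cd:..."   (OpenSSL 3 prints "sha256 Fingerprint=")
#   keytool: "         SHA256: AB:CD:..."
normalize_fp() {
    sed -e 's/^.*=//' -e 's/^.*SHA256: *//' | tr -d ' \t\r' | tr 'a-f' 'A-F'
}

main() {
    host="$1"; port="$2"; ks="$3"; pw="$4"
    work="$(mktemp -d)"

    # 1. Capture the chain the server actually sends (leaf first).
    openssl s_client -connect "$host:$port" -servername "$host" -showcerts \
        </dev/null 2>/dev/null > "$work/s_client.txt"
    n="$(split_pem_blocks "$work/s_client.txt" "$work")"
    if [ "$n" -eq 0 ]; then
        echo "no certificates received from $host:$port (is TLS enabled on that port?)" >&2
        exit 2
    fi
    echo "server presented $n certificate(s):"
    i=0
    while [ "$i" -lt "$n" ]; do
        f="$work/cert-$i.pem"
        echo "[$i]"
        openssl x509 -in "$f" -noout -subject -issuer -enddate | sed 's/^/    /'
        openssl x509 -in "$f" -noout -fingerprint -sha256 | normalize_fp >> "$work/chain.fp"
        echo "    sha256 $(tail -n 1 "$work/chain.fp")"
        i=$((i + 1))
    done

    # 2. Dump every trust store entry as PEM and list its SHA-256 fingerprints.
    keytool -list -rfc -keystore "$ks" -storepass "$pw" > "$work/trusted.pem"
    keytool -list -v -keystore "$ks" -storepass "$pw" | grep 'SHA256:' | normalize_fp > "$work/trusted.fp"
    echo "trust store $ks holds $(wc -l < "$work/trusted.fp" | tr -d ' ') certificate(s)"
    while read -r fp; do
        grep -q "$fp" "$work/trusted.fp" && echo "    chain certificate $fp is itself in the trust store"
    done < "$work/chain.fp"

    # 3. Build the path the way the JVM does: anchors only from the store,
    #    the chain's intermediates as untrusted helpers, then the leaf.
    set -- -CAfile "$work/trusted.pem"
    if [ "$n" -gt 1 ]; then
        i=1
        while [ "$i" -lt "$n" ]; do cat "$work/cert-$i.pem"; i=$((i + 1)); done > "$work/intermediates.pem"
        set -- "$@" -untrusted "$work/intermediates.pem"
    fi
    if openssl verify "$@" "$work/cert-0.pem"; then
        echo "chain validates against $ks; if the agent still fails it is not using this store"
        echo "(run it with -Djavax.net.debug=ssl and look for the 'trustStore is:' line)"
    else
        echo "chain does NOT validate against $ks: import the issuing CA, not the leaf" >&2
        exit 1
    fi
    rm -rf "$work"
}

# Only run when given the four arguments; sourcing the file just defines the functions.
if [ "$#" -ge 4 ]; then main "$@"; fi
```

A successful openssl verify here but a continuing PKIX failure in the agent means the two are not looking at the same store, which is the "which keystore is Java using" point from the answer; a failing verify means the CA that signed the top of the presented chain is what needs importing.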