Spring 启动管理员:客户端无法通过 https 向管理服务器注册
Spring boot admin: Client can't register with admin server over https
我有一些 spring-boot 微服务,它们在 spring-boot-admin (SBA) 中注册。当我在本地 运行 微服务和 SBA 服务器时,客户端可以通过 HTTP 向 SBA 服务器注册自己。
当我将应用程序部署到 Kubernetes 集群时,通过 HTTPS(通过 Ingress)向 SBA 注册,我在日志中得到 javax.net.ssl.SSLHandshakeException
d.c.b.a.c.r.ApplicationRegistrator : Failed to register application as Application(name=my-app, managementUrl=https://my-app-dev.mydomain.com/actuator, healthUrl=https://my-app-dev.mydomain.com/actuator/health, serviceUrl=https://my-app-dev.mydomain.com) at spring-boot-admin ([https://my-admin-dev.mydomain.com/instances]): I/O error on POST request for "https://my-admin-dev.mydomain.com/instances": Received fatal alert: protocol_version; nested exception is javax.net.ssl.SSLHandshakeException: Received fatal alert: protocol_version. Further attempts are logged on DEBUG level
在微服务(SBA 客户端)中,我使用了以下依赖项
<dependency>
<groupId>de.codecentric</groupId>
<artifactId>spring-boot-admin-starter-client</artifactId>
<version>2.4.0</version>
</dependency>
以及 application.yaml
中的以下内容
spring.boot.admin.client:
url: "https://my-admin-dev.mydomain.com"
instance.service-url: "https://my-app-dev.mydomain.com"
我能够查看 spring-boot-admin-starter-client
代码。首先,我从日志消息中的 ApplicationRegistrator
开始,这使我找到了一个可覆盖的 BlockingRegistrationClient
实例(耶!)
public class SpringBootAdminClientAutoConfiguration {
...
@Configuration(proxyBeanMethods = false)
@ConditionalOnBean(RestTemplateBuilder.class)
public static class BlockingRegistrationClientConfig {
@Bean
@ConditionalOnMissingBean
public BlockingRegistrationClient registrationClient(ClientProperties client) {
RestTemplateBuilder builder = new RestTemplateBuilder().setConnectTimeout(client.getConnectTimeout())
.setReadTimeout(client.getReadTimeout());
if (client.getUsername() != null && client.getPassword() != null) {
builder = builder.basicAuthentication(client.getUsername(), client.getPassword());
}
return new BlockingRegistrationClient(builder.build());
}
}
按照我的指导使用 this post,我能够创建一个 RestTemplate
,并将信任库加载到 SSLContext
。然后我可以用我自己的包装自定义 RestTemplate
.
的实例覆盖 BlockingRegistrationClient
@Bean
public BlockingRegistrationClient registrationClient(
@Value("${ssl.protocol}") String protocol,
@Value("${ssl.trustStore.path}") String trustStorePath,
@Value("${ssl.trustStore.password}") String trustStorePassword,
ClientProperties client) throws Exception {
SSLContext sslContext = SSLContextBuilder.create()
.loadTrustMaterial(new File(trustStorePath), trustStorePassword.toCharArray())
.setProtocol(protocol)
.build();
CloseableHttpClient httpClient = HttpClientBuilder.create()
.setSSLContext(sslContext)
.build();
RestTemplateBuilder builder = new RestTemplateBuilder()
.setConnectTimeout(client.getConnectTimeout())
.setReadTimeout(client.getReadTimeout())
.requestFactory(() -> new HttpComponentsClientHttpRequestFactory(httpClient));
if (client.getUsername() != null && client.getPassword() != null) {
builder = builder.basicAuthentication(client.getUsername(), client.getPassword());
}
return new BlockingRegistrationClient(builder.build());
}
application.yaml
ssl:
protocol: TLSv1.2
trustStore:
path: "/opt/java/openjdk/lib/security/cacerts"
password: "*****"
我有一些 spring-boot 微服务,它们在 spring-boot-admin (SBA) 中注册。当我在本地 运行 微服务和 SBA 服务器时,客户端可以通过 HTTP 向 SBA 服务器注册自己。
当我将应用程序部署到 Kubernetes 集群时,通过 HTTPS(通过 Ingress)向 SBA 注册,我在日志中得到 javax.net.ssl.SSLHandshakeException
d.c.b.a.c.r.ApplicationRegistrator : Failed to register application as Application(name=my-app, managementUrl=https://my-app-dev.mydomain.com/actuator, healthUrl=https://my-app-dev.mydomain.com/actuator/health, serviceUrl=https://my-app-dev.mydomain.com) at spring-boot-admin ([https://my-admin-dev.mydomain.com/instances]): I/O error on POST request for "https://my-admin-dev.mydomain.com/instances": Received fatal alert: protocol_version; nested exception is javax.net.ssl.SSLHandshakeException: Received fatal alert: protocol_version. Further attempts are logged on DEBUG level
在微服务(SBA 客户端)中,我使用了以下依赖项
<dependency>
<groupId>de.codecentric</groupId>
<artifactId>spring-boot-admin-starter-client</artifactId>
<version>2.4.0</version>
</dependency>
以及 application.yaml
spring.boot.admin.client:
url: "https://my-admin-dev.mydomain.com"
instance.service-url: "https://my-app-dev.mydomain.com"
我能够查看 spring-boot-admin-starter-client
代码。首先,我从日志消息中的 ApplicationRegistrator
开始,这使我找到了一个可覆盖的 BlockingRegistrationClient
实例(耶!)
public class SpringBootAdminClientAutoConfiguration {
...
@Configuration(proxyBeanMethods = false)
@ConditionalOnBean(RestTemplateBuilder.class)
public static class BlockingRegistrationClientConfig {
@Bean
@ConditionalOnMissingBean
public BlockingRegistrationClient registrationClient(ClientProperties client) {
RestTemplateBuilder builder = new RestTemplateBuilder().setConnectTimeout(client.getConnectTimeout())
.setReadTimeout(client.getReadTimeout());
if (client.getUsername() != null && client.getPassword() != null) {
builder = builder.basicAuthentication(client.getUsername(), client.getPassword());
}
return new BlockingRegistrationClient(builder.build());
}
}
按照我的指导使用 this post,我能够创建一个 RestTemplate
,并将信任库加载到 SSLContext
。然后我可以用我自己的包装自定义 RestTemplate
.
BlockingRegistrationClient
@Bean
public BlockingRegistrationClient registrationClient(
@Value("${ssl.protocol}") String protocol,
@Value("${ssl.trustStore.path}") String trustStorePath,
@Value("${ssl.trustStore.password}") String trustStorePassword,
ClientProperties client) throws Exception {
SSLContext sslContext = SSLContextBuilder.create()
.loadTrustMaterial(new File(trustStorePath), trustStorePassword.toCharArray())
.setProtocol(protocol)
.build();
CloseableHttpClient httpClient = HttpClientBuilder.create()
.setSSLContext(sslContext)
.build();
RestTemplateBuilder builder = new RestTemplateBuilder()
.setConnectTimeout(client.getConnectTimeout())
.setReadTimeout(client.getReadTimeout())
.requestFactory(() -> new HttpComponentsClientHttpRequestFactory(httpClient));
if (client.getUsername() != null && client.getPassword() != null) {
builder = builder.basicAuthentication(client.getUsername(), client.getPassword());
}
return new BlockingRegistrationClient(builder.build());
}
application.yaml
ssl:
protocol: TLSv1.2
trustStore:
path: "/opt/java/openjdk/lib/security/cacerts"
password: "*****"