使用 Lets Encrypt SSL 证书保护 Netty 服务器

Secure Netty Server with Lets Encrypt SSL Certificates

我有一个 RESTful netty 服务器,它将向请求的用户提供一些数据。我想使用 Let's Encrypt 生成的 SSL 证书来保护此服务器。

我目前有这个用于我的 ChannelInitializer,其中 CHAIN_FILE 是对 fullchain.pem 的文件引用,PRIVATE_FILE 是对 privkey.pem.[=13= 的文件引用]

    ChannelPipeline pipeline = channel.pipeline();
    SslContext sslContext = SslContextBuilder.forServer(CHAIN_FILE, PRIVATE_FILE).build();
    pipeline.addLast("ssl", sslContext.newHandler(channel.alloc()));
    pipeline.addLast(new HttpServerCodec()); // A combination of HttpRequestDecoder and HttpResponseEncoder which enables easier server side HTTP implementation.
    pipeline.addLast(new HttpObjectAggregator(Integer.MAX_VALUE)); // Aggregates HttpMessage and HttpContents into a single FullHttpResponse/FullHttpRequest
    pipeline.addLast(new HttpServerHandler()); // Handles incoming HttpRequests

每当我尝试向服务器发出请求时,我都会收到错误消息:

[io.netty.channel.DefaultChannelPipeline] An exceptionCaught() event was fired, and it reached at the tail of the pipeline. It usually means the last handler in the pipeline did not handle the exception.
io.netty.handler.codec.DecoderException: io.netty.handler.ssl.NotSslRecordException: not an SSL/TLS record: 474554202f20485454502f312e310d0a486f73743a206c6f63616c686f73740d0a436f6e6e656374696f6e3a206b6565702d616c6976650d0a43616368652d436f6e74726f6c3a206d61782d6167653d300d0a7365632d63682d75613a2022476f6f676c65204368726f6d65223b763d223839222c20224368726f6d69756d223b763d223839222c20223b4e6f742041204272616e64223b763d223939220d0a7365632d63682d75612d6d6f62696c653a203f300d0a557067726164652d496e7365637572652d52657175657374733a20310d0a557365722d4167656e743a204d6f7a696c6c612f352e30202857696e646f7773204e542031302e303b2057696e36343b2078363429204170706c655765624b69742f3533372e333620284b48544d4c2c206c696b65204765636b6f29204368726f6d652f38392e302e343338392e313134205361666172692f3533372e33360d0a4163636570743a20746578742f68746d6c2c6170706c69636174696f6e2f7868746d6c2b786d6c2c6170706c69636174696f6e2f786d6c3b713d302e392c696d6167652f617669662c696d6167652f776562702c696d6167652f61706e672c2a2f2a3b713d302e382c6170706c69636174696f6e2f7369676e65642d65786368616e67653b763d62333b713d302e390d0a5365632d46657463682d536974653a206e6f6e650d0a5365632d46657463682d4d6f64653a206e617669676174650d0a5365632d46657463682d557365723a203f310d0a5365632d46657463682d446573743a20646f63756d656e740d0a4163636570742d456e636f64696e673a20677a69702c206465666c6174652c2062720d0a4163636570742d4c616e67756167653a20656e2d55532c656e3b713d302e390d0a436f6f6b69653a20696f3d414e444b736c6953336c6374366a4b47414141430d0a0d0a
    at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:471) ~[PaperSpigot.jar:git-Paper-449]
    at io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:276) ~[PaperSpigot.jar:git-Paper-449]
    at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:379) ~[PaperSpigot.jar:git-Paper-449]
    at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:365) ~[PaperSpigot.jar:git-Paper-449]
    at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:357) ~[PaperSpigot.jar:git-Paper-449]
    at io.netty.channel.DefaultChannelPipeline$HeadContext.channelRead(DefaultChannelPipeline.java:1410) ~[PaperSpigot.jar:git-Paper-449]
    at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:379) ~[PaperSpigot.jar:git-Paper-449]
    at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:365) ~[PaperSpigot.jar:git-Paper-449]
    at io.netty.channel.DefaultChannelPipeline.fireChannelRead(DefaultChannelPipeline.java:919) ~[PaperSpigot.jar:git-Paper-449]
    at io.netty.channel.nio.AbstractNioByteChannel$NioByteUnsafe.read(AbstractNioByteChannel.java:163) ~[PaperSpigot.jar:git-Paper-449]
    at io.netty.channel.nio.NioEventLoop.processSelectedKey(NioEventLoop.java:714) ~[PaperSpigot.jar:git-Paper-449]
    at io.netty.channel.nio.NioEventLoop.processSelectedKeysOptimized(NioEventLoop.java:650) ~[PaperSpigot.jar:git-Paper-449]
    at io.netty.channel.nio.NioEventLoop.processSelectedKeys(NioEventLoop.java:576) ~[PaperSpigot.jar:git-Paper-449]
    at io.netty.channel.nio.NioEventLoop.run(NioEventLoop.java:493) ~[PaperSpigot.jar:git-Paper-449]
    at io.netty.util.concurrent.SingleThreadEventExecutor.run(SingleThreadEventExecutor.java:989) ~[PaperSpigot.jar:git-Paper-449]
    at io.netty.util.internal.ThreadExecutorMap.run(ThreadExecutorMap.java:74) ~[PaperSpigot.jar:git-Paper-449]
    at io.netty.util.concurrent.FastThreadLocalRunnable.run(FastThreadLocalRunnable.java:30) ~[PaperSpigot.jar:git-Paper-449]
    at java.lang.Thread.run(Thread.java:834) [?:?]
Caused by: io.netty.handler.ssl.NotSslRecordException: not an SSL/TLS record: 474554202f20485454502f312e310d0a486f73743a206c6f63616c686f73740d0a436f6e6e656374696f6e3a206b6565702d616c6976650d0a43616368652d436f6e74726f6c3a206d61782d6167653d300d0a7365632d63682d75613a2022476f6f676c65204368726f6d65223b763d223839222c20224368726f6d69756d223b763d223839222c20223b4e6f742041204272616e64223b763d223939220d0a7365632d63682d75612d6d6f62696c653a203f300d0a557067726164652d496e7365637572652d52657175657374733a20310d0a557365722d4167656e743a204d6f7a696c6c612f352e30202857696e646f7773204e542031302e303b2057696e36343b2078363429204170706c655765624b69742f3533372e333620284b48544d4c2c206c696b65204765636b6f29204368726f6d652f38392e302e343338392e313134205361666172692f3533372e33360d0a4163636570743a20746578742f68746d6c2c6170706c69636174696f6e2f7868746d6c2b786d6c2c6170706c69636174696f6e2f786d6c3b713d302e392c696d6167652f617669662c696d6167652f776562702c696d6167652f61706e672c2a2f2a3b713d302e382c6170706c69636174696f6e2f7369676e65642d65786368616e67653b763d62333b713d302e390d0a5365632d46657463682d536974653a206e6f6e650d0a5365632d46657463682d4d6f64653a206e617669676174650d0a5365632d46657463682d557365723a203f310d0a5365632d46657463682d446573743a20646f63756d656e740d0a4163636570742d456e636f64696e673a20677a69702c206465666c6174652c2062720d0a4163636570742d4c616e67756167653a20656e2d55532c656e3b713d302e390d0a436f6f6b69653a20696f3d414e444b736c6953336c6374366a4b47414141430d0a0d0a
    at io.netty.handler.ssl.SslHandler.decodeJdkCompatible(SslHandler.java:1246) ~[PaperSpigot.jar:git-Paper-449]
    at io.netty.handler.ssl.SslHandler.decode(SslHandler.java:1314) ~[PaperSpigot.jar:git-Paper-449]
    at io.netty.handler.codec.ByteToMessageDecoder.decodeRemovalReentryProtection(ByteToMessageDecoder.java:501) ~[PaperSpigot.jar:git-Paper-449]
    at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:440) ~[PaperSpigot.jar:git-Paper-449]
    ... 17 more

我对网络服务器很陌生,所以我真的只能想到两件事:

  1. 我向 SslContextBuilder#forServer 传递了完全错误的东西。如果是这样我需要通过什么
  2. 我在某处读到这可能意味着 http 与 https 不匹配。

我一开始可能不需要保护它,但我想了解为什么它会失败,因为我很可能 运行 将来会变成类似的东西。提前致谢。

编辑:

Concision 的建议是正确的。我的客户没有通过 HTTPS 请求。该请求现已被接受并且 returns 结果正确,但由于出现新错误,连接仍然不安全:

[04:43:38 WARN]: [io.netty.channel.DefaultChannelPipeline] An exceptionCaught() event was fired, and it reached at the tail of the pipeline. It usually means the last handler in the pipeline did not handle the exception.
io.netty.handler.codec.DecoderException: javax.net.ssl.SSLHandshakeException: Received fatal alert: certificate_unknown
        at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:471) ~[PaperSpigot.jar:git-Paper-449]
        at io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:276) ~[PaperSpigot.jar:git-Paper-449]
        at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:379) ~[PaperSpigot.jar:git-Paper-449]
        at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:365) ~[PaperSpigot.jar:git-Paper-449]
        at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:357) ~[PaperSpigot.jar:git-Paper-449]
        at io.netty.channel.DefaultChannelPipeline$HeadContext.channelRead(DefaultChannelPipeline.java:1410) ~[PaperSpigot.jar:git-Paper-449]
        at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:379) ~[PaperSpigot.jar:git-Paper-449]
        at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:365) ~[PaperSpigot.jar:git-Paper-449]
        at io.netty.channel.DefaultChannelPipeline.fireChannelRead(DefaultChannelPipeline.java:919) ~[PaperSpigot.jar:git-Paper-449]
        at io.netty.channel.epoll.AbstractEpollStreamChannel$EpollStreamUnsafe.epollInReady(AbstractEpollStreamChannel.java:792) ~[PaperSpigot.jar:git-Paper-449]
        at io.netty.channel.epoll.EpollEventLoop.processReady(EpollEventLoop.java:475) ~[PaperSpigot.jar:git-Paper-449]
        at io.netty.channel.epoll.EpollEventLoop.run(EpollEventLoop.java:378) ~[PaperSpigot.jar:git-Paper-449]
        at io.netty.util.concurrent.SingleThreadEventExecutor.run(SingleThreadEventExecutor.java:989) ~[PaperSpigot.jar:git-Paper-449]
        at io.netty.util.internal.ThreadExecutorMap.run(ThreadExecutorMap.java:74) ~[PaperSpigot.jar:git-Paper-449]
        at io.netty.util.concurrent.FastThreadLocalRunnable.run(FastThreadLocalRunnable.java:30) ~[PaperSpigot.jar:git-Paper-449]
        at java.lang.Thread.run(Thread.java:834) [?:?]
Caused by: javax.net.ssl.SSLHandshakeException: Received fatal alert: certificate_unknown
        at sun.security.ssl.Alert.createSSLException(Alert.java:131) ~[?:?]
        at sun.security.ssl.Alert.createSSLException(Alert.java:117) ~[?:?]
        at sun.security.ssl.TransportContext.fatal(TransportContext.java:337) ~[?:?]
        at sun.security.ssl.Alert$AlertConsumer.consume(Alert.java:293) ~[?:?]
        at sun.security.ssl.TransportContext.dispatch(TransportContext.java:186) ~[?:?]
        at sun.security.ssl.SSLTransport.decode(SSLTransport.java:171) ~[?:?]
        at sun.security.ssl.SSLEngineImpl.decode(SSLEngineImpl.java:681) ~[?:?]
        at sun.security.ssl.SSLEngineImpl.readRecord(SSLEngineImpl.java:636) ~[?:?]
        at sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:454) ~[?:?]
        at sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:433) ~[?:?]
        at javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:637) ~[?:?]
        at io.netty.handler.ssl.SslHandler$SslEngineType.unwrap(SslHandler.java:282) ~[PaperSpigot.jar:git-Paper-449]
        at io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1372) ~[PaperSpigot.jar:git-Paper-449]
        at io.netty.handler.ssl.SslHandler.decodeJdkCompatible(SslHandler.java:1267) ~[PaperSpigot.jar:git-Paper-449]
        at io.netty.handler.ssl.SslHandler.decode(SslHandler.java:1314) ~[PaperSpigot.jar:git-Paper-449]
        at io.netty.handler.codec.ByteToMessageDecoder.decodeRemovalReentryProtection(ByteToMessageDecoder.java:501) ~[PaperSpigot.jar:git-Paper-449]
        at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:440) ~[PaperSpigot.jar:git-Paper-449]
        ... 15 more

这让我相信我传递给 SslContextBuilder#forServer() 的参数是完全错误的。我目前只是传递 letsencrypt 为我生成的原始 cert.pem 和 privkey.pem 文件。

犯了一些愚蠢的错误:

首先,我的服务器仍然指向端口 80 (HTTP) 而不是 443 (HTTPS)。 另外,我传递 fullchain.pem 而不是 cert.pem 作为 #forServer 方法的第一个参数。

如简述所述,第一个错误是由于我的客户端试图通过 HTTP 而不是 HTTPS 发出请求