无法连接到启用了 SSL 的 GCP 中的 Redis
Unable to connect to Redis in GCP which is SSL Enabled
我正在使用 Spring-boot-starter-redis 依赖关系连接到 Redis(下面是我从 gradle 依赖关系
中摘录的片段
dependencies {
implementation 'org.springframework.boot:spring-boot-starter-web'
implementation 'org.springframework.boot:spring-boot-starter-actuator'
implementation 'org.springframework.boot:spring-boot-starter-data-redis'
compileOnly 'org.projectlombok:lombok:1.18.20'
annotationProcessor 'org.projectlombok:lombok:1.18.20'
}
我现在要迁移到 GCP,GCP 中的 redis 启用了 SSL,因此,我以这种方式配置了我的 spring 属性
spring.redis.ssl=true
spring.redis.host=xxxxxx
spring.redis.port=6378
当我禁用 ssl 时,它工作得很好。但是当我启用它时,我得到以下错误..有没有办法在 Spring 配置中注入 PEM 证书?
[Request processing failed; nested exception is org.springframework.data.redis.RedisConnectionFailureException: Unable to connect to Redis; nested exception is io.lettuce.core.RedisConnectionException: Unable to connect to xx.xx.xx.xx:6378] with root cause
sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at java.base/sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141) ~[na:na]
at java.base/sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126) ~[na:na]
at java.base/java.security.cert.CertPathBuilder.build(CertPathBuilder.java:297) ~[na:na]
at java.base/sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:434) ~[na:na]
at java.base/sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:306) ~[na:na]
at java.base/sun.security.validator.Validator.validate(Validator.java:264) ~[na:na]
at java.base/sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:313) ~[na:na]
at java.base/sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:276) ~[na:na]
at java.base/sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:141) ~[na:na]
at java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.checkServerCerts(CertificateMessage.java:1334) ~[na:na]
at java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.onConsumeCertificate(CertificateMessage.java:1231) ~[na:na]
at java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.consume(CertificateMessage.java:1174) ~[na:na]
at java.base/sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:392) ~[na:na]
at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:443) ~[na:na]
at java.base/sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction.run(SSLEngineImpl.java:1074) ~[na:na]
at java.base/sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction.run(SSLEngineImpl.java:1061) ~[na:na]
at java.base/java.security.AccessController.doPrivileged(Native Method) ~[na:na]
at java.base/sun.security.ssl.SSLEngineImpl$DelegatedTask.run(SSLEngineImpl.java:1008) ~[na:na]
请帮忙
我是这样解决的
spring-boot-starter-data-redis 依赖默认使用 Lettuce- 要通过 ssl 连接到 Redis
spring.redis.ssl=true 属性 需要启用。
- 如果证书的 CA 是唯一的并且不是 Java 的 JKS 的一部分,那么您有两个选择,将密钥导入 JKS 或禁用 [=13=]
中给出的内容
For example, Lettuce is a popular Java client for Redis. Their documentation provides an example for connecting natively with TLS (see Example 47). Given that the Java Security Manager does not allow self-signed certificates by default, an additional option needs to be specified in the Redis URI construction .withVerifyPeer(false)
我禁用了 SSL Verification。连接仍将通过 SSL 进行,但仅验证我通过配置一个 bean 禁用了它。
我也不担心 man-in-the-middle-attack,因为我的 Redis 只暴露给我的 GKE 集群。所以这个解决方案对我来说很好
@Configuration
public class RedisSSLConfiguration {
@Bean
@ConditionalOnProperty("spring.redis.ssl")
public LettuceClientConfigurationBuilderCustomizer builderCustomizer() {
return builder -> builder.useSsl().disablePeerVerification();
}
}
我正在使用 Spring-boot-starter-redis 依赖关系连接到 Redis(下面是我从 gradle 依赖关系
dependencies {
implementation 'org.springframework.boot:spring-boot-starter-web'
implementation 'org.springframework.boot:spring-boot-starter-actuator'
implementation 'org.springframework.boot:spring-boot-starter-data-redis'
compileOnly 'org.projectlombok:lombok:1.18.20'
annotationProcessor 'org.projectlombok:lombok:1.18.20'
}
我现在要迁移到 GCP,GCP 中的 redis 启用了 SSL,因此,我以这种方式配置了我的 spring 属性
spring.redis.ssl=true
spring.redis.host=xxxxxx
spring.redis.port=6378
当我禁用 ssl 时,它工作得很好。但是当我启用它时,我得到以下错误..有没有办法在 Spring 配置中注入 PEM 证书?
[Request processing failed; nested exception is org.springframework.data.redis.RedisConnectionFailureException: Unable to connect to Redis; nested exception is io.lettuce.core.RedisConnectionException: Unable to connect to xx.xx.xx.xx:6378] with root cause
sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at java.base/sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141) ~[na:na]
at java.base/sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126) ~[na:na]
at java.base/java.security.cert.CertPathBuilder.build(CertPathBuilder.java:297) ~[na:na]
at java.base/sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:434) ~[na:na]
at java.base/sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:306) ~[na:na]
at java.base/sun.security.validator.Validator.validate(Validator.java:264) ~[na:na]
at java.base/sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:313) ~[na:na]
at java.base/sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:276) ~[na:na]
at java.base/sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:141) ~[na:na]
at java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.checkServerCerts(CertificateMessage.java:1334) ~[na:na]
at java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.onConsumeCertificate(CertificateMessage.java:1231) ~[na:na]
at java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.consume(CertificateMessage.java:1174) ~[na:na]
at java.base/sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:392) ~[na:na]
at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:443) ~[na:na]
at java.base/sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction.run(SSLEngineImpl.java:1074) ~[na:na]
at java.base/sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction.run(SSLEngineImpl.java:1061) ~[na:na]
at java.base/java.security.AccessController.doPrivileged(Native Method) ~[na:na]
at java.base/sun.security.ssl.SSLEngineImpl$DelegatedTask.run(SSLEngineImpl.java:1008) ~[na:na]
请帮忙
我是这样解决的
spring-boot-starter-data-redis依赖默认使用 Lettuce- 要通过 ssl 连接到 Redis
spring.redis.ssl=true属性 需要启用。 - 如果证书的 CA 是唯一的并且不是 Java 的 JKS 的一部分,那么您有两个选择,将密钥导入 JKS 或禁用 [=13=]
For example, Lettuce is a popular Java client for Redis. Their documentation provides an example for connecting natively with TLS (see Example 47). Given that the Java Security Manager does not allow self-signed certificates by default, an additional option needs to be specified in the Redis URI construction
.withVerifyPeer(false)
我禁用了 SSL Verification。连接仍将通过 SSL 进行,但仅验证我通过配置一个 bean 禁用了它。
我也不担心 man-in-the-middle-attack,因为我的 Redis 只暴露给我的 GKE 集群。所以这个解决方案对我来说很好
@Configuration
public class RedisSSLConfiguration {
@Bean
@ConditionalOnProperty("spring.redis.ssl")
public LettuceClientConfigurationBuilderCustomizer builderCustomizer() {
return builder -> builder.useSsl().disablePeerVerification();
}
}