Netty: terminate TLS using a Kubernetes certificate

I am trying to terminate TLS in a Netty web server running in a Kubernetes cluster.

I am using cert-manager to manage the certificate for my website.

Here is the output of kubectl get secret websitesslcert-staging -o yaml:

apiVersion: v1
data:
  tls.crt: REDACTED=
  tls.key: REDACTED=
kind: Secret
metadata:
  annotations:
    cert-manager.io/alt-names: mysite.com
    cert-manager.io/certificate-name: websitesslcert-staging
    cert-manager.io/common-name: mysite.com
    cert-manager.io/ip-sans: ""
    cert-manager.io/issuer-group: cert-manager.io
    cert-manager.io/issuer-kind: ClusterIssuer
    cert-manager.io/issuer-name: letsencrypt-staging
    cert-manager.io/uri-sans: ""
  creationTimestamp: "2021-10-17T00:00:00Z"
  name: websitesslcert-staging
  namespace: default
  resourceVersion: "123456"
  uid: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
type: kubernetes.io/tls

The kubernetes.io/tls format is described in the Kubernetes docs as follows:

The public/private key pair must exist beforehand. The public key certificate for --cert must be .PEM encoded (Base64-encoded DER format), and match the given private key for --key. The private key must be in what is commonly called PEM private key format, unencrypted. In both cases, the initial and the last lines from PEM (for example, --------BEGIN CERTIFICATE----- and -------END CERTIFICATE---- for a certificate) are not included.

I have a Java (Netty) application that must terminate TLS. Locally I can copy the secret ("tls.crt" and "tls.key") and write them to files, but I cannot use them in my local Netty 4 server to accept TLS connections.

 ChannelPipeline p = channel.pipeline();
 // forServer(File keyCertChainFile, File keyFile): the certificate (chain) file comes first,
 // the unencrypted private key file second; both must contain PEM blocks, not bare base64 text
 SslContext sslCtx = SslContextBuilder.forServer(tlsCertFile, tlsKeyFile).build();
 p.addLast("ssl", sslCtx.newHandler(channel.alloc()));

results in the error:

Execution error (CertificateException) at io.netty.handler.ssl.PemReader/readCertificates (PemReader.java:98).
found no certificates in input stream

Adding -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- to the file results in

Execution error (CertificateParsingException) at sun.security.x509.X509CertImpl/parse (X509CertImpl.java:1826).
signed overrun, bytes = 919

How should I handle this so that Netty can read my certificate?

It turns out that the certificate in the yaml output is base64 encoded. base64 --decode shows the file contents.
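As an added example (not code from the question or the answer above), the POSIX shell script below pulls tls.crt and tls.key out of a kubernetes.io/tls Secret manifest, base64-decodes each value exactly once, and checks the resulting files before they are handed to SslContextBuilder.forServer(). It also reproduces the two broken states from the question: the raw data value written straight to a file (no PEM headers, so Netty's PemReader finds no certificate) and that same raw value wrapped by hand in BEGIN/END CERTIFICATE lines (a PEM body that decodes to text rather than DER, which Java's X.509 parser rejects). The function names (extract_field, decode_field, pem_kind, still_encoded, body_is_der) are this example's own, the manifest is constructed inline from placeholder bytes rather than a real key pair, and the script assumes a base64 that accepts -d (GNU coreutils; older macOS spells it -D) plus awk, sed and od.

```shell
#!/bin/sh
# Added example, not code from the original question or answer.
# Extracts tls.crt / tls.key from a kubernetes.io/tls Secret manifest,
# decodes each value once, and checks what the files actually contain.
# The manifest is constructed below from placeholder bytes (not a real key pair).

# extract_field <manifest> <field>: print the raw base64 value of data.<field>
extract_field() {
    awk -v k="$2:" '$1 == k { print $2; exit }' "$1"
}

# decode_field <manifest> <field> <outfile>: decode the value exactly once
decode_field() {
    extract_field "$1" "$2" | base64 -d > "$3"
}

# pem_kind <file>: print the label of the first PEM block, or "none"
pem_kind() {
    sed -n 's/^-----BEGIN \(.*\)-----$/\1/p' "$1" | head -n 1 | grep . || echo none
}

# still_encoded <file>: succeed when the file is still the undecoded Secret value.
# Decoding it yields a PEM block; the file itself has no headers, which is the
# state behind "found no certificates in input stream".
still_encoded() {
    base64 -d "$1" 2>/dev/null | grep -q '^-----BEGIN '
}

# body_is_der <file>: succeed when the base64 body between the PEM headers decodes
# to DER (an ASN.1 SEQUENCE, first byte 0x30). Wrapping the undecoded value in
# BEGIN/END CERTIFICATE lines gives a body that decodes to text instead, which is
# what the "signed overrun" parse error reports.
body_is_der() {
    first=$(sed -e '/^-----BEGIN /d' -e '/^-----END /d' "$1" | base64 -d 2>/dev/null \
        | od -An -tx1 | awk '{ print $1; exit }')
    [ "$first" = "30" ]
}

WORKDIR=$(mktemp -d)

# Constructed placeholders: each body starts with a DER SEQUENCE header byte (0x30)
# so the structural checks behave as they would on a real certificate and key.
crt_body=$(printf '0\202\001\001placeholder-not-a-real-certificate' | base64 | tr -d '\n')
key_body=$(printf '0\202\001\001placeholder-not-a-real-key' | base64 | tr -d '\n')
crt_pem=$(printf -- '-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----' "$crt_body")
key_pem=$(printf -- '-----BEGIN PRIVATE KEY-----\n%s\n-----END PRIVATE KEY-----' "$key_body")

# What "kubectl get secret ... -o yaml" shows: PEM, base64-encoded once more as a YAML value
cat > "$WORKDIR/secret.yaml" <<EOF
apiVersion: v1
kind: Secret
type: kubernetes.io/tls
metadata:
  name: websitesslcert-staging
data:
  tls.crt: $(printf '%s\n' "$crt_pem" | base64 | tr -d '\n')
  tls.key: $(printf '%s\n' "$key_pem" | base64 | tr -d '\n')
EOF

# The mistake from the question: the raw value written straight to a file ...
extract_field "$WORKDIR/secret.yaml" tls.crt > "$WORKDIR/raw.crt"
# ... and the same value wrapped in PEM headers by hand
{ echo '-----BEGIN CERTIFICATE-----'; cat "$WORKDIR/raw.crt"; echo '-----END CERTIFICATE-----'; } > "$WORKDIR/wrapped.crt"
# The fix: decode once, then pass tls.crt (cert chain) and tls.key (key) to Netty in that order
decode_field "$WORKDIR/secret.yaml" tls.crt "$WORKDIR/tls.crt"
decode_field "$WORKDIR/secret.yaml" tls.key "$WORKDIR/tls.key"

for f in raw.crt wrapped.crt tls.crt tls.key; do
    printf '%-12s kind=%s' "$f" "$(pem_kind "$WORKDIR/$f")"
    still_encoded "$WORKDIR/$f" && printf ' still-base64'
    body_is_der "$WORKDIR/$f" && printf ' body-is-der'
    echo
done
```

Against a live cluster the hand parsing is unnecessary: kubectl get secret websitesslcert-staging -o jsonpath='{.data.tls\.crt}' | base64 -d writes the PEM directly. Inside a Pod the decoding step disappears altogether, because a Secret mounted as a volume presents tls.crt and tls.key as already-decoded files that Netty can open as-is.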