
I generated certificates with the gen_tlcp_certs.sh script, but the certificates still cannot be used; the ssl command used the latest openssl rather than Tongsuo; must Tongsuo be used? #805

Open
yangmen opened this issue Jun 27, 2024 · 12 comments
Labels: question (Further information is requested)

Comments

yangmen commented Jun 27, 2024

com.tencent.kona.sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target (
"throwable" : {
  com.tencent.kona.sun.security.validator.ValidatorException: PKIX path building failed: com.tencent.kona.sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
  	at com.tencent.kona.sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:391)
  	at com.tencent.kona.sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:245)
  	at com.tencent.kona.sun.security.validator.Validator.validate(Validator.java:256)
  	at com.tencent.kona.sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:286)
  	at com.tencent.kona.sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:145)
  	at com.tencent.kona.sun.security.ssl.TLCPCertificate$TLCPCertificateConsumer.checkServerCerts(TLCPCertificate.java:729)
  	at com.tencent.kona.sun.security.ssl.TLCPCertificate$TLCPCertificateConsumer.onCertificate(TLCPCertificate.java:499)
  	at com.tencent.kona.sun.security.ssl.TLCPCertificate$TLCPCertificateConsumer.consume(TLCPCertificate.java:388)
  	at com.tencent.kona.sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:424)
  	at com.tencent.kona.sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:502)
  	at com.tencent.kona.sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction.run(SSLEngineImpl.java:1277)
  	at com.tencent.kona.sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction.run(SSLEngineImpl.java:1263)
  	at java.security.AccessController.doPrivileged(Native Method)
  	at com.tencent.kona.sun.security.ssl.SSLEngineImpl$DelegatedTask.run(SSLEngineImpl.java:1208)
  	at io.netty.handler.ssl.SslHandler.runDelegatedTasks(SslHandler.java:1651)
  	at io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1497)
  	at io.netty.handler.ssl.SslHandler.decodeJdkCompatible(SslHandler.java:1338)
  	at io.netty.handler.ssl.SslHandler.decode(SslHandler.java:1387)
  	at io.netty.handler.codec.ByteToMessageDecoder.decodeRemovalReentryProtection(ByteToMessageDecoder.java:529)
  	at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:468)
  	at io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:290)
  	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:444)
  	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:420)
  	at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:412)
  	at io.netty.channel.DefaultChannelPipeline$HeadContext.channelRead(DefaultChannelPipeline.java:1410)
  	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:440)
  	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:420)
  	at io.netty.channel.DefaultChannelPipeline.fireChannelRead(DefaultChannelPipeline.java:919)
  	at io.netty.channel.nio.AbstractNioByteChannel$NioByteUnsafe.read(AbstractNioByteChannel.java:166)
  	at io.netty.channel.nio.NioEventLoop.processSelectedKey(NioEventLoop.java:788)
  	at io.netty.channel.nio.NioEventLoop.processSelectedKeysOptimized(NioEventLoop.java:724)
  	at io.netty.channel.nio.NioEventLoop.processSelectedKeys(NioEventLoop.java:650)
  	at io.netty.channel.nio.NioEventLoop.run(NioEventLoop.java:562)
  	at io.netty.util.concurrent.SingleThreadEventExecutor$4.run(SingleThreadEventExecutor.java:997)
  	at io.netty.util.internal.ThreadExecutorMap$2.run(ThreadExecutorMap.java:74)
  	at io.netty.util.concurrent.FastThreadLocalRunnable.run(FastThreadLocalRunnable.java:30)
  	at java.lang.Thread.run(Thread.java:750)
  Caused by: com.tencent.kona.sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
  	at com.tencent.kona.sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:148)
  	at com.tencent.kona.sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:129)
  	at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280)
  	at com.tencent.kona.sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:386)
  	... 36 more}

)
com.tencent.kona.ssl|ALL|D0|nioEventLoopGroup-2-1|2024-06-27 18:37:49.753 CST|SSLSessionImpl.java:1268|Invalidated session:  Session(1719484669414|SSL_NULL_WITH_NULL_NULL)
com.tencent.kona.ssl|ALL|D0|nioEventLoopGroup-2-1|2024-06-27 18:37:49.754 CST|SSLSessionImpl.java:1268|Invalidated session:  Session(1719484669703|TLCP_ECC_SM4_GCM_SM3)
com.tencent.kona.ssl|WARNING|D0|nioEventLoopGroup-2-1|2024-06-27 18:37:49.754 CST|SSLEngineOutputRecord.java:182|outbound has closed, ignore outbound application data
com.tencent.kona.ssl|FINE|D0|nioEventLoopGroup-2-1|2024-06-27 18:37:49.755 CST|SSLEngineOutputRecord.java:530|WRITE: TLCPv1.1 alert, length = 2
com.tencent.kona.ssl|FINE|D0|nioEventLoopGroup-2-1|2024-06-27 18:37:49.755 CST|SSLEngineOutputRecord.java:551|Raw write (
  0000: 15 01 01 00 02 02 2E                               .......
)
[nioEventLoopGroup-2-1] WARN io.netty.channel.DefaultChannelPipeline - An exceptionCaught() event was fired, and it reached at the tail of the pipeline. It usually means the last handler in the pipeline did not handle the exception.
io.netty.handler.codec.DecoderException: javax.net.ssl.SSLHandshakeException: (certificate_unknown) PKIX path building failed: com.tencent.kona.sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
	at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:499)
	at io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:290)
	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:444)
	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:420)
	at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:412)
	at io.netty.channel.DefaultChannelPipeline$HeadContext.channelRead(DefaultChannelPipeline.java:1410)
	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:440)
	at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:420)
	at io.netty.channel.DefaultChannelPipeline.fireChannelRead(DefaultChannelPipeline.java:919)
	at io.netty.channel.nio.AbstractNioByteChannel$NioByteUnsafe.read(AbstractNioByteChannel.java:166)
	at io.netty.channel.nio.NioEventLoop.processSelectedKey(NioEventLoop.java:788)
	at io.netty.channel.nio.NioEventLoop.processSelectedKeysOptimized(NioEventLoop.java:724)
	at io.netty.channel.nio.NioEventLoop.processSelectedKeys(NioEventLoop.java:650)
	at io.netty.channel.nio.NioEventLoop.run(NioEventLoop.java:562)
	at io.netty.util.concurrent.SingleThreadEventExecutor$4.run(SingleThreadEventExecutor.java:997)
	at io.netty.util.internal.ThreadExecutorMap$2.run(ThreadExecutorMap.java:74)
	at io.netty.util.concurrent.FastThreadLocalRunnable.run(FastThreadLocalRunnable.java:30)
	at java.lang.Thread.run(Thread.java:750)
Caused by: javax.net.ssl.SSLHandshakeException: (certificate_unknown) PKIX path building failed: com.tencent.kona.sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
	at com.tencent.kona.sun.security.ssl.Alert.createSSLException(Alert.java:131)
	at com.tencent.kona.sun.security.ssl.TransportContext.fatal(TransportContext.java:378)
	at com.tencent.kona.sun.security.ssl.TransportContext.fatal(TransportContext.java:321)
	at com.tencent.kona.sun.security.ssl.TransportContext.fatal(TransportContext.java:316)
	at com.tencent.kona.sun.security.ssl.TLCPCertificate$TLCPCertificateConsumer.checkServerCerts(TLCPCertificate.java:751)
	at com.tencent.kona.sun.security.ssl.TLCPCertificate$TLCPCertificateConsumer.onCertificate(TLCPCertificate.java:499)
	at com.tencent.kona.sun.security.ssl.TLCPCertificate$TLCPCertificateConsumer.consume(TLCPCertificate.java:388)
	at com.tencent.kona.sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:424)
	at com.tencent.kona.sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:502)
	at com.tencent.kona.sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction.run(SSLEngineImpl.java:1277)
	at com.tencent.kona.sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction.run(SSLEngineImpl.java:1263)
	at java.security.AccessController.doPrivileged(Native Method)
	at com.tencent.kona.sun.security.ssl.SSLEngineImpl$DelegatedTask.run(SSLEngineImpl.java:1208)
	at io.netty.handler.ssl.SslHandler.runDelegatedTasks(SslHandler.java:1651)
	at io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1497)
	at io.netty.handler.ssl.SslHandler.decodeJdkCompatible(SslHandler.java:1338)
	at io.netty.handler.ssl.SslHandler.decode(SslHandler.java:1387)
	at io.netty.handler.codec.ByteToMessageDecoder.decodeRemovalReentryProtection(ByteToMessageDecoder.java:529)
	at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:468)
	... 17 more
Caused by: com.tencent.kona.sun.security.validator.ValidatorException: PKIX path building failed: com.tencent.kona.sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
	at com.tencent.kona.sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:391)
	at com.tencent.kona.sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:245)
	at com.tencent.kona.sun.security.validator.Validator.validate(Validator.java:256)
	at com.tencent.kona.sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:286)
	at com.tencent.kona.sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:145)
	at com.tencent.kona.sun.security.ssl.TLCPCertificate$TLCPCertificateConsumer.checkServerCerts(TLCPCertificate.java:729)
	... 31 more
Caused by: com.tencent.kona.sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
	at com.tencent.kona.sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:148)
	at com.tencent.kona.sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:129)
	at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280)
	at com.tencent.kona.sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:386)
	... 36 more

Uploading tlcp-server-crt.zip…
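The handshake trace above fails inside the client's trust manager: PKIXValidator.doBuild hands the server's TLCP certificate to CertPathBuilder, which cannot connect it to any trust anchor, and the client answers with a certificate_unknown alert. The same path-building step can be run offline, without Netty or a handshake, to see whether a generated certificate set chains to the CA the client trusts. The following is an added diagnostic, not code from the issue or from the Kona project; it uses the standard JDK PKIX API, registers com.tencent.kona.KonaProvider so SM2-signed certificates can be verified (the provider class name is an assumption about the kona-provider module), and the file names on the command line are placeholders, not the names the script actually writes. A TLCP server presents a signing certificate and an encryption certificate, so both are checked against the CA.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.Security;
import java.security.cert.CertPathBuilder;
import java.security.cert.CertPathBuilderException;
import java.security.cert.CertStore;
import java.security.cert.CertificateFactory;
import java.security.cert.CollectionCertStoreParameters;
import java.security.cert.PKIXBuilderParameters;
import java.security.cert.PKIXCertPathBuilderResult;
import java.security.cert.TrustAnchor;
import java.security.cert.X509CertSelector;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.HashSet;
import java.util.List;
import java.util.Set;

import com.tencent.kona.KonaProvider; // assumed provider class from kona-provider

/**
 * Offline re-run of the path-building step the TLCP client performs in the
 * handshake: build a PKIX path from each server certificate to a trust anchor.
 *
 * Usage (placeholder file names, not the real output of gen_tlcp_certs.sh):
 *   java TlcpChainCheck ca.crt server-sign.crt server-enc.crt [intermediate.crt ...]
 */
public class TlcpChainCheck {

    public static void main(String[] args) throws Exception {
        if (args.length < 3) {
            System.err.println("usage: TlcpChainCheck <trusted-ca.crt> <sign.crt> <enc.crt> [intermediate.crt ...]");
            System.exit(2);
        }
        // Kona must be registered so the SM2/SM3 signatures on the certificates can be verified.
        Security.insertProviderAt(new KonaProvider(), 1);

        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        X509Certificate ca = load(cf, args[0]);
        X509Certificate signCert = load(cf, args[1]);
        X509Certificate encCert = load(cf, args[2]);
        List<X509Certificate> intermediates = new ArrayList<>();
        for (int i = 3; i < args.length; i++) {
            intermediates.add(load(cf, args[i]));
        }

        boolean ok = check("sign", ca, signCert, intermediates);
        ok &= check("enc", ca, encCert, intermediates);
        System.exit(ok ? 0 : 1);
    }

    static X509Certificate load(CertificateFactory cf, String path) throws Exception {
        try (InputStream in = new FileInputStream(path)) {
            return (X509Certificate) cf.generateCertificate(in);
        }
    }

    /** Returns true when a PKIX path from leaf to the anchor can be built. */
    static boolean check(String label, X509Certificate anchor, X509Certificate leaf,
                         List<X509Certificate> intermediates) {
        try {
            Set<TrustAnchor> anchors = new HashSet<>();
            anchors.add(new TrustAnchor(anchor, null));

            X509CertSelector target = new X509CertSelector();
            target.setCertificate(leaf);

            PKIXBuilderParameters params = new PKIXBuilderParameters(anchors, target);
            // Test CAs from a generator script publish no CRL/OCSP; keep this check about the chain only.
            params.setRevocationEnabled(false);
            List<X509Certificate> pool = new ArrayList<>(intermediates);
            pool.add(leaf);
            params.addCertStore(CertStore.getInstance("Collection", new CollectionCertStoreParameters(pool)));

            PKIXCertPathBuilderResult result =
                    (PKIXCertPathBuilderResult) CertPathBuilder.getInstance("PKIX").build(params);
            System.out.println(label + ": path OK, anchored at "
                    + result.getTrustAnchor().getTrustedCert().getSubjectX500Principal());
            return true;
        } catch (CertPathBuilderException e) {
            // Same exception the handshake reported; print the fields that usually explain it.
            System.out.println(label + ": " + e.getMessage());
            System.out.println("  leaf issuer  : " + leaf.getIssuerX500Principal());
            System.out.println("  anchor subject: " + anchor.getSubjectX500Principal());
            System.out.println("  leaf sig alg  : " + leaf.getSigAlgName());
            return false;
        } catch (Exception e) {
            System.out.println(label + ": " + e);
            return false;
        }
    }
}
```

If this reports "unable to find valid certification path" for a certificate that the server is presenting, the client's trust store does not contain the CA that actually signed it (or a needed intermediate is missing), and the handshake will fail the same way regardless of which tool generated the files; comparing the printed leaf issuer with the anchor subject is the quickest way to spot a mismatch.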

johnshajiang (Collaborator) commented

Your certificate did not upload successfully.

johnshajiang (Collaborator) commented

I suggest testing your certificates with Tongsuo's s_server and s_client first.

@johnshajiang johnshajiang self-assigned this Jun 27, 2024
@johnshajiang johnshajiang added the question Further information is requested label Jun 27, 2024
yangmen (Author) commented Jun 28, 2024

Hello, these are all the certificates I generated:
tlcp-crt.zip

johnshajiang (Collaborator) commented

That is a lot of certificates; how exactly are you using them?

Also, if this is only for testing, there is no need to regenerate certificates.
You can simply use the test certificates in the repository.

yangmen (Author) commented Jun 28, 2024

Hello, when I used certificates generated by Tongsuo it worked; must Tongsuo be used? The certificates I uploaded were generated with openssl; they should be usable.
One more question: can kona keytool generate TLCP certificates? Could you give an example?

johnshajiang (Collaborator) commented

> Hello, when I used certificates generated by Tongsuo it worked; must Tongsuo be used? The certificates I uploaded were generated with openssl; they should be usable.

I also usually use Tongsuo to generate test certificates.

> One more question: can kona keytool generate TLCP certificates? Could you give an example?

By kona keytool, do you mean com.tencent.kona.pkix.tool.KeyTool?

yangmen (Author) commented Jun 28, 2024

> > Hello, when I used certificates generated by Tongsuo it worked; must Tongsuo be used? The certificates I uploaded were generated with openssl; they should be usable.
>
> I also usually use Tongsuo to generate test certificates.
>
> > One more question: can kona keytool generate TLCP certificates? Could you give an example?
>
> By kona keytool, do you mean com.tencent.kona.pkix.tool.KeyTool?

Yes.

yangmen (Author) commented Jun 28, 2024

> That is a lot of certificates; how exactly are you using them?
>
> Also, if this is only for testing, there is no need to regenerate certificates. You can simply use the test certificates in the repository.

They were generated with the gen_tlcp_certs.sh script from your project examples and are used on the netty client and server sides.

johnshajiang (Collaborator) commented

> They were generated with the gen_tlcp_certs.sh script from your project examples and are used on the netty client and server sides.

My own tests have no problem with that.

yangmen (Author) commented Jun 28, 2024

> > > Hello, when I used certificates generated by Tongsuo it worked; must Tongsuo be used? The certificates I uploaded were generated with openssl; they should be usable.
> >
> > I also usually use Tongsuo to generate test certificates.
> >
> > > One more question: can kona keytool generate TLCP certificates? Could you give an example?
> >
> > By kona keytool, do you mean com.tencent.kona.pkix.tool.KeyTool?
>
> Yes.

Can the keytool in kona generate TLCP certificates? Is there a concrete example?

johnshajiang (Collaborator) commented

You can refer to KeyToolTest.java.

johnshajiang (Collaborator) commented

@yangmen
Has your problem been resolved?
If it has, please close this issue.
If you have a new problem, feel free to open a new issue.

Also, if you find this project useful, please give it a star ;-)
