Self-signed certificates, Java, Hudson and JIRA

Published 2024-09-16 14:11:37


I'm trying to set up the Hudson JIRA plugin. Our JIRA server is secured with a self-signed SSL certificate. I've inserted the certificate my web browser has stored using the keytool command, and gotten Hudson to find it. But now it complains:

java.security.cert.CertificateException: No subject alternative names present

The common name of the certificate is "Unknown", and I do not see any subject alternative names in the certificate:

$ openssl x509 -in Unknown -text -noout
Certificate:
    Data:
        Version: 1 (0x0)
        Serial Number: 1214507595 (0x4863ea4b)
        Signature Algorithm: md5WithRSAEncryption
        Issuer: C=US, ST=NJ, L=[Our town], O=[Our company], OU=[Our project], CN=Unknown
        Validity
            Not Before: Jun 26 19:13:15 2008 GMT
            Not After : May  5 19:13:15 2018 GMT
        Subject: C=US, ST=NJ, L=[Our town], O=[Our company], OU=[Our project], CN=Unknown
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                [omitted]
    Signature Algorithm: md5WithRSAEncryption
        [omitted]

(Identifying info redacted and noted in brackets.)

Is there a way to attach a subject alternate name to this certificate? Or is there some other way? Or am I forced to hack the Hudson Jira plugin?


Comments (3)

梦醒灬来后我 2024-09-23 14:11:38


The hostname used to access your Jira server (e.g. jira.acme.com in https://jira.acme.com/) must either match one of the CN fields of the subject name or, when it doesn't, one of the Subject Alternative Names of the cert.

This is detailed in RFC 2818:

In some cases, the URI is specified as an IP address rather than a hostname. In this case, the iPAddress subjectAltName must be present in the certificate and must exactly match the IP in the URI.

In your case, Java is complaining because neither the CN ("Unknown") nor a Subject Alternative Name (since you have none) matched the hostname of your Jira server.

So, either generate a certificate with the appropriate CN, for example using keytool:

To create a keypair and self-signed certificate

$ keytool -genkey -alias jira_acme_com -keyalg RSA -keysize 2048 -validity 365 -keystore jira_acme_com.jks
Enter keystore password:  
Re-enter new password: 
What is your first and last name?
  [Unknown]:  jira.acme.com
What is the name of your organizational unit?
  [Unknown]:  Our project
What is the name of your organization?
  [Unknown]:  Our company
What is the name of your City or Locality?
  [Unknown]:  Our town
What is the name of your State or Province?
  [Unknown]:  NJ
What is the two-letter country code for this unit?
  [Unknown]:  US
Is CN=jira.acme.com, OU=Our project, O=Our company, L=Our town, ST=NJ, C=US correct?
  [no]:  y

Enter key password for 
        (RETURN if same as keystore password): 

To view the personal information

$ keytool -list -v -keystore jira_acme_com.jks 
Enter keystore password:  

Keystore type: JKS
Keystore provider: SUN

Your keystore contains 1 entry

Alias name: jira_acme_com
Creation date: Sep 4, 2010
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=jira.acme.com, OU=Our project, O=Our company, L=Our town, ST=NJ, C=US
Issuer: CN=jira.acme.com, OU=Our project, O=Our company, L=Our town, ST=NJ, C=US
Serial number: 4c81e9a9
Valid from: Sat Sep 04 10:39:37 CEST 2010 until: Sun Sep 04 10:39:37 CEST 2011
Certificate fingerprints:
     MD5:  15:6A:E3:14:E2:78:F4:95:41:E6:33:C9:F8:8B:64:23
     SHA1: CD:A6:9A:84:18:E8:62:50:2C:DC:2F:89:22:F6:BA:E9:1A:63:F6:C6
     Signature algorithm name: SHA1withRSA
     Version: 3

And set up Tomcat to use the keystore.

Or, if you want to create a multihomed certificate, you'll have to use OpenSSL (keytool cannot add X509 extensions such as Subject Alternative Name). These links are excellent resources:

Update: Given that you can't change the certificate (you really should have mentioned that), a temporary solution could be to change the local /etc/hosts file of the required machines to resolve Unknown to the real IP of the machine.

123.123.123.123    Unknown

So that you could access https://Unknown/ from these machines. But obviously, this is more a dirty hack than a real solution and doesn't scale.

Contacting the admins to get a real "good" certificate is still the real good solution.

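The matching rule the answer above describes (SAN is authoritative when present, CN is only a fallback, an IP literal needs an exact iPAddress SAN) as an added example, not code from the original post or from Java. The certificate is represented in the dict shape Python's `ssl.SSLSocket.getpeercert()` returns; both certificates below are constructed, the first mirroring the question's CN=Unknown with no SAN.

```python
import ipaddress

# Constructed certificates in the dict shape ssl.SSLSocket.getpeercert() returns.
# CERT_UNKNOWN mirrors the certificate from the question: CN=Unknown and no SAN.
CERT_UNKNOWN = {"subject": ((("commonName", "Unknown"),),)}
CERT_WITH_SAN = {
    "subject": ((("commonName", "Unknown"),),),
    "subjectAltName": (("DNS", "jira.acme.com"), ("IP Address", "123.123.123.123")),
}


def _dns_match(pattern, host):
    """Match one dNSName; a leading '*' covers exactly one left-most label."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == host
    p, h = pattern.split("."), host.split(".")
    # Same label count, at least two fixed labels (no '*.com'), tail identical.
    return len(p) == len(h) and len(p) > 2 and p[1:] == h[1:]


def matches_hostname(cert, host):
    """RFC 2818 check: SAN is authoritative when present; CN is only a fallback.

    Returns (ok, reason) so the caller can log why verification failed.
    """
    dns = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    ips = [v for k, v in cert.get("subjectAltName", ()) if k == "IP Address"]
    try:
        wanted_ip = ipaddress.ip_address(host)
    except ValueError:
        wanted_ip = None
    if wanted_ip is not None:
        # URI names the server by IP literal: only an exact iPAddress SAN counts; CN is ignored.
        if any(ipaddress.ip_address(v) == wanted_ip for v in ips):
            return True, "iPAddress subjectAltName matches"
        return False, "no iPAddress subjectAltName equals %s" % host
    if dns:
        # A dNSName SAN is present, so the CN must not be consulted at all.
        if any(_dns_match(p, host) for p in dns):
            return True, "dNSName subjectAltName matches"
        return False, "subjectAltName present but no dNSName matches %s" % host
    # No SAN at all: fall back to the most specific commonName.
    cns = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    if cns and _dns_match(cns[-1], host):
        return True, "commonName matches (legacy fallback, no SAN)"
    return False, "No subject alternative names present; CN %r != %s" % (cns[-1] if cns else None, host)
```

Running it against CERT_UNKNOWN shows why only the hostname "Unknown" (the /etc/hosts trick above) passes, and against CERT_WITH_SAN why a proper SAN makes the CN irrelevant.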

想你只要分分秒秒 2024-09-23 14:11:38


If I'm not mistaken, SSL requires that the common name of the certificate contain the hostname that you're attempting to connect to, that way the client side can validate that the certificate is not just trusted in general, but trusted for the location.

I'm assuming you're generating the certificate with OpenSSL. Is there a reason you're not setting the cn=[yourserver]?

It may be that when it cannot find the proper hostname in the common name, that the plug-in attempts to look for it in a subject alt name, and when that fails because there is no subjectAltName, you're getting a bad error message.

Anyway, if you're using this for multiple sites, you need to have the hostnames in the subjectAltName. I've found a site that documents how to create your self-signed cert properly.

http://library.linode.com/ssl-guides/subject-alt-name-ssl

Hope this helps.

娜些时光,永不杰束 2024-09-23 14:11:38


There are several possible solutions, each with its own set of pains.

  • Generate a new certificate for JIRA, this time specifying a CN when generating the secret key-pair for the certificate.

    I cannot see why a new certificate cannot be generated; I'm pretty sure that other clients of the JIRA server are also encountering some issues, especially warnings from browsers, for the described certificate. All clients (and client applications) must therefore be re-tested, but this is not a pain if the self-signed certificate has been issued by a local CA that is trusted by all clients.

  • Edit the DNS entries to ensure that the lookup of 'Unknown' from the Hudson server points to the server where JIRA is installed [I did remind someone that there are pains associated with some of the solutions :-) ]. This ensures that the value of the CN stored in the certificate matches the hostname - you'll need to configure Hudson to use a URL like http://Unknown/..... And oh, use this only if you're in a really tight spot; you don't want to be explaining why you did this.