Self-signed certificate, Java, Hudson and JIRA
I'm trying to set up the Hudson JIRA plugin. Our JIRA server is secured with a self-signed SSL certificate. I've inserted the certificate my web browser has stored using the keytool command, and gotten Hudson to find it. But now it complains:
java.security.cert.CertificateException: No subject alternative names present
The common name of the certificate is "Unknown", and I do not see any subject alternative names in the certificate:
$ openssl x509 -in Unknown -text -noout
Certificate:
    Data:
        Version: 1 (0x0)
        Serial Number: 1214507595 (0x4863ea4b)
        Signature Algorithm: md5WithRSAEncryption
        Issuer: C=US, ST=NJ, L=[Our town], O=[Our company], OU=[Our project], CN=Unknown
        Validity
            Not Before: Jun 26 19:13:15 2008 GMT
            Not After : May 5 19:13:15 2018 GMT
        Subject: C=US, ST=NJ, L=[Our town], O=[Our company], OU=[Our project], CN=Unknown
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                [omitted]
    Signature Algorithm: md5WithRSAEncryption
        [omitted]
(Identifying info redacted and noted in brackets.)
Is there a way to attach a subject alternate name to this certificate? Or is there some other way? Or am I forced to hack the Hudson Jira plugin?
The hostname used to access your Jira server (e.g. jira.acme.com in https://jira.acme.com/) must either match one of the CN fields of the subject name or, when it doesn't, one of the Subject Alternative Names of the cert. This is detailed in RFC 2818:
In your case, Java is complaining because neither the CN ("Unknown") nor a Subject Alternative Name (since you have none) matched the hostname of your Jira server. So, either generate a certificate with the appropriate CN, for example using keytool:
To create a keypair and self-signed certificate
To view the personal information
And set up Tomcat to use the keystore.
Or, if you want to create a multihomed certificate, you'll have to use OpenSSL (keytool cannot add X509 extensions such as Subject Alternative Name). These links are excellent resources:
Update: Given that you can't change the certificate (you really should have mentioned that), a temporary solution could be to change the local /etc/hosts file of the required machines to resolve Unknown to the real IP of the machine, so that you could access https://Unknown/ from these machines. But obviously, this is more a dirty hack than a real solution and doesn't scale.
Contacting the admins to get a real "good" certificate is still the real good solution.
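To make the matching rule in this answer concrete, here is an added example (not code from the answer, Hudson or RFC 2818 itself) that applies the RFC 2818 section 3.1 identity checks to simplified certificate data: a dict standing in for the certificate in the question (CN=Unknown, no SAN) and a hypothetical corrected one. It goes slightly beyond the answer by also covering a URL that uses an IP literal, which RFC 2818 says must match an iPAddress SAN and never falls back to the CN; the certificate dicts, hostnames and IP addresses are all constructed.

```python
import ipaddress
from typing import Tuple

# Constructed stand-ins for parsed X.509 data: "cn" is the subject CN,
# "dns" the dNSName SAN entries and "ip" the iPAddress SAN entries.
JIRA_CERT_FROM_QUESTION = {"cn": "Unknown", "dns": [], "ip": []}
FIXED_CERT = {  # hypothetical replacement certificate, values made up
    "cn": "jira.acme.com",
    "dns": ["jira.acme.com", "*.acme.com"],
    "ip": ["10.0.0.5"],
}


def _dns_match(pattern: str, host: str) -> bool:
    """Case-insensitive dNSName match; '*' only as the whole leftmost label."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    # a wildcard covers exactly one label: *.acme.com matches wiki.acme.com
    # but neither acme.com nor deep.wiki.acme.com
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def verify_hostname(cert: dict, host: str) -> Tuple[bool, str]:
    """Apply the RFC 2818 section 3.1 identity rules; return (ok, reason)."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    if ip is not None:
        # IP literal in the URL: only an iPAddress SAN counts, the CN is never used
        if not cert["ip"]:
            return False, "No subject alternative names present"
        if any(ipaddress.ip_address(x) == ip for x in cert["ip"]):
            return True, "matched iPAddress SAN"
        return False, f"No subject alternative IP matching {host}"
    if cert["dns"]:
        # dNSName SANs present: they are authoritative and the CN is ignored
        if any(_dns_match(p, host) for p in cert["dns"]):
            return True, "matched dNSName SAN"
        return False, f"No subject alternative DNS name matching {host}"
    # no dNSName SAN at all: fall back to the CN, as the answer describes
    if _dns_match(cert["cn"], host):
        return True, "matched CN fallback"
    return False, f"No name matching {host} found (CN={cert['cn']})"
```

Running the question's certificate against the literal hostname Unknown succeeds through the CN fallback, which is exactly why the /etc/hosts workaround in the update works and why it stops working for any real hostname.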
If I'm not mistaken, SSL requires that the common name of the certificate contain the hostname that you're attempting to connect to, that way the client side can validate that the certificate is not just trusted in general, but trusted for the location.
I'm assuming you're generating the certificate with OpenSSL. Is there a reason you're not setting the cn=[yourserver]? It may be that when it cannot find the proper hostname in the common name, the plug-in attempts to look for it in a subject alt name, and when that fails because there is no subjectAltName, you're getting a bad error message.
Anyway, if you're using this for multiple sites, you need to have the hostnames in the subjectAltName. I've found a site that documents how to create your self-signed cert properly.
http://library.linode.com/ssl-guides/subject-alt-name-ssl
Hope this helps.
There are several possible solutions, each with its own set of pains.
Generate a new certificate for JIRA, this time specifying a CN when generating the secret key-pair for the certificate.
I cannot see why a new certificate cannot be generated; I'm pretty sure that other clients to the JIRA server are also encountering some issues, especially warnings from browsers, for the described certificate. All clients (and client applications) must therefore be re-tested, but this is not a pain, if the self-signed certificate has been issued by a local CA that is trusted by all clients.
http://Unknown/....
. And oh, use this only if you're in a really tight spot; you don't want to be explaining why you did this.