个人网站备案说明,优秀网页设计作品网站,网站建设实验代码,如何办好公司网站minio sdk使用自签名https证书错误处理 1.问题描述1.1 报错日志1.2 maven 依赖配置1.3 当前spring MinioClient配置 2.问题分析3.问题解决3.1 使用受信任的证书3.2 忽略证书验证3.2.1 minio客户端3.2.2 minio sdk 忽略证书验证3.2.2.1 拓展: 补充minioclient请求日志 4. 问题总… minio sdk使用自签名https证书错误处理 1.问题描述1.1 报错日志1.2 maven 依赖配置1.3 当前spring MinioClient配置 2.问题分析3.问题解决3.1 使用受信任的证书3.2 忽略证书验证3.2.1 minio客户端3.2.2 minio sdk 忽略证书验证3.2.2.1 拓展: 补充minioclient请求日志 4. 问题总结5.附录 1.问题描述
minio 8.4.4 使用自签名的https的api连接会报错证书错误
1.1 报错日志
PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target1.2 maven 依赖配置 !--minio java sdk--dependencygroupIdio.minio/groupIdartifactIdminio/artifactIdversion8.4.4/versionexclusionsexclusiongroupIdcom.squareup.okhttp3/groupIdartifactIdokhttp/artifactId/exclusion/exclusions/dependencydependencygroupIdcom.squareup.okhttp3/groupIdartifactIdokhttp/artifactIdversion4.10.0/version/dependency1.3 当前spring MinioClient配置
Configuration
EnableConfigurationProperties(MinioProperties.class)
public class MinioConfig {Beanpublic MinioClient minioClient(MinioProperties properties){properties.check();return MinioClient.builder().endpoint(properties.getEndpoint()).credentials(properties.getAccessKey(), properties.getSecretKey()).build();}
}2.问题分析
通常是因为MinIO默认情况下会验证服务器的TLS证书。在生产环境中使用自签名证书并不推荐因为它们不受信任的证书颁发机构CA签署可能会导致安全问题。
3.问题解决
3.1 使用受信任的证书
为了在生产环境中确保安全性建议获取一个受信任的SSL证书可以从证书颁发机构CA购买或者使用免费的证书颁发机构例如Let’s Encrypt获取SSL证书。
3.2 忽略证书验证
3.2.1 minio客户端
在MinIO客户端例如mc命令行工具中可以使用–insecure选项来忽略证书验证。例如
mc --insecure command这会告诉MinIO客户端不要验证服务器的TLS证书。请注意这种做法会降低安全性不建议在生产环境中使用。
3.2.2 minio sdk 忽略证书验证
在使用Java SDK与自签名证书的服务器进行通信时一般可以通过自定义SSLContext来忽略证书验证。
MinIO的Java SDKversion 8.0.6及以上允许自定义OkHttpClient我们可以使用httpClient方法传递一个自定义的OkHttpClient实例。以便在HTTP、正常HTTPS和自签名HTTPS之间实现兼容性
下面是如何使用自定义的OkHttpClient实现对HTTP、正常HTTPS和自签名HTTPS的兼容性
Configuration
EnableConfigurationProperties(MinioProperties.class)
public class MinioConfig {private static final Logger LOGGER LoggerFactory.getLogger(MinioConfig.class);Beanpublic MinioClient minioClient(MinioProperties properties){properties.check();// Create a trust manager that does not validate certificate chainsTrustManager[] trustAllCerts new TrustManager[] {new X509TrustManager() {public X509Certificate[] getAcceptedIssuers() {return new X509Certificate[0];}public void checkClientTrusted(X509Certificate[] certs, String authType) {// Do nothing (trust any client certificate)}public void checkServerTrusted(X509Certificate[] certs, String authType) {// Do nothing (trust any server certificate)}}};// Install the all-trusting trust managerSSLContext sslContext null;try {sslContext SSLContext.getInstance(SSL);sslContext.init(null, trustAllCerts, new java.security.SecureRandom());} catch (Exception e) {LOGGER.error(Install the all-trusting trust manager error:{}, e.getMessage());}// Create a custom OkHttpClient that trusts all certificatesOkHttpClient customHttpClient new OkHttpClient.Builder().sslSocketFactory(sslContext.getSocketFactory(), (X509TrustManager) trustAllCerts[0]).hostnameVerifier((hostname, session) - true).build();// Set the custom SSLContext for MinioClientreturn MinioClient.builder().endpoint(properties.getEndpoint()).credentials(properties.getAccessKey(), properties.getSecretKey()).httpClient(customHttpClient).build();}}
在上面的代码中我们创建了一个SSLContext其中的X509TrustManager会信任所有证书无论其是否由信任的证书颁发机构CA签署。创建了一个自定义的OkHttpClient该客户端信任所有证书。然后我们使用MinioClient.builder()方法将自定义的OkHttpClient传递给httpClient()方法
这种方法会将所有证书都视为受信任的因此请仅在非生产环境中使用此方法以确保通信的安全性和完整性。在生产环境中建议使用受信任的SSL证书。
3.2.2.1 拓展: 补充minioclient请求日志
之前minioclient与服务器端交互使用默认的httpclient的客户端,请求没有打印详细日志. 既然上面自定义自己的httpclient那么可以补充自定义拦截器打印日志
public class CustomLoggingInterceptor implements Interceptor {Overridepublic Response intercept(Chain chain) throws IOException {Request request chain.request();long startTime System.nanoTime();System.out.println(Sending request request.url() on chain.connection() \n request.headers());Response response chain.proceed(request);long endTime System.nanoTime();System.out.println(Received response for response.request().url() in ((endTime - startTime) / 1e6) ms\n response.headers());MediaType contentType response.body().contentType();String content response.body().string();System.out.println(Response body:\n content);ResponseBody wrappedBody ResponseBody.create(contentType, content);return response.newBuilder().body(wrappedBody).build();}
}修改MinioConfig增加okhttp拦截器 // Create a custom OkHttpClient that trusts all certificatesOkHttpClient customHttpClient new OkHttpClient.Builder().sslSocketFactory(sslContext.getSocketFactory(), (X509TrustManager) trustAllCerts[0]).hostnameVerifier((hostname, session) - true).addInterceptor(new CustomLoggingInterceptor()) // Add custom interceptor here.build();效果
4. 问题总结
minio客户端本质使用httpclient与服务端交互,因此证书问题处理其实只是httpclient对证书的兼容处理。该处理方式可以运用到其他使用到httpclient的场景。
5.附录
代码优化
Configuration
EnableConfigurationProperties(MinioProperties.class)
public class MinioConfig {private static final Logger LOGGER LoggerFactory.getLogger(MinioConfig.class);Beanpublic MinioClient minioClient(MinioProperties properties){properties.check();OkHttpClient customHttpClient null;if (properties.getEndpoint().startsWith(https://)) {// 如果是HTTPS使用自定义的OkHttpClient处理自签名的HTTPS请求customHttpClient createCustomOkHttpClient();}MinioClient minioClient;if (customHttpClient ! null) {// 如果使用了自定义的OkHttpClientminioClient MinioClient.builder().endpoint(properties.getEndpoint()).credentials(properties.getAccessKey(), properties.getSecretKey()).httpClient(customHttpClient).build();} else {// 如果是普通HTTP使用默认的OkHttpClientminioClient MinioClient.builder().endpoint(properties.getEndpoint()).credentials(properties.getAccessKey(), properties.getSecretKey()).build();}return minioClient;}/*** Set the custom SSLContext for MinioClient* return*/private static OkHttpClient createCustomOkHttpClient() {// 创建自定义的OkHttpClient用于处理自签名的HTTPS请求// Create a trust manager that does not validate certificate chainsTrustManager[] trustAllCerts new TrustManager[] {new X509TrustManager() {public X509Certificate[] getAcceptedIssuers() {return new X509Certificate[0];}public void checkClientTrusted(X509Certificate[] certs, String authType) {// Do nothing (trust any client certificate)}public void checkServerTrusted(X509Certificate[] certs, String authType) {// Do nothing (trust any server certificate)}}};// Install the all-trusting trust managerSSLContext sslContext null;try {sslContext SSLContext.getInstance(SSL);sslContext.init(null, trustAllCerts, new java.security.SecureRandom());} catch (Exception e) {LOGGER.error(Install the all-trusting trust manager error:{}, e.getMessage());}// Create a custom OkHttpClient that trusts all certificatesOkHttpClient customHttpClient new OkHttpClient.Builder().sslSocketFactory(sslContext.getSocketFactory(), (X509TrustManager) trustAllCerts[0]).hostnameVerifier((hostname, session) - true)// 增加minio http请求日志打印//.addInterceptor(new CustomLoggingInterceptor()) // Add custom interceptor here.build();return customHttpClient;}}
