Cassandra version: 3.11
I installed Cassandra on three EC2 instances, two of which I use as seeds. I am trying to enable internode encryption, but it does not seem to recognise the certificates as valid on the node.
This is the error message I see in the logs when starting cassandra:
$ ERROR [ACCEPT-/10.98.27.77] 2018-10-30 21:12:55,493 MessagingService.java:1329 - SSL handshake error for inbound connection from 19c460d7[SSL_NULL_WITH_NULL_NULL: Socket[addr=/10.98.20.35,port=49402,localport=7001]]
javax.net.ssl.SSLHandshakeException: Received fatal alert: certificate_unknown
at sun.security.ssl.Alerts.getSSLException(Alerts.java:192) ~[na:1.8.0_162]
at sun.security.ssl.Alerts.getSSLException(Alerts.java:154) ~[na:1.8.0_162]
at sun.security.ssl.SSLSocketImpl.recvAlert(SSLSocketImpl.java:2038) ~[na:1.8.0_162]
at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1135) ~[na:1.8.0_162]
at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1385) ~[na:1.8.0_162]
at sun.security.ssl.SSLSocketImpl.readDataRecord(SSLSocketImpl.java:938) ~[na:1.8.0_162]
at sun.security.ssl.AppInputStream.read(AppInputStream.java:105) ~[na:1.8.0_162]
at sun.security.ssl.AppInputStream.read(AppInputStream.java:71) ~[na:1.8.0_162]
at java.io.DataInputStream.readInt(DataInputStream.java:387) ~[na:1.8.0_162]
at org.apache.cassandra.net.MessagingService$SocketThread.run(MessagingService.java:1303) ~[apache-cassandra-3.11.2.jar:3.11.2]
[ec2-user@ ansible]$ ERROR [ACCEPT-/10.98.27.77] 2018-10-30 21:12:55,625 MessagingService.java:1329 - SSL handshake error for inbound connection from 7efd2f5a[SSL_NULL_WITH_NULL_NULL: Socket[addr=/10.98.4.223,port=57586,localport=7001]]
javax.net.ssl.SSLHandshakeException: Received fatal alert: certificate_unknown
This is the certificate check on the seed node:
keytool -list -keystore 10.98.4.223.jks
Enter keystore password:
Keystore type: JKS
Keystore provider: SUN
Your keystore contains 2 entries
10.98.4.223, Oct 30, 2018, PrivateKeyEntry,
Certificate fingerprint (SHA1): D6:6A:DC:C4:81:1A:2F:15:68:62:
sedevcassandra-dc1-2.us-east-1f.portals.dev-spectrum.net, Oct 30, 2018, trustedCertEntry,
Certificate fingerprint (SHA1): 55:53:50:C2:9B:9C:9E:7
Keystore information from the yaml. The password is obviously correct, since I can view the certificate with it:
server_encryption_options:
    internode_encryption: all
    keystore: /etc/cassandra/conf/10.98.27.77.jks
    keystore_password: password
    truststore: /etc/cassandra/conf/server-truststore.jks
    truststore_password: password
Seed provider:
seed_provider:
    - class_name: org.apache.cassandra.locator.SimpleSeedProvider
      parameters:
          # seeds is actually a comma-delimited list of addresses.
          # Ex: "<ip1>,<ip2>,<ip3>"
          - seeds: "10.98.20.35,10.98.4.223"
Permissions:
-r-x------ 1 cassandra cassandra 4.9K Oct 30 02:46 10.98.27.77.jks
-rw-r--r-- 1 root root 13K Oct 30 00:51 cassandra-env.sh
-rw-r--r-- 1 root root 13K Feb 14 2018 cassandra-env.sh.orig
-rw-r--r-- 1 root root 148 Jun 19 2017 cassandra-jaas.config
-rw-r--r-- 1 root root 1.2K Oct 30 00:51 cassandra-rackdc.properties
-rw-r--r-- 1 root root 1.4K Jun 19 2017 cassandra-topology.properties
-rw-r--r-- 1 root root 57K Oct 30 21:02 cassandra.yaml
-rw-r--r-- 1 root root 57K Feb 14 2018 cassandra.yaml.orig
-rw-r--r-- 1 root root 2.1K Jun 19 2017 commitlog_archiving.properties
-rw-r--r-- 1 root root 6.3K Jun 19 2017 cqlshrc.sample
-rw-r--r-- 1 root root 2.7K Feb 14 2018 hotspot_compiler
-rw-r--r-- 1 root root 9.8K Feb 14 2018 jvm.options
-rw-r--r-- 1 root root 1.2K Jun 19 2017 logback-tools.xml
-rw-r--r-- 1 root root 3.8K Oct 30 00:51 logback.xml
-rw-r--r-- 1 root root 1.6K Jun 19 2017 metrics-reporter-config-sample.yaml
-rw-r----- 1 cassandra cassandra 855 Oct 30 00:51 prometheus_java_exporter.yaml
-rw-r--r-- 1 root root 291 Jun 19 2017 README.txt
-r-x------ 1 cassandra cassandra 2.0K Oct 30 02:46 server-truststore.jks
drwxr-xr-x 2 root root 4.0K Oct 30 00:51 triggers
The listen address is correct, 10.98.27.77. The broadcast IP address there is commented out.
Updated keystore information:
[ec2-user@devcassandra-dc1-2 keys]$ keytool -list -keystore 10.98.20.35.jks
Enter keystore password:
Keystore type: JKS
Keystore provider: SUN
Your keystore contains 2 entries
10.98.20.35, Oct 30, 2018, PrivateKeyEntry,
Certificate fingerprint (SHA1): 93:60:F3:30:F1:2B:84:E9:66:4A:13:14:94:05:F8:03:BC:4E:1B:82
sedevcassandra, Oct 30, 2018, trustedCertEntry,
Certificate fingerprint (SHA1): 55:53:50:C2:9B:9C:9E:7B:AA:35:1F:CA:8C:F6:E9:2B:76:BD:2E:62
[ec2-user@devcassandra-dc1-2 keys]$ keytool -list -keystore 10.98.27.77.jks
Enter keystore password:
Keystore type: JKS
Keystore provider: SUN
Your keystore contains 2 entries
10.98.27.77, Oct 30, 2018, PrivateKeyEntry,
Certificate fingerprint (SHA1): 82:30:20:DB:60:8E:A1:4B:F6:24:68:E2:75:BB:9E:59:7D:13:5B:06
sedevcassandra, Oct 30, 2018, trustedCertEntry,
Certificate fingerprint (SHA1): 55:53:50:C2:9B:9C:9E:7B:AA:35:1F:CA:8C:F6:E9:2B:76:BD:2E:62
[ec2-user@devcassandra-dc1-2 keys]$ keytool -list -keystore 10.98.4.223.jks
Enter keystore password:
Keystore type: JKS
Keystore provider: SUN
Your keystore contains 2 entries
10.98.4.223, Oct 30, 2018, PrivateKeyEntry,
Certificate fingerprint (SHA1): D6:6A:DC:C4:81:1A:2F:15:68:62:CC:45:38:FD:5E:88:0E:5F:BF:3F
sedevcassandra, Oct 30, 2018, trustedCertEntry,
Certificate fingerprint (SHA1): 55:53:50:C2:9B:9C:9E:7B:AA:35:1F:CA:8C:F6:E9:2B:76:BD:2E:62
[ec2-user@devcassandra-dc1-2 keys]$ keytool -list -keystore server-truststore.jks
Enter keystore password:
Keystore type: JKS
Keystore provider: SUN
Your keystore contains 1 entries
devcassandra, Oct 30, 2018, trustedCertEntry,
Certificate fingerprint (SHA1): 55:53:50:C2:9B:9C:9E:7B:AA:35:1F:CA:8C:F6:E9:2B:76:BD:2E:62
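An added example, not part of the question above, that reproduces with openssl alone the check the connecting peer performs during the internode handshake: a node certificate must chain to the CA held in the truststore, and a certificate the truststore CA did not sign is rejected, which the other side then logs as the peer's fatal certificate_unknown alert. The CA names, node addresses and paths are constructed for the demo; JKS keystores are stood in for by plain PEM files, so this shows the chain logic rather than the poster's actual keystores.

```shell
#!/bin/sh
# Added example (not from the original question): reproduce the peer-side
# certificate check behind a "certificate_unknown" alert using only openssl.
# All names, addresses and files below are constructed for the demo.
set -u
WORK=$(mktemp -d)

# Throwaway CA standing in for the single trustedCertEntry in the truststore.
make_ca() {
  # $1 = basename of the CA key/cert to create
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WORK/$1.key" \
    -out "$WORK/$1.crt" -days 1 -subj "/CN=$1" >/dev/null 2>&1
}

# Issue a node certificate (the keystore PrivateKeyEntry) signed by a given CA.
make_node_cert() {
  # $1 = node address used as CN; $2 = basename of the signing CA
  openssl req -newkey rsa:2048 -nodes -keyout "$WORK/$1.key" \
    -out "$WORK/$1.csr" -subj "/CN=$1" >/dev/null 2>&1 &&
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$2.crt" -CAkey "$WORK/$2.key" \
    -CAcreateserial -out "$WORK/$1.crt" -days 1 >/dev/null 2>&1
}

# The check a verifying peer makes: does the node cert chain to the truststore
# CA? Returns 0 when the chain verifies, non-zero otherwise.
verify_against_truststore() {
  # $1 = node address whose cert to verify against the "truststore" CA
  openssl verify -CAfile "$WORK/truststore-ca.crt" "$WORK/$1.crt" >/dev/null 2>&1
}

make_ca truststore-ca
make_node_cert 10.0.0.1 truststore-ca       # properly issued by the trusted CA

# Failure mode: a node whose cert was signed by some other CA. Its keystore
# looks fine with keytool -list, but peers holding truststore-ca reject it.
make_ca other-ca
make_node_cert 10.0.0.2 other-ca

verify_against_truststore 10.0.0.1 && echo "10.0.0.1: chains to truststore CA"
verify_against_truststore 10.0.0.2 || echo "10.0.0.2: not trusted, peer would send certificate_unknown"
```

Run the same verification on each real node with the CA exported from server-truststore.jks and each node certificate exported from its keystore; any node that fails the check is one the other nodes will refuse to handshake with.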