GRIZZLY0050: не удалось настроить поддержку SSL - PullRequest
/ 29 октября 2018

Я пытаюсь настроить HTTPS-соединение с помощью Glassfish, используя это руководство с PKCS #7. Создание хранилища ключей, генерация запросов, получение сертификата от CA, добавление его в хранилище ключей и импорт из моего хранилища ключей в хранилище ключей Glassfish прошли успешно, без ошибок.

keytool -v -list -keystore показывает два сертификата по умолчанию и один добавленный. Когда я пытаюсь запустить домен Glassfish, у меня появляется ошибка:

[2018-10-26T15:51:12.497+0300] [glassfish 4.1] [WARNING] [] [javax.enterprise.network.config] [tid: _ThreadID=45 _ThreadName=admin-listener(3)] [timeMillis: 1540558272497] [levelValue: 900] [[
  GRIZZLY0050: SSL support could not be configured!
java.io.IOException: A MultiException has 2 exceptions.  They are:
1. java.lang.Error: java.security.UnrecoverableKeyException: Cannot recover key
2. java.lang.IllegalStateException: Unable to perform operation: post construct on com.sun.enterprise.security.ssl.SSLUtils

    at org.glassfish.grizzly.config.ssl.JSSE14SocketFactory.init(JSSE14SocketFactory.java:162)
    at org.glassfish.grizzly.config.SSLConfigurator.initializeSSLContext(SSLConfigurator.java:249)
    at org.glassfish.grizzly.config.SSLConfigurator.configureSSL(SSLConfigurator.java:131)
    at org.glassfish.grizzly.config.SSLConfigurator$InternalSSLContextConfigurator.createSSLContext(SSLConfigurator.java:389)
    at org.glassfish.grizzly.ssl.SSLEngineConfigurator.createSSLEngine(SSLEngineConfigurator.java:180)
    at org.glassfish.grizzly.ssl.SSLBaseFilter.handleRead(SSLBaseFilter.java:262)
    at org.glassfish.grizzly.filterchain.ExecutorResolver$9.execute(ExecutorResolver.java:119)
    at org.glassfish.grizzly.filterchain.DefaultFilterChain.executeFilter(DefaultFilterChain.java:284)
    at org.glassfish.grizzly.filterchain.DefaultFilterChain.executeChainPart(DefaultFilterChain.java:201)
    at org.glassfish.grizzly.filterchain.DefaultFilterChain.execute(DefaultFilterChain.java:133)
    at org.glassfish.grizzly.filterchain.DefaultFilterChain.process(DefaultFilterChain.java:112)
    at org.glassfish.grizzly.ProcessorExecutor.execute(ProcessorExecutor.java:77)
    at org.glassfish.grizzly.portunif.PUFilter.handleRead(PUFilter.java:231)
    at org.glassfish.grizzly.filterchain.ExecutorResolver$9.execute(ExecutorResolver.java:119)
    at org.glassfish.grizzly.filterchain.DefaultFilterChain.executeFilter(DefaultFilterChain.java:284)
    at org.glassfish.grizzly.filterchain.DefaultFilterChain.executeChainPart(DefaultFilterChain.java:201)
    at org.glassfish.grizzly.filterchain.DefaultFilterChain.execute(DefaultFilterChain.java:133)
    at org.glassfish.grizzly.filterchain.DefaultFilterChain.process(DefaultFilterChain.java:112)
    at org.glassfish.grizzly.ProcessorExecutor.execute(ProcessorExecutor.java:77)
    at org.glassfish.grizzly.nio.transport.TCPNIOTransport.fireIOEvent(TCPNIOTransport.java:561)
    at org.glassfish.grizzly.strategies.AbstractIOStrategy.fireIOEvent(AbstractIOStrategy.java:112)
    at org.glassfish.grizzly.strategies.WorkerThreadIOStrategy.run0(WorkerThreadIOStrategy.java:117)
    at org.glassfish.grizzly.strategies.WorkerThreadIOStrategy.access$100(WorkerThreadIOStrategy.java:56)
    at org.glassfish.grizzly.strategies.WorkerThreadIOStrategy$WorkerThreadRunnable.run(WorkerThreadIOStrategy.java:137)
    at org.glassfish.grizzly.threadpool.AbstractThreadPool$Worker.doWork(AbstractThreadPool.java:565)
    at org.glassfish.grizzly.threadpool.AbstractThreadPool$Worker.run(AbstractThreadPool.java:545)
    at java.lang.Thread.run(Thread.java:748)
]]

[2018-10-26T15:51:12.497+0300] [glassfish 4.1] [WARNING] [] [org.glassfish.grizzly.filterchain.DefaultFilterChain] [tid: _ThreadID=45 _ThreadName=admin-listener(3)] [timeMillis: 1540558272497] [levelValue: 900] [[
  GRIZZLY0013: Exception during FilterChain execution
java.lang.NullPointerException
    at org.glassfish.grizzly.ssl.SSLEngineConfigurator.createSSLEngine(SSLEngineConfigurator.java:185)
    at org.glassfish.grizzly.ssl.SSLBaseFilter.handleRead(SSLBaseFilter.java:262)
    at org.glassfish.grizzly.filterchain.ExecutorResolver$9.execute(ExecutorResolver.java:119)
    at org.glassfish.grizzly.filterchain.DefaultFilterChain.executeFilter(DefaultFilterChain.java:284)
    at org.glassfish.grizzly.filterchain.DefaultFilterChain.executeChainPart(DefaultFilterChain.java:201)
    at org.glassfish.grizzly.filterchain.DefaultFilterChain.execute(DefaultFilterChain.java:133)
    at org.glassfish.grizzly.filterchain.DefaultFilterChain.process(DefaultFilterChain.java:112)
    at org.glassfish.grizzly.ProcessorExecutor.execute(ProcessorExecutor.java:77)
    at org.glassfish.grizzly.portunif.PUFilter.handleRead(PUFilter.java:231)
    at org.glassfish.grizzly.filterchain.ExecutorResolver$9.execute(ExecutorResolver.java:119)
    at org.glassfish.grizzly.filterchain.DefaultFilterChain.executeFilter(DefaultFilterChain.java:284)
    at org.glassfish.grizzly.filterchain.DefaultFilterChain.executeChainPart(DefaultFilterChain.java:201)
    at org.glassfish.grizzly.filterchain.DefaultFilterChain.execute(DefaultFilterChain.java:133)
    at org.glassfish.grizzly.filterchain.DefaultFilterChain.process(DefaultFilterChain.java:112)
    at org.glassfish.grizzly.ProcessorExecutor.execute(ProcessorExecutor.java:77)
    at org.glassfish.grizzly.nio.transport.TCPNIOTransport.fireIOEvent(TCPNIOTransport.java:561)
    at org.glassfish.grizzly.strategies.AbstractIOStrategy.fireIOEvent(AbstractIOStrategy.java:112)
    at org.glassfish.grizzly.strategies.WorkerThreadIOStrategy.run0(WorkerThreadIOStrategy.java:117)
    at org.glassfish.grizzly.strategies.WorkerThreadIOStrategy.access$100(WorkerThreadIOStrategy.java:56)
    at org.glassfish.grizzly.strategies.WorkerThreadIOStrategy$WorkerThreadRunnable.run(WorkerThreadIOStrategy.java:137)
    at org.glassfish.grizzly.threadpool.AbstractThreadPool$Worker.doWork(AbstractThreadPool.java:565)
    at org.glassfish.grizzly.threadpool.AbstractThreadPool$Worker.run(AbstractThreadPool.java:545)
    at java.lang.Thread.run(Thread.java:748)
]]

Вот так выглядит сертификат:

Alias name: host
Creation date: Oct 26, 2018
Entry type: PrivateKeyEntry
Certificate chain length: 3
Certificate[1]:
Owner: CN=host.domain.ru, OU=IT, O=Organization, L=Moscow, ST=Moscow, C=RU
Issuer: CN=Organization Sub2 CA 2012, DC=domain, DC=ru
Serial number: 2b89cd70000200000747
Valid from: Fri Oct 26 14:19:45 MSK 2018 until: Sun Oct 25 14:19:45 MSK 2020
Certificate fingerprints:
         MD5:  9C:78:B7:66:72:05:CC:76:62:C4:0D:E0:1D:A2:1B:AF
         SHA1: BD:7A:08:68:F8:78:40:B8:7C:D9:B3:24:8A:73:BD:01:3E:46:B9:2C
         SHA256: 93:6B:DC:CF:26:65:4D:32:9E:64:2F:CB:5C:27:3B:F5:D6:DD:66:F6:81:47:FC:B2:3A:EB:2C:AC:E0:31:3B:5D
Signature algorithm name: SHA256withRSA
Subject Public Key Algorithm: 2048-bit RSA key
Version: 3

Extensions:

#1: ObjectId: 1.3.6.1.4.1.311.20.2 Criticality=false
0000: 1E 12 00 57 00 65 00 62   00 53 00 65 00 72 00 76  ...W.e.b.S.e.r.v
0010: 00 65 00 72                                        .e.r


#2: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=false
AuthorityInfoAccess [
  [
   accessMethod: caIssuers
   accessLocation: URIName: ldap:///CN=Organization%20Sub2%20CA%202012,CN=AIA,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=domain,DC=ru?cACertificate?base?objectClass=certificationAuthority
,
   accessMethod: caIssuers
   accessLocation: URIName: http://ca.domain.ru/CertData/ca-sub2.domain.ru_Organization%20Sub2%20CA%202012(2).crt
]
]

#3: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: AB A5 46 66 63 1B 99 DF   8B 1F B1 3D 65 CA 23 7B  ..Ffc......=e.#.
0010: C9 36 8E 67                                        .6.g
]
]

#4: ObjectId: 2.5.29.31 Criticality=false
CRLDistributionPoints [
  [DistributionPoint:
     [URIName: ldap:///CN=Organization%20Sub2%20CA%202012(2),CN=ca-sub2,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=domain,DC=ru?certificateRevocationList?base?objectClass=cRLDistributionPoint, URIName: http://ca.domain.ru/CertData/Organization%20Sub2%20CA%202012(2).crl]
]]

#5: ObjectId: 2.5.29.37 Criticality=false
ExtendedKeyUsages [
  serverAuth
]

#6: ObjectId: 2.5.29.15 Criticality=false
KeyUsage [
  DigitalSignature
  Key_Encipherment
]

#7: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
  DNSName: host.domain.ru
  DNSName: host
  IPAddress: 192.168.1.2
]

#8: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: EB B4 B5 9C EC E9 54 F5   0B 4E 28 7F C5 42 1A 72  ......T..N(..B.r
0010: 67 4C 77 7D                                        gLw.
]
]

Certificate[2]:
Owner: CN=Organization Sub2 CA 2012, DC=domain, DC=ru
Issuer: CN=Organization Root CA 2012, O=Organization, C=RU
Serial number: 13a14d5b000100000013
Valid from: Tue May 23 07:10:54 MSK 2017 until: Mon May 23 07:20:54 MSK 2022
Certificate fingerprints:
         MD5:  97:C4:6A:31:B3:5E:E9:88:29:CA:B7:9A:E6:D9:A7:93
         SHA1: 7F:A8:97:D0:E3:78:DF:F0:F2:80:9A:ED:95:98:34:D8:B6:E3:61:78
         SHA256: 05:A9:D5:F6:C7:6A:61:4F:86:FC:55:17:93:4E:AC:5F:DD:67:8D:14:A9:78:C6:45:00:8E:14:96:57:B5:92:2D
Signature algorithm name: SHA256withRSA
Subject Public Key Algorithm: 2048-bit RSA key
Version: 3

Extensions:

#1: ObjectId: 1.3.6.1.4.1.311.20.2 Criticality=false
0000: 1E 0A 00 53 00 75 00 62   00 43 00 41              ...S.u.b.C.A


#2: ObjectId: 1.3.6.1.4.1.311.21.1 Criticality=false
0000: 02 03 02 00 02                                     .....


#3: ObjectId: 1.3.6.1.4.1.311.21.2 Criticality=false
0000: 04 14 C8 7B 2F 64 A1 97   C3 B7 51 92 FB 80 39 1B  ..../d....Q...9.
0010: 18 C1 68 F5 D4 B5                                  ..h...


#4: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=false
AuthorityInfoAccess [
  [
   accessMethod: caIssuers
   accessLocation: URIName: ldap:///CN=Organization%20Root%20CA%202012,CN=AIA,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=domain,DC=ru?cACertificate?base?objectClass=certificationAuthority
,
   accessMethod: caIssuers
   accessLocation: URIName: http://ca.domain.ru/CertData/ROOTCA2012_Organization%20Root%20CA%202012(1).crt
]
]

#5: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: CE D4 E7 3B 6B 40 16 9C   5E B7 6D BF 27 1F AB 53  ...;k@..^.m.'..S
0010: 28 B6 69 58                                        (.iX
]
]

#6: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
  CA:true
  PathLen:2147483647
]

#7: ObjectId: 2.5.29.31 Criticality=false
CRLDistributionPoints [
  [DistributionPoint:
     [URIName: ldap:///CN=Organization%20Root%20CA%202012(1),CN=ROOTCA2012,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=domain,DC=ru?certificateRevocationList?base?objectClass=cRLDistributionPoint, URIName: http://ca.domain.ru/Certdata/Organization%20Root%20CA%202012(1).crl]
]]

#8: ObjectId: 2.5.29.15 Criticality=false
KeyUsage [
  DigitalSignature
  Key_CertSign
  Crl_Sign
]

#9: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: AB A5 46 66 63 1B 99 DF   8B 1F B1 3D 65 CA 23 7B  ..Ffc......=e.#.
0010: C9 36 8E 67                                        .6.g
]
]

Certificate[3]:
Owner: CN=Organization Root CA 2012, O=Organization, C=RU
Issuer: CN=Organization Root CA 2012, O=Organization, C=RU
Serial number: 989edcff42e97b341aca016fa4624a9
Valid from: Tue May 23 06:46:02 MSK 2017 until: Sun May 23 06:56:02 MSK 2027
Certificate fingerprints:
         MD5:  45:5A:86:8B:74:89:80:77:20:36:A4:96:EA:F4:63:1C
         SHA1: F0:EB:7F:A2:27:DF:5E:36:BC:50:68:A0:4C:CA:D0:65:7E:9B:91:2D
         SHA256: A1:32:BC:47:ED:83:59:F8:B0:9C:A5:C8:AA:A8:1E:BF:2F:5F:B4:1D:F5:E6:E9:C1:97:AB:99:F9:80:CC:E2:15
Signature algorithm name: SHA256withRSA
Subject Public Key Algorithm: 2048-bit RSA key
Version: 3

Extensions:

#1: ObjectId: 1.3.6.1.4.1.311.21.1 Criticality=false
0000: 02 03 01 00 01                                     .....


#2: ObjectId: 1.3.6.1.4.1.311.21.2 Criticality=false
0000: 04 14 AF 97 45 DA ED 0A   CF 39 01 0A B0 8D 8E 75  ....E....9.....u
0010: 22 E2 3F 3C C5 40                                  ".?<.@


#3: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
  CA:true
  PathLen:2147483647
]

#4: ObjectId: 2.5.29.15 Criticality=false
KeyUsage [
  DigitalSignature
  Key_CertSign
  Crl_Sign
]

#5: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: CE D4 E7 3B 6B 40 16 9C   5E B7 6D BF 27 1F AB 53  ...;k@..^.m.'..S
0010: 28 B6 69 58                                        (.iX
]
]

Я не могу создать сертификат самостоятельно, я могу получить его только от CA в этой форме. В чем может быть причина этих ошибок и как я могу их устранить?

...