Falha na verificação do certificado TLS do Cassandra

Esta é a documentação da Apigee e da Apigee híbrida.
Confira a documentação da Apigee Edge.

Sintomas

O processo de verificação de certificado TLS em pods do Cassandra pode falhar com um erro semelhante ao seguinte: 

Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:456)
at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:323)
at sun.security.validator.Validator.validate(Validator.java:271)
at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:315)
at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:278)
at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:141)
at io.netty.handler.ssl.ReferenceCountedOpenSslClientContext$ExtendedTrustManagerVerifyCallback.verify(ReferenceCountedOpenSslClientContext.java:261)
at io.netty.handler.ssl.ReferenceCountedOpenSslContext$AbstractCertificateVerifier.verify(ReferenceCountedOpenSslContext.java:698)
...
Suppressed: javax.net.ssl.SSLHandshakeException: error:1000007d:SSL routines:OPENSSL_internal:CERTIFICATE_VERIFY_FAILED
at io.netty.handler.ssl.ReferenceCountedOpenSslEngine.sslReadErrorResult(ReferenceCountedOpenSslEngine.java:1309)
at io.netty.handler.ssl.ReferenceCountedOpenSslEngine.unwrap(ReferenceCountedOpenSslEngine.java:1270)
...

Causas possíveis

Causa Descrição Instruções de solução de problemas aplicáveis para
O certificado da AC da Apigee não corresponde aos clusters da Apigee Se o certificado da AC da Apigee não corresponder entre os clusters, a verificação de certificado TLS no Cassandra poderá falhar. Apigee híbrido

Pré-requisitos

  • O kubectl precisa ser instalado e configurado para acessar clusters da Apigee.
  • O jq é necessário para formatar o conteúdo JSON.
  • O keytool é necessário para imprimir certificados TLS.
  • O cmctl é necessário para a renovação de certificados usando o Gerenciador de certificados.

Causa: o certificado da CA do Apigee não corresponde aos clusters do Apigee.

Diagnóstico

  1. Leia o segredo apigee-ca e imprima o certificado de CA da Apigee de todos os clusters usando o seguinte comando: 
    kubectl -n cert-manager get secret apigee-ca -o json | jq -r '.data["tls.crt"]' | base64 -d | keytool -printcert | grep Version -B 10

    Um exemplo de saída:

    kubectl -n cert-manager get secret apigee-ca -o json | jq -r '.data["tls.crt"]' | base64 -d | keytool -printcert | grep Version -B 10
Owner: CN=apigee-hybrid, O=apigee + O=cluster.local
Issuer: CN=apigee-hybrid, O=apigee + O=cluster.local
Serial number: afcc2ef957cebfd52b118b0b1622021
Valid from: Wed Oct 30 03:09:23 UTC 2024 until: Sat Oct 28 03:09:23 UTC 2034
Certificate fingerprints:
        SHA1: 32:D9:77:54:B1:FC:CB:6C:9E:28:C1:04:25:49:0D:F5:7C:88:A5:6C
        SHA256: 7C:97:31:3B:56:CD:A3:EF:88:A7:DC:17:AE:D5:F2:A7:6A:48:B3:FC:AA:04:F0:6B:9F:43:C4:5C:6E:15:DE:37
Signature algorithm name: SHA256withECDSA
Subject Public Key Algorithm: 256-bit EC (secp256r1) key
Version: 3
  2. Leia o secret apigee-cassandra-default-tls e verifique se o certificado de CA da Apigee acima foi usado ao gerar o certificado do Cassandra. O secret apigee-cassandra-default-tls contém o certificado de CA da Apigee em ca.crt: 
    kubectl -n apigee get secret apigee-cassandra-default-tls -o json | jq -r '.data["ca.crt"]' | base64 -d | keytool -printcert | grep Version -B 10

    Um exemplo de saída:

    kubectl -n apigee get secret apigee-cassandra-default-tls -o json | jq -r '.data["ca.crt"]' | base64 -d | keytool -printcert | grep Version -B 10
Owner: CN=apigee-hybrid, O=apigee + O=cluster.local
Issuer: CN=apigee-hybrid, O=apigee + O=cluster.local
Serial number: afcc2ef957cebfd52b118b0b1622021
Valid from: Wed Oct 30 03:09:23 UTC 2024 until: Sat Oct 28 03:09:23 UTC 2034
Certificate fingerprints:
        SHA1: 32:D9:77:54:B1:FC:CB:6C:9E:28:C1:04:25:49:0D:F5:7C:88:A5:6C
        SHA256: 7C:97:31:3B:56:CD:A3:EF:88:A7:DC:17:AE:D5:F2:A7:6A:48:B3:FC:AA:04:F0:6B:9F:43:C4:5C:6E:15:DE:37
Signature algorithm name: SHA256withECDSA
Subject Public Key Algorithm: 256-bit EC (secp256r1) key
Version: 3
  3. No exemplo acima, o número de série do certificado da AC do Apigee encontrado no secret apigee-ca corresponde ao certificado da AC do Apigee encontrado no secret apigee-cassandra-default-tls: afcc2ef957cebfd52b118b0b1622021. Isso confirma que o certificado do Cassandra foi assinado pelo mesmo certificado de CA do Apigee. Para verificar isso, siga as etapas abaixo.
  4. Extraia o arquivo PEM do certificado da CA da Apigee: 
    kubectl -n cert-manager get secret apigee-ca -o json | jq -r '.data["tls.crt"]' | base64 -d > apigee-ca.crt

    Um exemplo de saída:

    kubectl -n cert-manager get secret apigee-ca -o json | jq -r '.data["tls.crt"]' | base64 -d > apigee-ca.crt
cat apigee-ca.crt
-----BEGIN CERTIFICATE-----
MIIBvjCCAWSgAwIBAgIQCvzC75V86/1SsRiwsWIgITAKBggqhkjOPQQDAjA/MSUw
DQYDVQQKEwZhcGlnZWUwFAYDVQQKEw1jbHVzdGVyLmxvY2FsMRYwFAYDVQQDEw1h
cGlnZWUtaHlicmlkMB4XDTI0MTAzMDAzMDkyM1oXDTM0MTAyODAzMDkyM1owPzEl
MA0GA1UEChMGYXBpZ2VlMBQGA1UEChMNY2x1c3Rlci5sb2NhbDEWMBQGA1UEAxMN
YXBpZ2VlLWh5YnJpZDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABNSow7pxNvjj
R/jV66nY/w/tn22tu7oXyZS8tAFBnP7D2fFfIdk4tJub3gw/CsoyNa1cKXwAt7Tw
SLp1iGJ3CY+jQjBAMA4GA1UdDwEB/wQEAwICpDAPBgNVHRMBAf8EBTADAQH/MB0G
A1UdDgQWBBRSjN/cNNbg2kvmddskzdurglxuwTAKBggqhkjOPQQDAgNIADBFAiBp
pCgNNC8TVEgF8jR5RK9dXZJRcNY39nFY4DqbH6bUJwIhAPdzx5gee3BIWYwlQAYX
CgtCf4blLNq3KlBWTO993XoY
-----END CERTIFICATE-----
  5. Extraia o arquivo pem do certificado do Cassandra: 
    kubectl -n apigee get secrets apigee-cassandra-default-tls -o json | jq -r '.data["tls.crt"]' | base64 -d > apigee-cassandra-default-tls.crt

    Um exemplo de saída:

    kubectl -n apigee get secrets apigee-cassandra-default-tls -o json | jq -r '.data["tls.crt"]' | base64 -d > apigee-cassandra-default-tls.crt
cat apigee-cassandra-default-tls.crt
-----BEGIN CERTIFICATE-----
MIIDSDCCAu6gAwIBAgIQZcYk/VOfGUQEzpLbAvyyNjAKBggqhkjOPQQDAjA/MSUw
DQYDVQQKEwZhcGlnZWUwFAYDVQQKEw1jbHVzdGVyLmxvY2FsMRYwFAYDVQQDEw1h
cGlnZWUtaHlicmlkMB4XDTI0MTAzMDAzMTAyMFoXDTM0MTAyODAzMTAyMFowPDE6
MDgGA1UEAxMxYXBpZ2VlLWNhc3NhbmRyYS1kZWZhdWx0LmFwaWdlZS5zdmMuY2x1
c3Rlci5sb2NhbDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAM6k8YyB
m/AV9cgexU8fZ4OFw8M72oxWEF44sFezZB7NpCqIFBxAM/7iL0tF2qU4S4gpcabD
bn30fKKID8651Kytc7KHGT13Nlj9vQRjd0HJD8Qa8YtRcmGKtp+1fbQOcMPxvuNA
CzaQyuPwieYKc6D9DpDDkPPCmjVwfaxHmNpdswrt0NQbSecg/xZPXbpzOZ6bUFha
2vTvSTomiDKIPGhWrMnEMJDjFyjpdYND74HnYgw1XGnC4SQNts/kvXligbVmW+Rz
oyV7n99eN6cE5J/FHDgiHrBRZUw8ujP2l/p7Y96NcMBnXCsQu6RsCDltXqX1f1pG
sIjUAFAZZvM0pDECAwEAAaOCAQIwgf8wDgYDVR0PAQH/BAQDAgWgMB0GA1UdJQQW
MBQGCCsGAQUFBwMCBggrBgEFBQcDATAMBgNVHRMBAf8EAjAAMB8GA1UdIwQYMBaA
FFKM39w01uDaS+Z12yTN26uCXG7BMIGeBgNVHREEgZYwgZOCGGFwaWdlZS1jYXNz
YW5kcmEtZGVmYXVsdIIfYXBpZ2VlLWNhc3NhbmRyYS1kZWZhdWx0LmFwaWdlZYIj
YXBpZ2VlLWNhc3NhbmRyYS1kZWZhdWx0LmFwaWdlZS5zdmOCMWFwaWdlZS1jYXNz
YW5kcmEtZGVmYXVsdC5hcGlnZWUuc3ZjLmNsdXN0ZXIubG9jYWwwCgYIKoZIzj0E
AwIDSAAwRQIhANt7WYfSbS4a14Fvf3IXcG+/p3iEGg61suK8jOxtgJMyAiBG3z7Y
kgR7SWNzSoom4Oznq9NSub7v75kfQJFKEtP0Mg==
-----END CERTIFICATE-----
  6. Verifique o certificado do Cassandra usando o certificado da CA do Apigee: 
    openssl verify -CAfile apigee-ca.crt apigee-cassandra-default-tls.crt

    Exemplo de saída:

    openssl verify -CAfile apigee-ca.crt apigee-cassandra-default-tls.crt
apigee-cassandra-default-tls.crt: OK

    Exemplo de saída de falha:

    openssl verify -CAfile apigee-ca.crt apigee-cassandra-default-tls.crt
CN = apigee-cassandra-default.apigee.svc.cluster.local
error 20 at 0 depth lookup: unable to get local issuer certificate
error apigee-cassandra-default-tls.crt: verification failed

Resolução

  1. Selecione um cluster do Apigee que tenha o certificado de AC correto.
  2. Exporte o secret do certificado da CA do Apigee desse cluster para um arquivo: 
    kubectl -n cert-manager get secret apigee-ca -o yaml > apigee-ca.yaml
  3. Aplique o secret do certificado da CA da Apigee acima a todos os outros clusters, selecionando um cluster por vez. Em seguida, realize todas as etapas restantes em todos os clusters: 
    kubectl -n cert-manager apply -f apigee-ca.yaml
  4. Exporte todos os certificados disponíveis no namespace apigee para um arquivo de backup: 
    kubectl -n apigee get certificates --all -o yaml > all-certificates.yaml
  5. Execute o seguinte comando cmctl para renovar todos os certificados encontrados no namespace apigee: 
    cmctl renew --namespace=apigee --all

    Um exemplo de saída:

    cmctl renew --namespace=apigee --all

  Manually triggered issuance of Certificate apigee/apigee-cassandra-default
  Manually triggered issuance of Certificate apigee/apigee-cassandra-schema-setup-demo-hybrid-de-5fdc6d2
  Manually triggered issuance of Certificate apigee/apigee-cassandra-schema-val-demo-hybrid-de-5fdc6d2
  Manually triggered issuance of Certificate apigee/apigee-cassandra-user-setup-demo-hybrid-de-5fdc6d2
  Manually triggered issuance of Certificate apigee/apigee-connect-agent-demo-hybrid-de-5fdc6d2
  Manually triggered issuance of Certificate apigee/apigee-datastore-guardrails-tls
  Manually triggered issuance of Certificate apigee/apigee-istiod
  Manually triggered issuance of Certificate apigee/apigee-mart-demo-hybrid-de-5fdc6d2
  Manually triggered issuance of Certificate apigee/apigee-metrics-adapter-apigee-telemetry
  Manually triggered issuance of Certificate apigee/apigee-redis-default
  Manually triggered issuance of Certificate apigee/apigee-redis-envoy-default
  Manually triggered issuance of Certificate apigee/apigee-runtime-demo-hybrid-de-dev-b276d3f
  Manually triggered issuance of Certificate apigee/apigee-serving-cert
  Manually triggered issuance of Certificate apigee/apigee-synchronizer-demo-hybrid-de-dev-b276d3f
  Manually triggered issuance of Certificate apigee/apigee-udca-demo-hybrid-de-5fdc6d2
  Manually triggered issuance of Certificate apigee/apigee-watcher-demo-hybrid-de-5fdc6d2

    Essa etapa vai emitir novamente todos os certificados do ambiente de execução do Apigee usando o certificado de CA do Apigee recém-importado, o que deve resolver o problema.

  6. Verifique a data de emissão de todos os certificados em relação ao horário UTC e confira se eles foram reemitidos: 
    kubectl get certificates -n apigee -o json | jq -r '.items[] | "\(.metadata.name): \(.status.notBefore)"'
date -u

    Um exemplo de saída:

    kubectl get certificates -n apigee -o json | jq -r '.items[] | "\(.metadata.name): \(.status.notBefore)"'

  apigee-cassandra-default: 2024-12-16T04:19:58Z
  apigee-cassandra-schema-setup-demo-hybrid-de-5fdc6d2: 2024-12-16T04:19:58Z
  apigee-cassandra-schema-val-demo-hybrid-de-5fdc6d2: 2024-12-16T04:19:58Z
  apigee-cassandra-user-setup-demo-hybrid-de-5fdc6d2: 2024-12-16T04:19:59Z
  apigee-connect-agent-demo-hybrid-de-5fdc6d2: 2024-12-16T04:20:00Z
  apigee-datastore-guardrails-tls: 2024-12-16T04:20:01Z
  apigee-istiod: 2024-12-16T04:20:02Z
  apigee-mart-demo-hybrid-de-5fdc6d2: 2024-12-16T04:20:02Z
  apigee-metrics-adapter-apigee-telemetry: 2024-12-16T04:20:03Z
  apigee-redis-default: 2024-12-16T04:20:04Z
  apigee-redis-envoy-default: 2024-12-16T04:20:04Z
  apigee-runtime-demo-hybrid-de-dev-b276d3f: 2024-12-16T04:20:04Z
  apigee-serving-cert: 2024-12-16T04:20:04Z
  apigee-synchronizer-demo-hybrid-de-dev-b276d3f: 2024-12-16T04:20:05Z
  apigee-udca-demo-hybrid-de-5fdc6d2: 2024-12-16T04:20:06Z
  apigee-watcher-demo-hybrid-de-5fdc6d2: 2024-12-16T04:20:07Z

  date -u
  Mon Dec 16 04:23:45 AM UTC 2024
  7. Verifique a data de validade de todos os certificados e confirme se ela foi estendida corretamente: 
    kubectl get certificates -n apigee -o json | jq -r '.items[] | "\(.metadata.name): \(.status.notAfter)"'

    Um exemplo de saída:

    kubectl get certificates -n apigee -o json | jq -r '.items[] | "\(.metadata.name): \(.status.notAfter)"'

  apigee-cassandra-default: 2034-12-14T04:19:58Z
  apigee-cassandra-schema-setup-demo-hybrid-de-5fdc6d2: 2034-12-14T04:19:58Z
  apigee-cassandra-schema-val-demo-hybrid-de-5fdc6d2: 2034-12-14T04:19:58Z
  apigee-cassandra-user-setup-demo-hybrid-de-5fdc6d2: 2034-12-14T04:19:59Z
  apigee-connect-agent-demo-hybrid-de-5fdc6d2: 2034-12-14T04:20:00Z
  apigee-datastore-guardrails-tls: 2024-12-16T05:20:01Z
  apigee-istiod: 2024-12-18T04:20:02Z
  apigee-mart-demo-hybrid-de-5fdc6d2: 2034-12-14T04:20:02Z
  apigee-metrics-adapter-apigee-telemetry: 2034-12-14T04:20:03Z
  apigee-redis-default: 2034-12-14T04:20:04Z
  apigee-redis-envoy-default: 2034-12-14T04:20:04Z
  apigee-runtime-demo-hybrid-de-dev-b276d3f: 2034-12-14T04:20:04Z
  apigee-serving-cert: 2025-03-16T04:20:04Z
  apigee-synchronizer-demo-hybrid-de-dev-b276d3f: 2034-12-14T04:20:05Z
  apigee-udca-demo-hybrid-de-5fdc6d2: 2034-12-14T04:20:06Z
  apigee-watcher-demo-hybrid-de-5fdc6d2: 2034-12-14T04:20:07Z

É necessário coletar informações de diagnóstico

Se o problema persistir mesmo depois de seguir as instruções acima, reúna as seguintes informações de diagnóstico e entre em contato com o Google Cloud Costumer Care:

  1. O ID do projeto do Google Cloud.
  2. A organização da Apigee híbrida.
  3. Os arquivos overrides.yaml da origem e das novas regiões, mascarando qualquer informação confidencial.
  4. As saídas dos comandos em must-gather da Apigee híbrida.
  5. As saídas dos comandos em must-gather do Cassandra híbrido da Apigee.