Cassandra TLS 证书验证失败

您正在查看 ApigeeApigee Hybrid 文档。
查看 Apigee Edge 文档。

表现

Cassandra Pod 中的 TLS 证书验证流程可能会失败,并显示类似于以下内容的错误:

Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:456)
at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:323)
at sun.security.validator.Validator.validate(Validator.java:271)
at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:315)
at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:278)
at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:141)
at io.netty.handler.ssl.ReferenceCountedOpenSslClientContext$ExtendedTrustManagerVerifyCallback.verify(ReferenceCountedOpenSslClientContext.java:261)
at io.netty.handler.ssl.ReferenceCountedOpenSslContext$AbstractCertificateVerifier.verify(ReferenceCountedOpenSslContext.java:698)
...
Suppressed: javax.net.ssl.SSLHandshakeException: error:1000007d:SSL routines:OPENSSL_internal:CERTIFICATE_VERIFY_FAILED
at io.netty.handler.ssl.ReferenceCountedOpenSslEngine.sslReadErrorResult(ReferenceCountedOpenSslEngine.java:1309)
at io.netty.handler.ssl.ReferenceCountedOpenSslEngine.unwrap(ReferenceCountedOpenSslEngine.java:1270)
...

可能的原因

原因 说明 适用的问题排查说明
Apigee CA 证书在各个 Apigee 集群中不匹配 如果 Apigee CA 证书在各个集群中不匹配,Cassandra 中的 TLS 证书验证可能会失败。 Apigee Hybrid

前提条件

  • 需要安装并配置 kubectl 才能访问 Apigee 集群。
  • 必须使用 jq 对 JSON 内容进行格式设置。
  • 必须使用 keytool 才能输出 TLS 证书。
  • 必须使用 cmctl 才能通过 Cert Manager 重新签发证书。

原因:Apigee CA 证书在 Apigee 集群之间不匹配

诊断

  1. 使用以下命令读取 apigee-ca Secret 并输出所有集群的 Apigee CA 证书:
    kubectl -n cert-manager get secret apigee-ca -o json | jq -r '.data["tls.crt"]' | base64 -d | keytool -printcert | grep Version -B 10

    输出示例:

    kubectl -n cert-manager get secret apigee-ca -o json | jq -r '.data["tls.crt"]' | base64 -d | keytool -printcert | grep Version -B 10
Owner: CN=apigee-hybrid, O=apigee + O=cluster.local
Issuer: CN=apigee-hybrid, O=apigee + O=cluster.local
Serial number: afcc2ef957cebfd52b118b0b1622021
Valid from: Wed Oct 30 03:09:23 UTC 2024 until: Sat Oct 28 03:09:23 UTC 2034
Certificate fingerprints:
        SHA1: 32:D9:77:54:B1:FC:CB:6C:9E:28:C1:04:25:49:0D:F5:7C:88:A5:6C
        SHA256: 7C:97:31:3B:56:CD:A3:EF:88:A7:DC:17:AE:D5:F2:A7:6A:48:B3:FC:AA:04:F0:6B:9F:43:C4:5C:6E:15:DE:37
Signature algorithm name: SHA256withECDSA
Subject Public Key Algorithm: 256-bit EC (secp256r1) key
Version: 3
  2. 读取 apigee-cassandra-default-tls Secret,并验证在生成 Cassandra 证书时是否使用了上述 Apigee CA 证书。apigee-cassandra-default-tls Secret 包含 ca.crt 下的 Apigee CA 证书:
    kubectl -n apigee get secret apigee-cassandra-default-tls -o json | jq -r '.data["ca.crt"]' | base64 -d | keytool -printcert | grep Version -B 10

    输出示例:

    kubectl -n apigee get secret apigee-cassandra-default-tls -o json | jq -r '.data["ca.crt"]' | base64 -d | keytool -printcert | grep Version -B 10
Owner: CN=apigee-hybrid, O=apigee + O=cluster.local
Issuer: CN=apigee-hybrid, O=apigee + O=cluster.local
Serial number: afcc2ef957cebfd52b118b0b1622021
Valid from: Wed Oct 30 03:09:23 UTC 2024 until: Sat Oct 28 03:09:23 UTC 2034
Certificate fingerprints:
        SHA1: 32:D9:77:54:B1:FC:CB:6C:9E:28:C1:04:25:49:0D:F5:7C:88:A5:6C
        SHA256: 7C:97:31:3B:56:CD:A3:EF:88:A7:DC:17:AE:D5:F2:A7:6A:48:B3:FC:AA:04:F0:6B:9F:43:C4:5C:6E:15:DE:37
Signature algorithm name: SHA256withECDSA
Subject Public Key Algorithm: 256-bit EC (secp256r1) key
Version: 3
  3. 在上面的示例中,apigee-ca Secret 中找到的 Apigee CA 证书的序列号与 apigee-cassandra-default-tls Secret 中找到的 Apigee CA 证书匹配:afcc2ef957cebfd52b118b0b1622021。这可以确认 Cassandra 证书已由同一 Apigee CA 证书签名。我们可以通过以下步骤进一步验证这一点。
  4. 提取 Apigee CA 证书 pem 文件:
    kubectl -n cert-manager get secret apigee-ca -o json | jq -r '.data["tls.crt"]' | base64 -d > apigee-ca.crt

    输出示例:

    kubectl -n cert-manager get secret apigee-ca -o json | jq -r '.data["tls.crt"]' | base64 -d > apigee-ca.crt
cat apigee-ca.crt
-----BEGIN CERTIFICATE-----
MIIBvjCCAWSgAwIBAgIQCvzC75V86/1SsRiwsWIgITAKBggqhkjOPQQDAjA/MSUw
DQYDVQQKEwZhcGlnZWUwFAYDVQQKEw1jbHVzdGVyLmxvY2FsMRYwFAYDVQQDEw1h
cGlnZWUtaHlicmlkMB4XDTI0MTAzMDAzMDkyM1oXDTM0MTAyODAzMDkyM1owPzEl
MA0GA1UEChMGYXBpZ2VlMBQGA1UEChMNY2x1c3Rlci5sb2NhbDEWMBQGA1UEAxMN
YXBpZ2VlLWh5YnJpZDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABNSow7pxNvjj
R/jV66nY/w/tn22tu7oXyZS8tAFBnP7D2fFfIdk4tJub3gw/CsoyNa1cKXwAt7Tw
SLp1iGJ3CY+jQjBAMA4GA1UdDwEB/wQEAwICpDAPBgNVHRMBAf8EBTADAQH/MB0G
A1UdDgQWBBRSjN/cNNbg2kvmddskzdurglxuwTAKBggqhkjOPQQDAgNIADBFAiBp
pCgNNC8TVEgF8jR5RK9dXZJRcNY39nFY4DqbH6bUJwIhAPdzx5gee3BIWYwlQAYX
CgtCf4blLNq3KlBWTO993XoY
-----END CERTIFICATE-----
  5. 提取 Cassandra 证书 pem 文件:
    kubectl -n apigee get secrets apigee-cassandra-default-tls -o json | jq -r '.data["tls.crt"]' | base64 -d > apigee-cassandra-default-tls.crt

    输出示例:

    kubectl -n apigee get secrets apigee-cassandra-default-tls -o json | jq -r '.data["tls.crt"]' | base64 -d > apigee-cassandra-default-tls.crt
cat apigee-cassandra-default-tls.crt
-----BEGIN CERTIFICATE-----
MIIDSDCCAu6gAwIBAgIQZcYk/VOfGUQEzpLbAvyyNjAKBggqhkjOPQQDAjA/MSUw
DQYDVQQKEwZhcGlnZWUwFAYDVQQKEw1jbHVzdGVyLmxvY2FsMRYwFAYDVQQDEw1h
cGlnZWUtaHlicmlkMB4XDTI0MTAzMDAzMTAyMFoXDTM0MTAyODAzMTAyMFowPDE6
MDgGA1UEAxMxYXBpZ2VlLWNhc3NhbmRyYS1kZWZhdWx0LmFwaWdlZS5zdmMuY2x1
c3Rlci5sb2NhbDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAM6k8YyB
m/AV9cgexU8fZ4OFw8M72oxWEF44sFezZB7NpCqIFBxAM/7iL0tF2qU4S4gpcabD
bn30fKKID8651Kytc7KHGT13Nlj9vQRjd0HJD8Qa8YtRcmGKtp+1fbQOcMPxvuNA
CzaQyuPwieYKc6D9DpDDkPPCmjVwfaxHmNpdswrt0NQbSecg/xZPXbpzOZ6bUFha
2vTvSTomiDKIPGhWrMnEMJDjFyjpdYND74HnYgw1XGnC4SQNts/kvXligbVmW+Rz
oyV7n99eN6cE5J/FHDgiHrBRZUw8ujP2l/p7Y96NcMBnXCsQu6RsCDltXqX1f1pG
sIjUAFAZZvM0pDECAwEAAaOCAQIwgf8wDgYDVR0PAQH/BAQDAgWgMB0GA1UdJQQW
MBQGCCsGAQUFBwMCBggrBgEFBQcDATAMBgNVHRMBAf8EAjAAMB8GA1UdIwQYMBaA
FFKM39w01uDaS+Z12yTN26uCXG7BMIGeBgNVHREEgZYwgZOCGGFwaWdlZS1jYXNz
YW5kcmEtZGVmYXVsdIIfYXBpZ2VlLWNhc3NhbmRyYS1kZWZhdWx0LmFwaWdlZYIj
YXBpZ2VlLWNhc3NhbmRyYS1kZWZhdWx0LmFwaWdlZS5zdmOCMWFwaWdlZS1jYXNz
YW5kcmEtZGVmYXVsdC5hcGlnZWUuc3ZjLmNsdXN0ZXIubG9jYWwwCgYIKoZIzj0E
AwIDSAAwRQIhANt7WYfSbS4a14Fvf3IXcG+/p3iEGg61suK8jOxtgJMyAiBG3z7Y
kgR7SWNzSoom4Oznq9NSub7v75kfQJFKEtP0Mg==
-----END CERTIFICATE-----
  6. 使用 Apigee CA 证书验证 Cassandra 证书:
    openssl verify -CAfile apigee-ca.crt apigee-cassandra-default-tls.crt

    成功示例输出:

    openssl verify -CAfile apigee-ca.crt apigee-cassandra-default-tls.crt
apigee-cassandra-default-tls.crt: OK

    失败示例输出:

    openssl verify -CAfile apigee-ca.crt apigee-cassandra-default-tls.crt
CN = apigee-cassandra-default.apigee.svc.cluster.local
error 20 at 0 depth lookup: unable to get local issuer certificate
error apigee-cassandra-default-tls.crt: verification failed

解决方法

  1. 选择具有正确 Apigee CA 证书的 Apigee 集群。
  2. 将该集群中的 Apigee CA 证书 Secret 导出到文件中:
    kubectl -n cert-manager get secret apigee-ca -o yaml > apigee-ca.yaml
  3. 通过一次选择一个集群,在所有集群中执行所有剩余步骤,将上述 Apigee CA 证书 Secret 应用于所有其他集群:
    kubectl -n cert-manager apply -f apigee-ca.yaml
  4. apigee 命名空间中所有现有的证书导出到备用文件:
    kubectl -n apigee get certificates --all -o yaml > all-certificates.yaml
  5. 执行以下 cmctl 命令以重新签发 apigee 命名空间中找到的所有证书:
    cmctl renew --namespace=apigee --all

    输出示例:

    cmctl renew --namespace=apigee --all

  Manually triggered issuance of Certificate apigee/apigee-cassandra-default
  Manually triggered issuance of Certificate apigee/apigee-cassandra-schema-setup-demo-hybrid-de-5fdc6d2
  Manually triggered issuance of Certificate apigee/apigee-cassandra-schema-val-demo-hybrid-de-5fdc6d2
  Manually triggered issuance of Certificate apigee/apigee-cassandra-user-setup-demo-hybrid-de-5fdc6d2
  Manually triggered issuance of Certificate apigee/apigee-connect-agent-demo-hybrid-de-5fdc6d2
  Manually triggered issuance of Certificate apigee/apigee-datastore-guardrails-tls
  Manually triggered issuance of Certificate apigee/apigee-istiod
  Manually triggered issuance of Certificate apigee/apigee-mart-demo-hybrid-de-5fdc6d2
  Manually triggered issuance of Certificate apigee/apigee-metrics-adapter-apigee-telemetry
  Manually triggered issuance of Certificate apigee/apigee-redis-default
  Manually triggered issuance of Certificate apigee/apigee-redis-envoy-default
  Manually triggered issuance of Certificate apigee/apigee-runtime-demo-hybrid-de-dev-b276d3f
  Manually triggered issuance of Certificate apigee/apigee-serving-cert
  Manually triggered issuance of Certificate apigee/apigee-synchronizer-demo-hybrid-de-dev-b276d3f
  Manually triggered issuance of Certificate apigee/apigee-udca-demo-hybrid-de-5fdc6d2
  Manually triggered issuance of Certificate apigee/apigee-watcher-demo-hybrid-de-5fdc6d2

    此步骤应使用新导入的 Apigee CA 证书重新签发所有 Apigee 运行时证书,这应该可以解决此问题。

  6. 根据 UTC 时间检查所有证书的发放日期,并验证它们是否已被重新签发:
    kubectl get certificates -n apigee -o json | jq -r '.items[] | "\(.metadata.name): \(.status.notBefore)"'
date -u

    输出示例:

    kubectl get certificates -n apigee -o json | jq -r '.items[] | "\(.metadata.name): \(.status.notBefore)"'

  apigee-cassandra-default: 2024-12-16T04:19:58Z
  apigee-cassandra-schema-setup-demo-hybrid-de-5fdc6d2: 2024-12-16T04:19:58Z
  apigee-cassandra-schema-val-demo-hybrid-de-5fdc6d2: 2024-12-16T04:19:58Z
  apigee-cassandra-user-setup-demo-hybrid-de-5fdc6d2: 2024-12-16T04:19:59Z
  apigee-connect-agent-demo-hybrid-de-5fdc6d2: 2024-12-16T04:20:00Z
  apigee-datastore-guardrails-tls: 2024-12-16T04:20:01Z
  apigee-istiod: 2024-12-16T04:20:02Z
  apigee-mart-demo-hybrid-de-5fdc6d2: 2024-12-16T04:20:02Z
  apigee-metrics-adapter-apigee-telemetry: 2024-12-16T04:20:03Z
  apigee-redis-default: 2024-12-16T04:20:04Z
  apigee-redis-envoy-default: 2024-12-16T04:20:04Z
  apigee-runtime-demo-hybrid-de-dev-b276d3f: 2024-12-16T04:20:04Z
  apigee-serving-cert: 2024-12-16T04:20:04Z
  apigee-synchronizer-demo-hybrid-de-dev-b276d3f: 2024-12-16T04:20:05Z
  apigee-udca-demo-hybrid-de-5fdc6d2: 2024-12-16T04:20:06Z
  apigee-watcher-demo-hybrid-de-5fdc6d2: 2024-12-16T04:20:07Z

  date -u
  Mon Dec 16 04:23:45 AM UTC 2024
  7. 检查所有证书的失效日期,并确认已相应地延长证书的有效期:
    kubectl get certificates -n apigee -o json | jq -r '.items[] | "\(.metadata.name): \(.status.notAfter)"'

    输出示例:

    kubectl get certificates -n apigee -o json | jq -r '.items[] | "\(.metadata.name): \(.status.notAfter)"'

  apigee-cassandra-default: 2034-12-14T04:19:58Z
  apigee-cassandra-schema-setup-demo-hybrid-de-5fdc6d2: 2034-12-14T04:19:58Z
  apigee-cassandra-schema-val-demo-hybrid-de-5fdc6d2: 2034-12-14T04:19:58Z
  apigee-cassandra-user-setup-demo-hybrid-de-5fdc6d2: 2034-12-14T04:19:59Z
  apigee-connect-agent-demo-hybrid-de-5fdc6d2: 2034-12-14T04:20:00Z
  apigee-datastore-guardrails-tls: 2024-12-16T05:20:01Z
  apigee-istiod: 2024-12-18T04:20:02Z
  apigee-mart-demo-hybrid-de-5fdc6d2: 2034-12-14T04:20:02Z
  apigee-metrics-adapter-apigee-telemetry: 2034-12-14T04:20:03Z
  apigee-redis-default: 2034-12-14T04:20:04Z
  apigee-redis-envoy-default: 2034-12-14T04:20:04Z
  apigee-runtime-demo-hybrid-de-dev-b276d3f: 2034-12-14T04:20:04Z
  apigee-serving-cert: 2025-03-16T04:20:04Z
  apigee-synchronizer-demo-hybrid-de-dev-b276d3f: 2034-12-14T04:20:05Z
  apigee-udca-demo-hybrid-de-5fdc6d2: 2034-12-14T04:20:06Z
  apigee-watcher-demo-hybrid-de-5fdc6d2: 2034-12-14T04:20:07Z

必须收集的诊断信息

如果按照上述说明操作后问题仍然存在,请收集以下诊断信息,然后与 Google Cloud Customer Care 联系:

  1. Google Cloud 项目 ID。
  2. Apigee Hybrid 组织。
  3. 来自来源和新区域的 overrides.yaml 文件,遮盖了任何敏感信息。
  4. Apigee Hybrid must-gather 中的命令的输出。
  5. Apigee Hybrid Cassandra must-gather 中的命令输出。