Cassandra TLS 证书验证失败

您正在查看 ApigeeApigee Hybrid 文档。
查看 Apigee Edge 文档。

表现

Cassandra pod 中的 TLS 证书验证流程可能会失败,并显示类似于以下内容的错误: 

Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:456)
at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:323)
at sun.security.validator.Validator.validate(Validator.java:271)
at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:315)
at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:278)
at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:141)
at io.netty.handler.ssl.ReferenceCountedOpenSslClientContext$ExtendedTrustManagerVerifyCallback.verify(ReferenceCountedOpenSslClientContext.java:261)
at io.netty.handler.ssl.ReferenceCountedOpenSslContext$AbstractCertificateVerifier.verify(ReferenceCountedOpenSslContext.java:698)
...
Suppressed: javax.net.ssl.SSLHandshakeException: error:1000007d:SSL routines:OPENSSL_internal:CERTIFICATE_VERIFY_FAILED
at io.netty.handler.ssl.ReferenceCountedOpenSslEngine.sslReadErrorResult(ReferenceCountedOpenSslEngine.java:1309)
at io.netty.handler.ssl.ReferenceCountedOpenSslEngine.unwrap(ReferenceCountedOpenSslEngine.java:1270)
...

可能的原因

原因 说明 适用的问题排查说明
Apigee CA 证书在 Apigee 集群之间不匹配 如果各个集群中的 Apigee CA 证书不匹配,则 Cassandra 中的 TLS 证书验证可能会失败。 Apigee Hybrid

前提条件

  • 您需要安装并配置 kubectl,才能访问 Apigee 集群。
  • 若要设置 JSON 内容的格式,必须使用 jq
  • 如需打印 TLS 证书,必须使用 keytool
  • 如需使用 Cert Manager 重新颁发证书,必须使用 cmctl

原因:Apigee CA 证书在 Apigee 集群之间不匹配

诊断

  1. 使用以下命令读取 apigee-ca 密钥并输出所有集群的 Apigee CA 证书: 
    kubectl -n cert-manager get secret apigee-ca -o json | jq -r '.data["tls.crt"]' | base64 -d | keytool -printcert | grep Version -B 10

    输出示例:

    kubectl -n cert-manager get secret apigee-ca -o json | jq -r '.data["tls.crt"]' | base64 -d | keytool -printcert | grep Version -B 10
Owner: CN=apigee-hybrid, O=apigee + O=cluster.local
Issuer: CN=apigee-hybrid, O=apigee + O=cluster.local
Serial number: afcc2ef957cebfd52b118b0b1622021
Valid from: Wed Oct 30 03:09:23 UTC 2024 until: Sat Oct 28 03:09:23 UTC 2034
Certificate fingerprints:
        SHA1: 32:D9:77:54:B1:FC:CB:6C:9E:28:C1:04:25:49:0D:F5:7C:88:A5:6C
        SHA256: 7C:97:31:3B:56:CD:A3:EF:88:A7:DC:17:AE:D5:F2:A7:6A:48:B3:FC:AA:04:F0:6B:9F:43:C4:5C:6E:15:DE:37
Signature algorithm name: SHA256withECDSA
Subject Public Key Algorithm: 256-bit EC (secp256r1) key
Version: 3
  2. 读取 apigee-cassandra-default-tls 密文,并验证在生成 Cassandra 证书时是否使用了上述 Apigee CA 证书。apigee-cassandra-default-tls Secret 包含 ca.crt 下的 Apigee CA 证书: 
    kubectl -n apigee get secret apigee-cassandra-default-tls -o json | jq -r '.data["ca.crt"]' | base64 -d | keytool -printcert | grep Version -B 10

    输出示例:

    kubectl -n apigee get secret apigee-cassandra-default-tls -o json | jq -r '.data["ca.crt"]' | base64 -d | keytool -printcert | grep Version -B 10
Owner: CN=apigee-hybrid, O=apigee + O=cluster.local
Issuer: CN=apigee-hybrid, O=apigee + O=cluster.local
Serial number: afcc2ef957cebfd52b118b0b1622021
Valid from: Wed Oct 30 03:09:23 UTC 2024 until: Sat Oct 28 03:09:23 UTC 2034
Certificate fingerprints:
        SHA1: 32:D9:77:54:B1:FC:CB:6C:9E:28:C1:04:25:49:0D:F5:7C:88:A5:6C
        SHA256: 7C:97:31:3B:56:CD:A3:EF:88:A7:DC:17:AE:D5:F2:A7:6A:48:B3:FC:AA:04:F0:6B:9F:43:C4:5C:6E:15:DE:37
Signature algorithm name: SHA256withECDSA
Subject Public Key Algorithm: 256-bit EC (secp256r1) key
Version: 3
  3. 在上例中,apigee-ca Secret 中找到的 Apigee CA 证书的序列号与 apigee-cassandra-default-tls Secret 中找到的 Apigee CA 证书的序列号 afcc2ef957cebfd52b118b0b1622021 一致。这确认 Cassandra 证书已由同一 Apigee CA 证书签名。 我们可以按照以下步骤进一步验证。
  4. 提取 Apigee CA 证书 pem 文件: 
    kubectl -n cert-manager get secret apigee-ca -o json | jq -r '.data["tls.crt"]' | base64 -d > apigee-ca.crt

    输出示例:

    kubectl -n cert-manager get secret apigee-ca -o json | jq -r '.data["tls.crt"]' | base64 -d > apigee-ca.crt
cat apigee-ca.crt
-----BEGIN CERTIFICATE-----
MIIBvjCCAWSgAwIBAgIQCvzC75V86/1SsRiwsWIgITAKBggqhkjOPQQDAjA/MSUw
DQYDVQQKEwZhcGlnZWUwFAYDVQQKEw1jbHVzdGVyLmxvY2FsMRYwFAYDVQQDEw1h
cGlnZWUtaHlicmlkMB4XDTI0MTAzMDAzMDkyM1oXDTM0MTAyODAzMDkyM1owPzEl
MA0GA1UEChMGYXBpZ2VlMBQGA1UEChMNY2x1c3Rlci5sb2NhbDEWMBQGA1UEAxMN
YXBpZ2VlLWh5YnJpZDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABNSow7pxNvjj
R/jV66nY/w/tn22tu7oXyZS8tAFBnP7D2fFfIdk4tJub3gw/CsoyNa1cKXwAt7Tw
SLp1iGJ3CY+jQjBAMA4GA1UdDwEB/wQEAwICpDAPBgNVHRMBAf8EBTADAQH/MB0G
A1UdDgQWBBRSjN/cNNbg2kvmddskzdurglxuwTAKBggqhkjOPQQDAgNIADBFAiBp
pCgNNC8TVEgF8jR5RK9dXZJRcNY39nFY4DqbH6bUJwIhAPdzx5gee3BIWYwlQAYX
CgtCf4blLNq3KlBWTO993XoY
-----END CERTIFICATE-----
  5. 解压缩 Cassandra 证书 pem 文件: 
    kubectl -n apigee get secrets apigee-cassandra-default-tls -o json | jq -r '.data["tls.crt"]' | base64 -d > apigee-cassandra-default-tls.crt

    输出示例:

    kubectl -n apigee get secrets apigee-cassandra-default-tls -o json | jq -r '.data["tls.crt"]' | base64 -d > apigee-cassandra-default-tls.crt
cat apigee-cassandra-default-tls.crt
-----BEGIN CERTIFICATE-----
MIIDSDCCAu6gAwIBAgIQZcYk/VOfGUQEzpLbAvyyNjAKBggqhkjOPQQDAjA/MSUw
DQYDVQQKEwZhcGlnZWUwFAYDVQQKEw1jbHVzdGVyLmxvY2FsMRYwFAYDVQQDEw1h
cGlnZWUtaHlicmlkMB4XDTI0MTAzMDAzMTAyMFoXDTM0MTAyODAzMTAyMFowPDE6
MDgGA1UEAxMxYXBpZ2VlLWNhc3NhbmRyYS1kZWZhdWx0LmFwaWdlZS5zdmMuY2x1
c3Rlci5sb2NhbDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAM6k8YyB
m/AV9cgexU8fZ4OFw8M72oxWEF44sFezZB7NpCqIFBxAM/7iL0tF2qU4S4gpcabD
bn30fKKID8651Kytc7KHGT13Nlj9vQRjd0HJD8Qa8YtRcmGKtp+1fbQOcMPxvuNA
CzaQyuPwieYKc6D9DpDDkPPCmjVwfaxHmNpdswrt0NQbSecg/xZPXbpzOZ6bUFha
2vTvSTomiDKIPGhWrMnEMJDjFyjpdYND74HnYgw1XGnC4SQNts/kvXligbVmW+Rz
oyV7n99eN6cE5J/FHDgiHrBRZUw8ujP2l/p7Y96NcMBnXCsQu6RsCDltXqX1f1pG
sIjUAFAZZvM0pDECAwEAAaOCAQIwgf8wDgYDVR0PAQH/BAQDAgWgMB0GA1UdJQQW
MBQGCCsGAQUFBwMCBggrBgEFBQcDATAMBgNVHRMBAf8EAjAAMB8GA1UdIwQYMBaA
FFKM39w01uDaS+Z12yTN26uCXG7BMIGeBgNVHREEgZYwgZOCGGFwaWdlZS1jYXNz
YW5kcmEtZGVmYXVsdIIfYXBpZ2VlLWNhc3NhbmRyYS1kZWZhdWx0LmFwaWdlZYIj
YXBpZ2VlLWNhc3NhbmRyYS1kZWZhdWx0LmFwaWdlZS5zdmOCMWFwaWdlZS1jYXNz
YW5kcmEtZGVmYXVsdC5hcGlnZWUuc3ZjLmNsdXN0ZXIubG9jYWwwCgYIKoZIzj0E
AwIDSAAwRQIhANt7WYfSbS4a14Fvf3IXcG+/p3iEGg61suK8jOxtgJMyAiBG3z7Y
kgR7SWNzSoom4Oznq9NSub7v75kfQJFKEtP0Mg==
-----END CERTIFICATE-----
  6. 使用 Apigee CA 证书验证 Cassandra 证书: 
    openssl verify -CAfile apigee-ca.crt apigee-cassandra-default-tls.crt

    成功示例输出:

    openssl verify -CAfile apigee-ca.crt apigee-cassandra-default-tls.crt
apigee-cassandra-default-tls.crt: OK

    失败示例输出:

    openssl verify -CAfile apigee-ca.crt apigee-cassandra-default-tls.crt
CN = apigee-cassandra-default.apigee.svc.cluster.local
error 20 at 0 depth lookup: unable to get local issuer certificate
error apigee-cassandra-default-tls.crt: verification failed

解决方法

  1. 选择具有正确 Apigee CA 证书的 Apigee 集群。
  2. 将 Apigee CA 证书密钥从该集群导出到文件: 
    kubectl -n cert-manager get secret apigee-ca -o yaml > apigee-ca.yaml
  3. 将上述 Apigee CA 证书 Secret 应用于所有其他集群,具体方法是一次选择一个集群,在所有集群中执行所有剩余步骤: 
    kubectl -n cert-manager apply -f apigee-ca.yaml
  4. apigee 命名空间中可用的所有现有证书导出到备份文件: 
    kubectl -n apigee get certificates --all -o yaml > all-certificates.yaml
  5. 执行以下 cmctl 命令,重新颁发 apigee 命名空间中找到的所有证书: 
    cmctl renew --namespace=apigee --all

    输出示例:

    cmctl renew --namespace=apigee --all

  Manually triggered issuance of Certificate apigee/apigee-cassandra-default
  Manually triggered issuance of Certificate apigee/apigee-cassandra-schema-setup-demo-hybrid-de-5fdc6d2
  Manually triggered issuance of Certificate apigee/apigee-cassandra-schema-val-demo-hybrid-de-5fdc6d2
  Manually triggered issuance of Certificate apigee/apigee-cassandra-user-setup-demo-hybrid-de-5fdc6d2
  Manually triggered issuance of Certificate apigee/apigee-connect-agent-demo-hybrid-de-5fdc6d2
  Manually triggered issuance of Certificate apigee/apigee-datastore-guardrails-tls
  Manually triggered issuance of Certificate apigee/apigee-istiod
  Manually triggered issuance of Certificate apigee/apigee-mart-demo-hybrid-de-5fdc6d2
  Manually triggered issuance of Certificate apigee/apigee-metrics-adapter-apigee-telemetry
  Manually triggered issuance of Certificate apigee/apigee-redis-default
  Manually triggered issuance of Certificate apigee/apigee-redis-envoy-default
  Manually triggered issuance of Certificate apigee/apigee-runtime-demo-hybrid-de-dev-b276d3f
  Manually triggered issuance of Certificate apigee/apigee-serving-cert
  Manually triggered issuance of Certificate apigee/apigee-synchronizer-demo-hybrid-de-dev-b276d3f
  Manually triggered issuance of Certificate apigee/apigee-udca-demo-hybrid-de-5fdc6d2
  Manually triggered issuance of Certificate apigee/apigee-watcher-demo-hybrid-de-5fdc6d2

    此步骤应使用新导入的 Apigee CA 证书重新颁发所有 Apigee 运行时证书,这应该可以解决此问题。

  6. 根据世界协调时间 (UTC) 检查所有证书的签发日期,并验证证书是否已重新签发: 
    kubectl get certificates -n apigee -o json | jq -r '.items[] | "\(.metadata.name): \(.status.notBefore)"'
date -u

    输出示例:

    kubectl get certificates -n apigee -o json | jq -r '.items[] | "\(.metadata.name): \(.status.notBefore)"'

  apigee-cassandra-default: 2024-12-16T04:19:58Z
  apigee-cassandra-schema-setup-demo-hybrid-de-5fdc6d2: 2024-12-16T04:19:58Z
  apigee-cassandra-schema-val-demo-hybrid-de-5fdc6d2: 2024-12-16T04:19:58Z
  apigee-cassandra-user-setup-demo-hybrid-de-5fdc6d2: 2024-12-16T04:19:59Z
  apigee-connect-agent-demo-hybrid-de-5fdc6d2: 2024-12-16T04:20:00Z
  apigee-datastore-guardrails-tls: 2024-12-16T04:20:01Z
  apigee-istiod: 2024-12-16T04:20:02Z
  apigee-mart-demo-hybrid-de-5fdc6d2: 2024-12-16T04:20:02Z
  apigee-metrics-adapter-apigee-telemetry: 2024-12-16T04:20:03Z
  apigee-redis-default: 2024-12-16T04:20:04Z
  apigee-redis-envoy-default: 2024-12-16T04:20:04Z
  apigee-runtime-demo-hybrid-de-dev-b276d3f: 2024-12-16T04:20:04Z
  apigee-serving-cert: 2024-12-16T04:20:04Z
  apigee-synchronizer-demo-hybrid-de-dev-b276d3f: 2024-12-16T04:20:05Z
  apigee-udca-demo-hybrid-de-5fdc6d2: 2024-12-16T04:20:06Z
  apigee-watcher-demo-hybrid-de-5fdc6d2: 2024-12-16T04:20:07Z

  date -u
  Mon Dec 16 04:23:45 AM UTC 2024
  7. 检查所有证书的到期日期,并确认已相应延长: 
    kubectl get certificates -n apigee -o json | jq -r '.items[] | "\(.metadata.name): \(.status.notAfter)"'

    输出示例:

    kubectl get certificates -n apigee -o json | jq -r '.items[] | "\(.metadata.name): \(.status.notAfter)"'

  apigee-cassandra-default: 2034-12-14T04:19:58Z
  apigee-cassandra-schema-setup-demo-hybrid-de-5fdc6d2: 2034-12-14T04:19:58Z
  apigee-cassandra-schema-val-demo-hybrid-de-5fdc6d2: 2034-12-14T04:19:58Z
  apigee-cassandra-user-setup-demo-hybrid-de-5fdc6d2: 2034-12-14T04:19:59Z
  apigee-connect-agent-demo-hybrid-de-5fdc6d2: 2034-12-14T04:20:00Z
  apigee-datastore-guardrails-tls: 2024-12-16T05:20:01Z
  apigee-istiod: 2024-12-18T04:20:02Z
  apigee-mart-demo-hybrid-de-5fdc6d2: 2034-12-14T04:20:02Z
  apigee-metrics-adapter-apigee-telemetry: 2034-12-14T04:20:03Z
  apigee-redis-default: 2034-12-14T04:20:04Z
  apigee-redis-envoy-default: 2034-12-14T04:20:04Z
  apigee-runtime-demo-hybrid-de-dev-b276d3f: 2034-12-14T04:20:04Z
  apigee-serving-cert: 2025-03-16T04:20:04Z
  apigee-synchronizer-demo-hybrid-de-dev-b276d3f: 2034-12-14T04:20:05Z
  apigee-udca-demo-hybrid-de-5fdc6d2: 2034-12-14T04:20:06Z
  apigee-watcher-demo-hybrid-de-5fdc6d2: 2034-12-14T04:20:07Z

必须收集的诊断信息

如果按照上述说明操作后问题仍然存在,请收集以下诊断信息,然后与 Google Cloud Customer Care 联系:

  1. Google Cloud 项目 ID。
  2. Apigee Hybrid 组织。
  3. 来自来源和新区域的 overrides.yaml 文件,遮盖了任何敏感信息。
  4. Apigee Hybrid 必需收集中的命令的输出。
  5. Apigee Hybrid Cassandra 必须收集中的命令的输出。