cacerts: the certificate has already been added to the cacerts of the JVM at PENTAHO_JAVA_HOME.
Some debugging results:
- Tomcat with HTTPS (everything works)
- Kettle sends the request
https://pentaho.foo.com:2000/pentaho/webservices/unifiedRepository?wsdl
- Response XML
...<import namespace="http://jaxws.webservices.unified.repository2.platform.pentaho.org/" location="https://pentaho.foo.com:2000/pentaho/webservices/unifiedRepository?wsdl=1"/>...
- Kubernetes NGINX Ingress doing HTTPS (cannot log in via Spoon/Pan/Kitchen)
- Kettle sends the request
https://pentaho.foo.com/pentaho/webservices/unifiedRepository?wsdl
- Response XML
...<import namespace="http://jaxws.webservices.unified.repository2.platform.pentaho.org/" location="http://pentaho.foo.com:80/pentaho/webservices/unifiedRepository?wsdl=1"/>...
With the ingress, the XML response is clearly wrong (the import location comes back as http on port 80)! :(
The Java-based SSL test code does not report any problem and can reach the host successfully.
File: https://gist.github.com/MatthewJDavis/50f3f92660af72c812e21b7ff6b56354#file-sslpoke-java
java SSLPoke pentaho.foo.com 443
But when I try to add it as a repository, it gives me
Pentaho Kettle error - on repository creation
Debugging with the flag -Djavax.net.debug=ssl:handshake:
Inaccessible trust store: /usr/lib/jvm/java-8-openjdk-amd64/jre/lib/security/jssecacerts
trustStore is: /usr/lib/jvm/java-8-openjdk-amd64/jre/lib/security/cacerts
trustStore type is: jks
trustStore provider is:
the last modified time is: Wed Sep 16 13:09:48 IST 2020
adding as trusted cert:
Subject: OU=admin-12@admin, O=mkcert development certificate
Issuer: CN=mkcert admin-12@admin, OU=admin-12@admin, O=mkcert development CA
Algorithm: RSA; Serial number: 0xfdf525f5e29174d29a6d9fdf272f7e2d
Valid from Fri Aug 07 10:49:56 IST 2020 until Wed Aug 07 10:49:56 IST 2030
keyStore is :
keyStore type is : jks
keyStore provider is :
init keystore
init keymanager of type SunX509
trigger seeding of SecureRandom
done seeding SecureRandom
%% Initialized: [Session-1, SSL_NULL_WITH_NULL_NULL]
Allow unsafe renegotiation: false
Allow legacy hello messages: true
Is initial handshake: true
Is secure renegotiation: false
ExecutorUtil thread 1, setSoTimeout(0) called
ExecutorUtil thread 1, the previous server name in SNI (type=host_name (0), value=pentaho.foo.bar.com) was replaced with (type=host_name (0), value=pentaho.foo.bar.com)
Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 for TLSv1
Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 for TLSv1
Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 for TLSv1
Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 for TLSv1
Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 for TLSv1.1
Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 for TLSv1.1
Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA256 for TLSv1.1
Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 for TLSv1.1
Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 for TLSv1.1
Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 for TLSv1.1
Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 for TLSv1.1
%% No cached client session
update handshake state: client_hello[1]
upcoming handshake states: server_hello[2]
*** ClientHello, TLSv1.2
RandomCookie: GMT: 1600302344 bytes = { 215, 164, 52, 11, 45, 219, 213, 140, 206, 38, 86, 195, 163, 188, 25, 47, 75, 214, 247, 18, 83, 220, 50, 235, 248, 20, 245, 238 }
Session ID: {}
Cipher Suites: [TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384, TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, TLS_DHE_DSS_WITH_AES_256_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDH_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_DSS_WITH_AES_256_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384, TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, TLS_DHE_DSS_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_DSS_WITH_AES_128_GCM_SHA256, TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
Compression Methods: { 0 }
Extension elliptic_curves, curve names: {secp256r1, secp384r1, secp521r1}
Extension ec_point_formats, formats: [uncompressed]
Extension signature_algorithms, signature_algorithms: SHA512withECDSA, SHA512withRSA, SHA384withECDSA, SHA384withRSA, SHA256withECDSA, SHA256withRSA, SHA256withDSA, SHA224withECDSA, SHA224withRSA, SHA224withDSA, SHA1withECDSA, SHA1withRSA, SHA1withDSA
Extension extended_master_secret
Extension server_name, server_name: [type=host_name (0), value=pentaho.foo.bar.com]
***
ExecutorUtil thread 1, WRITE: TLSv1.2 Handshake, length = 221
ExecutorUtil thread 1, READ: TLSv1.2 Handshake, length = 97
check handshake state: server_hello[2]
*** ServerHello, TLSv1.2
RandomCookie: GMT: -1958764892 bytes = { 251, 157, 51, 186, 146, 186, 39, 204, 214, 109, 164, 6, 153, 52, 184, 168, 19, 109, 145, 113, 68, 79, 87, 78, 71, 82, 68, 1 }
Session ID: {63, 232, 218, 169, 79, 146, 70, 114, 232, 155, 205, 92, 151, 83, 178, 104, 254, 229, 196, 71, 252, 111, 175, 233, 30, 53, 27, 33, 39, 72, 223, 100}
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
Compression Method: 0
Extension renegotiation_info, renegotiated_connection: <empty>
Extension server_name, server_name:
Extension ec_point_formats, formats: [uncompressed, ansiX962_compressed_prime, ansiX962_compressed_char2]
Extension extended_master_secret
***
%% Initialized: [Session-2, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256]
** TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
update handshake state: server_hello[2]
upcoming handshake states: server certificate[11]
upcoming handshake states: server_key_exchange[12](optional)
upcoming handshake states: certificate_request[13](optional)
upcoming handshake states: server_hello_done[14]
upcoming handshake states: client certificate[11](optional)
upcoming handshake states: client_key_exchange[16]
upcoming handshake states: certificate_verify[15](optional)
upcoming handshake states: client change_cipher_spec[-1]
upcoming handshake states: client finished[20]
upcoming handshake states: server change_cipher_spec[-1]
upcoming handshake states: server finished[20]
ExecutorUtil thread 1, READ: TLSv1.2 Handshake, length = 1215
check handshake state: certificate[11]
update handshake state: certificate[11]
upcoming handshake states: server_key_exchange[12](optional)
upcoming handshake states: certificate_request[13](optional)
upcoming handshake states: server_hello_done[14]
upcoming handshake states: client certificate[11](optional)
upcoming handshake states: client_key_exchange[16]
upcoming handshake states: certificate_verify[15](optional)
upcoming handshake states: client change_cipher_spec[-1]
upcoming handshake states: client finished[20]
upcoming handshake states: server change_cipher_spec[-1]
upcoming handshake states: server finished[20]
*** Certificate chain
chain [0] = [
[
Version: V3
Subject: OU=admin-12@admin, O=mkcert development certificate
Signature Algorithm: SHA256withRSA, OID = 1.2.840.113549.1.1.11
Key: Sun RSA public key, 2048 bits
params: null
modulus: 21433685376114041040745149182505815781912270772653018700590535509921207608162439281834039328083757330095887720079096620554512033127749560544040872427760875583555872074175853984049290057163709076989506633476505786478346189458250294243910996518215008113551658258334897018526288183154659914908029049233175707821210659018932337677431019062030437486974619252895676948455697490340218419465583156992195439596400792025124410012859492335497417585289477924559097950437388777715843250628489521370127014728480087180311820071568136451159127678317922017960457227357858973221219276530291511638062411033545859944937761872570002085931
public exponent: 65537
Validity: [From: Fri Aug 07 10:49:56 IST 2020,
To: Wed Aug 07 10:49:56 IST 2030]
Issuer: CN=mkcert admin-12@admin, OU=admin-12@admin, O=mkcert development CA
SerialNumber: [ fdf525f5 e29174d2 9a6d9fdf 272f7e2d]
Certificate Extensions: 5
[1]: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: 62 A6 70 55 88 35 30 45 46 FA 23 8A 01 45 15 A4 b.pU.50EF.#..E..
0010: 42 BE AF E6 B...
]
]
[2]: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
CA:false
PathLen: undefined
]
[3]: ObjectId: 2.5.29.37 Criticality=false
ExtendedKeyUsages [
serverAuth
]
[4]: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
DigitalSignature
Key_Encipherment
]
[5]: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
DNSName: foo.bar.com
DNSName: pentaho.foo.bar.com
DNSName: carte.foo.bar.com
]
]
Algorithm: [SHA256withRSA]
Signature:
0000: 16 CD 43 D2 15 0D 1F A2 3E EA 53 51 D2 C8 BD 2E ..C.....>.SQ....
...................................................................
]
***
Found trusted certificate:
[
[
Version: V3
Subject: OU=admin-12@admin, O=mkcert development certificate
Signature Algorithm: SHA256withRSA, OID = 1.2.840.113549.1.1.11
Key: Sun RSA public key, 2048 bits
params: null
modulus: 21433685376114041040745149182505815781912270772653018700590535509921207608162439281834039328083757330095887720079096620554512033127749560544040872427760875583555872074175853984049290057163709076989506633476505786478346189458250294243910996518215008113551658258334897018526288183154659914908029049233175707821210659018932337677431019062030437486974619252895676948455697490340218419465583156992195439596400792025124410012859492335497417585289477924559097950437388777715843250628489521370127014728480087180311820071568136451159127678317922017960457227357858973221219276530291511638062411033545859944937761872570002085931
public exponent: 65537
Validity: [From: Fri Aug 07 10:49:56 IST 2020,
To: Wed Aug 07 10:49:56 IST 2030]
Issuer: CN=mkcert admin-12@admin, OU=admin-12@admin, O=mkcert development CA
SerialNumber: [ fdf525f5 e29174d2 9a6d9fdf 272f7e2d]
Certificate Extensions: 5
[1]: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: 62 A6 70 55 88 35 30 45 46 FA 23 8A 01 45 15 A4 b.pU.50EF.#..E..
0010: 42 BE AF E6 B...
]
]
[2]: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
CA:false
PathLen: undefined
]
[3]: ObjectId: 2.5.29.37 Criticality=false
ExtendedKeyUsages [
serverAuth
]
[4]: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
DigitalSignature
Key_Encipherment
]
[5]: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
DNSName: foo.bar.com
DNSName: pentaho.foo.bar.com
DNSName: carte.foo.bar.com
]
]
Algorithm: [SHA256withRSA]
Signature:
0000: 16 CD 43 D2 15 0D 1F A2 3E EA 53 51 D2 C8 BD 2E ..C.....>.SQ....
............................................................................
]
ExecutorUtil thread 1, READ: TLSv1.2 Handshake, length = 333
check handshake state: server_key_exchange[12]
update handshake state: server_key_exchange[12]
upcoming handshake states: certificate_request[13](optional)
upcoming handshake states: server_hello_done[14]
upcoming handshake states: client certificate[11](optional)
upcoming handshake states: client_key_exchange[16]
upcoming handshake states: certificate_verify[15](optional)
upcoming handshake states: client change_cipher_spec[-1]
upcoming handshake states: client finished[20]
upcoming handshake states: server change_cipher_spec[-1]
upcoming handshake states: server finished[20]
*** ECDH ServerKeyExchange
Signature Algorithm SHA256withRSA
Server key: Sun EC public key, 256 bits
public x coord: 89408659874387892020065319059265761454344399716957479583524505551682360440691
public y coord: 107469753139399134434026082789585027826202162136511916890547804290964288764519
parameters: secp256r1 [NIST P-256, X9.62 prime256v1] (1.2.840.10045.3.1.7)
ExecutorUtil thread 1, READ: TLSv1.2 Handshake, length = 4
check handshake state: server_hello_done[14]
update handshake state: server_hello_done[14]
upcoming handshake states: client certificate[11](optional)
upcoming handshake states: client_key_exchange[16]
upcoming handshake states: certificate_verify[15](optional)
upcoming handshake states: client change_cipher_spec[-1]
upcoming handshake states: client finished[20]
upcoming handshake states: server change_cipher_spec[-1]
upcoming handshake states: server finished[20]
*** ServerHelloDone
*** ECDHClientKeyExchange
ECDH Public value: { 4, 245, 145, 23, 62, 214, 101, 163, 165, 200, 78, 121, 179, 238, 123, 233, 12, 40, 22, 41, 254, 19, 118, 172, 241, 201, 201, 126, 99, 98, 5, 65, 64, 80, 28, 163, 148, 86, 21, 151, 1, 121, 188, 187, 140, 235, 131, 41, 225, 18, 53, 188, 59, 189, 98, 214, 88, 84, 157, 168, 135, 178, 181, 37, 140 }
update handshake state: client_key_exchange[16]
upcoming handshake states: certificate_verify[15](optional)
upcoming handshake states: client change_cipher_spec[-1]
upcoming handshake states: client finished[20]
upcoming handshake states: server change_cipher_spec[-1]
upcoming handshake states: server finished[20]
ExecutorUtil thread 1, WRITE: TLSv1.2 Handshake, length = 70
SESSION KEYGEN:
PreMaster Secret:
0000: 0C 5D 91 7D C4 6A 59 C8 EC B3 F3 78 1C 0C 9A D7 .]...jY....x....
0010: 51 C9 99 61 5C 51 6F AC A3 F9 80 F4 D8 F3 74 61 Q..a\Qo.......ta
CONNECTION KEYGEN:
Client Nonce:
0000: 5F 63 AD 08 D7 A4 34 0B 2D DB D5 8C CE 26 56 C3 _c....4.-....&V.
0010: A3 BC 19 2F 4B D6 F7 12 53 DC 32 EB F8 14 F5 EE .../K...S.2.....
Server Nonce:
0000: 8B 40 9F A4 FB 9D 33 BA 92 BA 27 CC D6 6D A4 06 .@....3...'..m..
0010: 99 34 B8 A8 13 6D 91 71 44 4F 57 4E 47 52 44 01 .4...m.qDOWNGRD.
Master Secret:
0000: 33 B7 23 07 29 52 51 7D 6F 1B 8C CB 0B CD 61 54 3.#.)RQ.o.....aT
0010: 5C 43 4D DD 92 D2 BE 87 36 5E 98 FD C7 D7 CF 02 \CM.....6^......
0020: B4 A9 94 CD CF 47 89 8C 17 EC 06 1E 91 6F 2B BC .....G.......o+.
... no MAC keys used for this cipher
Client write key:
0000: C6 D1 B1 2D 9F BF A6 F4 F9 EF C8 00 46 FD CC AE ...-........F...
Server write key:
0000: 34 67 11 85 C7 0A 36 05 6C B6 9D 18 78 17 7D F7 4g....6.l...x...
Client write IV:
0000: 23 FF 9D 3C #..<
Server write IV:
0000: 08 6F 51 BE .oQ.
update handshake state: change_cipher_spec
upcoming handshake states: client finished[20]
upcoming handshake states: server change_cipher_spec[-1]
upcoming handshake states: server finished[20]
ExecutorUtil thread 1, WRITE: TLSv1.2 Change Cipher Spec, length = 1
*** Finished
verify_data: { 78, 109, 100, 187, 181, 109, 228, 107, 237, 122, 12, 232 }
***
update handshake state: finished[20]
upcoming handshake states: server change_cipher_spec[-1]
upcoming handshake states: server finished[20]
ExecutorUtil thread 1, WRITE: TLSv1.2 Handshake, length = 40
ExecutorUtil thread 1, READ: TLSv1.2 Change Cipher Spec, length = 1
update handshake state: change_cipher_spec
upcoming handshake states: server finished[20]
ExecutorUtil thread 1, READ: TLSv1.2 Handshake, length = 40
check handshake state: finished[20]
update handshake state: finished[20]
*** Finished
verify_data: { 221, 58, 81, 74, 41, 6, 75, 85, 95, 48, 118, 52 }
***
%% Cached client session: [Session-2, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256]
ExecutorUtil thread 1, WRITE: TLSv1.2 Application Data, length = 276
ExecutorUtil thread 1, READ: TLSv1.2 Application Data, length = 4120
ExecutorUtil thread 1, called close()
ExecutorUtil thread 1, called closeInternal(true)
ExecutorUtil thread 1, SEND TLSv1.2 ALERT: warning, description = close_notify
ExecutorUtil thread 1, WRITE: TLSv1.2 Alert, length = 26
ExecutorUtil thread 1, called closeSocket(true)
Environment in which this issue occurs:
- Docker
- Kubernetes
Jira issue: https://jira.pentaho.com/browse/PDI-18956
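An added check (not part of the report or of Pentaho) for the WSDL problem described above: it parses a WSDL response and flags every import location whose scheme, host or port differs from the URL the WSDL was fetched from, which is exactly the https:443 to http:80 change seen behind the ingress. The two WSDL fragments are constructed from the snippets quoted in the report.

```python
from urllib.parse import urlparse
import xml.etree.ElementTree as ET

# Constructed WSDL fragments modelled on the two responses quoted in the
# report (not captured from a real server): one served by Tomcat directly,
# one served through the TLS-terminating ingress.
WSDL_DIRECT = (
    '<definitions xmlns="http://schemas.xmlsoap.org/wsdl/">'
    '<import namespace="http://jaxws.webservices.unified.repository2.platform.pentaho.org/" '
    'location="https://pentaho.foo.com:2000/pentaho/webservices/unifiedRepository?wsdl=1"/>'
    '</definitions>'
)
WSDL_INGRESS = (
    '<definitions xmlns="http://schemas.xmlsoap.org/wsdl/">'
    '<import namespace="http://jaxws.webservices.unified.repository2.platform.pentaho.org/" '
    'location="http://pentaho.foo.com:80/pentaho/webservices/unifiedRepository?wsdl=1"/>'
    '</definitions>'
)


def _origin(url):
    """(scheme, host, effective port) of a URL; the port defaults by scheme."""
    u = urlparse(url)
    return u.scheme, u.hostname, u.port or (443 if u.scheme == "https" else 80)


def find_downgraded_imports(wsdl_xml, fetched_from):
    """Return [(location, reason), ...] for every WSDL/XSD import whose
    location differs in scheme, host or port from the URL the WSDL was
    fetched from. An https->http or 443->80 change means a client that
    follows the import leaves the TLS session it started with."""
    scheme, host, port = _origin(fetched_from)
    findings = []
    for elem in ET.fromstring(wsdl_xml).iter():
        loc = elem.get("location") or elem.get("schemaLocation")
        if not loc:
            continue
        l_scheme, l_host, l_port = _origin(loc)
        reasons = []
        if l_scheme != scheme:
            reasons.append(f"scheme {l_scheme} != {scheme}")
        if l_host != host:
            reasons.append(f"host {l_host} != {host}")
        if l_port != port:
            reasons.append(f"port {l_port} != {port}")
        if reasons:
            findings.append((loc, "; ".join(reasons)))
    return findings


if __name__ == "__main__":
    direct = "https://pentaho.foo.com:2000/pentaho/webservices/unifiedRepository?wsdl"
    ingress = "https://pentaho.foo.com/pentaho/webservices/unifiedRepository?wsdl"
    print("direct:", find_downgraded_imports(WSDL_DIRECT, direct) or "imports stay on the fetched origin")
    print("ingress:", find_downgraded_imports(WSDL_INGRESS, ingress) or "imports stay on the fetched origin")
```

A finding for the ingress case is the symptom of a TLS-terminating proxy whose backend is not told the original scheme and port (for Tomcat, a RemoteIpValve honouring X-Forwarded-Proto/X-Forwarded-Port is the usual fix); until that is corrected, a client that follows the advertised location would talk plaintext to port 80.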