Cassandra TLS 憑證驗證失敗

您正在查看 ApigeeApigee Hybrid 說明文件。
查看 Apigee Edge 說明文件。

問題

Cassandra 叢集中的 TLS 憑證驗證程序可能會失敗,並顯示類似以下的錯誤訊息:

Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:456)
at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:323)
at sun.security.validator.Validator.validate(Validator.java:271)
at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:315)
at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:278)
at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:141)
at io.netty.handler.ssl.ReferenceCountedOpenSslClientContext$ExtendedTrustManagerVerifyCallback.verify(ReferenceCountedOpenSslClientContext.java:261)
at io.netty.handler.ssl.ReferenceCountedOpenSslContext$AbstractCertificateVerifier.verify(ReferenceCountedOpenSslContext.java:698)
...
Suppressed: javax.net.ssl.SSLHandshakeException: error:1000007d:SSL routines:OPENSSL_internal:CERTIFICATE_VERIFY_FAILED
at io.netty.handler.ssl.ReferenceCountedOpenSslEngine.sslReadErrorResult(ReferenceCountedOpenSslEngine.java:1309)
at io.netty.handler.ssl.ReferenceCountedOpenSslEngine.unwrap(ReferenceCountedOpenSslEngine.java:1270)
...

可能的原因

原因 說明 適用於以下裝置的疑難排解操作說明:
Apigee CA 憑證在 Apigee 叢集之間不相符 如果 Apigee CA 憑證在叢集之間不相符,則 Cassandra 中的 TLS 憑證驗證可能會失敗。 Apigee Hybrid

必要條件

  • 您必須安裝及設定 kubectl,才能存取 Apigee 叢集。
  • 如要設定 JSON 內容的格式,必須使用 jq
  • 列印 TLS 憑證時,必須使用 keytool
  • 如要使用 Certificate Manager 重新核發憑證,必須使用 cmctl

原因:Apigee CA 憑證在 Apigee 叢集之間不相符

診斷

  1. 使用下列指令讀取 apigee-ca 密鑰,並列印所有叢集的 Apigee CA 憑證:
    kubectl -n cert-manager get secret apigee-ca -o json | jq -r '.data["tls.crt"]' | base64 -d | keytool -printcert | grep Version -B 10

    輸出內容範例:

    kubectl -n cert-manager get secret apigee-ca -o json | jq -r '.data["tls.crt"]' | base64 -d | keytool -printcert | grep Version -B 10
Owner: CN=apigee-hybrid, O=apigee + O=cluster.local
Issuer: CN=apigee-hybrid, O=apigee + O=cluster.local
Serial number: afcc2ef957cebfd52b118b0b1622021
Valid from: Wed Oct 30 03:09:23 UTC 2024 until: Sat Oct 28 03:09:23 UTC 2034
Certificate fingerprints:
        SHA1: 32:D9:77:54:B1:FC:CB:6C:9E:28:C1:04:25:49:0D:F5:7C:88:A5:6C
        SHA256: 7C:97:31:3B:56:CD:A3:EF:88:A7:DC:17:AE:D5:F2:A7:6A:48:B3:FC:AA:04:F0:6B:9F:43:C4:5C:6E:15:DE:37
Signature algorithm name: SHA256withECDSA
Subject Public Key Algorithm: 256-bit EC (secp256r1) key
Version: 3
  2. 請讀取 apigee-cassandra-default-tls 密鑰,並驗證產生 Cassandra 憑證時是否使用上述 Apigee CA 憑證。apigee-cassandra-default-tls 祕密包含 ca.crt 下的 Apigee CA 憑證:
    kubectl -n apigee get secret apigee-cassandra-default-tls -o json | jq -r '.data["ca.crt"]' | base64 -d | keytool -printcert | grep Version -B 10

    輸出內容範例:

    kubectl -n apigee get secret apigee-cassandra-default-tls -o json | jq -r '.data["ca.crt"]' | base64 -d | keytool -printcert | grep Version -B 10
Owner: CN=apigee-hybrid, O=apigee + O=cluster.local
Issuer: CN=apigee-hybrid, O=apigee + O=cluster.local
Serial number: afcc2ef957cebfd52b118b0b1622021
Valid from: Wed Oct 30 03:09:23 UTC 2024 until: Sat Oct 28 03:09:23 UTC 2034
Certificate fingerprints:
        SHA1: 32:D9:77:54:B1:FC:CB:6C:9E:28:C1:04:25:49:0D:F5:7C:88:A5:6C
        SHA256: 7C:97:31:3B:56:CD:A3:EF:88:A7:DC:17:AE:D5:F2:A7:6A:48:B3:FC:AA:04:F0:6B:9F:43:C4:5C:6E:15:DE:37
Signature algorithm name: SHA256withECDSA
Subject Public Key Algorithm: 256-bit EC (secp256r1) key
Version: 3
  3. 在上述範例中,apigee-ca 祕密中找到的 Apigee CA 憑證序號,與 apigee-cassandra-default-tls 祕密中找到的 Apigee CA 憑證相符:afcc2ef957cebfd52b118b0b1622021。這表示 Cassandra 憑證已由相同的 Apigee CA 憑證簽署。我們可以按照下列步驟進一步驗證。
  4. 擷取 Apigee CA 憑證 PEM 檔案:
    kubectl -n cert-manager get secret apigee-ca -o json | jq -r '.data["tls.crt"]' | base64 -d > apigee-ca.crt

    輸出內容範例:

    kubectl -n cert-manager get secret apigee-ca -o json | jq -r '.data["tls.crt"]' | base64 -d > apigee-ca.crt
cat apigee-ca.crt
-----BEGIN CERTIFICATE-----
MIIBvjCCAWSgAwIBAgIQCvzC75V86/1SsRiwsWIgITAKBggqhkjOPQQDAjA/MSUw
DQYDVQQKEwZhcGlnZWUwFAYDVQQKEw1jbHVzdGVyLmxvY2FsMRYwFAYDVQQDEw1h
cGlnZWUtaHlicmlkMB4XDTI0MTAzMDAzMDkyM1oXDTM0MTAyODAzMDkyM1owPzEl
MA0GA1UEChMGYXBpZ2VlMBQGA1UEChMNY2x1c3Rlci5sb2NhbDEWMBQGA1UEAxMN
YXBpZ2VlLWh5YnJpZDBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABNSow7pxNvjj
R/jV66nY/w/tn22tu7oXyZS8tAFBnP7D2fFfIdk4tJub3gw/CsoyNa1cKXwAt7Tw
SLp1iGJ3CY+jQjBAMA4GA1UdDwEB/wQEAwICpDAPBgNVHRMBAf8EBTADAQH/MB0G
A1UdDgQWBBRSjN/cNNbg2kvmddskzdurglxuwTAKBggqhkjOPQQDAgNIADBFAiBp
pCgNNC8TVEgF8jR5RK9dXZJRcNY39nFY4DqbH6bUJwIhAPdzx5gee3BIWYwlQAYX
CgtCf4blLNq3KlBWTO993XoY
-----END CERTIFICATE-----
  5. 擷取 Cassandra 憑證 PEM 檔案:
    kubectl -n apigee get secrets apigee-cassandra-default-tls -o json | jq -r '.data["tls.crt"]' | base64 -d > apigee-cassandra-default-tls.crt

    輸出內容範例:

    kubectl -n apigee get secrets apigee-cassandra-default-tls -o json | jq -r '.data["tls.crt"]' | base64 -d > apigee-cassandra-default-tls.crt
cat apigee-cassandra-default-tls.crt
-----BEGIN CERTIFICATE-----
MIIDSDCCAu6gAwIBAgIQZcYk/VOfGUQEzpLbAvyyNjAKBggqhkjOPQQDAjA/MSUw
DQYDVQQKEwZhcGlnZWUwFAYDVQQKEw1jbHVzdGVyLmxvY2FsMRYwFAYDVQQDEw1h
cGlnZWUtaHlicmlkMB4XDTI0MTAzMDAzMTAyMFoXDTM0MTAyODAzMTAyMFowPDE6
MDgGA1UEAxMxYXBpZ2VlLWNhc3NhbmRyYS1kZWZhdWx0LmFwaWdlZS5zdmMuY2x1
c3Rlci5sb2NhbDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAM6k8YyB
m/AV9cgexU8fZ4OFw8M72oxWEF44sFezZB7NpCqIFBxAM/7iL0tF2qU4S4gpcabD
bn30fKKID8651Kytc7KHGT13Nlj9vQRjd0HJD8Qa8YtRcmGKtp+1fbQOcMPxvuNA
CzaQyuPwieYKc6D9DpDDkPPCmjVwfaxHmNpdswrt0NQbSecg/xZPXbpzOZ6bUFha
2vTvSTomiDKIPGhWrMnEMJDjFyjpdYND74HnYgw1XGnC4SQNts/kvXligbVmW+Rz
oyV7n99eN6cE5J/FHDgiHrBRZUw8ujP2l/p7Y96NcMBnXCsQu6RsCDltXqX1f1pG
sIjUAFAZZvM0pDECAwEAAaOCAQIwgf8wDgYDVR0PAQH/BAQDAgWgMB0GA1UdJQQW
MBQGCCsGAQUFBwMCBggrBgEFBQcDATAMBgNVHRMBAf8EAjAAMB8GA1UdIwQYMBaA
FFKM39w01uDaS+Z12yTN26uCXG7BMIGeBgNVHREEgZYwgZOCGGFwaWdlZS1jYXNz
YW5kcmEtZGVmYXVsdIIfYXBpZ2VlLWNhc3NhbmRyYS1kZWZhdWx0LmFwaWdlZYIj
YXBpZ2VlLWNhc3NhbmRyYS1kZWZhdWx0LmFwaWdlZS5zdmOCMWFwaWdlZS1jYXNz
YW5kcmEtZGVmYXVsdC5hcGlnZWUuc3ZjLmNsdXN0ZXIubG9jYWwwCgYIKoZIzj0E
AwIDSAAwRQIhANt7WYfSbS4a14Fvf3IXcG+/p3iEGg61suK8jOxtgJMyAiBG3z7Y
kgR7SWNzSoom4Oznq9NSub7v75kfQJFKEtP0Mg==
-----END CERTIFICATE-----
  6. 使用 Apigee CA 憑證驗證 Cassandra 憑證:
    openssl verify -CAfile apigee-ca.crt apigee-cassandra-default-tls.crt

    成功輸出內容範例:

    openssl verify -CAfile apigee-ca.crt apigee-cassandra-default-tls.crt
apigee-cassandra-default-tls.crt: OK

    輸出內容失敗示例:

    openssl verify -CAfile apigee-ca.crt apigee-cassandra-default-tls.crt
CN = apigee-cassandra-default.apigee.svc.cluster.local
error 20 at 0 depth lookup: unable to get local issuer certificate
error apigee-cassandra-default-tls.crt: verification failed

解決方法

  1. 選取具有正確 Apigee CA 憑證的 Apigee 叢集。
  2. 從該叢集將 Apigee CA 憑證機密資料匯出至檔案:
    kubectl -n cert-manager get secret apigee-ca -o yaml > apigee-ca.yaml
  3. 將上述 Apigee CA 憑證密鑰套用至所有其他叢集,方法是一次選取一個叢集,然後在所有叢集中執行所有剩餘步驟:
    kubectl -n cert-manager apply -f apigee-ca.yaml
  4. apigee 命名空間中所有現有的憑證匯出至備份檔案:
    kubectl -n apigee get certificates --all -o yaml > all-certificates.yaml
  5. 執行下列 cmctl 指令,重新發布 apigee 命名空間中找到的所有憑證:
    cmctl renew --namespace=apigee --all

    輸出內容範例:

    cmctl renew --namespace=apigee --all

  Manually triggered issuance of Certificate apigee/apigee-cassandra-default
  Manually triggered issuance of Certificate apigee/apigee-cassandra-schema-setup-demo-hybrid-de-5fdc6d2
  Manually triggered issuance of Certificate apigee/apigee-cassandra-schema-val-demo-hybrid-de-5fdc6d2
  Manually triggered issuance of Certificate apigee/apigee-cassandra-user-setup-demo-hybrid-de-5fdc6d2
  Manually triggered issuance of Certificate apigee/apigee-connect-agent-demo-hybrid-de-5fdc6d2
  Manually triggered issuance of Certificate apigee/apigee-datastore-guardrails-tls
  Manually triggered issuance of Certificate apigee/apigee-istiod
  Manually triggered issuance of Certificate apigee/apigee-mart-demo-hybrid-de-5fdc6d2
  Manually triggered issuance of Certificate apigee/apigee-metrics-adapter-apigee-telemetry
  Manually triggered issuance of Certificate apigee/apigee-redis-default
  Manually triggered issuance of Certificate apigee/apigee-redis-envoy-default
  Manually triggered issuance of Certificate apigee/apigee-runtime-demo-hybrid-de-dev-b276d3f
  Manually triggered issuance of Certificate apigee/apigee-serving-cert
  Manually triggered issuance of Certificate apigee/apigee-synchronizer-demo-hybrid-de-dev-b276d3f
  Manually triggered issuance of Certificate apigee/apigee-udca-demo-hybrid-de-5fdc6d2
  Manually triggered issuance of Certificate apigee/apigee-watcher-demo-hybrid-de-5fdc6d2

    這個步驟應使用新匯入的 Apigee CA 憑證重新發出所有 Apigee 執行階段憑證,並且應能解決這個問題。

  6. 請根據世界標準時間查看所有憑證的核發日期,並確認是否已重新核發:
    kubectl get certificates -n apigee -o json | jq -r '.items[] | "\(.metadata.name): \(.status.notBefore)"'
date -u

    輸出內容範例:

    kubectl get certificates -n apigee -o json | jq -r '.items[] | "\(.metadata.name): \(.status.notBefore)"'

  apigee-cassandra-default: 2024-12-16T04:19:58Z
  apigee-cassandra-schema-setup-demo-hybrid-de-5fdc6d2: 2024-12-16T04:19:58Z
  apigee-cassandra-schema-val-demo-hybrid-de-5fdc6d2: 2024-12-16T04:19:58Z
  apigee-cassandra-user-setup-demo-hybrid-de-5fdc6d2: 2024-12-16T04:19:59Z
  apigee-connect-agent-demo-hybrid-de-5fdc6d2: 2024-12-16T04:20:00Z
  apigee-datastore-guardrails-tls: 2024-12-16T04:20:01Z
  apigee-istiod: 2024-12-16T04:20:02Z
  apigee-mart-demo-hybrid-de-5fdc6d2: 2024-12-16T04:20:02Z
  apigee-metrics-adapter-apigee-telemetry: 2024-12-16T04:20:03Z
  apigee-redis-default: 2024-12-16T04:20:04Z
  apigee-redis-envoy-default: 2024-12-16T04:20:04Z
  apigee-runtime-demo-hybrid-de-dev-b276d3f: 2024-12-16T04:20:04Z
  apigee-serving-cert: 2024-12-16T04:20:04Z
  apigee-synchronizer-demo-hybrid-de-dev-b276d3f: 2024-12-16T04:20:05Z
  apigee-udca-demo-hybrid-de-5fdc6d2: 2024-12-16T04:20:06Z
  apigee-watcher-demo-hybrid-de-5fdc6d2: 2024-12-16T04:20:07Z

  date -u
  Mon Dec 16 04:23:45 AM UTC 2024
  7. 檢查所有憑證的到期日,並確認已相應延長:
    kubectl get certificates -n apigee -o json | jq -r '.items[] | "\(.metadata.name): \(.status.notAfter)"'

    輸出內容範例:

    kubectl get certificates -n apigee -o json | jq -r '.items[] | "\(.metadata.name): \(.status.notAfter)"'

  apigee-cassandra-default: 2034-12-14T04:19:58Z
  apigee-cassandra-schema-setup-demo-hybrid-de-5fdc6d2: 2034-12-14T04:19:58Z
  apigee-cassandra-schema-val-demo-hybrid-de-5fdc6d2: 2034-12-14T04:19:58Z
  apigee-cassandra-user-setup-demo-hybrid-de-5fdc6d2: 2034-12-14T04:19:59Z
  apigee-connect-agent-demo-hybrid-de-5fdc6d2: 2034-12-14T04:20:00Z
  apigee-datastore-guardrails-tls: 2024-12-16T05:20:01Z
  apigee-istiod: 2024-12-18T04:20:02Z
  apigee-mart-demo-hybrid-de-5fdc6d2: 2034-12-14T04:20:02Z
  apigee-metrics-adapter-apigee-telemetry: 2034-12-14T04:20:03Z
  apigee-redis-default: 2034-12-14T04:20:04Z
  apigee-redis-envoy-default: 2034-12-14T04:20:04Z
  apigee-runtime-demo-hybrid-de-dev-b276d3f: 2034-12-14T04:20:04Z
  apigee-serving-cert: 2025-03-16T04:20:04Z
  apigee-synchronizer-demo-hybrid-de-dev-b276d3f: 2034-12-14T04:20:05Z
  apigee-udca-demo-hybrid-de-5fdc6d2: 2034-12-14T04:20:06Z
  apigee-watcher-demo-hybrid-de-5fdc6d2: 2034-12-14T04:20:07Z

必須收集診斷資訊

如果問題在按照上述操作說明後仍未解決,請收集下列診斷資訊,然後與 Google Cloud Customer Care 團隊聯絡:

  1. Google Cloud 專案 ID。
  2. Apigee Hybrid 機構。
  3. 來自來源和新區域的 overrides.yaml 檔案,會遮蓋任何機密資訊。
  4. Apigee hybrid 必須收集指令的輸出內容。
  5. Apigee hybrid Cassandra 必須收集指令的輸出內容。