IPv6 SSL Certificate Problem

    Tech  2022-07-21

    While adapting the product to IPv6, a request came in that simply could not be sent, no matter what. Let's look at the error first:

    On the Solr side there was no obvious error: the request was received, and the IPv6 address in the URL was wrapped in square brackets, but as soon as SSL verification ran, the request was not retried at all.

    2020-07-02 11:50:28,416 | DEBUG | main | doRequestByHttpClient | org.apache.solr.util.SolrURLTool.doRequestByHttpClient(SolrURLTool.java:153)
    2020-07-02 11:50:28,694 | DEBUG | main | Creating new http client, config: | org.apache.solr.client.solrj.impl.HttpClientUtil.createClient(HttpClientUtil.java:308)
    2020-07-02 11:50:28,792 | DEBUG | main | Setting up SPNego auth with config: /home/huawei/Bigdata/FusionInsight_HD_8.0.0/1_21_SolrServerAdmin/etc/jaas.conf | org.apache.solr.client.solrj.impl.Krb5HttpClientBuilder.getBuilder(Krb5HttpClientBuilder.java:183)
    2020-07-02 11:50:28,944 | DEBUG | main | Request using command:https://[fec0::d910:8:5:158:5]:21101/solr//admin/collections?action=LIST&wt=xml. | org.apache.solr.util.SolrURLTool.getXML(SolrURLTool.java:285)
    2020-07-02 11:50:29,227 | DEBUG | main | Retry http request 1 out of 3 | org.apache.solr.client.solrj.impl.SolrHttpRequestRetryHandler.retryRequest(SolrHttpRequestRetryHandler.java:106)
    2020-07-02 11:50:29,228 | DEBUG | main | Do not retry, non retriable class javax.net.ssl.SSLPeerUnverifiedException | org.apache.solr.client.solrj.impl.SolrHttpRequestRetryHandler.retryRequest(SolrHttpRequestRetryHandler.java:117)

    Our Solr service is deployed in Tomcat, so let's check the Tomcat logs:

    Certificate mismatch: the host name the client is verifying against, [fec0::d910:8:5:158:5] with the brackets included, does not match the common name in the server certificate, fec0::d910:8:5:158:5 without brackets. The trace also shows the verifier fell through to matchCN, the plain string comparison of the CN.

    2020-07-02 11:50:29,214 | DEBUG | main | Certificate for <[fec0::d910:8:5:158:5]> doesn't match common name of the certificate subject: fec0::d910:8:5:158:5 | org.apache.http.conn.ssl.DefaultHostnameVerifier.verify(DefaultHostnameVerifier.java:103)
    javax.net.ssl.SSLPeerUnverifiedException: Certificate for <[fec0::d910:8:5:158:5]> doesn't match common name of the certificate subject: fec0::d910:8:5:158:5
        at org.apache.http.conn.ssl.DefaultHostnameVerifier.matchCN(DefaultHostnameVerifier.java:186) ~[httpclient-4.5.6.jar:4.5.6]
        at org.apache.http.conn.ssl.DefaultHostnameVerifier.verify(DefaultHostnameVerifier.java:133) ~[httpclient-4.5.6.jar:4.5.6]
        at org.apache.http.conn.ssl.DefaultHostnameVerifier.verify(DefaultHostnameVerifier.java:99) [httpclient-4.5.6.jar:4.5.6]
        at org.apache.http.conn.ssl.SSLConnectionSocketFactory.verifyHostname(SSLConnectionSocketFactory.java:463) [httpclient-4.5.6.jar:4.5.6]
        at org.apache.http.conn.ssl.SSLConnectionSocketFactory.createLayeredSocket(SSLConnectionSocketFactory.java:397) [httpclient-4.5.6.jar:4.5.6]
        at org.apache.http.conn.ssl.SSLConnectionSocketFactory.connectSocket(SSLConnectionSocketFactory.java:355) [httpclient-4.5.6.jar:4.5.6]
        at org.apache.http.impl.conn.DefaultHttpClientConnectionOperator.connect(DefaultHttpClientConnectionOperator.java:142) [httpclient-4.5.6.jar:4.5.6]
        at org.apache.http.impl.conn.PoolingHttpClientConnectionManager.connect(PoolingHttpClientConnectionManager.java:373) [httpclient-4.5.6.jar:4.5.6]
        at org.apache.http.impl.execchain.MainClientExec.establishRoute(MainClientExec.java:394) [httpclient-4.5.6.jar:4.5.6]
        at org.apache.http.impl.execchain.MainClientExec.execute(MainClientExec.java:237) [httpclient-4.5.6.jar:4.5.6]
        at org.apache.http.impl.execchain.ProtocolExec.execute(ProtocolExec.java:185) [httpclient-4.5.6.jar:4.5.6]
        at org.apache.http.impl.execchain.RetryExec.execute(RetryExec.java:89) [httpclient-4.5.6.jar:4.5.6]
        at org.apache.http.impl.execchain.RedirectExec.execute(RedirectExec.java:110) [httpclient-4.5.6.jar:4.5.6]
        at org.apache.http.impl.client.InternalHttpClient.doExecute(InternalHttpClient.java:185) [httpclient-4.5.6.jar:4.5.6]
        at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:72) [httpclient-4.5.6.jar:4.5.6]
        at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:221) [httpclient-4.5.6.jar:4.5.6]
        at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:165) [httpclient-4.5.6.jar:4.5.6]
        at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:140) [httpclient-4.5.6.jar:4.5.6]
        at org.apache.solr.util.SolrURLTool.getXML(SolrURLTool.java:287) [solr-core-8.4.0-hw-ei-SNAPSHOT.jar:8.4.0-hw-ei-SNAPSHOT 2020-06-23 07:29:39]
        at org.apache.solr.util.SolrURLTool.getResult(SolrURLTool.java:273) [solr-core-8.4.0-hw-ei-SNAPSHOT.jar:8.4.0-hw-ei-SNAPSHOT 2020-06-23 07:29:39]
        at org.apache.solr.util.SolrURLTool.doRequestByHttpClient(SolrURLTool.java:167) [solr-core-8.4.0-hw-ei-SNAPSHOT.jar:8.4.0-hw-ei-SNAPSHOT 2020-06-23 07:29:39]
        at org.apache.solr.util.SolrURLTool.runImpl(SolrURLTool.java:133) [solr-core-8.4.0-hw-ei-SNAPSHOT.jar:8.4.0-hw-ei-SNAPSHOT 2020-06-23 07:29:39]
        at org.apache.solr.util.SolrCLI$ToolBase.runTool(SolrCLI.java:197) [solr-core-8.4.0-hw-ei-SNAPSHOT.jar:8.4.0-hw-ei-SNAPSHOT 2020-06-23 07:29:39]
        at org.apache.solr.util.SolrURLTool.main(SolrURLTool.java:512) [solr-core-8.4.0-hw-ei-SNAPSHOT.jar:8.4.0-hw-ei-SNAPSHOT 2020-06-23 07:29:39]
    2020-07-02 11:50:29,226 | DEBUG | main | http-outgoing-0: Shutdown connection | org.apache.http.impl.conn.LoggingManagedHttpClientConnection.shutdown(LoggingManagedHttpClientConnection.java:96)

    So we changed the server-side certificate generation logic: when the address is recognised as IPv6, the CN of the generated certificate is [IP], brackets included. After regenerating, the CN field of the server certificate checks out:

    openssl x509 -noout -text -in child.crt
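    To make the mismatch above and the two ways of curing it concrete, here is an added example that is not part of the original post and not code from Solr or Apache HttpClient: a simplified Python model of the decision order the stack trace reveals (SAN entries checked first, the CN compared as a plain string only when the certificate has no SAN at all). The function names host_type, normalise_ip, verify and scenarios, the CN "solr-node" and the zero-expanded SAN value are all mine and are constructed for illustration. It evaluates the bracketed host from the log against the original certificate (bare address in the CN), against the page's fix (CN of the form [IP]) and against the standards-based alternative, a subjectAltName iPAddress entry, which is compared after address normalisation so neither the brackets nor the zero-compression style of the address matters.

```python
import ipaddress

# Simplified model of the hostname-verification decision seen in the stack trace
# (DefaultHostnameVerifier -> matchCN fallback). Illustrative re-implementation,
# not the library's code; assumption: SAN first, literal CN compare only without SAN.


def host_type(host):
    """Classify the requested host as 'ipv4', 'ipv6' or 'dns'.
    A bracketed URL literal such as '[fec0::1]' still counts as ipv6."""
    try:
        ipaddress.IPv4Address(host)
        return "ipv4"
    except ValueError:
        pass
    bare = host[1:-1] if host.startswith("[") and host.endswith("]") else host
    try:
        ipaddress.IPv6Address(bare)
        return "ipv6"
    except ValueError:
        return "dns"


def normalise_ip(addr):
    """Canonical text form of an IP literal with brackets stripped, so that
    'fec0:0:0:d910:8:5:158:5' and '[fec0::d910:8:5:158:5]' compare equal."""
    bare = addr[1:-1] if addr.startswith("[") and addr.endswith("]") else addr
    return ipaddress.ip_address(bare).compressed


def _same_ip(a, b):
    try:
        return normalise_ip(a) == normalise_ip(b)
    except ValueError:  # a malformed SAN value never matches
        return False


def verify(host, cn, sans=()):
    """Return (ok, reason) for a requested host against a certificate described by
    its subject CN and a list of (type, value) SAN entries, type 'IP' or 'DNS'."""
    kind = host_type(host)
    if sans:
        for typ, value in sans:
            if kind in ("ipv4", "ipv6") and typ == "IP" and _same_ip(host, value):
                return True, "matched SAN iPAddress %s" % value
            # exact DNS match only; wildcard handling is out of scope here
            if kind == "dns" and typ == "DNS" and value.lower() == host.lower():
                return True, "matched SAN dNSName %s" % value
        return False, "Certificate for <%s> doesn't match any subject alternative name" % host
    # No SAN present: fall back to a literal, case-insensitive CN comparison.
    # The brackets of an IPv6 URL host are part of that string, hence the failure on this page.
    if host.lower() == cn.lower():
        return True, "matched CN %s" % cn
    return False, ("Certificate for <%s> doesn't match common name of the "
                   "certificate subject: %s" % (host, cn))


# Bracketed host exactly as the log shows the verifier receiving it.
HOST = "[fec0::d910:8:5:158:5]"


def scenarios():
    """The three certificate shapes discussed on this page, evaluated against HOST."""
    return {
        # original certificate: bare address in the CN, no SAN -> the failure in the log
        "cn_bare": verify(HOST, "fec0::d910:8:5:158:5"),
        # the page's fix: the CN carries the brackets, so the string compare succeeds
        "cn_bracket": verify(HOST, "[fec0::d910:8:5:158:5]"),
        # SAN iPAddress (constructed, zero-expanded on purpose): matched after normalisation
        "san_ip": verify(HOST, "solr-node", sans=[("IP", "fec0:0:0:d910:8:5:158:5")]),
    }


if __name__ == "__main__":
    for name, (ok, why) in scenarios().items():
        print("%-11s %s  %s" % (name, "OK  " if ok else "FAIL", why))
```

    The practical takeaway for a defender: the [IP] CN works only because the client happens to fall back to a string compare of the CN, which RFC 2818 already deprecates; a SAN iPAddress entry is what hostname verifiers check first, and it keeps matching even when the address is written with different zero-compression or upper-case hex. When inspecting the regenerated certificate with openssl x509 -noout -text, look for the X509v3 Subject Alternative Name block as well as the Subject CN.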

    Sending the request again, everything works.
