megaease-cloud easeagent Certificate chain is not valid #315

yinyuncan opened this issue May 17, 2023 · 5 comments

@yinyuncan

Describe the bug

2023-05-17 16:28:55,729 [      main]  INFO  Bootstrap - [/] start agent http server on port:9900
2023-05-17 16:28:55,774 [      main]  WARN tProcessor - [/] get env EASEMESH_TAGS result: `null` to map fail. argument "content" is null
Exception in thread "main" java.lang.reflect.InvocationTargetException
        at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:77)
        at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.base/java.lang.reflect.Method.invoke(Method.java:568)
        at java.instrument/sun.instrument.InstrumentationImpl.loadClassAndStartAgent(InstrumentationImpl.java:491)
        at java.instrument/sun.instrument.InstrumentationImpl.loadClassAndCallPremain(InstrumentationImpl.java:503)
Caused by: java.lang.reflect.InvocationTargetException
        at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:77)
        at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.base/java.lang.reflect.Method.invoke(Method.java:568)
        at com.megaease.easeagent.Main.lambda$premain$1(Main.java:81)
        at com.megaease.easeagent.Main.switchLoggingProperty(Main.java:134)
        at com.megaease.easeagent.Main.premain(Main.java:77)
        ... 6 more
Caused by: java.security.KeyStoreException: Certificate chain is not valid
        at java.base/sun.security.pkcs12.PKCS12KeyStore.setKeyEntry(PKCS12KeyStore.java:646)
        at java.base/sun.security.pkcs12.PKCS12KeyStore.engineSetKeyEntry(PKCS12KeyStore.java:589)
        at java.base/sun.security.util.KeyStoreDelegator.engineSetKeyEntry(KeyStoreDelegator.java:112)
        at java.base/java.security.KeyStore.setKeyEntry(KeyStore.java:1167)
        at easeagent.okhttp3.tls.internal.TlsUtil.newKeyManager(TlsUtil.kt:95)
        at easeagent.okhttp3.tls.HandshakeCertificates$Builder.build(HandshakeCertificates.kt:175)
        at com.megaease.easeagent.report.sender.okhttp.HttpSender.appendTLS(HttpSender.java:315)
        at com.megaease.easeagent.report.sender.okhttp.HttpSender.newClient(HttpSender.java:275)
        at com.megaease.easeagent.report.sender.okhttp.HttpSender.initClient(HttpSender.java:323)
        at com.megaease.easeagent.report.sender.okhttp.HttpSender.init(HttpSender.java:123)
        at com.megaease.easeagent.report.sender.SenderConfigDecorator.init(SenderConfigDecorator.java:71)
        at com.megaease.easeagent.report.plugin.ReporterRegistry.getSender(ReporterRegistry.java:82)
        at com.megaease.easeagent.report.trace.TraceReport.initSpanRefreshableReporter(TraceReport.java:48)
        at com.megaease.easeagent.report.trace.TraceReport.<init>(TraceReport.java:43)
        at com.megaease.easeagent.report.DefaultAgentReport.<init>(DefaultAgentReport.java:52)
        at com.megaease.easeagent.report.DefaultAgentReport.create(DefaultAgentReport.java:61)
        at com.megaease.easeagent.core.Bootstrap.start(Bootstrap.java:120)
        at com.megaease.easeagent.StartBootstrap.premain(StartBootstrap.java:28)
        ... 13 more
*** java.lang.instrument ASSERTION FAILED ***: "result" with message agent load/premain call failed at src/java.instrument/share/native/libinstrument/JPLISAgent.c line: 422
FATAL ERROR in native method: processing of -javaagent failed, processJavaStart failed

To Reproduce
Steps to reproduce the behavior:

  1. Generating agent: https://cloud.megaease.com/megacloud/app/main/ease-middleware/apm/document
  2. java -Xms1024m -Xmx1024m -agentlib:jdwp=transport=dt_socket,server=y,suspend=n,address=*:9005 -Dloader.path="/app/lib" -javaagent:ease-agent/easeagent.jar -jar xxx.jar
@observeralone
Contributor

@yinyuncan
What is your Java version? I have no issues with version 1.8.0_261.

@yinyuncan
Author

@yinyuncan What is your Java version? I have no issues with version 1.8.0_261.
Hello, I am using 17, GraalVM CE 22.1.0

openjdk version "17.0.3" 2022-04-19
OpenJDK Runtime Environment GraalVM CE 22.1.0 (build 17.0.3+7-jvmci-22.1-b06)
OpenJDK 64-Bit Server VM GraalVM CE 22.1.0 (build 17.0.3+7-jvmci-22.1-b06, mixed mode, sharing)

@yinyuncan
Author

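The root cause of this problem is that JDK 11 upgraded the certificate validation mechanism. To improve the security and reliability of certificate validation, it requires that the CN field in a certificate's IssuerDN match the first CN field in the SubjectDN. This prevents attacks using malicious certificates.

I will keep looking for a way to solve the problem that "the certificate issuer and the owner of the certificate subject are different".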
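
The issuer-to-subject match that the comment above names as the cause can be checked directly on a certificate bundle. This Java sketch is an added example, not EaseAgent or JDK code; it assumes the match is a full-DN comparison with `X500Principal.equals`, and the class name `ChainLinkCheck`, its helpers and the sample DNs are constructed for illustration.

```java
import java.io.*;
import java.security.cert.*;
import java.util.*;
import javax.security.auth.x500.X500Principal;

public class ChainLinkCheck {
    // Each entry is {subject, issuer} for one certificate, leaf first.
    static X500Principal[] entry(String subject, String issuer) {
        return new X500Principal[] {new X500Principal(subject), new X500Principal(issuer)};
    }

    // Index of the first certificate whose issuer DN is not the subject DN of
    // the certificate that follows it, or -1 when every link matches.
    static int firstBrokenLink(List<X500Principal[]> chain) {
        for (int i = 0; i + 1 < chain.size(); i++) {
            if (!chain.get(i)[1].equals(chain.get(i + 1)[0])) return i;
        }
        return -1;
    }

    // Reads all certificates from a PEM or DER bundle, in file order.
    static List<X500Principal[]> load(String path) throws Exception {
        List<X500Principal[]> chain = new ArrayList<X500Principal[]>();
        try (InputStream in = new FileInputStream(path)) {
            CertificateFactory cf = CertificateFactory.getInstance("X.509");
            for (Certificate c : cf.generateCertificates(in)) {
                X509Certificate x = (X509Certificate) c;
                chain.add(new X500Principal[] {
                    x.getSubjectX500Principal(), x.getIssuerX500Principal()});
            }
        }
        return chain;
    }

    public static void main(String[] args) throws Exception {
        List<X500Principal[]> chain =
            args.length > 0 ? load(args[0]) : new ArrayList<X500Principal[]>();
        if (args.length == 0) {
            // Constructed sample DNs, not taken from the issue: the leaf names
            // "Demo Issuing CA" as issuer, but the next entry is the root.
            chain.add(entry("CN=agent-client,O=Demo", "CN=Demo Issuing CA,O=Demo"));
            chain.add(entry("CN=Demo Root CA,O=Demo", "CN=Demo Root CA,O=Demo"));
        }
        int bad = firstBrokenLink(chain);
        System.out.println(bad < 0 ? "all issuer/subject links match"
            : "link broken between entry " + bad + " and entry " + (bad + 1));
    }
}
```

Pass the path of a PEM bundle as the only argument to check a real chain in file order; without arguments the constructed DNs are used.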

@oewang
Contributor

oewang commented May 19, 2023

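The root cause of this problem is that JDK 11 upgraded the certificate validation mechanism. To improve the security and reliability of certificate validation, it requires that the CN field in a certificate's IssuerDN match the first CN field in the SubjectDN. This prevents attacks using malicious certificates.

I will keep looking for a way to solve the problem that "the certificate issuer and the owner of the certificate subject are different".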

I checked the certificate chain validation code of jdk8 and jdk19, and it has not been modified, so I can exclude the problem caused by the jdk version.

@yinyuncan
Author

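The root cause of this problem is that JDK 11 upgraded the certificate validation mechanism. To improve the security and reliability of certificate validation, it requires that the CN field in a certificate's IssuerDN match the first CN field in the SubjectDN. This prevents attacks using malicious certificates.
I will keep looking for a way to solve the problem that "the certificate issuer and the owner of the certificate subject are different".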

I checked the certificate chain validation code of jdk8 and jdk19, and it has not been modified, so I can exclude the problem caused by the jdk version.

Hmm, good point. Indeed, on jdk8 this breakpoint was not hit; I don't know why on jdk17 execution enters this setKeyEntry method.
