TLS error when connecting to MongoDB from AWS EMR

Question    Votes: 0    Answers: 1

I am using keytool in a bootstrap script to add the certificate to the cluster:

keytool -import -file impl-stable.crt -alias impl-stable.crt -keystore /usr/lib/jvm/java/jre/lib/security/cacerts -storepass changeit -noprompt

I have dumped the same certificate back out of the keystore and verified that it contains the SAN names Spark is complaining about. Note that it does have the appropriate SAN names.

keytool -list -rfc -keystore /usr/lib/jvm/java/jre/lib/security/cacerts -alias certs/impl-stable.crt
(cut the PEM-formatted cert out of the output of the command above into cert.pem)
openssl x509 -in cert.pem -noout -text
X509v3 Subject Alternative Name: critical
        DNS:mongodb-0, DNS:mongodb-0.mongodb-svc.core.svc.cluster.local, DNS:mongodb-1, DNS:mongodb-1.mongodb-svc.core.svc.cluster.local, DNS:mongodb-2, DNS:mongodb-2.mongodb-svc.core.svc.cluster.local, DNS:DNS:dev-canary-v4-mongodb0.ams-np-v4.internal.stuff.org, DNS:DNS:test-canary-v4-mongodb0.ams-np-v4.internal.stuff.org, DNS:DNS:impl-stable-v4-mongodb0.ams-np-v4.internal.stuff.org, DNS:DNS:impl-stable-v4-mongodb1.ams-np-v4.internal.stuff.org, DNS:DNS:impl-stable-v4-mongodb2.ams-np-v4.internal.stuff.org
  Signature Algorithm: sha256WithRSAEncryption

Error:

"errorMessage": "com.mongodb.MongoTimeoutException: Timed out after 30000 ms while waiting for a server that matches com.mongodb.client.internal.MongoClientDelegate$1@508e2f4c. Client view of cluster state is {type=REPLICA_SET, servers=[{address=impl-stable-v4-mongodb2.ams-np-v4.internal.stuff.org:30019, type=UNKNOWN, state=CONNECTING, exception={com.mongodb.MongoSocketWriteException: Exception sending message}, caused by {javax.net.ssl.SSLHandshakeException: No subject alternative DNS name matching impl-stable-v4-mongodb2.ams-np-v4.internal.stuff.org found.}, caused by {java.security.cert.CertificateException: No subject alternative DNS name matching impl-stable-v4-mongodb2.ams-np-v4.internal.stuff.org found.}}, {address=impl-stable-v4-mongodb0.ams-np-v4.internal.stuff.org:30017, type=UNKNOWN, state=CONNECTING, exception={com.mongodb.MongoSocketWriteException: Exception sending message}, caused by {javax.net.ssl.SSLHandshakeException: No subject alternative DNS name matching impl-stable-v4-mongodb0.ams-np-v4.internal.stuff.org found.}, caused by {java.security.cert.CertificateException: No subject alternative DNS name matching impl-stable-v4-mongodb0.ams-np-v4.internal.stuff.org found.}}, {address=impl-stable-v4-mongodb1.ams-np-v4.internal.stuff.org:30018, type=UNKNOWN, state=CONNECTING, exception={com.mongodb.MongoSocketWriteException: Exception sending message}, caused by {javax.net.ssl.SSLHandshakeException: No subject alternative DNS name matching impl-stable-v4-mongodb1.ams-np-v4.internal.stuff.org found.}, caused by {java.security.cert.CertificateException: No subject alternative DNS name matching impl-stable-v4-mongodb1.ams-np-v4.internal.stuff.org found.}}]\n\tat com.mongodb.internal.connection.BaseCluster.createTimeoutException(BaseCluster.java:403)
Tags: ssl amazon-emr
1 answer

Votes: 0

We had created the SANs with "DNS:" in the names... which explains things. Removing it and using just the FQDN seems to have fixed the problem.
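The tell-tale in the posted dump is the doubled tag: openssl prints each dNSName entry as DNS:<value>, so "DNS:DNS:impl-stable-v4-mongodb2..." means the value actually stored in the certificate is "DNS:impl-stable-v4-mongodb2...", and RFC 6125 hostname matching compares that whole string against the host, not a substring of it. The following Go program is an added example, not code from the question, the answer, or the MongoDB driver: it issues a throwaway self-signed certificate with the dNSName values exactly as the dump shows them, runs Go's crypto/x509 hostname verifier (which applies the same exact-match-or-single-label-wildcard rule as the Java driver's HostnameChecker) against one of the replica-set hosts, and repeats the check with bare FQDNs. The hostnames are taken from the question; the helper names (BrokenSANs, FixedSANs, StripDNSTag, HostnameMatches) and the StripDNSTag normalisation step are assumptions of this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// Replica-set hostnames taken from the SAN dump in the question (constructed
// sample input; they are the hosts the error message names).
var replicaSetHosts = []string{
	"impl-stable-v4-mongodb0.ams-np-v4.internal.stuff.org",
	"impl-stable-v4-mongodb1.ams-np-v4.internal.stuff.org",
	"impl-stable-v4-mongodb2.ams-np-v4.internal.stuff.org",
}

// BrokenSANs reproduces the posted certificate: the "DNS:" tag was typed into
// the dNSName value itself, which is why openssl printed "DNS:DNS:<host>".
func BrokenSANs() []string {
	out := make([]string, 0, len(replicaSetHosts))
	for _, h := range replicaSetHosts {
		out = append(out, "DNS:"+h)
	}
	return out
}

// FixedSANs is the form the answer switched to: bare FQDNs only.
func FixedSANs() []string {
	return append([]string(nil), replicaSetHosts...)
}

// StripDNSTag (hypothetical helper) normalises operator-supplied names before
// they are handed to a tool that adds the "DNS:" tag itself, so the mistake
// from the question cannot be reintroduced. It is case-insensitive and removes
// repeated tags.
func StripDNSTag(names []string) []string {
	out := make([]string, 0, len(names))
	for _, n := range names {
		n = strings.TrimSpace(n)
		for len(n) >= 4 && strings.EqualFold(n[:4], "dns:") {
			n = n[4:]
		}
		out = append(out, n)
	}
	return out
}

// selfSignedWithSANs issues a throwaway self-signed certificate whose dNSName
// entries are exactly the strings given, with no normalisation, so we can see
// what a hostname verifier does with them.
func selfSignedWithSANs(dnsNames []string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "mongodb"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		DNSNames:     dnsNames,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// HostnameMatches reports whether a certificate carrying the given SAN values
// passes hostname verification for host. A value such as "DNS:host" is simply
// a different string from "host", so it never matches.
func HostnameMatches(sanValues []string, host string) (bool, error) {
	cert, err := selfSignedWithSANs(sanValues)
	if err != nil {
		return false, err
	}
	return cert.VerifyHostname(host) == nil, nil
}

func main() {
	host := replicaSetHosts[2]
	cases := []struct {
		label string
		sans  []string
	}{
		{"broken (DNS: inside the value)", BrokenSANs()},
		{"fixed (bare FQDN)", FixedSANs()},
		{"broken, then normalised", StripDNSTag(BrokenSANs())},
	}
	for _, c := range cases {
		ok, err := HostnameMatches(c.sans, host)
		if err != nil {
			fmt.Println(c.label, "error:", err)
			continue
		}
		fmt.Printf("%-32s SAN[0]=%q matches %s: %v\n", c.label, c.sans[0], host, ok)
	}
}
```

Running it shows the first case failing and the other two passing, which is the same outcome the Java driver reported before and after the fix. The practical check is to look at the openssl output of the certificate the server presents: each SAN entry should read DNS:<fqdn> exactly once; a doubled DNS:DNS: prefix means the tag was supplied as part of the name and the generator added its own on top.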

© www.soinside.com 2019 - 2024. All rights reserved.