Today I noticed the error message below in my Payara5 server log. Since Glassfish is very popular these days, I spent some time figuring out what to do.
[2024-01-31T16:44:11.325+0000] [Payara 5.2022.5] [WARNING] [NCLS-SECURITY-05054] [javax.enterprise.system.security.ssl] [tid: _ThreadID=18107 _ThreadName=admin-thread-pool::admin-listener(25)] [timeMillis: 1706719451325] [levelValue: 900] [[
The SSL certificate has expired: [
[
Version: V3
Subject: OU=Trustis FPS Root CA, O=Trustis Limited, C=GB
Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5
Key: Sun RSA public key, 2048 bits
params: null
modulus: 24908633667180321967674873268814531635547921938344065146546904438489502673823487510936146573960061486273718694334781317348708908262947651303078579882700224692570831312368945979170373153648052597761950956395913615810736512525962630740585310636521594672085066580175665043758918430925599500808969653476864564698808991702431004110644739915567322643581281788777374680963817281333282843028696667329131753328247995199072853681672136148214770992098772732734082912115629981882473191620546572069699037050136366328673247895507219755706167110912566425482228784709797122932080366498493920541761658523188072646247208026589367964269
public exponent: 65537
Validity: [From: Tue Dec 23 12:14:06 UTC 2003,
To: Sun Jan 21 11:36:54 UTC 2024]
Issuer: OU=Trustis FPS Root CA, O=Trustis Limited, C=GB
SerialNumber: [ 1b1fadb6 20f924d3 366bf7c7 f18ca059]
Certificate Extensions: 3
[1]: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: BA FA 71 25 79 8B 57 41 25 21 86 0B 71 EB B2 64 ..q%y.WA%!..q..d
0010: 0E 8B 21 67 ..!g
]
]
[2]: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
CA:true
PathLen:2147483647
]
[3]: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: BA FA 71 25 79 8B 57 41 25 21 86 0B 71 EB B2 64 ..q%y.WA%!..q..d
0010: 0E 8B 21 67 ..!g
]
]
]
Algorithm: [SHA1withRSA]
Signature:
0000: 7E 58 FF FD 35 19 7D 9C 18 4F 9E B0 2B BC 8E 8C .X..5....O..+...
0010: 14 FF 2C A0 DA 47 5B C3 EF 81 2D AF 05 EA 74 48 ..,..G[...-...tH
0020: 5B F3 3E 4E 07 C7 6D C5 B3 93 CF 22 35 5C B6 3F [.>N..m...."5\.?
0030: 75 27 5F 09 96 CD A0 FE BE 40 0C 5C 12 55 F8 93 u'_......@.\.U..
0040: 82 CA 29 E9 5E 3F 56 57 8B 38 36 F7 45 1A 4C 28 ..).^?VW.86.E.L(
0050: CD 9E 41 B8 ED 56 4C 84 A4 40 C8 B8 B0 A5 2B 69 ..A..VL..@....+i
0060: 70 04 6A C3 F8 D4 12 32 F9 0E C3 B1 DC 32 84 44 p.j....2.....2.D
0070: 2C 6F CB 46 0F EA 66 41 0F 4F F1 58 A5 A6 0D 0D ,o.F..fA.O.X....
0080: 0F 61 DE A5 9E 5D 7D 65 A1 3C 17 E7 A8 55 4E EF .a...].e.<...UN.
0090: A0 C7 ED C6 44 7F 54 F5 A3 E0 8F F0 7C 55 22 8F ....D.T......U".
00A0: 29 B6 81 A3 E1 6D 4E 2C 1B 80 67 EC AD 20 9F 0C )....mN,..g.. ..
00B0: 62 61 D5 97 FF 43 ED 2D C1 DA 5D 29 2A 85 3F AC ba...C.-..])*.?.
00C0: 65 EE 86 0F 05 8D 90 5F DF EE 9F F4 BF EE 1D FB e......_........
00D0: 98 E4 7F 90 2B 84 78 10 0E 6C 49 53 EF 15 5B 65 ....+.x..lIS..[e
00E0: 46 4A 5D AF BA FB 3A 72 1D CD F6 25 88 1E 97 CC FJ]...:r...%....
00F0: 21 9C 29 01 0D 65 EB 57 D9 F3 57 96 BB 48 CD 81 !.)..e.W..W..H..
]]]
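Answer 1
Disclaimer: I am writing this to help people who face the same problem, in the hope that they can avoid spending hours researching how to fix it, especially if they are running into it for the first time.
To fix this, you need to delete the expired certificate from cacerts.jks in the Payara/Glassfish domain configuration folder. In the example below, Payara is located in the /opt/payara5 folder, so the domain configuration folder is /opt/payara5/glassfish/domains/domain1/config/.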
- Note the expiry date from the error message:
Sun Jan 21 11:36:54 UTC 2024
- Back up your cacerts.jks:
cp cacerts.jks cacerts.jks_backup_20240131
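- Inspect the certificates in cacerts.jks (the default password is always changeit) and try to find the certificate with the expiry date Sun Jan 21 11:36:54 UTC 2024, then note its alias: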
keytool -list -v -keystore cacerts.jks
*******************************************
Alias name: cert_81_trustis_fps_root_ca81
Creation date: Jan 23, 2018
Entry type: trustedCertEntry
Owner: OU=Trustis FPS Root CA, O=Trustis Limited, C=GB
Issuer: OU=Trustis FPS Root CA, O=Trustis Limited, C=GB
Serial number: 1b1fadb620f924d3366bf7c7f18ca059
Valid from: Tue Dec 23 12:14:06 UTC 2003 until: Sun Jan 21 11:36:54 UTC 2024
Certificate fingerprints:
SHA1: 3B:C0:38:0B:33:C3:F6:A6:0C:86:15:22:93:D9:DF:F5:4B:81:C0:04
SHA256: C1:B4:82:99:AB:A5:20:8F:E9:63:0A:CE:55:CA:68:A0:3E:DA:5A:51:9C:88:02:A0:D3:A6:73:BE:8F:8E:55:7D
Signature algorithm name: SHA1withRSA
Subject Public Key Algorithm: 2048-bit RSA key
Version: 3
*******************************************
- Now delete the expired certificate:
keytool -delete -keystore cacerts.jks -alias cert_81_trustis_fps_root_ca81 -v
Enter keystore password:
[Storing cacerts.jks]
- Check the result:
keytool -list -keystore cacerts.jks -alias cert_81_trustis_fps_root_ca81 -v
Enter keystore password:
keytool error: java.lang.Exception: Alias <cert_81_trustis_fps_root_ca81> does not exist
java.lang.Exception: Alias <cert_81_trustis_fps_root_ca81> does not exist
at sun.security.tools.keytool.Main.doPrintEntry(Main.java:1895)
at sun.security.tools.keytool.Main.doCommands(Main.java:1143)
at sun.security.tools.keytool.Main.run(Main.java:378)
at sun.security.tools.keytool.Main.main(Main.java:371)
- Restart your domain:
cd /opt/payara5/glassfish/bin
./asadmin restart-domain domain1
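The manual search through the keytool listing in the steps above can be scripted. The following is an added example, not part of the original answer: it reads `keytool -list -v` output and reports every alias whose certificate has already expired. The function names, the second sample alias and the reference timestamp are constructed for illustration, and the script assumes English-locale keytool output and GNU date.

```shell
#!/bin/sh
# Added example (not from the original answer): list expired trust-store entries.
# Assumes English-locale keytool output and GNU date (for `date -d`).
#
# Real use, from the domain config folder:
#   keytool -list -v -keystore cacerts.jks -storepass changeit | expired_aliases

# expired_aliases [NOW_EPOCH]
# Reads `keytool -list -v` output on stdin and prints "alias<TAB>expiry"
# for every certificate whose "until:" date is earlier than NOW_EPOCH
# (default: current time). Runs in a subshell so no variables leak.
expired_aliases() (
  now="${1:-$(date +%s)}"
  alias_name=""
  while IFS= read -r line; do
    case "$line" in
      "Alias name: "*)
        alias_name="${line#Alias name: }" ;;
      "Valid from: "*" until: "*)
        not_after="${line##* until: }"
        if ts=$(date -d "$not_after" +%s 2>/dev/null); then
          if [ "$ts" -lt "$now" ]; then
            printf '%s\t%s\n' "$alias_name" "$not_after"
          fi
        else
          # Never skip silently: an unparsed date must be reviewed by hand.
          printf 'WARN: unparsed expiry for %s: %s\n' "$alias_name" "$not_after" >&2
        fi ;;
    esac
  done
)

# Constructed sample: the expired entry shown above plus a made-up valid one.
sample_listing() {
  cat <<'EOF'
Alias name: cert_81_trustis_fps_root_ca81
Entry type: trustedCertEntry
Valid from: Tue Dec 23 12:14:06 UTC 2003 until: Sun Jan 21 11:36:54 UTC 2024
Alias name: constructed_valid_ca
Entry type: trustedCertEntry
Valid from: Mon Jan 01 00:00:00 UTC 2024 until: Mon Jan 01 00:00:00 UTC 2035
EOF
}

# 1706659200 = 2024-01-31 00:00:00 UTC, the day of the log entry above.
sample_listing | expired_aliases 1706659200
```

Review each reported alias with `keytool -list -v -alias <alias>` before deleting it, since removing a trusted root changes which TLS peers the server will accept.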