问题描述
在应用中获取存储在Azure Key Vault的机密信息,全部失败。
报错日志内容如下:
[reactor-http-epoll-4] [reactor.netty.http.client.HttpClientConnect]
[WARN] - [c7a7d27e, L:/xxx.xxx.xxx.60:58756 ! R:xxxxxxxxxxxx.vault.azure.cn/xxx.xxx.xxx.xxx:443] The connection observed an error java.nio.channels.ClosedChannelException at io.netty.handler.ssl.SslHandler.channelInactive(SslHandler.java:1067) at io.netty.channel.AbstractChannelHandlerContext.invokeChannelInactive(AbstractChannelHandlerContext.java:305) at io.netty.channel.AbstractChannelHandlerContext.invokeChannelInactive(AbstractChannelHandlerContext.java:281) at io.netty.channel.AbstractChannelHandlerContext.fireChannelInactive(AbstractChannelHandlerContext.java:274) at io.netty.channel.DefaultChannelPipeline$HeadContext.channelInactive(DefaultChannelPipeline.java:1405) at io.netty.channel.AbstractChannelHandlerContext.invokeChannelInactive(AbstractChannelHandlerContext.java:301) at io.netty.channel.AbstractChannelHandlerContext.invokeChannelInactive(AbstractChannelHandlerContext.java:281) at io.netty.channel.DefaultChannelPipeline.fireChannelInactive(DefaultChannelPipeline.java:901) at io.netty.channel.AbstractChannel$AbstractUnsafe$7.run(AbstractChannel.java:813) at io.netty.util.concurrent.AbstractEventExecutor.runTask(AbstractEventExecutor.java:174) at io.netty.util.concurrent.AbstractEventExecutor.safeExecute(AbstractEventExecutor.java:167) at io.netty.util.concurrent.SingleThreadEventExecutor.runAllTasks(SingleThreadEventExecutor.java:470) at io.netty.channel.epoll.EpollEventLoop.run(EpollEventLoop.java:403) at io.netty.util.concurrent.SingleThreadEventExecutor$4.run(SingleThreadEventExecutor.java:997) at io.netty.util.internal.ThreadExecutorMap$2.run(ThreadExecutorMap.java:74) at io.netty.util.concurrent.FastThreadLocalRunnable.run(FastThreadLocalRunnable.java:30) at java.lang.Thread.run(Thread.java:748) Suppressed: io.netty.handler.ssl.StacklessSSLHandshakeException: Connection closed while SSL/TLS handshake was in progress at io.netty.handler.ssl.SslHandler.channelInactive(Unknown Source)
问题排查
第一:进入Azure Key Vault门户页面,查看Key Vault的Secret信息是否能正常显示,以及从门户上是否可以正常获取到信息
第二:使用nslookup 或者 curl来测试Key Vault是否能正常在客户端解析
测试DNS解析,以及测试TCP连接:
curl -v https://xxxxxxxxxxxx.vault.azure.cn
第三:抓取客户端的网络包,从网络包中检查是否是 TLS Version的问题引起。
tcpdump -i any host <key vault ip address> and tcp port 443 -n -v -s 0 -w /tmp/keyvaultnetworktrace.pcap
如在下图的网络包中,使用TLS 1.0,但Azure Key Vault 要求使用TLS 1.2. (Preparing for TLS 1.2 in Microsoft Azure : https://azure.microsoft.com/en-us/updates/azuretls12/)
第四:查看客户端环境中是否有防火墙限制,可以查看是否有 Denied or Threat 记录
根据以上四步,基本可以定位出 Connection closed while SSL/TLS handshake was in progress 问题。
标签:机密信息,netty,java,Key,AbstractChannelHandlerContext,io,Vault,channel From: https://www.cnblogs.com/lulight/p/17878110.html