Fixing problems with HTTPS connections
When I got to Spring Cloud Config in my studies, I tried to set up a config server and, following a tutorial, put the following configuration in application.yml:
```yaml
server:
```
But it failed at startup. I forget what the log said at the time; it was probably "reject HostKey: github.com". That does not matter much, because the SSH configuration method of newer versions of Cloud Config Server has changed, and the approach in the tutorial no longer works.
After searching online for a long time without finding a solution, I changed application.yml to:
```yaml
server:
```
But startup kept reporting "connection timeout" no matter how I changed the configuration. Finally, after switching spring.cloud.config.server.uri to a Gitee repository, it started normally, so it was a network problem after all. I found a site, https://raw.hellogithub.com, that provides a comprehensive set of local hostname mappings; you only need to add the entries it provides to the local hosts file. The mappings change occasionally, so when a similar problem appears, check whether they have changed and, if they have, update the stale entries on your machine.
Fixing problems with SSH connections
Although the HTTPS approach now works, this problem had tormented me for a whole day, so I decided it had to be solved.
I searched online for a long time and found many solutions, but none of them was complete. In the end, after reading the official documentation carefully and combining it with the methods found online, I finally solved the problem.
According to the official documentation:
Authentication
To use HTTP basic authentication on the remote repository, add the `username` and `password` properties separately (not in the URL), as shown in the following example:
```yaml
spring:
```
If you do not use HTTPS and user credentials, SSH should also work out of the box when you store keys in the default directories (`~/.ssh`) and the URI points to an SSH location, such as `git@github.com:configuration/cloud-configuration`. It is important that an entry for the Git server be present in the `~/.ssh/known_hosts` file and that it is in `ssh-rsa` format. Other formats (such as `ecdsa-sha2-nistp256`) are not supported. To avoid surprises, you should ensure that only one entry is present in the `known_hosts` file for the Git server and that it matches the URL you provided to the config server. If you use a hostname in the URL, you want to have exactly that (not the IP) in the `known_hosts` file. The repository is accessed by using JGit, so any documentation you find on that should be applicable. HTTPS proxy settings can be set in `~/.git/config` or (in the same way as for any other JVM process) with system properties (`-Dhttps.proxyHost` and `-Dhttps.proxyPort`).
If you do not know where your `~/.git` directory is, use `git config --global` to manipulate the settings (for example, `git config --global http.sslVerify false`).
JGit requires RSA keys in PEM format. Below is an example ssh-keygen (from openssh) command that will generate a key in the correct format:
```shell
ssh-keygen -m PEM -t rsa -b 4096 -f ~/config_server_deploy_key.rsa
```
Warning: When working with SSH keys, the expected ssh private-key must begin with `-----BEGIN RSA PRIVATE KEY-----`. If the key starts with `-----BEGIN OPENSSH PRIVATE KEY-----` then the RSA key will not load when spring-cloud-config server is started. The error looks like:
```
- Error in object 'spring.cloud.config.server.git': codes [PrivateKeyIsValid.spring.cloud.config.server.git,PrivateKeyIsValid]; arguments [org.springframework.context.support.DefaultMessageSourceResolvable: codes [spring.cloud.config.server.git.,]; arguments []; default message []]; default message [Property 'spring.cloud.config.server.git.privateKey' is not a valid private key]
```
To correct the above error the RSA key must be converted to PEM format. An example using openssh is provided above for generating a new key in the appropriate format.
Git SSH configuration using properties
By default, the JGit library used by Spring Cloud Config Server uses SSH configuration files such as `~/.ssh/known_hosts` and `/etc/ssh/ssh_config` when connecting to Git repositories by using an SSH URI. In cloud environments such as Cloud Foundry, the local filesystem may be ephemeral or not easily accessible. For those cases, SSH configuration can be set by using Java properties. In order to activate property-based SSH configuration, the `spring.cloud.config.server.git.ignoreLocalSshSettings` property must be set to `true`, as shown in the following example:
```yaml
spring:
```
The following table describes the SSH configuration properties.
Table 1. SSH Configuration Properties
| Property Name | Remarks |
| --- | --- |
| ignoreLocalSshSettings | If `true`, use property-based instead of file-based SSH config. Must be set as `spring.cloud.config.server.git.ignoreLocalSshSettings`, not inside a repository definition. |
| privateKey | Valid SSH private key. Must be set if `ignoreLocalSshSettings` is `true` and Git URI is SSH format. |
| hostKey | Valid SSH host key. Must be set if `hostKeyAlgorithm` is also set. |
| hostKeyAlgorithm | One of `ssh-dss`, `ssh-rsa`, `ecdsa-sha2-nistp256`, `ecdsa-sha2-nistp384`, or `ecdsa-sha2-nistp521`. Must be set if `hostKey` is also set. |
| strictHostKeyChecking | `true` or `false`. If `false`, ignore errors with host key. |
| knownHostsFile | Location of custom `.known_hosts` file. |
| preferredAuthentications | Override server authentication method order. This should allow for evading login prompts if server has keyboard-interactive authentication before the `publickey` method. |
From this we can see that with HTTPS it is enough to edit the yml, and if the repository is not public you need to supply a username and password. With SSH, however, other steps are required.
First you need an RSA key in PEM format. The official docs give the way to obtain it: in Git Bash, run:
```shell
ssh-keygen -m PEM -t rsa -b 4096 -C "*****@**.com"
```
Follow the prompts to create the new key. Once it is created, open the .ssh folder. First go to GitHub Settings and configure the SSH key, adding the contents of id_rsa.pub as an SSH key; the specific steps can be found online. Then, my known_hosts file contained many entries; to re-obtain the host key I deleted all of them. Do this according to your own situation: if the host key can be used, there is no need to delete it.
After deleting them, go back to Git Bash and use git clone to fetch the repository; known_hosts will then be regenerated with a few entries, and the data after ssh-rsa that starts with AAAA is the host key used below.
Then change application.yml according to the official documentation:
```yaml
server:
```
Here uri is the SSH link from GitHub, and ignore-local-ssh-settings: true is there because, when using cloud, the local configuration often cannot be reached, so the local configuration has to be ignored and the configuration done in the yml instead.
host-key: is followed by the data after ssh-rsa in the known_hosts entry mentioned above. host-key-algorithm: ssh-rsa specifies the key algorithm as ssh-rsa. After that, private-key takes the contents of id_rsa; remember that it must begin and end with "-----BEGIN RSA PRIVATE KEY-----" and "-----END RSA PRIVATE KEY-----". If it does not, redo the steps above to obtain a new key. Mine initially began with "-----BEGIN OPENSSH PRIVATE KEY-----" as well, which caused the connection error. Also, private-key: must be followed by a "|" symbol; do not forget it, or you will get an invalid key error.
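As an added example (not code from this post or from Spring Cloud Config), the following Python runs the preflight checks that the documentation excerpt and the steps above insist on: the private key must be PEM RSA rather than OpenSSH format, and known_hosts must hold exactly one plain ssh-rsa entry for the Git host, after which it renders the git block with the `|` block scalar on private-key. The known_hosts lines and key text are constructed samples, and the spring.cloud.config.server.git.* property path is assumed from the table above.

```python
# Added example, not code from the post or from Spring Cloud Config.
# Sample known_hosts lines and key text fed to it are constructed placeholders.
PEM_HEADER = "-----BEGIN RSA PRIVATE KEY-----"
PEM_FOOTER = "-----END RSA PRIVATE KEY-----"
OPENSSH_HEADER = "-----BEGIN OPENSSH PRIVATE KEY-----"

def check_private_key(key_text):
    """Return 'ok' when the key is PEM RSA (the only form JGit loads), else why not."""
    lines = key_text.strip().splitlines()
    if not lines:
        return "empty key"
    if lines[0] == PEM_HEADER and lines[-1] == PEM_FOOTER:
        return "ok"
    if lines[0] == OPENSSH_HEADER:
        # The case the docs warn about; 'ssh-keygen -p -m PEM -f <key>' rewrites it in place
        return "openssh format: regenerate with 'ssh-keygen -m PEM -t rsa' or convert it"
    return "unrecognised key format"

def host_key_for(known_hosts, host):
    """Return (algorithm, base64 key) for `host`: exactly one plain entry, ssh-rsa only."""
    found = []
    for raw in known_hosts.splitlines():
        parts = raw.strip().split()
        if len(parts) < 3 or parts[0].startswith(("#", "|1|")):
            continue  # comment, or a HashKnownHosts line whose hostname is unreadable
        if host in parts[0].split(","):  # first field may be "host,<ip>"
            found.append((parts[1], parts[2]))
    if len(found) != 1:
        raise ValueError(f"{len(found)} plain known_hosts entries for {host}, need exactly 1")
    algo, key = found[0]
    if algo != "ssh-rsa":
        raise ValueError(f"entry for {host} is {algo}; only ssh-rsa is supported")
    return algo, key

def render_git_ssh_yaml(uri, algo, host_key, key_text):
    """Emit the git block (property path assumed); '|' keeps the multi-line PEM intact."""
    pem = "\n".join("            " + line for line in key_text.strip().splitlines())
    return (
        "spring:\n  cloud:\n    config:\n      server:\n        git:\n"
        f"          uri: {uri}\n"
        "          ignore-local-ssh-settings: true\n"
        f"          host-key-algorithm: {algo}\n"
        f"          host-key: {host_key}\n"
        "          private-key: |\n"
        f"{pem}\n"
    )
```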
Then, after starting up, it still reported the error "You're using an RSA key with SHA-1". This is because the dependency does not support RSA (sha2), so the dependency needs to be replaced.
Update the dependencies to:
```xml
<dependencies>
```
Remove the unsupported dependency and add the supported one.
Finally the service starts without errors and the remote configuration files can be accessed normally.