问题描述
在应用中获取存储在Azure Key Vault的机密信息,全部失败。
报错日志内容如下:
[reactor-http-epoll-4] [reactor.netty.http.client.HttpClientConnect]
[WARN] - [c7a7d27e, L:/xxx.xxx.xxx.60:58756 ! R:xxxxxxxxxxxx.vault.azure.cn/xxx.xxx.xxx.xxx:443] The connection observed an error
java.nio.channels.ClosedChannelException
at io.netty.handler.ssl.SslHandler.channelInactive(SslHandler.java:1067)
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelInactive(AbstractChannelHandlerContext.java:305)
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelInactive(AbstractChannelHandlerContext.java:281)
at io.netty.channel.AbstractChannelHandlerContext.fireChannelInactive(AbstractChannelHandlerContext.java:274)
at io.netty.channel.DefaultChannelPipeline$HeadContext.channelInactive(DefaultChannelPipeline.java:1405)
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelInactive(AbstractChannelHandlerContext.java:301)
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelInactive(AbstractChannelHandlerContext.java:281)
at io.netty.channel.DefaultChannelPipeline.fireChannelInactive(DefaultChannelPipeline.java:901)
at io.netty.channel.AbstractChannel$AbstractUnsafe$7.run(AbstractChannel.java:813)
at io.netty.util.concurrent.AbstractEventExecutor.runTask(AbstractEventExecutor.java:174)
at io.netty.util.concurrent.AbstractEventExecutor.safeExecute(AbstractEventExecutor.java:167)
at io.netty.util.concurrent.SingleThreadEventExecutor.runAllTasks(SingleThreadEventExecutor.java:470)
at io.netty.channel.epoll.EpollEventLoop.run(EpollEventLoop.java:403)
at io.netty.util.concurrent.SingleThreadEventExecutor$4.run(SingleThreadEventExecutor.java:997)
at io.netty.util.internal.ThreadExecutorMap$2.run(ThreadExecutorMap.java:74)
at io.netty.util.concurrent.FastThreadLocalRunnable.run(FastThreadLocalRunnable.java:30)
at java.lang.Thread.run(Thread.java:748)
Suppressed: io.netty.handler.ssl.StacklessSSLHandshakeException: Connection closed while SSL/TLS handshake was in progress
at io.netty.handler.ssl.SslHandler.channelInactive(Unknown Source)
问题排查
第一:进入Azure Key Vault门户页面,查看Key Vault的Secret信息是否能正常显示,以及从门户上是否可以正常获取到信息
image.png
第二:使用nslookup 或者 curl来测试Key Vault是否能正常在客户端解析
测试DNS解析,以及测试TCP连接:
curl -v https://xxxxxxxxxxxx.vault.azure.cn
image.png
第三:抓取客户端的网络包,从网络包中检查是否是 TLS Version的问题引起。
tcpdump -i any host <key vault ip address> and tcp port 443 -n -v -s 0 -w /tmp/keyvaultnetworktrace.pcap
在网络包中,可以查看出是否是否正确的TLS Version,但Azure Key Vault 要求使用TLS 1.2 . (Preparing for TLS 1.2 in Microsoft Azure : https://azure.microsoft.com/en-us/updates/azuretls12/)
image.png
第四:查看客户端环境中是否有防火墙限制,可以查看是否有 Denied or Threat 记录
image.png
根据以上四步,基本可以定位出 Connection closed while SSL/TLS handshake was in progress 问题。
当在复杂的环境中面临问题,格物之道需:浊而静之徐清,安以动之徐生。 云中,恰是如此!
