Tag Archives: https

error: \*1035 connect() failed (111: Connection refused) while connecting to upstream, client…..

error:1035 connect() failed (111: Connection refused) while connecting to upstream, client: …217, server: .com, request: “POST /api/userLogin HTTP/1.1”, upstream: “http://.1:8443/userLogin”, host: “*.com”

1. Cause

The deployment of the project is on Tencent cloud server, http upgraded to https, using Tencent ssl certificate, Ali’s domain name, during the nginx.conf configuration process, there is a front-end to back-end send request failure problem. The following error occurs.

The nginx.conf configuration is as follows:

server{
	#SSL The default access port number is 443
    listen 443 ssl;
    server_name domain;
    default_type text/html;
    ssl_certificate certificate file path (.crt/.pem);
    ssl_certificate_key private key file path (.key);
    ssl_session_timeout 5m;
    # Please configure according to the following protocols
    ssl_protocols TLSv1.2 TLSv1.3;
    s#Please configure the encryption suite according to the following suite configuration, written following the openssl standard.
     ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:HIGH:!aNULL:!MD5:!RC4:!DHE;
    ssl_prefer_server_ciphers on;

    location/{
        root /usr/share/nginx/html/dist/;
        try_files $uri $uri/ /index.html;
        index index.html;
    }

    location /api/ {
        default_type application/json;
        proxy_pass http://localhost:8443/;
    }
}

2. Solutions

Add a clause to the nginx.conf configuration: proxy_set_header Host $http_host;

server{
	#SSL The default access port number is 443
    listen 443 ssl;
    server_name domain;
    default_type text/html;
    ssl_certificate certificate file path (.crt/.pem);
    ssl_certificate_key private key file path (.key);
    ssl_session_timeout 5m;
    # Please configure according to the following protocols
    ssl_protocols TLSv1.2 TLSv1.3;
    s#Please configure the encryption suite according to the following suite configuration, written following the openssl standard.
     ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:HIGH:!aNULL:!MD5:!RC4:!DHE;
    ssl_prefer_server_ciphers on;

    location/{
        root /usr/share/nginx/html/dist/;
        try_files $uri $uri/ /index.html;
        index index.html;
    }

    location /api/ {
    	# nginx reverse proxy rewrites the host field attribute in the request header
        proxy_set_header Host $http_host;
        default_type application/json;
        proxy_pass http://localhost:8443/;
    }
}

[Solved] HttpPost Call https Interface error: PKIX path building failed

When using HttpPost to call the https interface, report an error: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to the requested target,

Here is a solution below:

    /**
     * HttpClient error: ”SSLPeerUnverifiedException: peer not authenticated”
     * You don't need to import SSL 
     *
     * @param base
     * @return
     */
    public static HttpClient wrapClient(HttpClient base) {
        try {
            SSLContext ctx = SSLContext.getInstance("TLS");
            X509TrustManager tm = new X509TrustManager() {

                @Override
                public void checkClientTrusted(java.security.cert.X509Certificate[] arg0, String arg1)
                        throws java.security.cert.CertificateException {
                    // TODO Auto-generated method stub

                }

                @Override
                public void checkServerTrusted(java.security.cert.X509Certificate[] arg0, String arg1)
                        throws java.security.cert.CertificateException {
                    // TODO Auto-generated method stub

                }

                @Override
                public java.security.cert.X509Certificate[] getAcceptedIssuers() {
                    // TODO Auto-generated method stub
                    return null;
                }
            };
            ctx.init(null, new TrustManager[]{tm}, null);
            SSLConnectionSocketFactory ssf = new SSLConnectionSocketFactory(ctx, NoopHostnameVerifier.INSTANCE);
            CloseableHttpClient httpclient = HttpClients.custom().setSSLSocketFactory(ssf).build();
            return httpclient;
        } catch (Exception ex) {
            ex.printStackTrace();
            return HttpClients.createDefault();
        }
    }

Calling wrapclient method to generate httpclient can avoid problems.

    @Inject(target = "/infoResourcesManageRest/custom/getAllDataNum", type = InjectTypeExt.CUSTOM_URL)
    public synchronized WSResult getAllDataNum(JSONObject json) throws Exception {
        Integer talentNum = 0;
        Integer companyNum = 0;
        Integer organizationNum = 0;
        CloseableHttpClient httpClient = HttpClients.createDefault();
        httpClient = (CloseableHttpClient) wrapClient(httpClient);
        CloseableHttpResponse response = null;
        /**
         * 1. Little data
         * **/
        String[] zx = new String[]{"qyjbxx", "dwjbxx"};
        for (String s : zx) {
            JSONObject jsonObject1 = JSONObject.fromObject("{\n" +
                    "    \"size\": 1,\n" +
                    "    \"page\": 1,\n" +
                    "    \"params\": {\n" +
                    "        \"englishName\": \"" + s + "\"\n" +
                    "    },\n" +
                    "    \"filter\": {}\n" +
                    "}");
            String jsonString = JSON.toJSONString(jsonObject1);
            HttpPost httpPost = new HttpPost("https://www.baidu.com");
            StringEntity entity = new StringEntity(jsonString, "UTF-8");
            httpPost.setEntity(entity);
            httpPost.setHeader("Content-Type", "application/json;charset=utf8");
            response = httpClient.execute(httpPost);
            JSONObject jsonObject = JSONObject.fromObject(EntityUtils.toString(response.getEntity(), "utf-8"));
            JSONObject result = (JSONObject) jsonObject.get("result");
            if (result != null) {
                Integer totalElements = (Integer) result.get("totalElements");
                if (s.equals("qyjbxx")) {
                    companyNum = companyNum + totalElements;
                } else if (s.equals("dwjbxx")) {
                    organizationNum = organizationNum + totalElements;
                }
            }
        }
 }

[Solved] JAVA HttpClient Send Https request certificate error:PKIX path building failed:

Recently, when using httpclient to connect with the third-party SMS interface, a certificate invalidation error was reported during the local test.

1. Post request of Encapsulated HttpClient:

public static Map<String, Object> postReq(String URL, Map<String, Object> paramMap, Map<String, String> headers) throws Exception {
        Map<String, Object> map = new HashMap<String, Object>();

        RequestConfig requestConfig = RequestConfig.custom()
                .setConnectTimeout(2000) // Set the connection timeout, in milliseconds
                .setConnectionRequestTimeout(1000)
                .setSocketTimeout(5000) // timeout for requesting data, in milliseconds
                .build();
        HttpRequestRetryHandler myRetryHandler = new HttpRequestRetryHandler() {
            @Override
            public boolean retryRequest(IOException exception, int executionCount, HttpContext context) {
                return false;
            }
        };

        try (CloseableHttpClient client = HttpClients.custom()
                .setDefaultRequestConfig(requestConfig)
                .setRetryHandler(myRetryHandler)
                .build()) {

            HttpPost httpPost = new HttpPost(URL);
            if (paramMap != null) {
                JSONObject paramJson = new JSONObject(paramMap);
                StringEntity paramEntity = new StringEntity(paramJson.toString(), "UTF-8");
                paramEntity.setContentType("application/json; charset=utf-8");
                httpPost.setEntity(paramEntity);
            }
            httpPost.setConfig(requestConfig);

            if (headers != null && !headers.isEmpty()) {
                for (String key : headers.keySet()) {
                    String value = headers.get(key);
                    httpPost.setHeader(key, value);
                }
            }

            CloseableHttpResponse response = client.execute(httpPost);

            HttpEntity entity = response.getEntity();

            if (entity != null) {
                String responseStr = EntityUtils.toString(entity, "UTF-8");
                if (responseStr.isEmpty()) {
                    responseStr = "{}";
                }

                int statusCode = response.getStatusLine().getStatusCode();
                if (HttpServletResponse.SC_OK == statusCode) {
                    try {
                        JSONObject dataJson = (JSONObject) JSONObject.parse(responseStr);
                        map = new HashMap<>(dataJson);
                    } catch (Exception e) {
                        map.put("reponse", responseStr);
                    }
                } else {
                    return map;
                }
            }
            response.close();
        }
        return map;
    }

However, an error will be reported when accessing some self signed HTTPS requests. This problem is caused by the invalid link certificate, because the self signed certificate will be recognized as an unsafe link.

sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

2. Solutions

  1. Set the security certificate of jdk according to the online method -> No work
  2. Set maven to ignore the certificate checksum -> no work
  3. Yml file configuration httpclient ignore SSL checksum, seems to have no effect.
  4. Finally used the method of modifying the code, the principle is also to ignore the certificate checksum, but the code produced the effect, it is estimated that the construction is related to the Httpclient.

 

Modify the original code

// Ignore SSL Security Certification
**SSLConnectionSocketFactory scsf = new SSLConnectionSocketFactory(
        SSLContexts.custom().loadTrustMaterial(null, new TrustSelfSignedStrategy()).build(),
        NoopHostnameVerifier.INSTANCE);**

try (CloseableHttpClient client = **HttpClients.custom().setSSLSocketFactory(scsf)**
        .setDefaultRequestConfig(requestConfig)
        .setRetryHandler(myRetryHandler)
        .build()) {

[Solved] Git Clone Error: error setting certificate verify locations

Description

When using git clone to clone an item on GitHub or gitee, the following error is reported:

error setting certificate verify locations:

CAfile: E:/Git/mingw64/ssl/certs/ca-bundle. crt

CApath: none

analysis

According to the error prompt, there is an error in setting the certificate verification location, that is, the certificate file path is wrong.

When cloning a remote project, the security certificate will be verified first. If the local security certificate file cannot be found, an error will be reported.

This is why this error will not be reported when cloning projects on gitlab, because gitlab is generally built on the intranet and does not need to verify the security certificate.

Path errors often occur because the local Git is installed green, that is, it is directly extracted and used.

In this way, the path of the certificate file is still the path on the original machine. If the path of the new machine is inconsistent, the path error will be caused.

Solution:

For the above analysis, there are two solutions:

  • Modify certificate file path (recommended)
  • Turn off certificate verification

Turning off certificate verification may cause security problems. It is recommended to modify the certificate file path.

Modify certificate file path

There are two ways:

  • Execute the configuration command (recommended)
  • Modify the configuration file

The essence of these two methods is to modify the configuration file. However, some misoperations may occur when modifying the file, and the operation is more cumbersome. It is recommended to execute the configuration command.

Execute configuration command

git config --system http.sslcainfo "Git安装路径/mingw64/ssl/certs/ca-bundle.crt"

Modify profile

Git’s system configuration files are located at: git installation path \etc\gitconfig

Modify the path in the file as shown in the figure to git installation path /mingw64/ssl/certs/ca-bundle.crt save again.

Turn off certificate verification

git config --system http.sslverify false

This method may cause git security problems and is not recommended.

Python: How to Disable InsecureRequestWarning error

Python Disable InsecureRequestWarning error

Send HTTPS requests using Python 3 requests. When SSL authentication is turned off (verify = false):

import requests
response = requests.get(url='http://127.0.0.1:12345/test', verify=False)

Error Messages:

InsecureRequestWarning: Unverified HTTPS request is being made. Adding certificate verification is strongly advised. See: https://urllib3.readthedocs.io/en/latest/advanced-usage.html#ssl-warnings

Solution:

#python3
import urllib3
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)

#python2
from requests.packages.urllib3.exceptions import InsecureRequestWarning
requests.packages.urllib3.disable_warnings(InsecureRequestWarning)

PS: as shown below, disable_warnings() will disable all warning types.

def disable_warnings(category=exceptions.HTTPWarning):
    """
    Helper for quickly disabling all urllib3 warnings.
    """
    warnings.simplefilter("ignore", category)

Python requests Error: ConnectionError: (‘Connection aborted.‘, error(104, ‘Connection reset by peer‘))

Python requests error

ConnectionError: (‘Connection aborted.’, error(104, ‘Connection reset by peer’))

There are two possible causes

1. Requests are too frequent, resulting in requests being rejected

Solution:

Set a sleep time for each request, such as
time sleep(1)

2. The interface has authentication or anti crawling mechanism. It is recognized that it is accessed by Python terminal, and the access is rejected

Solution:

Set user agent in request header to bypass authentication

as

headers = {'User-Agent': 'Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko',"Content-Type": "application/json"}

[Solved] Tomcat configurate HTTPS error: java.net.SocketException: Permission denied

Tomcat configuration HTTPS error Java net. SocketException: Permission denied

1. Error message

Today, when configuring HTTPS certificate for tomcat, an error was reported when starting Tomcat:

25-Jan-2022 22:01:59.398 SEVERE [main] org.apache.catalina.core.StandardService.initInternal Failed to initialize connector [Connector[HTTP/1.1-443]]
        org.apache.catalina.LifecycleException: Protocol handler initialization failed
                at org.apache.catalina.connector.Connector.initInternal(Connector.java:1060)
                at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
                at org.apache.catalina.core.StandardService.initInternal(StandardService.java:552)
                at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
                at org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:848)
                at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
                at org.apache.catalina.startup.Catalina.load(Catalina.java:639)
                at org.apache.catalina.startup.Catalina.load(Catalina.java:662)
                at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
                at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
                at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
                at java.lang.reflect.Method.invoke(Method.java:498)
                at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:303)
                at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:473)
        Caused by: java.net.SocketException: Permission denied
                at sun.nio.ch.Net.bind0(Native Method)
                at sun.nio.ch.Net.bind(Net.java:438)
                at sun.nio.ch.Net.bind(Net.java:430)
                at sun.nio.ch.ServerSocketChannelImpl.bind(ServerSocketChannelImpl.java:225)
                at sun.nio.ch.ServerSocketAdaptor.bind(ServerSocketAdaptor.java:74)
                at org.apache.tomcat.util.net.NioEndpoint.bind(NioEndpoint.java:221)
                at org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:1118)
                at org.apache.tomcat.util.net.AbstractJsseEndpoint.init(AbstractJsseEndpoint.java:223)
                at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:587)
                at org.apache.coyote.http11.AbstractHttp11Protocol.init(AbstractHttp11Protocol.java:74)
                at org.apache.catalina.connector.Connector.initInternal(Connector.java:1058)
                ... 13 more

The reason for the error is: java.net.Socketexception: permission denied , which is obviously a network permission problem. The reason for this problem is that the Linux operating system does not allow non root users to use ports less than 1024.

2. Solutions

1. Use the root account to start Tomcat
2. Change the port number to a port number greater than 1024, but add the port number to the URL request
3. Change the port number to a port number greater than 1024, and use iptables to forward port 443 to the configured port. The command is as follows:

#Execute the commands under the root
# Mapping port 443 to 8443
iptables -t nat -A PREROUTING -p tcp --dport 443 -j REDIRECT --to-port 8443

Running the test front-end project, Google browser accesses localhost with err_SSL_PROTOCOL_ERROR

Err appears in Google browser_SSL_PROTOCOL_ERROR

under test http://localhost:8080/ The following error occurred during

This web site cannot provide a secure connection. Localhost sent an invalid response err_SSL_PROTOCOL_ERROR

At this time, you need to open a blank page for input chrome://net-internals/#hsts
Find the delete domain policy
at the bottom of the left navigation bar. It has a delete domain security policies
example picture

then enter localhost in the domain input box and press Delete
and you’re done!

PS: this method is only for learning and use, and the user shall bear any legal disputes and consequences

Local repository upload to remote repository error: failed to push some refs to ‘https://hub.fastgit.org/zhizhangxuezhang/ui-test.git‘

There is an error in pushing from the local warehouse to the remote warehouse (rejected) because the code of the remote warehouse has been modified directly in the remote warehouse. At this time, the code of the local warehouse is different from that of the remote warehouse, so you must update the code of the local warehouse (Pull) first and then submit (push)

Error log in idea for this problem:

error log in Git bash:

at this time, you can only pull to update your local warehouse and then push to the remote warehouse, but you will find that you will also report an error when you pull to the local warehouse


at this time, your pull command should be changed to the following command, That is, just add a parameter to ignore the history (because the two branches are caused by different versions)

git pull origin master --allow-unrelated-histories

Initialization failed for ‘https://start.spring.io‘ Please check URL, network and proxy settings.

Error message:
initialization failed for‘ https://start.spring.io ’
Please check URL, network and proxy settings.

Error message:
Cannot download ‘ https://start.spring.io ’: connect timed out
the following error occurs when creating a new springboot project

1. Open file — settings

2. Search HTTP proxy – & gt; Check automatic proxy configuration URL:
– & gt; input https://start.spring.io –> Click auto detect proxy settings
– & gt; input https://start.spring.io –> Click OK

3. Finally, prompt: successful. It means success. Just recreate it

finally, it will be created successfully when it is newly created