我使用SSL连接将Web客户端连接到服务器.它长时间没有任何问题.但从昨天起,它给出了以下错误,任何人都可以告诉我原因.
javax.net.ssl.SSLException: Connection has been shutdown: javax.net.ssl.SSLHandshakeException: Received fatal alert: certificate_unknown
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.checkEOF(SSLSocketImpl.java:1172)
at com.sun.net.ssl.internal.ssl.AppInputStream.read(AppInputStream.java:65)
at net.schubart.fixme.internal.MessageInput.readExactly(MessageInput.java:166)
at net.schubart.fixme.internal.MessageInput.readMessage(MessageInput.java:78)
at cc.aot.itsWeb.ClientWriterThread.run(ClientWriterThread.java:241)
at java.lang.Thread.run(Thread.java:619)
clientWriter.ready
Caused by: javax.net.ssl.SSLHandshakeException: Received fatal alert: certificate_unknown
at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:174)
at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:136)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.recvAlert(SSLSocketImpl.java:1586)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:865)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1029)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.writeRecord(SSLSocketImpl.java:621)
at com.sun.net.ssl.internal.ssl.AppOutputStream.write(AppOutputStream.java:59)
at java.io.OutputStream.write(OutputStream.java:58)
at net.schubart.fixme.internal.Message.write(Message.java:267)
at net.schubart.fixme.internal.MessageOutput.writeMessage(MessageOutput.java:53)
小智 9
我在这个问题上花了12个多小时.创建自签名证书后,需要将该证书导出到该cacert文件.就我而言,它位于/usr/lib/java/jre/lib/security/cacert.您可以使用keytool(您可能必须具有root访问权限)导出证书:
$ sudo keytool -exportcert -alias keyStoreAlias -keystore \
keyStoreKeys.keys -file /usr/local/java/jre/lib/security/cacerts
你遇到的问题是证书.以下列出了在使用安全SSL程序之前可能需要熟悉的事项.必须有信任库,密钥库,并且必须添加证书.要将密钥添加到cacerts文件(如步骤6),计算机可能会要求您输入您不知道的密码.最有可能是"改变"
1)使用相应的公钥/私钥创建新的密钥库和自签名证书:
keytool -genkeypair -alias "username" -keyalg RSA -validity 7 -keystore keystore
2)检查密钥库:
keytool -list -v -keystore keystore
3)导出并检查自签名证书:
keytool -export -alias "username" -keystore keystore -rfc -file "username".cer
4)将证书导入新的信任库:
keytool -import -alias "username" -file "username".cer -keystore truststore
5)检查信任库:
keytool -list -v -keystore truststore
6)添加到密钥库(这是你要找的):
sudo keytool -import -file "username".cer -alias "username" -keystore "path-to-keystore"
在某些系统上可以找到它
/usr/lib/jvm/<java version folder>/jre/lib/security/cacerts
在其他系统上它就像是
/etc/ssl/certs/java/cacerts
如果您需要更多说明,请查看Git-Hub上的这个项目:https: //github.com/rabbitfighter81/JSSLInfoCollectionServer 这是一个帮助密钥的shell脚本. https://github.com/rabbitfighter81/SSLKeytool
小智 8
这个“certificate_unknown”是一个非常具有误导性的错误消息。这与证书过期时抛出的错误消息相同,即使它位于信任库中也是如此。我建议您在浪费时间做其他事情之前检查证书的到期日期。
| 归档时间: |
|
| 查看次数: |
71698 次 |
| 最近记录: |