Java:sun.security.provider.certpath.SunCertPathBuilderException:无法找到请求目标的有效证书路径
nez*_*reh 222 java ssl https ssl-certificate
我有一个类将从https服务器下载文件.当我运行它时,它会返回很多错误.我的证书似乎有问题.是否可以忽略客户端 - 服务器身份验证?如果是这样,怎么样?
package com.da;
import java.io.FileOutputStream;
import java.io.IOException;
import java.nio.CharBuffer;
import java.util.concurrent.Future;
import org.apache.http.HttpResponse;
import org.apache.http.client.utils.URIUtils;
import org.apache.http.impl.nio.client.DefaultHttpAsyncClient;
import org.apache.http.nio.IOControl;
import org.apache.http.nio.client.HttpAsyncClient;
import org.apache.http.nio.client.methods.AsyncCharConsumer;
import org.apache.http.nio.client.methods.HttpAsyncGet;
import org.apache.http.nio.client.methods.HttpAsyncPost;
public class RSDDownloadFile {
static FileOutputStream fos;
public void DownloadFile(String URI, String Request) throws Exception
{
java.net.URI uri = URIUtils.createURI("https", "176.66.3.69:6443", -1, "download.aspx",
"Lang=EN&AuthToken=package", null);
System.out.println("URI Query: " + uri.toString());
HttpAsyncClient httpclient = new DefaultHttpAsyncClient();
httpclient.start();
try {
Future<Boolean> future = httpclient.execute(
new HttpAsyncGet(uri),
new ResponseCallback(), null);
Boolean result = future.get();
if (result != null && result.booleanValue()) {
System.out.println("\nRequest successfully executed");
} else {
System.out.println("Request failed");
}
}
catch(Exception e){
System.out.println("[DownloadFile] Exception: " + e.getMessage());
}
finally {
System.out.println("Shutting down");
httpclient.shutdown();
}
System.out.println("Done");
}
static class ResponseCallback extends AsyncCharConsumer<Boolean> {
@Override
protected void onResponseReceived(final HttpResponse response) {
System.out.println("Response: " + response.getStatusLine());
System.out.println("Header: " + response.toString());
try {
//if(response.getStatusLine().getStatusCode()==200)
fos = new FileOutputStream( "Response.html" );
}catch(Exception e){
System.out.println("[onResponseReceived] Exception: " + e.getMessage());
}
}
@Override
protected void onCharReceived(final CharBuffer buf, final IOControl ioctrl) throws IOException {
try
{
while (buf.hasRemaining())
{
//System.out.print(buf.get());
fos.write(buf.get());
}
}catch(Exception e)
{
System.out.println("[onCharReceived] Exception: " + e.getMessage());
}
}
@Override
protected void onCleanup() {
try
{
if(fos!=null)
fos.close();
}catch(Exception e){
System.out.println("[onCleanup] Exception: " + e.getMessage());
}
System.out.println("onCleanup()");
}
@Override
protected Boolean buildResult() {
return Boolean.TRUE;
}
}
}
错误:
URI Query: https://176.66.3.69:6443/download.aspx?Lang=EN&AuthToken=package
Aug 2, 2011 3:47:57 PM org.apache.http.impl.nio.client.NHttpClientProtocolHandler exception
SEVERE: I/O error: General SSLEngine problem
javax.net.ssl.SSLHandshakeException: General SSLEngine problem
at com.sun.net.ssl.internal.ssl.Handshaker.checkThrown(Unknown Source)
at com.sun.net.ssl.internal.ssl.SSLEngineImpl.checkTaskThrown(Unknown Source)
at com.sun.net.ssl.internal.ssl.SSLEngineImpl.writeAppRecord(Unknown Source)
at com.sun.net.ssl.internal.ssl.SSLEngineImpl.wrap(Unknown Source)
at javax.net.ssl.SSLEngine.wrap(Unknown Source)
at org.apache.http.impl.nio.reactor.SSLIOSession.doHandshake(SSLIOSession.java:154)
at org.apache.http.impl.nio.reactor.SSLIOSession.isAppInputReady(SSLIOSession.java:276)
at org.apache.http.impl.nio.client.InternalClientEventDispatch.inputReady(InternalClientEventDispatch.java:79)
at org.apache.http.impl.nio.reactor.BaseIOReactor.readable(BaseIOReactor.java:161)
at org.apache.http.impl.nio.reactor.AbstractIOReactor.processEvent(AbstractIOReactor.java:335)
at org.apache.http.impl.nio.reactor.AbstractIOReactor.processEvents(AbstractIOReactor.java:315)
at org.apache.http.impl.nio.reactor.AbstractIOReactor.execute(AbstractIOReactor.java:275)
at org.apache.http.impl.nio.reactor.BaseIOReactor.execute(BaseIOReactor.java:104)
at org.apache.http.impl.nio.reactor.AbstractMultiworkerIOReactor$Worker.run(AbstractMultiworkerIOReactor.java:542)
at java.lang.Thread.run(Unknown Source)
Caused by: javax.net.ssl.SSLHandshakeException: General SSLEngine problem
at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Unknown Source)
at com.sun.net.ssl.internal.ssl.SSLEngineImpl.fatal(Unknown Source)
at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Unknown Source)
at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Unknown Source)
at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(Unknown Source)
at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(Unknown Source)
at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Unknown Source)
at com.sun.net.ssl.internal.ssl.Handshaker$1.run(Unknown Source)
at java.security.AccessController.doPrivileged(Native Method)
at com.sun.net.ssl.internal.ssl.Handshaker$DelegatedTask.run(Unknown Source)
at org.apache.http.impl.nio.reactor.SSLIOSession.doHandshake(SSLIOSession.java:180)
... 9 more
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.validator.PKIXValidator.doBuild(Unknown Source)
at sun.security.validator.PKIXValidator.engineValidate(Unknown Source)
at sun.security.validator.Validator.validate(Unknown Source)
at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(Unknown Source)
at com.sun.net.ssl.internal.ssl.JsseX509TrustManager.checkServerTrusted(Unknown Source)
... 16 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(Unknown Source)
at java.security.cert.CertPathBuilder.build(Unknown Source)
... 21 more
onCleanup()
[DownloadFile] Exception: javax.net.ssl.SSLHandshakeException: General SSLEngine problem
Shutting down
Done
Max*_*zin 200
当您的服务器具有自签名证书时,会出现此问题.要解决此问题,您可以将此证书添加到JVM的受信任证书列表中.
在本文中,作者介绍了如何从浏览器中获取证书并将其添加到JVM的cacerts文件中.您可以编辑JAVA_HOME/jre/lib/security/cacerts文件或使用-Djavax.net.ssl.trustStore参数运行应用程序.验证您正在使用哪个JDK/JRE,因为这通常会引起混淆.
另请参阅:如何解析SSL证书服务器名称/我可以使用keytool添加备用名称吗?如果你遇到java.security.cert.CertificateException: No name matching localhost found异常.
- 伟大的!有用!只是不要忘记,您可以同时拥有 jre 和 jdk,并且它们的“cacerts”都必须更新 (3认同)
- 这对我没有用.我安装了root和chain证书,但Tomcat-7仍会报告由"无法找到有效的证书路径到请求的目标"引起的validatorException以任何方式进行调试吗? (2认同)
Gab*_*esy 136
这是我在macOS上可靠的工作原理.确保将example.com和443替换为您尝试连接的实际主机名和端口,并提供自定义别名.第一个命令从远程服务器下载提供的证书,并以x509格式在本地保存.第二个命令将保存的证书加载到Java的SSL信任库中.
openssl x509 -in <(openssl s_client -connect example.com:443 -prexit 2>/dev/null) -out ~/example.crt
sudo keytool -importcert -file ~/example.crt -alias example -keystore $(/usr/libexec/java_home)/jre/lib/security/cacerts -storepass changeit
- 对我有用为什么?你需要提供一个解释. (3认同)
- .crt和.pem是相同文件格式的常用文件扩展名.如果您已有该文件,只需运行第二个命令并将其传递给-file参数. (3认同)
- 这不适用于 SNI 端点。对于这种情况,您需要在获取证书时添加:-servername example.com (2认同)
小智 40
来自赛门铁克的有效签名通配符证书存在同样的问题.
首先尝试使用-Djavax.net.debug = SSL运行您的Java应用程序,以查看实际情况.
我最终导入了导致证书链中断的中间证书.
我从symantec下载了缺少的中间证书(您可以在ssl握手日志中看到缺少证书的下载链接:在我的案例中为http://svrintl-g3-aia.verisign.com/SVRIntlG3.cer).
我在java密钥库中导入了cert.导入中间证书后,我的通配符ssl证书终于开始工作了:
keytool -import -keystore ../jre/lib/security/cacerts -trustcacerts -alias "VeriSign Class 3 International Server CA - G3" -file /pathto/SVRIntlG3.cer
- 为避免混淆,请使用调试参数运行 java(或 jcurl)以查看日志中的远程“证书链”,然后 grep 显式传递的信任库中的“CN”(而不是默认值)如下,如果不存在,则需要添加。https://www.ssllabs.com/ssltest/analyze.html 会显示服务器端证书是否链不完整,包括需要添加的中间认证路径证书。`-Djavax.net.debug=ssl,handshake -Djavax.net.ssl.keyStoreType=PKCS12 -Djavax.net.ssl.keyStore=our-client-certs -Djavax.net.ssl.trustStoreType=jks -Djavax.net。 ssl.trustStore=他们的服务器证书` (3认同)
Rob*_*bin 36
- 使用Firefox导出SSL证书.您可以通过在浏览器中点击URL来导出它,然后选择导出证书的选项.我们假设证书文件名是your.ssl.server.name.crt
- 去你的
JRE_HOME/bin或JDK/JRE/bin - 输入命令
keytool -keystore ..\lib\security\cacerts -import -alias your.ssl.server.name -file .\relative-path-to-cert-file\your.ssl.server.name.crt- 重新启动Java进程
- 如果要求输入密码,请使用默认的cacerts密钥库密码`changeit`(http://stackoverflow.com/a/22782035/1304830).另外一定要以管理员身份运行cmd. (11认同)
bhd*_*drk 20
@Gabe Martin-Dempesy的答案对我有帮助.我写了一个与之相关的小脚本.用法很简单.
从主机安装证书:
> sudo ./java-cert-importer.sh example.com
删除已安装的证书.
> sudo ./java-cert-importer.sh example.com --delete
java-cert-importer.sh
#!/usr/bin/env bash
# Exit on error
set -e
# Ensure script is running as root
if [ "$EUID" -ne 0 ]
then echo "WARN: Please run as root (sudo)"
exit 1
fi
# Check required commands
command -v openssl >/dev/null 2>&1 || { echo "Required command 'openssl' not installed. Aborting." >&2; exit 1; }
command -v keytool >/dev/null 2>&1 || { echo "Required command 'keytool' not installed. Aborting." >&2; exit 1; }
# Get command line args
host=$1; port=${2:-443}; deleteCmd=${3:-${2}}
# Check host argument
if [ ! ${host} ]; then
cat << EOF
Please enter required parameter(s)
usage: ./java-cert-importer.sh <host> [ <port> | default=443 ] [ -d | --delete ]
EOF
exit 1
fi;
if [ "$JAVA_HOME" ]; then
javahome=${JAVA_HOME}
elif [[ "$OSTYPE" == "linux-gnu" ]]; then # Linux
javahome=$(readlink -f $(which java) | sed "s:bin/java::")
elif [[ "$OSTYPE" == "darwin"* ]]; then # Mac OS X
javahome="$(/usr/libexec/java_home)/jre"
fi
if [ ! "$javahome" ]; then
echo "WARN: Java home cannot be found."
exit 1
elif [ ! -d "$javahome" ]; then
echo "WARN: Detected Java home does not exists: $javahome"
exit 1
fi
echo "Detected Java Home: $javahome"
# Set cacerts file path
cacertspath=${javahome}/lib/security/cacerts
cacertsbackup="${cacertspath}.$$.backup"
if ( [ "$deleteCmd" == "-d" ] || [ "$deleteCmd" == "--delete" ] ); then
sudo keytool -delete -alias ${host} -keystore ${cacertspath} -storepass changeit
echo "Certificate is deleted for ${host}"
exit 0
fi
# Get host info from user
#read -p "Enter server host (E.g. example.com) : " host
#read -p "Enter server port (Default 443) : " port
# create temp file
tmpfile="/tmp/${host}.$$.crt"
# Create java cacerts backup file
cp ${cacertspath} ${cacertsbackup}
echo "Java CaCerts Backup: ${cacertsbackup}"
# Get certificate from speficied host
openssl x509 -in <(openssl s_client -connect ${host}:${port} -prexit 2>/dev/null) -out ${tmpfile}
# Import certificate into java cacerts file
sudo keytool -importcert -file ${tmpfile} -alias ${host} -keystore ${cacertspath} -storepass changeit
# Remove temp certificate file
rm ${tmpfile}
# Check certificate alias name (same with host) that imported successfully
result=$(keytool -list -v -keystore ${cacertspath} -storepass changeit | grep "Alias name: ${host}")
# Show results to user
if [ "$result" ]; then
echo "Success: Certificate is imported to java cacerts for ${host}";
else
echo "Error: Something went wrong";
fi;
- Oracle 应该首先提供类似的东西,否则就永远不会创建自己可怕的 SSL 解决方案。SSL 证书处理应该是操作系统的工作。 (2认同)
Nis*_*ant 17
尝试使用JSSE打开与主机的SSL连接时.这通常意味着服务器正在使用测试证书(可能使用keytool生成)而不是来自知名商业证书颁发机构(如Verisign或GoDaddy)的证书.在这种情况下,Web浏览器会显示警告对话框,但由于JSSE无法假定交互式用户存在,因此默认情况下会抛出异常.
证书验证是SSL安全性的一个非常重要的部分,但我不是在编写此条目来解释详细信息.如果您有兴趣,可以先阅读Wikipedia blurb.我正在编写此条目,以显示一种与测试证书对话的简单方法,如果您真的想要.
基本上,您希望使用受信任的证书将服务器的证书添加到KeyStore
试试那里提供的代码.它可能有所帮助.
- 关于"证书验证是SSL安全性非常重要的一部分"的部分并不一定如此.SSL为您提供两个保证:(1)您的通信是私密的,(2)您正在与NSA已知的服务器通信.(:-)有时您只关心对话的隐私,然后是自签名认证很好.见http://social-biz.org/2011/10/16/the-anti-ssl-conspiracy/ (5认同)
- @AgilePro SSL 为您提供“四个”保证:身份验证、隐私、完整性和授权的可能性。它*不*向您保证您正在与 NSA 已知的服务器进行通信。只关心隐私而不进行身份验证是一个矛盾。 (2认同)
Vic*_*cXj 12
我遵循的简单步骤。
问题:我试图使用一个简单的java类(主要方法)连接到端点(https://%s.blob.core.windows.net)。
所以我在问题中遇到了上面提到的认证问题。
解决方案:
使用浏览器(chrome)获取证书。为此,请将您的端点 URL 粘贴到浏览器中并输入。现在您将看到一个锁图标,单击该图标-->证书-->详细信息-->复制到文件-->下载。
以管理员身份打开 cmd(我使用的是 Windows),然后导航到下载 .cer 文件的目录。
3.(可选)如果您在同一台计算机中使用多个 JDK,则将 JDK 版本更改为与应用程序中使用的版本相同。
- 现在使用以下命令
keytool -import -alias mycertificate -keystore "C:\Program Files\Java\jdk-11.0.5\lib\security\cacerts" -file myurlcrt.cer
给出默认密码:changeit
信任此证书:是
你就完成了。
谢谢!
这解决了我的问题,
我们需要将证书导入本地java。如果没有,我们会得到以下异常。
javax.net.ssl.SSLHandshakeException:sun.security.validator.ValidatorException:PKIX 路径构建失败:sun.security.provider.certpath.SunCertPathBuilderException:无法找到请求目标的有效认证路径
在 sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
在 sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1949)
在 sun.security.ssl.Handshaker.fatalSE(Handshaker.java:302)
SSLPOKE是一种工具,您可以在其中测试本地计算机的 https 连接。
测试连通性的命令:
"%JAVA_HOME%/bin/java" SSLPoke <hostname> 443
sun.security.validator.ValidatorException:PKIX 路径构建失败:
sun.security.provider.certpath.SunCertPathBuilderException:无法找到请求目标的有效认证路径
在 sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:387)
在 sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:292)
在 sun.security.validator.Validator.validate(Validator.java:260)
在 sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324)
在 sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:229)
在 sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:124)
在 sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1496)
在 sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:216)
在 sun.security.ssl.Handshaker.processLoop(Handshaker.java:1026)
在 sun.security.ssl.Handshaker.process_record(Handshaker.java:961)
在 sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1062)
在 sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1375)
在 sun.security.ssl.SSLSocketImpl.writeRecord(SSLSocketImpl.java:747)
在 sun.security.ssl.AppOutputStream.write(AppOutputStream.java:123)
在 sun.security.ssl.AppOutputStream.write(AppOutputStream.java:138)
在 SSLPoke.main(SSLPoke.java:31)
引起:sun.security.provider.certpath.SunCertPathBuilderException:无法找到有效的认证路径
请求的目标
在 sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141)
在 sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126)
在 java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280)
在 sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:382)
……还有 15 个
keytool -import -alias <anyname> -keystore "%JAVA_HOME%/jre/lib/security/cacerts" -file <cert path>
这将首先提示“输入密钥库密码:”changeit是默认密码。最后提示“信任此证书?[否]:”,提供“是”以将证书添加到密钥库。
验证:
C:\tools>"%JAVA_HOME%/bin/java" SSLPoke <hostname> 443
Successfully connected
仅适用于 Windows,请执行以下步骤:
- 在 Chrome 中转到设置。
- 在设置中单击显示高级设置。
- 在 HTTPS/SSL 下单击管理证书。
- 导出您的证书。
- 在 Windows 搜索中(在键盘上按 windows 键)输入 java.lang.
- 选择(配置 Java)选项将打开 Java 控制面板
- 在 Java 控制面板中选择安全选项卡
- 选择管理证书
- 单击导入
- 在(用户)选项卡下选择和证书类型为(可信证书)
- 单击导入按钮并浏览到下载的证书并将其导入。
我能够让它只使用代码,即不需要使用keytool:
import com.netflix.config.DynamicBooleanProperty;
import com.netflix.config.DynamicIntProperty;
import com.netflix.config.DynamicPropertyFactory;
import org.apache.http.client.config.RequestConfig;
import org.apache.http.config.Registry;
import org.apache.http.config.RegistryBuilder;
import org.apache.http.conn.ssl.SSLContexts;
import org.apache.http.conn.ssl.TrustStrategy;
import org.apache.http.conn.ssl.X509HostnameVerifier;
import org.apache.http.impl.nio.client.CloseableHttpAsyncClient;
import org.apache.http.impl.nio.client.HttpAsyncClients;
import org.apache.http.impl.nio.conn.PoolingNHttpClientConnectionManager;
import org.apache.http.impl.nio.reactor.DefaultConnectingIOReactor;
import org.apache.http.impl.nio.reactor.IOReactorConfig;
import org.apache.http.nio.conn.NoopIOSessionStrategy;
import org.apache.http.nio.conn.SchemeIOSessionStrategy;
import org.apache.http.nio.conn.ssl.SSLIOSessionStrategy;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLException;
import javax.net.ssl.SSLSession;
import javax.net.ssl.SSLSocket;
import java.io.IOException;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
public class Test
{
private static final DynamicIntProperty MAX_TOTAL_CONNECTIONS = DynamicPropertyFactory.getInstance().getIntProperty("X.total.connections", 40);
private static final DynamicIntProperty ROUTE_CONNECTIONS = DynamicPropertyFactory.getInstance().getIntProperty("X.total.connections", 40);
private static final DynamicIntProperty CONNECT_TIMEOUT = DynamicPropertyFactory.getInstance().getIntProperty("X.connect.timeout", 60000);
private static final DynamicIntProperty SOCKET_TIMEOUT = DynamicPropertyFactory.getInstance().getIntProperty("X.socket.timeout", -1);
private static final DynamicIntProperty CONNECTION_REQUEST_TIMEOUT = DynamicPropertyFactory.getInstance().getIntProperty("X.connectionrequest.timeout", 60000);
private static final DynamicBooleanProperty STALE_CONNECTION_CHECK = DynamicPropertyFactory.getInstance().getBooleanProperty("X.checkconnection", true);
public static void main(String[] args) throws Exception
{
SSLContext sslcontext = SSLContexts.custom()
.useTLS()
.loadTrustMaterial(null, new TrustStrategy()
{
@Override
public boolean isTrusted(X509Certificate[] chain, String authType) throws CertificateException
{
return true;
}
})
.build();
SSLIOSessionStrategy sslSessionStrategy = new SSLIOSessionStrategy(sslcontext, new AllowAll());
Registry<SchemeIOSessionStrategy> sessionStrategyRegistry = RegistryBuilder.<SchemeIOSessionStrategy>create()
.register("http", NoopIOSessionStrategy.INSTANCE)
.register("https", sslSessionStrategy)
.build();
DefaultConnectingIOReactor ioReactor = new DefaultConnectingIOReactor(IOReactorConfig.DEFAULT);
PoolingNHttpClientConnectionManager connectionManager = new PoolingNHttpClientConnectionManager(ioReactor, sessionStrategyRegistry);
connectionManager.setMaxTotal(MAX_TOTAL_CONNECTIONS.get());
connectionManager.setDefaultMaxPerRoute(ROUTE_CONNECTIONS.get());
RequestConfig requestConfig = RequestConfig.custom()
.setSocketTimeout(SOCKET_TIMEOUT.get())
.setConnectTimeout(CONNECT_TIMEOUT.get())
.setConnectionRequestTimeout(CONNECTION_REQUEST_TIMEOUT.get())
.setStaleConnectionCheckEnabled(STALE_CONNECTION_CHECK.get())
.build();
CloseableHttpAsyncClient httpClient = HttpAsyncClients.custom()
.setSSLStrategy(sslSessionStrategy)
.setConnectionManager(connectionManager)
.setDefaultRequestConfig(requestConfig)
.build();
httpClient.start();
// use httpClient...
}
private static class AllowAll implements X509HostnameVerifier
{
@Override
public void verify(String s, SSLSocket sslSocket) throws IOException
{}
@Override
public void verify(String s, X509Certificate x509Certificate) throws SSLException {}
@Override
public void verify(String s, String[] strings, String[] strings2) throws SSLException
{}
@Override
public boolean verify(String s, SSLSession sslSession)
{
return true;
}
}
}
- 请注意,此解决方案不安全. (8认同)
我的Apache 2.4实例(使用Comodo通配符证书)上此错误的来源是SHA-1签名的根证书的不完整路径。颁发的证书中有多个链,导致SHA-1根证书的链缺少中间证书。现代浏览器知道如何处理,但是Java 7默认情况下不处理(尽管有一些复杂的方法可以在代码中完成)。结果是错误消息看起来与自签名证书相同:
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:196)
at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:268)
at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:380)
... 22 more
在这种情况下,由于缺少中间证书,将生成“无法找到到所请求目标的有效证书路径”消息。您可以使用针对服务器的SSL Labs测试来检查缺少的证书。找到适当的证书后,将其下载并(如果服务器在您的控制之下)将其添加到证书捆绑包中。或者,您可以在本地导入丢失的证书。在服务器上解决此问题是解决该问题的更一般的方法。
有很多方法可以解决这个问题...
一种方法是在 keystore 文件中设置 TrustStore 证书并将其放在应用程序的路径中,并在 main 方法中设置这些系统属性:
public static void main(String[] args) {
System.setProperty("javax.net.ssl.trustStore", "trust-store.jks");
System.setProperty("javax.net.ssl.trustStorePassword", "TrustStore");
...
}
另一种方法是将密钥库作为资源文件放在项目 jar 文件中并加载它:
public static SSLContext createSSLContext(String resourcePath, String pass) throws NoSuchAlgorithmException, KeyStoreException, IOException, CertificateException, UnrecoverableKeyException, KeyManagementException {
// initialise the keystore
final char[] password = pass.toCharArray();
KeyStore ks = KeyStore.getInstance("JKS");
ks.load(ThisClass.class.getResourceAsStream(resourcePath
), password);
// Setup the key manager factory.
KeyManagerFactory kmf = KeyManagerFactory.getInstance("SunX509");
kmf.init(ks, password);
// Setup the trust manager factory.
TrustManagerFactory tmf = TrustManagerFactory.getInstance("SunX509");
tmf.init(ks);
SSLContext sslc = SSLContext.getInstance("TLS");
sslc.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
return sslc;
}
public static void main(String[] args) {
SSLContext.setDefault(
createSSLContext("/trust-store.jks", "TrustStore"));
...
}
在 Windows 中,您也可以尝试此解决方案:https : //stackoverflow.com/a/59056537/980442
我.crt以这种方式从证书颁发机构 CA文件创建了密钥库文件:
keytool -import -alias ca -keystore trust-store.jks -storepass TrustStore -trustcacerts -file ca.crt
仅供参考:https : //docs.oracle.com/javadb/10.8.3.0/adminguide/cadminsslclient.html
遇到了像这样的图片的问题。
尝试了一些解决方案。但发现即使是同一个项目,在别人的工作场所也完全没问题。无需额外设置。所以我们猜测这是一个环境问题。我们尝试更改 JDK 版本、IDE 但没有成功。调查花了大约4个小时,直到我们尝试了评分最高的答案。我没有找到该答案中提到的错误,但我通过浏览器发现有关 HTTP URL(锁定)的内容是 Charles 的认证。然后我意识到我的查尔斯一直在线。只要我把它关掉,它就一切正常。
所以我留下了我的经验,可能对你的案子有帮助。
| 归档时间: |
|
| 查看次数: |
561322 次 |
| 最近记录: |