javax.net.ssl.SSLHandshakeException: java.security.cert.CertPathValidatorException: Trust anchor for certification path not found


Problem description


I am using Retrofit to access my REST API. However, when I put my API behind ssl and access it by http://myhost/myapi then I get this error:

Do I need to do something extra now that my API is behind SSL?

Here is how I connect:

private final String API = "https://myhost/myapi";

private final RestAdapter REST_ADAPTER = new RestAdapter.Builder()
        .setServer(API)
        .setLogLevel(RestAdapter.LogLevel.FULL)
        .build();

01-10 09:49:55.621    2076-2100/com.myapp.mobile D/Retrofit﹕ javax.net.ssl.SSLHandshakeException: java.security.cert.CertPathValidatorException: Trust anchor for certification path not found.
            at org.apache.harmony.xnet.provider.jsse.OpenSSLSocketImpl.startHandshake(OpenSSLSocketImpl.java:401)
            at libcore.net.http.HttpConnection.setupSecureSocket(HttpConnection.java:209)
            at libcore.net.http.HttpsURLConnectionImpl$HttpsEngine.makeSslConnection(HttpsURLConnectionImpl.java:478)
            at libcore.net.http.HttpsURLConnectionImpl$HttpsEngine.connect(HttpsURLConnectionImpl.java:433)
            at libcore.net.http.HttpEngine.sendSocketRequest(HttpEngine.java:290)
            at libcore.net.http.HttpEngine.sendRequest(HttpEngine.java:240)
            at libcore.net.http.HttpURLConnectionImpl.getResponse(HttpURLConnectionImpl.java:282)
            at libcore.net.http.HttpURLConnectionImpl.getResponseCode(HttpURLConnectionImpl.java:497)
            at libcore.net.http.HttpsURLConnectionImpl.getResponseCode(HttpsURLConnectionImpl.java:134)
            at retrofit.client.UrlConnectionClient.readResponse(UrlConnectionClient.java:90)
            at retrofit.client.UrlConnectionClient.execute(UrlConnectionClient.java:48)
            at retrofit.RestAdapter$RestHandler.invokeRequest(RestAdapter.java:287)
            at retrofit.RestAdapter$RestHandler.invoke(RestAdapter.java:222)
            at $Proxy12.signin(Native Method)
            at com.myapp.loginactivity$3.doInBackground(LoginActivity.java:143)
            at com.myapp.loginactivity$3.doInBackground(LoginActivity.java:136)
            at android.os.AsyncTask$2.call(AsyncTask.java:287)
            at java.util.concurrent.FutureTask.run(FutureTask.java:234)
            at android.os.AsyncTask$SerialExecutor$1.run(AsyncTask.java:230)
            at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1080)
            at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:573)
            at java.lang.Thread.run(Thread.java:841)
     Caused by: java.security.cert.CertificateException: java.security.cert.CertPathValidatorException: Trust anchor for certification path not found.
            at org.apache.harmony.xnet.provider.jsse.TrustManagerImpl.checkTrusted(TrustManagerImpl.java:282)
            at org.apache.harmony.xnet.provider.jsse.TrustManagerImpl.checkServerTrusted(TrustManagerImpl.java:202)
            at org.apache.harmony.xnet.provider.jsse.OpenSSLSocketImpl.verifyCertificateChain(OpenSSLSocketImpl.java:595)
            at org.apache.harmony.xnet.provider.jsse.NativeCrypto.SSL_do_handshake(Native Method)
            at org.apache.harmony.xnet.provider.jsse.OpenSSLSocketImpl.startHandshake(OpenSSLSocketImpl.java:398)
            at libcore.net.http.HttpConnection.setupSecureSocket(HttpConnection.java:209)
            at libcore.net.http.HttpsURLConnectionImpl$HttpsEngine.makeSslConnection(HttpsURLConnectionImpl.java:478)
            at libcore.net.http.HttpsURLConnectionImpl$HttpsEngine.connect(HttpsURLConnectionImpl.java:433)
            at libcore.net.http.HttpEngine.sendSocketRequest(HttpEngine.java:290)
            at libcore.net.http.HttpEngine.sendRequest(HttpEngine.java:240)
            at libcore.net.http.HttpURLConnectionImpl.getResponse(HttpURLConnectionImpl.java:282)
            at libcore.net.http.HttpURLConnectionImpl.getResponseCode(HttpURLConnectionImpl.java:497)
            at libcore.net.http.HttpsURLConnectionImpl.getResponseCode(HttpsURLConnectionImpl.java:134)
            at retrofit.client.UrlConnectionClient.readResponse(UrlConnectionClient.java:90)
            at retrofit.client.UrlConnectionClient.execute(UrlConnectionClient.java:48)
            at retrofit.RestAdapter$RestHandler.invokeRequest(RestAdapter.java:287)
            at retrofit.RestAdapter$RestHandler.invoke(RestAdapter.java:222)
            at $Proxy12.signin(Native Method)
            at com.myapp.LoginActivity$3.doInBackground(LoginActivity.java:143)
            at com.myapp.LoginActivity$3.doInBackground(LoginActivity.java:136)
            at android.os.AsyncTask$2.call(AsyncTask.java:287)
            at java.util.concurrent.FutureTask.run(FutureTask.java:234)
            at android.os.AsyncTask$SerialExecutor$1.run(AsyncTask.java:230)
            at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1080)
            at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:573)
            at java.lang.Thread.run(Thread.java:841)

Solution

The reason this occurs is that the JVM/Dalvik does not have confidence in the CA certificates in the system or in the user certificate stores.

To fix this with Retrofit, if you are using okhttp (with another client it's very similar), you have to do the following:

A). Create a cert store containing the public key of the CA. To do this you need to run the following script for *nix. You need openssl installed on your machine, and to download the jar bcprov-jdk16-1.46.jar from https://www.bouncycastle.org/. Download this version and no other; version 1.5x is not compatible with Android 4.0.4.

#!/bin/bash

# Require the CA certificate (PEM) as the only argument.
if [ -z "$1" ]; then
  echo "Usage: cert2Android <CA cert PEM file>"
  exit 1
fi

CACERT="$1"
BCJAR=bcprov-jdk16-1.46.jar

TRUSTSTORE=mytruststore.bks
# Use the certificate's subject hash as the keystore alias.
ALIAS=$(openssl x509 -inform PEM -subject_hash -noout -in "$CACERT")

# Start from an empty truststore on every run.
if [ -f "$TRUSTSTORE" ]; then
    rm "$TRUSTSTORE" || exit 1
fi

echo "Adding certificate to $TRUSTSTORE..."
keytool -import -v -trustcacerts -alias "$ALIAS" \
      -file "$CACERT" \
      -keystore "$TRUSTSTORE" -storetype BKS \
      -providerclass org.bouncycastle.jce.provider.BouncyCastleProvider \
      -providerpath "$BCJAR" \
      -storepass secret

echo ""
echo "Added '$CACERT' with alias '$ALIAS' to $TRUSTSTORE..."

B). Copy the truststore file mytruststore.bks into res/raw of your project.

C). Set the SSLContext of the connection:

.............
okHttpClient = new OkHttpClient();
try {
    // Load the bundled truststore (res/raw/mytruststore.bks) that holds the CA certificate.
    KeyStore ksTrust = KeyStore.getInstance("BKS");
    InputStream instream = context.getResources().openRawResource(R.raw.mytruststore);
    try {
        ksTrust.load(instream, "secret".toCharArray());
    } finally {
        instream.close();
    }

    // TrustManager decides which certificate authorities to use.
    TrustManagerFactory tmf = TrustManagerFactory
        .getInstance(TrustManagerFactory.getDefaultAlgorithm());
    tmf.init(ksTrust);
    SSLContext sslContext = SSLContext.getInstance("TLS");
    sslContext.init(null, tmf.getTrustManagers(), null);

    okHttpClient.setSslSocketFactory(sslContext.getSocketFactory());
} catch (KeyStoreException | IOException | NoSuchAlgorithmException | CertificateException | KeyManagementException e) {
    // On failure the client keeps its default trust settings.
    e.printStackTrace();
}
.................
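
A check worth running before step A, shown here as an added example that is not part of the original answer: confirm that the CA PEM you are about to import really is the trust anchor for the server certificate. The function names, the temporary directory and the generated certificates are all constructed for the demo; it assumes OpenSSL 1.1.0 or later for `-no-CApath`.

```shell
#!/bin/bash
# Added example (not from the original answer): confirm a CA PEM really is the
# trust anchor for a server certificate before importing it into the BKS store.

# chain_verifies <CA cert PEM> <server cert PEM>
# Succeeds only if the server certificate chains to the given CA file;
# -no-CApath keeps the system CA directory out of the decision.
chain_verifies() {
  openssl verify -CAfile "$1" -no-CApath "$2" >/dev/null 2>&1
}

# make_ca <dir> <name>: constructed self-signed CA, for the demo only.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
    -keyout "$1/$2.key" -out "$1/$2.pem" >/dev/null 2>&1
}

# make_leaf <dir> <issuing CA name>: constructed server cert for CN=myhost.
make_leaf() {
  openssl req -newkey rsa:2048 -nodes -subj "/CN=myhost" \
    -keyout "$1/leaf.key" -out "$1/leaf.csr" >/dev/null 2>&1 &&
  openssl x509 -req -in "$1/leaf.csr" -CA "$1/$2.pem" -CAkey "$1/$2.key" \
    -set_serial 1 -days 1 -out "$1/leaf.pem" >/dev/null 2>&1
}

# anchor_demo: prints one verdict per CA file tried against the same leaf.
anchor_demo() {
  local dir ca verdicts=""
  dir=$(mktemp -d) || return 1
  make_ca "$dir" issuing-ca && make_ca "$dir" unrelated-ca &&
    make_leaf "$dir" issuing-ca || { rm -rf "$dir"; return 1; }
  for ca in issuing-ca unrelated-ca; do
    if chain_verifies "$dir/$ca.pem" "$dir/leaf.pem"; then
      verdicts="$verdicts trusted"
    else
      # The condition the Android client reports as "trust anchor not found".
      verdicts="$verdicts untrusted"
    fi
  done
  rm -rf "$dir"
  echo "${verdicts# }"
}

anchor_demo
```

With a real server, save its certificate to a PEM file and pass it as the second argument to `chain_verifies`; only a CA file that makes the check succeed is worth putting into mytruststore.bks.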
