PKIX Path does not chain with any of the trust anchors error in Windows Environment

Question

I am a bit of an idiot as to how SSL and web services work at the fine-grained level. I am developing a system that calls several web services, some with secured URLs and others that are not, with little problem. Currently, however, I am doing an integration with Endicia's LabelServer Web API. The web service is used to calculate and print postage.

The test URL and WSDL are at: https://www.envmgr.com/LabelService/EwsLabelService.asmx

I used wsimport to create and set up a Java client for connecting to this web service, but when I try to call it I get the error

PKIX path validation failed: java.security.cert.CertPathValidatorException: Path does not chain with any of the trust anchors

This error is documented here: Java 7 refusing to trust certificate in trust store

in which it's discussed how Java 7 forces an error with self-signed certificates with "bad" key usage. Bad in this situation is defined as not containing keyCertSign. The web service does work with Java 6. I can believe this situation might apply to this certificate since it's only being used as a test server, but I don't know how to verify that.

There's a bug report on it that is solved (http://bugs.java.com/bugdatabase/view_bug.do?bug_id=7018897), but I'm not sure how any of this translates to fixing the problem for a Windows Tomcat environment. I exported the certificate onto my machine, but am uncertain of how to proceed from there.

I tried using OpenSSL to modify the certificate and add it to my keystore as described in the "Refusing to trust certificate in trust store" link and it didn't work. It seems like this is a process that is done by the owner of the certificate, right? I wonder if there's some way I can configure my Java 7 environment to let this certificate through.

Recommended answer

The default Java certificate checks are pretty strict, and have apparently gotten stricter. One workaround is to initialize an SSLContext with a custom X509TrustManager. A trust manager that does nothing, i.e. is completely insecure, that I once wrote for testing looks like this:

import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;

// Accepts any certificate chain without checking anything: for testing only, never for production.
TrustManager[] trustAllCerts = new TrustManager[]{
   new X509TrustManager() {
      // Advertises no accepted issuers.
      public java.security.cert.X509Certificate[] getAcceptedIssuers()
         {
            return null;
         }
      // Never throws, so every client chain is "trusted".
      public void checkClientTrusted(
         java.security.cert.X509Certificate[] certs,
         String authType )
         {
         }
      // Never throws, so every server chain is "trusted".
      public void checkServerTrusted(
         java.security.cert.X509Certificate[] certs,
         String authType )
         {
         }
   }
};

Obviously you would want to actually check the certificate chain in a real program. You could then try to initialize an SSLContext with it and call SSLContext.setDefault() if your API has no other way of configuring SSL. If the API uses the default SSL context then this should work.

Key usage does not appear to be the issue in this case as the certificate chain is not self-signed. Testing the URL appears to show that the leaf certificate is not self-signed and the other two certificates in the chain appear to have certificate signing enabled. An alternative possibility is that Java 6 and Java 7 have separate trust stores and the root certificate is not in the Java 7 store. You may want to double-check that. If you have access to OpenSSL, you can get the certificate chain from the server with:

openssl s_client -host www.example.com -port 443 -showcerts

Apparently updating the trust store was the key (pun intended). The OP reports:

I downloaded OpenSSL for Windows 64 and then used this command to download the certificate chain:

openssl s_client -host www.webserviceurl.com -port 443 -showcerts > c:\temp\certchain_output.crt

Then I want to import it into my browser's keystore like so (from the JDK's home directory/jre/lib/security):

keytool -import -alias ca -file certchain_output.crt -keystore cacerts -storepass changeit

I believe using X509TrustManager could provide an effective solution as well.
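An added example, not code from the question or the answer, showing the direction the answer recommends over the trust-all manager: keep full PKIX validation, but build the SSLContext from a trust store made of the JRE's own cacerts plus the certificates exported with openssl, and only then call SSLContext.setDefault(). The cacerts location, the chain file path and the "changeit" password are assumptions; adjust them for your machine.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

/** SSLContext that still performs PKIX chain validation, against an extended trust store. */
public final class ChainTrustContext {

    // Assumed locations: the JRE's cacerts and the PEM chain saved from openssl s_client.
    static final String CACERTS = System.getProperty("java.home") + "/lib/security/cacerts";
    static final String CHAIN_PEM = "C:/temp/certchain_output.crt";

    /** Loads cacerts and adds every certificate found in the PEM chain file as a trusted entry. */
    public static KeyStore loadTrustStore(String cacertsPath, char[] password, String chainPem)
            throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(cacertsPath)) {
            ks.load(in, password);                       // start from the JRE's existing anchors
        }
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        try (InputStream in = new FileInputStream(chainPem)) {
            int i = 0;
            // generateCertificates() parses every BEGIN/END CERTIFICATE block, not only the first
            for (Certificate c : cf.generateCertificates(in)) {
                ks.setCertificateEntry("imported-" + (i++), c);
            }
        }
        return ks;
    }

    /** Builds a context whose X509TrustManager really checks the chain against the store. */
    public static SSLContext contextFor(KeyStore trustStore) throws Exception {
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);                            // PKIX trust manager, no trust-all shortcut
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        KeyStore ks = loadTrustStore(CACERTS, "changeit".toCharArray(), CHAIN_PEM);
        SSLContext.setDefault(contextFor(ks));           // only when the API offers no SSL hook
    }
}
```

Importing just the CA certificates from the exported chain, rather than the server's leaf certificate, keeps the client working when the server certificate is renewed.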
