PKIX path building failed in Java application
Problem description
I have been struggling for almost one week to get my applications up and running after moving my applications from Windows 2000 to Windows 2008 R2 Server.
The procedure:
- Installed Java JDK 1.7.0_25
- Set system environment variable JAVA_HOME to C:\Progra~1\Java\jdk1.7.0_25\
- Imported the certificate into cacerts with keytool
- Ensured that the certificate exists in keytool with -list.
I have tried to repeat step 3 with InstallCert to ensure that I haven't messed anything up.
The above methods did not solve my problem, so I tried to do it programmatically:
System.setProperty("javax.net.ssl.trustStore", "C:/Progra~1/Java/jdk1.7.0_25/jre/lib/security/cacerts");
System.setProperty("javax.net.ssl.trustStorePassword", "changeit");
Still without any luck. I am stuck and not quite sure which direction to go from here.
Stack trace:
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
    at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1886)
    at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:276)
    at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:270)
    at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1341)
    at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:153)
    at sun.security.ssl.Handshaker.processLoop(Handshaker.java:868)
    at sun.security.ssl.Handshaker.process_record(Handshaker.java:804)
    at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1016)
    at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1312)
    at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1339)
    at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1323)
    at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:515)
    at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185)
    at sun.net.www.protocol.https.HttpsURLConnectionImpl.connect(HttpsURLConnectionImpl.java:153)
    at util.SMS.send(SMS.java:93)
    at domain.ActivationSMSSenderMain.sendActivationMessagesToCustomers(ActivationSMSSenderMain.java:80)
    at domain.ActivationSMSSenderMain.<init>(ActivationSMSSenderMain.java:44)
    at domain.ActivationSMSSenderMain.main(ActivationSMSSenderMain.java:341)
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:385)
    at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:292)
    at sun.security.validator.Validator.validate(Validator.java:260)
    at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:326)
    at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:231)
    at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:126)
    at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1323)
    ... 14 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:196)
    at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:268)
    at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:380)
    ... 20 more
UPDATE:
Both
System.out.println(System.getProperty("javax.net.ssl.trustStore"));
and
System.out.println(System.getProperty("javax.net.ssl.keyStore"));
return null.
Solution
I ran into similar issues whose cause and solution turned out both to be rather simple:
Main Cause: Did not import the proper cert using keytool
NOTE: Only import root CA (or your own self-signed) certificates
NOTE: don't import an intermediate, non certificate chain root cert
Solution Example for imap.gmail.com
- Determine the root CA cert:
openssl s_client -showcerts -connect imap.gmail.com:993
In this case we find the root CA is Equifax Secure Certificate Authority
- Download root CA cert.
- Verify downloaded cert has proper SHA-1 and/or MD5 fingerprints by comparing with info found here
- Import cert for javax.net.ssl.trustStore:
keytool -import -alias gmail_imap -file Equifax_Secure_Certificate_Authority.pem
- Run your java code