PKIX路径构建在Java应用程序中失败 [英] PKIX path building failed in Java application

问题描述

在将应用程序从Windows 2000移至Windows 2008 R2 Server后，我一直在努力使我的应用程序运行一段时间。

程序：

1. 安装Java JDK 1.7.0_25


2. 设置系统环境变量 JAVA_HOME 到 C：\Progra〜1 \Java\jdk1.7.0_25\


3. 导入证书存入 keytool


4. 确认证书存在于 keytool -list 。

我已尝试重复步骤3 与 InstallCert ，以确保我没有弄乱任何东西。

上述方法没有解决我的问题，所以我试图以编程方式：

  System.setProperty（javax.net.ssl.trustStore，
C：/Progra~1/Java/jdk1.7.0_25/jre/lib/security/cacerts）; 
 System.setProperty（javax.net.ssl.trustStorePassword，changeit）; 
  

仍然没有运气。

堆栈跟踪：

  javax.net.ssl.SSLHandshakeException：sun.security.validator.ValidatorException：PKIX路径构建失败：sun.security.provider.certpath.SunCertPathBuilderException：无法找到有效的请求目标的认证路径
 at sun.security.ssl.Alerts.getSSLException（Alerts.java:192）
 at sun.security.ssl.SSLSocketImpl.fatal（SSLSocketImpl.java:1886）
 at sun.security.ssl.Handshaker .fatalSE（Handshaker.java:276）
 at sun.security.ssl.Handshaker.fatalSE（Handshaker.java:270）
 at sun.security.ssl.ClientHandshaker.serverCertificate（ClientHandshaker.java:1341 ）
 at sun.security.ssl.ClientHandshaker.processMessage（ClientHandshaker.java:153）
 at sun.security.ssl.Handshaker.processLoop（Handshaker.java:868）
 at sun。 security.ssl.Handshaker.process_record（Handshaker.java:804）
 at sun.security.ssl.SSLSocketImpl.readRecord（SSLSocketImpl.java:1016）
 at sun.security.ssl.SSLSocketImpl.performInitialHandshake（ SSLSocketImpl.java:1312）
 at sun.security.ssl.SSLSocketImpl.startHandshake（SSLSocketImpl.java:1339）
 at sun.security.ssl.SSLSocketImpl.startHandshake（SSLSocketImpl.java:1323）
 at sun.net.www.protocol.https.HttpsClient.afterConnect（HttpsClient.java:515）
 at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect（AbstractDelegateHttpsURLConnection.java:185）
 at sun.net.www.protocol.https.HttpsURLConnectionImpl.connect（HttpsURLConnectionImpl.java:153）
在util.SMS.send（SMS.java:93）
在domain.ActivationSMSSenderMain.sendActivationMessagesToCustomers （ActivationSMSSenderMain.java:80）
在domain.ActivationSMSSenderMain。< init>（ActivationSMSSenderMain.java:44）
在domain.ActivationSMSSenderMain.main（ActivationSMSSenderMain.java:341）
 ：sun.security.validator.ValidatorException：PKIX路径构建失败：sun.security.provider.certpath.SunCertPathBuilderException：无法找到有效的证书路径请求目标
在sun.security.validator.PKIXValidator.doBuild（PKIXValidator。 java：385）
 at sun.security.validator.PKIXValidator.engineValidate（PKIXValidator.java:292）
 at sun.security.validator.Validator.validate（Validator.java:260）
在sun.security.ssl.X509TrustManagerImpl.validate（X509TrustManagerImpl.java:326）
在sun.security.ssl.X509TrustManagerImpl.checkTrusted（X509TrustManagerImpl.java:231）
在sun.security.ssl.X509TrustManagerImpl .checkServerTrusted（X509TrustManagerImpl.java:126）
 at sun.security.ssl.ClientHandshaker.serverCertificate（ClientHandshaker.java:1323）
 ... 14更多
引发者：sun.security。 provider.certpath.SunCertPathBuilderException：无法找到有效的请求目标的认证路径
 at sun.security.provider.certpath.SunCertPathBuilder.engineBuild（SunCertPathBuilder.java:196）
 at java.security.cert.CertPathBuilder .build（CertPathBuilder.java:268）
 at sun.security.validator.PKIXValidator.doBuild（PKIXValidator.java:380）
 ...还有20多个
  
 
 
 
  UPDATE： 
 
 
 
 
  System.out.println（System.getProperty（javax.net.ssl.trustStore））;  
和
  System.out .println（System.getProperty（javax.net.ssl.keyStore））;  
 
 
 
返回 null 。
解决方案
我碰到类似的问题，其原因和解决方案都很简单： / p> 
 
 
 主要原因：未使用keytool导入正确的证书
 
 
 
注意：不要导入中间的非证书链根文件，只能导入根CA（或您自己的自签名证书）
 
 
 < cert 
 
 
 
  imap.gmail.com的解决方案示例 
 
 
 
确定根CA证书：
  openssl s_client -showcerts -connect imap.gmail。 com：993 
  
在这种情况下，我们发现根CA是Equifax安全证书颁发机构 
 
 
 
下载根CA证书。
 
 
通过与信息      $ c>：
 
  keytool -import -alias gmail_imap -file Equifax_Secure_Certificate_Authority.pem 
 
 
 
 
运行您的java代码
 
 
 
I have been struggling for almost one week to get my applications up running after moving my applications from Windows 2000 to Windows 2008 R2 Server.


The procedure:

Installed Java JDK 1.7.0_25
Set system environment variable JAVA_HOME to C:\Progra~1\Java\jdk1.7.0_25\
Imported the certificate into cacerts with keytool
Ensured that the certificate exists in keytool with -list.
I have tried to repeat step 3 with InstallCert to ensure that i havent messed anything up.

The above methods did not solve my problem, so i tried to do it programmatically:
System.setProperty("javax.net.ssl.trustStore",
"C:/Progra~1/Java/jdk1.7.0_25/jre/lib/security/cacerts");
System.setProperty("javax.net.ssl.trustStorePassword", "changeit");
Still without any luck. I am stuck and not quite sure which direction to go from here.

Stack trace:
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
    at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1886)
    at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:276)
    at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:270)
    at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1341)
    at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:153)
    at sun.security.ssl.Handshaker.processLoop(Handshaker.java:868)
    at sun.security.ssl.Handshaker.process_record(Handshaker.java:804)
    at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1016)
    at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1312)
    at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1339)
    at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1323)
    at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:515)
    at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185)
    at sun.net.www.protocol.https.HttpsURLConnectionImpl.connect(HttpsURLConnectionImpl.java:153)
    at util.SMS.send(SMS.java:93)
    at domain.ActivationSMSSenderMain.sendActivationMessagesToCustomers(ActivationSMSSenderMain.java:80)
    at domain.ActivationSMSSenderMain.<init>(ActivationSMSSenderMain.java:44)
    at domain.ActivationSMSSenderMain.main(ActivationSMSSenderMain.java:341)
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:385)
    at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:292)
    at sun.security.validator.Validator.validate(Validator.java:260)
    at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:326)
    at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:231)
    at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:126)
    at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1323)
    ... 14 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:196)
    at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:268)
    at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:380)
    ... 20 more
UPDATE:

Both 
System.out.println(System.getProperty("javax.net.ssl.trustStore")); 
and 
System.out.println(System.getProperty("javax.net.ssl.keyStore")); 

returns null.
解决方案
I ran into similar issues whose cause and solution turned out both to be rather simple:

Main Cause: Did not import the proper cert using keytool 

NOTE: Only import root CA (or your own self-signed) certificates 

NOTE: don't import an intermediate, non certificate chain root cert

Solution Example for imap.gmail.com

Determine the root CA cert: 
openssl s_client -showcerts -connect imap.gmail.com:993
in this case we find the root CA is Equifax Secure Certificate Authority
Download root CA cert.
Verify downloaded cert has proper SHA-1 and/or MD5 fingerprints by comparing with info found here
Import cert for javax.net.ssl.trustStore: 
keytool -import -alias gmail_imap -file Equifax_Secure_Certificate_Authority.pem

Run your java code 


                        
这篇关于PKIX路径构建在Java应用程序中失败的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！