PKIX路径构建在Java应用程序中失败 [英] PKIX path building failed in Java application
本文介绍了PKIX路径构建在Java应用程序中失败的处理方法,对大家解决问题具有一定的参考价值,需要的朋友们下面随着小编来一起学习吧!
问题描述
我将应用程序从Windows 2000移动到Windows 2008 R2服务器后,一直在努力将近一个星期让我的应用程序运行。
过程: p>
- 安装的Java JDK 1.7.0_25
- 设置系统环境变量
JAVA_HOME到C:\Progra〜1\Java\jdk1.7.0_25\ - 导入证书成为cacerts与
keytool - 确保证书存在于
keytool中-list。
我已经尝试重复步骤3 与 InstallCert ,以确保我没有弄乱任何东西。
上述方法没有解决我的问题,所以我试图以编程方式执行:
System.setProperty(javax.net.ssl.trustStore,
C:/Progra~1/Java/jdk1.7.0_25/jre/lib/security/cacerts);
System.setProperty(javax.net.ssl.trustStorePassword,changeit);
仍然没有任何运气。我被卡住了,不太确定从这里走哪个方向。
堆栈跟踪:
javax.net.ssl.SSLHandshakeException:sun.security.validator.ValidatorException:PKIX路径构建失败:sun.security.provider.certpath.SunCertPathBuilderException:无法找到请求目标的有效认证路径
at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1886)
at sun.security.ssl.Handshaker .fatalSE(Handshaker.java:276)
at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:270)
at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1341 )
at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:153)
at sun.security.ssl.Handshaker.processLoop(Handshaker.java:868)
at sun。 security.ssl.Handshaker.process_record(Handshaker.java:804)
at sun.security.ssl.SSLSocketImpl .readRecord(SSLSocketImpl.java:1016)
at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1312)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1339 )
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1323)
at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:515)
at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185)
at sun.net.www.protocol.https.HttpsURLConnectionImpl.connect(HttpsURLConnectionImpl.java:153)
在util.SMS.send(SMS.java:93)
在domain.ActivationSMSSenderMain.sendActivationMessagesToCustomers(ActivationSMSSenderMain.java:80)
在domain.ActivationSMSSenderMain。< init>(ActivationSMSSenderMain.java:44 )
在domain.ActivationSMSSenderMain.main(ActivationSMSSenderMain.java:341)
导致:sun.security.validator.ValidatorException:PKIX路径建筑失败:sun.security.provider.certpath.SunCertPathBuilderException:无法找到有效的认证路径到请求的目标
在sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:385)
在太阳。 security.validator.PKIXValidator.engineValidate(PKIXValidator.java:292)
at sun.security.validator.Validator.validate(Validator.java:260)
at sun.security.ssl.X509TrustManagerImpl.validate( X509TrustManagerImpl.java:326)
at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:231)
at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:126)
at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1323)
... 14更多
导致:sun.security.provider.certpath.SunCertPathBuilderException:无法找到有效的认证路径请求目标
在sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBu ilder.java:196)
在java.security.cert.CertPathBuilder.build(CertPathBuilder.java:268)
at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:380)
... 20更多
更新:
System.out.println(System.getProperty(javax.net.ssl.trustStore));
和
System.out.println(System.getProperty(javax.net.ssl.keyStore));
返回 null 。
解决方案
我遇到类似的问题,其原因和解决办法都是相当简单的:
主要原因:没有使用keytool导入正确的证书
注意:只导入根CA(或您自己的自签名)证书
<注意:不要导入中间的非证书链根证书
imap.gmail.com的解决方案示例< /强>
-
确定根CA证书:
code> openssl s_client -showcerts -connect imap.gmail.com:993
在这种情况下我们发现根CA是Equifax安全证书颁发机构
- 下载根CA证书。
- 通过与信息比较验证下载的证书具有正确的SHA-1和/或MD5指纹 在这里找到
-
导入证书
javax.net.ssl.trustStore:
keytool -import -alias gmail_imap -file Equifax_Secure_Certificate_Authority.pem
- 运行您的java代码
I have been struggling for almost one week to get my applications up running after moving my applications from Windows 2000 to Windows 2008 R2 Server.
The procedure:
- Installed Java JDK 1.7.0_25
- Set system environment variable
JAVA_HOMEtoC:\Progra~1\Java\jdk1.7.0_25\ - Imported the certificate into cacerts with
keytool - Ensured that the certificate exists in
keytoolwith-list.
I have tried to repeat step 3 with InstallCert to ensure that i havent messed anything up.
The above methods did not solve my problem, so i tried to do it programmatically:
System.setProperty("javax.net.ssl.trustStore",
"C:/Progra~1/Java/jdk1.7.0_25/jre/lib/security/cacerts");
System.setProperty("javax.net.ssl.trustStorePassword", "changeit");
Still without any luck. I am stuck and not quite sure which direction to go from here.
Stack trace:
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1886)
at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:276)
at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:270)
at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1341)
at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:153)
at sun.security.ssl.Handshaker.processLoop(Handshaker.java:868)
at sun.security.ssl.Handshaker.process_record(Handshaker.java:804)
at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1016)
at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1312)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1339)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1323)
at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:515)
at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185)
at sun.net.www.protocol.https.HttpsURLConnectionImpl.connect(HttpsURLConnectionImpl.java:153)
at util.SMS.send(SMS.java:93)
at domain.ActivationSMSSenderMain.sendActivationMessagesToCustomers(ActivationSMSSenderMain.java:80)
at domain.ActivationSMSSenderMain.<init>(ActivationSMSSenderMain.java:44)
at domain.ActivationSMSSenderMain.main(ActivationSMSSenderMain.java:341)
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:385)
at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:292)
at sun.security.validator.Validator.validate(Validator.java:260)
at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:326)
at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:231)
at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:126)
at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1323)
... 14 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:196)
at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:268)
at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:380)
... 20 more
UPDATE:
Both
System.out.println(System.getProperty("javax.net.ssl.trustStore"));
and
System.out.println(System.getProperty("javax.net.ssl.keyStore"));
returns null.
解决方案
I ran into similar issues whose cause and solution turned out both to be rather simple:
Main Cause: Did not import the proper cert using keytool
NOTE: Only import root CA (or your own self-signed) certificates
NOTE: don't import an intermediate, non certificate chain root cert
Solution Example for imap.gmail.com
Determine the root CA cert:
openssl s_client -showcerts -connect imap.gmail.com:993in this case we find the root CA is Equifax Secure Certificate Authority
- Download root CA cert.
- Verify downloaded cert has proper SHA-1 and/or MD5 fingerprints by comparing with info found here
Import cert for
javax.net.ssl.trustStore:keytool -import -alias gmail_imap -file Equifax_Secure_Certificate_Authority.pem- Run your java code
这篇关于PKIX路径构建在Java应用程序中失败的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
查看全文
