PKIX Path does not chain with any of the trust anchors error in Windows Environment


Question

I am a bit of an idiot as to how SSL and web services work at the fine-grained level. I am developing a system that calls several web services, some with secured URLs and others that are not, with little problem. Currently, however, I am doing an integration with Endicia's LabelServer Web API. The web service is used to calculate and print postage.

The test URL and WSDL are at: https://www.envmgr.com/LabelService/EwsLabelService.asmx

I used wsimport to create and set up a Java client for connecting to this web service, but when I try to call it I get the error

PKIX path validation failed: java.security.cert.CertPathValidatorException: Path does not chain with any of the trust anchors

This error is documented here: Java 7 refusing to trust certificate in trust store

in which it's discussed how Java 7 forces an error with self-signed certificates with "bad" key usage. Bad in this situation is defined as not containing keyCertSign. The web service does work with Java 6. I can believe this situation might apply to this certificate since it's only being used as a test server, but I don't know how to verify that.

There's a bug report on it that is solved (http://bugs.java.com/bugdatabase/view_bug.do?bug_id=7018897), but I'm not sure how any of this translates to fixing the problem for a Windows Tomcat environment. I exported the certificate onto my machine, but am uncertain how to proceed from there.

I tried using OpenSSL to modify the certificate and add it to my keystore as described in the "Refusing to trust certificate in trust store" link and it didn't work. It seems like this is a process that is done by the owner of the certificate, right? I wonder if there's some way I can configure my Java 7 environment to let this certificate through.

Answer

The default Java certificate checks are pretty strict, and have apparently gotten stricter. One workaround is to initialize an SSLContext with a custom X509TrustManager. A trust manager that does nothing, i.e. is completely insecure, that I once wrote for testing looks like this:

import java.security.cert.X509Certificate;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;

// WARNING: accepts every certificate, so it gives no protection at all. Testing only.
TrustManager[] trustAllCerts = new TrustManager[]{
   new X509TrustManager() {
      public X509Certificate[] getAcceptedIssuers() {
         // The interface requires a non-null (possibly empty) array; some callers iterate over it.
         return new X509Certificate[0];
      }
      public void checkClientTrusted(X509Certificate[] certs, String authType) {
         // No checks: any client certificate is accepted.
      }
      public void checkServerTrusted(X509Certificate[] certs, String authType) {
         // No checks: any server certificate is accepted.
      }
   }
};

Obviously you would want to actually check the certificate chain in a real program. You could then try to initialize an SSLContext with it and call SSLContext.setDefault() if your API has no other way of configuring SSL. If the API uses the default SSL context, then this should work.

Key usage does not appear to be the issue in this case, as the certificate chain is not self-signed. Testing the URL appears to show that (1) the leaf certificate is not self-signed and (2) the other two certificates in the chain appear to have certificate signing enabled. An alternative possibility is that Java 6 and Java 7 have separate trust stores and the root certificate is not in the Java 7 store. You may want to double-check that. If you have access to OpenSSL, you can get the certificate chain from the server with:

openssl s_client -host www.example.com -port 443 -showcerts


Apparently updating the trust store was the key (pun intended). The OP reports:

I downloaded OpenSSL for Windows 64 and then used this command to download the certificate chain:

openssl s_client -host www.webserviceurl.com -port 443 -showcerts > c:\temp\certchain_output.crt

Then I want to import it into my browser's keystore like so (from the JDK's home directory/jre/lib/security):

keytool -import -alias ca -file certchain_output.crt -keystore cacerts -storepass changeit

I believe using X509TrustManager could provide an effective solution as well.

