sun.security.validator.ValidatorException: SunCertPathBuilderException - while importing certificate

Question

I am getting the exception

sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

I have set the SSL certificate in the location

C:\Program Files\AdoptOpenJDK\jdk-11.0.9.11-hotspot\lib\security

keytool -import -keystore cacerts -file C:\Users\test\Desktop\Certificate\oCertificate.cer

But I am getting the above exception while I am hitting the server.

Results I saw: I have added the certificate to the JDK cacerts file, and it worked for two days, then I was getting the same error again. I am unable to get it working; I am able to successfully ping the server, then it shows the exception again.

Recommended answer

Is the problem you describe that running keytool to import the certificate gives you this error? Please provide the option -trustcacerts and see the documentation about this:

Import a New Trusted Certificate

Before you add the certificate to the keystore, the keytool command verifies it by attempting to construct a chain of trust from that certificate to a self-signed certificate (belonging to a root CA), using trusted certificates that are already available in the keystore.

If the -trustcacerts option was specified, then additional certificates are considered for the chain of trust, namely the certificates in a file named cacerts.

If the keytool command fails to establish a trust path from the certificate to be imported up to a self-signed certificate (either from the keystore or the cacerts file), then the certificate information is printed, and the user is prompted to verify it by comparing the displayed certificate fingerprints with the fingerprints obtained from some other (trusted) source of information, which might be the certificate owner. Be very careful to ensure the certificate is valid before importing it as a trusted certificate. The user then has the option of stopping the import operation. If the -noprompt option is specified, then there is no interaction with the user.

Source: https://docs.oracle.com/en/java/javase/11/tools/keytool.html

Alternatively you may find that keytool is not very user-friendly and you may enjoy other software like: https://keystore-explorer.org/downloads.html more.

Or if the problem is that your (TLS-client, or even TLS-server) software has some certificate issue, it might be, as jccampanero already suggested, that the server might have switched to a different certificate, or for all I know the server may actually be several different servers behind a load-balancer which may not all have the same certificates. (Or maybe you installed some Java update that replaced the default cacerts file?)

In case of problems I highly recommend reading the JSSE documentation and enabling debug logging with the Java option -Djavax.net.debug=all, or maybe a little less than all, like handshake; see the Java 11 docs at:

This shows the exact TrustStore your application uses, the certificate(s) that the server offers during the handshake and a lot of other negotiation stuff that is part of the TLS handshake.

If you prefer full control of who you trust to issue certificates you can configure your own truststore instead of the default that can live outside your Java installation with options like:

java -Djavax.net.ssl.trustStore=samplecacerts \
     -Djavax.net.ssl.trustStorePassword=changeit \
     Application

I trust that studying this debug logging should make it straightforward to resolve the issue; if it doesn't, please provide us with some of the relevant logging.
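
To check the two points the answer raises (which trust store the JVM actually reads, and whether the imported certificate is still in it), the following added example, which is not part of the original answer, resolves the store in the JSSE default order and looks the certificate up by value. The class name TrustStoreCheck and the optional file argument are assumptions made for illustration; the SHA-256 fingerprint it prints is the value to compare against one obtained from the certificate owner.

```java
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;

// Added diagnostic; TrustStoreCheck is a hypothetical name, not from the page.
public class TrustStoreCheck {
    // JSSE default lookup order: system property, then jssecacerts, then cacerts.
    static Path resolveTrustStore() {
        String prop = System.getProperty("javax.net.ssl.trustStore");
        if (prop != null) return Paths.get(prop);
        Path sec = Paths.get(System.getProperty("java.home"), "lib", "security");
        Path jsse = sec.resolve("jssecacerts");
        return Files.exists(jsse) ? jsse : sec.resolve("cacerts");
    }

    // Hex SHA-256 over the DER encoding, the fingerprint keytool also displays.
    static String sha256(X509Certificate c) throws Exception {
        byte[] d = MessageDigest.getInstance("SHA-256").digest(c.getEncoded());
        StringBuilder sb = new StringBuilder();
        for (byte b : d) sb.append(String.format("%02X", b));
        return sb.toString();
    }

    public static void main(String[] args) throws Exception {
        Path store = resolveTrustStore();
        String pw = System.getProperty("javax.net.ssl.trustStorePassword", "changeit");
        KeyStore ks = KeyStore.getInstance(store.toFile(), pw.toCharArray());
        System.out.println("Trust store: " + store + " (" + ks.size()
                + " entries, modified " + Files.getLastModifiedTime(store) + ")");
        X509Certificate cert;
        if (args.length > 0) {   // certificate file (DER or PEM) to look up
            try (InputStream in = Files.newInputStream(Paths.get(args[0]))) {
                cert = (X509Certificate) CertificateFactory.getInstance("X.509")
                        .generateCertificate(in);
            }
        } else {                 // no file given: self-check with an existing entry
            cert = (X509Certificate) ks.getCertificate(ks.aliases().nextElement());
        }
        System.out.println("Subject: " + cert.getSubjectX500Principal());
        System.out.println("Issuer:  " + cert.getIssuerX500Principal());
        System.out.println("Expires: " + cert.getNotAfter());
        System.out.println("SHA-256: " + sha256(cert));
        String alias = ks.getCertificateAlias(cert);
        System.out.println(alias != null ? "Trusted under alias: " + alias
                : "NOT in this trust store");
    }
}
```

Run it with the same -Djavax.net.ssl.trustStore options as the application, passing the .cer file as the argument. A recent modification time or a missing alias after a Java update is consistent with the default cacerts file having been replaced.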
