解决 javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed 错误? [英] Resolving javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed Error?

问题描述

我尝试在我的 博客.

这是原来的问题.

我收到此错误:

详细信息 sun.security.validator.ValidatorException: PKIX 路径构建失败:
sun.security.provider.certpath.SunCertPathBuilderException:无法找到到请求目标的有效认证路径

detailed message sun.security.validator.ValidatorException: PKIX path building failed:
sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

导致 javax.net.ssl.SSLHandshakeException:sun.security.validator.ValidatorException:PKIX 路径构建失败:sun.security.provider.certpath.SunCertPathBuilderException:无法找到到请求目标的有效认证路径

cause javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

我使用 Tomcat 6 作为网络服务器.我在同一台机器上的不同端口上的不同 Tomcat 上安装了两个 HTTPS Web 应用程序.说 App1(端口 8443)和 App2(端口 443).App1 连接到 App2.当 App1 连接到 App2 时，出现上述错误.我知道这是一个非常常见的错误，因此在不同的论坛和网站上遇到了许多解决方案.我在两个 Tomcat 的 server.xml 中有以下条目:

I am using Tomcat 6 as webserver. I have two HTTPS web applications installed on different Tomcats on different ports but on the same machine. Say App1 (port 8443) and App2 (port 443). App1 connects to App2. When App1 connects to App2 I get the above error. I know this is a very common error so came across many solutions on different forums and sites. I have the below entry in server.xml of both Tomcats:

keystoreFile="c:/.keystore" 
keystorePass="changeit"

每个站点都说同样的原因，app2 提供的证书不在 app1 jvm 的可信存储中.当我尝试在 IE 浏览器中访问相同的 URL 时，这似乎也是正确的，它可以工作(带有预热，此网站的安全证书有问题.我说继续访问此网站).但是，当 Java 客户端(在我的情况下)访问相同的 URL 时，我收到上述错误.因此，为了将其放入信任库，我尝试了以下三个选项:

Every site says the same reason that certificate given by app2 is not in the trusted store of app1 jvm. This seems to be true also when I tried to hit the same URL in IE browser, it works (with warming, There is a problem with this web site's security certificate. Here I say continue to this website). But when same URL is hit by Java client (in my case) I get the above error. So to put it in the truststore I tried these three options:

System.setProperty("javax.net.ssl.trustStore", "C:/.keystore");
System.setProperty("javax.net.ssl.trustStorePassword", "changeit");

选项 2

在环境变量下面设置

Option 2

Setting below in environment variable

CATALINA_OPTS -- param name
-Djavax.net.ssl.trustStore=C:\.keystore -Djavax.net.ssl.trustStorePassword=changeit ---param value

选项 3

在环境变量下面设置

Option 3

Setting below in environment variable

JAVA_OPTS -- param name
-Djavax.net.ssl.trustStore=C:\.keystore -Djavax.net.ssl.trustStorePassword=changeit ---param value

结果

但没有任何效果.

Result

But nothing worked.

最后的工作正在执行如何处理无效的 SSL 中建议的 Java 方法Apache HttpClient 的证书?，Pascal Thivent，即执行程序 InstallCert.

What at last worked is executing the Java approach suggested in How to handle invalid SSL certificates with Apache HttpClient? by Pascal Thivent i.e. executing the program InstallCert.

但是这种方法适用于 devbox 设置，但我不能在生产环境中使用它.

我想知道为什么我在 App2 服务器的 server.xml 中提到了相同的值，并且通过设置在 truststore 中提到了相同的值时，上面提到的三种方法不起作用

I am wondering why three approaches mentioned above did not work when I have mentioned the same values in server.xml of App2 server and same values in truststore by setting

System.setProperty("javax.net.ssl.trustStore", "C:/.keystore") 和 System.setProperty("javax.net.ssl.trustStorePassword", "changeit");

在 App1 程序中.

in App1 program.

有关更多信息，这是我建立连接的方式:

For more information this is how I am making the connection:

URL url = new URL(urlStr);

URLConnection conn = url.openConnection();

if (conn instanceof HttpsURLConnection) {

  HttpsURLConnection conn1 = (HttpsURLConnection) url.openConnection();
  
  conn1.setHostnameVerifier(new HostnameVerifier() {
    public boolean verify(String hostname, SSLSession session) {
      return true;
    }
  });

  reply.load(conn1.getInputStream());

推荐答案

您需要将App2的证书添加到位于JVM的信任库文件中代码>$JAVA_HOME\lib\security\cacerts.

You need to add the certificate for App2 to the truststore file of the used JVM located at $JAVA_HOME\lib\security\cacerts.

首先，您可以通过运行以下命令来检查您的证书是否已经在信任库中:keytool -list -keystore "$JAVA_HOME/jre/lib/security/cacerts"(不需要提供密码)

First you can check if your certificate is already in the truststore by running the following command: keytool -list -keystore "$JAVA_HOME/jre/lib/security/cacerts" (you don't need to provide a password)

如果您的证书丢失，您可以使用浏览器下载它并使用以下命令将其添加到信任库中:

If your certificate is missing, you can get it by downloading it with your browser and add it to the truststore with the following command:

keytool -import -noprompt -trustcacerts -alias <AliasName> -file   <certificate> -keystore <KeystoreFile> -storepass <Password>

示例:

keytool -import -noprompt -trustcacerts -alias myFancyAlias -file /path/to/my/cert/myCert.cer -keystore /path/to/my/jdk/jre/lib/security/cacerts/keystore.jks -storepass changeit

导入后，您可以再次运行第一个命令来检查您的证书是否已添加.

After import you can run the first command again to check if your certificate was added.

可以在此处找到 Sun/Oracle 信息.

Sun/Oracle information can be found here.

这篇关于解决 javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed 错误?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！