SSL Exception on Java: Path does not chain with any of the trust anchors


Question

I am trying to establish an SSL connection with my MySQL database in Java using MySQL Connector/J (version 5.1.45) and this AWS RDS certificate here: https://s3.amazonaws.com/rds-downloads/rds-combined-ca-bundle.pem

But I get the following Exception:

java.security.cert.CertPathValidatorException: Path does not chain with any of the trust anchors

I could trace this Exception down to the MySQL Connector/J class ExportControlled.java on line 297:

CertPathValidatorResult result = this.validator.validate(certPath, this.validatorParams);

Then I can't go further down, since this goes into the JRE security classes, like CertPathValidator.

Since I am using MySQL Connector/J to do the whole SSL magic, my hands are tied and I don't know what's going on or how to fix this. The certificate works fine on MySQL Workbench and on IntelliJ IDEA Database, so I have no clue why it's being rejected now.

How can I fix this?

Accepted answer

I fixed this after A LOT of headaches. The truststore needs to have ALL the certificates of the chain. I was using https://s3.amazonaws.com/rds-downloads/rds-combined-ca-bundle.pem, which IN THEORY has all the certificates, but when you import it into a keystore file, keytool ignores all but the first certificate, so I only had the root certificate in my keystore and not the root and the AWS Region certificate that I actually needed.

For now, there's no way to batch import all the certificates. I tried several methods, including converting to PKCS7 (which supports certificate chains), but keytool needs one alias for each certificate, so you need to import each certificate and give it an alias, one at a time.

You could make a program to call keytool and load one certificate at a time, or you could be a bit more lazy, as I was, and use KeyStore Explorer. You will need to choose to create a new keystore file, open the bundled PEM certificate using the Examine File option and, for each certificate in it, select import; this will import the selected certificate into the new keystore. At the end you just have to define a password for your keystore file and save it.
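The "call keytool once per certificate" approach from the answer, written out as a POSIX shell script. This is an added example, not code from the original post or from MySQL Connector/J: it splits a PEM bundle into one file per `-----BEGIN CERTIFICATE-----` block with awk, then runs `keytool -importcert` for each file under its own alias (`rds-ca-1`, `rds-ca-2`, ...), which is exactly the one-alias-per-certificate constraint the answer describes. It assumes a JDK `keytool` on PATH and a real bundle such as rds-combined-ca-bundle.pem; the sample bundle the script can write for itself contains placeholder blocks (constructed, not real certificates) that only exercise the splitting step.

```shell
#!/bin/sh
# Added example (not from the original post): import every certificate of a
# PEM bundle into a JKS truststore with one keytool call per certificate.
# Assumptions: keytool (JDK) on PATH, a PEM bundle file, a writable directory.
set -eu

# split_pem_bundle BUNDLE OUTDIR
# Writes each BEGIN/END CERTIFICATE block to OUTDIR/cert-N.pem and prints N,
# the number of certificates found. keytool -importcert only reads the first
# block of a multi-certificate file, which is why we split first.
split_pem_bundle() {
    bundle="$1"; outdir="$2"
    mkdir -p "$outdir"
    awk -v dir="$outdir" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/cert-" n ".pem" }
        n > 0 && out != ""           { print > out }
        /-----END CERTIFICATE-----/   { close(out); out = "" }
        END                           { print n + 0 }
    ' "$bundle"
}

# import_bundle BUNDLE TRUSTSTORE PASSWORD
# Imports every certificate from BUNDLE into TRUSTSTORE, each under a distinct
# alias, so the resulting truststore holds the whole chain (root and regional
# intermediates), not just the first certificate of the bundle.
import_bundle() {
    bundle="$1"; store="$2"; pass="$3"
    tmp=$(mktemp -d)
    count=$(split_pem_bundle "$bundle" "$tmp")
    i=1
    while [ "$i" -le "$count" ]; do
        keytool -importcert -noprompt -trustcacerts \
            -keystore "$store" -storepass "$pass" \
            -alias "rds-ca-$i" -file "$tmp/cert-$i.pem"
        i=$((i + 1))
    done
    rm -rf "$tmp"
    echo "imported $count certificate(s) into $store"
}

# write_sample_bundle PATH
# Constructed two-block bundle with placeholder bodies (NOT real certificates);
# it demonstrates the splitting only and would be rejected by keytool.
write_sample_bundle() {
    printf '%s\n' \
        '-----BEGIN CERTIFICATE-----' 'UExBQ0VIT0xERVItUk9PVA==' \
        '-----END CERTIFICATE-----' '' \
        '-----BEGIN CERTIFICATE-----' 'UExBQ0VIT0xERVItUkVHSU9O' \
        '-----END CERTIFICATE-----' > "$1"
}

# Usage: ./import-bundle.sh rds-combined-ca-bundle.pem rds-truststore.jks changeit
# With no arguments, only the splitting step runs against the constructed sample.
if [ "$#" -eq 3 ]; then
    import_bundle "$1" "$2" "$3"
elif [ "$#" -eq 0 ]; then
    demo=$(mktemp -d)
    write_sample_bundle "$demo/bundle.pem"
    echo "sample bundle split into $(split_pem_bundle "$demo/bundle.pem" "$demo/out") file(s)"
    rm -rf "$demo"
fi
```

After running it, `keytool -list -keystore rds-truststore.jks -storepass changeit` should show one `trustedCertEntry` per certificate in the bundle; point Connector/J at the file with `trustCertificateKeyStoreUrl=file:rds-truststore.jks` and `trustCertificateKeyStorePassword=changeit`. Note that the one-at-a-time limitation is specific to `keytool`; a small Java program can read an entire bundle in one go with `CertificateFactory.getInstance("X.509").generateCertificates(inputStream)` and add each result with `KeyStore.setCertificateEntry`, which is the same end result without shelling out.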
