解决javax.net.ssl.SSLHandshakeException：sun.security.validator.ValidatorException：PKIX路径构建失败错误？ [英] Resolving javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed Error?

问题描述

编辑： - 尝试以更加流畅的方式格式化问题并接受答案 博客

Edit :- Tried to format the question and accepted answer in more presentable way at mine Blog

以下是原始问题： -

Here is the original issue:-

我收到此错误

详细信息sun.security.validator。 ValidatorException：PKIX路径
构建失败：

sun.security.provider.certpath.SunCertPathBuilderException：无法
查找到请求目标的有效证书路径

detailed message sun.security.validator.ValidatorException: PKIX path building failed:
sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

导致javax.net.ssl.SSLHandshakeException：
sun.security.validator.ValidatorException：PKIX路径构建
失败：sun.security.provider.certpath.SunCertPathBuilderException：
无法找到所请求目标的有效证书路径

cause javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

我使用tomcat 6作为网络服务器。我有两个https webbapplication安装在不同的tomcat上的differte端口，但在同一台机器上。说 App1（端口8443）和
App2（端口443）。 App1 连接到 App2 。当 App1 连接到 App2我获得以上错误。我知道这是非常常见的错误，所以在不同的
论坛和网站上遇到了很多解决方案。我在tomcat的 server.xml 中有以下条目，即

i am using tomcat 6 as webserver. i have two https webbapplication installed on different tomcat on differte port but on same machine. Say App1(port 8443) and App2(port 443). App1 connects to App2 .When App1 connects to App2 i get above error. I know this is very common error so came across many solutions on different forums and sites. I have below entry in server.xml of both tomcat i.e

keystoreFile="c:/.keystore" 
keystorePass="changeit"

每个网站都说同样的原因，app2给出的证书不在app1 jvm的可信存储中。这似乎也是如此，当我厌倦了在IE浏览器中点击相同的
URL时，它可以工作（加热，这个网站的安全证书有问题。这里我说继续这个网站）但是当相同的时候url
被java客户端命中（在我的例子中）。所以我得到了上述错误。所以把它放在trustore我尝试了这些树选项，即

Every site says the same reason that certificate given by app2 is not in the trusted store of app1 jvm. This seems to be true also when i tired to hit the same URL in IE browser, it works(with warming, There is a problem with this web site's security certificate. here i say continue to this website) But when same url is hit by java client(in my case). So i get the above error. So to put it in trustore i tried these tree options i.e

Option1

System.setProperty("javax.net.ssl.trustStore", "C:/.keystore");
System.setProperty("javax.net.ssl.trustStorePassword", "changeit");

Option2
在环境变量中设置如下

Option2 Setting below in environment variable

CATALINA_OPTS -- param name
-Djavax.net.ssl.trustStore=C:\.keystore -Djavax.net.ssl.trustStorePassword=changeit ---param value

Option3
在环境变量中设置如下

Option3 Setting below in environment variable

JAVA_OPTS -- param name
-Djavax.net.ssl.trustStore=C:\.keystore -Djavax.net.ssl.trustStorePassword=changeit ---param value

但没有任何效果。

最后的工作正在执行如何使用Apache HttpClient处理无效的SSL证书？由Pascal Thivent处理，即
执行程序InstallCert。

What at last worked is executing the java approach suggested in How to handle invalid SSL certificates with Apache HttpClient? by Pascal Thivent i.e executing the program InstallCert.

但这种方法适用于devbox设置，但我不能在生产环境中使用它。

我想知道
为什么当我在 server.xml 中提到相同的值时，上面提到的三种方法都不起作用app2 服务器和信任库中的相同值通过设置

I am wondering why three approaches mentioned above did not work when i have mentioned same values in server.xml of app2 server and same values in truststore by setting

System.setProperty（javax.net.ssl.trustStore ，C：/。keystore）和System.setProperty（javax.net.ssl.trustStorePassword，changeit）;

在 app1 程序。

有关详细信息，请参阅我的连接方式

For more information this is how i am making the connection

URL url = new URL(urlStr);

URLConnection conn = url.openConnection();

if (conn instanceof HttpsURLConnection) {

  HttpsURLConnection conn1 = (HttpsURLConnection) url.openConnection();

  conn1.setHostnameVerifier(new HostnameVerifier() {
    public boolean verify(String hostname, SSLSession session) {
      return true;
    }
  });

  reply.load(conn1.getInputStream());

推荐答案

您需要为 App2添加证书到位于％JAVA_HOME％\lib\security \ cacerts 的已使用JVM的truststore文件。

You need to add the certificate for App2 to the truststore file of the used JVM located at %JAVA_HOME%\lib\security\cacerts.

首先，您可以通过运行以下命令来检查您的证书是否已经在信任库中：
keytool -list -keystore％JAVA_HOME％/ jre / lib / security / cacerts （您无需提供密码）

First you can check if your certificate is already in the truststore by running the following command: keytool -list -keystore "%JAVA_HOME%/jre/lib/security/cacerts" (you don't need to provide a password)

如果您的证书丢失，您可以通过浏览器下载它来获取它并使用以下命令将其添加到信任库：

If your certificate is missing, you can get it by downloading it with your browser and add it to the truststore with the following command:

keytool -import -noprompt -trustcacerts -alias< AliasName> -file< certificate> -keystore< KeystoreFile> -storepass<密码>

您可以再次运行第一个命令来检查您的证书是否已添加。

Afer import you can run the first command again to check if your certificate was added.

可以在找到Sun / Oracle信息这里。

这篇关于解决javax.net.ssl.SSLHandshakeException：sun.security.validator.ValidatorException：PKIX路径构建失败错误？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！