PKIX path building failed, but the certificate is in cacerts

Views: 214

Problem description



I have the problem that is also described here. The thing is that I created a certificate and added it to the keystore of tomcat, and then I copied it to the cacerts truststore. However, somehow I still get this error.

What I have done:

1) keytool -genkey -alias cas -keyalg RSA -keystore cas.keystore -storepass changeit

2) keytool -exportcert -alias cas -file cas.crt -keystore cas.keystore

Step 2) because I wanted to put the certificate in my tomcat keystore and cacerts

3) keytool -import -alias cas -file cas.crt -keystore "C:\Program Files\Java\jdk1.8.0_77\jre\lib\security\cacerts"

4) keytool -import -alias cas -file "C:\Program Files\Java\jdk1.8.0_7\jre\bin\cas.crt" -keystore "D:\portal\apache-tomcat-8.0.3\conf\portal.keystore"

So now with step 3 and 4 I added the certificate in my tomcat keystore and the truststore cacerts.

Now I can list my trust- and keystore

With this command..

keytool -list -v -keystore "C:\Program Files\Java\jdk1.8.0_77\jre\lib\security\cacerts" -alias cas

... I get this:

Keystore-Kennwort eingeben:
Aliasname: cas
Erstellungsdatum: 09.09.2016
Eintragstyp: trustedCertEntry

Eigentümer: CN=xxx, OU=xxx, O=xxx, L=xxx, ST=xxx, C=xxx
Aussteller: CN=xxx, OU=xxx, O=xxx, L=xxx, ST=xxx, C=xxx
Seriennummer: xxx
Gültig von: Fri Sep 09 10:40:55 CEST 2016 bis: Thu Dec 08 09:40:55 CET 2016
Zertifikat-Fingerprints:
         MD5:  ....
         SHA1: ....
         SHA256: ....
         Signaturalgorithmusname: SHA256withRSA
         Version: 3

Erweiterungen:

#1: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [...
]
]

And with this:

keytool -list -v -keystore "D:\portal\apache-tomcat-8.0.30\conf\portal.keystore" -alias cas

I get this:

Keystore-Kennwort eingeben:

Keystore-Typ: JKS
Keystore-Provider: SUN

Keystore enthält 1 Eintrag

Aliasname: cas
Erstellungsdatum: 09.09.2016
Eintragstyp: trustedCertEntry

    Eigentümer: CN=xxx, OU=xxx, O=xxx, L=xxx, ST=xxx, C=xxx
    Aussteller: CN=xxx, OU=xxx, O=xxx, L=xxx, ST=xxx, C=xxx
Seriennummer: ...
Gültig von: Fri Sep 09 10:40:55 CEST 2016 bis: Thu Dec 08 09:40:55 CET 2016
Zertifikat-Fingerprints:
         MD5:  ...
         SHA1: ...
         SHA256: ...
         Signaturalgorithmusname: SHA256withRSA
         Version: 3

Erweiterungen:

#1: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
]

]

If it is not clear: the certificates (cas) are the same.

So my impression was that the certificate is now in the keystore of the tomcat server and the truststore cacerts. But somehow I still get this exception when I entered my credentials on the CAS server and get redirected (full stacktrace below):

HTTP Status 500 - javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

These are my connectors in my tomcats server.xml:

<Connector port="8743" protocol="org.apache.coyote.http11.Http11Protocol" SSLEnabled="true"
               maxThreads="150" scheme="https" keystoreFile="${catalina.base}/conf/portal.keystore" keystorePass="changeit" 
               secure="true" connectionTimeout="240000" 
               clientAuth="false" sslProtocol="TLS" allowUnsafeLegacyRenegotiation="true" />

    <!-- Define an AJP 1.3 Connector on port 8009 -->
    <Connector port="8309" protocol="AJP/1.3" redirectPort="8743" />

What is the possible cause of my problem? All the other threads like the one mentioned in the beginning point out that the OP did not import the certificate to the cacerts file, but I did.

The full stacktrace:

09-Sep-2016 12:05:30.146 SEVERE [http-bio-8743-exec-4] org.apache.catalina.core.StandardWrapperValve.invoke Servlet.service() for servlet [default] in context with path [/cas-sample] threw exception
 java.lang.RuntimeException: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at org.jasig.cas.client.util.CommonUtils.getResponseFromServer(CommonUtils.java:443)
    at org.jasig.cas.client.validation.AbstractCasProtocolUrlBasedTicketValidator.retrieveResponseFromServer(AbstractCasProtocolUrlBasedTicketValidator.java:41)
    at org.jasig.cas.client.validation.AbstractUrlBasedTicketValidator.validate(AbstractUrlBasedTicketValidator.java:193)
    at org.jasig.cas.client.validation.AbstractTicketValidationFilter.doFilter(AbstractTicketValidationFilter.java:204)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:239)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:212)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:106)
    at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:502)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:141)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:79)
    at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:616)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:88)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:521)
    at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1096)
    at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:674)
    at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:279)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
    at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
    at java.lang.Thread.run(Thread.java:745)
Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
    at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1949)
    at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:302)
    at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:296)
    at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1509)
    at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:216)
    at sun.security.ssl.Handshaker.processLoop(Handshaker.java:979)
    at sun.security.ssl.Handshaker.process_record(Handshaker.java:914)
    at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1062)
    at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1375)
    at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1403)
    at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1387)
    at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:559)
    at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185)
    at sun.net.www.protocol.http.HttpURLConnection.getInputStream0(HttpURLConnection.java:1513)
    at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1441)
    at sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(HttpsURLConnectionImpl.java:254)
    at org.jasig.cas.client.util.CommonUtils.getResponseFromServer(CommonUtils.java:429)
    ... 20 more
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:387)
    at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:292)
    at sun.security.validator.Validator.validate(Validator.java:260)
    at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324)
    at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:229)
    at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:124)
    at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1491)
    ... 33 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141)
    at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126)
    at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280)
    at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:382)
    ... 39 more

Solution

My problem was quite unexpected. I had a Tomcat that had a modified setenv.bat that had options that pointed to another location of a keystore. I didn't know much about Tomcat and application servers in general so I couldn't figure that out earlier.
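The answer above points at the usual reason for "the cert is in cacerts but PKIX still fails": the JVM that does the TLS handshake is not reading the cacerts file you edited, because a startup option such as -Djavax.net.ssl.trustStore (in setenv.bat here) or a different java.home redirects it. The following diagnostic is an added example written for this page; it is not code from the question, the answer, Tomcat or the CAS client. It resolves the effective truststore the same way the default JSSE trust manager does (javax.net.ssl.trustStore, then jssecacerts, then cacerts under java.home), loads it, and asks an X509TrustManager built from it whether a given server certificate file (for example the cas.crt exported in step 2; DER and PEM both work) is trusted. Run it with exactly the JVM options Tomcat is started with so it sees the same truststore. The class name TrustStoreCheck and the command-line argument are assumptions of this example.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Collection;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

/*
 * Diagnostic for "PKIX path building failed" although the cert was imported.
 * Usage (example, not from the original page):
 *   java -Djavax.net.ssl.trustStore=... TrustStoreCheck cas.crt
 */
public class TrustStoreCheck {

    /** Resolve the truststore path the way the default JSSE trust manager does. */
    static Path resolveTrustStorePath() {
        String override = System.getProperty("javax.net.ssl.trustStore");
        if (override != null) {
            return Paths.get(override);   // an explicit -D option wins over cacerts
        }
        Path security = Paths.get(System.getProperty("java.home"), "lib", "security");
        Path jssecacerts = security.resolve("jssecacerts");
        return Files.exists(jssecacerts) ? jssecacerts : security.resolve("cacerts");
    }

    /** Load the truststore; a null password reads a JKS file without an integrity check. */
    static KeyStore loadTrustStore(Path path) throws Exception {
        String type = System.getProperty("javax.net.ssl.trustStoreType", KeyStore.getDefaultType());
        String password = System.getProperty("javax.net.ssl.trustStorePassword");
        KeyStore ks = KeyStore.getInstance(type);
        try (InputStream in = new FileInputStream(path.toFile())) {
            ks.load(in, password == null ? null : password.toCharArray());
        }
        return ks;
    }

    /** Read one or more X.509 certificates (DER or PEM) from a file into a chain. */
    static X509Certificate[] readChain(Path certFile) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        try (InputStream in = new FileInputStream(certFile.toFile())) {
            Collection<? extends Certificate> certs = cf.generateCertificates(in);
            return certs.toArray(new X509Certificate[0]);
        }
    }

    /** Returns null when the chain is trusted, otherwise the validator's error message. */
    static String validate(KeyStore trustStore, X509Certificate[] chain) throws Exception {
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                try {
                    // Same PKIX path building the TLS handshake performs (no hostname check here).
                    ((X509TrustManager) tm).checkServerTrusted(chain, "RSA");
                    return null;
                } catch (CertificateException e) {
                    return e.getMessage();
                }
            }
        }
        return "no X509TrustManager available";
    }

    public static void main(String[] args) throws Exception {
        Path trustStorePath = resolveTrustStorePath();
        System.out.println("java.home           : " + System.getProperty("java.home"));
        System.out.println("effective truststore: " + trustStorePath);
        KeyStore trustStore = loadTrustStore(trustStorePath);
        System.out.println("entries             : " + trustStore.size());

        X509Certificate[] chain = readChain(Paths.get(args[0]));
        System.out.println("leaf subject        : " + chain[0].getSubjectX500Principal());
        String error = validate(trustStore, chain);
        System.out.println(error == null ? "RESULT: chain trusted"
                                         : "RESULT: NOT trusted: " + error);
    }
}
```

If "effective truststore" prints a path other than the cacerts file you imported into, that is the cause, and the fix is either to import the certificate into that file or to remove the override. The check deliberately uses the truststore alone: it exercises PKIX path building, which is the step that fails in the stack trace, but not the hostname verification that an HttpsURLConnection performs on top of it.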
