
PKIX path building failed, but the certificate is in cacerts

I have the problem that is also described here. The thing is that I created a certificate and added it to the keystore of Tomcat, and then I copied it to the cacerts truststore. However, somehow I still get this error.

What I have done:

1) keytool -genkey -alias cas -keyalg RSA -keystore cas.keystore -storepass changeit

2) keytool -exportcert -alias cas -file cas.crt -keystore cas.keystore

Step 2) because I wanted to put the certificate in my Tomcat keystore and in cacerts.

3) keytool -import -alias cas -file cas.crt -keystore "C:\\Program Files\\Java\\jdk1.8.0_77\\jre\\lib\\security\\cacerts"

4) keytool -import -alias cas -file "C:\\Program Files\\Java\\jdk1.8.0_7\\jre\\bin\\cas.crt" -keystore "D:\\portal\\apache-tomcat-8.0.3\\conf\\portal.keystore"

So now, with steps 3 and 4, I added the certificate to my Tomcat keystore and to the truststore cacerts.

Now I can list my truststore and keystore.

With this command...

keytool -list -v -keystore "C:\\Program Files\\Java\\jdk1.8.0_77\\jre\\lib\\security\\cacerts" -alias cas

... I get this:

Keystore-Kennwort eingeben:
Aliasname: cas
Erstellungsdatum: 09.09.2016
Eintragstyp: trustedCertEntry

Eigentümer: CN=xxx, OU=xxx, O=xxx, L=xxx, ST=xxx, C=xxx
Aussteller: CN=xxx, OU=xxx, O=xxx, L=xxx, ST=xxx, C=xxx
Seriennummer: xxx
Gültig von: Fri Sep 09 10:40:55 CEST 2016 bis: Thu Dec 08 09:40:55 CET 2016
Zertifikat-Fingerprints:
         MD5:  ....
         SHA1: ....
         SHA256: ....
         Signaturalgorithmusname: SHA256withRSA
         Version: 3

Erweiterungen:

#1: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [...
]
]

And with this:

keytool -list -v -keystore "D:\\portal\\apache-tomcat-8.0.30\\conf\\portal.keystore" -alias cas

I get this:

Keystore-Kennwort eingeben:

Keystore-Typ: JKS
Keystore-Provider: SUN

Keystore enthält 1 Eintrag

Aliasname: cas
Erstellungsdatum: 09.09.2016
Eintragstyp: trustedCertEntry

    Eigentümer: CN=xxx, OU=xxx, O=xxx, L=xxx, ST=xxx, C=xxx
    Aussteller: CN=xxx, OU=xxx, O=xxx, L=xxx, ST=xxx, C=xxx
Seriennummer: ...
Gültig von: Fri Sep 09 10:40:55 CEST 2016 bis: Thu Dec 08 09:40:55 CET 2016
Zertifikat-Fingerprints:
         MD5:  ...
         SHA1: ...
         SHA256: ...
         Signaturalgorithmusname: SHA256withRSA
         Version: 3

Erweiterungen:

#1: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
]

]

If it is not clear: the certificates (cas) are the same.

So my impression was that the certificate is now in the keystore of the Tomcat server and in the truststore cacerts. But somehow I still get this exception when I enter my credentials on the CAS server and get redirected (full stacktrace below):

HTTP Status 500 - javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

These are the connectors in my Tomcat's server.xml:

<Connector port="8743" protocol="org.apache.coyote.http11.Http11Protocol" SSLEnabled="true"
           maxThreads="150" scheme="https" keystoreFile="${catalina.base}/conf/portal.keystore" keystorePass="changeit"
           secure="true" connectionTimeout="240000"
           clientAuth="false" sslProtocol="TLS" allowUnsafeLegacyRenegotiation="true" />

<!-- Define an AJP 1.3 Connector on port 8009 -->
<Connector port="8309" protocol="AJP/1.3" redirectPort="8743" />

What is the possible cause of my problem? All the other threads, like the one mentioned in the beginning, point out that the OP did not import the certificate into the cacerts file, but I did.

The full stacktrace:

09-Sep-2016 12:05:30.146 SEVERE [http-bio-8743-exec-4] org.apache.catalina.core.StandardWrapperValve.invoke Servlet.service() for servlet [default] in context with path [/cas-sample] threw exception
 java.lang.RuntimeException: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at org.jasig.cas.client.util.CommonUtils.getResponseFromServer(CommonUtils.java:443)
    at org.jasig.cas.client.validation.AbstractCasProtocolUrlBasedTicketValidator.retrieveResponseFromServer(AbstractCasProtocolUrlBasedTicketValidator.java:41)
    at org.jasig.cas.client.validation.AbstractUrlBasedTicketValidator.validate(AbstractUrlBasedTicketValidator.java:193)
    at org.jasig.cas.client.validation.AbstractTicketValidationFilter.doFilter(AbstractTicketValidationFilter.java:204)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:239)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:212)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:106)
    at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:502)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:141)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:79)
    at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:616)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:88)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:521)
    at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1096)
    at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:674)
    at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:279)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
    at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
    at java.lang.Thread.run(Thread.java:745)
Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
    at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1949)
    at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:302)
    at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:296)
    at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1509)
    at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:216)
    at sun.security.ssl.Handshaker.processLoop(Handshaker.java:979)
    at sun.security.ssl.Handshaker.process_record(Handshaker.java:914)
    at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1062)
    at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1375)
    at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1403)
    at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1387)
    at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:559)
    at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185)
    at sun.net.www.protocol.http.HttpURLConnection.getInputStream0(HttpURLConnection.java:1513)
    at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1441)
    at sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(HttpsURLConnectionImpl.java:254)
    at org.jasig.cas.client.util.CommonUtils.getResponseFromServer(CommonUtils.java:429)
    ... 20 more
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:387)
    at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:292)
    at sun.security.validator.Validator.validate(Validator.java:260)
    at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324)
    at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:229)
    at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:124)
    at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1491)
    ... 33 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141)
    at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126)
    at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280)
    at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:382)
    ... 39 more

My problem was quite unexpected. I had a Tomcat that had a modified setenv.bat with options that pointed to another location of a keystore. I didn't know much about Tomcat and application servers in general, so I couldn't figure that out earlier.

Your Connector element defines a keystore. That's the place where private keys and their certificates will be looked for.

Your exception concerns a truststore, which is the place where trusted CA certs are or are not found.

You need to define the truststore used by Tomcat somehow, either via configuration or via the javax.net.ssl.trustStore system property.

You can navigate to the tomcat/bin directory. Modify catalina.sh (or catalina.bat, depending on your OS).

Add the below properties to JAVA_OPTS.

JAVA_OPTS="$JAVA_OPTS -Djavax.net.ssl.trustStore=$CATALINA_HOME/certificates/truststore.ks -Djavax.net.ssl.trustStorePassword=truststorePassword -server"
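The two answers above make the same point from different angles: the Connector's keystoreFile is where Tomcat finds its own private key, while the CAS client inside the webapp validates the server it calls against the trust store named by javax.net.ssl.trustStore (or the JRE's cacerts when that property is unset). The Java program below is an added diagnostic example; it is not part of the original question or any of the answers. It applies that precedence to find the trust store the running JVM would use, loads it, and asks the default X509TrustManager whether a server certificate read from a PEM file (for instance the exported cas.crt) would pass PKIX validation. The class and method names are my own; run it with the same JAVA_OPTS that Tomcat receives from setenv.bat or catalina.sh to see whether the cacerts you edited is the one being consulted.

```java
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

/**
 * Added diagnostic example (not from the original question or answers).
 * Resolves the trust store the running JVM will actually consult, loads it,
 * and checks whether a given server certificate would be accepted.
 *
 * Usage: java TrustStoreCheck <server-cert.crt>
 */
public class TrustStoreCheck {

    /**
     * Path of the trust store, following the JSSE default precedence:
     * javax.net.ssl.trustStore if set, else jssecacerts, else cacerts.
     */
    static Path resolveTrustStore() {
        String prop = System.getProperty("javax.net.ssl.trustStore");
        if (prop != null) {
            return Paths.get(prop);
        }
        Path security = Paths.get(System.getProperty("java.home"), "lib", "security");
        Path jssecacerts = security.resolve("jssecacerts");
        // JSSE prefers jssecacerts over cacerts when both exist
        return Files.exists(jssecacerts) ? jssecacerts : security.resolve("cacerts");
    }

    /** Loads the store; a null password skips the integrity check, which is enough for reading trusted certs. */
    static KeyStore loadTrustStore(Path path) throws Exception {
        String pw = System.getProperty("javax.net.ssl.trustStorePassword");
        char[] password = pw == null ? null : pw.toCharArray();
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = Files.newInputStream(path)) {
            ks.load(in, password);
        }
        return ks;
    }

    /** Reads a single PEM or DER encoded X.509 certificate, as produced by keytool -exportcert. */
    static X509Certificate readCertificate(Path file) throws Exception {
        try (InputStream in = Files.newInputStream(file)) {
            return (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
        }
    }

    /**
     * Asks the default (PKIX) trust manager whether a path from the server
     * certificate to an anchor in the trust store can be built. This is the
     * same check that produced "PKIX path building failed" in the stack trace.
     */
    static boolean isTrusted(KeyStore trustStore, X509Certificate serverCert) throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                try {
                    ((X509TrustManager) tm).checkServerTrusted(new X509Certificate[] { serverCert }, "RSA");
                    return true;
                } catch (CertificateException e) {
                    System.out.println("rejected: " + e.getMessage());
                    return false;
                }
            }
        }
        throw new IllegalStateException("no X509TrustManager available");
    }

    public static void main(String[] args) throws Exception {
        Path trustStore = resolveTrustStore();
        System.out.println("trust store in use: " + trustStore);
        KeyStore ks = loadTrustStore(trustStore);
        System.out.println("entries: " + ks.size());

        X509Certificate cert = readCertificate(Paths.get(args[0]));
        System.out.println("subject: " + cert.getSubjectX500Principal());
        System.out.println(isTrusted(ks, cert)
                ? "TRUSTED by this store"
                : "NOT TRUSTED: the PKIX path building in the question would fail against this store");
    }
}
```

The first line of output is the one to compare against the path you imported into: if setenv.bat or catalina.sh points javax.net.ssl.trustStore somewhere else, that file (not the JDK's cacerts) is where the cas alias has to be.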

I just recently had to fight through some truststore/keystore issues myself. A tool I found very helpful for easily viewing/modifying truststores and keystores is KeyStore Explorer.
