JDK8 -> JDK10: PKIX path building failed: SunCertPathBuilderException: unable to find valid certification path to requested target

Problem

  • I have a SpringBoot application using an app called LaunchDarkly, which makes use of okhttp
  • I'm migrating from JRE 8 to JRE 10; calls to other resources work, but calls made using okhttp fail

EDIT: This could happen with any app that has a certificate chain similar to the one used by our app.

javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

Exception

The error occurs in this thread...

config-server_1  | 2018-11-10T21:25:19,147 67327 | DEBUG | okhttp-eventsource-[] ["okhttp-eventsource-stream-[]-0" {}] Connection problem.
config-server_1  | javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
config-server_1  |  at sun.security.ssl.Alerts.getSSLException(Alerts.java:198) ~[?:?]
config-server_1  |  at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1974) ~[?:?]
config-server_1  |  at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:345) ~[?:?]
config-server_1  |  at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:339) ~[?:?]
config-server_1  |  at sun.security.ssl.ClientHandshaker.checkServerCerts(ClientHandshaker.java:1968) ~[?:?]
config-server_1  |  at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1777) ~[?:?]
config-server_1  |  at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:264) ~[?:?]
config-server_1  |  at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1098) ~[?:?]
config-server_1  |  at sun.security.ssl.Handshaker.processRecord(Handshaker.java:1026) ~[?:?]
config-server_1  |  at sun.security.ssl.SSLSocketImpl.processInputRecord(SSLSocketImpl.java:1137) ~[?:?]
config-server_1  |  at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1074) ~[?:?]
config-server_1  |  at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:973) ~[?:?]
config-server_1  |  at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1402) ~[?:?]
config-server_1  |  at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1429) ~[?:?]
config-server_1  |  at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1413) ~[?:?]
config-server_1  |  at com.launchdarkly.shaded.okhttp3.internal.connection.RealConnection.connectTls(RealConnection.java:281) ~[launchdarkly-client-2.3.2.jar!/:2.3.2]
config-server_1  |  at com.launchdarkly.shaded.okhttp3.internal.connection.RealConnection.establishProtocol(RealConnection.java:251) ~[launchdarkly-client-2.3.2.jar!/:2.3.2]
config-server_1  |  at com.launchdarkly.shaded.okhttp3.internal.connection.RealConnection.connect(RealConnection.java:151) ~[launchdarkly-client-2.3.2.jar!/:2.3.2]
config-server_1  |  at com.launchdarkly.shaded.okhttp3.internal.connection.StreamAllocation.findConnection(StreamAllocation.java:195) ~[launchdarkly-client-2.3.2.jar!/:2.3.2]
config-server_1  |  at com.launchdarkly.shaded.okhttp3.internal.connection.StreamAllocation.findHealthyConnection(StreamAllocation.java:121) ~[launchdarkly-client-2.3.2.jar!/:2.3.2]

Setup

Java 10 version details

Installed using the method above

root@e0776fd790e7:/runtime# ls -la /etc/ssl/certs/java/cacerts
-rw-r--r-- 1 root root 177280 Oct 29 16:29 /etc/ssl/certs/java/cacerts
root@e0776fd790e7:/runtime# java -version
openjdk version "10" 2018-03-20
OpenJDK Runtime Environment 18.3 (build 10+46)
OpenJDK 64-Bit Server VM 18.3 (build 10+46, mixed mode)

Keystore is set

The Java 10 keystore can see it

root@17000659d1ec:/runtime# keytool -cacerts -list
Enter keystore password:
Keystore type: JKS
Keystore provider: SUN

Your keystore contains 80 entries

This is as described at https://dzone.com/articles/openjdk-10-now-includes-root-ca-certificates

Attempts

EDIT: See my answer

Solution when migrating from JDK 8 to JDK 10

JDK 10

root@c339504909345:/opt/jdk-minimal/jre/lib/security #  keytool -cacerts -list
Enter keystore password:
Keystore type: JKS
Keystore provider: SUN

Your keystore contains 80 entries

JDK 8

root@c39596768075:/usr/lib/jvm/java-8-openjdk-amd64/jre/lib/security/cacerts #  keytool -cacerts -list
Enter keystore password:
Keystore type: JKS
Keystore provider: SUN

Your keystore contains 151 entries

Steps to fix

I haven't checked which certificate chain is not being trusted, but the server's URL certs are valid... The cacerts from JDK 10 has a chain that's broken as of today. I can assert that because the download from https://download.java.net/java/GA/jdk10/10/binaries/openjdk-10_linux-x64_bin.tar.gz is being installed in a brand new Docker image.

  • I deleted the JDK 10 cert and replaced it with the JDK 8 one
  • Since I'm building Docker images, I could quickly do that using multi-stage builds
    • I'm building a minimal JRE using jlink as /opt/jdk/bin/jlink \\ --module-path /opt/jdk/jmods...

So, here are the different paths and the sequence of the commands...

# Java 8
COPY --from=marcellodesales-springboot-builder-jdk8 /usr/lib/jvm/java-8-openjdk-amd64/jre/lib/security/cacerts /etc/ssl/certs/java/cacerts

# Java 10
RUN rm -f /opt/jdk-minimal/jre/lib/security/cacerts
RUN ln -s /etc/ssl/certs/java/cacerts /opt/jdk-minimal/jre/lib/security/cacerts
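
The answer leaves open which root CA the JDK 10 cacerts (80 entries) lacks compared with the JDK 8 one (151 entries). The following is an added example, not part of the original answer: it diffs two truststores by SHA-256 fingerprint. The class name `CacertsDiff` is hypothetical, and it assumes both cacerts files are readable from the same machine and use the stock `changeit` password.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.X509Certificate;
import java.util.Collections;
import java.util.Map;
import java.util.TreeMap;

// Added example (hypothetical class name): lists CA certificates that are
// present in one truststore but absent from another.
public class CacertsDiff {

    // Returns SHA-256 fingerprint -> subject DN for every X.509 entry in the store.
    static Map<String, String> fingerprints(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        MessageDigest sha256 = MessageDigest.getInstance("SHA-256");
        Map<String, String> out = new TreeMap<>();
        for (String alias : Collections.list(ks.aliases())) {
            if (!(ks.getCertificate(alias) instanceof X509Certificate)) continue;
            X509Certificate cert = (X509Certificate) ks.getCertificate(alias);
            StringBuilder hex = new StringBuilder();
            for (byte b : sha256.digest(cert.getEncoded())) hex.append(String.format("%02x", b));
            out.put(hex.toString(), cert.getSubjectX500Principal().getName());
        }
        return out;
    }

    public static void main(String[] args) throws Exception {
        // Defaults are the two paths shown in the answer; "changeit" is assumed as the password.
        String jdk8 = args.length > 0 ? args[0] : "/usr/lib/jvm/java-8-openjdk-amd64/jre/lib/security/cacerts";
        String jdk10 = args.length > 1 ? args[1] : "/opt/jdk-minimal/jre/lib/security/cacerts";
        char[] password = (args.length > 2 ? args[2] : "changeit").toCharArray();

        Map<String, String> onlyInJdk8 = fingerprints(jdk8, password);
        Map<String, String> inJdk10 = fingerprints(jdk10, password);
        onlyInJdk8.keySet().removeAll(inJdk10.keySet());

        System.out.println(onlyInJdk8.size() + " CA certificates in " + jdk8 + " are missing from " + jdk10);
        onlyInJdk8.forEach((fp, subject) -> System.out.println(fp + "  " + subject));
    }
}
```

Comparing the printed subjects with the issuer at the top of the failing server's chain identifies the single root to import with keytool, which keeps the JDK 10 trust set narrower than copying all 151 JDK 8 entries.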
