SSLHandshakeException:PKIX 路径构建失败
[英]SSLHandshakeException: PKIX path building failed
问题描述
I've been trying to debug this error with no luck.
我一直在尝试调试这个错误,但没有运气。
Essentially I'm contacting an external app throught my app.本质上,我正在通过我的应用程序联系外部应用程序。 The connection is established fine, the app contacts back my app through a callback URL, then I need to send a final validation to the external app.连接建立良好,应用程序通过回调 URL 联系我的应用程序,然后我需要向外部应用程序发送最终验证。 This last step is failing because of an SSLHandShajeException.由于 SSLHandShajeException,这最后一步失败了。
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
I've had a look at the possible causes, and created a truststore with the external app cert in it following these steps:我查看了可能的原因,并按照以下步骤创建了一个包含外部应用程序证书的信任库:
- download the cert chain from the browser从浏览器下载证书链
- creating the truststore with创建信任库
keytool -import -v -trustcacerts -alias mycert -file x_my_cert_location_x -keystore truststore
- adding the above trustore in my setenv file在我的 setenv 文件中添加上述信任
- restart my tomcat instance.重新启动我的 tomcat 实例。
This has not resolved the problem.这并没有解决问题。
I also added to cert to the cacert file, and the same to the connector in the server.xml file as follows:我还在cacert文件中添加了cert,server.xml文件中的connector也是一样的,如下:
<Connector port="${catalina.port.https}" server="Apache" protocol="HTTP/1.1" SSLEnabled="true" scheme="https" secure="true" sslProtocol="TLS" clientAuth="false" connectionTimeout="20000" compression="on" compressionMinSize="200" compressableMimeType="text/html,text/xml,text/plain,text/css,text/javascript,application/javascript,application/json,application/xml" enableLookups="false" URIEncoding="UTF-8" keystoreFile="my_store_location" keystorePass="myPwd"/>
Debugging in the SSL, I can see:在 SSL 中调试,我可以看到:
> %% Invalidated: [Session-15, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256]
> http-nio-8080-exec-9, SEND TLSv1.2 ALERT: fatal, description =
> certificate_unknown http-nio-8080-exec-9, WRITE: TLSv1.2 Alert, length
> = 2 [Raw write]: length = 7 0000: 15 03 03 00 02 02 2E ....... http-nio-8080-exec-9, called closeSocket() http-nio-8080-exec-9,
> handling exception: javax.net.ssl.SSLHandshakeException:
> sun.security.validator.ValidatorException: PKIX path building failed:
> sun.security.provider.certpath.SunCertPathBuilderException: unable to
> find valid certification path to requested target
Which makes no real sense to me.这对我来说没有任何意义。 My app is on java 1.8.242.我的应用程序在 java 1.8.242 上。 Any advice on this please?请问对此有什么建议吗?
1 个解决方案
解决方案1
0 2021-02-04 15:38:07
The error suggests that you are missing the certificate of the site you are trying to reach.该错误表明您缺少尝试访问的站点的证书。 So..所以..
Start your java/tomcat with
-Djavax.net.debug=ALL.使用-Djavax.net.debug=ALL启动您的 java/tomcat。 In the logs you should see lines like these (I stripped out the timestamp etc.):在日志中,您应该看到这样的行(我去掉了时间戳等):trustStore is: {your-cacerts-file} trustStore type is: pkcs12 trustStore provider is: the last modified time is: Tue Feb 02 18:29:33 GMT 2021 Reload the trust store Reload trust Reloaded {x} trust certs adding as trusted certificates ( {then you get a big dump of all {x} certs.}That way you know for sure if your cacerts is really being read or not.
这样你就可以确定你的 cacerts 是否真的被阅读了。If your file is really being read by Tomcat then write your own small Java program that uses your cacerts file (use -Djavax.net.ssl.trustStore={path-to-my-file}) and the same debug parameter used above.
如果您的文件确实被 Tomcat 读取,那么编写您自己的小型 Java 程序,该程序使用您的 cacerts 文件(使用 -Djavax.net.ssl.trustStore={path-to-my-file})和上面使用的相同调试参数。 You should see it read in the certificate you added.您应该会在您添加的证书中看到它。 Then debug from there and maybe repost this smaller case.然后从那里调试,也许重新发布这个较小的案例。 That isn't the total answer but at least you will have isolated the problem to some degree.这不是完整的答案,但至少您会在某种程度上隔离问题。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.