stackoom
  简体   繁体   中英

Certificate cannot be resolved by PKIXValidator

 原文  2021-09-25 00:00:31       java/ ssl/ connection/ certificate

Question

I am facing an issue where a TLS certificate (wildcard cert) is not resolved to a valid root cert in Java. Browsers (Firefox, Chrome) resolve it to be valid but not Java driven programs. We use a wildcart cert in our case.

certpath: Constraints: ...
...

...

javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:131)
    at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:349)
    at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:292)
    at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:287)
    at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.checkServerCerts(CertificateMessage.java:654)
    at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.onCertificate(CertificateMessage.java:473)
    at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.consume(CertificateMessage.java:369)
    at java.base/sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:392)
    at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:443)
    at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:421)
    at java.base/sun.security.ssl.TransportContext.dispatch(TransportContext.java:182)
    at java.base/sun.security.ssl.SSLTransport.decode(SSLTransport.java:172)
    at java.base/sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1426)
    at java.base/sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1336)
    at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:450)
    at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:421)
    at org.apache.http.conn.ssl.SSLConnectionSocketFactory.createLayeredSocket(SSLConnectionSocketFactory.java:436)
    at org.apache.http.conn.ssl.SSLConnectionSocketFactory.connectSocket(SSLConnectionSocketFactory.java:384)
    at org.apache.http.impl.conn.DefaultHttpClientConnectionOperator.connect(DefaultHttpClientConnectionOperator.java:142)
    at org.apache.http.impl.conn.PoolingHttpClientConnectionManager.connect(PoolingHttpClientConnectionManager.java:374)
    at org.apache.http.impl.execchain.MainClientExec.establishRoute(MainClientExec.java:393)
    at org.apache.http.impl.execchain.MainClientExec.execute(MainClientExec.java:236)
    at org.apache.http.impl.execchain.ProtocolExec.execute(ProtocolExec.java:186)
    at org.apache.http.impl.execchain.RetryExec.execute(RetryExec.java:89)
    at org.apache.http.impl.execchain.RedirectExec.execute(RedirectExec.java:110)
    at org.apache.http.impl.client.InternalHttpClient.doExecute(InternalHttpClient.java:185)
    at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:83)
    at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:108)
    at org.llorllale.youtrack.api.DefaultProjects.get(DefaultProjects.java:80)
    at com.company.youtrack.Main.main(Main.java:121)
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at java.base/sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:439)
    at java.base/sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:306)
    at java.base/sun.security.validator.Validator.validate(Validator.java:264)
    at java.base/sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:313)
    at java.base/sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:222)
    at java.base/sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:129)
    at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.checkServerCerts(CertificateMessage.java:638)
    ... 25 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at java.base/sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141)
    at java.base/sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126)
    at java.base/java.security.cert.CertPathBuilder.build(CertPathBuilder.java:297)
    at java.base/sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:434)
    ... 31 more

EDIT I am running a YouTrack server inside our company.network, not accessible from the inte.net. I configured the immediate certificate chain including the root certificate. But sadly the root certificate itself is not returned (tested it with openssl s_client).

I also like to mention that the server certificate is a wildcard certificate. I do not really know if that could lead to problems during verification...

EDIT

I know it is not best practice to return the self-signed root. Although I found comments throughout my research by people that state that sometimes it is necessary. I don't really know why it is necesssary to be sure... I analyzed code in PKIXValidator and it seemed to me that the validator is resolving the chain until it receives a cert whereby the issuer is equal to the subject. My problem is (as I analyzed with openssl s_client) that the server only returns the server cert and the 1st intermediate cert. But there's a 2nd intermediate cert and a root in addition. I filed a bug at youtrack. See https://youtrack.jetbrains.com/issue/JT-66316 . There are comments which I did not made publicly available because of internals. When I resolved the issue, I will report the solution here. In the meanwhile I like to leave the issue open here.

1 answers

solution1
 0 ACCPTED  2021-09-26 05:06:01

Browsers use certificate AIA information while Java/Linux do not (by default). Your server in question may be configured to provide the certificate but not the certificates up to a trust anchor recognized by your Java application. openssl (s_client) or https://certcheckerapp.com/ can help you see what the server is actually returning.

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question Using PKIXValidator with BouncyCastleFipsProvider for server certificate validation? Cannot be resolved / Cannot be resolved to a type ApplicationPropertiesAccess cannot be resolved to a type Crypt cannot be resolved Rest Cannot be resolved to a type Cannot be resolved or it's not a field 'variable' cannot be resolved to a variable “Cannot be resolved to a type” .length cannot be resolved or is not a field Cannot be resolved to a type?
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM