
PKIX path building failed: SunCertPathBuilderException: unable to find valid certification path to requested target

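I am using WSO2 API Manager and a Keycloak server for the API gateway and user authentication. Both are running on OpenShift 3.11. In the browser, I get the following error when trying to redirect to the store page on WSO2 APIM. Also, I am using self-signed certificates generated with keytool for both servers, and each has also been imported into the JVM cacerts. The OpenJDK version is 1.8.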

ERROR - WebAppManager org.mozilla.javascript.WrappedException: Wrapped javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target (/store/jagg/jaggery_oidc_acs.jag#39)

I get a fatal "Rethrowing javax.net.ssl.SSLException: Received fatal alert: certificate_unknown" in the SSL logs. SSL trace:

WSO2 API Manager server logs
*** ClientHello, TLSv1.2
RandomCookie:  GMT: -779209738 bytes = { 34, 29, 203, 199, 214, 88, 147, 174, 199, 184, 79, 68, 86, 150, 221, 45, 65, 169, 84, 10, 255, 155, 151, 74, 102, 245, 103, 39 }
Session ID:  {42, 139, 29, 172, 52, 46, 203, 207, 29, 65, 141, 230, 125, 206, 41, 206, 87, 139, 101, 118, 40, 54, 120, 240, 148, 225, 222, 95, 130, 19, 238, 225}
Cipher Suites: [Unknown 0xa:0xa, Unknown 0x13:0x1, Unknown 0x13:0x2, Unknown 0x13:0x3, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, Unknown 0xcc:0xa9, Unknown 0xcc:0xa8, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_256_GCM_SHA384, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA]
Compression Methods:  { 0 }
Unsupported extension type_43690, data: 
Extension server_name, server_name: [type=host_name (0), value=wso2carbon-customwso2.10.100.90.136.nip.io]
Unsupported extension type_23, data: 
Extension renegotiation_info, renegotiated_connection: <empty>
Extension elliptic_curves, curve names: {unknown curve 10794, unknown curve 29, secp256r1, secp384r1}
Extension ec_point_formats, formats: [uncompressed]
Unsupported extension type_35, data: 
Unsupported extension type_16, data: 00:0c:02:68:32:08:68:74:74:70:2f:31:2e:31
Unsupported extension status_request, data: 01:00:00:00:00
Extension signature_algorithms, signature_algorithms: SHA256withECDSA, Unknown (hash:0x8, signature:0x4), SHA256withRSA, SHA384withECDSA, Unknown (hash:0x8, signature:0x5), SHA384withRSA, Unknown (hash:0x8, signature:0x6), SHA512withRSA, SHA1withRSA
Unsupported extension type_18, data: 
Unsupported extension type_51, data: 00:29:2a:2a:00:01:00:00:1d:00:20:99:11:79:8f:3e:ca:9d:37:55:00:cf:54:3b:23:10:b1:71:93:92:06:81:ee:0f:b8:53:6e:e2:bf:23:b2:35:4e
Unsupported extension type_45, data: 01:01
Unsupported extension type_43, data: 0a:4a:4a:03:04:03:03:03:02:03:01
Unsupported extension type_27, data: 02:00:02
Unsupported extension type_47802, data: 00
Unsupported extension type_21, data: 00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00
***
%% Initialized:  [Session-11, SSL_NULL_WITH_NULL_NULL]
%% Negotiating:  [Session-11, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256]
*** ServerHello, TLSv1.2
RandomCookie:  GMT: 1558345095 bytes = { 0, 101, 202, 146, 210, 87, 107, 127, 247, 125, 156, 64, 134, 222, 141, 197, 11, 134, 90, 77, 183, 201, 188, 129, 108, 229, 69, 60 }
Session ID:  {93, 226, 118, 135, 111, 45, 217, 124, 93, 2, 72, 71, 38, 116, 139, 207, 16, 91, 42, 171, 119, 141, 227, 122, 189, 253, 147, 133, 229, 78, 153, 32}
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
Compression Method: 0
Extension renegotiation_info, renegotiated_connection: <empty>
***
Cipher suite:  TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
*** Certificate chain
chain [0] = [
[
  Version: V3
  Subject: CN=wso2carbon-customwso2.10.100.90.136.nip.io, OU=Support, O=WSO2, L=Colombo, ST=Western, C=LK
  Signature Algorithm: SHA256withRSA, OID = 1.2.840.113549.1.1.11
  Key:  Sun RSA public key, 2048 bits
  modulus: 24093749320119526217646893112163833209990474156688526832095621197039887367241482686643283752190553598539694041780318444455437473717327292475492934518259361370685860893170612648201871219684080088211608067291176086279564665228754086702863628019875085423939062501065434105176143021495735869756161068709421567662413327234744251786230141003775511653021592979156235418584147136970244449197736325946516688826096049982279922898011020940527605742056019219863317365450049812143562126732358220198845931195726312193213776283582315871213628750612092393628809426922961515763709022778700015014889582902887232786822789004520865673971
  public exponent: 65537
  Validity: [From: Fri Nov 29 07:02:23 UTC 2019,
               To: Mon Nov 26 07:02:23 UTC 2029]
  Issuer: CN=wso2carbon-customwso2.10.100.90.136.nip.io, OU=Support, O=WSO2, L=Colombo, ST=Western, C=LK
  SerialNumber: [    24b1e8e1]
Certificate Extensions: 1
[1]: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: D0 AC 4E 4A 58 57 29 25   C2 C4 0B 1A AD 3E 66 2E  ..NJXW)%.....>f.
0010: C1 8A EC 66                                        ...f
]
]
]
  Algorithm: [SHA256withRSA]
  Signature:
]
***
*** ECDH ServerKeyExchange
Signature Algorithm SHA256withRSA
Server key: Sun EC public key, 256 bits
  public x coord: 30783140126565731034039954914815296826962617090801880033831456830219573014758
  public y coord: 112055812426524440654969792257542967866103028528061549518876777480127240144881
  parameters: secp256r1 [NIST P-256, X9.62 prime256v1] (1.2.840.10045.3.1.7)
*** ServerHelloDone
http-nio-9443-exec-17, WRITE: TLSv1.2 Handshake, length = 1375
http-nio-9443-exec-19, READ: TLSv1.2 Alert, length = 2
http-nio-9443-exec-19, RECV TLSv1.2 ALERT:  fatal, certificate_unknown
http-nio-9443-exec-19, fatal: engine already closed.  Rethrowing javax.net.ssl.SSLException: Received fatal alert: certificate_unknown
http-nio-9443-exec-19, fatal: engine already closed.  Rethrowing javax.net.ssl.SSLException: Received fatal alert: certificate_unknown
http-nio-9443-exec-19, called closeOutbound()
http-nio-9443-exec-19, closeOutboundInternal()
http-nio-9443-exec-19, SEND TLSv1.2 ALERT:  warning, description = close_notify
http-nio-9443-exec-19, WRITE: TLSv1.2 Alert, length = 2
Using SSLEngineImpl.
Ignoring unavailable cipher suite: TLS_DHE_DSS_WITH_AES_256_GCM_SHA384
Ignoring unavailable cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA

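Are you sure you imported the correct certificate? It looks like either you imported the wrong certificate, or you are not using the cacerts you think you are.

Please check both.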


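Statement: The technical posts on this site are published under the CC BY-SA 4.0 license. If you need to reproduce them, please cite this site's URL or the original address. For any questions, contact: yoyou2525@163.com.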

 