调用https接口时报错:sun.security.validator.ValidatorException

最新推荐文章于 2025-06-13 14:58:29 发布
最新推荐文章于 2025-06-13 14:58:29 发布
阅读量1.9w 收藏 31
点赞数 7
CC 4.0 BY-SA版权
分类专栏: Java 文章标签: java 证书 https
版权声明:本文为博主原创文章,遵循 CC 4.0 BY-SA 版权协议,转载请附上原文出处链接和本声明。
本文链接:https://blog.youkuaiyun.com/qq_25646191/article/details/87345631
本文介绍了解决HTTPS接口调用时出现的PKIX路径构建失败错误的方法。通过编写并运行一个Java程序,可以获取并导入所需的证书,从而避免安全验证失败。文章详细解释了程序的工作原理及如何执行。

摘要生成于 C知道 ,由 DeepSeek-R1 满血版支持, 前往体验 >

1、现象

调用https接口报如下错误:

sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

2、原因

     这是缺少安全证书时出现的异常,解决方案就是将你要访问的 请求地址 的安全认证证书导入到客户端即可。

3、解决方式

(1)写一个程序专门获取安全证书,参考InstallCert.java:

/*
 * Copyright 2006 Sun Microsystems, Inc.  All Rights Reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 *
 *   - Redistributions of source code must retain the above copyright
 *     notice, this list of conditions and the following disclaimer.
 *
 *   - Redistributions in binary form must reproduce the above copyright
 *     notice, this list of conditions and the following disclaimer in the
 *     documentation and/or other materials provided with the distribution.
 *
 *   - Neither the name of Sun Microsystems nor the names of its
 *     contributors may be used to endorse or promote products derived
 *     from this software without specific prior written permission.
 *
 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS
 * IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
 * THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
 * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR
 * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
 * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
 * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
 * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
 * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
 * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
 * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 */

import java.io.*;
import java.net.URL;

import java.security.*;
import java.security.cert.*;

import javax.net.ssl.*;

public class InstallCert {

    public static void main(String[] args) throws Exception {
	String host;
	int port;
	char[] passphrase;
	if ((args.length == 1) || (args.length == 2)) {
	    String[] c = args[0].split(":");
	    host = c[0];
	    port = (c.length == 1) ? 443 : Integer.parseInt(c[1]);
	    String p = (args.length == 1) ? "changeit" : args[1];
	    passphrase = p.toCharArray();
	} else {
	    System.out.println("Usage: java InstallCert <host>[:port] [passphrase]");
	    return;
	}

	File file = new File("jssecacerts");
	if (file.isFile() == false) {
	    char SEP = File.separatorChar;
	    File dir = new File(System.getProperty("java.home") + SEP
		    + "lib" + SEP + "security");
	    file = new File(dir, "jssecacerts");
	    if (file.isFile() == false) {
		file = new File(dir, "cacerts");
	    }
	}
	System.out.println("Loading KeyStore " + file + "...");
	InputStream in = new FileInputStream(file);
	KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
	ks.load(in, passphrase);
	in.close();

	SSLContext context = SSLContext.getInstance("TLS");
	TrustManagerFactory tmf =
	    TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
	tmf.init(ks);
	X509TrustManager defaultTrustManager = (X509TrustManager)tmf.getTrustManagers()[0];
	SavingTrustManager tm = new SavingTrustManager(defaultTrustManager);
	context.init(null, new TrustManager[] {tm}, null);
	SSLSocketFactory factory = context.getSocketFactory();

	System.out.println("Opening connection to " + host + ":" + port + "...");
	SSLSocket socket = (SSLSocket)factory.createSocket(host, port);
	socket.setSoTimeout(10000);
	try {
	    System.out.println("Starting SSL handshake...");
	    socket.startHandshake();
	    socket.close();
	    System.out.println();
	    System.out.println("No errors, certificate is already trusted");
	} catch (SSLException e) {
	    System.out.println();
	    e.printStackTrace(System.out);
	}

	X509Certificate[] chain = tm.chain;
	if (chain == null) {
	    System.out.println("Could not obtain server certificate chain");
	    return;
	}

	BufferedReader reader =
		new BufferedReader(new InputStreamReader(System.in));

	System.out.println();
	System.out.println("Server sent " + chain.length + " certificate(s):");
	System.out.println();
	MessageDigest sha1 = MessageDigest.getInstance("SHA1");
	MessageDigest md5 = MessageDigest.getInstance("MD5");
	for (int i = 0; i < chain.length; i++) {
	    X509Certificate cert = chain[i];
	    System.out.println
	    	(" " + (i + 1) + " Subject " + cert.getSubjectDN());
	    System.out.println("   Issuer  " + cert.getIssuerDN());
	    sha1.update(cert.getEncoded());
	    System.out.println("   sha1    " + toHexString(sha1.digest()));
	    md5.update(cert.getEncoded());
	    System.out.println("   md5     " + toHexString(md5.digest()));
	    System.out.println();
	}

	System.out.println("Enter certificate to add to trusted keystore or 'q' to quit: [1]");
	String line = reader.readLine().trim();
	int k;
	try {
	    k = (line.length() == 0) ? 0 : Integer.parseInt(line) - 1;
	} catch (NumberFormatException e) {
	    System.out.println("KeyStore not changed");
	    return;
	}

	X509Certificate cert = chain[k];
	String alias = host + "-" + (k + 1);
	ks.setCertificateEntry(alias, cert);

	OutputStream out = new FileOutputStream("jssecacerts");
	ks.store(out, passphrase);
	out.close();

	System.out.println();
	System.out.println(cert);
	System.out.println();
	System.out.println
		("Added certificate to keystore 'jssecacerts' using alias '"
		+ alias + "'");
    }

    private static final char[] HEXDIGITS = "0123456789abcdef".toCharArray();

    private static String toHexString(byte[] bytes) {
	StringBuilder sb = new StringBuilder(bytes.length * 3);
	for (int b : bytes) {
	    b &= 0xff;
	    sb.append(HEXDIGITS[b >> 4]);
	    sb.append(HEXDIGITS[b & 15]);
	    sb.append(' ');
	}
	return sb.toString();
    }

    private static class SavingTrustManager implements X509TrustManager {

	private final X509TrustManager tm;
	private X509Certificate[] chain;

	SavingTrustManager(X509TrustManager tm) {
	    this.tm = tm;
	}

	public X509Certificate[] getAcceptedIssuers() {
	    throw new UnsupportedOperationException();
	}

	public void checkClientTrusted(X509Certificate[] chain, String authType)
		throws CertificateException {
	    throw new UnsupportedOperationException();
	}

	public void checkServerTrusted(X509Certificate[] chain, String authType)
		throws CertificateException {
	    this.chain = chain;
	    tm.checkServerTrusted(chain, authType);
	}
    }

}

(2)编译:javac InstallCert.java

(3)执行:java  InstallCert  你的https域名,比如:java  InstallCert  123.com

        输入1,然后直接回车,会在相应的目录下产生一个名为‘jssecacerts’的证书。

(4)将证书copy到$JAVA_HOME/jre/lib/security目录下,或者通过以下方式

         System.setProperty("javax.net.ssl.trustStore", "C:\\Keystore\\jssecacerts");

    注意:要重新启动你的应用服务器,因是静态加载,证书才能被运用上。

 

Caused by:javax.net.ssl.SSLHandshakeException:sun.security.validator.ValidatorException: https接口证书异常
频繁输入,积极输出
02-28 2506
通过将目标接口证书导入到 JDK 的信任库中,可以有效解决。
sun.security.validator.ValidatorException
lqzxpp的博客
02-28 671
Java在访问不受信任的https网站,会报错:PKIX path building failed:sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target, 这是因为JVM 默认信任证书中不包含目标网站的SSL证书,导致无法建立有效的信任链。执行 keytool 命令后,会提示是否信任此证书,输入“是” ,回车确认。
报错解决】Java 连接https报错javax.net.ssl.SSLHandshakeException」怎么破?看这篇!
最新发布
cuiwin的专栏
06-13 3003
Java 应用程序连接 HTTPS 服务出现如下报错javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
如何解决HTTPS请求报错sun.security.validator.ValidatorException: PKIX path building failed
qq_43657722的博客
03-26 3万+
Java中进行网络请求出现"sun.security.validator.ValidatorException: PKIX path building failed"错误通常是由于SSL证书验证失败引起的。本文章提供了4中解决方案,有图、有代码、有验证。亲测可用。打包踩坑也有解决方案,非常详细。
sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath
振华OPPO的博客世界
11-30 2万+
由于JVM默认信任证书不包含该目标网站的SSL证书,导致无法建立有效的信任链接。所以我们将原先的google()和jcenter()仓库替换为国内的仓库。然后重新Sync项目,成功开始下载依赖。
sun.security.validator.ValidatorException: PKIX path building failed
qq_25983579的博客
09-15 807
sun.security.validator.ValidatorException: PKIX path building failed
java请求接口报错:sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provi
zhishidi的博客
01-20 710
一个下载文件的服务在A机器上可以正常下载,但是子啊B机器上下载保存,提示如下:下载处理异常:请求接口异常:sun.security.validator.ValidatorException:通过报错信息,大概报错的含义是,发送请求证书检查失败(过期)等错误,解决办法是,在发送请求前,添加一个信任所有证书的请求对象(SSLContentext)
https服务器证书异常javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX
a10066的博客
11-12 3165
这个错误信息通常是由于 Java 客户端在建立 SSL 连接无法验证服务器的 SSL 证书,导致握手失败。具体来说,它是因为找不到有效的证书链路径。
jsoup爬虫报错javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException
qq_27346503的博客
03-15 1764
在使用jsoup爬取某个https开头的网站(使用了ssl证书的网站),结果出现以下错误: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBu...
报错javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException
迪迪调调的博客
04-13 1万+
下载https的图片报错javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException
sun.security.validator.validatorexception: no trusted certificate found
Eddie-Wang的博客
02-19 6896
在使用websocket进行https连接的候,报了sun.security.validator.validatorexception: no trusted certificate found,提示没有可以信任的证书。 需要把证书import到java证书路径下:keytool-import-file/usr/local/share/ca-certificates/fangcun/l...
[已解决]java-sun.security.validator.ValidatorException: PKIX path building failed
Amelia_Liu的博客
10-09 1378
httpclient-4.5.jar 定发送http包,忽然有一天报错,http证书变更引起的。
sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPath
sft0809的专栏
07-02 1万+
异常背景 一台nginx服务器,一台应用服务器。两台服务器均使用了https安全证书 外部接口是http的。信息部分配了一个https的安全连接。需要经过nginx服务器进行转发 近期https安全证书到期更新了一下https安全证书 异常信息 调用接口异常:sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: tim
https接口调用报错sun.security.validator.ValidatorException: PKIX path building failed
qq_41875147的博客
08-22 645
今天在调用第三方接口报错:sun.security.validator.ValidatorException: PKIX path building failed之前http接口未出现这个问题,发现https报错了,缺少安全证书.参考网上资料解决如下: 运行下面main方法,然后控制台输入1,回车,会在InstallCert.java所在项目的根目录下生成一个名为‘jssecacerts’...
最全解决 PKIX问题方案:sun.security.validator.ValidatorException: PKIX path building failed:
热门推荐
qq_43163943的博客
11-04 6万+
这个问题的根本原因是你安装JDKJava\jar 1.8.0_141\lib\ext\里面缺少了一个安全凭证jssecacerts证书文件,通过运行下面类可以生成证书,将生成的证书放在Java\jar 1.8.0_141\lib\ext\这个目录下,重启编译器就可以解决。 我只能说这个方法应该是解决大部分的问题吧,对于我电脑这种顽强的bug,需要通过两种方法的结合才可以从根本上解决这个问题,废话不多说,看我的解决步骤。 1、先检查你的jdk...
sun.security.validator.ValidatorException: PKIX path building failed:
周源的专栏
10-18 4294
sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested... 个人通过网页访问view,证书CA问题,需要导入到java的jre中; 解决办法: ImportImport the SSL certificat
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target报错
05-23
### 背景分析 `javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target` 是一种常见的 SSL 握手异常,通常发生在客户端无法验证服务器证书的有效性。这种问题可能由以下原因引起: 1. **缺少信任的根证书**:Java 的 `cacerts` 文件中未包含用于签署目标站点证书的信任链中的某个 CA 证书。 2. **自签名证书**:如果目标站点使用的是自签名证书,则 Java 默认不会信任该证书。 3. **网络代理或中间设备干扰**:某些企业防火墙或安全网关可能会拦截 HTTPS 流量并替换原始证书。 --- ### 解决方案 #### 方法一:导入目标站点的证书到 JDK 的 cacerts 中 可以通过手动将目标站点的证书导入到 Java 的默认信任库 (`cacerts`) 来解决问题。以下是具体操作步骤: 1. 使用工具获取目标站点的证书: ```bash openssl s_client -connect example.com:443 -showcerts </dev/null 2>/dev/null | openssl x509 -outform PEM > example_com_cert.pem ``` 2. 将下载的证书文件导入到 JDK 的 `cacerts` 库中: ```bash keytool -import -trustcacerts -keystore "$JAVA_HOME/jre/lib/security/cacerts" -storepass changeit -alias example-com-cert -file example_com_cert.pem ``` > 如果遇到权限问题,请确保以管理员身份运行命令[^1]。 完成以上步骤后重新启动应用程序即可尝试连接。 --- #### 方法二:禁用主机名验证(仅适用于开发环境) 对于测试环境中不需要严格安全性的情况,可以临关闭主机名验证来绕过此问题。注意这种方法不推荐在生产环境中使用! 修改 HttpClient 配置如下: ```java import org.apache.http.conn.ssl.NoopHostnameVerifier; import org.apache.http.impl.client.CloseableHttpClient; import org.apache.http.impl.client.HttpClients; CloseableHttpClient client = HttpClients.custom() .setSSLHostnameVerifier(new NoopHostnameVerifier()) // 禁用主机名验证 .build(); ``` 或者通过设置 JVM 参数跳过所有 SSL 验证: ```bash -Djdk.internal.httpclient.disableHostnameVerification=true ``` --- #### 方法三:配置自定义 TrustManager(谨慎使用) 创建一个完全接受任何证书的 `TrustManager` 实现类,并将其应用到 HTTP 请求上下文中。同样需要注意这种方式存在严重的安全隐患,在实际项目中应避免使用。 示例代码片段: ```java import javax.net.ssl.*; import java.security.cert.X509Certificate; // 创建忽略所有证书校验逻辑的 TrustManager 工厂方法 public static void disableSSLCertificateCheck() { try { final SSLContext sc = SSLContext.getInstance("TLS"); sc.init(null, new TrustManager[]{new X509TrustManager() { @Override public void checkClientTrusted(X509Certificate[] chain, String authType) {} @Override public void checkServerTrusted(X509Certificate[] chain, String authType) {} @Override public X509Certificate[] getAcceptedIssuers() {return null;} }}, new java.security.SecureRandom()); HttpsURLConnection.setDefaultSSLSocketFactory(sc.getSocketFactory()); } catch (Exception e) { throw new RuntimeException(e); } } ``` 调用上述函数前需确认当前场景允许此类风险行为发生[^2]。 --- #### 方法四:更新 JRE/JDK 版本 有旧版本的 JDK 可能缺乏最新的受信 CAs 列表支持,建议升级至最新稳定版 OpenJDK 或 Oracle JDK 并同步其配套的基础资源包。 执行以下指令检查现有安装状态以及可用更新选项: ```bash sudo apt-get update && sudo apt-get install openjdk-<version>-jre-headless ``` 同也可以考虑切换成其他第三方实现比如 Adoptium 提供的企业级发行版本[^3]。 --- ### 总结 针对 `PKIX path building failed` 错误的最佳实践通常是优先采取第一种解决方案——即显式添加缺失的目标服务提供商签发机构认证记录进入本地存储区;而对于特殊需求下的快速原型搭建则可以选择第二项或第三条途径作为权宜之计但务必清楚了解伴随而来的潜在威胁因素[^4]。
评论 3
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值