调用https接口时报错:sun.security.validator.ValidatorException

本文介绍了解决HTTPS接口调用时出现的PKIX路径构建失败错误的方法。通过编写并运行一个Java程序,可以获取并导入所需的证书,从而避免安全验证失败。文章详细解释了程序的工作原理及如何执行。

摘要生成于 C知道 ,由 DeepSeek-R1 满血版支持, 前往体验 >

1、现象

调用https接口报如下错误:

sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

2、原因

     这是缺少安全证书时出现的异常,解决方案就是将你要访问的 请求地址 的安全认证证书导入到客户端即可。

3、解决方式

(1)写一个程序专门获取安全证书,参考InstallCert.java:

/*
 * Copyright 2006 Sun Microsystems, Inc.  All Rights Reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 *
 *   - Redistributions of source code must retain the above copyright
 *     notice, this list of conditions and the following disclaimer.
 *
 *   - Redistributions in binary form must reproduce the above copyright
 *     notice, this list of conditions and the following disclaimer in the
 *     documentation and/or other materials provided with the distribution.
 *
 *   - Neither the name of Sun Microsystems nor the names of its
 *     contributors may be used to endorse or promote products derived
 *     from this software without specific prior written permission.
 *
 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS
 * IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
 * THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
 * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR
 * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
 * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
 * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
 * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
 * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
 * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
 * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 */

import java.io.*;
import java.net.URL;

import java.security.*;
import java.security.cert.*;

import javax.net.ssl.*;

public class InstallCert {

    public static void main(String[] args) throws Exception {
	String host;
	int port;
	char[] passphrase;
	if ((args.length == 1) || (args.length == 2)) {
	    String[] c = args[0].split(":");
	    host = c[0];
	    port = (c.length == 1) ? 443 : Integer.parseInt(c[1]);
	    String p = (args.length == 1) ? "changeit" : args[1];
	    passphrase = p.toCharArray();
	} else {
	    System.out.println("Usage: java InstallCert <host>[:port] [passphrase]");
	    return;
	}

	File file = new File("jssecacerts");
	if (file.isFile() == false) {
	    char SEP = File.separatorChar;
	    File dir = new File(System.getProperty("java.home") + SEP
		    + "lib" + SEP + "security");
	    file = new File(dir, "jssecacerts");
	    if (file.isFile() == false) {
		file = new File(dir, "cacerts");
	    }
	}
	System.out.println("Loading KeyStore " + file + "...");
	InputStream in = new FileInputStream(file);
	KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
	ks.load(in, passphrase);
	in.close();

	SSLContext context = SSLContext.getInstance("TLS");
	TrustManagerFactory tmf =
	    TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
	tmf.init(ks);
	X509TrustManager defaultTrustManager = (X509TrustManager)tmf.getTrustManagers()[0];
	SavingTrustManager tm = new SavingTrustManager(defaultTrustManager);
	context.init(null, new TrustManager[] {tm}, null);
	SSLSocketFactory factory = context.getSocketFactory();

	System.out.println("Opening connection to " + host + ":" + port + "...");
	SSLSocket socket = (SSLSocket)factory.createSocket(host, port);
	socket.setSoTimeout(10000);
	try {
	    System.out.println("Starting SSL handshake...");
	    socket.startHandshake();
	    socket.close();
	    System.out.println();
	    System.out.println("No errors, certificate is already trusted");
	} catch (SSLException e) {
	    System.out.println();
	    e.printStackTrace(System.out);
	}

	X509Certificate[] chain = tm.chain;
	if (chain == null) {
	    System.out.println("Could not obtain server certificate chain");
	    return;
	}

	BufferedReader reader =
		new BufferedReader(new InputStreamReader(System.in));

	System.out.println();
	System.out.println("Server sent " + chain.length + " certificate(s):");
	System.out.println();
	MessageDigest sha1 = MessageDigest.getInstance("SHA1");
	MessageDigest md5 = MessageDigest.getInstance("MD5");
	for (int i = 0; i < chain.length; i++) {
	    X509Certificate cert = chain[i];
	    System.out.println
	    	(" " + (i + 1) + " Subject " + cert.getSubjectDN());
	    System.out.println("   Issuer  " + cert.getIssuerDN());
	    sha1.update(cert.getEncoded());
	    System.out.println("   sha1    " + toHexString(sha1.digest()));
	    md5.update(cert.getEncoded());
	    System.out.println("   md5     " + toHexString(md5.digest()));
	    System.out.println();
	}

	System.out.println("Enter certificate to add to trusted keystore or 'q' to quit: [1]");
	String line = reader.readLine().trim();
	int k;
	try {
	    k = (line.length() == 0) ? 0 : Integer.parseInt(line) - 1;
	} catch (NumberFormatException e) {
	    System.out.println("KeyStore not changed");
	    return;
	}

	X509Certificate cert = chain[k];
	String alias = host + "-" + (k + 1);
	ks.setCertificateEntry(alias, cert);

	OutputStream out = new FileOutputStream("jssecacerts");
	ks.store(out, passphrase);
	out.close();

	System.out.println();
	System.out.println(cert);
	System.out.println();
	System.out.println
		("Added certificate to keystore 'jssecacerts' using alias '"
		+ alias + "'");
    }

    private static final char[] HEXDIGITS = "0123456789abcdef".toCharArray();

    private static String toHexString(byte[] bytes) {
	StringBuilder sb = new StringBuilder(bytes.length * 3);
	for (int b : bytes) {
	    b &= 0xff;
	    sb.append(HEXDIGITS[b >> 4]);
	    sb.append(HEXDIGITS[b & 15]);
	    sb.append(' ');
	}
	return sb.toString();
    }

    private static class SavingTrustManager implements X509TrustManager {

	private final X509TrustManager tm;
	private X509Certificate[] chain;

	SavingTrustManager(X509TrustManager tm) {
	    this.tm = tm;
	}

	public X509Certificate[] getAcceptedIssuers() {
	    throw new UnsupportedOperationException();
	}

	public void checkClientTrusted(X509Certificate[] chain, String authType)
		throws CertificateException {
	    throw new UnsupportedOperationException();
	}

	public void checkServerTrusted(X509Certificate[] chain, String authType)
		throws CertificateException {
	    this.chain = chain;
	    tm.checkServerTrusted(chain, authType);
	}
    }

}

(2)编译:javac InstallCert.java

(3)执行:java  InstallCert  你的https域名,比如:java  InstallCert  123.com

        输入1,然后直接回车,会在相应的目录下产生一个名为‘jssecacerts’的证书。

(4)将证书copy到$JAVA_HOME/jre/lib/security目录下,或者通过以下方式

         System.setProperty("javax.net.ssl.trustStore", "C:\\Keystore\\jssecacerts");

    注意:要重新启动你的应用服务器,因是静态加载,证书才能被运用上。

 

### 背景分析 `javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target` 是一种常见的 SSL 握手异常,通常发生在客户端无法验证服务器证书的有效性。这种问题可能由以下原因引起: 1. **缺少信任的根证书**:Java 的 `cacerts` 文件中未包含用于签署目标站点证书的信任链中的某个 CA 证书。 2. **自签名证书**:如果目标站点使用的是自签名证书,则 Java 默认不会信任该证书。 3. **网络代理或中间设备干扰**:某些企业防火墙或安全网关可能会拦截 HTTPS 流量并替换原始证书。 --- ### 解决方案 #### 方法一:导入目标站点的证书到 JDK 的 cacerts 中 可以通过手动将目标站点的证书导入到 Java 的默认信任库 (`cacerts`) 来解决问题。以下是具体操作步骤: 1. 使用工具获取目标站点的证书: ```bash openssl s_client -connect example.com:443 -showcerts </dev/null 2>/dev/null | openssl x509 -outform PEM > example_com_cert.pem ``` 2. 将下载的证书文件导入到 JDK 的 `cacerts` 库中: ```bash keytool -import -trustcacerts -keystore "$JAVA_HOME/jre/lib/security/cacerts" -storepass changeit -alias example-com-cert -file example_com_cert.pem ``` > 如果遇到权限问题,请确保以管理员身份运行命令[^1]。 完成以上步骤后重新启动应用程序即可尝试连接。 --- #### 方法二:禁用主机名验证(仅适用于开发环境) 对于测试环境中不需要严格安全性的情况,可以临关闭主机名验证来绕过此问题。注意这种方法不推荐在生产环境中使用! 修改 HttpClient 配置如下: ```java import org.apache.http.conn.ssl.NoopHostnameVerifier; import org.apache.http.impl.client.CloseableHttpClient; import org.apache.http.impl.client.HttpClients; CloseableHttpClient client = HttpClients.custom() .setSSLHostnameVerifier(new NoopHostnameVerifier()) // 禁用主机名验证 .build(); ``` 或者通过设置 JVM 参数跳过所有 SSL 验证: ```bash -Djdk.internal.httpclient.disableHostnameVerification=true ``` --- #### 方法三:配置自定义 TrustManager(谨慎使用) 创建一个完全接受任何证书的 `TrustManager` 实现类,并将其应用到 HTTP 请求上下文中。同样需要注意这种方式存在严重的安全隐患,在实际项目中应避免使用。 示例代码片段: ```java import javax.net.ssl.*; import java.security.cert.X509Certificate; // 创建忽略所有证书校验逻辑的 TrustManager 工厂方法 public static void disableSSLCertificateCheck() { try { final SSLContext sc = SSLContext.getInstance("TLS"); sc.init(null, new TrustManager[]{new X509TrustManager() { @Override public void checkClientTrusted(X509Certificate[] chain, String authType) {} @Override public void checkServerTrusted(X509Certificate[] chain, String authType) {} @Override public X509Certificate[] getAcceptedIssuers() {return null;} }}, new java.security.SecureRandom()); HttpsURLConnection.setDefaultSSLSocketFactory(sc.getSocketFactory()); } catch (Exception e) { throw new RuntimeException(e); } } ``` 调用上述函数前需确认当前场景允许此类风险行为发生[^2]。 --- #### 方法四:更新 JRE/JDK 版本 有旧版本的 JDK 可能缺乏最新的受信 CAs 列表支持,建议升级至最新稳定版 OpenJDK 或 Oracle JDK 并同步其配套的基础资源包。 执行以下指令检查现有安装状态以及可用更新选项: ```bash sudo apt-get update && sudo apt-get install openjdk-<version>-jre-headless ``` 同也可以考虑切换成其他第三方实现比如 Adoptium 提供的企业级发行版本[^3]。 --- ### 总结 针对 `PKIX path building failed` 错误的最佳实践通常是优先采取第一种解决方案——即显式添加缺失的目标服务提供商签发机构认证记录进入本地存储区;而对于特殊需求下的快速原型搭建则可以选择第二项或第三条途径作为权宜之计但务必清楚了解伴随而来的潜在威胁因素[^4]。
评论 3
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值