【Java】# 请求https时证书不可信 PKIX SunCertPathBuilderException:unable to find valid certification....

已于 2023-06-08 20:18:59 修改
阅读量1.8k 收藏 3
点赞数
CC 4.0 BY-SA版权
分类专栏: Java 文章标签: https java ssl
于 2022-11-02 17:15:54 首次发布
版权声明:本文为博主原创文章,遵循 CC 4.0 BY-SA 版权协议,转载请附上原文出处链接和本声明。
本文链接:https://blog.youkuaiyun.com/qq_38134242/article/details/127655276

背景:当使用 Java 请求 https协议的服务时,报 ’unable to find valid certification path to requested target’ 异常

解决方式1:将请求服务的证书导入到 JDK的 cacerts中

  • 通过浏览器先访问网址,然后将证书进行导出(以 Edge浏览器为例)

    image-20221102155220652

  • 以管理员身份打开cmd,进入到 “%JAVA_HOME%/jre/lib/\security”目录下,执行以下命令

    keytool -import -keystore cacerts -alias server -file 证书的位置
    -file:指定证书文件的位置
    -keystore:安装证书到的位置
    -alias:指定证书的别名

  • 输入密钥库默认口令:changeit,输入 “Y”信任此证书即可

解决方式2:使用Java类生成证书

  • InstallCert.java类会连接到给定的host,开始握手过程。如果出现异常会打印到控制台并且会显示服务端所使用的证书,此时它会问是否要把证书加入到keystore中。
  • 如果不想加,输入”q”,否则输入”1”.
  • 当输入”1”后,InstallCert.java 会显示证书的有关信息,然后把证书导入到一个名为”jssecacerts”的keystore中(生成在当前目录),只需要把这个文件拷贝到 %JAVA_HOME%/jre/lib/security 目录中即可
import javax.net.ssl.*;
import java.io.*;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;

public class InstallCert {
    public static void main(String[] args) {
        try {
            installCert("110.242.68.4", 443);  // https://www.baidu.com
        } catch (Exception e) {
            e.printStackTrace();
        }
    }

    private static final char[] HEX_DIGITS = "0123456789abcdef".toCharArray();

    /**
     * 安装证书
     *
     * @param requestUrl 请求https服务的地址
     * @param port       https默认端口为 443
     * @throws Exception
     */
    public static void installCert(String requestUrl, int port) throws Exception {
        // 密钥库默认口令,一般默认changeit
        String pwd = "changeit";
        char[] passphrase = pwd.toCharArray();

        File file = new File("jssecacerts");
        if (!file.isFile()) {
            char sep = File.separatorChar;
            File dir = new File(System.getProperty("java.home") + sep + "lib" + sep + "security");
            file = new File(dir, "jssecacerts");
            if (!file.isFile()) {
                file = new File(dir, "cacerts");
            }
        }
        System.out.println("Loading KeyStore " + file + "...");
        InputStream in = new FileInputStream(file);
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        ks.load(in, passphrase);
        in.close();

        SSLContext context = SSLContext.getInstance("TLS");
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        X509TrustManager defaultTrustManager = (X509TrustManager) tmf.getTrustManagers()[0];
        SavingTrustManager tm = new SavingTrustManager(defaultTrustManager);
        context.init(null, new TrustManager[]{tm}, null);
        SSLSocketFactory factory = context.getSocketFactory();

        System.out.println("Opening connection to " + requestUrl + ":" + port + "...");
        SSLSocket socket = (SSLSocket) factory.createSocket(requestUrl, port);
        socket.setSoTimeout(10000);
        try {
            System.out.println("Starting SSL handshake...");
            socket.startHandshake();
            socket.close();
            System.out.println("\nNo errors, certificate is already trusted");
        } catch (SSLException e) {
            System.out.println();
            e.printStackTrace(System.out);
        }

        X509Certificate[] chain = tm.chain;
        if (chain == null) {
            System.out.println("Could not obtain server certificate chain");
            return;
        }

        BufferedReader reader = new BufferedReader(new InputStreamReader(System.in));

        System.out.println("\nServer sent " + chain.length + " certificate(s):\n");
        MessageDigest sha1 = MessageDigest.getInstance("SHA1");
        MessageDigest md5 = MessageDigest.getInstance("MD5");
        for (int i = 0; i < chain.length; i++) {
            X509Certificate cert = chain[i];
            System.out.println(" " + (i + 1) + " Subject " + cert.getSubjectDN());
            System.out.println("   Issuer  " + cert.getIssuerDN());
            sha1.update(cert.getEncoded());
            System.out.println("   sha1    " + toHexString(sha1.digest()));
            md5.update(cert.getEncoded());
            System.out.println("   md5     " + toHexString(md5.digest()));
            System.out.println();
        }

        System.out.println("Enter certificate to add to trusted keystore or 'q' to quit: [1]");
        String line = reader.readLine().trim();
        int k;
        try {
            k = (line.length() == 0) ? 0 : Integer.parseInt(line) - 1;
        } catch (NumberFormatException e) {
            System.out.println("KeyStore not changed");
            return;
        }

        X509Certificate cert = chain[k];
        String alias = requestUrl + "-" + (k + 1);
        ks.setCertificateEntry(alias, cert);

        OutputStream out = new FileOutputStream("jssecacerts");
        ks.store(out, passphrase);
        out.close();

        System.out.println();
        System.out.println(cert);
        System.out.println();
        System.out.println("Added certificate to keystore 'jssecacerts' using alias '" + alias + "'");
    }

    /**
     * 转为16进制
     *
     * @param bytes
     * @return
     */
    private static String toHexString(byte[] bytes) {
        StringBuilder sb = new StringBuilder(bytes.length * 3);
        for (int b : bytes) {
            b &= 0xff;
            sb.append(HEX_DIGITS[b >> 4]);
            sb.append(HEX_DIGITS[b & 15]);
            sb.append(' ');
        }
        return sb.toString();
    }

    private static class SavingTrustManager implements X509TrustManager {
        private final X509TrustManager tm;
        private X509Certificate[] chain;

        SavingTrustManager(X509TrustManager tm) {
            this.tm = tm;
        }

        @Override
        public X509Certificate[] getAcceptedIssuers() {
            throw new UnsupportedOperationException();
        }

        @Override
        public void checkClientTrusted(X509Certificate[] chain, String authType) {
            throw new UnsupportedOperationException();
        }

        @Override
        public void checkServerTrusted(X509Certificate[] chain, String authType)
                throws CertificateException {
            this.chain = chain;
            tm.checkServerTrusted(chain, authType);
        }
    }
}

原因:服务端的证书没有被Java认证,所以导致请求失败

Java程序对受信证书的查找顺序

  • javax.net.ssl.trustStore

    就是 System.setProperty(“javax.net.ssl.trustStore”, “D:\cacert.keystore”);

    或者通过JVM参数指定:-Djavax.net.ssl.trustStore=D:\cacert.keystore

  • %JAVA_HOME%\jre\lib\security\jssecacerts 【推荐】

    默认没有jssecacerts,一般把cacerts复制成jssecacerts,然后再使用keytool来修改它。

    jsse的全称是Java Secure Socket Extension。

  • %JAVA_HOME%\jre\lib\security\cacerts

    通常情况下不建议通过-Djavax.net.ssl.trustStore=D:\cacert.keystore来直接修改keystore文件的位置,因为这样会造成系统中其他模块可能找不到自己对应的证书了。

【异常】报错SunCertPathBuilderException: unable to find valid certification path to requested target
本本本添哥
12-05 432
当我使用java代码访问某个URL(此处是阿里的百炼平台),报了这个错误,
certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
123
04-22 587
Exception in thread "main" javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable...
SunCertPathBuilderException: unable to find valid certification path to requested target
q358543781的专栏
12-08 5171
今天在用htmlutil访问网站,出现这样一个问题,折腾了一下午,终于解决了,记录下来... sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target Caused by: sun.security.
爬虫跳过证书
WS3220243774的博客
02-26 329
public class SSLHelper { public static String USER_AGENT = “Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 5.0)”; static public void init() { try { SSLContext context = SSLContext.getInstance(“TLSv1.2”); context.init(null, new X509TrustManager[]{new X509Tru
Dbeaver下载PostgreSql驱动报错
qq_40686989的博客
05-21 414
把“使用Windows信任存储”勾选去掉后重启,尝试下载驱动;没有意外的话会再次失败,再把该选项勾选上;解决方法:窗口->首选项->连接。重启后,下载驱动成功。
SunCertPathBuilderException: unable to find valid certification path
司马懿的西山居
10-11 8530
Project build error: Non-resolvable parent POM for com.example:test:0.0.1-SNAPSHOT: Failure to transfer org.springframework.boot:spring- boot-starter-parent:pom:2.1.9.RELEASE from https://repo.maven....
【编程问题】SunCertPathBuilderException: unable to find valid certification path to requested target
李晋江的博客
03-13 1530
SSL安全证书校验导致的异常问题解决 SunCertPathBuilderException: unable to find valid certification path to requested target
java请求接口报错:unable to find valid certification path to requested target
xiexinxx0225的博客
04-26 1622
发现报错unable to find valid certification path to requested target , 使用postman调用接口,设置忽略ssl证书接口有影响数据。项目中需要设置忽略ssl证书验证。
验证证书unable to find valid certification path to requested target
05-07
具体错误信息sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target指出Java虚拟机(JVM)无法找到一个可信的路径来验证服务器提供的SSL/TLS...
HTTPSPKIX SunCertPathBuilderException: unable to find valid certification path to requested target
GuanHao的博客
06-29 1万+
在配置测试环境的候报告unable to find valid certification path to requested target错误。 Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPat...
unable to find valid certification path to requested target 的问题
08-05
NULL 博文链接:https://hyl198611.iteye.com/blog/1988113
SunCertPathBuilderException: Unable To Find Valid Certification Path To Requested Target
adermxl的专栏
03-27 1677
Problem Configured Tomcat to support SSL and deployed this web service on a development Tomcat server. While connect to the deployed web service over SSL connection via this URL :https://localh
SunCertPathBuilderException: unable to find valid certification path to requested target问题处理
山巅
02-04 1764
RestTemplate ssl跳过证书验证。
Https请求报错:unable to find valid certification path to requested target
qq_37084673的博客
09-15 3万+
SSL认证失败: 报错信息如下: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target 问题发现环境: Java中使用
https请求报错unable to find valid certification path to requested target解决
热门推荐
m0_38051458的博客
08-10 4万+
Java项目中请求HTTPS,可能会遇到 "unable to find valid certification path to requested target" 错误。这个错误通常是由于SSL证书问题引起的。要解决此问题,可以尝试以下方法。
彻底解决:SunCertPathBuilderException: unable to find valid certification path to requested target错误的方法
wh445306
12-10 4421
导致原因:由于12306安全系统升级再支持TLS 1.0,所以。以前jsoup直接可以请求的。注意添加这个:.sslSocketFactory(socketFactory())3:旧版本的Jsoup有一个参数:据说加上就行了。我现在用的版本没有,估计是取消了。2:也是绕过绕过HTTPS验证,跟第一种其实差多。请求12306系统查票。调用:在请求代码前执行即可。调用:在请求代码中执行即可。
(转)解决 『SunCertPathBuilderExceptionunable to find valid certification path to requested target』 问题
jackyrongvip的专栏
02-12 2152
https://blog.csdn.net/u013553529/article/details/82895226   在 maven 编译的候,出现证书校验错误,部分log如下: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed:...
ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
最新发布
06-14
### 问题分析与解决方案 #### 1. 错误原因 `javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target` 这类错误通常发生在Java应用程序尝试通过HTTPS连接到远程服务器,由于无法验证服务器证书的有效性而导致握手失败。具体来说,这可能是由于以下原因之一引起的[^1]: - 服务器的SSL证书未被Java的信任库(cacerts)识别。 - 本地JDK或JRE的信任库中缺少服务器的根证书或中间证书。 - 配置文件中指定了错误的证书路径或证书完整。 #### 2. 解决方案 ##### 方法一:将服务器的证书导入到JDK的信任库中 可以通过以下步骤将服务器的证书导入到JDK的信任库中: 1. 使用浏览器访问目标服务器并导出其SSL证书。 2. 将导出的证书保存为 `.cer` 文件。 3. 使用 `keytool` 命令将证书导入到JDK的信任库中。例如: ```bash keytool -import -trustcacerts -keystore "$JAVA_HOME/lib/security/cacerts" -storepass changeit -alias myAlias -file /path/to/your_certificate.cer ``` 注意:默认密码为 `changeit`,如果修改过,请使用实际密码[^2]。 ##### 方法二:在Maven配置中指定信任库 如果问题是出现在Maven项目中,可以尝试通过配置Maven的 `settings.xml` 文件来指定信任库。例如,在 `~/.m2/settings.xml` 中添加以下内容: ```xml <profiles> <profile> <id>secure-repository</id> <activation> <activeByDefault>true</activeByDefault> </activation> <repositories> <repository> <id>remote-repo</id> <url>https://example.com/maven2</url> </repository> </repositories> </profile> </profiles> <servers> <server> <id>remote-repo</id> <configuration> <sslConfiguration> <trustManagers> <trustManager> <implementation>sunx509</implementation> </trustManager> </trustManagers> </sslConfiguration> </configuration> </server> </servers> ``` 确保目标仓库的URL正确,并且信任库已包含相应的证书[^2]。 ##### 方法三:禁用SSL验证(仅用于测试环境) 在开发或测试环境中,可以临禁用SSL验证以绕过此问题。但这种方法推荐用于生产环境,因为它会降低安全性。可以通过设置系统属性来实现: ```java System.setProperty("jsse.enableSNIExtension", "false"); ``` 或者在运行Java程序添加以下参数: ```bash -Djsse.enableSNIExtension=false ``` ##### 方法四:检查服务器证书配置 如果问题是由服务器端配置引起,需要确保服务器的SSL证书链完整,并且包含所有必要的中间证书和根证书。可以通过工具如 `openssl` 检查证书链: ```bash openssl s_client -connect example.com:443 -showcerts ``` 如果发现证书完整,联系服务器管理员更新证书配置[^3]。 #### 3. 示例代码 以下是一个简单的Java程序,演示如何通过设置自定义信任库来解决PKIX路径构建失败的问题: ```java import javax.net.ssl.*; import java.io.InputStream; import java.security.KeyStore; public class SSLContextExample { public static void main(String[] args) throws Exception { // 加载自定义信任库 KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType()); try (InputStream in = SSLContextExample.class.getResourceAsStream("/path/to/truststore.jks")) { trustStore.load(in, "password".toCharArray()); } // 初始化TrustManagerFactory TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm()); tmf.init(trustStore); // 创建SSLContext SSLContext sslContext = SSLContext.getInstance("TLS"); sslContext.init(null, tmf.getTrustManagers(), null); // 设置全局SSLContext HttpsURLConnection.setDefaultSSLSocketFactory(sslContext.getSocketFactory()); System.out.println("SSL Context configured successfully."); } } ``` ###
评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包

打赏作者

LRcoding

你的鼓励将是我创作的最大动力

¥1 ¥2 ¥4 ¥6 ¥10 ¥20
扫码支付:¥1
获取中
扫码支付

您的余额不足,请更换扫码支付或充值

打赏作者

实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值