我尝试通过 SSL 连接我的独立应用程序和 Tomcat 提供的其他应用程序(在它们之间发送一些数据):
https://tomcat_server:8843/app
不幸的是,我的独立应用程序中出现错误:
Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Unknown Source) at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(Unknown Source) at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Unknown Source) at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Unknown Source) at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(Unknown Source) at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(Unknown Source) at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Unknown Source) at com.sun.net.ssl.internal.ssl.Handshaker.process_record(Unknown Source) at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(Unknown Source) at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(Unknown Source) at com.sun.net.ssl.internal.ssl.SSLSocketImpl.writeRecord(Unknown Source) at com.sun.net.ssl.internal.ssl.AppOutputStream.write(Unknown Source) at java.io.BufferedOutputStream.flushBuffer(Unknown Source) at java.io.BufferedOutputStream.flush(Unknown Source) at org.apache.commons.httpclient.HttpConnection.flushRequestOutputStream(HttpConnection.java:827) at org.apache.commons.httpclient.MultiThreadedHttpConnectionManager$HttpConnectionAdapter.flushRequestOutputStream(MultiThreadedHttpConnectionManager.java:1525) at org.apache.commons.httpclient.HttpMethodBase.writeRequest(HttpMethodBase.java:1975) at org.apache.commons.httpclient.HttpMethodBase.execute(HttpMethodBase.java:993) at org.apache.commons.httpclient.HttpMethodDirector.executeWithRetry(HttpMethodDirector.java:397) at org.apache.commons.httpclient.HttpMethodDirector.executeMethod(HttpMethodDirector.java:170) at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:396) at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:324) at org.apache.commons.vfs.provider.http.HttpClientFactory.createConnection(HttpClientFactory.java:101) ... 9 more
如果我将 url 定义为 http,它工作正常:
http://tomcat_server:8080/app
我认为这也不是应用程序的问题。我已经在其他 Tomcat 服务器上使用相同的应用程序尝试了相同的操作,它通过 https 运行。这些服务器之间的唯一区别是我没有在该工作的服务器上创建 keystore 文件(pfx)。我当然不能使用相同的 keystore ,因为它的域不同(我也通过浏览器访问这个应用程序)。 服务器上的Tomcat日志中没有任何内容。也许我在创建 keystore 时做错了什么。
以下是我如何使用 openssl 工具以及我的 key 、证书和中间证书生成 keystore 文件:
openssl pkcs12 -export -out certificate.pfx -inkey server.key -in server.crt -certfile intermediate.crt
这是我的连接器配置:
protocol="org.apache.coyote.http11.Http11Protocol"
port="8443" maxThreads="200"
scheme="https" secure="true" SSLEnabled="true"
keystoreFile="/path/to/keystore/certificate.pfx" keystorePass="changeit" ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA"
keystoreType="PKCS12" clientAuth="false" sslProtocol="TLS"/>
两台服务器都有相同的配置,所以我认为它必须是证书。有谁知道如何解决吗?
最佳答案
您需要在JDK安全中导入证书。按照以下 2 个步骤即可完成。
- 第 1 步转到下面的 java 安全目录
/path/to/java/jdk/jre/lib/security
- 第 2 步运行以下命令
keytool -import -keystore cacerts -file /path/to/your/cert.cer
关于Java SSL 握手错误 - Tomcat keystore ,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/33671313/