java - PKIX path building failed: Not sure I'm creating keystore correctly

Tags: java validation security ssl

I am getting the following error:

javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.ssl.Alerts.getSSLException(Unknown Source)
    at sun.security.ssl.SSLSocketImpl.fatal(Unknown Source)
    at sun.security.ssl.Handshaker.fatalSE(Unknown Source)
    at sun.security.ssl.Handshaker.fatalSE(Unknown Source)
    at sun.security.ssl.ClientHandshaker.serverCertificate(Unknown Source)
    at sun.security.ssl.ClientHandshaker.processMessage(Unknown Source)
    at sun.security.ssl.Handshaker.processLoop(Unknown Source)
    at sun.security.ssl.Handshaker.process_record(Unknown Source)
    at sun.security.ssl.SSLSocketImpl.readRecord(Unknown Source)
    at sun.security.ssl.SSLSocketImpl.performInitialHandshake(Unknown Source)
    at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)
    at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)
    at sun.net.www.protocol.https.HttpsClient.afterConnect(Unknown Source)
    at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(Unknown Source)
    at sun.net.www.protocol.http.HttpURLConnection.getInputStream(Unknown Source)
    at sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(Unknown Source)
    at com.towerdata.api.personalization.TowerDataApi.getJsonResponse(TowerDataApi.java:246)
    at com.towerdata.api.personalization.TowerDataApi.queryByEmail(TowerDataApi.java:101)
    at EmailActivityMetricsRequestor.requestTowerData(EmailActivityMetricsRequestor.java:57)
    at EmailActivityMetricsRequestor.Requestor(EmailActivityMetricsRequestor.java:44)
    at Main.main(Main.java:21)
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.validator.PKIXValidator.doBuild(Unknown Source)
    at sun.security.validator.PKIXValidator.engineValidate(Unknown Source)
    at sun.security.validator.Validator.validate(Unknown Source)
    at sun.security.ssl.X509TrustManagerImpl.validate(Unknown Source)
    at sun.security.ssl.X509TrustManagerImpl.checkTrusted(Unknown Source)
    at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(Unknown Source)
    ... 17 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(Unknown Source)
    at java.security.cert.CertPathBuilder.build(Unknown Source)
    ... 23 more

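I have done the following:

  • I updated to JRE8, thinking the CAs might be old
  • Changed my build path in Eclipse to JRE8. The first time I did this, it fixed my problem, and I was able to make HTTP requests until I closed Eclipse. After that I got the same error again.
  • Downloaded their root certificate through Google Chrome and tried to add it to the keystore by executing the following command (using Windows, running cmd.exe in administrator mode)
  • I've also tried running Eclipse in administrator mode

When I look at the security details of the website I'm making the request to, 3 certificates show up: the root CA, an intermediate, and a third one. Do I need all of these certificates to make a valid keystore? If so, how do I do that? I used the command below to create a keystore for the root CA, but that did not solve my problem.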

.\keytool -import -trustcacerts -keystore cacerts -storepass changeit -noprompt -alias alex -file C:\Users\Alex.cauthen\Documents\CA1.cer

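EDIT: Also, I'm calling this server's API, meaning I call a method and it makes the request for me. I contacted their support team and they said nobody else has had this problem. I don't know whether this information helps.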

javax.net.debug=ssl output when it fails:

%% Invalidated: [Session-1, TLS_RSA_WITH_AES_128_CBC_SHA]
main, SEND TLSv1 ALERT: fatal, description = certificate_unknown
main, WRITE: TLSv1 Alert, length = 2
main, called closeSocket()

Output when it randomly succeeds:

*** Finished verify_data: { 0, 221, 45, 195, 129, 216, 158, 173, 83, 221, 170, 52 }
%% Cached client session: [Session-1, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256]
main, WRITE: TLSv1.2 Application Data, length = 264
main, READ: TLSv1.2 Application Data, length = 241

Best answer

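You only need to import the root CA certificate, and the command line you used is correct. So it must be that you aren't actually using that file as the truststore. You need to set the javax.net.ssl.trustStore property to its location, or initialize an SSLContext with a TrustManager that has it loaded, and go on from there.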
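
One way to check and apply what the answer describes, as an added example (not code from the original post or from the API vendor): it prints which JRE and truststore file the running JVM resolves, checks whether the imported alias is in that file, and then builds an SSLContext from it explicitly. The password `changeit` and alias `alex` come from the keytool command in the question; the class name and the URL `https://api.example.com/` are placeholders.

```java
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;
import java.io.InputStream;
import java.net.URL;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.KeyStore;

public class TrustStoreCheck {
    // Load a truststore file from disk.
    static KeyStore load(Path file, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = Files.newInputStream(file)) {
            ks.load(in, password);
        }
        return ks;
    }

    // Build an SSLContext whose TrustManager trusts only the CAs in 'trusted'.
    static SSLContext contextFrom(KeyStore trusted) throws Exception {
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trusted);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null); // no client keys, default RNG
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        // The JRE that is actually running; keytool may have edited another JRE's cacerts.
        String javaHome = System.getProperty("java.home");
        String configured = System.getProperty("javax.net.ssl.trustStore");
        // Unset property: JSSE falls back to lib/security/jssecacerts if present,
        // then lib/security/cacerts. Only the cacerts fallback is checked here.
        Path store = configured != null
                ? Paths.get(configured)
                : Paths.get(javaHome, "lib", "security", "cacerts");
        System.out.println("java.home  = " + javaHome);
        System.out.println("truststore = " + store);

        KeyStore ks = load(store, "changeit".toCharArray()); // -storepass from the question
        System.out.println("alias 'alex' present: " + ks.containsAlias("alex"));

        // Use this store explicitly for one connection (placeholder URL).
        HttpsURLConnection conn =
                (HttpsURLConnection) new URL("https://api.example.com/").openConnection();
        conn.setSSLSocketFactory(contextFrom(ks).getSocketFactory());
        System.out.println("HTTP " + conn.getResponseCode());
    }
}
```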

Regarding "java - PKIX path building failed: Not sure I'm creating keystore correctly", we found a similar question on Stack Overflow: https://stackoverflow.com/questions/37890057/
