java - 太阳.security.validator.ValidatorException : SunCertPathBuilderException -while importing certificate

Question

我低于异常

sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

我已经在该位置设置了SSL证书

C:\Program Files\AdoptOpenJDK\jdk-11.0.9.11-hotspot\lib\security

keytool -import -keystore cacerts -file C:\Users\test\Desktop\Certificate\oCertificate.cer

但是我在访问服务器时遇到了上述异常。

我看到的结果 我已将证书添加到 Jdk cacerts 文件中，但它工作了两天后又出现了同样的错误。我无法让它正常工作我能够成功地 ping 服务器而不是它再次显示异常。

Answer 1

您描述的问题是运行 keytool 导入证书给您这个错误吗？请提供选项 -trustcacerts 并查看相关文档:

Import a New Trusted Certificate

Before you add the certificate to the keystore, the keytool command verifies it by attempting to construct a chain of trust from that certificate to a self-signed certificate (belonging to a root CA), using trusted certificates that are already available in the keystore.

If the -trustcacerts option was specified, then additional certificates are considered for the chain of trust, namely the certificates in a file named cacerts.

If the keytool command fails to establish a trust path from the certificate to be imported up to a self-signed certificate (either from the keystore or the cacerts file), then the certificate information is printed, and the user is prompted to verify it by comparing the displayed certificate fingerprints with the fingerprints obtained from some other (trusted) source of information, which might be the certificate owner. Be very careful to ensure the certificate is valid before importing it as a trusted certificate. The user then has the option of stopping the import operation. If the -noprompt option is specified, then there is no interaction with the user.

来源:https://docs.oracle.com/en/java/javase/11/tools/keytool.html

或者，您可能会发现 keytool 不是非常用户友好，您可能会喜欢其他软件，例如:https://keystore-explorer.org/downloads.html更多。

或者如果问题是您的(TLS 客户端，甚至是 TLS 服务器)软件有一些证书问题，它可能是因为 jccampanero 已经建议服务器可能已切换到不同的证书，或者据我所知服务器实际上可能是负载均衡器后面的几个不同的服务器，这些服务器可能并不都具有相同的证书。 (或者您可能安装了一些替换默认 cacerts 文件的 Java 更新？)

如果出现问题，我强烈建议阅读 JSSE 文档并使用 java 选项启用调试日志记录 -Djavax.net.debug=all 或者可能比 all 喜欢 handshake 请参阅 Java 11 文档:

https://docs.oracle.com/en/java/javase/11/security/java-secure-socket-extension-jsse-reference-guide.html#GUID-31B7E142-B874-46E9-8DD0-4E18EC0EB2CF

这显示了您的应用程序使用的确切 TrustStore、服务器在握手期间提供的证书以及作为 TLS 握手一部分的许多其他协商内容。

如果您希望完全控制您信任的人来颁发证书，您可以配置自己的信任库，而不是可以使用 Java 安装之外的默认信任库，选项如下:

java -Djavax.net.ssl.trustStore=samplecacerts \
     -Djavax.net.ssl.trustStorePassword=changeit \
     Application

我相信研究此调试日志记录应该可以直接解决问题，如果不能，请向我们提供一些相关的日志记录。