Java无法验证证书,即使证书在浏览器中有效。

huangapple go评论83阅读模式
英文:

Java not able to validate certificate even if certificate valid in browser

问题

我有一个使用Java调用的GET API,并且我已经使用Feign客户端调用了这个API。

当我调用这个API时,它会显示以下错误:

Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at java.base/sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:439)
    at java.base/sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:306)
    at java.base/sun.security.validator.Validator.validate(Validator.java:264)
    at java.base/sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:313)
    at java.base/sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:222)
    at java.base/sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:129)
    at java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.checkServerCerts(CertificateMessage.java:1323)
    ... 18 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at java.base/sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141)
    at java.base/sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126)
    at java.base/java.security.cert.CertPathBuilder.build(CertPathBuilder.java:297)
    at java.base/sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:434)

当我在浏览器中访问相同的API时,它能够正常工作。浏览器不会显示不受信任的连接提示。

来自Firefox的证书信息:

Java无法验证证书,即使证书在浏览器中有效。

我正在使用Docker镜像openjdk:11-slim中运行我的应用程序。

为什么Java无法验证有效证书,即使证书是有效的?

英文:

I have one GET API to call using java and I have used feign client to call this API.

When I call this API it is giving the error:

Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at java.base/sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:439)
    at java.base/sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:306)
    at java.base/sun.security.validator.Validator.validate(Validator.java:264)
    at java.base/sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:313)
    at java.base/sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:222)
    at java.base/sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:129)
    at java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.checkServerCerts(CertificateMessage.java:1323)
    ... 18 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at java.base/sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141)
    at java.base/sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126)
    at java.base/java.security.cert.CertPathBuilder.build(CertPathBuilder.java:297)
    at java.base/sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:434)

When I hit the same API in the browser, it is working fine. Browser doesn't display like an untrusted connection.

certificate information from firefox:

Java无法验证证书,即使证书在浏览器中有效。

I am running my application in docker image openjdk:11-slim.

Why java is not able to validate the certificate even if the certificate is valid?

答案1

得分: 1

这可能是因为它们未添加到您的 cacerts 中 -

您可以尝试从下面的链接运行 installCerts,用于从中尝试下载证书的站点的 URL,或者由于证书问题而未被允许访问的站点。

java --source 11 InstallCert.java 

https://github.com/escline/InstallCert

如果这是自签名证书,请在您的 DockerFile 中尝试以下内容 -

FROM openjdk:11-jdk-slim
WORKDIR /opt/workdir/

#.crt 文件与您的 Dockerfile 放在同一文件夹中
ARG CERT="certificate.crt"

# 将证书导入到 Java
COPY $CERT /opt/workdir/
RUN keytool -importcert -file $CERT -alias $CERT -cacerts -storepass changeit -noprompt

如果您有 .cer 文件,您可以从浏览器中导出它。将以下内容添加到您的 DockerFile 中,以便在 SSL 握手之前可用所需的证书。 -

ADD your_ca_root.crt /usr/local/share/ca-certificates/foo.crt
RUN chmod 644 /usr/local/share/ca-certificates/foo.crt && update-ca-certificates
英文:

This may be because they are not added to your cacerts -

You can try running installCerts from below link, for the URL of site which you are trying to downlaod certificate from or which is not being allowed to access because of certificate issue.

java --source 11 InstallCert.java 

https://github.com/escline/InstallCert

If it is self signed certificate, try below in your DockerFile -

FROM openjdk:11-jdk-slim
WORKDIR /opt/workdir/

#.crt file in the same folder as your Dockerfile
ARG CERT="certificate.crt"

#import cert into java
COPY $CERT /opt/workdir/
RUN keytool -importcert -file $CERT -alias $CERT -cacerts -storepass changeit -noprompt

If you have the .cer file, which you can otherwise export from browser. Add below to your DockerFile. So the required certs are available before ssl handshake. -

ADD your_ca_root.crt /usr/local/share/ca-certificates/foo.crt
RUN chmod 644 /usr/local/share/ca-certificates/foo.crt && update-ca-certificates

huangapple
  • 本文由 发表于 2020年10月27日 20:50:34
  • 转载请务必保留本文链接:https://go.coder-hub.com/64554818.html
匿名

发表评论

匿名网友

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen:

确定