请求https报错证书校验失败(javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX

已于 2023-08-31 15:19:33 修改
阅读量1.6k 收藏 1
点赞数 1
分类专栏: https 客户端 服务端 文章标签: java 网络协议 信息与通信
于 2023-08-31 15:18:46 首次发布
版权声明:本文为博主原创文章,遵循 CC 4.0 BY-SA 版权协议,转载请附上原文出处链接和本声明。
本文链接:https://blog.csdn.net/HU_AZAI/article/details/132603529
版权
https 同时被 3 个专栏收录
1 篇文章 0 订阅
订阅专栏
客户端
1 篇文章 0 订阅
订阅专栏
服务端
1 篇文章 0 订阅
订阅专栏

项目场景:

请求https报错证书校验失败(javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target)

问题描述

项目中请求第三方https的URL,报错ssl证书校验失败

14:33:55.195 [main] ERROR com.bd.common.utils.OKHttpUtil - context
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
	at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
	at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1949)
	at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:302)
	at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:296)
	at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1509)
	at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:216)
	at sun.security.ssl.Handshaker.processLoop(Handshaker.java:979)
	at sun.security.ssl.Handshaker.process_record(Handshaker.java:914)
	at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1062)
	at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1375)
	at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1403)
	at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1387)
	at com.squareup.okhttp.internal.io.RealConnection.connectTls(RealConnection.java:192)
	at com.squareup.okhttp.internal.io.RealConnection.connectSocket(RealConnection.java:149)
	at com.squareup.okhttp.internal.io.RealConnection.connect(RealConnection.java:112)
	at com.squareup.okhttp.internal.http.StreamAllocation.findConnection(StreamAllocation.java:184)
	at com.squareup.okhttp.internal.http.StreamAllocation.findHealthyConnection(StreamAllocation.java:126)
	at com.squareup.okhttp.internal.http.StreamAllocation.newStream(StreamAllocation.java:95)
	at com.squareup.okhttp.internal.http.HttpEngine.connect(HttpEngine.java:281)

原因分析:

ssl校验失败有两种可能,一种是服务端ssl证书配置错误,一种是客户端请求的是非信任的https地址,客户端不信任该https的ssl证书。怀疑是使用了自签名证书,非各大厂提供签名证书

解决方案:

该问题有两种请求方案

  1. 手动下载ssl证书
    (1)在浏览器地址栏里找到“证书信息”->“详细信息”->“复制到文件”->选择DER编码二进制X.509(.CER)(D) 导出证书,如证书名为pro1.cer;
    (2)将pro1.cer上传至服务器/usr/java;
    (3)执行keytool -import -alias pro1 -keystore /usr/java/jdk1.8.0/jre/lib/security/cacerts -file /usr/java/pro1.cer;
    (4)输入密码:changeit
    (5)查看证书库keytool -list -keystore /usr/java/jdk1.8.0/jre/lib/security/cacerts|grep pro1.cer,如找到到 证书信息,代表完成导入。
    (6)回到程序,调试java程序不再报错。
  2. 使用提供的工具类自动下载证书
    使用该工具过程中,工具类会提示用户选择是否将证书添加到信任存储中。用户可以输入证书的序号,将指定的证书添加到信任存储中。
package com.sword.lasms.commons.httpClient;

/*
 * Copyright 2006 Sun Microsystems, Inc.  All Rights Reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 *
 *   - Redistributions of source code must retain the above copyright
 *     notice, this list of conditions and the following disclaimer.
 *
 *   - Redistributions in binary form must reproduce the above copyright
 *     notice, this list of conditions and the following disclaimer in the
 *     documentation and/or other materials provided with the distribution.
 *
 *   - Neither the name of Sun Microsystems nor the names of its
 *     contributors may be used to endorse or promote products derived
 *     from this software without specific prior written permission.
 *
 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS
 * IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
 * THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
 * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR
 * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
 * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
 * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
 * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
 * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
 * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
 * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 */

import java.io.BufferedReader;
import java.io.File;
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.InputStream;
import java.io.InputStreamReader;
import java.io.OutputStream;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;

import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLException;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

/**
 *  发送 Https 请求报错:PKIX: unable to find valid certification path to requested target
 *
 * 问题的根本是:缺少安全证书时出现的异常。
 * 解决问题方法:将要访问的webservice/url....的安全认证证书导入到客户端即可。
 *
 * 以下是获取安全证书的一种方法,通过以下程序获取安全证书
 * (仅需要修改参数 args )
 *
 */
public class InstallCert {

    public static void main(String[] args) throws Exception {
//        args= new String[]{"sgdzpic.3322.org:20008"};  // 填写要访问的 url:端口
        String host;
        int port;
        char[] passphrase;
        if ((args.length == 1) || (args.length == 2)) {
            String[] c = args[0].split(":");
            host = c[0];
            port = (c.length == 1) ? 443 : Integer.parseInt(c[1]);
            String p = (args.length == 1) ? "changeit" : args[1];
            passphrase = p.toCharArray();
        } else {
            System.out
                    .println("Usage: java InstallCert <host>[:port] [passphrase]");
            return;
        }

        File file = new File("jssecacerts");
        if (file.isFile() == false) {
            char SEP = File.separatorChar;
            File dir = new File(System.getProperty("java.home") + SEP + "lib"
                    + SEP + "security");
            file = new File(dir, "jssecacerts");
            if (file.isFile() == false) {
                file = new File(dir, "cacerts");
            }
        }
        System.out.println("Loading KeyStore " + file + "...");
        InputStream in = new FileInputStream(file);
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        ks.load(in, passphrase);
        in.close();

        SSLContext context = SSLContext.getInstance("TLS");
        TrustManagerFactory tmf = TrustManagerFactory
                .getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        X509TrustManager defaultTrustManager = (X509TrustManager) tmf
                .getTrustManagers()[0];
        SavingTrustManager tm = new SavingTrustManager(defaultTrustManager);
        context.init(null, new TrustManager[] { tm }, null);
        SSLSocketFactory factory = context.getSocketFactory();

        System.out
                .println("Opening connection to " + host + ":" + port + "...");
        SSLSocket socket = (SSLSocket) factory.createSocket(host, port);
        socket.setSoTimeout(10000);
        try {
            System.out.println("Starting SSL handshake...");
            socket.startHandshake();
            socket.close();
            System.out.println();
            System.out.println("No errors, certificate is already trusted");
        } catch (SSLException e) {
            System.out.println();
            e.printStackTrace(System.out);
        }

        X509Certificate[] chain = tm.chain;
        if (chain == null) {
            System.out.println("Could not obtain server certificate chain");
            return;
        }

        BufferedReader reader = new BufferedReader(new InputStreamReader(
                System.in));

        System.out.println();
        System.out.println("Server sent " + chain.length + " certificate(s):");
        System.out.println();
        MessageDigest sha1 = MessageDigest.getInstance("SHA1");
        MessageDigest md5 = MessageDigest.getInstance("MD5");
        for (int i = 0; i < chain.length; i++) {
            X509Certificate cert = chain[i];
            System.out.println(" " + (i + 1) + " Subject "
                    + cert.getSubjectDN());
            System.out.println("   Issuer  " + cert.getIssuerDN());
            sha1.update(cert.getEncoded());
            System.out.println("   sha1    " + toHexString(sha1.digest()));
            md5.update(cert.getEncoded());
            System.out.println("   md5     " + toHexString(md5.digest()));
            System.out.println();
        }

        System.out
                .println("Enter certificate to add to trusted keystore or 'q' to quit: [1]");
        String line = reader.readLine().trim();
        int k;
        try {
            k = (line.length() == 0) ? 0 : Integer.parseInt(line) - 1;
        } catch (NumberFormatException e) {
            System.out.println("KeyStore not changed");
            return;
        }

        X509Certificate cert = chain[k];
        String alias = host + "-" + (k + 1);
        ks.setCertificateEntry(alias, cert);

        OutputStream out = new FileOutputStream("jssecacerts");
        ks.store(out, passphrase);
        out.close();

        System.out.println();
        System.out.println(cert);
        System.out.println();
        System.out
                .println("Added certificate to keystore 'jssecacerts' using alias '"
                        + alias + "'");
    }

    private static final char[] HEXDIGITS = "0123456789abcdef".toCharArray();

    private static String toHexString(byte[] bytes) {
        StringBuilder sb = new StringBuilder(bytes.length * 3);
        for (int b : bytes) {
            b &= 0xff;
            sb.append(HEXDIGITS[b >> 4]);
            sb.append(HEXDIGITS[b & 15]);
            sb.append(' ');
        }
        return sb.toString();
    }

    private static class SavingTrustManager implements X509TrustManager {

        private final X509TrustManager tm;
        private X509Certificate[] chain;

        SavingTrustManager(X509TrustManager tm) {
            this.tm = tm;
        }

        public X509Certificate[] getAcceptedIssuers() {
            throw new UnsupportedOperationException();
        }

        public void checkClientTrusted(X509Certificate[] chain, String authType)
                throws CertificateException {
            throw new UnsupportedOperationException();
        }

        public void checkServerTrusted(X509Certificate[] chain, String authType)
                throws CertificateException {
            this.chain = chain;
            tm.checkServerTrusted(chain, authType);
        }
    }

}
HU_AZAI
关注
专栏目录
解决javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path
u013816904的博客
11-27 7271
参考博客:https://blog.csdn.net/u014256984/article/details/73330573 1、新建一个空的InstallCert.java 文件,用notepad++打开 2、复制下面的代码到文件里面,保存 /*  * Copyright 2006 Sun Microsystems, Inc.  All Rights Reserved.  *  * Red...
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building f
qq_38603819的博客
02-13 4440
1、问题发生背景:HttpClient4.5.6获取https链接时报的错。 2、问题分析:大概好像是说没有通过证书验证,具体就是跟证书有关系,再详尽一点也没有研究。 3、解决方法: //采用绕过验证的方式处理https请求 SSLContext sslcontext = null; try { //主要是通过该方法createIgnoreVerifySSL sslconte...
解决远程调用三方接口:javax.net.ssl.SSLHandshakeException报错
qq_38031730的博客
05-08 1万+
最近在对接腾讯会议API接口,在鉴权完成后开始调用对方的接口,在此过程中出现调用报错javax.net.ssl.SSLHandshakeException
解决远程调用三方接口:javax.net.ssl.SSLHandshakeExceptionsun.security.validator.ValidatorException报错
最新发布
chenxuezhou的博客
08-22 1637
最近在对接腾讯会议API接口,在鉴权完成后开始调用对方的接口,在此过程中出现调用报错javax.net.ssl.SSLHandshakeException
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building
weixin_43845433的博客
03-16 706
解决 javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certific ...
证书异常导致:javax.net.ssl.SSLHandshakeException: sun.security.validator
Aikes Blog
10-08 1万+
程序访问Https地址时报错处理
报错javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException
zhangmiaoping23的专栏
04-09 6026
版权声明:本文为博主原创文章,未经博主允许不得转载。 https://blog.csdn.net/u010248330/article/details/70161899[java] view plain copyimport java.io.File;  import java.io.FileNotFoundException;  import java.io.FileOutputStream; ...
jsoup爬虫报错javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException
qq_27346503的博客
03-15 1623
在使用jsoup爬取某个https开头的网站时(使用了ssl证书的网站),结果出现以下错误: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBu...
Mac解决javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path build
qq_36631249的博客
07-17 958
一、错误截图 二、解决办法 1. 下载所请求的网站证书,保存到本地。 注:Mac没有导出按钮,直接拖拽证书,进行保存。 2. 寻找项目所用Jdk在Mac中的位置,进入bin目录 注:因为我是①、②、③、④顺序执行解决问题,但是我怀疑可以直接使用第④个命令解决问题,不过因为要记录自己的实际操作,所以把①、②、③步骤也记录在文章中。 ① 执行导入证书命令 sudo ./keytool -import -file “这里写刚刚导出的cer文件的绝对位置” -keystore “这里写java的cacerts绝对
BUG处理:javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path buil
狐狸是一只狐狸
12-08 1586
分享目的: 如果别人已经讲述了,这里只会给出相关链接 只补充解决思路。 每个人在寻找解决答案过程中,遇到的痛点难点都是不同的。 这里仅阐述我实际项目遇到问题的解决方案。 BUG描述: tomcat配置如下: <Connector port="8843" protocol="org.apache.coyote.http11.Http11NioProtocol" maxThreads="150" SSLEnabled="true" scheme=.
Caused by:javax.net.ssl.SSLHandshakeException:sun.security.validator.ValidatorException: https接口证书异常
频繁输入,积极输出
01-11 1万+
Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: 访问接口证书异常问题解决 原因:在linux访问第三方webservice https接口时会抛javax.net.ssl.SSLHandshakeException异常,这是因为jdk不信任此接口地址,需将webse...
解决 javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path buildin
热门推荐
chaishen10000的专栏
10-10 13万+
详细分析Java中访问https请求exception(SSLHandshakeException, SSLPeerUnverifiedException)的原因及解决方法。1、现象 用JAVA测试程序访问下面两个链接。 https链接一:web服务器为jetty,后台语言为javahttps链接二:web服务器为nginx,后台语言为php。 链接一能正常访问,访问链接二报异常,且用Http...
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorExcepti
figosoar的专栏
03-25 2万+
Java Spring应用发送数据报如下问题。 复制如下代码到文本文件中,改名为InstallCert.java。然后分别执行如下两条命令。 D:\Java\jdk1.8.0_221\bin\javac D:\code\InstallCert.java java InstallCert domain.company.com.cn 网站不需要输入(https://)信息。 随后服务器会返回认证的主题,发行方,加密方式等信息。 在这里输入1后,回车。 Enter certificate
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException
u012230451的专栏
01-16 472
在使用httpclient3.1登陆某https网站的时候,遇到如下异常: Login failure javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCer...
解决javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException
qq_38772354的博客
05-23 1万+
问题现象: Java Spring应用发送数据报如下问题。 javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested tar
https javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException:
09-21
如果在握手过程中出现异常javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException,可能是由于证书验证失败导致的。这种异常通常有两种原因:一是服务端证书不被信任,二是客户端无法找到...
评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值