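When deploying the WeChat Official Account open platform development package on WAS, I found that an HTTPS API call that had worked normally under Tomcat reported the following error: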
javax.net.ssl.SSLHandshakeException: com.ibm.jsse2.util.j: PKIX path building failed:java.security.cert.CertPathBuilderException: PKIXCertPathBuilderImpl could not build a valid CertPath.; internal cause is:java.security.cert.CertPathValidatorException: The certificate issued by OU=Equifax Secure Certificate Authority, O=Equifax, C=US is not trusted; internal cause is: java.security.cert.CertPathValidatorException: Certificate chaining error
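Cause: WAS uses a stricter SSL access mechanism, so the WeChat certificate has to be imported in advance.
Solution: import the SSL certificate of the site being accessed into WAS.
1. Open the admin console, and under [Security] go to [SSL certificate and key management];
2. Click [Key stores and certificates] on the right, select [NodeDefaultTrustStore] from the list, and on the page that opens click [Signer certificates] on the right;
3. On the Signer certificates page, click the [Retrieve from port] button above the table;
4. On the configuration page, enter Host, Port, and Alias. For example, the WeChat API URL is https://api.weixin.qq.com/...., so Host: api.weixin.qq.com, Port: 443, Alias: WeixinHttps
5. Click [Retrieve signer information] to fetch the information;
6. When it succeeds, click [OK];
7. Then, following the prompt at the top, save the changes to the master configuration: [Save changes directly to master configuration]
8. Restart WAS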
Add SSL certificate to trust store in WebSphere Application Server with exporting the certificate.
- Open the Admin console and, under Security, go to SSL certificate and key management
- Go to Key stores and certificates > CellDefaultTrustStore > Signer certificates
- On the Signer certificates page, click the Retrieve from port button
- Enter the Host and the other information needed to import the SSL certificate
- Click Retrieve signer information
- Click OK
- Save changes directly to master configuration
- Restart WAS
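The same steps as a wsadmin Jython script, with a fingerprint check before the signer is trusted. This is an added example, not part of the original post. It assumes that the output of retrieveSignerInfoFromPort contains the certificate fingerprint as text and that EXPECTED_FINGERPRINT (a placeholder here) was obtained out of band.

```jython
# Added example. Run with: wsadmin.sh -lang jython -f import_signer.py
import sys

HOST = 'api.weixin.qq.com'             # host from step 4
PORT = '443'                           # port from step 4
ALIAS = 'WeixinHttps'                  # alias from step 4
TRUST_STORE = 'NodeDefaultTrustStore'  # or CellDefaultTrustStore, as in the second list
# Placeholder (assumption): fingerprint confirmed through a separate channel.
EXPECTED_FINGERPRINT = 'REPLACE-WITH-FINGERPRINT-OBTAINED-OUT-OF-BAND'

def normalize(text):
    # Compare fingerprints without regard to colons, spaces or case.
    return text.replace(':', '').replace(' ', '').upper()

def contains(haystack, needle):
    # str.find() instead of "in", so this also runs on the Jython 2.1
    # shipped with older WAS releases.
    return haystack.find(needle) != -1

# Look at what the port presents without adding anything to the trust store.
info = AdminTask.retrieveSignerInfoFromPort('[-host %s -port %s]' % (HOST, PORT))
print info

# "Retrieve from port" trusts whatever answers on that port at that moment,
# so refuse to import unless the fingerprint matches the pinned value.
if not contains(normalize(info), normalize(EXPECTED_FINGERPRINT)):
    print 'Fingerprint does not match the expected value; nothing imported.'
    sys.exit(1)

# Skip the import if a signer with this alias is already present.
existing = AdminTask.listSignerCertificates('[-keyStoreName %s]' % TRUST_STORE)
if contains(existing.lower(), ALIAS.lower()):
    print 'Alias %s already present in %s; nothing to do.' % (ALIAS, TRUST_STORE)
    sys.exit(0)

# Equivalent of [Retrieve signer information] followed by [OK].
# If several key stores share this name, add -keyStoreScope to pick one.
AdminTask.retrieveSignerFromPort(
    '[-keyStoreName %s -host %s -port %s -certificateAlias %s]'
    % (TRUST_STORE, HOST, PORT, ALIAS))

# Equivalent of "Save changes directly to master configuration".
AdminConfig.save()
print 'Signer imported as %s; restart WAS for the change to take effect.' % ALIAS
```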