Java not able to validate certificate even if certificate valid in browser
I have a GET API to call using Java, and I have called this API using a Feign client.
When I call this API, it gives the error:
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at java.base/sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:439)
at java.base/sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:306)
at java.base/sun.security.validator.Validator.validate(Validator.java:264)
at java.base/sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:313)
at java.base/sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:222)
at java.base/sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:129)
at java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.checkServerCerts(CertificateMessage.java:1323)
... 18 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at java.base/sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141)
at java.base/sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126)
at java.base/java.security.cert.CertPathBuilder.build(CertPathBuilder.java:297)
at java.base/sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:434)
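When I hit the same API in the browser, it works fine. The browser does not show it as an untrusted connection.
Certificate information from Firefox:
I am running my application in the Docker image openjdk:11-slim.
Why is Java not able to validate the certificate even though the certificate is valid?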
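This could be because they have not been added to your certificates -
You can try running InstallCert from the link below for the URL you are trying to download the certificate from, or for the site that is not allowing access due to the certificate issue.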
java --source 11 InstallCert.java
https://github.com/escline/InstallCert
If it is a self-signed certificate, try the following in your Dockerfile -
FROM openjdk:11-jdk-slim
WORKDIR /opt/workdir/
#.crt file in the same folder as your Dockerfile
ARG CERT="certificate.crt"
#import cert into java
COPY $CERT /opt/workdir/
RUN keytool -importcert -file $CERT -alias $CERT -cacerts -storepass changeit -noprompt
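If you have a .cer file, which you can export from the browser, add the following to your Dockerfile so that the required certificate is available before the SSL handshake. -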
ADD your_ca_root.crt /usr/local/share/ca-certificates/foo.crt
RUN chmod 644 /usr/local/share/ca-certificates/foo.crt && update-ca-certificates
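To confirm that an import step like the ones above actually reached the trust store the JVM validates against, the following added example (not part of the original posts) checks a certificate file against the JVM's default trust anchors. The class name `TrustCheck` is hypothetical, and the argument is assumed to be the root or self-signed certificate file used in the Dockerfile.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

// Added example (hypothetical class name); run as: java TrustCheck.java certificate.crt
public class TrustCheck {
    // Trust anchors this JVM uses by default (normally $JAVA_HOME/lib/security/cacerts).
    static X509Certificate[] defaultAnchors() throws Exception {
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null); // null selects the JVM's default trust store
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) return ((X509TrustManager) tm).getAcceptedIssuers();
        }
        throw new IllegalStateException("no X509TrustManager available");
    }

    // "present": the certificate itself is an anchor; "issuer-present": an anchor signed it.
    static String status(X509Certificate cert, X509Certificate[] anchors) {
        for (X509Certificate a : anchors) {
            if (a.equals(cert)) return "present";
        }
        for (X509Certificate a : anchors) {
            if (!a.getSubjectX500Principal().equals(cert.getIssuerX500Principal())) continue;
            try {
                cert.verify(a.getPublicKey()); // name match is not enough, check the signature
                return "issuer-present";
            } catch (Exception e) {
                // same subject name but a different key: keep looking
            }
        }
        return "missing";
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 1) throw new IllegalArgumentException("usage: java TrustCheck.java <cert-file>");
        X509Certificate cert;
        try (InputStream in = new FileInputStream(args[0])) {
            cert = (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
        }
        String s = status(cert, defaultAnchors());
        System.out.println(cert.getSubjectX500Principal() + " -> " + s);
        System.exit(s.equals("missing") ? 1 : 0); // non-zero fails a Dockerfile RUN step
    }
}
```

The check reads the JVM's own trust store rather than /usr/local/share/ca-certificates, so it reports what Java will see during the handshake.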