需要帮助 运行 Spring restTemplate with cert files - 无法找到请求目标的有效证书路径
Need help running Spring restTemplate with cert files - unable to find valid certification path to requested target
我正在寻找一些帮助来解决以下问题,我试图通过带有 jks 的 restTemplate 从 java 进行休息调用。我环顾四周,无法弄清楚为什么这不起作用。
所以从我的服务器我有一个带有密码的 crt 和密钥文件。如果我对服务器进行以下 curl 调用,一切正常,它会检索我需要的信息。
curl --key example.key --cert example.crt:certpassword --digest --user user:password https://myhost/user?id={url_encoded_id}
当我尝试通过 Spring 从 java 运行 时,我创建了如下 jks 文件:
keytool -import -file example.crt -alias exampleCA -keystore truststore.jks
openssl pkcs12 -export -in example.crt -inkey example.key -certfile example.crt -name "examplecert" -out keystore.p12
keytool -importkeystore -srckeystore keystore.p12 -srcstoretype pkcs12 -destkeystore keystore.jks -deststoretype JKS
然后我写了下面的java代码来使用jks:
HttpHeaders httpHeaders = new HttpHeaders();
httpHeaders.add("Authorization", basicAuthValueForUser);
httpHeaders.setContentType(MediaType.APPLICATION_JSON);
String keystore = "<path>\keystore.jks";
String truststore = "<path>\truststore.jks";
String certPassPhrase = "certpassword";
SSLContext sslContext = SSLContextBuilder
.create()
.loadKeyMaterial(ResourceUtils.getFile(keystore), certPassPhrase.toCharArray(), certPassPhrase.toCharArray())
.loadTrustMaterial(ResourceUtils.getFile(truststore), certPassPhrase.toCharArray())
.build();
HttpClient client = HttpClients.custom()
.setSSLContext(sslContext)
.build();
HttpComponentsClientHttpRequestFactory factory =
new HttpComponentsClientHttpRequestFactory(client);
RestTemplate restTemplate = new RestTemplate(factory);
ResponseEntity<String> exchange = restTemplate.exchange("https://myhost/user?id={url_encoded_id}",
HttpMethod.GET, new HttpEntity<>("", httpHeaders), String.class);
当我尝试 运行 时,出现以下错误:
Exception in thread "main" org.springframework.web.client.ResourceAccessException: I/O error on GET request for "https://myhost/user": sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target; nested exception is javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at org.springframework.web.client.RestTemplate.doExecute(RestTemplate.java:666)
at org.springframework.web.client.RestTemplate.execute(RestTemplate.java:613)
at org.springframework.web.client.RestTemplate.exchange(RestTemplate.java:531)
at eid.test.restTest.main(restTest.java:49)
Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1959)
at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:302)
at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:296)
at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1514)
at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:216)
at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1026)
at sun.security.ssl.Handshaker.process_record(Handshaker.java:961)
at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1072)
at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1385)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1413)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1397)
at org.apache.http.conn.ssl.SSLConnectionSocketFactory.createLayeredSocket(SSLConnectionSocketFactory.java:394)
at org.apache.http.conn.ssl.SSLConnectionSocketFactory.connectSocket(SSLConnectionSocketFactory.java:353)
at org.apache.http.impl.conn.DefaultHttpClientConnectionOperator.connect(DefaultHttpClientConnectionOperator.java:141)
at org.apache.http.impl.conn.PoolingHttpClientConnectionManager.connect(PoolingHttpClientConnectionManager.java:353)
at org.apache.http.impl.execchain.MainClientExec.establishRoute(MainClientExec.java:380)
at org.apache.http.impl.execchain.MainClientExec.execute(MainClientExec.java:236)
at org.apache.http.impl.execchain.ProtocolExec.execute(ProtocolExec.java:184)
at org.apache.http.impl.execchain.RetryExec.execute(RetryExec.java:88)
at org.apache.http.impl.execchain.RedirectExec.execute(RedirectExec.java:110)
at org.apache.http.impl.client.InternalHttpClient.doExecute(InternalHttpClient.java:184)
at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:82)
at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:55)
at org.springframework.http.client.HttpComponentsClientHttpRequest.executeInternal(HttpComponentsClientHttpRequest.java:89)
at org.springframework.http.client.AbstractBufferingClientHttpRequest.executeInternal(AbstractBufferingClientHttpRequest.java:48)
at org.springframework.http.client.AbstractClientHttpRequest.execute(AbstractClientHttpRequest.java:53)
at org.springframework.web.client.RestTemplate.doExecute(RestTemplate.java:652)
... 3 more
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:397)
at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:302)
at sun.security.validator.Validator.validate(Validator.java:260)
at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324)
at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:229)
at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:124)
at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1496)
... 26 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141)
at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126)
at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280)
at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:392)
... 32 more
如有任何帮助,我们将不胜感激!!
经过更多测试和研究后,我发现我的信任库缺少完成链所需的证书。
我必须打开浏览器,转到 https://myhost,从服务器下载证书 (crt) 文件并将其添加到我的 truststore.jks 之后错误被清除,我可以电话。
- 从浏览器下载站点的证书(.cer)。
- 将文件放在 $JAVA_HOME\Java\jdk-11.0.3\lib\security
- 使用以下命令安装证书:
keytool -import -noprompt -trustcacerts -alias <alias_name> -file <filename.cer> -keystore $JAVA_HOME\Java\jdk-11.0.3\lib\security\cacerts -storepass changeit
注意: 根据您的需要替换 <alias_name> 和 <filename.cer>。
- 检查是否从列表中安装了证书。
keytool -list -keystore $JAVA_HOME\jdk-11.0.3\lib\security\cacerts
我正在寻找一些帮助来解决以下问题,我试图通过带有 jks 的 restTemplate 从 java 进行休息调用。我环顾四周,无法弄清楚为什么这不起作用。
所以从我的服务器我有一个带有密码的 crt 和密钥文件。如果我对服务器进行以下 curl 调用,一切正常,它会检索我需要的信息。
curl --key example.key --cert example.crt:certpassword --digest --user user:password https://myhost/user?id={url_encoded_id}
当我尝试通过 Spring 从 java 运行 时,我创建了如下 jks 文件:
keytool -import -file example.crt -alias exampleCA -keystore truststore.jks
openssl pkcs12 -export -in example.crt -inkey example.key -certfile example.crt -name "examplecert" -out keystore.p12
keytool -importkeystore -srckeystore keystore.p12 -srcstoretype pkcs12 -destkeystore keystore.jks -deststoretype JKS
然后我写了下面的java代码来使用jks:
HttpHeaders httpHeaders = new HttpHeaders();
httpHeaders.add("Authorization", basicAuthValueForUser);
httpHeaders.setContentType(MediaType.APPLICATION_JSON);
String keystore = "<path>\keystore.jks";
String truststore = "<path>\truststore.jks";
String certPassPhrase = "certpassword";
SSLContext sslContext = SSLContextBuilder
.create()
.loadKeyMaterial(ResourceUtils.getFile(keystore), certPassPhrase.toCharArray(), certPassPhrase.toCharArray())
.loadTrustMaterial(ResourceUtils.getFile(truststore), certPassPhrase.toCharArray())
.build();
HttpClient client = HttpClients.custom()
.setSSLContext(sslContext)
.build();
HttpComponentsClientHttpRequestFactory factory =
new HttpComponentsClientHttpRequestFactory(client);
RestTemplate restTemplate = new RestTemplate(factory);
ResponseEntity<String> exchange = restTemplate.exchange("https://myhost/user?id={url_encoded_id}",
HttpMethod.GET, new HttpEntity<>("", httpHeaders), String.class);
当我尝试 运行 时,出现以下错误:
Exception in thread "main" org.springframework.web.client.ResourceAccessException: I/O error on GET request for "https://myhost/user": sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target; nested exception is javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at org.springframework.web.client.RestTemplate.doExecute(RestTemplate.java:666)
at org.springframework.web.client.RestTemplate.execute(RestTemplate.java:613)
at org.springframework.web.client.RestTemplate.exchange(RestTemplate.java:531)
at eid.test.restTest.main(restTest.java:49)
Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1959)
at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:302)
at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:296)
at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1514)
at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:216)
at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1026)
at sun.security.ssl.Handshaker.process_record(Handshaker.java:961)
at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1072)
at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1385)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1413)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1397)
at org.apache.http.conn.ssl.SSLConnectionSocketFactory.createLayeredSocket(SSLConnectionSocketFactory.java:394)
at org.apache.http.conn.ssl.SSLConnectionSocketFactory.connectSocket(SSLConnectionSocketFactory.java:353)
at org.apache.http.impl.conn.DefaultHttpClientConnectionOperator.connect(DefaultHttpClientConnectionOperator.java:141)
at org.apache.http.impl.conn.PoolingHttpClientConnectionManager.connect(PoolingHttpClientConnectionManager.java:353)
at org.apache.http.impl.execchain.MainClientExec.establishRoute(MainClientExec.java:380)
at org.apache.http.impl.execchain.MainClientExec.execute(MainClientExec.java:236)
at org.apache.http.impl.execchain.ProtocolExec.execute(ProtocolExec.java:184)
at org.apache.http.impl.execchain.RetryExec.execute(RetryExec.java:88)
at org.apache.http.impl.execchain.RedirectExec.execute(RedirectExec.java:110)
at org.apache.http.impl.client.InternalHttpClient.doExecute(InternalHttpClient.java:184)
at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:82)
at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:55)
at org.springframework.http.client.HttpComponentsClientHttpRequest.executeInternal(HttpComponentsClientHttpRequest.java:89)
at org.springframework.http.client.AbstractBufferingClientHttpRequest.executeInternal(AbstractBufferingClientHttpRequest.java:48)
at org.springframework.http.client.AbstractClientHttpRequest.execute(AbstractClientHttpRequest.java:53)
at org.springframework.web.client.RestTemplate.doExecute(RestTemplate.java:652)
... 3 more
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:397)
at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:302)
at sun.security.validator.Validator.validate(Validator.java:260)
at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324)
at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:229)
at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:124)
at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1496)
... 26 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141)
at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126)
at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280)
at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:392)
... 32 more
如有任何帮助,我们将不胜感激!!
经过更多测试和研究后,我发现我的信任库缺少完成链所需的证书。
我必须打开浏览器,转到 https://myhost,从服务器下载证书 (crt) 文件并将其添加到我的 truststore.jks 之后错误被清除,我可以电话。
- 从浏览器下载站点的证书(.cer)。
- 将文件放在 $JAVA_HOME\Java\jdk-11.0.3\lib\security
- 使用以下命令安装证书:
keytool -import -noprompt -trustcacerts -alias <alias_name> -file <filename.cer> -keystore $JAVA_HOME\Java\jdk-11.0.3\lib\security\cacerts -storepass changeit
注意: 根据您的需要替换 <alias_name> 和 <filename.cer>。
- 检查是否从列表中安装了证书。
keytool -list -keystore $JAVA_HOME\jdk-11.0.3\lib\security\cacerts