logo标签列表

PKIX路径构建失败:sun.security.provider.certpath.SunCertPathBuilderException:无法找到请求目标的有效认证路径。

ssltomcat
10

我正在通过TLS连接(https)在Tomcat 7.x上调用Webservice。

在调用WebService时,我遇到了以下错误。问题可能是什么?我已经尝试创建证书和CA。

FYI - https://sites.google.com/site/ddmwsst/create-your-own-certificate-and-ca

我导入了CA证书和其他证书,但仍然遇到此问题。请给予建议。

Caused by: javax.wsdl.WSDLException: WSDLException: faultCode=PARSER_ERROR: Problem parsing 'https://localhost:8443/myDomain/MyService?wsdl'.: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at com.ibm.wsdl.xml.WSDLReaderImpl.getDocument(Unknown Source)
at com.ibm.wsdl.xml.WSDLReaderImpl.readWSDL(Unknown Source)
at com.ibm.wsdl.xml.WSDLReaderImpl.readWSDL(Unknown Source)
at org.apache.cxf.wsdl11.WSDLManagerImpl.loadDefinition(WSDLManagerImpl.java:262)
at org.apache.cxf.wsdl11.WSDLManagerImpl.getDefinition(WSDLManagerImpl.java:205)
at org.apache.cxf.wsdl11.WSDLServiceFactory.<init>(WSDLServiceFactory.java:92)
... 37 more
Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
    at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1902)
    at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:276)
    at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:270)
    at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1341)
    at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:153)
    at sun.security.ssl.Handshaker.processLoop(Handshaker.java:868)
    at sun.security.ssl.Handshaker.process_record(Handshaker.java:804)
    at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1032)
    at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1328)
    at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1355)
    at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1339)
    at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:515)
    at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185)
    at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1299)
    at sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(HttpsURLConnectionImpl.java:254)
    at com.sun.org.apache.xerces.internal.impl.XMLEntityManager.setupCurrentEntity(XMLEntityManager.java:632)
    at com.sun.org.apache.xerces.internal.impl.XMLVersionDetector.determineDocVersion(XMLVersionDetector.java:189)
    at com.sun.org.apache.xerces.internal.parsers.XML11Configuration.parse(XML11Configuration.java:799)
    at com.sun.org.apache.xerces.internal.parsers.XML11Configuration.parse(XML11Configuration.java:764)
    at com.sun.org.apache.xerces.internal.parsers.XMLParser.parse(XMLParser.java:123)
    at com.sun.org.apache.xerces.internal.parsers.DOMParser.parse(DOMParser.java:237)
    at com.sun.org.apache.xerces.internal.jaxp.DocumentBuilderImpl.parse(DocumentBuilderImpl.java:300)
    ... 43 more
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:385)
    at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:292)
    at sun.security.validator.Validator.validate(Validator.java:260)
    at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:326)
    at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:231)
    at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:126)
    at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1323)
    ... 61 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:196)
    at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:268)
    at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:380)

我正在本地创建证书,通过执行以下步骤:

Keys>keytool -genkey -alias TLS -keystore TLSKeyStore.jks -keyalg RSA -sigalg SHA1withRSA Keys>keytool -export -alias TLS -file TLS.cer -keystore TLSKeyStore.jks Keys>keytool -certreq -alias TLS -keystore TLSKeyStore.jks -file TLS.csr

CA>set RANDFILE=rand

CA>openssl req -new -keyout TLSkey.pem -out TLSreq.pem -config C:\OpenSSL-Win64\bin\openssl.cfg

CA>openssl x509 -signkey TLSkey.pem -req -days 3650 -in TLSreq.pem -out TLSroot.cer -extensions v3_ca

CA>openssl x509 -CA TLSroot.cer -CAkey TLSkey.pem -CAserial serial.txt -req -in ../Keys/TLS.csr -out ../Keys/TLSTestCA.cer -days 365

Keys>keytool -import -alias TLSCA -file ../CA/TLSroot.cer -keystore TLSKeyStore.jks Keys>keytool -import -alias TLS -file TLSTestCA.cer -keystore TLSKeyStore.jks

2个回答
13

以下是如何导入证书以修复以下错误的总体摘要:

Error while trying to execute request. javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

如何导入证书

  1. 在浏览器中输入网址,点击 HTTPS 证书链(URL 地址旁边的小锁头图标)以导出证书
    • 点击“更多信息” > “安全性” > “显示证书” > “详细信息” > “导出…”。
    • 保存为.der文件
    • 对于需要导入的任何其他证书,请重复此操作
  2. 找到$JAVA_HOME/jre/lib/security/cacerts

  3. 使用以下命令将所有 *.der 文件导入 cacerts 文件:

    sudo keytool -import -alias mysitestaging -keystore $JAVA_HOME/jre/lib/security/cacerts -file staging.der
sudo keytool -import -alias mysiteprod -keystore  $JAVA_HOME/jre/lib/security/cacerts -file prod.der
sudo keytool -import -alias mysitedev -keystore  $JAVA_HOME/jre/lib/security/cacerts -file dev.der

  4. 默认的keystore密码是'changeit'

  5. 您可以使用此命令查看您所做的更改,该命令显示证书指纹。

    6. keytool -list -keystore $JAVA_HOME/jre/lib/security/cacerts

  6. 如果这不能解决问题,请尝试将以下Java选项作为参数添加:

    7. -Djavax.net.ssl.trustStore="$JAVA_HOME/jre/lib/security/cacerts"
-Djavax.net.ssl.trustStorePassword="changeit"

    我猜你可能漏了一步。我之前也遇到同样的错误,后来发现我导入了错误的证书。

我不得不在 bin/netbeans 脚本中添加类似的行:-J-Djavax.net.ssl.trustStore="$netbeans_jdkhome/jre/lib/security/cacerts"-J-Djavax.net.ssl.trustStorePassword="" 然后 Apache Netbeans 15 能够连接到任何插件中心。 - Roland
@Katie 如果我不知道证书的指纹,我该如何验证? - Mubasher
9
最终我找到了解决这个问题的方法。请参考此链接中的InstallCert.java,并将其作为独立程序运行,通过传递参数localhost:9443,程序将在eclipse下创建jssecacerts文件。将此jssecacerts文件复制到JDK_HOME\jre\lib\security\文件夹中即可解决该问题。祝TLS设置愉快!
2
该程序的稍作修改版本可在以下链接中找到:http://infposs.blogspot.it/2013/06/installcert-and-java-7.html 该版本解决了Java 7中运行InstallCert进行第二次检查证书是否正确安装时出现UnsupportedOperationException的问题。 - Pino
网页内容由stack overflow 提供, 点击上面的
可以查看英文原文,
原文链接