Intermittent - SunCertPathBuilderException: unable to find valid certification path to requested target

5
I wrote a Java client to connect to LDAP over SSL. I imported the CA certificate into the Java keystore and am able to connect to LDAP over SSL and pull information. The problem is that it does not always work. It often throws: CommunicationException: sun.security.validator.ValidatorException: PKIX path building failed. If I re-run it (without changing anything), it works.
This problem has been bugging me for several days; as a workaround I catch this exception and retry. But I am looking for a permanent fix. Any help would be greatly appreciated.
Here is the code I use to get the context:
    import java.util.Hashtable;
    import javax.naming.Context;
    import javax.naming.NamingException;
    import javax.naming.ldap.InitialLdapContext;
    import javax.naming.ldap.LdapContext;

    // Builds the JNDI environment for the LDAPS bind; url is expected to be ldaps://host:636
    private LdapContext getLdapContext(String url, String securityPrincipal, String securityCredential)
            throws NamingException {
        Hashtable<String, String> env = new Hashtable<String, String>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, securityPrincipal);
        env.put(Context.PROVIDER_URL, url);
        env.put(Context.SECURITY_CREDENTIALS, securityCredential);
        env.put("java.naming.provider.url", url); // same key as Context.PROVIDER_URL, so this put is redundant
        return new InitialLdapContext(env, null);
    }

Stack trace:

javax.naming.CommunicationException: simple bind failed: adapps.nms.comm:636 [Root exception is javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target]
        at com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:215)
        at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2685)
        at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:306)
        at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:193)
        at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:211)
        at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:154)
        at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:84)
        at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:684)
        at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:305)
        at javax.naming.InitialContext.init(InitialContext.java:240)
        at javax.naming.ldap.InitialLdapContext.<init>(InitialLdapContext.java:151)
        at NMSLdapServiceDAOImpl.getLdapContext(NMSLdapServiceDAOImpl.java:149)
        at NMSLdapServiceDAOImpl.getUserByNTID(NMSLdapServiceDAOImpl.java:97)
        at NMSLdapServiceDAOImpl.main(NMSLdapServiceDAOImpl.java:287)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:616)
        at org.eclipse.jdt.internal.jarinjarloader.JarRsrcLoader.main(JarRsrcLoader.java:58)
Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
        at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1682)
        at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:257)
        at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:251)
        at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1168)
        at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:153)
        at sun.security.ssl.Handshaker.processLoop(Handshaker.java:609)
        at sun.security.ssl.Handshaker.process_record(Handshaker.java:545)
        at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:930)
        at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1175)
        at sun.security.ssl.SSLSocketImpl.readDataRecord(SSLSocketImpl.java:805)
        at sun.security.ssl.AppInputStream.read(AppInputStream.java:94)
        at java.io.BufferedInputStream.fill(BufferedInputStream.java:235)
        at java.io.BufferedInputStream.read1(BufferedInputStream.java:275)
        at java.io.BufferedInputStream.read(BufferedInputStream.java:334)
        at com.sun.jndi.ldap.Connection.run(Connection.java:820)
        at java.lang.Thread.run(Thread.java:679)
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:324)
        at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:224)
        at sun.security.validator.Validator.validate(Validator.java:235)
        at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:147)
        at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:230)
        at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:270)
        at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1147)
        ... 12 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:197)
        at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:255)
        at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:319)
        ... 18 more
CommunicationException:sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
javax.naming.CommunicationException: simple bind failed: adapps.nms.com:636 [Root exception is javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target]
        at com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:215)
        at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2685)
        at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:306)
        at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:193)
        at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:211)
        at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:154)
        at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:84)
        at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:684)
        at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:305)
        at javax.naming.InitialContext.init(InitialContext.java:240)
        at javax.naming.ldap.InitialLdapContext.<init>(InitialLdapContext.java:151)
        at NMSLdapServiceDAOImpl.getLdapContext(NMSLdapServiceDAOImpl.java:149)
        at NMSLdapServiceDAOImpl.getUserByNTID(NMSLdapServiceDAOImpl.java:97)
        at NMSLdapServiceDAOImpl.getUserByNTID(NMSLdapServiceDAOImpl.java:109)
        at NMSLdapServiceDAOImpl.main(NMSLdapServiceDAOImpl.java:287)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:616)
        at org.eclipse.jdt.internal.jarinjarloader.JarRsrcLoader.main(JarRsrcLoader.java:58)
Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
        at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1682)
        at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:257)
        at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:251)
        at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1168)
        at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:153)
        at sun.security.ssl.Handshaker.processLoop(Handshaker.java:609)
        at sun.security.ssl.Handshaker.process_record(Handshaker.java:545)
        at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:930)
        at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1175)
        at sun.security.ssl.SSLSocketImpl.writeRecord(SSLSocketImpl.java:657)
        at sun.security.ssl.AppOutputStream.write(AppOutputStream.java:108)
        at java.io.BufferedOutputStream.flushBuffer(BufferedOutputStream.java:82)
        at java.io.BufferedOutputStream.flush(BufferedOutputStream.java:140)
        at com.sun.jndi.ldap.Connection.writeRequest(Connection.java:409)
        at com.sun.jndi.ldap.LdapClient.ldapBind(LdapClient.java:352)
        at com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:210)
        ... 19 more
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:324)
        at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:224)
        at sun.security.validator.Validator.validate(Validator.java:235)
        at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:147)
        at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:230)
        at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:270)
        at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1147)
        ... 31 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:197)
        at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:255)
        at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:319)
        ... 37 more
CommunicationException:sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
javax.naming.CommunicationException: simple bind failed: adapps.nms.com:636 [Root exception is javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target]
        at com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:215)
        at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2685)
        at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:306)
        at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:193)
        at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:211)
        at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:154)
        at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:84)
        at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:684)
        at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:305)
        at javax.naming.InitialContext.init(InitialContext.java:240)
        at javax.naming.ldap.InitialLdapContext.<init>(InitialLdapContext.java:151)
        at NMSLdapServiceDAOImpl.getLdapContext(NMSLdapServiceDAOImpl.java:149)
        at NMSLdapServiceDAOImpl.getUserByNTID(NMSLdapServiceDAOImpl.java:97)
        at NMSLdapServiceDAOImpl.getUserByNTID(NMSLdapServiceDAOImpl.java:109)
        at NMSLdapServiceDAOImpl.getUserByNTID(NMSLdapServiceDAOImpl.java:109)
        at NMSLdapServiceDAOImpl.main(NMSLdapServiceDAOImpl.java:287)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:616)
        at org.eclipse.jdt.internal.jarinjarloader.JarRsrcLoader.main(JarRsrcLoader.java:58)
Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
        at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1682)
        at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:257)
        at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:251)
        at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1168)
        at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:153)
        at sun.security.ssl.Handshaker.processLoop(Handshaker.java:609)
        at sun.security.ssl.Handshaker.process_record(Handshaker.java:545)
        at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:930)
        at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1175)
        at sun.security.ssl.SSLSocketImpl.writeRecord(SSLSocketImpl.java:657)
        at sun.security.ssl.AppOutputStream.write(AppOutputStream.java:108)
        at java.io.BufferedOutputStream.flushBuffer(BufferedOutputStream.java:82)
        at java.io.BufferedOutputStream.flush(BufferedOutputStream.java:140)
        at com.sun.jndi.ldap.Connection.writeRequest(Connection.java:409)
        at com.sun.jndi.ldap.LdapClient.ldapBind(LdapClient.java:352)
        at com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:210)
        ... 20 more
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:324)
        at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:224)
        at sun.security.validator.Validator.validate(Validator.java:235)
        at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:147)
        at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:230)
        at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:270)
        at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1147)
        ... 32 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:197)
        at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:255)
        at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:319)
        ... 38 more
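Every trace above fails inside X509TrustManagerImpl.checkServerTrusted, i.e. during the TLS handshake, before any of the application's own code runs. An intermittent PKIX failure with an unchanged client usually means the client is not always talking to the same endpoint: the LDAP hostname resolves to several directory servers that do not all present a chain the trust store can build, or different runs use different JVMs and therefore different cacerts files. The probe below is an added example, not code from the question or the answer. It resolves every address for the host, performs a handshake with each one using the JVM's default trust store (validation is wrapped, not weakened), and prints the chain each server presented alongside the verdict. The host and port default to adapps.nms.com:636 from the trace; the class name and output format are my own choices.

```java
import java.net.InetAddress;
import java.net.InetSocketAddress;
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;
import javax.net.ssl.SNIHostName;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

/**
 * Added diagnostic (not from the question or answer): handshake with every
 * address the LDAP host resolves to and report which certificate chain each
 * one presents and whether the JVM's default trust store accepts it.
 */
public class LdapTlsProbe {

    /** Records the chain the server sent, then delegates to the real trust manager. */
    static final class RecordingTrustManager implements X509TrustManager {
        private final X509TrustManager delegate;
        final List<X509Certificate> lastChain = new ArrayList<>();

        RecordingTrustManager(X509TrustManager delegate) { this.delegate = delegate; }

        @Override public void checkClientTrusted(X509Certificate[] chain, String authType)
                throws CertificateException {
            delegate.checkClientTrusted(chain, authType);
        }
        @Override public void checkServerTrusted(X509Certificate[] chain, String authType)
                throws CertificateException {
            lastChain.clear();
            Collections.addAll(lastChain, chain);
            delegate.checkServerTrusted(chain, authType); // real PKIX validation still runs
        }
        @Override public X509Certificate[] getAcceptedIssuers() { return delegate.getAcceptedIssuers(); }
    }

    /** The trust manager backed by the JVM's default trust store (cacerts or javax.net.ssl.trustStore). */
    static X509TrustManager defaultTrustManager() throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null);
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) return (X509TrustManager) tm;
        }
        throw new IllegalStateException("no X509TrustManager available");
    }

    public static void main(String[] args) throws Exception {
        String host = args.length > 0 ? args[0] : "adapps.nms.com"; // host from the question's trace
        int port = args.length > 1 ? Integer.parseInt(args[1]) : 636;

        RecordingTrustManager recorder = new RecordingTrustManager(defaultTrustManager());
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { recorder }, null);

        // Which JVM (and therefore which cacerts) this run is actually using
        System.out.println("java.home=" + System.getProperty("java.home"));

        for (InetAddress addr : InetAddress.getAllByName(host)) {
            System.out.println("== " + addr.getHostAddress());
            recorder.lastChain.clear();
            try (SSLSocket sock = (SSLSocket) ctx.getSocketFactory().createSocket()) {
                sock.connect(new InetSocketAddress(addr, port), 5000);
                SSLParameters params = sock.getSSLParameters();
                params.setServerNames(Collections.singletonList(new SNIHostName(host)));
                params.setEndpointIdentificationAlgorithm("LDAPS"); // also check the name in the cert
                sock.setSSLParameters(params);
                sock.startHandshake();
                System.out.println("   trusted by the default trust store");
            } catch (Exception e) {
                System.out.println("   handshake FAILED: " + e.getMessage());
            }
            for (X509Certificate c : recorder.lastChain) {
                System.out.println("   subject=" + c.getSubjectX500Principal()
                        + "  issuer=" + c.getIssuerX500Principal());
            }
        }
    }
}
```

Run it several times with the same JVM the client uses (`$JAVA_HOME/bin/java LdapTlsProbe adapps.nms.com 636`). If one resolved address fails while the others pass, or the issuer printed for the failing one differs, the missing trust anchor is the issuer of that server's chain, not of the one you imported; if the printed java.home differs between runs, two JVMs with two cacerts files are in play.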

Please post the exception stack trace (at least down to the point where it enters your own code). - David Moles
Does the url involve a DNS record that changes frequently? Is your network connection stable, with no network outages? Is there third-party software detecting your program as malware and blocking file/network I/O? - gerrytan
@DavidMoles.. Thanks for the quick reply.. I have updated my question with the full stack trace.. - Sarath krish
@gerrytan .. Thanks for the quick reply.. I don't think there is any network failure or similar issue; it works perfectly when I don't use SSL. - Sarath krish
@gerrytan.. Good point.. Thanks.. I'll look into that direction. - Sarath krish
1 Answer

1
  • You should import the certificate of the server:port into the Java JRE keystore, for example for the following server and port:

    serverAddress: myserver.mydomain.com
    serverPort: 443
    keystore password is default: changeit
    
  • First of all, check $JAVA_HOME and the java executable before continuing; you should be sure you are choosing the correct JAVA_HOME for importing, if you have different ones:

    $ ~/bin$ echo $JAVA_HOME
    /opt/jdk
    $ ~/bin$ which java
    /usr/bin/java
    $ ~/bin$ ls -l /usr/bin/java
    lrwxrwxrwx 1 root root 22 May 10  2014 /usr/bin/java -> /etc/alternatives/java
    $ ~/bin$ ls -l /etc/alternatives/java
    lrwxrwxrwx 1 root root 17 Jun  6  2014 /etc/alternatives/java -> /opt/jdk/bin/java
    $ ~/bin$ java -version
    java version "1.8.0_05"
    Java(TM) SE Runtime Environment (build 1.8.0_05-b13)
    Java HotSpot(TM) 64-Bit Server VM (build 25.5-b02, mixed mode)
    $ ~/bin$ `which java` -version
    java version "1.8.0_05"
    Java(TM) SE Runtime Environment (build 1.8.0_05-b13)
    Java HotSpot(TM) 64-Bit Server VM (build 25.5-b02, mixed mode)
    $ ~/bin$   $JAVA_HOME/bin/java -version
    java version "1.8.0_05"
    Java(TM) SE Runtime Environment (build 1.8.0_05-b13)
    Java HotSpot(TM) 64-Bit Server VM (build 25.5-b02, mixed mode)
    
  • Extracting the certificate from the server:

    $ openssl s_client -connect <serverAddress:serverPort> 2>&1 < /dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > /tmp/myserver.crt
    

    For this example, <serverAddress:serverPort> should be replaced with myserver.mydomain.com:443

  • The extracted file should look as follows:

    $ cat /tmp/myserver.crt
    -----BEGIN CERTIFICATE-----
    blahblahblahaC5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCd
    ME22AKpyBPIRbTwTBedJz/KFtwCAxO2jXIcIob99LXv8W4KMOJgazn2UUBm/azZ1
    z+9qhq3UeIy8Z58WK2N5l/SI7s3+bkii/dnpW3Akw8OyXABnN1EyfwnL607POqXm
    blahblahblah
      ...Certificate Data is variable for each server address...
    blahblahblah
    blahblahblahT9p1jar2vxoHv3/dSwKoeLL8XpkmVx9oVUZ3XuICPvEmu8eBfOEm
    ZXNlYXJjaC5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCd4I7L
    ME22AKpyBPIRbTwTBedJz/KFtwCAxO2jXIcIob99LXv8W4KMOJgazn2UUBm/azZ1
    -----END CERTIFICATE-----
    
  • You need to import the extracted certificate into the JRE keystore:

    $ keytool -import -alias myserverCert -file  /tmp/myserver.crt -keystore $JAVA_HOME/jre/lib/security/cacerts
    
  • You can check whether the certificate exists in the Java JRE keystore after the import:

    $ keytool -list -keystore $JAVA_HOME/jre/lib/security/cacerts
    
  • The default password for the Java JRE keystore is

    changeit

  • To apply the changes you need to restart the JVM.

  • After finishing, you can remove the temporary file if you created it in a non-temporary place:

    $ rm /tmp/myserver.crt
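The answer's procedure writes the server's leaf certificate into the JRE-wide cacerts. Two practical caveats: that file is replaced on every JDK upgrade and is specific to one installation (hence the answer's own $JAVA_HOME check), and a leaf certificate stops matching as soon as the server's certificate is renewed, whereas the issuing CA certificate keeps validating. The class below is an added example, not code from the question or the answer. It keeps trust in an application-owned truststore and hands it to the JNDI LDAP provider through the documented "java.naming.ldap.factory.socket" property, which expects a class with a public static getDefault() returning a SocketFactory. The system property names and the default store path are assumptions.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.net.InetAddress;
import java.net.Socket;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.ldap.InitialLdapContext;
import javax.naming.ldap.LdapContext;
import javax.net.SocketFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManagerFactory;

/**
 * Added example, not code from the question or the answer. A SocketFactory whose
 * trust anchors come only from an application-owned truststore, wired into JNDI
 * through the "java.naming.ldap.factory.socket" environment property.
 * The system property names and the default store path are assumptions.
 */
public class LdapTrustStoreSocketFactory extends SocketFactory {

    // Assumed configuration; the JRE's cacerts is deliberately not used.
    private static final String STORE_PATH =
            System.getProperty("ldap.trustStore", "/etc/myapp/ldap-truststore.jks");
    private static final String STORE_PASS =
            System.getProperty("ldap.trustStorePassword", "changeit");

    private static SSLSocketFactory cached; // built once per JVM, guarded by getDefault()

    private final SSLSocketFactory delegate;

    private LdapTrustStoreSocketFactory(SSLSocketFactory delegate) {
        this.delegate = delegate;
    }

    /** The LDAP provider looks this method up reflectively; it must be public static. */
    public static synchronized SocketFactory getDefault() {
        if (cached == null) {
            try {
                cached = buildSslSocketFactory();
            } catch (IOException | GeneralSecurityException e) {
                throw new IllegalStateException("cannot load LDAP truststore " + STORE_PATH, e);
            }
        }
        return new LdapTrustStoreSocketFactory(cached);
    }

    private static SSLSocketFactory buildSslSocketFactory() throws IOException, GeneralSecurityException {
        KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(STORE_PATH)) {
            trustStore.load(in, STORE_PASS.toCharArray());
        }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore); // only the CA(s) in this store can validate the LDAP server's chain
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx.getSocketFactory();
    }

    // Every overload delegates to the SSL factory; the provider uses createSocket()
    // followed by connect() when a connect timeout is configured.
    @Override public Socket createSocket() throws IOException {
        return delegate.createSocket();
    }
    @Override public Socket createSocket(String host, int port) throws IOException {
        return delegate.createSocket(host, port);
    }
    @Override public Socket createSocket(String host, int port, InetAddress localHost, int localPort)
            throws IOException {
        return delegate.createSocket(host, port, localHost, localPort);
    }
    @Override public Socket createSocket(InetAddress host, int port) throws IOException {
        return delegate.createSocket(host, port);
    }
    @Override public Socket createSocket(InetAddress address, int port, InetAddress localAddress, int localPort)
            throws IOException {
        return delegate.createSocket(address, port, localAddress, localPort);
    }

    /** Same environment as the question's getLdapContext, plus the socket factory binding. */
    public static LdapContext getLdapContext(String url, String principal, String credential)
            throws NamingException {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, url); // e.g. "ldaps://adapps.nms.com:636"
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, principal);
        env.put(Context.SECURITY_CREDENTIALS, credential);
        env.put("java.naming.ldap.factory.socket", LdapTrustStoreSocketFactory.class.getName());
        return new InitialLdapContext(env, null);
    }
}
```

Populate the store with the CA certificate that issued the directory servers' certificates rather than a single server's leaf, using the answer's keytool command pointed at the separate file: `keytool -import -alias ldap-ca -file ca.crt -keystore /etc/myapp/ldap-truststore.jks`. Because the store is loaded from an explicit path, the result no longer depends on which JVM happens to be first on PATH, and if the hostname resolves to several directory servers, all of them validate as long as they chain to the CA in the store.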
    

This does not address the fact that the problem is intermittent. - Zoomzoom
It addresses exactly this exception in the stack trace: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException. You have earned the Commentator badge! :D Why are you spending your time here commenting on a very old question? It looks like you come from the .NET world and are trying to write something in the Java world about an old answer that someone has already found useful! I guess you want to increase your contributions on Stack Overflow! ChatGPT is the correct answer; paste the correct answer instead of wasting other people's time! - undefined
