首先:我知道,有很多" CertPathValidatorException"线程,我已经检查过它们了:))
我有以下问题,我无法找到解决方案。我真的很感激一些帮助。
我们有一个运行java Web应用程序的tomcat6。 ssl配置似乎没问题。用f.e.检查sslshopper显示没有问题。您可以通过浏览器和https连接,无任何问题。所以,看起来很好的方式。
从Web应用程序的类中,我们使用apache HTTPClient(简单SOAP POST)调用https webservice。当我们这样做时,会抛出异常:
Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: CA key usage check failed: keyCertSign bit is not set
at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1697)
at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:258)
at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:252)
at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1165)
at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:154)
at sun.security.ssl.Handshaker.processLoop(Handshaker.java:610)
at sun.security.ssl.Handshaker.process_record(Handshaker.java:546)
at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:945)
at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1190)
at sun.security.ssl.SSLSocketImpl.writeRecord(SSLSocketImpl.java:657)
at sun.security.ssl.AppOutputStream.write(AppOutputStream.java:108)
at java.io.BufferedOutputStream.flushBuffer(BufferedOutputStream.java:82)
at java.io.BufferedOutputStream.flush(BufferedOutputStream.java:140)
at java.io.FilterOutputStream.flush(FilterOutputStream.java:140)
at org.apache.commons.httpclient.methods.EntityEnclosingMethod.writeRequestBody(EntityEnclosingMethod.java:502)
at org.apache.commons.httpclient.HttpMethodBase.writeRequest(HttpMethodBase.java:1973)
at org.apache.commons.httpclient.HttpMethodBase.execute(HttpMethodBase.java:993)
at org.apache.commons.httpclient.HttpMethodDirector.executeWithRetry(HttpMethodDirector.java:397)
at org.apache.commons.httpclient.HttpMethodDirector.executeMethod(HttpMethodDirector.java:170)
at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:396)
at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:324)
at net.umbrella.services.webclient.myclimate.MyClimateWebservice.callWebService(MyClimateWebservice.java:151)
... 67 more
Caused by: sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: CA key usage check failed: keyCertSign bit is not set
at sun.security.validator.PKIXValidator.doValidate(PKIXValidator.java:266)
at sun.security.validator.PKIXValidator.doValidate(PKIXValidator.java:249)
at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:162)
at sun.security.validator.Validator.validate(Validator.java:235)
at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:147)
at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:230)
at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:270)
at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1144)
... 85 more
Caused by: java.security.cert.CertPathValidatorException: CA key usage check failed: keyCertSign bit is not set
at sun.security.provider.certpath.PKIXMasterCertPathValidator.validate(PKIXMasterCertPathValidator.java:153)
奇怪的是:如果我们在系统上运行我们的单元测试 - 它也包含有问题的HTTPClient调用 - 一切都可以。对我来说,这看起来像是tomcat配置的问题。如果我用sslshopper检查Web服务的提供者,他的证书也很好。
我真的不是这个主题的专家,而且大多数配置都是由我们的主机公司完成的,而这个主机也找不到问题(这个问题在几个星期前突然出现)。
一般问题:哪个密钥库用于来自Web应用程序的HTTPClient调用?系统密钥库还是必须由tomcat提供的特定密钥库? tomcat ssl配置是否连接到来自webapplication的https请求?
谢谢!
致以最诚挚的问候,
罗伯特
已解决:我们终于解决了这个问题。系统的基本jvm是SUN JDK,但对于tomcat,OpenJDK被定义为JVM。切换回SUN JDK解决了我们所有的问题。
答案 0 :(得分:0)
回答这个问题的Tomcat方面:
如果您从Web应用程序建立HTTPS连接,则Tomcat不会参与该过程。您需要使用HttpClient提供的任何API来配置HttpClient。
关于您看到的错误消息,看起来您的信任存储不是很正确。你可能错过了中级证书吗?