如何在Heroku上解决javax.net.ssl.SSLHandshakeException?

时间:2012-06-12 11:57:06

标签: java ssl heroku jvm keytool

我在Heroku面对SSLHandshakeException

此应用不是SSL应用。但是这个应用程序从应用程序内部调用了一个基于ssl的web api。 通常,使用keytool对JVM采用SSL证书可以解决这类问题。

但是我如何在Heroku上这样做?

记录在这里:

    2012-06-12T11:08:08+00:00 app[web.1]: Caused by: sun.security.validator.ValidatorException:  PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException:  unable to find valid certification path to requested target
    2012-06-12T11:08:08+00:00 app[web.1]:   at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:324) ~[na:1.6.0_20]
    2012-06-12T11:08:08+00:00 app[web.1]:   at sun.security.validator.Validator.validate(Validator.java:235) ~[na:1.6.0_20]
    2012-06-12T11:08:08+00:00 app[web.1]:   at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:147) ~[na:1.6.0_20]
    2012-06-12T11:08:08+00:00 app[web.1]:   at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:230) ~[na:1.6.0_20]
    2012-06-12T11:08:08+00:00 app[web.1]: Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    2012-06-12T11:08:08+00:00 app[web.1]:   at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:270) ~[na:1.6.0_20]
    2012-06-12T11:08:08+00:00 app[web.1]:   at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:197) ~[na:1.6.0_20]
    2012-06-12T11:08:08+00:00 app[web.1]:   at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:255) ~[na:1.6.0_20]
    2012-06-12T11:08:08+00:00 app[web.1]:   at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:319) ~[na:1.6.0_20]
    2012-06-12T11:08:08+00:00 app[web.1]:   at sun.security.validator.Validator.validate(Validator.java:235) ~[na:1.6.0_20]
    2012-06-12T11:08:08+00:00 app[web.1]:   at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:147) ~[na:1.6.0_20]
    2012-06-12T11:08:08+00:00 app[web.1]:   at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:224) ~[na:1.6.0_20]

4 个答案:

答案 0 :(得分:1)

实际上我不确定heroku是否支持更新密钥库,但是您可以随时在配置或proc文件中提供自己的密钥库作为java环境参数

web: java -jar -Djavax.net.ssl.trustStore=path/to/keystore -Djavax.net.ssl.trustStorePassword=changeit --port $PORT target/*.war

答案 1 :(得分:0)

在客户端信任库中创建SSL connection to a server, you should be having the Server's certificate时。

您应该import the server certificate into a keystore并使用javax.net.ssl.trustStorejavax.net.ssl.trustStorePassword指定密钥库。

检查您是否指定了这些属性。如果已经指定,请检查它们是否正确指向密钥库。

答案 2 :(得分:0)

为了修复SSL证书验证问题(通常在自签名证书上发生),您需要将证书添加到java密钥库以告诉JVM始终信任它。

在本地添加:

  • 找到您的密钥库文件(通常位于 jre / lib / security / cacerts
  • 下载证书.cer文件(here are few ways to do that,我认为使用Firefox下载是最简单的一个)
  • 将证书导入您的密钥库:keytool -import -keystore cacerts -file custom.cer

通过adding cacerts file as a custom JVM file将您的密钥库上传到Heroku。

答案 3 :(得分:0)

我已经更新了 blog 中的流程,使用它我可以成功地自定义 Heroku 中的 cacerts。

https://deepaksinghviblog.blogspot.com/2021/04/heroku-custom-trust-store-for-ssl.html

相关问题
最新问题