我正在尝试通过需要证书的服务器连接到网址。我已将我的客户端身份验证证书导入{JAVA_HOME} / jre / bin / security / cacerts,并且我已将其放在Jboss / bin和jboss / server / conf /的密钥库中,然后我重新启动了我的服务器,它仍然给了我下面的错误。
Caused by: java.io.IOException: Could not transmit message
at org.jboss.ws.core.client.HTTPRemotingConnection.invoke(HTTPRemotingConnection.java:265)
at org.jboss.ws.core.client.SOAPProtocolConnectionHTTP.invoke(SOAPProtocolConnectionHTTP.java:71)
at org.jboss.ws.core.CommonClient.invoke(CommonClient.java:340)
at org.jboss.ws.core.jaxws.client.ClientImpl.invoke(ClientImpl.java:290)
... 40 more
Caused by: org.jboss.remoting.CannotConnectException: Can not connect http client invoker after 1 attempt(s)
at org.jboss.remoting.transport.http.HTTPClientInvoker.makeInvocation(HTTPClientInvoker.java:249)
at org.jboss.remoting.transport.http.HTTPClientInvoker.transport(HTTPClientInvoker.java:161)
at org.jboss.remoting.MicroRemoteClientInvoker.invoke(MicroRemoteClientInvoker.java:165)
at org.jboss.remoting.Client.invoke(Client.java:1724)
at org.jboss.remoting.Client.invoke(Client.java:629)
at org.jboss.ws.core.client.HTTPRemotingConnection.invoke(HTTPRemotingConnection.java:243)
... 43 more
Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:174)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1611)
at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:187)
at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:181)
at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1035)
at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:124)
at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Handshaker.java:516)
at com.sun.net.ssl.internal.ssl.Handshaker.process_record(Handshaker.java:454)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:884)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1112)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1139)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1123)
at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:434)
at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:166)
at sun.net.www.protocol.http.HttpURLConnection.getOutputStream(HttpURLConnection.java:904)
at sun.net.www.protocol.https.HttpsURLConnectionImpl.getOutputStream(HttpsURLConnectionImpl.java:230)
at org.jboss.remoting.transport.http.HTTPClientInvoker.getOutputStream(HTTPClientInvoker.java:1214)
at org.jboss.remoting.transport.http.HTTPClientInvoker.useHttpURLConnection(HTTPClientInvoker.java:334)
at org.jboss.remoting.transport.http.HTTPClientInvoker.makeInvocation(HTTPClientInvoker.java:231)
... 48 more
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:294)
at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:200)
at sun.security.validator.Validator.validate(Validator.java:218)
at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:126)
at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:209)
at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:249)
at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1014)
... 62 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:174)
at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:238)
at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:289)
... 68 more
我想问一下我该怎么做才能解决它?我是否需要在server.xml中为此证书添加另一个:
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true" maxThreads="150"
scheme="https" secure="false" strategy="ms" address="${jboss.bind.address}"
keystoreFile="${jboss.server.home.dir}/conf/.keystore"
keystorePass="changeit" sslProtocol="TLS"
truststoreFile="/usr/lib/jvm/java-6-sun-1.6.0.10/jre/lib/security/cacerts"
truststorePass="*****"
SSLImplementation="org.jsslutils.extra.apachetomcat6.JSSLutilsImplementation"
acceptAnyCert="true" clientAuth="want" />
还是我犯了其他错误?
答案 0 :(得分:6)
我知道你说你已经导入了证书,但看看这些步骤是否错过了某个地方的步骤:
以下是如何导入证书以修复以下错误的总体摘要:
尝试执行请求时出错。 javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException:PKIX路径构建失败: sun.security.provider.certpath.SunCertPathBuilderException:无法 找到所请求目标的有效证书路径
如何导入证书
.der
使用以下内容将所有* .der文件导入cacerts文件中:
sudo keytool -import -alias mysitestaging -keystore $JAVA_HOME/jre/lib/security/cacerts -file staging.der
sudo keytool -import -alias mysiteprod -keystore $JAVA_HOME/jre/lib/security/cacerts -file prod.der
sudo keytool -import -alias mysitedev -keystore $JAVA_HOME/jre/lib/security/cacerts -file dev.der
默认密钥库密码是&#39; changeit&#39;
您可以使用显示证书指纹的此命令查看您所做的更改。
keytool -list -keystore $JAVA_HOME/jre/lib/security/cacerts
如果这不能解决问题,请尝试将这些java选项添加为参数:
-Djavax.net.ssl.trustStore="$JAVA_HOME/jre/lib/security/cacerts"
-Djavax.net.ssl.trustStorePassword="changeit"
答案 1 :(得分:0)
对于SSL Web服务配置,我们必须执行以下步骤:
1)将CA证书插入密钥库,您可以将其放入JVM或将其放入jre安全目录,或者可以导入到jre默认密钥库。
2)使用密钥导入验证证书到密钥库(它可能是java密钥库或另一个)。密钥库也可以是jks,而不仅仅是pkcs12。我测试过,jks也很好用。
3)告诉JVM你需要那个密钥库 - 当我们启动Jboss时。它可以是这样的(在我看来是这样的):
> "-Dprogram.name=JBossTools: JBoss 4.0 CLONE OF ESS SERVER" -server
> -Xms256m -Xmx512m -XX:MaxPermSize=256m -Dsun.rmi.dgc.client.gcInterval=3600000 -Dsun.rmi.dgc.server.gcInterval=3600000 "-Djava.endorsed.dirs=..\jboss-4.0.2\lib\endorsed"
> "-Djavax.net.ssl.keyStore=../Java/jdk1.6.0_45/jre/lib/security/cacerts"
> "-Djavax.net.ssl.keyStorePassword=changeit"
证书也可以被编码或基础64.这意味着您可能需要使用开放SSL等转换证书。另一个问题是有时转换可能会导致问题,因此您可以使用script更简单灵活的转换。
答案 2 :(得分:0)
由于禁用的TLSv1.2协议,我遇到了此问题。我已经通过在VM参数中添加TLSv1.2解决了它。以下是启用协议的步骤
您需要在vm参数中添加此行-> -Dhttps.protocols=TLSv1.1,TLSv1.2
在eclipse中转到“服务器”选项卡>>双击wildfly >>打开启动配置>>最后在vm参数中的行上方粘贴。
答案 3 :(得分:-1)
如果是客户端证书,则需要将其放入信任库;如果它是服务器证书,那么它将进入您的密钥库。此外,如果您的证书具有中间CA证书,您还需要添加它们。