I have a Java client on Glassfish that has to consume a SOAP web service from a third party, but I cannot get past this error:
"error": {
"code": "ClientTransportException",
"description": "HTTP transport error: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target"
}
I have the third party's certificates in the JVM keystore and cacerts, but still no luck.
This is the (abridged) SSL messaging:
Info: Using SSLEngineImpl.
Info: Allow unsafe renegotiation: false
Allow legacy hello messages: true
Is initial handshake: true
Is secure renegotiation: false
Info: http-listener-2(5), READ: TLSv1 Handshake, length = 181
Info: *** ClientHello, TLSv1
Info: RandomCookie:
...
Info: ***
Info: %% Resuming [Session-5, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA]
Info: *** ServerHello, TLSv1
Info: RandomCookie:
Info: bytes = {
Info: 10
Info: ,
...
Info: ,
Info: 218
Info: }
Info: Session ID:
Info: Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
Info: Compression Method: 0
Info: Extension renegotiation_info, renegotiated_connection: <empty>
Info: ***
Info: Cipher suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
Info: CONNECTION KEYGEN:
Info: Client Nonce:
Info: 0000:
Info: 55
Info: /
Info: http-listener-2(5), WRITE: TLSv1 Handshake, length = 81
Info: http-listener-2(5), WRITE: TLSv1 Change Cipher Spec, length = 1
Info: *** Finished
Info: verify_data: {
Info: 95
Info: ,
...
Info: ,
Info: 7
Info: }
Info: ***
Info: http-listener-2(5), WRITE: TLSv1 Handshake, length = 48
Info: http-listener-2(2), READ: TLSv1 Change Cipher Spec, length = 1
Info: http-listener-2(2), READ: TLSv1 Handshake, length = 48
Info: *** Finished
Info: verify_data: {
Info: 241
Info: ,
...
Info: ,
Info: 206
Info: }
Info: ***
Info: Finalizer, called close()
Info: Finalizer, called closeInternal(true)
Info: Allow unsafe renegotiation: false
Allow legacy hello messages: true
Is initial handshake: true
Is secure renegotiation: false
Info: http-listener-2(2), setSoTimeout(0) called
Info: %% No cached client session
Info: *** ClientHello, TLSv1.2
Info: RandomCookie:
Info: GMT: 1431349301
Info: bytes = {
Info: 98
Info: ,
...
Info: Extension server_name, server_name: [type=host_name (0), value=*****]
Info: ***
Info: http-listener-2(2), WRITE: TLSv1.2 Handshake, length = 244
Info: http-listener-2(2), READ: TLSv1.2 Handshake, length = 81
Info: *** ServerHello, TLSv1.2
Info: RandomCookie:
Info: GMT: 305071236
Info: bytes = {
Info: 16
Info: ,
...
Info: ,
Info: 157
Info: }
Info: Session ID:
Info: Cipher Suite: SSL_RSA_WITH_RC4_128_SHA
Info: Compression Method: 0
Info: Extension renegotiation_info, renegotiated_connection: <empty>
Info: ***
Info: %% Initialized: [Session-7, SSL_RSA_WITH_RC4_128_SHA]
Info: ** SSL_RSA_WITH_RC4_128_SHA
Info: http-listener-2(2), READ: TLSv1.2 Handshake, length = 2084
Info: *** Certificate chain
**Info: chain [0] = [**
[
Version: V3
Subject: CN=*****, OU=*****, O=*****, L=*****, ST=*****, C=*****
Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5
Key: Sun RSA public key, 2048 bits
modulus: *****
public exponent: *****
Validity: [From: Tue Apr 30 11:50:28 BST 2013,
To: Mon Dec 25 10:50:28 GMT 2017]
Issuer: EMAILADDRESS=*****, CN=*****, OU=*****K, O=*****, L=*****, ST=*****, C=*****
SerialNumber: [*****]
Certificate Extensions: 2
[1]: ObjectId: 2.5.29.19 Criticality=false
BasicConstraints:[
CA:false
PathLen: undefined
]
[2]: ObjectId: 2.5.29.15 Criticality=false
KeyUsage [
DigitalSignature
Non_repudiation
Key_Encipherment
]
]
Algorithm: [SHA1withRSA]
Signature:
0000: 52 52 A2 33 8F 48 81 85 F9 CD 8E A8 90 1B D0 01 RR.3.H..........
0010: 3E 09 FF EC F5 23 E0 6F 77 2B 5E 20 B2 BC FF CE >....#.ow+^ ....
...
00D0: 26 70 A9 5C 6D 80 9E 72 B0 F0 75 1D F3 E4 93 41 &p.\m..r..u....A
00E0: 6E 11 43 CB 6E 6D 1E C3 BB C7 A2 6F 65 A6 B6 58 n.C.nm.....oe..X
00F0: 53 98 4D CA 0A EC 18 6A D4 80 BE 19 43 AD 7D F7 S.M....j....C...
]
**Info: chain [1] = [**
[
Version: V3
Subject: EMAILADDRESS=*****, CN=*****, OU=*****, O=*****, L=*****, ST=*****, C=*****
Signature Algorithm: SHA1withRSA, OID = *****
Key: Sun RSA public key, 2048 bits
modulus: *****
public exponent: *****
Validity: [From: Thu May 06 11:35:16 BST 2010,
To: Sun May 03 11:35:16 BST 2020]
Issuer: EMAILADDRESS=*****, CN=*****, OU=*****, O=*****, L=*****, ST=*****, C=*****
SerialNumber: [*****]
Certificate Extensions: 3
[1]: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: A0 C0 66 47 F2 E2 D7 6F 44 6F 3C E9 44 77 32 1B ..fG...oDo<.Dw2.
0010: 00 3A B3 B6 .:..
]
]
[2]: ObjectId: 2.5.29.19 Criticality=false
BasicConstraints:[
CA:true
PathLen:2147483647
]
[3]: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: A0 C0 66 47 F2 E2 D7 6F 44 6F 3C E9 44 77 32 1B ..fG...oDo<.Dw2.
0010: 00 3A B3 B6 .:..
Algorithm: [SHA1withRSA]
Signature:
0000: C0 FC 52 0F 9F 43 A4 64 B4 F2 61 79 50 37 90 28 ..R..C.d..ayP7.(
0010: 0B F7 ED 2E C8 28 01 66 25 AD DC E6 9D 3E 30 ED .....(.f%....>0.
...
00E0: A6 19 A7 71 7A 55 BE 4F 54 FA 4E DE DE BF FD 29 ...qzU.OT.N....)
00F0: 12 29 D0 48 B8 BA BB CC 57 11 24 7A A4 F5 0B 03 .).H....W.$z....
]
Info: ***
**Info: %% Invalidated: [Session-7, SSL_RSA_WITH_RC4_128_SHA]**
Info: http-listener-2(2)
Info: , SEND TLSv1.2 ALERT:
Info: fatal,
**Info: description = certificate_unknown**
Info: http-listener-2(2), WRITE: TLSv1.2 Alert, length = 2
Info: http-listener-2(2), called closeSocket()
**Info: http-listener-2(2), handling exception: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target**
Info: http-listener-2(2), called close()
Info: http-listener-2(2), called closeInternal(true)
Info: http-listener-2(2), WRITE: TLSv1 Application Data, length = 637
Info: http-listener-2(2), WRITE: TLSv1 Application Data, length = 1
Info: http-listener-2(2), WRITE: TLSv1 Application Data, length = 4
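Am I doing something wrong?
Answer 0 (score: 1)
Finally got it working. I had to explicitly tell Glassfish which cacerts to use, even though the certificates were available in the /jdk/jr, /jre and Glassfish domain config cacerts...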
asadmin> create-jvm-options -Djavax.net.ssl.trustStore="/Program Files/Java/jre7/lib/security/cacerts"