SSLHandshakeException:ValidatorException:PKIX路径构建失败:sun.security.provider.certpath.SunCertPathBuilderException:

时间:2016-06-19 10:50:57

标签: java spring ssl spring-boot ssl-certificate

我尝试使用https请求本地服务而不进行证书检查。但我得到了这个例子。

javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

这是代码的一部分:

try {
            RestTemplate restTemplate = new RestTemplate();
            HttpsURLConnection.setDefaultHostnameVerifier(
                    (hostname, session) -> hostname.equals("IPADDRESS"));
            responseEntity = restTemplate.exchange(url, HttpMethod.POST, httpEntity, String.class);
        } catch (HttpClientErrorException e) {
            LOGGER.error(e.toString());
        }

这里有什么问题?

2 个答案:

答案 0 :(得分:1)

此问题是由于服务器证书的信任路径不完整:服务器证书可能不受客户端信任。

通常,修复方法是将服务器证书导入客户端信任库。默认的trustStore位于jre / lib / security / cacerts中,但使用自己的密钥库是更好的做法

您可以创建SSLSocketFactory并在使用静态方法连接或应用于所有连接之前添加到您的连接

 HttpsURLConnection.setDefaultSSLSocketFactory(sslFactory);

这是创建套接字工厂的示例

/* Load the keyStore that includes the server cert as a "trusted" entry. */
KeyStore keyStore = ... 
TrustManagerFactory tmf = 
  TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
tmf.init(keyStore);
SSLContext ctx = SSLContext.getInstance("TLS");
ctx.init(null, tmf.getTrustManagers(), null);
sslFactory = ctx.getSocketFactory();

加载keyStore的示例

KeyStore keyStore = KeyStore.getInstance(KeyStore.getDefaultType());
keyStore.load(trustStore, trustStorePassword);
trustStore.close();

还可以使用系统属性

配置信任库
 System.setProperty("javax.net.ssl.trustStore", "pathtoyourjavakeystorefile");
 System.setProperty("javax.net.ssl.trustStorePassword", "password");

创建密钥库文件的最简单方法是使用GUI工具Portecle。 New KeyStore>导入可信证书

如果您想要信任,可以导入连锁的根证书。来自root的所有证书,或仅导入服务器证书。对于自签名证书,请直接导入

答案 1 :(得分:1)

HY,

我用这个代码部分解决了它:

private void disableCertificateVerification() {
        TrustManager[] trustAllCerts = new TrustManager[] { new X509TrustManager() {
            public java.security.cert.X509Certificate[] getAcceptedIssuers() {
                return null;
            }

            @Override
            public void checkClientTrusted(java.security.cert.X509Certificate[] arg0, String arg1)                  throws CertificateException {
            }

            @Override
            public void checkServerTrusted(java.security.cert.X509Certificate[] arg0, String arg1)
                    throws CertificateException {
            }
        } };

        try {
            SSLContext sslContext = SSLContext.getInstance("SSL");
            sslContext.init(null, trustAllCerts, new java.security.SecureRandom());
            HttpsURLConnection.setDefaultSSLSocketFactory(sslContext.getSocketFactory());
HttpsURLConnection.setDefaultHostnameVerifier(allHostsValid);
            HttpsURLConnection.setDefaultHostnameVerifier(
                    (hostname, session) -> hostname.equals("IPADDRESS"));
        } catch (NoSuchAlgorithmException | KeyManagementException e) {
            LOGGER.error(e.toString());
        }
    }

我在创建RestTemplate之前调用了这个函数。