WebSphere - REST service - certificate chaining error

Time: 2018-05-01 13:04:11

Tags: spring rest certificate resttemplate

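I am trying to connect to a REST service from my application. My application is deployed to a WAS server.

I am using Spring RestTemplate to consume the REST service, and everything works fine in my local WAS setup.

But when I deploy my code to the QA environment (a lower environment), I get the following error in my log file.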

    [4/30/18 17:18:22:355 EDT] 00000207 SystemErr     R org.springframework.web.client.ResourceAccessException: I/O error on POST request for "https://host:port/resourcename": com.ibm.jsse2.util.j: PKIX path building failed: java.security.cert.CertPathBuilderException: PKIXCertPathBuilderImpl could not build a valid CertPath.; internal cause is: 
    java.security.cert.CertPathValidatorException: The certificate issued by CN=XXX Root CA, O="The XXX Services Group, Inc." is not trusted; internal cause is: 
    java.security.cert.CertPathValidatorException: Certificate chaining error; nested exception is javax.net.ssl.SSLHandshakeException: com.ibm.jsse2.util.j: PKIX path building failed: java.security.cert.CertPathBuilderException: PKIXCertPathBuilderImpl could not build a valid CertPath.; internal cause is: 
    java.security.cert.CertPathValidatorException: The certificate issued by CN=XXX Root CA, O="The XXX Services Group, Inc." is not trusted; internal cause is: 
    java.security.cert.CertPathValidatorException: Certificate chaining error
    [4/30/18 17:18:22:355 EDT] 00000207 SystemErr     R     at org.springframework.web.client.RestTemplate.doExecute(RestTemplate.java:607)
    [4/30/18 17:18:22:356 EDT] 00000207 SystemErr     R     at org.springframework.web.client.RestTemplate.execute(RestTemplate.java:557)
    [4/30/18 17:18:22:357 EDT] 00000207 SystemErr     R     at org.springframework.web.client.RestTemplate.postForObject(RestTemplate.java:357)

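I have imported the certificate for the host and port using the signer certificate option, but the problem is still not resolved (I also tried importing the root certificate). Can anyone let me know what the problem might be?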

1 answer:

Answer 0 (score: 0)

It looks like the JVM you are using does not trust one of the intermediate certificates, as the error indicates.

You need to retrieve the entire certificate chain, not just the root CA certificate and the server certificate. You can use your browser or … to retrieve the certificate chain. Your client JVM must trust every certificate in the chain.

See the following: https://unix.stackexchange.com/questions/368123/how-to-extract-the-root-ca-and-subordinate-ca-from-a-certificate-chain-in-linux
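
The check the answer describes, as an added example that is not part of the original answer: a small Java diagnostic that records the chain the server presents and reports which certificates link to an entry in a given truststore. The class name `ChainCheck` and the argument order are assumptions, and the comparison is by subject and issuer name only, not a full signature validation.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.*;
import javax.net.ssl.*;
import javax.security.auth.x500.X500Principal;

// Added diagnostic (hypothetical class name, not from the original page).
// Args: host port truststorePath truststorePassword storeType (e.g. PKCS12 or JKS)
public class ChainCheck {
    public static void main(String[] args) throws Exception {
        KeyStore ts = KeyStore.getInstance(args[4]);
        try (FileInputStream in = new FileInputStream(args[2])) {
            ts.load(in, args[3].toCharArray());
        }
        Set<X500Principal> trusted = new HashSet<>();   // subjects held in the truststore
        for (String alias : Collections.list(ts.aliases())) {
            Certificate c = ts.getCertificate(alias);
            if (c instanceof X509Certificate) trusted.add(((X509Certificate) c).getSubjectX500Principal());
        }
        final X509Certificate[][] seen = new X509Certificate[1][];
        X509TrustManager recorder = new X509TrustManager() {
            public void checkClientTrusted(X509Certificate[] c, String t) throws CertificateException {
                throw new CertificateException("diagnostic only");
            }
            // Record the presented chain, then reject it so no application data is ever sent.
            public void checkServerTrusted(X509Certificate[] c, String t) throws CertificateException {
                seen[0] = c;
                throw new CertificateException("diagnostic only");
            }
            public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
        };
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { recorder }, null);
        try (SSLSocket s = (SSLSocket) ctx.getSocketFactory().createSocket(args[0], Integer.parseInt(args[1]))) {
            s.startHandshake();
        } catch (SSLException expected) { /* raised by the recorder's deliberate rejection */ }
        if (seen[0] == null) { System.out.println("No certificate chain received"); return; }
        boolean anchored = false;
        for (X509Certificate c : seen[0]) {
            // A certificate links to the truststore if it, or its issuer, is stored there.
            boolean ok = trusted.contains(c.getSubjectX500Principal()) || trusted.contains(c.getIssuerX500Principal());
            anchored |= ok;
            System.out.println((ok ? "[linked]   " : "[unlinked] ") + c.getSubjectX500Principal()
                    + "\n           issued by " + c.getIssuerX500Principal());
        }
        System.out.println(anchored ? "Chain reaches a truststore entry (by name)."
                : "No certificate links to the truststore: import the missing CA certificates.");
    }
}
```

Run it against the truststore that the failing environment actually uses; an `[unlinked]` last entry whose issuer is absent from the store points at the CA certificate that still has to be imported.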