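I have a JNLP application that is launched over an HTTPS connection, but I have run into some problems.
Note: this uses Java 8, and the certificate is not self-signed.
The web server is WebLogic + OHS.
When launching over HTTPS, a security warning appears:
Do you want to continue? The connection to this website is untrusted.
Note: The certificate is not valid and cannot be used to verify the identity of this website.
Details -> Certificate shows that the SHA-1 fingerprint is correct (the same fingerprint the browser displays).
If I click "Continue", the application starts and works fine.
Internally it uses apache.commons.httpclient
and it throws an exception: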
DEBUG org.apache.commons.httpclient.HttpMethodDirector.executeWithRetry:404|Closing the connection.
DEBUG org.apache.commons.httpclient.HttpConnection.closeSocketAndStreams:1228|Exception caught when closing output
javax.net.ssl.SSLException: Connection has been shutdown: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.ssl.SSLSocketImpl.checkEOF(Unknown Source)
at sun.security.ssl.SSLSocketImpl.checkWrite(Unknown Source)
at sun.security.ssl.AppOutputStream.write(Unknown Source)
at java.io.BufferedOutputStream.flushBuffer(Unknown Source)
at java.io.BufferedOutputStream.flush(Unknown Source)
at java.io.FilterOutputStream.close(Unknown Source)
at org.apache.commons.httpclient.HttpConnection.closeSocketAndStreams(HttpConnection.java:1226)
at org.apache.commons.httpclient.HttpConnection.close(HttpConnection.java:1149)
at org.apache.commons.httpclient.HttpMethodDirector.executeWithRetry(HttpMethodDirector.java:405)
at org.apache.commons.httpclient.HttpMethodDirector.executeMethod(HttpMethodDirector.java:171)
at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:397)
at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:323)
at com.teamead.cs.sysmon.SendToServerRunnable.run(SendToServerRunnable.java:74)
at com.teamead.cs.sysmon.SysMonHttpThreadTask.run(SysMonHttpThreadTask.java:40)
Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.ssl.Alerts.getSSLException(Unknown Source)
at sun.security.ssl.SSLSocketImpl.fatal(Unknown Source)
at sun.security.ssl.Handshaker.fatalSE(Unknown Source)
at sun.security.ssl.Handshaker.fatalSE(Unknown Source)
at sun.security.ssl.ClientHandshaker.serverCertificate(Unknown Source)
at sun.security.ssl.ClientHandshaker.processMessage(Unknown Source)
at sun.security.ssl.Handshaker.processLoop(Unknown Source)
at sun.security.ssl.Handshaker.process_record(Unknown Source)
at sun.security.ssl.SSLSocketImpl.readRecord(Unknown Source)
at sun.security.ssl.SSLSocketImpl.performInitialHandshake(Unknown Source)
at sun.security.ssl.SSLSocketImpl.writeRecord(Unknown Source)
at sun.security.ssl.AppOutputStream.write(Unknown Source)
at java.io.BufferedOutputStream.flushBuffer(Unknown Source)
at java.io.BufferedOutputStream.flush(Unknown Source)
at java.io.FilterOutputStream.flush(Unknown Source)
at org.apache.commons.httpclient.methods.EntityEnclosingMethod.writeRequestBody(EntityEnclosingMethod.java:506)
at org.apache.commons.httpclient.HttpMethodBase.writeRequest(HttpMethodBase.java:2114)
at org.apache.commons.httpclient.HttpMethodBase.execute(HttpMethodBase.java:1096)
at org.apache.commons.httpclient.HttpMethodDirector.executeWithRetry(HttpMethodDirector.java:398)
... 5 more
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.validator.PKIXValidator.doBuild(Unknown Source)
at sun.security.validator.PKIXValidator.engineValidate(Unknown Source)
at sun.security.validator.Validator.validate(Unknown Source)
at sun.security.ssl.X509TrustManagerImpl.validate(Unknown Source)
at sun.security.ssl.X509TrustManagerImpl.checkTrusted(Unknown Source)
at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(Unknown Source)
... 20 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.provider.certpath.SunCertPathBuilder.build(Unknown Source)
at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(Unknown Source)
at java.security.cert.CertPathBuilder.build(Unknown Source)
... 26 more
DEBUG org.apache.commons.httpclient.HttpMethodDirector.executeWithRetry:434|Method retry handler returned false. Automatic recovery will not be attempted
DEBUG org.apache.commons.httpclient.HttpConnection.releaseConnection:1178|Releasing connection back to connection manager.
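It seems the certificate is not being accepted.
But the certificate is signed by:
DigiCert High Assurance EV Root CA
-> DigiCert SHA2 High Assurance Server CA
-> domain certificate
I tried to import the root certificate "DigiCert High Assurance EV Root CA" into the Java user CA store:
But this failed with keytool error: java.io.IOException: Keystore was tampered with, or password was incorrect
I tried to import the root certificate "DigiCert High Assurance EV Root CA" into the Java JDK CA store (as Administrator):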
%JAVA_HOME%\bin\keytool -import -alias digicertRootCA -file C:\Users\USERNAME\DigiCertHighAssuranceEVRootCA.crt -keystore %JAVA_HOME%\lib\security\cacerts
But the problem still persists...
Then I tried to import the intermediate certificate "DigiCert SHA2 High Assurance Server CA" (which I exported from the browser) into the Java JDK CA store (as Administrator):
%JAVA_HOME%\bin\keytool -import -alias digicertServerCA -file C:\Users\USERNAME\DigiCertSHA2HighAssuranceServerCABrowserExport.crt -keystore %JAVA_HOME%\lib\security\cacerts
After importing this certificate, both problems were gone.
My question now: