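When calling an HTTPS URL from Tomcat, I get certificate_unknown in the SSL handshake log. I can successfully call the same URL from a Java main method without any problems.
Tried adding the root and intermediate certificates to the trustStore, but could not download the SSL certificate.
SSL handshake error log when calling from Tomcat: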
*** ClientHello, TLSv1.2
*** ServerHello, TLSv1.2
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
***
%% Invalidated: [Session-7, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256]
http-nio-8080-exec-8, SEND TLSv1.2 ALERT: fatal, description = certificate_unknown
http-nio-8080-exec-8, WRITE: TLSv1.2 Alert, length = 2
http-nio-8080-exec-8, called closeSocket()
http-nio-8080-exec-8, handling exception: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
SSL handshake success log when calling from the Java main method:
*** ClientHello, TLSv1.2
*** ServerHello, TLSv1.2
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
***
Found trusted certificate:
[
[
Version: V3
Subject: CN=Entrust Certification Authority - L1K, OU="(c) 2012 Entrust, Inc. - for authorized use only", OU=See www.entrust.net/legal-terms, O="Entrust, Inc.", C=US
Signature Algorithm: SHA256withRSA, OID = 1.2.840.113549.1.1.11
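We are using the same trustStore when calling from Tomcat and from Java. It works from the Java main method even without adding any certificates, but it does not work in Tomcat even after adding the root/intermediate certificates. We have set the trust store using
System.setProperty("trustStore","C:/Program Files/Java/jre1.8.0_202/lib/security/cacerts")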
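
A diagnostic for the mismatch described above, added here as an example and not part of the original post: it reports which JRE and trust-store properties the running JVM sees and whether its default trust manager holds an issuer such as the Entrust L1K CA from the success log. The class name `TrustStoreProbe` and the method `describe` are hypothetical; the listing prints both the `trustStore` property set in the post and the `javax.net.ssl.trustStore` property that the JSSE default trust manager consults.

```java
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

// Added diagnostic (hypothetical class, not from the original post).
public class TrustStoreProbe {

    /** Returns a report of the trust configuration this JVM actually uses. */
    public static String describe(String issuerFragment) throws Exception {
        StringBuilder out = new StringBuilder();
        // Tomcat may run on a different JRE than the one used for the main method.
        out.append("java.home=").append(System.getProperty("java.home")).append('\n');
        String[] props = {"javax.net.ssl.trustStore", "javax.net.ssl.trustStoreType", "trustStore"};
        for (String p : props) {
            out.append(p).append('=').append(System.getProperty(p)).append('\n');
        }

        // init(null) loads the JVM default trust store: the file named by
        // javax.net.ssl.trustStore if set, otherwise jssecacerts, then cacerts.
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null);

        for (TrustManager tm : tmf.getTrustManagers()) {
            if (!(tm instanceof X509TrustManager)) continue;
            X509Certificate[] anchors = ((X509TrustManager) tm).getAcceptedIssuers();
            out.append("trust anchors=").append(anchors.length).append('\n');
            for (X509Certificate c : anchors) {
                String dn = c.getSubjectX500Principal().getName();
                if (dn.contains(issuerFragment)) {
                    out.append("match: ").append(dn).append('\n');
                }
            }
        }
        return out.toString();
    }

    public static void main(String[] args) throws Exception {
        System.out.print(describe(args.length > 0 ? args[0] : "Entrust"));
    }
}
```

Run it once from the command line and once by calling `describe` from code deployed in Tomcat, then compare `java.home`, the property values and the matched anchors between the two reports.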