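I have a client whose intermediate certificate is in the client certificate itself. This intermediate certificate is signed by the root CA stored in the server's trust store.
Now I am running the curl command: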
curl -v -X GET -H "Accept: application/json" -H "Accept-Challenge: SW" --cert /opt/store/certificate.pem --key /opt/store/certificate_key.pem --cacert /opt/store/cms-ca.cert -w "%{http_code}" https://127.0.0.1:2443/v1/keys/1234/transfer
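Please note: certificate.pem: contains the client's certificate + the intermediate certificate.
cms-ca.cert: contains the root CA that is in the server's trust store.
certificate_key.pem: the client's private key.
Output: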
* Connected to 127.0.0.1 (127.0.0.1) port 2443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* CAfile: /opt/skc/store/cms-ca.cert
CApath: none
* NSS: client certificate from file
* subject: CN=skcUser@ngnix
* start date: Oct 24 05:23:17 2019 GMT
* expire date: Oct 24 05:23:17 2020 GMT
* common name: skcUser@ngnix
* issuer: CN=CMS TLS Client CA,O=INTEL,L=SC,ST=SF,C=US
* NSS error -5938 (PR_END_OF_FILE_ERROR)
* Encountered end of file
* Closing connection 0
curl: (35) Encountered end of file
I get the following error in the server logs:
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:397) ~[na:1.8.0_191]
at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:302) ~[na:1.8.0_191]
at sun.security.validator.Validator.validate(Validator.java:262) ~[na:1.8.0_191]
at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324) ~[na:1.8.0_191]
at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:279) ~[na:1.8.0_191]
at sun.security.ssl.X509TrustManagerImpl.checkClientTrusted(X509TrustManagerImpl.java:130) ~[na:1.8.0_191]
at sun.security.ssl.ServerHandshaker.clientCertificate(ServerHandshaker.java:1970) ~[na:1.8.0_191]
... 12 common frames omitted
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141) ~[na:1.8.0_191]
at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126) ~[na:1.8.0_191]
at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280) ~[na:1.8.0_191]
at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:392) ~[na:1.8.0_191]
... 18 common frames omitted
I have no way to resolve this issue.