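Java cannot validate the certificate even though the certificate is valid in the browser

Time: 2020-10-27 12:50:34

Tags: java spring-boot ssl https ssl-certificate

I have a GET API that I call from Java, and I have used a Feign client to call this API.

When I call this API, I get the error: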

Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at java.base/sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:439)
    at java.base/sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:306)
    at java.base/sun.security.validator.Validator.validate(Validator.java:264)
    at java.base/sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:313)
    at java.base/sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:222)
    at java.base/sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:129)
    at java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.checkServerCerts(CertificateMessage.java:1323)
    ... 18 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at java.base/sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141)
    at java.base/sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126)
    at java.base/java.security.cert.CertPathBuilder.build(CertPathBuilder.java:297)
    at java.base/sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:434)

When I hit the same API in the browser, it works fine. The browser does not show it as an untrusted connection.

Certificate information from Firefox:


I am running my application in the Docker image openjdk:11-slim.

Why is Java unable to validate the certificate even though the certificate is valid?

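1 answer:

Answer 0: (score: 1)

This might be because they are not added to your certificates -

You can try running InstallCert from the link below with the URL of the site you are trying to download the certificate from, or that is not allowing access because of the certificate issue.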

java --source 11 InstallCert.java 

https://github.com/escline/InstallCert

If it is a self-signed certificate, try the following in your Dockerfile -

FROM openjdk:11-jdk-slim
WORKDIR /opt/workdir/

#.crt file in the same folder as your Dockerfile
ARG CERT="certificate.crt"

#import cert into java
COPY $CERT /opt/workdir/
RUN keytool -importcert -file $CERT -alias $CERT -cacerts -storepass changeit -noprompt

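If you have a .cer file, which you can export from the browser, add the following to your Dockerfile so that the required certificate is available before the SSL handshake -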

ADD your_ca_root.crt /usr/local/share/ca-certificates/foo.crt
RUN chmod 644 /usr/local/share/ca-certificates/foo.crt && update-ca-certificates
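
A check to run inside the image after either import step above (added example, not part of the original answer or of InstallCert): it builds a PKIX path from a certificate file to the JVM's default trust anchors, which is the step that fails in the stack trace in the question. The class name CheckTrust and the file path in the comment are assumptions.

```java
// Added example. Run with the JDK's single-file launcher, for instance:
//   java --source 11 CheckTrust.java /opt/workdir/certificate.crt
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.*;
import java.util.*;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

public class CheckTrust {
    public static void main(String[] args) throws Exception {
        if (args.length != 1) throw new IllegalArgumentException("usage: CheckTrust <cert-or-chain file>");
        // Assumption: the file holds the server certificate first, then any intermediates (PEM or DER).
        List<X509Certificate> presented = new ArrayList<>();
        try (InputStream in = new FileInputStream(args[0])) {
            for (Certificate c : CertificateFactory.getInstance("X.509").generateCertificates(in)) {
                presented.add((X509Certificate) c);
            }
        }
        if (presented.isEmpty()) throw new IllegalArgumentException("no certificate found in " + args[0]);
        // Trust anchors the JVM uses by default (cacerts unless javax.net.ssl.trustStore is set).
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null);
        Set<TrustAnchor> anchors = new HashSet<>();
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                for (X509Certificate ca : ((X509TrustManager) tm).getAcceptedIssuers()) {
                    anchors.add(new TrustAnchor(ca, null));
                }
            }
        }
        // Build a path from the first certificate to any anchor, using the rest as candidates.
        X509CertSelector target = new X509CertSelector();
        target.setCertificate(presented.get(0));
        PKIXBuilderParameters params = new PKIXBuilderParameters(anchors, target);
        params.addCertStore(CertStore.getInstance("Collection", new CollectionCertStoreParameters(presented)));
        params.setRevocationEnabled(false); // only path building is checked here, not revocation
        try {
            PKIXCertPathBuilderResult ok = (PKIXCertPathBuilderResult) CertPathBuilder.getInstance("PKIX").build(params);
            System.out.println("TRUSTED via " + ok.getTrustAnchor().getTrustedCert().getSubjectX500Principal());
        } catch (CertPathBuilderException e) {
            System.out.println("NOT TRUSTED: " + e.getMessage());
            System.out.println("leaf issuer: " + presented.get(0).getIssuerX500Principal());
            System.exit(1);
        }
    }
}
```

The printed leaf issuer names the CA that is missing from the trust store; a non-zero exit status lets the check fail a Docker build when used in a RUN step.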