Java应用程序中的PKIX路径构建失败

宗安宁

2023-03-14

问题内容：

将我的应用程序从Windows 2000迁移到Windows 2008 R2 Server之后，我一直在努力运行我的应用程序近一周。

步骤：

已安装Java JDK 1.7.0_25
将系统环境变量设置JAVA_HOME为C:\Progra~1\Java\jdk1.7.0_25\
使用以下命令将证书导入到cacerts中 keytool
确保证书存在于keytool中-list。

我尝试重复执行 步骤3 ，InstallCert以确保我没有弄乱任何东西。

上面的方法不能解决我的问题，所以我尝试以编程方式做到这一点：

System.setProperty("javax.net.ssl.trustStore",
"C:/Progra~1/Java/jdk1.7.0_25/jre/lib/security/cacerts");
System.setProperty("javax.net.ssl.trustStorePassword", "changeit");

仍然没有运气。我被困住了，不太确定从哪个方向去。

堆栈跟踪：

javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
    at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1886)
    at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:276)
    at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:270)
    at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1341)
    at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:153)
    at sun.security.ssl.Handshaker.processLoop(Handshaker.java:868)
    at sun.security.ssl.Handshaker.process_record(Handshaker.java:804)
    at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1016)
    at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1312)
    at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1339)
    at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1323)
    at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:515)
    at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185)
    at sun.net.www.protocol.https.HttpsURLConnectionImpl.connect(HttpsURLConnectionImpl.java:153)
    at util.SMS.send(SMS.java:93)
    at domain.ActivationSMSSenderMain.sendActivationMessagesToCustomers(ActivationSMSSenderMain.java:80)
    at domain.ActivationSMSSenderMain.<init>(ActivationSMSSenderMain.java:44)
    at domain.ActivationSMSSenderMain.main(ActivationSMSSenderMain.java:341)
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:385)
    at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:292)
    at sun.security.validator.Validator.validate(Validator.java:260)
    at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:326)
    at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:231)
    at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:126)
    at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1323)
    ... 14 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:196)
    at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:268)
    at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:380)
    ... 20 more

更新：

双方 System.out.println(System.getProperty("javax.net.ssl.trustStore")); 并
System.out.println(System.getProperty("javax.net.ssl.keyStore"));

返回null。

问题答案：

我遇到了类似的问题，其原因和解决方案都非常简单：

主要原因 ：未使用keytool导入正确的证书

注意：仅导入根CA（或您自己的自签名）证书

注意：不要导入中间非证书链根证书

imap.gmail.com解决方案示例

确定根CA证书：

openssl s_client -showcerts -connect imap.gmail.com:993

在这种情况下，我们发现根CA是 Equifax安全证书颁发机构

下载根CA证书。
通过与 此处找到的 信息进行比较，验证下载的证书具有正确的SHA-1和/或MD5指纹 __

进口证书javax.net.ssl.trustStore：

keytool -import -alias gmail_imap -file Equifax_Secure_Certificate_Authority.pem

运行您的Java代码

Java应用程序中的PKIX路径构建失败

相关阅读

相关文章

相关问答

相关工具

相关文档