我有一个Java客户端试图使用自签名证书访问服务器。

当我试图发布到服务器,我得到以下错误:

无法找到请求目标的有效认证路径

在对这个问题做了一些研究之后,我做了以下工作。

保存我的服务器域名为根。cer文件。 在我的Glassfish服务器的JRE中,我运行了这个: Keytool -import -alias example -keystore cacerts -file root.cer 为了检查证书是否成功添加到我的cacert,我这样做: Keytool -list -v -keystore cacerts 我可以看到证书是存在的。 然后我重新启动Glassfish并重新尝试“post”。

我还是得到同样的错误。

我有一种感觉,这是因为我的Glassfish实际上没有读取我修改过的cacert文件,但可能是其他一些文件。

你们中有人遇到过这样的问题吗,可以帮我找到正确的方向吗?


当前回答

JDK 8迁移到JDK 10时的解决方案

证书是非常不同的 JDK 10有80个,而JDK 8有151个 JDK 10最近添加了certs https://dzone.com/articles/openjdk-10-now-includes-root-ca-certificates http://openjdk.java.net/jeps/319

JDK 10

root@c339504909345:/opt/jdk-minimal/jre/lib/security #  keytool -cacerts -list
Enter keystore password:
Keystore type: JKS
Keystore provider: SUN

Your keystore contains 80 entries

JDK 8

root@c39596768075:/usr/lib/jvm/java-8-openjdk-amd64/jre/lib/security/cacerts #  keytool -cacerts -list
Enter keystore password:
Keystore type: JKS
Keystore provider: SUN

Your keystore contains 151 entries

修复步骤

我删除了JDK 10证书,并将其替换为JDK 8 由于我正在构建Docker图像,我可以使用多阶段构建快速完成 我正在使用jlink作为/opt/jdk/bin/jlink \构建一个最小的JRE ——模块路径/ opt / jdk / jmods……

这里是不同的路径和命令的顺序…

# Java 8
COPY --from=marcellodesales-springboot-builder-jdk8 /usr/lib/jvm/java-8-openjdk-amd64/jre/lib/security/cacerts /etc/ssl/certs/java/cacerts

# Java 10
RUN rm -f /opt/jdk-minimal/jre/lib/security/cacerts
RUN ln -s /etc/ssl/certs/java/cacerts /opt/jdk-minimal/jre/lib/security/cacerts

其他回答

I had the same problem with sbt. It tried to fetch dependencies from repo1.maven.org over ssl but said it was "unable to find valid certification path to requested target url". so I followed this post and still failed to verify a connection. So I read about it and found that the root cert is not enough, as was suggested by the post,so - the thing that worked for me was importing the intermediate CA certificates into the keystore. I actually added all the certificates in the chain and it worked like a charm.

我在试图从我的应用程序访问https url时遇到了这个错误,该应用程序正在使用自签名证书。 他们提供的是一个.cert文件,我不知道该把它放在哪里。我是这样解决的:

keytool的位置在JDK/bin文件夹下

方法1:将证书添加到默认的Java信任库- cacerts:

keytool -import -alias myCert -file C://certificate.cert -keystore C://Program Files//Java//jdk1.8.0_271//jre//lib//security//cacerts

密码:changeit

方法2:

创建信任存储:

keytool -import -alias myCert -file C://certificate.cert -keystore myTrustStore

它会给你以下提示,可以填充为:

Enter keystore password:changeit
Re-enter new password:changeit
Trust this certificate?yes

这将在运行此命令的文件夹中创建一个myTrustStore文件。 将这个“mytrustStore”复制到一个方便的位置。

使用信任存储:

当你运行你的应用程序/服务器时,传递这些JVM参数:

-Djavax.net.ssl.trustStore=C://myTrustStore -Djavax.net.ssl.trustStorePassword=changeit

您需要配置JSSE系统属性,特别是指向客户端证书存储。

通过命令行:

java -Djavax.net.ssl.trustStore=truststores/client.ts com.progress.Client

或者通过Java代码:

import java.util.Properties;
    ...
    Properties systemProps = System.getProperties();
    systemProps.put("javax.net.ssl.keyStorePassword","passwordForKeystore");
    systemProps.put("javax.net.ssl.keyStore","pathToKeystore.ks");
    systemProps.put("javax.net.ssl.trustStore", "pathToTruststore.ts");
    systemProps.put("javax.net.ssl.trustStorePassword","passwordForTrustStore");
    System.setProperties(systemProps);
    ...

更多详情请参阅RedHat网站。

在我的情况下,我得到错误连接到AWS Gov Postgres RDS。GOV RDS CA证书有一个单独的链接- https://s3.us-gov-west-1.amazonaws.com/rds-downloads/rds-combined-ca-us-gov-bundle.pem

将此pem certs添加到java的cacerts中。您可以使用下面的脚本。

——WINDOWDS步骤

使用VSCODE编辑器,安装openssl, keytool插件 在C:/rds-ca目录下创建目录 将“cacerts”文件和下面的脚本文件-“addCerts.sh”在目录“rd-ca” 运行vscode: 4.1 CD /c/rds-ca/ . 4.2。/ addCerts.sh 拷贝cacerts到${JAVA_HOME}/jre/lib/security目录下

脚本代码:

#!/usr/bin/env sh

OLDDIR="$PWD"

CACERTS_FILE=cacerts

cd /c/rds-ca

echo "Downloading RDS certificates..."

curl  https://s3.us-gov-west-1.amazonaws.com/rds-downloads/rds-combined-ca-us-gov-bundle.pem > rds-combined-ca-bundle.pem

csplit -sk rds-combined-ca-bundle.pem "/-BEGIN CERTIFICATE-/" "{$(grep -c 'BEGIN CERTIFICATE' rds-combined-ca-bundle.pem | awk '{print $1 - 2}')}"

for CERT in xx*; do
    # extract a human-readable alias from the cert
    ALIAS=$(openssl x509 -noout -text -in $CERT |
                   perl -ne 'next unless /Subject:/; s/.*CN=//; print')
    echo "importing $ALIAS"
    
    keytool -import \
            -keystore  $CACERTS_FILE \
            -storepass changeit -noprompt \
            -alias "$ALIAS" -file $CERT
done

cd "$OLDDIR"
echo "$NEWDIR"

JDK 8迁移到JDK 10时的解决方案

证书是非常不同的 JDK 10有80个,而JDK 8有151个 JDK 10最近添加了certs https://dzone.com/articles/openjdk-10-now-includes-root-ca-certificates http://openjdk.java.net/jeps/319

JDK 10

root@c339504909345:/opt/jdk-minimal/jre/lib/security #  keytool -cacerts -list
Enter keystore password:
Keystore type: JKS
Keystore provider: SUN

Your keystore contains 80 entries

JDK 8

root@c39596768075:/usr/lib/jvm/java-8-openjdk-amd64/jre/lib/security/cacerts #  keytool -cacerts -list
Enter keystore password:
Keystore type: JKS
Keystore provider: SUN

Your keystore contains 151 entries

修复步骤

我删除了JDK 10证书,并将其替换为JDK 8 由于我正在构建Docker图像,我可以使用多阶段构建快速完成 我正在使用jlink作为/opt/jdk/bin/jlink \构建一个最小的JRE ——模块路径/ opt / jdk / jmods……

这里是不同的路径和命令的顺序…

# Java 8
COPY --from=marcellodesales-springboot-builder-jdk8 /usr/lib/jvm/java-8-openjdk-amd64/jre/lib/security/cacerts /etc/ssl/certs/java/cacerts

# Java 10
RUN rm -f /opt/jdk-minimal/jre/lib/security/cacerts
RUN ln -s /etc/ssl/certs/java/cacerts /opt/jdk-minimal/jre/lib/security/cacerts