我有一个Java客户端试图使用自签名证书访问服务器。

当我试图发布到服务器,我得到以下错误:

无法找到请求目标的有效认证路径

在对这个问题做了一些研究之后,我做了以下工作。

保存我的服务器域名为根。cer文件。 在我的Glassfish服务器的JRE中,我运行了这个: Keytool -import -alias example -keystore cacerts -file root.cer 为了检查证书是否成功添加到我的cacert,我这样做: Keytool -list -v -keystore cacerts 我可以看到证书是存在的。 然后我重新启动Glassfish并重新尝试“post”。

我还是得到同样的错误。

我有一种感觉,这是因为我的Glassfish实际上没有读取我修改过的cacert文件,但可能是其他一些文件。

你们中有人遇到过这样的问题吗,可以帮我找到正确的方向吗?


当前回答

I had the same problem with sbt. It tried to fetch dependencies from repo1.maven.org over ssl but said it was "unable to find valid certification path to requested target url". so I followed this post and still failed to verify a connection. So I read about it and found that the root cert is not enough, as was suggested by the post,so - the thing that worked for me was importing the intermediate CA certificates into the keystore. I actually added all the certificates in the chain and it worked like a charm.

其他回答

我的问题是通过软件更新在我的工作笔记本电脑上安装了一个云访问安全代理NetSkope。这正在改变证书链,在将整个链导入到cacerts密钥存储库后,我仍然无法通过java客户端连接到服务器。我禁用了NetSkope,并且能够成功连接。

不幸的是——这可能是很多事情——很多应用服务器和其他java“包装器”都倾向于玩弄属性和他们自己的钥匙链等。所以它可能会看一些完全不同的东西。

少了桁架-我会试试:

java -Djavax.net.debug=all -Djavax.net.ssl.trustStore=trustStore ...

看看这是否有用。除了“all”,还可以将其设置为“ssl”,密钥管理器和信任管理器-这可能对您的情况有帮助。在大多数平台上,将它设置为“帮助”会列出如下内容。

无论如何,一定要确保您完全理解密钥存储库(其中有您用来证明自己身份的私钥和证书)和信任存储库(它决定您信任谁)之间的区别,以及您自己的身份也有一个到根的信任“链”,这与您需要确定您信任“谁”的根的任何链是分开的。

all            turn on all debugging
ssl            turn on ssl debugging

The   following can be used with ssl:
    record       enable per-record tracing
    handshake    print each handshake message
    keygen       print key generation data
    session      print session activity
    defaultctx   print default SSL initialization
    sslctx       print SSLContext tracing
    sessioncache print session cache tracing
    keymanager   print key manager tracing
    trustmanager print trust manager tracing
    pluggability print pluggability tracing

    handshake debugging can be widened with:
    data         hex dump of each handshake message
    verbose      verbose handshake message printing

    record debugging can be widened with:
    plaintext    hex dump of record plaintext
    packet       print raw SSL/TLS packets

来源:#见http://download.oracle.com/javase/1.5.0/docs/guide/security/jsse/JSSERefGuide.html#Debug

I am working on a tutorial for REST web services at www.udemy.com (REST Java Web Services). The example in the tutorial said that in order to have SSL, we must have a folder called "trust_store" in my eclipse "client" project that should contain a "key store" file (we had a "client" project to call the service, and "service" project that contained the REST web service - 2 projects in the same eclipse workspace, one the client, the other the service). To keep things simple, they said to copy "keystore.jks" from the glassfish app server (glassfish\domains\domain1\config\keystore.jks) we are using and put it into this "trust_store" folder that they had me make in the client project. That seems to make sense: the self-signed certs in the server's key_store would correspond to the certs in the client trust_store. Now, doing this, I was getting the error that the original post mentions. I have googled this and read that the error is due to the "keystore.jks" file on the client not containing a trusted/signed certificate, that the certificate it finds is self-signed.

为了让事情更清楚,让我说一下我理解的“密钥库”。“Jks”包含自签名的certs,以及“cacerts. Jks”。“jks”文件中包含CA证书(由CA签名)。“密钥存储库。Jks是“密钥存储库”,cacerts是“cacerts”。Jks”是“信任商店”。正如一位名叫“布鲁诺”的评论者所说,“密钥库。Jks是本地的,cacerts是本地的。Jks”用于远程客户端。

So, I said to myself, hey, glassfish also has the "cacerts.jks" file, which is glassfish's trust_store file. cacerts.jsk is supposed to contain CA certificates. And apparently I need my trust_store folder to contain a key store file that has at least one CA certificate. So, I tried putting the "cacerts.jks" file in the "trust_store" folder I had made, on my client project, and changing the VM properties to point to "cacerts.jks" instead of "keystore.jks". That got rid of the error. I guess all it needed was a CA cert to work.

这对于生产来说可能并不理想,甚至对于开发来说也不理想。例如,您可以使用“keytool”命令将CA证书添加到“密钥存储库”中。Jks”文件在客户端。但无论如何,希望这至少能缩小可能导致错误的情况。

另外:我的方法似乎对客户端有用(服务器证书添加到客户端trust_store),看起来上面解决原始帖子的注释对服务器有用(客户端证书添加到服务器trust_store)。欢呼。

Eclipse项目设置:

MyClientProject src 测验 JRE系统库 ... trust_store ——cacerts.jks ——keystore.jks

MyClientProject.java文件片段:

static {
  // Setup the trustStore location and password
  System.setProperty("javax.net.ssl.trustStore","trust_store/cacerts.jks");
  // comment out below line
  System.setProperty("javax.net.ssl.trustStore","trust_store/keystore.jks");
  System.setProperty("javax.net.ssl.trustStorePassword", "changeit");
  //System.setProperty("javax.net.debug", "all");

  // for localhost testing only
  javax.net.ssl.HttpsURLConnection.setDefaultHostnameVerifier(new javax.net.ssl.HostnameVerifier() {
        public boolean verify(String hostname, javax.net.ssl.SSLSession sslSession) {
          return hostname.equals("localhost");
        }

  });
}

这就是我所做的。

我想在Java 10上开发应用程序,我有Eclipse IDE 2020-06。 证书导入解决方案对我不起作用。 因此,我安装了Java 11 JDK,切换到最新的Eclipse IDE(在Java 11上运行),并通过在Maven POM下添加以下语句来确保源代码仍然可以根据Java 10编译:

    <maven.compiler.target>1.10</maven.compiler.target>
    <maven.compiler.source>1.10</maven.compiler.source>
    <maven.compiler.release>10</maven.compiler.release>

它就像一个魔法;没有错误。

您需要配置JSSE系统属性,特别是指向客户端证书存储。

通过命令行:

java -Djavax.net.ssl.trustStore=truststores/client.ts com.progress.Client

或者通过Java代码:

import java.util.Properties;
    ...
    Properties systemProps = System.getProperties();
    systemProps.put("javax.net.ssl.keyStorePassword","passwordForKeystore");
    systemProps.put("javax.net.ssl.keyStore","pathToKeystore.ks");
    systemProps.put("javax.net.ssl.trustStore", "pathToTruststore.ts");
    systemProps.put("javax.net.ssl.trustStorePassword","passwordForTrustStore");
    System.setProperties(systemProps);
    ...

更多详情请参阅RedHat网站。