我有一个Java客户端试图使用自签名证书访问服务器。

当我试图发布到服务器,我得到以下错误:

无法找到请求目标的有效认证路径

在对这个问题做了一些研究之后,我做了以下工作。

保存我的服务器域名为根。cer文件。 在我的Glassfish服务器的JRE中,我运行了这个: Keytool -import -alias example -keystore cacerts -file root.cer 为了检查证书是否成功添加到我的cacert,我这样做: Keytool -list -v -keystore cacerts 我可以看到证书是存在的。 然后我重新启动Glassfish并重新尝试“post”。

我还是得到同样的错误。

我有一种感觉,这是因为我的Glassfish实际上没有读取我修改过的cacert文件,但可能是其他一些文件。

你们中有人遇到过这样的问题吗,可以帮我找到正确的方向吗?


当前回答

我在试图从我的应用程序访问https url时遇到了这个错误,该应用程序正在使用自签名证书。 他们提供的是一个.cert文件,我不知道该把它放在哪里。我是这样解决的:

keytool的位置在JDK/bin文件夹下

方法1:将证书添加到默认的Java信任库- cacerts:

keytool -import -alias myCert -file C://certificate.cert -keystore C://Program Files//Java//jdk1.8.0_271//jre//lib//security//cacerts

密码:changeit

方法2:

创建信任存储:

keytool -import -alias myCert -file C://certificate.cert -keystore myTrustStore

它会给你以下提示,可以填充为:

Enter keystore password:changeit
Re-enter new password:changeit
Trust this certificate?yes

这将在运行此命令的文件夹中创建一个myTrustStore文件。 将这个“mytrustStore”复制到一个方便的位置。

使用信任存储:

当你运行你的应用程序/服务器时,传递这些JVM参数:

-Djavax.net.ssl.trustStore=C://myTrustStore -Djavax.net.ssl.trustStorePassword=changeit

其他回答

这就是我所做的。

我想在Java 10上开发应用程序,我有Eclipse IDE 2020-06。 证书导入解决方案对我不起作用。 因此,我安装了Java 11 JDK,切换到最新的Eclipse IDE(在Java 11上运行),并通过在Maven POM下添加以下语句来确保源代码仍然可以根据Java 10编译:

    <maven.compiler.target>1.10</maven.compiler.target>
    <maven.compiler.source>1.10</maven.compiler.source>
    <maven.compiler.release>10</maven.compiler.release>

它就像一个魔法;没有错误。

在我的情况下,我得到错误连接到AWS Gov Postgres RDS。GOV RDS CA证书有一个单独的链接- https://s3.us-gov-west-1.amazonaws.com/rds-downloads/rds-combined-ca-us-gov-bundle.pem

将此pem certs添加到java的cacerts中。您可以使用下面的脚本。

——WINDOWDS步骤

使用VSCODE编辑器,安装openssl, keytool插件 在C:/rds-ca目录下创建目录 将“cacerts”文件和下面的脚本文件-“addCerts.sh”在目录“rd-ca” 运行vscode: 4.1 CD /c/rds-ca/ . 4.2。/ addCerts.sh 拷贝cacerts到${JAVA_HOME}/jre/lib/security目录下

脚本代码:

#!/usr/bin/env sh

OLDDIR="$PWD"

CACERTS_FILE=cacerts

cd /c/rds-ca

echo "Downloading RDS certificates..."

curl  https://s3.us-gov-west-1.amazonaws.com/rds-downloads/rds-combined-ca-us-gov-bundle.pem > rds-combined-ca-bundle.pem

csplit -sk rds-combined-ca-bundle.pem "/-BEGIN CERTIFICATE-/" "{$(grep -c 'BEGIN CERTIFICATE' rds-combined-ca-bundle.pem | awk '{print $1 - 2}')}"

for CERT in xx*; do
    # extract a human-readable alias from the cert
    ALIAS=$(openssl x509 -noout -text -in $CERT |
                   perl -ne 'next unless /Subject:/; s/.*CN=//; print')
    echo "importing $ALIAS"
    
    keytool -import \
            -keystore  $CACERTS_FILE \
            -storepass changeit -noprompt \
            -alias "$ALIAS" -file $CERT
done

cd "$OLDDIR"
echo "$NEWDIR"

不幸的是——这可能是很多事情——很多应用服务器和其他java“包装器”都倾向于玩弄属性和他们自己的钥匙链等。所以它可能会看一些完全不同的东西。

少了桁架-我会试试:

java -Djavax.net.debug=all -Djavax.net.ssl.trustStore=trustStore ...

看看这是否有用。除了“all”,还可以将其设置为“ssl”,密钥管理器和信任管理器-这可能对您的情况有帮助。在大多数平台上,将它设置为“帮助”会列出如下内容。

无论如何,一定要确保您完全理解密钥存储库(其中有您用来证明自己身份的私钥和证书)和信任存储库(它决定您信任谁)之间的区别,以及您自己的身份也有一个到根的信任“链”,这与您需要确定您信任“谁”的根的任何链是分开的。

all            turn on all debugging
ssl            turn on ssl debugging

The   following can be used with ssl:
    record       enable per-record tracing
    handshake    print each handshake message
    keygen       print key generation data
    session      print session activity
    defaultctx   print default SSL initialization
    sslctx       print SSLContext tracing
    sessioncache print session cache tracing
    keymanager   print key manager tracing
    trustmanager print trust manager tracing
    pluggability print pluggability tracing

    handshake debugging can be widened with:
    data         hex dump of each handshake message
    verbose      verbose handshake message printing

    record debugging can be widened with:
    plaintext    hex dump of record plaintext
    packet       print raw SSL/TLS packets

来源:#见http://download.oracle.com/javase/1.5.0/docs/guide/security/jsse/JSSERefGuide.html#Debug

我在我的windows 10笔记本电脑上创建了一个ubuntu,当我试图从https://github.com/yahoo/CMAK网站加载CMAK网站下载时遇到了问题。首先,它给出了致命的ssl错误。

openssl s_client -showcerts -servername github.com -connect github.com:443 </dev/null 2>/dev/null | sed -n -e '/BEGIN\ CERTIFICATE/,/END\ CERTIFICATE/ p'  > github-com.pem

并使用以下命令(确保您为ca-cert设置了正确的路径)

cat github-com.pem | sudo tee -a /etc/ssl/certs/ca-certificates.crt

然后使用以下语句(确保cert的路径正确):

git config --global http.sslCAinfo /etc/ssl/certs/ca-certificates.crt

然后我能够下载CMAK,但当我尝试。/sbt清洁语句时遇到了问题。它给出了一个pkix路径错误。原因是我的cacert文件中没有存储我的公司颁发证书。

我已经下载了公司证书(谷歌),并根据本文将下载的证书添加到cacert文件中。使用sudo update-ca-certificates之前一次。/ sbt。这对我很管用。

注意:在执行以上步骤时,您可能需要在root和exit之间切换。

这里是解决方案,按照下面的链接一步一步:

http://www.mkyong.com/webservices/jax-ws/suncertpathbuilderexception-unable-to-find-valid-certification-path-to-requested-target/

JAVA文件:博客中缺少的文件

/*
 * Copyright 2006 Sun Microsystems, Inc.  All Rights Reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 *
 *   - Redistributions of source code must retain the above copyright
 *     notice, this list of conditions and the following disclaimer.
 *
 *   - Redistributions in binary form must reproduce the above copyright
 *     notice, this list of conditions and the following disclaimer in the
 *     documentation and/or other materials provided with the distribution.
 *
 *   - Neither the name of Sun Microsystems nor the names of its
 *     contributors may be used to endorse or promote products derived
 *     from this software without specific prior written permission.
 *
 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS
 * IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
 * THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
 * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR
 * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
 * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
 * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
 * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
 * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
 * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
 * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 */



import java.io.*;
import java.net.URL;

import java.security.*;
import java.security.cert.*;

import javax.net.ssl.*;

public class InstallCert {

    public static void main(String[] args) throws Exception {
    String host;
    int port;
    char[] passphrase;
    if ((args.length == 1) || (args.length == 2)) {
        String[] c = args[0].split(":");
        host = c[0];
        port = (c.length == 1) ? 443 : Integer.parseInt(c[1]);
        String p = (args.length == 1) ? "changeit" : args[1];
        passphrase = p.toCharArray();
    } else {
        System.out.println("Usage: java InstallCert <host>[:port] [passphrase]");
        return;
    }

    File file = new File("jssecacerts");
    if (file.isFile() == false) {
        char SEP = File.separatorChar;
        File dir = new File(System.getProperty("java.home") + SEP
            + "lib" + SEP + "security");
        file = new File(dir, "jssecacerts");
        if (file.isFile() == false) {
        file = new File(dir, "cacerts");
        }
    }
    System.out.println("Loading KeyStore " + file + "...");
    InputStream in = new FileInputStream(file);
    KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
    ks.load(in, passphrase);
    in.close();

    SSLContext context = SSLContext.getInstance("TLS");
    TrustManagerFactory tmf =
        TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
    tmf.init(ks);
    X509TrustManager defaultTrustManager = (X509TrustManager)tmf.getTrustManagers()[0];
    SavingTrustManager tm = new SavingTrustManager(defaultTrustManager);
    context.init(null, new TrustManager[] {tm}, null);
    SSLSocketFactory factory = context.getSocketFactory();

    System.out.println("Opening connection to " + host + ":" + port + "...");
    SSLSocket socket = (SSLSocket)factory.createSocket(host, port);
    socket.setSoTimeout(10000);
    try {
        System.out.println("Starting SSL handshake...");
        socket.startHandshake();
        socket.close();
        System.out.println();
        System.out.println("No errors, certificate is already trusted");
    } catch (SSLException e) {
        System.out.println();
        e.printStackTrace(System.out);
    }

    X509Certificate[] chain = tm.chain;
    if (chain == null) {
        System.out.println("Could not obtain server certificate chain");
        return;
    }

    BufferedReader reader =
        new BufferedReader(new InputStreamReader(System.in));

    System.out.println();
    System.out.println("Server sent " + chain.length + " certificate(s):");
    System.out.println();
    MessageDigest sha1 = MessageDigest.getInstance("SHA1");
    MessageDigest md5 = MessageDigest.getInstance("MD5");
    for (int i = 0; i < chain.length; i++) {
        X509Certificate cert = chain[i];
        System.out.println
            (" " + (i + 1) + " Subject " + cert.getSubjectDN());
        System.out.println("   Issuer  " + cert.getIssuerDN());
        sha1.update(cert.getEncoded());
        System.out.println("   sha1    " + toHexString(sha1.digest()));
        md5.update(cert.getEncoded());
        System.out.println("   md5     " + toHexString(md5.digest()));
        System.out.println();
    }

    System.out.println("Enter certificate to add to trusted keystore or 'q' to quit: [1]");
    String line = reader.readLine().trim();
    int k;
    try {
        k = (line.length() == 0) ? 0 : Integer.parseInt(line) - 1;
    } catch (NumberFormatException e) {
        System.out.println("KeyStore not changed");
        return;
    }

    X509Certificate cert = chain[k];
    String alias = host + "-" + (k + 1);
    ks.setCertificateEntry(alias, cert);

    OutputStream out = new FileOutputStream("jssecacerts");
    ks.store(out, passphrase);
    out.close();

    System.out.println();
    System.out.println(cert);
    System.out.println();
    System.out.println
        ("Added certificate to keystore 'jssecacerts' using alias '"
        + alias + "'");
    }

    private static final char[] HEXDIGITS = "0123456789abcdef".toCharArray();

    private static String toHexString(byte[] bytes) {
        StringBuilder sb = new StringBuilder(bytes.length * 3);
        for (int b : bytes) {
            b &= 0xff;
            sb.append(HEXDIGITS[b >> 4]);
            sb.append(HEXDIGITS[b & 15]);
            sb.append(' ');
        }
        return sb.toString();
    }

    private static class SavingTrustManager implements X509TrustManager {

    private final X509TrustManager tm;
    private X509Certificate[] chain;

    SavingTrustManager(X509TrustManager tm) {
        this.tm = tm;
    }

    public X509Certificate[] getAcceptedIssuers() {
        throw new UnsupportedOperationException();
    }

    public void checkClientTrusted(X509Certificate[] chain, String authType)
        throws CertificateException {
        throw new UnsupportedOperationException();
    }

    public void checkServerTrusted(X509Certificate[] chain, String authType)
        throws CertificateException {
        this.chain = chain;
        tm.checkServerTrusted(chain, authType);
    }
    }

}