Question

我正在尝试使用java检索使用SSL证书的论坛的索引页面：

WebClient webClient = new WebClient(...);
HtmlPage sectionPage = webClient.getPage("https://rstforums.com/");

在调用任何与SSL相关的方法之前，我已经以编程方式禁用了SNI作为推荐的here。在this问题的第二个答案和this问题的第三个答案之后，我将论坛的证书添加到证书列表中：

C:\Program Files\Java\jdk1.8.0_65\jre\lib\security>keytool -import -alias RST_CERT -file forums_certificate -keystore cacerts

forums_certificate包含：

证书已成功添加，并在列出其条目时显示在密钥库中：

rst_cert, Feb 3, 2016, trustedCertEntry, 
Certificate fingerprint (SHA1): 25:39:98:FC:FF:DE:2D:24:BC:F0:78:93:D6:2E:5A:55:64:D5:09:8A

当我尝试重新运行发出新请求的应用程序时，会出现同样的错误：

sun.security.validator.ValidatorException: PKIX path building failed: sun.securi
ty.provider.certpath.SunCertPathBuilderException: unable to find valid certifica
tion path to requested target
        at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:387)
        at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.jav
a:292)
        at sun.security.validator.Validator.validate(Validator.java:260)
        at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.j
ava:324)
        at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerIm
pl.java:229)
        at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustMan
agerImpl.java:124)
        at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.
java:1491)
        at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.jav
a:216)
        at sun.security.ssl.Handshaker.processLoop(Handshaker.java:979)
        at sun.security.ssl.Handshaker.process_record(Handshaker.java:914)
        at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1062)
        at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.
java:1375)
        at sun.security.ssl.SSLSocketImpl.writeRecord(SSLSocketImpl.java:747)
        at sun.security.ssl.AppOutputStream.write(AppOutputStream.java:123)
        at sun.security.ssl.AppOutputStream.write(AppOutputStream.java:138)
        at SSLPoke.main(SSLPoke.java:31)
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to
 find valid certification path to requested target
        at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBu
ilder.java:146)
        at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCert
PathBuilder.java:131)
        at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280)
        at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:382)
        ... 15 more

我有here建议（已下载SSLPoke），但错误仍然存在。为什么证书不被认可？

Answer 1

我已经设法使用openssl删除并将证书添加到密钥库（来自cygwin（我正在使用Win7））。

使用openssl检索证书：

protocol="TLSv1,TLSv1.1,TLSv1.2" 
cipher-suite="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_RSA_WITH_AES_256_CBC_SHA,SSL_RSA_WITH_RC4_128_SHA"

从商店中移除当前openssl x509 -in <(openssl s_client -connect rstforums.com:443 -prexit 2>/dev/null) -out ~/rst_cert.crt：

rst_cert

添加使用openssl下载的证书：

keytool -delete -alias rst_cert -keystore cacerts

使用firefox下载的证书显然无效。

Answer 2

对于localhost开发人员，经过几个小时的处理，例如向cacert添加证书，生成jks文件，使用InstallCert.java ......这是解决方案，忽略证书，覆盖TrustManager，就像魅力一样：

http://www.rgagnon.com/javadetails/java-fix-certificate-problem-in-HTTPS.html

Java“sun.security.validator.ValidatorException：PKIX路径构建失败”证书验证错误

2 个答案: