"unable to find valid certification path to requested target", but browser says it's OK

【Title】: "unable to find valid certification path to requested target", but browser says it's OK
【Posted】: 2014-11-28 14:42:03
【Question】:

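I am developing a Java application that connects to a SOAP service exposed at https://ut.eurodw.eu/ (the test environment of the European DataWarehouse). I am using my development machine, which was recently reformatted with Windows 8.1. Today I tried to send them a create request via SOAP from my program and got this error: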

Caused by: javax.xml.ws.WebServiceException: Could not send Message.
    at org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProxy.java:146)
    at com.sun.proxy.$Proxy110.createDeal(Unknown Source)
    at it.csttech.edwin.services.spring.EdwinServiceImpl.createDeal(EdwinServiceImpl.java:102)
    at it.csttech.edwin.consumercredit.data.managers.spring.DealManagerImpl.createEdCode(DealManagerImpl.java:319)
    ... 77 more
Caused by: javax.net.ssl.SSLHandshakeException: SSLHandshakeException invoking https://ut.eurodw.eu/edservices/2.2/DealService.svc: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
    at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:57)
    at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
    at java.lang.reflect.Constructor.newInstance(Constructor.java:526)
    at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.mapException(HTTPConduit.java:1339)
    at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.close(HTTPConduit.java:1323)
    at org.apache.cxf.transport.AbstractConduit.close(AbstractConduit.java:56)
    at org.apache.cxf.transport.http.HTTPConduit.close(HTTPConduit.java:628)
    at org.apache.cxf.interceptor.MessageSenderInterceptor$MessageSenderEndingInterceptor.handleMessage(MessageSenderInterceptor.java:62)
    at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:272)
    at org.apache.cxf.endpoint.ClientImpl.doInvoke(ClientImpl.java:565)
    at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:474)
    at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:377)
    at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:330)
    at org.apache.cxf.frontend.ClientProxy.invokeSync(ClientProxy.java:96)
    at org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProxy.java:135)
    ... 80 more
Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
    at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1884)
    at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:276)
    at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:270)
    at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1341)
    at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:153)
    at sun.security.ssl.Handshaker.processLoop(Handshaker.java:868)
    at sun.security.ssl.Handshaker.process_record(Handshaker.java:804)
    at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1016)
    at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1312)
    at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1339)
    at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1323)
    at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:563)
    at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185)
    at sun.net.www.protocol.http.HttpURLConnection.getOutputStream(HttpURLConnection.java:1091)
    at sun.net.www.protocol.https.HttpsURLConnectionImpl.getOutputStream(HttpsURLConnectionImpl.java:250)
    at org.apache.cxf.transport.http.URLConnectionHTTPConduit$URLConnectionWrappedOutputStream.setupWrappedStream(URLConnectionHTTPConduit.java:174)
    at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.handleHeadersTrustCaching(HTTPConduit.java:1283)
    at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.onFirstWrite(HTTPConduit.java:1239)
    at org.apache.cxf.transport.http.URLConnectionHTTPConduit$URLConnectionWrappedOutputStream.onFirstWrite(URLConnectionHTTPConduit.java:201)
    at org.apache.cxf.io.AbstractWrappedOutputStream.write(AbstractWrappedOutputStream.java:47)
    at org.apache.cxf.io.AbstractThresholdOutputStream.write(AbstractThresholdOutputStream.java:69)
    at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.close(HTTPConduit.java:1296)
    ... 90 more
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:385)
    at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:292)
    at sun.security.validator.Validator.validate(Validator.java:260)
    at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:326)
    at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:231)
    at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:126)
    at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1323)
    ... 108 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:196)
    at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:268)
    at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:380)
    ... 114 more

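As you can see by clicking the link above, this is not a self-signed certificate; it is issued by the GoDaddy public CA, which my Firefox browser recognizes. My Java version is 1.7.0_60-b19. Modifying the code to allow insecure SSL connections would be a bad idea.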

I want to make sure that eurodw's certificate is in the truststore. How can I check? And how do I import a new certificate?

PS: I currently cannot test on the server where the final application will be deployed: I can only use my own Tomcat installation.

【Comments】:

Just found out that Eurodw renewed their certificate a few days ago.

【Answer 1】:

The various certificates can be found in the following keystore:

%JAVA_HOME%/jre/lib/security/cacerts

If you want to list the trusted certificates:

keytool -list -keystore "%JAVA_HOME%/jre/lib/security/cacerts"

The password is optional.

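If you want to add an entry:

First, export the certificate you want to import; let's say it is c:\cert.crt. The best way is to use Firefox: right-click the lock icon in the URL bar and, after a few clicks, there is an export function.

Then type:

keytool -import -alias my-cert -file c:\cert.crt -keystore "%JAVA_HOME%/jre/lib/security/cacerts"

The default password is: changeit

The alias is a user-defined label; choose it wisely so that you remember what it is if you need it some day.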

With all this, you should be able to trust the certificate and get everything working again.

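【Comments】:

"%JAVA_HOME%/lib/security/cacerts" (with quotes) worked for me. I will have to repeat the task at the customer site until Oracle releases an updated trust list.

You have to add double quotes like @usr-local said.

I checked my build.gradle file and all the repositories the project was trying to access, opened those URLs in the browser and did what @Francois described; I tried it on Ubuntu, restarted the Android Studio project and it worked. If you are using Windows 7, to run keytool you can go to Run, type cmd, then press Ctrl+Shift+Enter. This opens the command prompt in administrator mode; then look for keytool.exe in the java folder.

What if you don't have permission for "%JAVA_HOME%/lib/security/cacerts" because it's a work computer?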
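To answer the "how can I check?" part from inside the JVM the application actually runs in (Tomcat may use a different JRE, or a javax.net.ssl.trustStore override, than the keytool command line does), the following added example, which is not part of the original question or answers, lists the default trust anchors whose subject matches a search string. The class name TrustAnchorCheck and the default search string "Go Daddy" are assumptions chosen for illustration.

```java
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.List;
import java.util.Locale;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

// Hypothetical diagnostic class (added example, not from the original thread).
public class TrustAnchorCheck {
    // Trust anchors of the running JVM whose subject DN contains needle (case-insensitive).
    static List<X509Certificate> findAnchors(String needle) throws Exception {
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null); // null selects the JVM default truststore
        List<X509Certificate> hits = new ArrayList<>();
        String wanted = needle.toLowerCase(Locale.ROOT);
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (!(tm instanceof X509TrustManager)) continue;
            for (X509Certificate ca : ((X509TrustManager) tm).getAcceptedIssuers()) {
                String dn = ca.getSubjectX500Principal().getName();
                if (dn.toLowerCase(Locale.ROOT).contains(wanted)) hits.add(ca);
            }
        }
        return hits;
    }

    // SHA-256 fingerprint, to compare with the CA certificate shown by the browser.
    static String sha256(X509Certificate c) throws Exception {
        byte[] digest = MessageDigest.getInstance("SHA-256").digest(c.getEncoded());
        StringBuilder sb = new StringBuilder();
        for (byte b : digest) sb.append(String.format("%02X", b));
        return sb.toString();
    }

    public static void main(String[] args) throws Exception {
        String needle = args.length > 0 ? args[0] : "Go Daddy"; // assumed default
        System.out.println("java.home = " + System.getProperty("java.home"));
        System.out.println("trustStore override = " + System.getProperty("javax.net.ssl.trustStore"));
        List<X509Certificate> hits = findAnchors(needle);
        for (X509Certificate ca : hits) {
            System.out.println(ca.getSubjectX500Principal().getName());
            System.out.println("  valid until " + ca.getNotAfter() + ", SHA-256 " + sha256(ca));
        }
        if (hits.isEmpty()) System.out.println("No trust anchor matches \"" + needle + "\"");
    }
}
```

Run it with the same JRE and system properties as the failing application; Firefox validates against its own certificate store, so a CA it accepts can still be absent from the list printed here.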
