资讯专栏INFORMATION COLUMN

解决https安全证书缺少的问题

TerryCai / 3314人阅读

摘要:解决的问题问题描述这两天上测试服务器的时候突然报这样的异常问题的根本访问的时候缺少安全证书,导致的错误解决措施将安全证书下载到本地。输入等待程序执行完成,当前目录下会生成一个的安全文件将证书拷贝到目录下重新启动完成

解决PKIX:unable to find valid certification path to target 的问题 问题描述

这两天上测试服务器的时候突然报这样的异常javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

问题的根本

访问https的时候缺少安全证书,导致的错误

解决措施

将安全证书下载到本地 =.= 。查阅了很久的资料,找到如下一份大神的源码特来分享

附上代码
/*
 * Copyright 2006 Sun Microsystems, Inc.  All Rights Reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 *
 *   - Redistributions of source code must retain the above copyright
 *     notice, this list of conditions and the following disclaimer.
 *
 *   - Redistributions in binary form must reproduce the above copyright
 *     notice, this list of conditions and the following disclaimer in the
 *     documentation and/or other materials provided with the distribution.
 *
 *   - Neither the name of Sun Microsystems nor the names of its
 *     contributors may be used to endorse or promote products derived
 *     from this software without specific prior written permission.
 *
 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS
 * IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
 * THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
 * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR
 * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
 * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
 * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
 * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
 * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
 * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
 * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 */
 
import java.io.BufferedReader;
import java.io.File;
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.InputStream;
import java.io.InputStreamReader;
import java.io.OutputStream;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
 
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLException;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;
 
public class InstallCert {
 
    public static void main(String[] args) throws Exception {
        String host;
        int port;
        char[] passphrase;
        if ((args.length == 1) || (args.length == 2)) {
            String[] c = args[0].split(":");
            host = c[0];
            port = (c.length == 1) ? 443 : Integer.parseInt(c[1]);
            String p = (args.length == 1) ? "changeit" : args[1];
            passphrase = p.toCharArray();
        } else {
            System.out
                    .println("Usage: java InstallCert [:port] [passphrase]");
            return;
        }
 
        File file = new File("jssecacerts");
        if (file.isFile() == false) {
            char SEP = File.separatorChar;
            File dir = new File(System.getProperty("java.home") + SEP + "lib"
                    + SEP + "security");
            file = new File(dir, "jssecacerts");
            if (file.isFile() == false) {
                file = new File(dir, "cacerts");
            }
        }
        System.out.println("Loading KeyStore " + file + "...");
        InputStream in = new FileInputStream(file);
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        ks.load(in, passphrase);
        in.close();
 
        SSLContext context = SSLContext.getInstance("TLS");
        TrustManagerFactory tmf = TrustManagerFactory
                .getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        X509TrustManager defaultTrustManager = (X509TrustManager) tmf
                .getTrustManagers()[0];
        SavingTrustManager tm = new SavingTrustManager(defaultTrustManager);
        context.init(null, new TrustManager[] { tm }, null);
        SSLSocketFactory factory = context.getSocketFactory();
 
        System.out
                .println("Opening connection to " + host + ":" + port + "...");
        SSLSocket socket = (SSLSocket) factory.createSocket(host, port);
        socket.setSoTimeout(10000);
        try {
            System.out.println("Starting SSL handshake...");
            socket.startHandshake();
            socket.close();
            System.out.println();
            System.out.println("No errors, certificate is already trusted");
        } catch (SSLException e) {
            System.out.println();
            e.printStackTrace(System.out);
        }
 
        X509Certificate[] chain = tm.chain;
        if (chain == null) {
            System.out.println("Could not obtain server certificate chain");
            return;
        }
 
        BufferedReader reader = new BufferedReader(new InputStreamReader(
                System.in));
 
        System.out.println();
        System.out.println("Server sent " + chain.length + " certificate(s):");
        System.out.println();
        MessageDigest sha1 = MessageDigest.getInstance("SHA1");
        MessageDigest md5 = MessageDigest.getInstance("MD5");
        for (int i = 0; i < chain.length; i++) {
            X509Certificate cert = chain[i];
            System.out.println(" " + (i + 1) + " Subject "
                    + cert.getSubjectDN());
            System.out.println("   Issuer  " + cert.getIssuerDN());
            sha1.update(cert.getEncoded());
            System.out.println("   sha1    " + toHexString(sha1.digest()));
            md5.update(cert.getEncoded());
            System.out.println("   md5     " + toHexString(md5.digest()));
            System.out.println();
        }
 
        System.out
                .println("Enter certificate to add to trusted keystore or "q" to quit: [1]");
        String line = reader.readLine().trim();
        int k;
        try {
            k = (line.length() == 0) ? 0 : Integer.parseInt(line) - 1;
        } catch (NumberFormatException e) {
            System.out.println("KeyStore not changed");
            return;
        }
 
        X509Certificate cert = chain[k];
        String alias = host + "-" + (k + 1);
        ks.setCertificateEntry(alias, cert);
 
        OutputStream out = new FileOutputStream("jssecacerts");
        ks.store(out, passphrase);
        out.close();
 
        System.out.println();
        System.out.println(cert);
        System.out.println();
        System.out
                .println("Added certificate to keystore "jssecacerts" using alias ""
                        + alias + """);
    }
 
    private static final char[] HEXDIGITS = "0123456789abcdef".toCharArray();
 
    private static String toHexString(byte[] bytes) {
        StringBuilder sb = new StringBuilder(bytes.length * 3);
        for (int b : bytes) {
            b &= 0xff;
            sb.append(HEXDIGITS[b >> 4]);
            sb.append(HEXDIGITS[b & 15]);
            sb.append(" ");
        }
        return sb.toString();
    }
 
    private static class SavingTrustManager implements X509TrustManager {
 
        private final X509TrustManager tm;
        private X509Certificate[] chain;
 
        SavingTrustManager(X509TrustManager tm) {
            this.tm = tm;
        }
 
        public X509Certificate[] getAcceptedIssuers() {
            throw new UnsupportedOperationException();
        }
 
        public void checkClientTrusted(X509Certificate[] chain, String authType)
                throws CertificateException {
            throw new UnsupportedOperationException();
        }
 
        public void checkServerTrusted(X509Certificate[] chain, String authType)
                throws CertificateException {
            this.chain = chain;
            tm.checkServerTrusted(chain, authType);
        }
    }
}
如何执行

1.首先将java文件编译成class文件,使用javac命令 javac InstallCert.java
2.当前目录下即产生InstallCert.class文件以及InstallCert$SavingTrustManager.class文件
3.运行InstallCert.class文件并传入参数,java InstallCert host:port 通过作者的源码可以得知默认端口为443

此时会输出如下信息

G:com>java InstallCert www.baidu.com
Loading KeyStore C:Program FilesJavajre1.8.0_191libsecuritycacerts...
Opening connection to www.baidu.com:443...
Starting SSL handshake...

javax.net.ssl.SSLException: java.lang.UnsupportedOperationException
        at sun.security.ssl.Alerts.getSSLException(Unknown Source)
        at sun.security.ssl.SSLSocketImpl.fatal(Unknown Source)
        at sun.security.ssl.SSLSocketImpl.fatal(Unknown Source)
        at sun.security.ssl.SSLSocketImpl.handleException(Unknown Source)
        at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)
        at sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)
        at InstallCert.main(InstallCert.java:95)
Caused by: java.lang.UnsupportedOperationException
        at InstallCert$SavingTrustManager.getAcceptedIssuers(InstallCert.java:18
0)
        at sun.security.ssl.AbstractTrustManagerWrapper.checkAlgorithmConstraint
s(Unknown Source)
        at sun.security.ssl.AbstractTrustManagerWrapper.checkAdditionalTrust(Unk
nown Source)
        at sun.security.ssl.AbstractTrustManagerWrapper.checkServerTrusted(Unkno
wn Source)
        at sun.security.ssl.ClientHandshaker.serverCertificate(Unknown Source)
        at sun.security.ssl.ClientHandshaker.processMessage(Unknown Source)
        at sun.security.ssl.Handshaker.processLoop(Unknown Source)
        at sun.security.ssl.Handshaker.process_record(Unknown Source)
        at sun.security.ssl.SSLSocketImpl.readRecord(Unknown Source)
        at sun.security.ssl.SSLSocketImpl.performInitialHandshake(Unknown Source
)
        ... 3 more

Server sent 2 certificate(s):

 1 Subject CN=baidu.com, O="Beijing Baidu Netcom Science Technology Co., Ltd", O
U=service operation department, L=beijing, ST=beijing, C=CN
   Issuer  CN=GlobalSign Organization Validation CA - SHA256 - G2, O=GlobalSign
nv-sa, C=BE
   sha1    d6 aa f8 cf a0 e0 23 65 47 fc 2a 89 4f 89 5e c9 47 24 a6 0d
   md5     fd 63 96 dc 4e 9f 1e a9 16 51 d6 87 73 4d 39 76

 2 Subject CN=GlobalSign Organization Validation CA - SHA256 - G2, O=GlobalSign
nv-sa, C=BE
   Issuer  CN=GlobalSign Root CA, OU=Root CA, O=GlobalSign nv-sa, C=BE
   sha1    90 2e f2 de eb 3c 5b 13 ea 4c 3d 51 93 62 93 09 e2 31 ae 55
   md5     d3 e8 70 6d 82 92 ac e4 dd eb f7 a8 bb bd 56 6b

Enter certificate to add to trusted keystore or "q" to quit: [1]

4.输入q为退出,输入1为下载。输入1等待程序执行完成,当前目录下会生成一个jssecacerts的安全文件
5.将证书拷贝到$JAVA_HOME/jre/lib/security目录下
6.重新启动web server

完成~

文章版权归作者所有,未经允许请勿转载,若此文章存在违规行为,您可以联系管理员删除。

转载请注明本文地址:https://www.ucloud.cn/yun/74032.html

相关文章

  • 通过 Certbot 安装 Let's Encrypt 证书,来实现全站 HTTPS 访

    摘要:甚至和百度的搜索结果也正在给予的网站更高的排名和优先收录权。由于预设的解码器是,所以就不能识别中文。那理解了这个错误原因后,我这边首先想到的就是网站的配置文件中是否含有中文。打开一看,确实存在中文注释。 相关知识 HTTP/HTTPS 是什么? 简单来说,HTTP 是一个传输网页内容的协议,比如我们浏览一个网页,网页上的文字、图片、 CSS 、 JS 等文件都是通过 HTTP 协议传输...

    Lsnsh 评论0 收藏0
  • 关于微信支付服务器于2018年5月29日更换SSL数字证书

    摘要:年月日微信支付团队向所有开发者或者支付账户管理员发送了微信支付服务器将于年月日更换服务器的数字证书,如果商户平台所在的服务器过于老旧或者缺少根证书,届时将会导致接口支付通信故障。 2018年3月14日微信支付团队向所有开发者或者支付账户管理员发送了微信支付HTTPS服务器将于2018年5月29日更换服务器的SSL数字证书,如果商户平台所在的服务器过于老旧或者缺少DigiCert根证书,...

    godiscoder 评论0 收藏0
  • App架构设计经验谈:接口设计

    摘要:安全机制的设计现在,大部分的接口都采用架构,最重要的一个设计原则就是,客户端与服务器的交互在请求之间是无状态的,也就是说,当涉及到用户状态时,每次请求都要带上身份验证信息。 App与服务器的通信接口如何设计得好,需要考虑的地方挺多的,在此根据我的一些经验做一些总结分享,旨在抛砖引玉。 安全机制的设计 现在,大部分App的接口都采用RESTful架构,RESTFul最重要的一个设计原则就...

    zombieda 评论0 收藏0
  • 外贸建站需要花多少钱?外贸独立建站费用包括哪些?

    摘要:外贸网站通常访客量大并且面向的多是海外客户,为了网站安全稳定运行,所以我们在搭建网站时会选择高配置的海外服务器,常见的海外服务器包括美国服务器欧洲服务器日本服务器韩国服务器等。外贸建站一般要花多少钱?随着跨境电商的兴起,不少用户会选择外贸独立站,即自己搭建个网站,方便国外客户浏览。用户在做外贸网站前,一般会对外贸独立建站费用做个预算,那么外贸建站需要花多少钱?费用主要包括哪些方面?下面一起来...

    antz 评论0 收藏0

发表评论

0条评论

TerryCai

|高级讲师

TA的文章

阅读更多
最新活动
阅读需要支付1元查看
<