The problem is your Java is not trusting the certificate. You have to import it to your java's truststore.

问题是您的 Java 不信任该证书。您必须将其导入到您的 java 的truststore.

# Copy the certificate into the directory Java_home\Jre\Lib\Security
# Change your directory to Java_home\Jre\Lib\Security>
# Import the certificate to a trust store.
# Here's the import command:

keytool -import -alias ca -file somecert.cer -keystore cacerts -storepass changeit [Return]

Trust this certificate: [Yes]

changeitis default truststore password.

changeit是默认的信任库密码。

For every certificate that you imported into your truststore you have to provide a new alias.

对于您导入信任库的每个证书，您必须提供一个新别名。

The import method is a quote from Here

导入方法引用自Here

This message is due to:

此消息是由于：

1. Either the JRE does not have the root CA as a trusted entry in its keystore.
2. The server is not sending a proper chain.

1. JRE 没有将根 CA 作为其密钥库中的可信条目。
2. 服务器没有发送正确的链。

But, 2 is not valid in your case since the browser is able to construct the chain and validate the certificate.

但是， 2 在您的情况下无效，因为浏览器能够构建链并验证证书。

Consequently you need to get the root CA and put it in the JRE keystore as a trusted entry. There are lots of resources that document the "how". One of them is: https://access.redhat.com/documentation/en-US/Fuse_Message_Broker/5.3/html/Security_Guide/files/i379776.html

因此，您需要获取根 CA 并将其作为受信任条目放入 JRE 密钥库中。有很多资源记录了“如何”。其中之一是：https: //access.redhat.com/documentation/en-US/Fuse_Message_Broker/5.3/html/Security_Guide/files/i379776.html

EDIT 1: Since you want to share the java app, it would we worth the effort to get a certificate from a CA whose root is already trusted in the trust store for the Java versions that your app supports.

编辑 1：由于您想共享 Java 应用程序，因此我们值得努力从 CA 获取证书，该 CA 的根已经在您的应用程序支持的 Java 版本的信任存储中受到信任。

I recomend use http-requestbuilt on apache http api.

我建议使用建立在 apache http api 上的http-request。

import org.junit.Test;

import static org.apache.http.HttpHeaders.ACCEPT;
import static org.apache.http.HttpStatus.SC_OK;
import static org.apache.http.entity.ContentType.APPLICATION_XML;
import static org.junit.Assert.assertEquals;

public class HttpRequestSSLTest {

private final HttpRequest<?> httpRequest = HttpRequestBuilder.createGet("https://mms.nw.ru/")
        .trustAllCertificates()
        .trustAllHosts()
        .addDefaultHeader(ACCEPT, APPLICATION_XML.getMimeType())
        .build();

@Test
public final void ignoreSSLAndHostsTest() throws Exception {

    assertEquals(SC_OK, httpRequest.execute().getStatusCode());
}

}

}

As far as I understand this is related to the Java Certificate Keystore. Your certificate is not accepted by java. Here is a link how to add your certificate to Java trusted Certificates keystore: https://docs.oracle.com/javase/tutorial/security/toolsign/rstep2.html

据我了解，这与 Java 证书密钥库有关。java 不接受您的证书。这是如何将您的证书添加到 Java 可信证书密钥库的链接：https: //docs.oracle.com/javase/tutorial/security/toolsign/rstep2.html

There are a few questions like this already on SO (like this one: PKIX path building failed: unable to find valid certification path to requested target).

SO 上已经有一些这样的问题（例如：PKIX 路径构建失败：无法找到到请求目标的有效认证路径）。

The usual answer to this is that your java client doesn't have certificates needed to complete the certificate chain.

通常的答案是您的 Java 客户端没有完成证书链所需的证书。

If you need proper certificate validation, then you'll have to figure out where the certificate chain breaks down. If you don't (because this is a proof of concept or a dev sandbox, or whatever), then you can easily work around this by adding the certificate to the trust store you use with your client.

如果您需要适当的证书验证，那么您必须弄清楚证书链在哪里中断。如果您不这样做（因为这是一个概念证明或开发沙箱，或其他），那么您可以通过将证书添加到您与客户一起使用的信任存储中来轻松解决此问题。

Edit:

编辑：

As for why your browser accepts this, it's likely that either your browser has the certificates in the chain that you need or you've absentmindedly told your browser to trust the certificate even though it also wasn't able to validate the certificate.

至于您的浏览器为何接受这一点，很可能是您的浏览器在链中拥有您需要的证书，或者您心不在焉地告诉浏览器信任该证书，即使它也无法验证该证书。