Java 如何解决“证书无效,无法用于验证本网站身份”错误?
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/26433285/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
How to solve "The certificate is not valid and cannot be used to verify the identity of this website" error?
提问by David
The question is, How to solve "The certificate is not valid and cannot be used to verify the identity of this website" error?.
问题是,如何解决“证书无效,无法用于验证本网站身份”的错误?.
Here are the details:
以下是详细信息:
I have a signed applet that has been working fine, until I updated Java to 8u25 (1.8.0_25-b18). Now, the application shows an alert message "Do you want to continue? The connection to this website is untrusted". There is a note in this message too, "The certificate is not valid and cannot be used to verify the identity of this website".
在我将 Java 更新为 8u25 (1.8.0_25-b18) 之前,我有一个运行良好的签名小程序。现在,该应用程序显示一条警告消息“您想继续吗?与该网站的连接不受信任”。这条消息中也有一个注释,“ The certificate is not valid and cannot be used to verify the identity of this website”。
The applet is loaded without problems. But when the user tries to use a specific function of that application, the warning message is displayed.
小程序加载没有问题。但是当用户尝试使用该应用程序的特定功能时,会显示警告消息。
I've checked the java console when this happens, and this warning message is displayed right after these lines:
发生这种情况时,我检查了 java 控制台,在这些行之后立即显示此警告消息:
security: Obtain certificate collection in SSL Root CA certificate store
security: Invalid certificate from HTTPS server
network: Cache entry not found [url: https://sub.domain.net:9876, version: null]
The application is downloaded from a different domain, say "https://app.domain.net/.....", so no jars are downloaded from "https://sub.domain.net:9876", but the applet connects to "https://sub.domain.net:9876" to send/receive data.
该应用程序是从不同的域下载的,比如“ https://app.domain.net/.....”,所以没有从“ https://sub.domain.net:9876”下载jar ,但是小程序连接到“ https://sub.domain.net:9876”以发送/接收数据。
The applet is signed correctly, and so far, it meets all the security requirements according to Java. This issue seems to happen when the application tries to connect internally with an HTTPS url like https://sub.domain.net:9876. That sites' SSL certificate is valid, issued by GoDaddy and has not expired.
小程序签名正确,到目前为止,它满足 Java 的所有安全要求。当应用程序尝试使用 HTTPS url 进行内部连接时,似乎会发生此问题https://sub.domain.net:9876。该网站的 SSL 证书有效,由 GoDaddy 颁发且未过期。
Again, this started to happen after updating my JRE to 8u25. I've tested adding the offending URL to Java security exception list, with no success.
同样,在将我的 JRE 更新为 8u25 后,这开始发生。我已经测试过将违规 URL 添加到 Java 安全例外列表,但没有成功。
Here are a few screenshot of this problem:
下面是这个问题的一些截图:
This is the warning message displayed:
这是显示的警告消息:
Edit 10/18/2014:
2014 年 10 月 18 日编辑:
Question posted in "Oracle Community" too, to increase answer options: Question in Oracle Community.
问题也发布在“Oracle 社区”中,以增加答案选项: Oracle 社区中的问题。
Edit 10/21/2014:
2014 年 10 月 21 日编辑:
I noticed this: When I click the link "More Information" displayed in the "Security Warning" dialog, the reason displayed says:
我注意到这一点:当我单击“安全警告”对话框中显示的“更多信息”链接时,显示的原因是:
The application is being downloaded from a site other than the one specified by the security certificate.
Downloading from "sub.domain.net"
Expecting "*.DOMAIN.NET"
正在从安全证书指定的站点以外的站点下载应用程序。
从“sub.domain.net”下载
期待“*.DOMAIN.NET”
This message says the application is BEING DOWNLOADED FROM "sub.domain.com", and that is false. The application (applet) is already downloaded, and it is only using that domain in an internal HTTPS request, to get/send business data, not to download additional Jars, JNLPs, etc.
此消息表示正在从“sub.domain.com”下载应用程序,这是错误的。应用程序(小程序)已经下载,它仅在内部 HTTPS 请求中使用该域来获取/发送业务数据,而不是下载额外的 Jars、JNLP 等。
采纳答案by David
I found how to solve this issue, and thanks to Steffen Ullrichfor a valid proposal.
我找到了解决这个问题的方法,感谢Steffen Ullrich提出的有效建议。
This is related to the certificate's Common Name (CN)value. In my case, that value was *.DOMAIN.NET, and to change it to *.domain.net, all we had to do was a procedure called "Domain Transfer". This means, to change the CN to *.REKEY.DOMAIN.NET, and then to change it again to *.domain.net. We could not change it to *.domain.netdirectly because the certificate provider says *.DOMAIN.NETand *.domain.netare the same.
这与证书的通用名称 (CN)值有关。就我而言,该值是*.DOMAIN.NET,要将其更改为*.domain.net,我们所要做的就是一个名为“域转移”的过程。这意味着,将 CN 更改为*.REKEY.DOMAIN.NET,然后再次将其更改为*.domain.net。我们无法*.domain.net直接将其更改为,因为证书提供者说*.DOMAIN.NET和*.domain.net是相同的。
Now, this issue happened only with Java 7.71 and Java 8.25. Previous version of Java 7 and 8 don't have this issue (SSL certificate restrictions for CN in a different casing).
现在,这个问题只发生在 Java 7.71 和 Java 8.25 上。以前版本的 Java 7 和 8 没有这个问题(不同大小写中 CN 的 SSL 证书限制)。
Anyway, this solved the issue, and now we receive a gentle information message about the domain:
无论如何,这解决了问题,现在我们收到有关域的温和信息消息:
回答by keshlam
If you trust the certificate and the website you are accessing, hit Continue to get past this message.
如果您信任证书和您正在访问的网站,请点击继续以跳过此消息。
However, unless you ABSOLUTELY trust that website, this is a red-flag warning that you may not be accessing the page you think you are, and there may be a serious security risk. That's why it warns you. A "wildcard certificate", if that is indeed possible, would be a Bad Idea unless it restricts itself to a very specific and limited set of domains.
但是,除非您绝对信任该网站,否则这是一个红旗警告,表明您可能无法访问您认为的页面,并且可能存在严重的安全风险。这就是它警告你的原因。如果确实可能,“通配符证书”将是一个坏主意,除非它将自己限制在一组非常具体且有限的域中。
I doubt this is case-sensitive.
我怀疑这是区分大小写的。
