当前位置:theitroad>java 引起:sun.security.provider.certpath.SunCertPathBuilderException:无法找到请求目标的有效认证路径

java 引起:sun.security.provider.certpath.SunCertPathBuilderException:无法找到请求目标的有效认证路径

声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow 原文地址: http://stackoverflow.com/questions/28521266/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me): StackOverFlow

提示:将鼠标放在中文语句上可以显示对应的英文。显示中英文
时间:2020-11-02 13:45:02  来源:igfitidea点击:

Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

javaemailssljavamailimap

提问by CodeMed

A spring mvc app uses JavaMail to connect to dovecot/postfix. Both the spring mvc app and the dovecot/postfix installation are running on the same CentOS 7 physical server box. The app was able to use JavaMail to successfully make an imap connection until just recently, when some scripts for setting up OpenVPN seem to have changed things including the SSL configuration. How can I change the JavaMail code (or other configuration parameters) to get the IMAP connection to work again?

spring mvc 应用程序使用 JavaMail 连接到 dovecot/postfix。spring mvc 应用程序和 dovecot/postfix 安装都运行在同一个 CentOS 7 物理服务器上。该应用程序能够使用 JavaMail 成功建立 imap 连接,直到最近,一些用于设置 OpenVPN 的脚本似乎已经改变了一些内容,包括 SSL 配置。 如何更改 JavaMail 代码(或其他配置参数)以使 IMAP 连接再次工作?

The root error I am currently getting is:

我目前得到的根本错误是: 

Caused by: sun.security.provider.certpath.SunCertPathBuilderException:  
unable to find valid certification path to requested target

The line of code that throws this error is:

引发此错误的代码行是: 

store.connect("hostname", "username", "password");

The context of this code is:

这段代码的上下文是: 

Properties props = new Properties();
props.setProperty("mail.imap.starttls.enable", "true");
props.setProperty("mail.store.protocol", "imap");
props.setProperty("mail.imap.partialfetch", "false");
String dirStart = "/home/import/xml/xmlimporttest/";
try {
    Session session = Session.getInstance(props, null);
    session.setDebug(true);
    Store store = session.getStore();
    store.connect("hostname", "username", "password");
    Folder inbox = store.getFolder("INBOX");  
    //other stuff
} catch....

The complete stack trace is:

完整的堆栈跟踪是: 

DEBUG: setDebug: JavaMail version 1.5.0-b01
DEBUG: getProvider() returning javax.mail.Provider[STORE,imap,com.sun.mail.imap.IMAPStore,Oracle]
DEBUG IMAP: mail.imap.partialfetch: false
DEBUG IMAP: mail.imap.ignorebodystructuresize: false
DEBUG IMAP: mail.imap.statuscachetimeout: 1000
DEBUG IMAP: mail.imap.appendbuffersize: -1
DEBUG IMAP: mail.imap.minidletime: 10
DEBUG IMAP: enable STARTTLS
DEBUG IMAP: trying to connect to host "mydomain.com", port 143, isSSL false
* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE STARTTLS LOGINDISABLED] Dovecot ready.
DEBUG IMAP: protocolConnect login, host=mydomain.com, user=username, password=<non-null>
A0 STARTTLS  
A0 OK Begin TLS negotiation now.
DEBUG IMAP: STARTTLS Exception, THROW:
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable$
    at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
    at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1904)
    at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:279)
    at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:273)
    at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1446)
    at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:209)
    at sun.security.ssl.Handshaker.processLoop(Handshaker.java:901)
    at sun.security.ssl.Handshaker.process_record(Handshaker.java:837)
    at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1023)
    at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1332)
    at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1359)
    at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1343)
    at com.sun.mail.util.SocketFetcher.configureSSLSocket(SocketFetcher.java:527)
    at com.sun.mail.util.SocketFetcher.startTLS(SocketFetcher.java:464)
    at com.sun.mail.iap.Protocol.startTLS(Protocol.java:388)
    at com.sun.mail.imap.protocol.IMAPProtocol.startTLS(IMAPProtocol.java:820)
    at com.sun.mail.imap.IMAPStore.login(IMAPStore.java:697)
    at com.sun.mail.imap.IMAPStore.protocolConnect(IMAPStore.java:642)
    at javax.mail.Service.connect(Service.java:295)
    at javax.mail.Service.connect(Service.java:176)        at com.hpp.kp.web.HL7PatientController.processInbox(HL7PatientController.java:1373)
    at com.hpp.kp.web.HL7PatientController.processEmailInbox(HL7PatientController.java:118)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:606)
    at org.springframework.web.method.support.InvocableHandlerMethod.invoke(InvocableHandlerMethod.java:219)
    at org.springframework.web.method.support.InvocableHandlerMethod.invokeForRequest(InvocableHandlerMethod.java:132)
    at org.springframework.web.servlet.mvc.method.annotation.ServletInvocableHandlerMethod.invokeAndHandle(ServletInvocableHandlerMethod.java:104)
    at org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerAdapter.invokeHandleMethod(RequestMappingHandlerAdapter.java:745)
    at org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerAdapter.handleInternal(RequestMappingHandlerAdapter.java:686)
    at org.springframework.web.servlet.mvc.method.AbstractHandlerMethodAdapter.handle(AbstractHandlerMethodAdapter.java:80)
    at org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherServlet.java:925)
    at org.springframework.web.servlet.DispatcherServlet.doService(DispatcherServlet.java:856)
    at org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:936)
    at org.springframework.web.servlet.FrameworkServlet.doGet(FrameworkServlet.java:827)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:618)
    at org.springframework.web.servlet.FrameworkServlet.service(FrameworkServlet.java:812)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:725)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
    at org.springframework.web.filter.HiddenHttpMethodFilter.doFilterInternal(HiddenHttpMethodFilter.java:77)
    at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:239)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
    at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:239)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
    at com.github.dandelion.datatables.core.web.filter.DatatablesFilter.doFilter(DatatablesFilter.java:73)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:239)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
    at com.github.dandelion.datatables.extras.servlet2.filter.DatatablesFilter.doFilter(DatatablesFilter.java:71)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:239)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
    at org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:88)
    at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:239)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
    at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:239)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
    at com.github.dandelion.datatables.core.web.filter.DatatablesFilter.doFilter(DatatablesFilter.java:73)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:239)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
    at com.github.dandelion.datatables.extras.servlet2.filter.DatatablesFilter.doFilter(DatatablesFilter.java:71)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:239)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
    at org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:88)
    at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:239)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330)
    at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.invoke(FilterSecurityInterceptor.java:118)
    at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.doFilter(FilterSecurityInterceptor.java:84)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
    at org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:113)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
    at org.springframework.security.web.session.SessionManagementFilter.doFilter(SessionManagementFilter.java:103)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
    at org.springframework.security.web.authentication.AnonymousAuthenticationFilter.doFilter(AnonymousAuthenticationFilter.java:113)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
    at org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter.doFilter(SecurityContextHolderAwareRequestFilter.java:154)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
    at org.springframework.security.web.savedrequest.RequestCacheAwareFilter.doFilter(RequestCacheAwareFilter.java:45)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
    at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:199)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
    at org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:110)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
    at org.springframework.security.web.header.HeaderWriterFilter.doFilterInternal(HeaderWriterFilter.java:57)
     at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
    at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:87)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
    at org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter.doFilterInternal(WebAsyncManagerIntegrationFilter.java:50)
    at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
    at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:192)
    at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:160)
    at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:343)
    at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:260)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:239)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:219)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:106)
    at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:501)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:142)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:79)
    at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:610)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:88)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:537)
    at org.apache.coyote.ajp.AbstractAjpProcessor.process(AbstractAjpProcessor.java:831)
    at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:658)
    at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1556)
    at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:1513)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
    at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
    at java.lang.Thread.run(Thread.java:745)
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certificati$
    at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:385)
    at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:292)
    at sun.security.validator.Validator.validate(Validator.java:260)
    at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:326)
    at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:231)
    at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:126)
    at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1428)
    ... 101 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:196)
    at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:268)
    at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:380)
    ... 107 more
javax.mail.MessagingException: STARTTLS failure;
  nested exception is:
    com.sun.mail.iap.ProtocolException: STARTTLS failure
    at com.sun.mail.imap.IMAPStore.protocolConnect(IMAPStore.java:668)
    at javax.mail.Service.connect(Service.java:295)
    at javax.mail.Service.connect(Service.java:176)
    at com.hpp.kp.web.HL7PatientController.processInbox(HL7PatientController.java:1373)
    at com.hpp.kp.web.HL7PatientController.processEmailInbox(HL7PatientController.java:118)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:606)
    at org.springframework.web.method.support.InvocableHandlerMethod.invoke(InvocableHandlerMethod.java:219)
    at org.springframework.web.method.support.InvocableHandlerMethod.invokeForRequest(InvocableHandlerMethod.java:132)
    at org.springframework.web.servlet.mvc.method.annotation.ServletInvocableHandlerMethod.invokeAndHandle(ServletInvocableHandlerMethod.java:104)
    at org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerAdapter.invokeHandleMethod(RequestMappingHandlerAdapter.java:745)
    at org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerAdapter.handleInternal(RequestMappingHandlerAdapter.java:686)
    at org.springframework.web.servlet.mvc.method.AbstractHandlerMethodAdapter.handle(AbstractHandlerMethodAdapter.java:80)
    at org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherServlet.java:925)
    at org.springframework.web.servlet.DispatcherServlet.doService(DispatcherServlet.java:856)
    at org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:936)
    at org.springframework.web.servlet.FrameworkServlet.doGet(FrameworkServlet.java:827)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:618)
    at org.springframework.web.servlet.FrameworkServlet.service(FrameworkServlet.java:812)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:725)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:291)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
    at org.springframework.web.filter.HiddenHttpMethodFilter.doFilterInternal(HiddenHttpMethodFilter.java:77)
    at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:239)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
    at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:239)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
    at com.github.dandelion.datatables.core.web.filter.DatatablesFilter.doFilter(DatatablesFilter.java:73)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:239)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
    at com.github.dandelion.datatables.extras.servlet2.filter.DatatablesFilter.doFilter(DatatablesFilter.java:71)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:239)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
    at org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:88)
    at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:239)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330)
    at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.invoke(FilterSecurityInterceptor.java:118)
    at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.doFilter(FilterSecurityInterceptor.java:84)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
    at org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:113)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
    at org.springframework.security.web.session.SessionManagementFilter.doFilter(SessionManagementFilter.java:103)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
    at org.springframework.security.web.authentication.AnonymousAuthenticationFilter.doFilter(AnonymousAuthenticationFilter.java:113)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
    at org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter.doFilter(SecurityContextHolderAwareRequestFilter.java:154)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
    at org.springframework.security.web.savedrequest.RequestCacheAwareFilter.doFilter(RequestCacheAwareFilter.java:45)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
    at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:199)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
    at org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:110)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
    at org.springframework.security.web.header.HeaderWriterFilter.doFilterInternal(HeaderWriterFilter.java:57)
    at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
    at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:87)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
    at org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter.doFilterInternal(WebAsyncManagerIntegrationFilter.java:50)
    at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
    at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:192)
    at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:160)
    at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:343)
    at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:260)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:239)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:219)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:106)
    at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:501)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:142)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:79)
    at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:610)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:88)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:537)
    at org.apache.coyote.ajp.AbstractAjpProcessor.process(AbstractAjpProcessor.java:831)
    at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:658)
    at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1556)
    at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:1513)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
    at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
    at java.lang.Thread.run(Thread.java:745)
Caused by: com.sun.mail.iap.ProtocolException: STARTTLS failure
    at com.sun.mail.imap.protocol.IMAPProtocol.startTLS(IMAPProtocol.java:834)
    at com.sun.mail.imap.IMAPStore.login(IMAPStore.java:697)
    at com.sun.mail.imap.IMAPStore.protocolConnect(IMAPStore.java:642)
    ... 88 more
Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderExcept$
    at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
    at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1904)
    at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:279)
    at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:273)
    at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1446)
    at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:209)
    at sun.security.ssl.Handshaker.processLoop(Handshaker.java:901)
    at sun.security.ssl.Handshaker.process_record(Handshaker.java:837)
    at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1023)
    at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1332)
    at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1359)
    at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1343)
    at com.sun.mail.util.SocketFetcher.configureSSLSocket(SocketFetcher.java:527)
    at com.sun.mail.util.SocketFetcher.startTLS(SocketFetcher.java:464)
    at com.sun.mail.iap.Protocol.startTLS(Protocol.java:388)
    at com.sun.mail.imap.protocol.IMAPProtocol.startTLS(IMAPProtocol.java:820)
    ... 90 more
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certificati$
    at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:385)
    at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:292)
    at sun.security.validator.Validator.validate(Validator.java:260)
    at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:326)
    at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:231)
    at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:126)
    at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1428)
    ... 101 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:196)
    at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:268)
    at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:380)
    ... 107 more

EDIT

编辑

As per @jCoder's suggestion, I typed export JAVA_OPTS=-Djavax.net.debug=allbefore running startup.shand then clicking the link in the app that triggers the imaplogin request that throws the error. The same stack trace as above was thrown, but the new debug instructions caused 1100+ lines of relevant additional output in the catalina.outlogs. I have uploaded these additional logs to a file sharing site, and you can view the additional logs by clicking on this link.

根据@jCoder 的建议,我export JAVA_OPTS=-Djavax.net.debug=all在运行之前输入startup.sh,然后单击应用程序中触发imap引发错误的登录请求的链接。抛出了与上面相同的堆栈跟踪,但新的调试指令在catalina.out日志中导致了 1100 多行相关的附加输出。我已将这些附加日志上传到文件共享站点,您可以单击此链接查看附加日志

回答by softwariness

The SSL certificate isn't trusted by Java. The certificate may be self-signed, or it may be signed by a CA (Certificate Authority) whose root certificate is not in the Java certificate store. The set of root certificates known by Java isn't as extensive as the set that your web browser knows about.

Java 不信任 SSL 证书。证书可以是自签名的,也可以由根证书不在 Java 证书存储中的 CA(证书颁发机构)签名。Java 已知的一组根证书并不像您的 Web 浏览器所知道的那样广泛。

Assuming you do indeed trust the certificate in question, you can add it to the Java certificate store (which is called cacerts) using the keytoolcommand. For example (change paths as appropriate for your installation and OS):

假设您确实信任有问题的证书,您可以cacerts使用keytool命令将其添加到 Java 证书存储区(称为)。例如(根据您的安装和操作系统更改路径):

keytool -import -trustcacerts -file NewRootCACertificate.crt -keystore "C:\Program Files\Java\jre1.8.0_31\lib\security\cacerts"

keytool -import -trustcacerts -file NewRootCACertificate.crt -keystore "C:\Program Files\Java\jre1.8.0_31\lib\security\cacerts"

By default the cacertskeystore has a password of changeit.

默认情况下,cacerts密钥库的密码为changeit

UPDATE:

更新:

Problem resolved to a working system in chat, although not with ideal configuration.

问题在聊天中解决了一个工作系统,虽然没有理想的配置。

  • It looks like the previously working set-up was not using SSL.
  • This set-up stopped working, perhaps because of software updates changing the configuration (my speculation) to prevent login in the plain.
  • starttlswas switched on to address the inability to login in the plaintext IMAP mode.
  • The lack of suitably-trusted certificate then emerged as an issue, hence the error in the question.
  • The certificate that was there (probably default created during installation of the mail server) didn't have the right domain name in the Common Name, but even with a fresh certificate, and adding it to what seemed to be the right cacertskey store (the key store path was mentioned in the application logs) the client failed to trust the certificate. We never got to the bottom of that.
  • Working set-up was arrived at with the following configuration (i.e. trusting the server by hostname and connecting directly with SSL rather than using starttls):
    • props.setProperty("mail.imap.ssl.enable", "true");
    • props.setProperty("mail.imap.ssl.trust", "mydomain.com");
  • 看起来以前的工作设置没有使用 SSL。
  • 此设置停止工作,可能是因为软件更新更改了配置(我的推测)以防止以普通方式登录。
  • starttls开启是为了解决无法在明文 IMAP 模式下登录的问题。
  • 缺乏适当信任的证书随后成为一个问题,因此问题出现了错误。
  • 那里的证书(可能是在安装邮件服务器期间默认创建的)在 Common Name 中没有正确的域名,但即使有一个新证书,并将其添加到似乎是正确的cacerts密钥库(应用程序日志中提到了密钥存储路径)客户端无法信任证书。我们从来没有深究过。
  • 使用以下配置完成工作设置(即通过主机名信任服务器并直接使用 SSL 连接而不是使用starttls):
    • props.setProperty("mail.imap.ssl.enable", "true");
    • props.setProperty("mail.imap.ssl.trust", "mydomain.com");

This isn't ideal, however the client application is running on the same machine as the IMAP server, so this is probably not a huge risk.

这并不理想,但是客户端应用程序与 IMAP 服务器在同一台机器上运行,因此这可能不是一个巨大的风险。

In the long run, you may want to make a note that you did this work-around, and see whether you can get the certificate verification happening by other means, possibly a custom certificate verification handler or explicitly specifying the certificate store.

从长远来看,您可能需要记下您已完成此变通方法,并查看是否可以通过其他方式进行证书验证,可能是自定义证书验证处理程序或明确指定证书存储。

回答by Reza Rahimi

  • You should import certificate of the server:port to java JRE keystore for example for following server and port:

    serverAddress myserver.mydomain.com
serverPort 443
keystore default password did not changed, so it is **changeit** if you changed it use yours as password.

  • First of all, check $JAVA_HOME and java executable before continue, you should be sure about the choosing correct JAVA_HOME for importing , if you have different ones:

    $ ~/bin$ echo $JAVA_HOME
/opt/jdk
$ ~/bin$ which java
/usr/bin/java
$ ~/bin$ ls -l /usr/bin/java
lrwxrwxrwx 1 root root 22 May 10  2014 /usr/bin/java -> /etc/alternatives/java
$ ~/bin$ ls -l /etc/alternatives/java
lrwxrwxrwx 1 root root 17 Jun  6  2014 /etc/alternatives/java -> /opt/jdk/bin/java
$ ~/bin$ java -version
java version "1.8.0_05"
Java(TM) SE Runtime Environment (build 1.8.0_05-b13)
Java HotSpot(TM) 64-Bit Server VM (build 25.5-b02, mixed mode)
$ ~/bin$ `which java` -version
java version "1.8.0_05"
Java(TM) SE Runtime Environment (build 1.8.0_05-b13)
Java HotSpot(TM) 64-Bit Server VM (build 25.5-b02, mixed mode)
$ ~/bin$   $JAVA_HOME/bin/java -version
java version "1.8.0_05"
Java(TM) SE Runtime Environment (build 1.8.0_05-b13)
Java HotSpot(TM) 64-Bit Server VM (build 25.5-b02, mixed mode)

  • Extracting certificate from the server:

    $ openssl s_client -connect <serverAddress:serverPort> 2>&1 < "/" | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > /tmp/myserver.crt

    For this example <serverAddress:serverPort>should be replaced with myserver.mydomain.com:443

  • The extracted file should be look like as follows:

    $ cat /tmp/myserver.crt
-----BEGIN CERTIFICATE-----
blahblahblahaC5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCd
ME22AKpyBPIRbTwTBedJz/KFtwCAxO2jXIcIob99LXv8W4KMOJgazn2UUBm/azZ1
z+9qhq3UeIy8Z58WK2N5l/SI7s3+bkii/dnpW3Akw8OyXABnN1EyfwnL607POqXm
blahblahblah
  ...Certificate Data is variable for each server address...
blahblahblah
blahblahblahT9p1jar2vxoHv3/dSwKoeLL8XpkmVx9oVUZ3XuICPvEmu8eBfOEm
ZXNlYXJjaC5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCd4I7L
ME22AKpyBPIRbTwTBedJz/KFtwCAxO2jXIcIob99LXv8W4KMOJgazn2UUBm/azZ1
-----END CERTIFICATE-----

  • You need to import the extracted certificate into JRE keystore:

    $ keytool -import -alias myserverCert -file  /tmp/myserver.crt -keystore $JAVA_HOME/jre/lib/security/cacerts

  • You can check that the certification existence in java JRE keystore or not after the import:

     $ keytool -list -keystore $JAVA_HOME/jre/lib/security/cacerts

  • Default password for java JRE keystore is

    changeit

  • For applying the changes you need to restartthe java JVM.

  • After finish you can remove the temporary file if you had created it in a non temporary place:

    $ rm /tmp/myserver.crt

  • for your case you can do entire this process two times onetime before VPN establishment and onetime after establishmentonly you should to use two alias for each time as follows:

    # Before VPN Connect
$ openssl s_client -connect myserver.mydomain.com:443 2>&1 < "/" | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > /tmp/myserver.crt
$ keytool -import -alias myserverCert -file  /tmp/myserver.crt -keystore $JAVA_HOME/jre/lib/security/cacerts
# After VPN Connect
$ openssl s_client -connect myserver.mydomain.com:443 2>&1 < "/" | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > /tmp/myserver-vpn.crt
$ keytool -import -alias myserverVPNCert -file  /tmp/myserver-vpn.crt -keystore $JAVA_HOME/jre/lib/security/cacerts

    If two extracted certificates are same the problem is another thing and you should find another solution.

    $ diff /tmp/myserver.crt /tmp/myserver-vpn.crt

  • 您应该将 server:port 的证书导入 java JRE 密钥库,例如以下服务器和端口:

    serverAddress myserver.mydomain.com
serverPort 443
keystore default password did not changed, so it is **changeit** if you changed it use yours as password.

  • 首先,在继续之前检查 $JAVA_HOME 和 java 可执行文件,您应该确保选择正确的 JAVA_HOME 进行导入,如果您有不同的:

    $ ~/bin$ echo $JAVA_HOME
/opt/jdk
$ ~/bin$ which java
/usr/bin/java
$ ~/bin$ ls -l /usr/bin/java
lrwxrwxrwx 1 root root 22 May 10  2014 /usr/bin/java -> /etc/alternatives/java
$ ~/bin$ ls -l /etc/alternatives/java
lrwxrwxrwx 1 root root 17 Jun  6  2014 /etc/alternatives/java -> /opt/jdk/bin/java
$ ~/bin$ java -version
java version "1.8.0_05"
Java(TM) SE Runtime Environment (build 1.8.0_05-b13)
Java HotSpot(TM) 64-Bit Server VM (build 25.5-b02, mixed mode)
$ ~/bin$ `which java` -version
java version "1.8.0_05"
Java(TM) SE Runtime Environment (build 1.8.0_05-b13)
Java HotSpot(TM) 64-Bit Server VM (build 25.5-b02, mixed mode)
$ ~/bin$   $JAVA_HOME/bin/java -version
java version "1.8.0_05"
Java(TM) SE Runtime Environment (build 1.8.0_05-b13)
Java HotSpot(TM) 64-Bit Server VM (build 25.5-b02, mixed mode)

  • 从服务器提取证书:

    $ openssl s_client -connect <serverAddress:serverPort> 2>&1 < "/" | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > /tmp/myserver.crt

    对于这个例子<serverAddress:serverPort>应该替换为myserver.mydomain.com:443

  • 提取的文件应如下所示:

    $ cat /tmp/myserver.crt
-----BEGIN CERTIFICATE-----
blahblahblahaC5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCd
ME22AKpyBPIRbTwTBedJz/KFtwCAxO2jXIcIob99LXv8W4KMOJgazn2UUBm/azZ1
z+9qhq3UeIy8Z58WK2N5l/SI7s3+bkii/dnpW3Akw8OyXABnN1EyfwnL607POqXm
blahblahblah
  ...Certificate Data is variable for each server address...
blahblahblah
blahblahblahT9p1jar2vxoHv3/dSwKoeLL8XpkmVx9oVUZ3XuICPvEmu8eBfOEm
ZXNlYXJjaC5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCd4I7L
ME22AKpyBPIRbTwTBedJz/KFtwCAxO2jXIcIob99LXv8W4KMOJgazn2UUBm/azZ1
-----END CERTIFICATE-----

  • 您需要将提取的证书导入 JRE 密钥库:

    $ keytool -import -alias myserverCert -file  /tmp/myserver.crt -keystore $JAVA_HOME/jre/lib/security/cacerts

  • 您可以在导入后检查证书是否存在于 java JRE 密钥库中:

     $ keytool -list -keystore $JAVA_HOME/jre/lib/security/cacerts

  • java JRE 密钥库的默认密码是

    更改

  • 要应用更改,您需要重新启动java JVM。

  • 完成后,如果您在非临时位置创建了临时文件,则可以删除它:

    $ rm /tmp/myserver.crt

  • 对于您的情况,您可以在 VPN 建立前一次和一次建立后两次完成此过程,每次您应该使用两个别名,如下所示:

    # Before VPN Connect
$ openssl s_client -connect myserver.mydomain.com:443 2>&1 < "/" | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > /tmp/myserver.crt
$ keytool -import -alias myserverCert -file  /tmp/myserver.crt -keystore $JAVA_HOME/jre/lib/security/cacerts
# After VPN Connect
$ openssl s_client -connect myserver.mydomain.com:443 2>&1 < "/" | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > /tmp/myserver-vpn.crt
$ keytool -import -alias myserverVPNCert -file  /tmp/myserver-vpn.crt -keystore $JAVA_HOME/jre/lib/security/cacerts

    如果两个提取的证书相同,则问题是另一回事,您应该找到另一种解决方案。

    $ diff /tmp/myserver.crt /tmp/myserver-vpn.crt

I hope this can help you

我希望这可以帮助你

相关推荐

java Spring Boot 安全性 - 默认映射上的匿名用户访问 /

java Spring Boot 安全性 - 默认映射上的匿名用户访问 /

如何使用 Java 中的命令行将文本文件读入扫描仪

如何使用 Java 中的命令行将文本文件读入扫描仪

Java POI - 从 Excel 文件中读取日期

Java POI - 从 Excel 文件中读取日期

绝对 uri:http://java.sun.com/jsp/jstl/core 无法在 web.xml 或使用此应用程序部署的 jar 文件中解析

绝对 uri:http://java.sun.com/jsp/jstl/core 无法在 web.xml 或使用此应用程序部署的 jar 文件中解析

相关推荐
最近更新
标签