Original URL: http://stackoverflow.com/questions/26180650/
Warning: these are provided under the CC BY-SA 4.0 license. You are free to use/share it, but you must attribute it to the original authors (not me): StackOverFlow
"unable to find valid certification path to requested target", but browser says it's OK
Asked by usr-local-ΕΨΗΕΛΩΝ
I'm developing a Java application that connects to SOAP services exposed at https://ut.eurodw.eu/ (test environment for European Datawarehouse). I'm working on my development machine, recently reformatted with Windows 8.1. Today, I tried to send them a creation request via SOAP from my program and got this error:
Caused by: javax.xml.ws.WebServiceException: Could not send Message.
at org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProxy.java:146)
at com.sun.proxy.$Proxy110.createDeal(Unknown Source)
at it.csttech.edwin.services.spring.EdwinServiceImpl.createDeal(EdwinServiceImpl.java:102)
at it.csttech.edwin.consumercredit.data.managers.spring.DealManagerImpl.createEdCode(DealManagerImpl.java:319)
... 77 more
Caused by: javax.net.ssl.SSLHandshakeException: SSLHandshakeException invoking https://ut.eurodw.eu/edservices/2.2/DealService.svc: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:57)
at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
at java.lang.reflect.Constructor.newInstance(Constructor.java:526)
at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.mapException(HTTPConduit.java:1339)
at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.close(HTTPConduit.java:1323)
at org.apache.cxf.transport.AbstractConduit.close(AbstractConduit.java:56)
at org.apache.cxf.transport.http.HTTPConduit.close(HTTPConduit.java:628)
at org.apache.cxf.interceptor.MessageSenderInterceptor$MessageSenderEndingInterceptor.handleMessage(MessageSenderInterceptor.java:62)
at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:272)
at org.apache.cxf.endpoint.ClientImpl.doInvoke(ClientImpl.java:565)
at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:474)
at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:377)
at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:330)
at org.apache.cxf.frontend.ClientProxy.invokeSync(ClientProxy.java:96)
at org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProxy.java:135)
... 80 more
Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1884)
at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:276)
at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:270)
at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1341)
at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:153)
at sun.security.ssl.Handshaker.processLoop(Handshaker.java:868)
at sun.security.ssl.Handshaker.process_record(Handshaker.java:804)
at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1016)
at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1312)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1339)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1323)
at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:563)
at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185)
at sun.net.www.protocol.http.HttpURLConnection.getOutputStream(HttpURLConnection.java:1091)
at sun.net.www.protocol.https.HttpsURLConnectionImpl.getOutputStream(HttpsURLConnectionImpl.java:250)
at org.apache.cxf.transport.http.URLConnectionHTTPConduit$URLConnectionWrappedOutputStream.setupWrappedStream(URLConnectionHTTPConduit.java:174)
at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.handleHeadersTrustCaching(HTTPConduit.java:1283)
at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.onFirstWrite(HTTPConduit.java:1239)
at org.apache.cxf.transport.http.URLConnectionHTTPConduit$URLConnectionWrappedOutputStream.onFirstWrite(URLConnectionHTTPConduit.java:201)
at org.apache.cxf.io.AbstractWrappedOutputStream.write(AbstractWrappedOutputStream.java:47)
at org.apache.cxf.io.AbstractThresholdOutputStream.write(AbstractThresholdOutputStream.java:69)
at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.close(HTTPConduit.java:1296)
... 90 more
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:385)
at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:292)
at sun.security.validator.Validator.validate(Validator.java:260)
at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:326)
at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:231)
at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:126)
at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1323)
... 108 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:196)
at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:268)
at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:380)
... 114 more
As you can see by clicking my above link, that's no self-signed certificate, but released by GoDaddy public CA, recognized by my Firefox browser. My Java version is 1.7.0_60-b19. It will be a bad idea to modify the code in order to allow insecure SSL connections.
I'd like instead to ensure that eurodw's certificate is in the trust store. How do I check that? And how do I possibly import a new certificate?
PS I cannot currently test on the server where the final application is deployed: I can only use my own Tomcat installation.
Accepted answer by Francois Laroche
The different certificates can be found in the following keystore:
%JAVA_HOME%/jre/lib/security/cacerts
If you want to list the trusted certificates:
keytool -list -keystore %JAVA_HOME%/jre/lib/security/cacerts
The password is optional to list.
If you want to add an entry:
First, export the certificate to import, let's say it will be c:\cert.crt. The best way to do it is using Firefox: right-click on the lock picture in the URL, and after a few clicks, you have an export feature.
Then type:
keytool -import -alias my-cert -file c:\cert.crt -keystore %JAVA_HOME%/jre/lib/security/cacerts
The password is: changeit
The alias being a user-defined label, choose it wisely, so that if you need it one day you remember what it was.
With all this, you should be able to trust the certificate and have everything working again.
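An added example (not part of the original answer) for the question's "how do I check that?": a small Java program that takes a certificate file exported as described above, lists each certificate with its alias in the trust store, and runs a PKIX path build like the one that fails in the stack trace. The class name TrustCheck and its command-line arguments are assumptions of this example.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.*;
import java.util.*;
// Added example, not the answer's code. Usage (file names are assumptions):
//   java TrustCheck c:\cert.crt [truststore-path] [password]
public class TrustCheck {
    public static void main(String[] args) throws Exception {
        if (args.length < 1) {
            System.err.println("usage: java TrustCheck <cert-file> [truststore] [password]");
            System.exit(2);
        }
        // java.home is the running JRE's directory, so the default is that JRE's cacerts.
        String store = args.length > 1 ? args[1]
                : System.getProperty("java.home") + "/lib/security/cacerts";
        char[] pass = (args.length > 2 ? args[2] : "changeit").toCharArray();
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(store)) { ks.load(in, pass); }
        // The exported file may hold the server certificate alone or its chain, leaf first.
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        List<X509Certificate> chain = new ArrayList<>();
        try (InputStream in = new FileInputStream(args[0])) {
            for (Certificate c : cf.generateCertificates(in)) chain.add((X509Certificate) c);
        }
        if (chain.isEmpty()) { System.err.println("no certificate in " + args[0]); System.exit(2); }
        for (X509Certificate c : chain) {
            System.out.println("subject: " + c.getSubjectX500Principal());
            System.out.println("  issuer: " + c.getIssuerX500Principal());
            System.out.println("  alias in store: " + ks.getCertificateAlias(c)); // null = absent
        }
        // Build a path from the leaf to any trust anchor in the store, using the
        // file's other certificates as candidate intermediates. Revocation is not checked.
        X509CertSelector target = new X509CertSelector();
        target.setCertificate(chain.get(0));
        PKIXBuilderParameters params = new PKIXBuilderParameters(ks, target);
        params.addCertStore(CertStore.getInstance("Collection",
                new CollectionCertStoreParameters(chain)));
        params.setRevocationEnabled(false);
        try {
            PKIXCertPathBuilderResult r = (PKIXCertPathBuilderResult)
                    CertPathBuilder.getInstance("PKIX").build(params);
            System.out.println("TRUSTED via "
                    + r.getTrustAnchor().getTrustedCert().getSubjectX500Principal());
        } catch (CertPathBuilderException e) {
            System.out.println("NOT TRUSTED: " + e.getMessage());
        }
    }
}
```

Pointing the second argument at a copy of cacerts lets you test an import before touching the JRE's own file; the JVM can be told to use such a copy with -Djavax.net.ssl.trustStore.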