无法find要求的目标的有效证书path – 即使在导入证书后也是如此
可能重复:
PKIXpathbuild立失败:无法find有效的证书path到请求的目标
我有一个Java客户端尝试访问具有自签名证书的服务器。
当我尝试发布到服务器时,出现以下错误:
无法find要求的目标的有效证书path
在对这个问题做了一些研究后,我做了以下工作。
- 将我的服务器域名保存为root.cer文件。
- 在我的Glassfish服务器的JRE中,我运行了这个:keytool -import -alias示例-keystore cacerts -file root.cer。
- 要检查证书是成功添加到我的cacert,我做到了这一点:keytool -list -v -keystore cacerts我可以看到证书是存在的。
- 然后,我重新启动了Glassfish并退休了。
我仍然得到相同的错误。
我有一种感觉,这是因为我的Glassfish实际上并没有阅读我已经修改的cacert文件,但也许还有一些。
有没有人有这个问题,可以推动我在正确的方向吗?
不幸的是 – 这可能是很多事情 – 许多应用程序服务器和其他Java包装器都倾向于使用属性,而他们的“自己”则采用钥匙链,而不是。 所以它可能在看完全不同的东西。
桁架的缺点 – 我会尝试:
java -Djavax.net.debug=all -Djavax.net.ssl.trustStore=trustStore ...
看看是否有帮助。 也可以将其设置为“ssl”,密钥pipe理器和信任pipe理器,而不是“全部”,这可能对您有帮助。 设置为“帮助”将在大多数平台上列出如下所示。
无论如何 – 确保您完全理解密钥库(您拥有私钥并certificate您certificate自己的身份)和信任库(它确定您信任的人)之间的区别 – 以及您自己的身份有一个“连锁”信任的根源 – 这是从任何链条分离到根,你需要找出“谁”你信任。
all turn on all debugging ssl turn on ssl debugging The following can be used with ssl: record enable per-record tracing handshake print each handshake message keygen print key generation data session print session activity defaultctx print default SSL initialization sslctx print SSLContext tracing sessioncache print session cache tracing keymanager print key manager tracing trustmanager print trust manager tracing pluggability print pluggability tracing handshake debugging can be widened with: data hex dump of each handshake message verbose verbose handshake message printing record debugging can be widened with: plaintext hex dump of record plaintext packet print raw SSL/TLS packets
来源:#请参阅http://download.oracle.com/javase/1.5.0/docs/guide/security/jsse/JSSERefGuide.html#Debug
这里是解决scheme,按照下面的链接一步一步:
JAVA文件:这是从博客丢失
/* * Copyright 2006 Sun Microsystems, Inc. All Rights Reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * * - Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * * - Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * * - Neither the name of Sun Microsystems nor the names of its * contributors may be used to endorse or promote products derived * from this software without specific prior written permission. * * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS * IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, * THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ import java.io.*; import java.net.URL; import java.security.*; import java.security.cert.*; import javax.net.ssl.*; public class InstallCert { public static void main(String[] args) throws Exception { String host; int port; char[] passphrase; if ((args.length == 1) || (args.length == 2)) { String[] c = args[0].split(":"); host = c[0]; port = (c.length == 1) ? 443 : Integer.parseInt(c[1]); String p = (args.length == 1) ? "changeit" : args[1]; passphrase = p.toCharArray(); } else { System.out.println("Usage: java InstallCert <host>[:port] [passphrase]"); return; } File file = new File("jssecacerts"); if (file.isFile() == false) { char SEP = File.separatorChar; File dir = new File(System.getProperty("java.home") + SEP + "lib" + SEP + "security"); file = new File(dir, "jssecacerts"); if (file.isFile() == false) { file = new File(dir, "cacerts"); } } System.out.println("Loading KeyStore " + file + "..."); InputStream in = new FileInputStream(file); KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType()); ks.load(in, passphrase); in.close(); SSLContext context = SSLContext.getInstance("TLS"); TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm()); tmf.init(ks); X509TrustManager defaultTrustManager = (X509TrustManager)tmf.getTrustManagers()[0]; SavingTrustManager tm = new SavingTrustManager(defaultTrustManager); context.init(null, new TrustManager[] {tm}, null); SSLSocketFactory factory = context.getSocketFactory(); System.out.println("Opening connection to " + host + ":" + port + "..."); SSLSocket socket = (SSLSocket)factory.createSocket(host, port); socket.setSoTimeout(10000); try { System.out.println("Starting SSL handshake..."); socket.startHandshake(); socket.close(); System.out.println(); System.out.println("No errors, certificate is already trusted"); } catch (SSLException e) { System.out.println(); e.printStackTrace(System.out); } X509Certificate[] chain = tm.chain; if (chain == null) { System.out.println("Could not obtain server certificate chain"); return; } BufferedReader reader = new BufferedReader(new InputStreamReader(System.in)); System.out.println(); System.out.println("Server sent " + chain.length + " certificate(s):"); System.out.println(); MessageDigest sha1 = MessageDigest.getInstance("SHA1"); MessageDigest md5 = MessageDigest.getInstance("MD5"); for (int i = 0; i < chain.length; i++) { X509Certificate cert = chain[i]; System.out.println (" " + (i + 1) + " Subject " + cert.getSubjectDN()); System.out.println(" Issuer " + cert.getIssuerDN()); sha1.update(cert.getEncoded()); System.out.println(" sha1 " + toHexString(sha1.digest())); md5.update(cert.getEncoded()); System.out.println(" md5 " + toHexString(md5.digest())); System.out.println(); } System.out.println("Enter certificate to add to trusted keystore or 'q' to quit: [1]"); String line = reader.readLine().trim(); int k; try { k = (line.length() == 0) ? 0 : Integer.parseInt(line) - 1; } catch (NumberFormatException e) { System.out.println("KeyStore not changed"); return; } X509Certificate cert = chain[k]; String alias = host + "-" + (k + 1); ks.setCertificateEntry(alias, cert); OutputStream out = new FileOutputStream("jssecacerts"); ks.store(out, passphrase); out.close(); System.out.println(); System.out.println(cert); System.out.println(); System.out.println ("Added certificate to keystore 'jssecacerts' using alias '" + alias + "'"); } private static final char[] HEXDIGITS = "0123456789abcdef".toCharArray(); private static String toHexString(byte[] bytes) { StringBuilder sb = new StringBuilder(bytes.length * 3); for (int b : bytes) { b &= 0xff; sb.append(HEXDIGITS[b >> 4]); sb.append(HEXDIGITS[b & 15]); sb.append(' '); } return sb.toString(); } private static class SavingTrustManager implements X509TrustManager { private final X509TrustManager tm; private X509Certificate[] chain; SavingTrustManager(X509TrustManager tm) { this.tm = tm; } public X509Certificate[] getAcceptedIssuers() { throw new UnsupportedOperationException(); } public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException { throw new UnsupportedOperationException(); } public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException { this.chain = chain; tm.checkServerTrusted(chain, authType); } } }
您需要configurationJSSE系统属性,特别指向客户端证书存储。
通过命令行:
java -Djavax.net.ssl.trustStore=truststores/client.ts com.progress.Client
或通过Java代码:
import java.util.Properties; ... Properties systemProps = System.getProperties(); systemProps.put("javax.net.ssl.keyStorePassword","passwordForKeystore"); systemProps.put("javax.net.ssl.keyStore","pathToKeystore.ks"); systemProps.put("javax.net.ssl.trustStore", "pathToTruststore.ts"); systemProps.put("javax.net.ssl.trustStorePassword","passwordForTrustStore"); System.setProperties(systemProps); ...
有关更多信息,请参阅RedHat网站上的详细信息。
我和sbt有同样的问题。
它试图通过ssl从repo1.maven.org获取依赖关系
但表示“无法find要求的目标url的有效authenticationpath”。
所以我跟着这个post ,仍然没有validation连接。
所以我读了一下,发现这个根证书是不够的,正如这个post所build议的那样,
我的工作是将中间CA证书导入密钥库 。
我实际上在链中添加了所有的证书,它像一个魅力。
我的问题是,通过软件更新,我的工作笔记本电脑上安装了Cloud Access安全代理NetSkope。 这是改变证书链,我仍然无法通过我的Java客户端连接到服务器后,整个链导入我的cacerts密钥库。 我禁用了NetSkope,并能够成功连接。
比方说,如果你在pom.xml中使用类pathvariables像$ {JAVA_HOME}。
<target> <property name="compile_classpath" refid="maven.compile.classpath"/> <property name="runtime_classpath" refid="maven.runtime.classpath"/> <property name="test_classpath" refid="maven.test.classpath"/> <property name="plugin_classpath" refid="maven.plugin.classpath"/> <property name="jaxb-api.jar" value="${maven.dependency.javax.xml.bind.jaxb-api.jar.path}"/> <property name="project_home" value="${PROJECT_HOME}"/> <property name="java_home" value="${JAVA_HOME}"/> <property name="ant_home" value="${ANT_HOME}"/> <property name="common_home" value="${COMMON_HOME}"/> <property name="JAXP_HOME" value="${common_home}/lib"/> <property name="ejfw_home" value="${PROJECT_HOME}/lib"/> <property name="weblogic_home" value="${WL_HOME}"/> <property name="fw_home" value="${FW_HOME}"/> <property name="env" value="${BUILDENV}"/> <property name="tokenfile" value="${BUILDENV}${BUILDENV_S2S}.properties"/>
在目标上,添加类pathvariables。 即..,-DANT_HOME,-DJAVA_HOME
clean install -e -DPROJECT_HOME=..... -DANT_HOME=C:\bea1036\modules\org.apache.ant_1.7.1 -DJAVA_HOME=C:\bea1036\jdk160_31