问题描述
Java微服务通过https下载第三方站点某个资源(比如一个图片),java抛出以下异常:
WalletServiceImpl : 凭证图片下载失败,s**un.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target**
at sun.security.ssl.Alert.createSSLException(Alert.java:131)
at sun.security.ssl.TransportContext.fatal(TransportContext.java:353)
at sun.security.ssl.TransportContext.fatal(TransportContext.java:296)
at sun.security.ssl.TransportContext.fatal(TransportContext.java:291)
at sun.security.ssl.CertificateMessage$T12CertificateConsumer.checkServerCerts(CertificateMessage.java:652)
at sun.security.ssl.CertificateMessage$T12CertificateConsumer.onCertificate(CertificateMessage.java:471)
at sun.security.ssl.CertificateMessage$T12CertificateConsumer.consume(CertificateMessage.java:367)
at sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:376)
at sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:444)
at sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:422)
at sun.security.ssl.TransportContext.dispatch(TransportContext.java:183)
at sun.security.ssl.SSLTransport.decode(SSLTransport.java:154)
at sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1279)
at sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1188)
......
问题原因
问题是由于java服务器上缺失第三方网站证书导致,需要利用keytool工具导入证书解决。
解决方案
1、在浏览器(以firefox为例)访问https资源(https://XXX/XXX-template/finance.jpg),点击安全连接→更多信息→查看证书看到服务证书信息。往下拉有个“下载证书链”的功能,下载pem证书链文件。
2、登录到JAVA服务器上,运行以下命令安装证书解决异常:
1). 找到JDK下cacerts文件(命令:find / -name cacerts), 例如线上服务器的位置:/usr/local/jdk1.8.0_271/jre/lib/security/cacerts
2). 拷贝浏览器导出的pem证书文件到服务器某目录下,假如:/home/XXX.pem
运行: keytool -importcert -trustcacerts -alias XXXXX -file /home/XXX.pem -keystore /usr/local/jdk1.8.0_271/jre/lib/security/cacerts
3). Java微服务重新启动。
问题扩展
1、在排查问题过程,使用curl访问https资源也报错:
curl: (60) Peer's Certificate issuer is not recognized.
More details here: http://curl.haxx.se/docs/sslcerts.html
curl performs SSL certificate verification by default, using a "bundle"
of Certificate Authority (CA) public keys (CA certs). If the default
bundle file isn't adequate, you can specify an alternate file
using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
the bundle, the certificate verification probably failed due to a
problem with the certificate (it might be expired, or the name might
not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
the -k (or --insecure) option.
除了错误提示操作以外,可以把证书安装到信任证书目录下。
解决办法:拷贝以上提及的pem文件到目录/etc/pki/ca-trust/source/anchors/ , 再运行update-ca-trust命令解决问题。
参考链接
https://techcommunity.microsoft.com/t5/azure-database-support-blog/pkix-path-building-failed-unable-to-find-valid-certification/ba-p/2591304
https://stackoverflow.com/questions/6908948/java-sun-security-provider-certpath-suncertpathbuilderexception-unable-to-find
|