When connecting to an SSL server you may see the error below. It occurs because an application that connects to another application over SSL/TLS (HTTPS, IMAPS, LDAPS) will only complete the handshake with a peer it trusts. Trust is established in one of two ways: the peer's certificate has been imported into the trust store the application uses, or the certificate was issued by a known CA that the trust store already contains. By default that trust store is $JAVA_HOME/lib/security/cacerts.

javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

So there are two possible causes:

1. The certificate is self-signed; no CA issued it.

2. The certificate chain that issued it is not in the Java keystore (truststore).

The fix for "PKIX path building failed" is therefore to import the server's public certificate into the Java keystore that is actually in use, as follows:

1. Go to the URL in your Firefox browser and click on the HTTPS certificate chain icon (next to the URL address). Click "more info" > "security" > "show certificate" > "details" > "export...". Pick a name and choose the file type, e.g. example.cer. You now have a certificate file that you have to add to your JVM's truststore.

2. Determine the location of the cacerts file, e.g. C:\Program Files (x86)\Java\jre1.6.0_22\lib\security\cacerts.

3. Next, import the example.cer file into cacerts on the command line (the path contains spaces, so it must be quoted):

keytool -import -alias example -keystore "C:\Program Files (x86)\Java\jre1.6.0_22\lib\security\cacerts" -file example.cer

You will be asked for the keystore password; the default is "changeit".

4. Restart your JVM/PC.

source: http://magicmonster.com/kb/prg/java/ssl/pkix_path_building_failed.html

Original: https://stackoverflow.com/questions/21076179/pkix-path-building-failed-and-unable-to-find-valid-certification-path-to-requ


How do I export the certificate?

Exporting a certificate from the browser seems easiest in Firefox; in Chrome and Safari the option is harder to find. You can also export it with the portecle tool, or from the command line as follows:

Unix:
openssl s_client -connect google.com:443 < /dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > public.crt

Windows:
openssl s_client -connect google.com:443 < NUL | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > public.crt

If sed is not installed, you can also run:

openssl s_client -connect google.com:443

then save the output to a file, which you can name public.cert.
Its contents look like this:

-----BEGIN CERTIFICATE-----
< Certificate content as fetched by the command line. 
Don't change this content, only remove what is before 
and after the BEGIN CERTIFICATE and END CERTIFICATE. 
That's what your Sed command is doing for you :-) >
-----END CERTIFICATE-----
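The openssl export above keeps only the first certificate that s_client prints, which is the server's leaf certificate; the intermediate CA that actually issued it is not shown unless -showcerts is given. The script below is an added example (not code from the original article or the pages it links) that wraps the same openssl and keytool steps into shell functions: it fetches the whole chain with SNI, splits it into one file per certificate, imports a chosen certificate into a copy of a JRE's cacerts with keytool, and reports which cacerts the java on PATH really reads (the "correct truststore" items in the checklist further down). Host names, aliases and file names are assumptions; the PEM bundle inside the script is constructed placeholder data used only to exercise the splitting step offline.

```shell
#!/bin/sh
# Added example; not code from the original article or the pages it links.
# Shell helpers around the openssl and keytool steps above:
#   fetch_chain      - fetch the WHOLE chain the server sends. The plain
#                      "openssl s_client" call prints only the leaf
#                      certificate; "-showcerts" is needed for intermediates.
#   split_chain      - one file per certificate, so the issuing CA certificate
#                      can be imported instead of the short-lived leaf.
#   import_into_copy - keytool import into a COPY of a JRE's cacerts, plus the
#                      -D flag that makes the JVM use the copy.
#   check_alias      - report which cacerts the "java" on PATH uses and whether
#                      an alias is present in it (the "wrong JRE" case).
# Host, alias and file names are assumptions; the PEM bundle at the bottom is
# constructed (placeholder bodies, not real certificates) so that split_chain
# can be exercised offline.

# -servername sends SNI; without it many hosts return a default certificate
# that is not the one the browser shows. Needs network; not run by the test.
fetch_chain() {
    host="$1"; port="${2:-443}"
    openssl s_client -showcerts -servername "$host" -connect "$host:$port" \
        </dev/null 2>/dev/null |
        sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p'
}

# Split a PEM bundle from stdin into "$1-0.crt", "$1-1.crt", ...; index 0 is
# the leaf, the last file is the highest CA the server sent. Prints the count.
split_chain() {
    awk -v p="$1" '
        BEGIN                         { n = 0; out = "" }
        /-----BEGIN CERTIFICATE-----/ { out = p "-" n ".crt"; n++ }
        out != ""                     { print > out }
        /-----END CERTIFICATE-----/   { close(out); out = "" }
        END                           { print n }'
}

# Subject and issuer of every split file, to tell leaf from CA. Needs openssl.
describe_chain() {
    for f in "$1"-*.crt; do
        printf '%s: ' "$f"
        openssl x509 -in "$f" -noout -subject -issuer | tr '\n' ' '
        echo
    done
}

# Import into a copy of cacerts: the original stays intact and the copy
# survives a Java upgrade that replaces lib/security/cacerts. Needs keytool.
import_into_copy() {
    java_home="$1"; cert="$2"; alias="$3"; copy="${4:-./cacerts-$alias}"
    cp "$java_home/lib/security/cacerts" "$copy"
    keytool -importcert -noprompt -trustcacerts -alias "$alias" \
        -keystore "$copy" -storepass changeit -file "$cert"
    echo "-Djavax.net.ssl.trustStore=$copy -Djavax.net.ssl.trustStorePassword=changeit"
}

# Which cacerts does the "java" on PATH actually read, and is ALIAS in it?
# Needs java and keytool.
check_alias() {
    java_home=$(java -XshowSettings:properties -version 2>&1 |
        sed -n 's/^ *java\.home = //p')
    store="$java_home/lib/security/cacerts"
    echo "java on PATH uses: $store"
    if keytool -list -keystore "$store" -storepass changeit -alias "$1" >/dev/null 2>&1; then
        echo "alias '$1' present"
    else
        echo "alias '$1' NOT present (imported into another JRE?)"
    fi
}

# Constructed two-certificate bundle (leaf, then issuing CA). The base64 bodies
# are placeholders, not real certificates; they only exercise split_chain.
SAMPLE_BUNDLE='-----BEGIN CERTIFICATE-----
MIIBplaceholderLEAFcertificateBODYxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIBplaceholderISSUINGcaBODYyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy
-----END CERTIFICATE-----'

# Offline demo: split the sample bundle into a temp dir; prints "2".
split_sample() {
    dir=$(mktemp -d)
    printf '%s\n' "$SAMPLE_BUNDLE" | split_chain "$dir/chain"
}

# Real use, e.g.:
#   fetch_chain example.com | split_chain chain; describe_chain chain
#   import_into_copy "$JAVA_HOME" chain-1.crt example-ca; check_alias example-ca
```

Importing the issuing CA (the last split file) rather than the leaf means the import survives the server's next certificate renewal; for a self-signed server the leaf is the only thing there is to import. Run the JVM with the printed -Djavax.net.ssl.trustStore flag, or copy the file over the JRE's cacerts if you prefer the in-place approach from the steps above.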

If you still have problems after this, check the following points:

1. Make sure you have imported the public certificate of the target instance into the truststore according to the Connecting to SSL Services instructions.
2. Make sure any certificates have been imported into the correct truststore; you may have multiple JRE/JDKs. See Installing Java for this.
3. Check to see that the correct truststore is in use. If -Djavax.net.ssl.trustStore has been configured, it will override the location of the default truststore, which will need to be checked.
4. Check if your antivirus tool has "SSL Scanning" blocking SSL/TLS. If it does, disable this feature or set exceptions for the target addresses (check the product documentation to see if this is possible).
5. If connecting to a mail server, such as Exchange, ensure authentication allows plain text.
6. Verify that the target server is configured to serve SSL correctly. This can be done with the SSL Server Test tool.
7. If all else fails, your truststore might be out of date. Upgrade Java to the latest version supported by your application.

That is:

1. Make sure the target server's public certificate has been imported into the truststore (also called the keystore). See the "Connecting to SSL Services" instructions for this.

2. Make sure the certificate was imported into the correct truststore; your environment may have several JRE/JDKs. Import it into the truststore of the JRE/JDK that is actually in use.

3. Verify that the correct truststore is in use: if -Djavax.net.ssl.trustStore is set, it overrides the JRE/JDK's default truststore.

4. Check whether an antivirus tool's "SSL Scanning" is blocking SSL/TLS. If so, disable that feature or add an exception for the target address.

5. If you are connecting to a mail server (such as Exchange), make sure authentication allows plain text.

6. Check that the target server is configured to serve SSL correctly. The SSL Server Test tool can be used for this.

7. If your server sits behind a proxy (client -> Proxy -> web server (Apache) -> server), add an exemption for that server, e.g. via "http.nonProxyHosts".

8. If all of the above checks out and the problem persists, your truststore may be out of date; upgrade to the latest Java version your application supports.


References:

https://confluence.atlassian.com/kb/unable-to-connect-to-ssl-services-due-to-pkix-path-building-failed-779355358.html

https://confluence.atlassian.com/kb/connecting-to-ssl-services-802171215.html
