当前位置: 文江博客 话题详情

无法找到请求目标的有效证书路径 - 即使在导入证书后也会出现错误

发布于 2025-01-04 12:38:03 字数 646 浏览 1 评论 0 原文

我有一个 Java 客户端尝试使用自签名证书访问服务器。

当我尝试发布到服务器时,出现以下错误:

无法找到请求目标的有效认证路径

在对该问题进行了一些研究后,我执行了以下操作。

  1. 将我的服务器域名保存为 root.cer 文件。

  2. 在我的 Glassfish 服务器的 JRE 中,我运行了以下命令:

    keytool -import -alias example -keystore cacerts -file root.cer

  3. 为了检查证书是否已成功添加到我的 cacert,我执行了以下操作:

    keytool -list -v -keystore cacerts

    我可以看到证书存在。

  4. 然后我重新启动 Glassfish 并重试“发布”。

我仍然遇到同样的错误。

我有一种感觉,这是因为我的 Glassfish 实际上并未读取我修改过的 cacert 文件,而可能读取其他文件。

你们中有人遇到过这个问题吗?可以将我推向正确的方向吗?

原文

I have a Java client trying to access a server with a self-signed certificate.

When I try to Post to the server, I get the following error:

unable to find valid certification path to requested target

Having done some research on the issue, I then did the following.

  1. Saved my servers domain name as a root.cer file.

  2. In my Glassfish server's JRE, I ran this:

    keytool -import -alias example -keystore cacerts -file root.cer

  3. To check the cert was added to my cacert successfully, I did this:

    keytool -list -v -keystore cacerts

    I can see the cert is present.

  4. I then restarted Glassfish and retried the 'post'.

I am still getting the same error.

I have a feeling this is because my Glassfish is not actually reading the cacert file that I have amended but maybe some other one.

Have any of you had this issue and can push me in the right direction?

如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。

扫码二维码加入Web技术交流群

发布评论

需要 登录 才能够评论, 你可以免费 注册 一个本站的账号。

评论(21

つ可否回来 2025-01-11 12:38:03

不幸的是 - 这可能是很多事情 - 并且许多应用程序服务器和其他 java“包装器”很容易使用属性和它们“自己的”钥匙串等。所以它可能会看到完全不同的东西。

缺少桁架-我会尝试:

java -Djavax.net.debug=all -Djavax.net.ssl.trustStore=trustStore ...

看看这是否有帮助。除了“全部”之外,还可以将其设置为“ssl”、密钥管理器和信任管理器 - 这可能对您的情况有所帮助。将其设置为“帮助”将在大多数平台上列出如下所示的内容。

无论如何 - 请确保您完全理解密钥库(其中您拥有私钥和证明您自己身份的证书)和信任库(决定您信任的人)之间的区别 - 以及您自己的身份也有一条到根的信任“链”——它与任何到根的信任链是分开的,您需要找出您信任的“谁”。

all            turn on all debugging
ssl            turn on ssl debugging

The   following can be used with ssl:
    record       enable per-record tracing
    handshake    print each handshake message
    keygen       print key generation data
    session      print session activity
    defaultctx   print default SSL initialization
    sslctx       print SSLContext tracing
    sessioncache print session cache tracing
    keymanager   print key manager tracing
    trustmanager print trust manager tracing
    pluggability print pluggability tracing

    handshake debugging can be widened with:
    data         hex dump of each handshake message
    verbose      verbose handshake message printing

    record debugging can be widened with:
    plaintext    hex dump of record plaintext
    packet       print raw SSL/TLS packets

来源:http://download. oracle.com/javase/1.5.0/docs/guide/security/jsse/JSSERefGuide.html#Debug

Unfortunately - it could be many things - and lots of app servers and other java 'wrappers' are prone to play with properties and their 'own' take on keychains and what not. So it may be looking at something totally different.

Short of truss-ing - I'd try:

java -Djavax.net.debug=all -Djavax.net.ssl.trustStore=trustStore ...

to see if that helps. Instead of 'all' one can also set it to 'ssl', key manager and trust manager - which may help in your case. Setting it to 'help' will list something like below on most platforms.

Regardless - do make sure you fully understand the difference between the keystore (in which you have the private key and cert you prove your own identity with) and the trust store (which determines who you trust) - and the fact that your own identity also has a 'chain' of trust to the root - which is separate from any chain to a root you need to figure out 'who' you trust.

all            turn on all debugging
ssl            turn on ssl debugging

The   following can be used with ssl:
    record       enable per-record tracing
    handshake    print each handshake message
    keygen       print key generation data
    session      print session activity
    defaultctx   print default SSL initialization
    sslctx       print SSLContext tracing
    sessioncache print session cache tracing
    keymanager   print key manager tracing
    trustmanager print trust manager tracing
    pluggability print pluggability tracing

    handshake debugging can be widened with:
    data         hex dump of each handshake message
    verbose      verbose handshake message printing

    record debugging can be widened with:
    plaintext    hex dump of record plaintext
    packet       print raw SSL/TLS packets

Source: http://download.oracle.com/javase/1.5.0/docs/guide/security/jsse/JSSERefGuide.html#Debug

回复 原文
深陷 2025-01-11 12:38:03

这是解决方案,请按照以下链接逐步操作:

http://www.mkyong.com/webservices/jax-ws/suncertpathbuilderException-unable-to-find-valid-certification-path-to-requested-target/

JAVA 文件:博客中缺失

/*
 * Copyright 2006 Sun Microsystems, Inc.  All Rights Reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 *
 *   - Redistributions of source code must retain the above copyright
 *     notice, this list of conditions and the following disclaimer.
 *
 *   - Redistributions in binary form must reproduce the above copyright
 *     notice, this list of conditions and the following disclaimer in the
 *     documentation and/or other materials provided with the distribution.
 *
 *   - Neither the name of Sun Microsystems nor the names of its
 *     contributors may be used to endorse or promote products derived
 *     from this software without specific prior written permission.
 *
 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS
 * IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
 * THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
 * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR
 * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
 * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
 * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
 * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
 * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
 * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
 * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 */



import java.io.*;
import java.net.URL;

import java.security.*;
import java.security.cert.*;

import javax.net.ssl.*;

public class InstallCert {

    public static void main(String[] args) throws Exception {
    String host;
    int port;
    char[] passphrase;
    if ((args.length == 1) || (args.length == 2)) {
        String[] c = args[0].split(":");
        host = c[0];
        port = (c.length == 1) ? 443 : Integer.parseInt(c[1]);
        String p = (args.length == 1) ? "changeit" : args[1];
        passphrase = p.toCharArray();
    } else {
        System.out.println("Usage: java InstallCert <host>[:port] [passphrase]");
        return;
    }

    File file = new File("jssecacerts");
    if (file.isFile() == false) {
        char SEP = File.separatorChar;
        File dir = new File(System.getProperty("java.home") + SEP
            + "lib" + SEP + "security");
        file = new File(dir, "jssecacerts");
        if (file.isFile() == false) {
        file = new File(dir, "cacerts");
        }
    }
    System.out.println("Loading KeyStore " + file + "...");
    InputStream in = new FileInputStream(file);
    KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
    ks.load(in, passphrase);
    in.close();

    SSLContext context = SSLContext.getInstance("TLS");
    TrustManagerFactory tmf =
        TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
    tmf.init(ks);
    X509TrustManager defaultTrustManager = (X509TrustManager)tmf.getTrustManagers()[0];
    SavingTrustManager tm = new SavingTrustManager(defaultTrustManager);
    context.init(null, new TrustManager[] {tm}, null);
    SSLSocketFactory factory = context.getSocketFactory();

    System.out.println("Opening connection to " + host + ":" + port + "...");
    SSLSocket socket = (SSLSocket)factory.createSocket(host, port);
    socket.setSoTimeout(10000);
    try {
        System.out.println("Starting SSL handshake...");
        socket.startHandshake();
        socket.close();
        System.out.println();
        System.out.println("No errors, certificate is already trusted");
    } catch (SSLException e) {
        System.out.println();
        e.printStackTrace(System.out);
    }

    X509Certificate[] chain = tm.chain;
    if (chain == null) {
        System.out.println("Could not obtain server certificate chain");
        return;
    }

    BufferedReader reader =
        new BufferedReader(new InputStreamReader(System.in));

    System.out.println();
    System.out.println("Server sent " + chain.length + " certificate(s):");
    System.out.println();
    MessageDigest sha1 = MessageDigest.getInstance("SHA1");
    MessageDigest md5 = MessageDigest.getInstance("MD5");
    for (int i = 0; i < chain.length; i++) {
        X509Certificate cert = chain[i];
        System.out.println
            (" " + (i + 1) + " Subject " + cert.getSubjectDN());
        System.out.println("   Issuer  " + cert.getIssuerDN());
        sha1.update(cert.getEncoded());
        System.out.println("   sha1    " + toHexString(sha1.digest()));
        md5.update(cert.getEncoded());
        System.out.println("   md5     " + toHexString(md5.digest()));
        System.out.println();
    }

    System.out.println("Enter certificate to add to trusted keystore or 'q' to quit: [1]");
    String line = reader.readLine().trim();
    int k;
    try {
        k = (line.length() == 0) ? 0 : Integer.parseInt(line) - 1;
    } catch (NumberFormatException e) {
        System.out.println("KeyStore not changed");
        return;
    }

    X509Certificate cert = chain[k];
    String alias = host + "-" + (k + 1);
    ks.setCertificateEntry(alias, cert);

    OutputStream out = new FileOutputStream("jssecacerts");
    ks.store(out, passphrase);
    out.close();

    System.out.println();
    System.out.println(cert);
    System.out.println();
    System.out.println
        ("Added certificate to keystore 'jssecacerts' using alias '"
        + alias + "'");
    }

    private static final char[] HEXDIGITS = "0123456789abcdef".toCharArray();

    private static String toHexString(byte[] bytes) {
        StringBuilder sb = new StringBuilder(bytes.length * 3);
        for (int b : bytes) {
            b &= 0xff;
            sb.append(HEXDIGITS[b >> 4]);
            sb.append(HEXDIGITS[b & 15]);
            sb.append(' ');
        }
        return sb.toString();
    }

    private static class SavingTrustManager implements X509TrustManager {

    private final X509TrustManager tm;
    private X509Certificate[] chain;

    SavingTrustManager(X509TrustManager tm) {
        this.tm = tm;
    }

    public X509Certificate[] getAcceptedIssuers() {
        throw new UnsupportedOperationException();
    }

    public void checkClientTrusted(X509Certificate[] chain, String authType)
        throws CertificateException {
        throw new UnsupportedOperationException();
    }

    public void checkServerTrusted(X509Certificate[] chain, String authType)
        throws CertificateException {
        this.chain = chain;
        tm.checkServerTrusted(chain, authType);
    }
    }

}

Here is the solution , follow the below link Step by Step :

http://www.mkyong.com/webservices/jax-ws/suncertpathbuilderexception-unable-to-find-valid-certification-path-to-requested-target/

JAVA FILE : which is missing from the blog

/*
 * Copyright 2006 Sun Microsystems, Inc.  All Rights Reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 *
 *   - Redistributions of source code must retain the above copyright
 *     notice, this list of conditions and the following disclaimer.
 *
 *   - Redistributions in binary form must reproduce the above copyright
 *     notice, this list of conditions and the following disclaimer in the
 *     documentation and/or other materials provided with the distribution.
 *
 *   - Neither the name of Sun Microsystems nor the names of its
 *     contributors may be used to endorse or promote products derived
 *     from this software without specific prior written permission.
 *
 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS
 * IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
 * THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
 * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR
 * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
 * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
 * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
 * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
 * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
 * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
 * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 */



import java.io.*;
import java.net.URL;

import java.security.*;
import java.security.cert.*;

import javax.net.ssl.*;

public class InstallCert {

    public static void main(String[] args) throws Exception {
    String host;
    int port;
    char[] passphrase;
    if ((args.length == 1) || (args.length == 2)) {
        String[] c = args[0].split(":");
        host = c[0];
        port = (c.length == 1) ? 443 : Integer.parseInt(c[1]);
        String p = (args.length == 1) ? "changeit" : args[1];
        passphrase = p.toCharArray();
    } else {
        System.out.println("Usage: java InstallCert <host>[:port] [passphrase]");
        return;
    }

    File file = new File("jssecacerts");
    if (file.isFile() == false) {
        char SEP = File.separatorChar;
        File dir = new File(System.getProperty("java.home") + SEP
            + "lib" + SEP + "security");
        file = new File(dir, "jssecacerts");
        if (file.isFile() == false) {
        file = new File(dir, "cacerts");
        }
    }
    System.out.println("Loading KeyStore " + file + "...");
    InputStream in = new FileInputStream(file);
    KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
    ks.load(in, passphrase);
    in.close();

    SSLContext context = SSLContext.getInstance("TLS");
    TrustManagerFactory tmf =
        TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
    tmf.init(ks);
    X509TrustManager defaultTrustManager = (X509TrustManager)tmf.getTrustManagers()[0];
    SavingTrustManager tm = new SavingTrustManager(defaultTrustManager);
    context.init(null, new TrustManager[] {tm}, null);
    SSLSocketFactory factory = context.getSocketFactory();

    System.out.println("Opening connection to " + host + ":" + port + "...");
    SSLSocket socket = (SSLSocket)factory.createSocket(host, port);
    socket.setSoTimeout(10000);
    try {
        System.out.println("Starting SSL handshake...");
        socket.startHandshake();
        socket.close();
        System.out.println();
        System.out.println("No errors, certificate is already trusted");
    } catch (SSLException e) {
        System.out.println();
        e.printStackTrace(System.out);
    }

    X509Certificate[] chain = tm.chain;
    if (chain == null) {
        System.out.println("Could not obtain server certificate chain");
        return;
    }

    BufferedReader reader =
        new BufferedReader(new InputStreamReader(System.in));

    System.out.println();
    System.out.println("Server sent " + chain.length + " certificate(s):");
    System.out.println();
    MessageDigest sha1 = MessageDigest.getInstance("SHA1");
    MessageDigest md5 = MessageDigest.getInstance("MD5");
    for (int i = 0; i < chain.length; i++) {
        X509Certificate cert = chain[i];
        System.out.println
            (" " + (i + 1) + " Subject " + cert.getSubjectDN());
        System.out.println("   Issuer  " + cert.getIssuerDN());
        sha1.update(cert.getEncoded());
        System.out.println("   sha1    " + toHexString(sha1.digest()));
        md5.update(cert.getEncoded());
        System.out.println("   md5     " + toHexString(md5.digest()));
        System.out.println();
    }

    System.out.println("Enter certificate to add to trusted keystore or 'q' to quit: [1]");
    String line = reader.readLine().trim();
    int k;
    try {
        k = (line.length() == 0) ? 0 : Integer.parseInt(line) - 1;
    } catch (NumberFormatException e) {
        System.out.println("KeyStore not changed");
        return;
    }

    X509Certificate cert = chain[k];
    String alias = host + "-" + (k + 1);
    ks.setCertificateEntry(alias, cert);

    OutputStream out = new FileOutputStream("jssecacerts");
    ks.store(out, passphrase);
    out.close();

    System.out.println();
    System.out.println(cert);
    System.out.println();
    System.out.println
        ("Added certificate to keystore 'jssecacerts' using alias '"
        + alias + "'");
    }

    private static final char[] HEXDIGITS = "0123456789abcdef".toCharArray();

    private static String toHexString(byte[] bytes) {
        StringBuilder sb = new StringBuilder(bytes.length * 3);
        for (int b : bytes) {
            b &= 0xff;
            sb.append(HEXDIGITS[b >> 4]);
            sb.append(HEXDIGITS[b & 15]);
            sb.append(' ');
        }
        return sb.toString();
    }

    private static class SavingTrustManager implements X509TrustManager {

    private final X509TrustManager tm;
    private X509Certificate[] chain;

    SavingTrustManager(X509TrustManager tm) {
        this.tm = tm;
    }

    public X509Certificate[] getAcceptedIssuers() {
        throw new UnsupportedOperationException();
    }

    public void checkClientTrusted(X509Certificate[] chain, String authType)
        throws CertificateException {
        throw new UnsupportedOperationException();
    }

    public void checkServerTrusted(X509Certificate[] chain, String authType)
        throws CertificateException {
        this.chain = chain;
        tm.checkServerTrusted(chain, authType);
    }
    }

}
回复 原文
北城半夏 2025-01-11 12:38:03

您需要配置 JSSE 系统属性,特别是指向客户端证书存储。

通过命令行:

java -Djavax.net.ssl.trustStore=truststores/client.ts com.progress.Client

或通过 Java 代码:

import java.util.Properties;
    ...
    Properties systemProps = System.getProperties();
    systemProps.put("javax.net.ssl.keyStorePassword","passwordForKeystore");
    systemProps.put("javax.net.ssl.keyStore","pathToKeystore.ks");
    systemProps.put("javax.net.ssl.trustStore", "pathToTruststore.ts");
    systemProps.put("javax.net.ssl.trustStorePassword","passwordForTrustStore");
    System.setProperties(systemProps);
    ...

有关更多信息,请参阅 RedHat 站点

You need to configuring JSSE System Properties, specifically point to client certificate store.

Via command line:

java -Djavax.net.ssl.trustStore=truststores/client.ts com.progress.Client

or via Java code:

import java.util.Properties;
    ...
    Properties systemProps = System.getProperties();
    systemProps.put("javax.net.ssl.keyStorePassword","passwordForKeystore");
    systemProps.put("javax.net.ssl.keyStore","pathToKeystore.ks");
    systemProps.put("javax.net.ssl.trustStore", "pathToTruststore.ts");
    systemProps.put("javax.net.ssl.trustStorePassword","passwordForTrustStore");
    System.setProperties(systemProps);
    ...

For more refer to details on RedHat site.

回复 原文
单身狗的梦 2025-01-11 12:38:03

(转发自我的其他回复 )
使用 java 软件发行版中的 cli 实用程序 keytool 导入(和信任!)所需的证书

示例:

  1. 从 cli 将目录更改为 jre\bin

  2. 检查密钥库(在 jre\bin 目录中找到的文件)
    keytool -list -keystore ..\lib\security\cacerts
    密码是changeit

  3. 从所需服务器下载并保存链中的所有证书。

  4. 添加证书(在需要删除文件 ..\lib\security\cacerts 上的“只读”属性之前),运行:

    keytool -alias REPLACE_TO_ANY_UNIQ_NAME -import -keystore.\lib\security\cacerts -file "r:\root.crt"

无意间发现了这么简单的提示。
其他解决方案需要使用 InstallCert.Java 和 JDK

源:http://www. java-samples.com/showtutorial.php?tutorialid=210

(repost from my other response)
Use cli utility keytool from java software distribution for import (and trust!) needed certificates

Sample:

  1. From cli change dir to jre\bin

  2. Check keystore (file found in jre\bin directory)
    keytool -list -keystore ..\lib\security\cacerts
    Password is changeit

  3. Download and save all certificates in chain from needed server.

  4. Add certificates (before need to remove "read-only" attribute on file ..\lib\security\cacerts), run:

    keytool -alias REPLACE_TO_ANY_UNIQ_NAME -import -keystore.\lib\security\cacerts -file "r:\root.crt"

accidentally I found such a simple tip.
Other solutions require the use of InstallCert.Java and JDK

source: http://www.java-samples.com/showtutorial.php?tutorialid=210

回复 原文
酒解孤独 2025-01-11 12:38:03

我在尝试从使用自签名证书的应用程序访问 https 网址时遇到此错误。
他们提供的是一个 .cert 文件,我不知道该把它放在哪里。我通过以下方式解决了这个问题:

keytool位置位于JDK/bin文件夹下

方法1:将证书添加到默认Java信任库 - cacerts:

keytool -import -alias myCert -file C://certificate.cert -keystore C://Program Files//Java//jdk1.8.0_271//jre//lib//security//cacerts

密码:changeit

方法2:

创建信任存储:

keytool -import -alias myCert -file C://certificate.cert -keystore myTrustStore

它会向您提供以下提示,可以填写为:

Enter keystore password:changeit
Re-enter new password:changeit
Trust this certificate?yes

这将在运行此命令的文件夹内创建一个 myTrustStore 文件。
将此“mytrustStore”复制到方便的位置。

使用信任存储

当您运行应用程序/服务器时,传递以下 JVM 参数:

-Djavax.net.ssl.trustStore=C://myTrustStore -Djavax.net.ssl.trustStorePassword=changeit

I came across this error while trying to access a https url from my application which was using self-signed certificate.
What they provide is a .cert file and I was not sure where to put that. I solved it the following way:

keytool location is under JDK/bin folder

Method 1: Add the certificate to default Java Truststore - cacerts:

keytool -import -alias myCert -file C://certificate.cert -keystore C://Program Files//Java//jdk1.8.0_271//jre//lib//security//cacerts

Password: changeit

Method 2:

Create a Trust Store:

keytool -import -alias myCert -file C://certificate.cert -keystore myTrustStore

It gives you the following prompts, which can be filled up as:

Enter keystore password:changeit
Re-enter new password:changeit
Trust this certificate?yes

This will create a myTrustStore file inside a folder where you ran this command.
Copy this "mytrustStore" to a convenient location.

Use the Trust Store:

While you are running your application/server pass these JVM arguments:

-Djavax.net.ssl.trustStore=C://myTrustStore -Djavax.net.ssl.trustStorePassword=changeit
回复 原文
月依秋水 2025-01-11 12:38:03

我在 sbt 上遇到了同样的问题。
它尝试通过 ssl 从 repo1.maven.org 获取依赖项
但表示“无法找到请求的目标网址的有效认证路径”。
所以我关注了这篇文章
但仍然无法验证连接。
所以我读到了它,发现根证书是不够的,正如帖子所建议的,所以 -
对我有用的事情是将中间 CA 证书导入密钥库
实际上,我添加了链中的所有证书,它的作用就像一个魅力。

I had the same problem with sbt.
It tried to fetch dependencies from repo1.maven.org over ssl
but said it was "unable to find valid certification path to requested target url".
so I followed this post
and still failed to verify a connection.
So I read about it and found that the root cert is not enough, as was suggested by the post,so -
the thing that worked for me was importing the intermediate CA certificates into the keystore.
I actually added all the certificates in the chain and it worked like a charm.

回复 原文
指尖微凉心微凉 2025-01-11 12:38:03

从 JDK 8 迁移到 JDK 10 时的解决方案

JDK 10

root@c339504909345:/opt/jdk-minimal/jre/lib/security #  keytool -cacerts -list
Enter keystore password:
Keystore type: JKS
Keystore provider: SUN

Your keystore contains 80 entries

JDK 8

root@c39596768075:/usr/lib/jvm/java-8-openjdk-amd64/jre/lib/security/cacerts #  keytool -cacerts -list
Enter keystore password:
Keystore type: JKS
Keystore provider: SUN

Your keystore contains 151 entries

修复步骤

  • 我删除了 JDK 10 证书并将其替换为 JDK 8
  • 因为我正在构建 Docker 映像,我可以使用多阶段构建快速做到这一点
    • 我正在使用 jlink 作为 /opt/jdk/bin/jlink \ 构建一个最小的 JRE
      --模块路径/opt/jdk/jmods...

所以,这是不同的路径和命令顺序...

# Java 8
COPY --from=marcellodesales-springboot-builder-jdk8 /usr/lib/jvm/java-8-openjdk-amd64/jre/lib/security/cacerts /etc/ssl/certs/java/cacerts

# Java 10
RUN rm -f /opt/jdk-minimal/jre/lib/security/cacerts
RUN ln -s /etc/ssl/certs/java/cacerts /opt/jdk-minimal/jre/lib/security/cacerts

Solution when migrating from JDK 8 to JDK 10

JDK 10

root@c339504909345:/opt/jdk-minimal/jre/lib/security #  keytool -cacerts -list
Enter keystore password:
Keystore type: JKS
Keystore provider: SUN

Your keystore contains 80 entries

JDK 8

root@c39596768075:/usr/lib/jvm/java-8-openjdk-amd64/jre/lib/security/cacerts #  keytool -cacerts -list
Enter keystore password:
Keystore type: JKS
Keystore provider: SUN

Your keystore contains 151 entries

Steps to fix

  • I deleted the JDK 10 cert and replaced it with the JDK 8
  • Since I'm building Docker Images, I could quickly do that using Multi-stage builds
    • I'm building a minimal JRE using jlink as /opt/jdk/bin/jlink \
      --module-path /opt/jdk/jmods...

So, here's the different paths and the sequence of the commands...

# Java 8
COPY --from=marcellodesales-springboot-builder-jdk8 /usr/lib/jvm/java-8-openjdk-amd64/jre/lib/security/cacerts /etc/ssl/certs/java/cacerts

# Java 10
RUN rm -f /opt/jdk-minimal/jre/lib/security/cacerts
RUN ln -s /etc/ssl/certs/java/cacerts /opt/jdk-minimal/jre/lib/security/cacerts
回复 原文
画骨成沙 2025-01-11 12:38:03

我正在 www.udemy.com(REST Java Web 服务)上编写 REST Web 服务教程。本教程中的示例表示,为了拥有 SSL,我们必须在 Eclipse“客户端”项目中有一个名为“trust_store”的文件夹,其中应包含“密钥存储”文件(我们有一个“客户端”项目来调用服务) ,以及包含 REST Web 服务的“服务”项目 - 同一 Eclipse 工作区中的 2 个项目,一个是客户端,另一个是服务)。为了简单起见,他们说从我们正在使用的 glassfish 应用服务器 (glassfish\domains\domain1\config\keystore.jks) 复制“keystore.jks”并将其放入他们让我创建的“trust_store”文件夹中客户项目。这似乎是有道理的:服务器 key_store 中的自签名证书将对应于客户端 trust_store 中的证书。现在,这样做时,我收到了原始帖子提到的错误。我用谷歌搜索了这个并读到错误是由于客户端上的“keystore.jks”文件不包含受信任/签名的证书,它找到的证书是自签名的。

为了让事情清楚,让我说,据我了解,“keystore.jks”包含自签名证书,“cacerts.jks”文件包含 CA 证书(由 CA 签名)。 “keystore.jks”是“密钥库”,“cacerts.jks”是“信任库”。正如评论者“Bruno”在上面所说,“keystore.jks”是本地的,“cacerts.jks”是用于远程客户端的。

所以,我对自己说,嘿,glassfish 还有“cacerts.jks”文件,这是 glassfish 的 trust_store 文件。 cacerts.jsk 应该包含 CA 证书。显然我需要我的 trust_store 文件夹包含一个至少具有一个 CA 证书的密钥存储文件。因此,我尝试将“cacerts.jks”文件放入我在客户端项目上创建的“trust_store”文件夹中,并将虚拟机属性更改为指向“cacerts.jks”而不是“keystore.jks”。这样就消除了错误。我想它只需要一个 CA 证书就可以工作。

这对于生产来说可能并不理想,甚至对于除了让某些东西发挥作用之外的开发也是不理想的。例如,您可以使用“keytool”命令将 CA 证书添加到客户端中的“keystore.jks”文件中。但无论如何,希望这至少可以缩小可能导致错误的情况的范围。

另外:我的方法似乎对客户端有用(服务器证书添加到客户端 trust_store),看起来上面解决原始帖子的评论对服务器有用(客户端证书添加到服务器 trust_store)。干杯。

Eclipse 项目设置:

  • MyClientProject
  • src
  • test
  • JRE System Library
  • ...
  • trust_store
    ---cacerts.jks
    keystore.jks片段:

---MyClientProject.java文件中的

static {
  // Setup the trustStore location and password
  System.setProperty("javax.net.ssl.trustStore","trust_store/cacerts.jks");
  // comment out below line
  System.setProperty("javax.net.ssl.trustStore","trust_store/keystore.jks");
  System.setProperty("javax.net.ssl.trustStorePassword", "changeit");
  //System.setProperty("javax.net.debug", "all");

  // for localhost testing only
  javax.net.ssl.HttpsURLConnection.setDefaultHostnameVerifier(new javax.net.ssl.HostnameVerifier() {
        public boolean verify(String hostname, javax.net.ssl.SSLSession sslSession) {
          return hostname.equals("localhost");
        }

  });
}

I am working on a tutorial for REST web services at www.udemy.com (REST Java Web Services). The example in the tutorial said that in order to have SSL, we must have a folder called "trust_store" in my eclipse "client" project that should contain a "key store" file (we had a "client" project to call the service, and "service" project that contained the REST web service - 2 projects in the same eclipse workspace, one the client, the other the service). To keep things simple, they said to copy "keystore.jks" from the glassfish app server (glassfish\domains\domain1\config\keystore.jks) we are using and put it into this "trust_store" folder that they had me make in the client project. That seems to make sense: the self-signed certs in the server's key_store would correspond to the certs in the client trust_store. Now, doing this, I was getting the error that the original post mentions. I have googled this and read that the error is due to the "keystore.jks" file on the client not containing a trusted/signed certificate, that the certificate it finds is self-signed.

To keep things clear, let me say that as I understand it, the "keystore.jks" contains self-signed certs, and the "cacerts.jks" file contains CA certs (signed by the CA). The "keystore.jks" is the "keystore" and the "cacerts.jks" is the "trust store". As "Bruno", a commenter, says above, "keystore.jks" is local, and "cacerts.jks" is for remote clients.

So, I said to myself, hey, glassfish also has the "cacerts.jks" file, which is glassfish's trust_store file. cacerts.jsk is supposed to contain CA certificates. And apparently I need my trust_store folder to contain a key store file that has at least one CA certificate. So, I tried putting the "cacerts.jks" file in the "trust_store" folder I had made, on my client project, and changing the VM properties to point to "cacerts.jks" instead of "keystore.jks". That got rid of the error. I guess all it needed was a CA cert to work.

This may not be ideal for production, or even for development beyond just getting something to work. For instance you could probably use "keytool" command to add CA certs to the "keystore.jks" file in the client. But anyway hopefully this at least narrows down the possible scenarios that could be going on here to cause the error.

ALSO: my approach seemed to be useful for the client (server cert added to client trust_store), it looks like the comments above to resolve the original post are useful for the server (client cert added to server trust_store). Cheers.

Eclipse project setup:

  • MyClientProject
  • src
  • test
  • JRE System Library
  • ...
  • trust_store
    ---cacerts.jks
    ---keystore.jks

Snippet from MyClientProject.java file:

static {
  // Setup the trustStore location and password
  System.setProperty("javax.net.ssl.trustStore","trust_store/cacerts.jks");
  // comment out below line
  System.setProperty("javax.net.ssl.trustStore","trust_store/keystore.jks");
  System.setProperty("javax.net.ssl.trustStorePassword", "changeit");
  //System.setProperty("javax.net.debug", "all");

  // for localhost testing only
  javax.net.ssl.HttpsURLConnection.setDefaultHostnameVerifier(new javax.net.ssl.HostnameVerifier() {
        public boolean verify(String hostname, javax.net.ssl.SSLSession sslSession) {
          return hostname.equals("localhost");
        }

  });
}
回复 原文
∞觅青森が 2025-01-11 12:38:03

在这个问题上浪费了很多时间。如果您导入了证书,您可以在此处看到它列出。

keytool -list -v -keystore $JAVA_HOME/lib/security/cacerts

然后创建新的,使用以下命令,替换 SITE_NAME、SITE_PORT、CERTIFICATE_NAME 和保存文件的路径。

echo -n | openssl s_client -connect SITE_NAME:SITE_PORT  \
| openssl x509 > /path/to/save/CERTIFICATE_NAME.cert

就我而言,我在使用 Keycloak 和 Spring 时遇到了问题。当我使用此命令创建证书并将其导入密钥库后,问题得到解决并且工作正常

Wasted a lot of time on that issue. If you imported the certificate and you can see it listed here.

keytool -list -v -keystore $JAVA_HOME/lib/security/cacerts

Then create the new one, with the following command, replace SITE_NAME, SITE_PORT, CERTIFICATE_NAME and path to save file.

echo -n | openssl s_client -connect SITE_NAME:SITE_PORT  \
| openssl x509 > /path/to/save/CERTIFICATE_NAME.cert

In my case, I experienced problem using Keycloak with Spring. After I created certificate with this command and imported to keystore, the problem was solved and it works fine

回复 原文
我的痛♀有谁懂 2025-01-11 12:38:03

我的问题是,通过软件更新在我的工作笔记本电脑上安装了云访问安全代理 NetSkope。这正在改变证书链,在将整个链导入我的 cacerts 密钥库后,我仍然无法通过我的 java 客户端连接到服务器。我禁用了 NetSkope 并且能够成功连接。

My problem was that a Cloud Access Security Broker, NetSkope, was installed on my work laptop through a software update. This was altering the certificate chain and I was still not able to connect to the server through my java client after importing the entire chain to my cacerts keystore. I disabled NetSkope and was able to successfully connect.

回复 原文
思念满溢 2025-01-11 12:38:03

检查文件 $JAVA_HOME/lib/security/cacerts 是否存在!
就我而言,它不是一个文件,而是一个到 /etc/ssl/certs/java/cacerts 的链接,而且这也是一个到其自身的链接(什么???),因此 JVM 可以'找不到该文件。

解决方案:
将真实的 cacerts 文件(您可以从另一个 JDK 进行操作)复制到 /etc/ssl/certs/java/ 目录,它将解决您的问题:)

Check if the file $JAVA_HOME/lib/security/cacerts exists!
In my case it was not a file but a link to /etc/ssl/certs/java/cacerts and also this was a link to itself (WHAT???) so due to it JVM can't find the file.

Solution:
Copy the real cacerts file (you can do it from another JDK) to /etc/ssl/certs/java/ directory and it'll solve your problem :)

回复 原文
纸短情长 2025-01-11 12:38:03

eclipse / Sts 用户注意事项:

由于 eclipse 使用自己的 JRE,因此您应该将证书添加到其自己的 JRE 密钥库中。
在我将证书添加到 Sts 的 JRE 之前,我遇到了这个问题。

SSL 日志:

`javax.net.ssl|DEBUG|1A|restartedMain|2021-12-06 23:04:00.874` IRST|TrustStoreManager.java:113|trustStore is: D:\sts-4.12.0.RELEASE\plugins\org.eclipse.justj.openjdk.hotspot.jre.full.win32.x86_64_16.0.2.v20210721-1149\jre\lib\security\cacerts
This is the full path: "sts-4.12.0.RELEASE\plugins\org.eclipse.justj.openjdk.hotspot.jre.full.win32.x86_64_16.0.2.v20210721-1149\jre\lib\security\cacerts"

note for eclipse / Sts users:

Because eclipse uses its own JRE, you should add certs to its own JRE keystore.
I had this issue until I added certs to Sts's JRE.

SSL log:

`javax.net.ssl|DEBUG|1A|restartedMain|2021-12-06 23:04:00.874` IRST|TrustStoreManager.java:113|trustStore is: D:\sts-4.12.0.RELEASE\plugins\org.eclipse.justj.openjdk.hotspot.jre.full.win32.x86_64_16.0.2.v20210721-1149\jre\lib\security\cacerts
This is the full path: "sts-4.12.0.RELEASE\plugins\org.eclipse.justj.openjdk.hotspot.jre.full.win32.x86_64_16.0.2.v20210721-1149\jre\lib\security\cacerts"
回复 原文
给我一枪 2025-01-11 12:38:03

SSL 模式

发生在我身上,因为我的配置包含 sslmode=verify-full。您可能需要将其更改为 sslmode=require。或者是一个等价的程序。

这也适用于从应用程序使用 SSL/TLS。

例如,IntelliJ IDEA 中的数据库客户端。您需要转到连接属性、SSH/SSL 选项卡,并将 Mode 设置为 Require

有关 SSL/TLS 模式的更多信息,例如:https://developers.cloudflare。 com/ssl/origin-configuration/ssl-modes/

SSL mode

Happened to me because my config included sslmode=verify-full. You may need to change this to sslmode=require. Or a programatic equivalent of that.

This also applies to using SSL/TLS from applications.

For instance, a Database client in IntelliJ IDEA's. There you need to go to the connection properties, SSH/SSL tab, and set Mode to Require.

More about SSL/TLS modes e.g here: https://developers.cloudflare.com/ssl/origin-configuration/ssl-modes/

回复 原文
Smile简单爱 2025-01-11 12:38:03

就我而言,jdbc mssql 连接字符串添加 trustServerCertificate=true; 解决了该问题。

In my case, jdbc mssql connection string add trustServerCertificate=true; fix the issue.

回复 原文
深爱不及久伴 2025-01-11 12:38:03

就我而言,我遇到了这个问题,因为在我的 tomcat 进程中,特定的密钥库是使用

-Djavax.net.ssl.trustStore=/pathtosomeselfsignedstore/truststore.jks

Wheras 给出的,我将证书导入到 JRE/lib/security 的 cacert 中,并且更改没有反映出来。
然后我执行了以下命令,其中 /tmp/cert1.test 包含目标服务器的证书

keytool -import -trustcacerts -keystore /pathtosomeselfsignedstore/truststore.jks -storepass password123 -noprompt -alias rapidssl-myserver -file /tmp/cert1.test

我们可以仔细检查证书导入是否成功

keytool -list -v -keystore /pathtosomeselfsignedstore/truststore.jks

,并查看是否根据别名 Rapidssl-myserver 找到您的 taget 服务器

In my case I was facing the problem because in my tomcat process specific keystore was given using 

-Djavax.net.ssl.trustStore=/pathtosomeselfsignedstore/truststore.jks

Wheras I was importing the certificate to the cacert of JRE/lib/security and the changes were not reflecting.
Then I did below command where /tmp/cert1.test contains the certificate of the target server

keytool -import -trustcacerts -keystore /pathtosomeselfsignedstore/truststore.jks -storepass password123 -noprompt -alias rapidssl-myserver -file /tmp/cert1.test

We can double check if the certificate import is successful

keytool -list -v -keystore /pathtosomeselfsignedstore/truststore.jks

and see if your taget server is found against alias rapidssl-myserver

回复 原文
陈甜 2025-01-11 12:38:03

就我而言,连接到 AWS Gov Postgres RDS 时遇到错误。 GOV RDS CA 证书有一个单独的链接 - https://s3.us-gov-west-1.amazonaws.com/rds-downloads/rds-combined-ca-us-gov-bundle.pem

将此 pem 证书添加到 java 的 cacerts 。您可以使用下面的脚本。

------WINDOWDS 步骤--------

  1. 使用 VSCODE 编辑器并安装 openssl、keytool 插件
  2. 在 C:/rds-ca 中创建一个目录
  3. ,放置“cacerts”文件和下面的脚本文件 -“addCerts.sh” dir 'rd-ca'
  4. 从 vscode 运行 :
    4.1 cd /c/rds-ca/
    4.2 ./addCerts.sh
  5. 将cacerts复制到${JAVA_HOME}/jre/lib/security

脚本代码:

#!/usr/bin/env sh

OLDDIR="$PWD"

CACERTS_FILE=cacerts

cd /c/rds-ca

echo "Downloading RDS certificates..."

curl  https://s3.us-gov-west-1.amazonaws.com/rds-downloads/rds-combined-ca-us-gov-bundle.pem > rds-combined-ca-bundle.pem

csplit -sk rds-combined-ca-bundle.pem "/-BEGIN CERTIFICATE-/" "{$(grep -c 'BEGIN CERTIFICATE' rds-combined-ca-bundle.pem | awk '{print $1 - 2}')}"

for CERT in xx*; do
    # extract a human-readable alias from the cert
    ALIAS=$(openssl x509 -noout -text -in $CERT |
                   perl -ne 'next unless /Subject:/; s/.*CN=//; print')
    echo "importing $ALIAS"
    
    keytool -import \
            -keystore  $CACERTS_FILE \
            -storepass changeit -noprompt \
            -alias "$ALIAS" -file $CERT
done

cd "$OLDDIR"
echo "$NEWDIR"

In my case, I was getting error connecting to AWS Gov Postgres RDS. There is a separate link for GOV RDS CA certs- https://s3.us-gov-west-1.amazonaws.com/rds-downloads/rds-combined-ca-us-gov-bundle.pem

Add this pem certs to cacerts of java. You can use below script.

------WINDOWDS STEPS-------

  1. Use VSCODE editor and install openssl, keytool plugins
  2. create a dir in C:/rds-ca
  3. place 'cacerts' file and below script file - 'addCerts.sh' inside dir 'rd-ca'
  4. run from vscode:
    4.1 cd /c/rds-ca/
    4.2 ./addCerts.sh
  5. Copy cacerts to ${JAVA_HOME}/jre/lib/security

Script code:

#!/usr/bin/env sh

OLDDIR="$PWD"

CACERTS_FILE=cacerts

cd /c/rds-ca

echo "Downloading RDS certificates..."

curl  https://s3.us-gov-west-1.amazonaws.com/rds-downloads/rds-combined-ca-us-gov-bundle.pem > rds-combined-ca-bundle.pem

csplit -sk rds-combined-ca-bundle.pem "/-BEGIN CERTIFICATE-/" "{$(grep -c 'BEGIN CERTIFICATE' rds-combined-ca-bundle.pem | awk '{print $1 - 2}')}"

for CERT in xx*; do
    # extract a human-readable alias from the cert
    ALIAS=$(openssl x509 -noout -text -in $CERT |
                   perl -ne 'next unless /Subject:/; s/.*CN=//; print')
    echo "importing $ALIAS"
    
    keytool -import \
            -keystore  $CACERTS_FILE \
            -storepass changeit -noprompt \
            -alias "$ALIAS" -file $CERT
done

cd "$OLDDIR"
echo "$NEWDIR"
回复 原文
萌逼全场 2025-01-11 12:38:03

我在 Windows 10 笔记本电脑上创建了一个 ubuntu,当我尝试从 https: 加载 CMAK 网站下载时遇到了问题: //github.com/yahoo/CMAK 站点。首先它给出了致命的 ssl 错误。

openssl s_client -showcerts -servername github.com -connect github.com:443 </dev/null 2>/dev/null | sed -n -e '/BEGIN\ CERTIFICATE/,/END\ CERTIFICATE/ p'  > github-com.pem

并使用以下命令(确保为 ca-cert 设置正确的路径)

cat github-com.pem | sudo tee -a /etc/ssl/certs/ca-certificates.crt

然后使用以下语句(确保证书的路径正确):

git config --global http.sslCAinfo /etc/ssl/certs/ca-certificates.crt

然后我能够下载 CMAK,但在尝试 时遇到问题./sbt clean 语句。它给出了 pkix path 错误。原因是我的 cacert 文件中没有存储我公司颁发的证书。

我已经下载了公司证书(谷歌了解如何操作)并按照本文将我下载的证书添加到 cacert 文件中。在./sbt之前再次使用sudo update-ca-certificates。这对我有用。

注意:执行上述步骤时,您可能需要在 root 和 exit 之间切换。

I created a ubuntu on my windows 10 laptop and I ran into issue when I was trying to load CMAK site download from https://github.com/yahoo/CMAK site. First it gave fatal ssl error.

openssl s_client -showcerts -servername github.com -connect github.com:443 </dev/null 2>/dev/null | sed -n -e '/BEGIN\ CERTIFICATE/,/END\ CERTIFICATE/ p'  > github-com.pem

and use the following command (make sure you put right path for ca-cert)

cat github-com.pem | sudo tee -a /etc/ssl/certs/ca-certificates.crt

Then use the following statement (make sure the path for cert is correct):

git config --global http.sslCAinfo /etc/ssl/certs/ca-certificates.crt

Then I was able to download CMAK but ran into issue when i tried ./sbt clean statement. It was giving a pkix path error. The reason is that I do not have my company issue cert stored in my cacert file.

I have downloaded the company cert (google on how to do it) and followed this article to add my downloaded cert to cacert file. Used sudo update-ca-certificates one more time before ./sbt. It worked for me.

Note: You may have to switch between root and exit when you are following above steps.

回复 原文
蔚蓝源自深海 2025-01-11 12:38:03

这就是我所做的。

我想在 Java 10 上开发应用程序,并且我有 Eclipse IDE 2020-06。
证书导入解决方案对我不起作用。
来确保源代码仍然针对 Java 10 进行编译:

    <maven.compiler.target>1.10</maven.compiler.target>
    <maven.compiler.source>1.10</maven.compiler.source>
    <maven.compiler.release>10</maven.compiler.release>

然后我安装了 Java 11 JDK,切换到最新的 Eclipse IDE(在 Java 11 上运行),并通过在 Maven POM 下添加这些语句 一种魅力;没有错误。

This is what I did.

I wanted to develop the app on Java 10, and I had the Eclipse IDE 2020-06.
The cert import solution did not work for me.
So then I installed Java 11 JDK, switched to the latest Eclipse IDE (which runs on Java 11), and made sure that the source-code still gets compiled against the Java 10, by adding these statemements under Maven POM:

    <maven.compiler.target>1.10</maven.compiler.target>
    <maven.compiler.source>1.10</maven.compiler.source>
    <maven.compiler.release>10</maven.compiler.release>

And it works like a charm; no errors.

回复 原文
探春 2025-01-11 12:38:03

在弄清楚一段时间后,我发现我没有在配置中添加我的信任库,所以在我的情况下,这帮助

我使用 springboot gradle(kotlin),所以你可以添加你的信任库,就像我的信任库存在于资源文件夹中一样。

tasks{
    bootRun {
        jvmArgs = listOf("-Djavax.net.ssl.trustStore=${projectDir}/src/main/resources/global_truststore.jks", "-Djavax.net.ssl.trustStorePassword=changeit",
                "-Dspring.config.location=classpath:/")
    }
}

I got the similar issue after figuring out for a while I find that I have not added my truststore in configurations so in my case this helped

I was using springboot gradle(kotlin) so you can add your truststore like this mine was present in resources folder.

tasks{
    bootRun {
        jvmArgs = listOf("-Djavax.net.ssl.trustStore=${projectDir}/src/main/resources/global_truststore.jks", "-Djavax.net.ssl.trustStorePassword=changeit",
                "-Dspring.config.location=classpath:/")
    }
}
回复 原文
北音执念 2025-01-11 12:38:03

我已经看到,使用相对路径指向 cacerts 根本不会导入我的可信证书,即使使用 keytool 列表列出时显示,使用绝对路径也可以完成工作(您可以使用 keystore explorer< 更好地检查它) /strong>) 传递是changeit

keytool -import -alias ca -file <<absolute_path>>\<<cacert>>.crt -keystore cacerts -storepass changeit

替换<<>>>使用您的用例中的值

I' ve seen that using a relative path to point to cacerts wasn´t importing my trusted cert at all even if shown when listed using keytool list, using absolute path did the work(you can check it better using keystore explorer) pass is changeit

keytool -import -alias ca -file <<absolute_path>>\<<cacert>>.crt -keystore cacerts -storepass changeit

replace <<>> with values from your use case

回复 原文
小…楫夜泊 2025-01-11 12:38:03

从服务器导出自签名证书:

openssl s_client -connect <server>:<port> -showcerts

这将输出证书详细信息。 之间的部分

-----BEGIN CERTIFICATE-----

复制:和:

-----END CERTIFICATE-----

(包括BEGIN 和END 行)

将此块保存到文件中,例如my-cert.pem

然后将此文件导入到您的 Java 密钥库:

keytool -import -trustcacerts -alias my-cert -file /path/to/my-cert.pem -keystore <JAVA_HOME>/lib/security/cacerts

重新启动您的 Java 应用程序,现在它将能够连接到服务器。

您可以参阅本文以了解有关此过程的更多详细信息:如何将自签名证书导入 Java 密钥库以进行本地开发

Export the self-signed certificate from the server:

openssl s_client -connect <server>:<port> -showcerts

This will output the certificate details. Copy the section between:

-----BEGIN CERTIFICATE-----

and:

-----END CERTIFICATE-----

(including the BEGIN and END lines)

Save this block to a file, e.g. my-cert.pem.

Then import this file to your Java Keystore:

keytool -import -trustcacerts -alias my-cert -file /path/to/my-cert.pem -keystore <JAVA_HOME>/lib/security/cacerts

Restart your Java application, now it will be able to connect to the server.

You can refer to this article for more details on this procedure: How to Import Self-Signed Certificates into Java Keystore for Local Development.

回复 原文
~没有更多了~

关于作者

似狗非友

暂无简介

文章
评论
26 人气
发私信

相关话题

更多

热门标签

操作系统 程序设计 IT运维 Linux系统管理 JavaScript 服务器应用 solaris C/C++ PHP Shell BSD Vue.js aix Oracle Python HTML 系统管理 HTML5 CSS 前端
更多

推荐作者

紫罗兰の梦幻

文章 0 评论 0

-2134

文章 0 评论 0

liuxuanli

文章 0 评论 0

意中人

文章 0 评论 0

○愚か者の日

文章 0 评论 0

xxhui

文章 0 评论 0

更多

友情链接

文江博客
    我们使用 Cookies 和其他技术来定制您的体验包括您的登录状态等。通过阅读我们的 隐私政策 了解更多相关信息。 单击 接受 或继续使用网站,即表示您同意使用 Cookies 和您的相关数据。
    原文