2013-09-24
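Scenario
The project's reconciliation system collects transaction records from third-party payment platforms. The transport is HTTPS with one-way authentication (the client must verify that the payment platform's gateway is trusted; the gateway does not authenticate the client at the protocol layer), and the communication layer is built mainly on the Apache HttpClient component.
During testing, we collected transaction records in the test environment (Linux) for about three months without any problem in the communication layer. After the project went live, the exception log filled with a large number of exceptions related to this project; their main meaning is that the certificate presented by the server is not trusted by our client.
Exception details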
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:294)
at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:200)
at sun.security.validator.Validator.validate(Validator.java:218)
at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:126)
at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:209)
at com.tvj.iphone.pay.unipay.AuthSSLX509TrustManager.checkServerTrusted(AuthSSLX509TrustManager.java:213)
at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1066)
at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:129)
at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Handshaker.java:530)
at com.sun.net.ssl.internal.ssl.Handshaker.process_record(Handshaker.java:465)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:884)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1121)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.writeRecord(SSLSocketImpl.java:623)
at com.sun.net.ssl.internal.ssl.AppOutputStream.write(AppOutputStream.java:59)
at java.io.BufferedOutputStream.flushBuffer(BufferedOutputStream.java:66)
at java.io.BufferedOutputStream.flush(BufferedOutputStream.java:124)
at org.apache.commons.httpclient.methods.EntityEnclosingMethod.writeRequestBody(EntityEnclosingMethod.java:508)
at org.apache.commons.httpclient.HttpMethodBase.writeRequest(HttpMethodBase.java:2114)
at org.apache.commons.httpclient.HttpMethodBase.execute(HttpMethodBase.java:1096)
at org.apache.commons.httpclient.HttpMethodDirector.executeWithRetry(HttpMethodDirector.java:398)
at org.apache.commons.httpclient.HttpMethodDirector.executeMethod(HttpMethodDirector.java:171)
at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:397)
at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:323)
at com.tvj.erp.payment.util.httpClient.HttpProtocolHandler.execute(HttpProtocolHandler.java:121)
at com.tvj.erp.payment.util.httpClient.HttpProtocolHandler.execute(HttpProtocolHandler.java:65)
at com.tvj.erp.payment.alipay.AbstractPaymentImpl4Alipay.doRequest(AbstractPaymentImpl4Alipay.java:148)
at com.tvj.erp.payment.alipay.AbstractPaymentImpl4Alipay.innerCollectsPaymentData(AbstractPaymentImpl4Alipay.java:94)
at com.tvj.erp.payment.alipay.AbstractPaymentImpl4Alipay.collectsPaymentData(AbstractPaymentImpl4Alipay.java:82)
at com.tvj.erp.payment.acquis.DefaultPaymentDataAcquisitionStratety.doDataAcquisition(DefaultPaymentDataAcquisitionStratety.java:48)
at com.tvj.erp.payment.PaymentDataAcquisition.doCollectsData(PaymentDataAcquisition.java:60)
... 2 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:174)
at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:238)
at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:289)
... 31 more
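Solution
Two files are involved:
1. %JAVA_HOME%\jre\lib\security\cacerts
2. %JAVA_HOME%\jre\lib\security\jssecacerts
Two approaches:
I. Add the certificate as trusted
There are again two ways to do this.
1.1. Set the trustStore through runtime system properties
"-Djavax.net.ssl.trustStore=/path/to/jssecacerts"
"-Djavax.net.ssl.trustStorePassword=truststorepassword"
1.2. Import the certificate manually with keytool
II. Implement custom certificate trust-management logic (this is risky)
III. Java security: importing a trusted certificate into the JRE
1. Open the target site in a browser, download its certificate and save it in cer format
2. Import it with keytool
2.1. Confirm the path of the trusted server's cer file: /tmp/Base64.alipay.cer
2.2. Confirm JAVA_HOME
2.3. keytool -import -trustcacerts -alias alipay.com -file /tmp/Base64_Alipay.cer -keystore /opt/jrockit-jdk1.6.0_20/jre/lib/security/cacerts -storepass changeit
2.4. Confirm the import when prompted (y)
2.5. Verify by viewing the certificate information
2.5.1. keytool -list -v -keystore $JAVA_HOME/jre/lib/security/cacerts -alias alipay.com
2.5.2. Enter the password changeit
2.5.3. Check the output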
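A programmatic version of the check in step 2.5, as an added example that is not part of the original post: it loads the truststore, confirms the imported alias is a trusted-certificate entry still within its validity period, and optionally runs a handshake against a host using only that store and the JDK's standard PKIX trust manager, with no custom TrustManager as in approach II. The class name TrustStoreCheck and the command-line arguments are assumptions; it requires Java 7 or later, and because the page does not give the gateway host name, the host is passed as an argument.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.TrustManagerFactory;

// Added example, not code from the original post. Requires Java 7 or later.
// Usage: java TrustStoreCheck [alias] [host] [truststore] [password]
public class TrustStoreCheck {
    public static void main(String[] args) throws Exception {
        String alias = args.length > 0 ? args[0] : "alipay.com"; // alias used in step 2.3
        String host = args.length > 1 ? args[1] : null;          // assumption: supplied by the caller
        String path = args.length > 2 ? args[2]
                : System.getProperty("java.home") + "/lib/security/cacerts";
        char[] pass = (args.length > 3 ? args[3] : "changeit").toCharArray();

        // Load the truststore that keytool modified.
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, pass);
        }
        // Same question as "keytool -list -alias": is the entry present and still valid?
        if (!ks.isCertificateEntry(alias)) {
            System.out.println("not a trusted-certificate entry: " + alias);
            System.exit(1);
        }
        X509Certificate cert = (X509Certificate) ks.getCertificate(alias);
        cert.checkValidity(); // throws if expired or not yet valid
        System.out.println(alias + " -> " + cert.getSubjectX500Principal()
                + ", expires " + cert.getNotAfter());
        if (host == null) return;

        // Trust only this store, validated by the JDK's own PKIX TrustManager.
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        try (SSLSocket s = (SSLSocket) ctx.getSocketFactory().createSocket(host, 443)) {
            SSLParameters p = s.getSSLParameters();
            p.setEndpointIdentificationAlgorithm("HTTPS"); // also verify the host name
            s.setSSLParameters(p);
            s.startHandshake(); // SSLHandshakeException here means path building still fails
            System.out.println("handshake OK: " + s.getSession().getPeerPrincipal());
        }
    }
}
```

Running it on both the test and the production host shows whether the two JREs actually hold the same trusted entries, which is the difference the scenario above ran into.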
2013-10-07
Notes on the Java keytool utility
This tool is mainly used to manage Java security certificates and keys: importing, exporting, deleting and changing certificate or key entries.
1. Create a certificate
keytool -genkeypair -alias "org.ybygjy.ca" -keyalg "RSA" -keystore "d:\ca.keystore"
2. List the keystore
keytool -list -keystore d:\ca.keystore
3. Export to a certificate file
keytool -export -alias org.ybygjy.ca -file d:\org.ybygjy.crt -keystore d:\ca.keystore
4. Import a certificate
keytool -import -keystore d:\ca.keystore -file d:\org.ybygjy.crt
5. View a certificate
keytool -printcert -file d:\org.ybygjy.crt
6. Delete an entry
keytool -delete -keystore d:\ca.keystore -alias org.ybygjy.ca
7. Change an entry's password
keytool -keypasswd -alias org.ybygjy.ca -keystore d:\ca.keystore
keytool -keypasswd -alias org.ybygjy.ca -keypass abcdefaaf -new abeedcedc -storepass changeit -keystore d:\ca.keystore