Resolving javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed Error?

名媛妹妹 2020-11-21 05:59

Edit: I tried to format the question and accepted answer in a more presentable way on my blog.

Here is the original issue.

22 answers
  • 2020-11-21 06:16

    For Tomcat running on Ubuntu server, to find out which Java is being used, use "ps -ef | grep tomcat" command:

    Sample:

    /home/mcp01$ ps -ef |grep tomcat
    tomcat7  28477     1  0 10:59 ?        00:00:18 /usr/local/java/jdk1.7.0_15/bin/java -Djava.util.logging.config.file=/var/lib/tomcat7/conf/logging.properties -Djava.awt.headless=true -Xmx512m -XX:+UseConcMarkSweepGC -Djava.net.preferIPv4Stack=true -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager -Djava.endorsed.dirs=/usr/share/tomcat7/endorsed -classpath /usr/share/tomcat7/bin/bootstrap.jar:/usr/share/tomcat7/bin/tomcat-juli.jar -Dcatalina.base=/var/lib/tomcat7 -Dcatalina.home=/usr/share/tomcat7 -Djava.io.tmpdir=/tmp/tomcat7-tomcat7-tmp org.apache.catalina.startup.Bootstrap start
    1005     28567 28131  0 11:34 pts/1    00:00:00 grep --color=auto tomcat
    

    Then, we can go into: cd /usr/local/java/jdk1.7.0_15/jre/lib/security

    The default cacerts file is located here. Insert the untrusted certificate into it.

    0 Discussion (0)
  • 2020-11-21 06:18

    The code below works for me:

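    import java.security.cert.CertificateException;
    import java.security.cert.X509Certificate;

    import javax.net.ssl.X509TrustManager;

    // Trust manager that accepts every certificate chain without validating it.
    public class TrustAnyTrustManager implements X509TrustManager {

        // Empty body: no client chain is ever rejected.
        public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        }

        // Empty body: no server chain is ever rejected.
        public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        }

        public X509Certificate[] getAcceptedIssuers() {
            return new X509Certificate[] {};
        }
    }

    import java.net.URL;
    import javax.net.ssl.HttpsURLConnection;
    import javax.net.ssl.SSLContext;
    import javax.net.ssl.TrustManager;

    // Fragment: runs inside a method that throws Exception; serviceUrl is the HTTPS URL to call.
    HttpsURLConnection conn = null;
    URL url = new URL(serviceUrl);
    conn = (HttpsURLConnection) url.openConnection();
    SSLContext sc = SSLContext.getInstance("SSL");
    // Use the trust manager above, so the server certificate is not verified on this connection.
    sc.init(null, new TrustManager[]{new TrustAnyTrustManager()}, new java.security.SecureRandom());

    conn.setSSLSocketFactory(sc.getSocketFactory());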
    
    0 Discussion (0)
  • 2020-11-21 06:18

    This seems as good a place as any to document another possible reason for the infamous PKIX error message. After spending far too long looking at the keystore and truststore contents and various Java installation configs I realised that my issue was down to... a typo.

    The typo meant that I was also using the keystore as the truststore. As my company's Root CA was not defined as a standalone cert in the keystore but only as part of a cert chain, and was not defined anywhere else (i.e. cacerts), I kept getting the PKIX error.

    After a failed release (this is prod config, it was ok elsewhere) and two days of head scratching I finally saw the typo, and now all is good.

    Hope this helps someone.

    0 Discussion (0)
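
An added diagnostic, not part of the answer above: it opens the store an application is configured to use as its truststore and reports whether a CA is present as a standalone trusted-certificate entry, only inside a private-key entry's chain (the situation the answer describes), or not at all. The class and method names and the three arguments are assumptions.

```java
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Collections;

public class TrustStoreAudit {

    // True if the certificate's subject DN contains the given text (case-insensitive).
    static boolean subjectContains(Certificate c, String text) {
        return c instanceof X509Certificate
            && ((X509Certificate) c).getSubjectX500Principal().getName()
                   .toLowerCase().contains(text.toLowerCase());
    }

    // Returns "ANCHOR", "CHAIN_ONLY" or "ABSENT" for the CA in the given store.
    static String locate(KeyStore ks, String caText) throws Exception {
        boolean inChain = false;
        for (String alias : Collections.list(ks.aliases())) {
            if (ks.isCertificateEntry(alias)) {
                // Standalone trustedCertEntry, as listed by "keytool -list".
                if (subjectContains(ks.getCertificate(alias), caText)) return "ANCHOR";
            } else if (ks.isKeyEntry(alias)) {
                // Private-key entry: the CA may appear here only as part of the chain.
                Certificate[] chain = ks.getCertificateChain(alias);
                if (chain == null) continue;
                for (Certificate c : chain) {
                    if (subjectContains(c, caText)) inChain = true;
                }
            }
        }
        return inChain ? "CHAIN_ONLY" : "ABSENT";
    }

    public static void main(String[] args) throws Exception {
        // args: store path, store password, text from the CA subject (all placeholders)
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = Files.newInputStream(Paths.get(args[0]))) {
            ks.load(in, args[1].toCharArray());
        }
        System.out.println(args[2] + " -> " + locate(ks, args[2]));
    }
}
```

Run it against the exact path the application passes as `javax.net.ssl.trustStore`; a `CHAIN_ONLY` result on that file points to a keystore being used where a truststore was intended.
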
  • 2020-11-21 06:22

    javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

    • When I got the error, I tried to Google the meaning of the expression and found that this issue occurs when a server changes its HTTPS SSL certificate and our older version of Java doesn’t recognize the root certificate authority (CA).

    • If you can access the HTTPS URL in your browser then it is possible to update Java to recognize the root CA.

    • In your browser, go to the HTTPS URL that Java could not access. Click on the HTTPS certificate chain (there is a lock icon in Internet Explorer); click on the lock to view the certificate.

    • Go to “Details” of the certificate and “Copy to file”. Copy it in Base64 (.cer) format. It will be saved on your Desktop.

    • Install the certificate ignoring all the alerts.

    • This is how I gathered the certificate information of the URL that I was trying to access.

    Now I had to make my Java version know about the certificate so that it no longer refuses to recognize the URL. In this respect I must mention that I found by Googling that root certificate information is stored by default in the JDK’s \jre\lib\security location, and the default password to access it is: changeit.

    To view the cacerts information the following are the procedures to follow:

    • Click on Start Button-->Run

    • Type cmd. The command prompt opens (you may need to open it as administrator).

    • Go to your Java/jreX/bin directory

    • Type the following

    keytool -list -keystore D:\Java\jdk1.5.0_12\jre\lib\security\cacerts

    It gives the list of the current certificates contained within the keystore. It looks something like this:

    C:\Documents and Settings\NeelanjanaG>keytool -list -keystore D:\Java\jdk1.5.0_12\jre\lib\security\cacerts
    Enter keystore password: changeit

    Keystore type: jks
    Keystore provider: SUN

    Your keystore contains 44 entries

    verisignclass3g2ca, Mar 26, 2004, trustedCertEntry,
    Certificate fingerprint (MD5): A2:33:9B:4C:74:78:73:D4:6C:E7:C1:F3:8D:CB:5C:E9
    entrustclientca, Jan 9, 2003, trustedCertEntry,
    Certificate fingerprint (MD5): 0C:41:2F:13:5B:A0:54:F5:96:66:2D:7E:CD:0E:03:F4
    thawtepersonalbasicca, Feb 13, 1999, trustedCertEntry,
    Certificate fingerprint (MD5): E6:0B:D2:C9:CA:2D:88:DB:1A:71:0E:4B:78:EB:02:41
    addtrustclass1ca, May 1, 2006, trustedCertEntry,
    Certificate fingerprint (MD5): 1E:42:95:02:33:92:6B:B9:5F:C0:7F:DA:D6:B2:4B:FC
    verisignclass2g3ca, Mar 26, 2004, trustedCertEntry,
    Certificate fingerprint (MD5): F8:BE:C4:63:22:C9:A8:46:74:8B:B8:1D:1E:4A:2B:F6

    • Now I had to include the previously installed certificate into the cacerts.

    • For this the following is the procedure:

    keytool -import -noprompt -trustcacerts -alias ALIASNAME -file FILENAME_OF_THE_INSTALLED_CERTIFICATE -keystore PATH_TO_CACERTS_FILE -storepass PASSWORD

    If you are using Java 7:

    keytool -importcert -trustcacerts -alias ALIASNAME -file PATH_TO_FILENAME_OF_THE_INSTALLED_CERTIFICATE -keystore PATH_TO_CACERTS_FILE -storepass changeit

    • It will then add the certificate information into the cacert file.

    It is the solution I found for the Exception mentioned above!!

    0 Discussion (0)
  • 2020-11-21 06:23

    I was having this problem with Android Studio when I'm behind a proxy. I was using Crashlytics that tries to upload the mapping file during a build.

    I added the missing proxy certificate to the truststore located at /Users/[username]/Documents/Android Studio.app/Contents/jre/jdk/Contents/Home/jre/lib/security/cacerts

    with the following command:

    keytool -import -trustcacerts -keystore cacerts -storepass [password] -noprompt -alias [alias] -file [my_certificate_location]

    For example, with the default truststore password:

    keytool -import -trustcacerts -keystore cacerts -storepass changeit -noprompt -alias myproxycert -file /Users/myname/Downloads/MyProxy.crt

    0 Discussion (0)
  • 2020-11-21 06:25

    Using Tomcat 7 under Linux, this did the trick.

    String certificatesTrustStorePath = "/etc/alternatives/jre/lib/security/cacerts";
    System.setProperty("javax.net.ssl.trustStore", certificatesTrustStorePath);
    System.setProperty("javax.net.ssl.trustStorePassword", "changeit");
    

    Under Linux, $JAVA_HOME is not always set up, but usually /etc/alternatives/jre points to $JAVA_HOME/jre

    0 Discussion (0)