
Pitfall Diary (3): Swapping the certificate produces "PKIX path building failed: sun.sec..."

Preface

Our production HTTPS certificate was about to expire. After talking with the ops colleague, all that was needed was to replace the domain certificate under Nginx with the new one; I assumed it was so simple that no development effort was required. Because it is the primary domain and many systems hang off it, we did the update at night to avoid disturbing production. After the update only one system had a problem while all the others kept working, so we had no choice but to roll back.

Problem

The production service logged the following error:

com.mashape.unirest.http.exceptions.UnirestException: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target......

From the error message my first guess was that the exception was thrown because no trusted certificate could be found. I assumed the new certificate had been exported the wrong "way", had the colleague redo it, and retried; it still failed.

......

The certificate was replaced at the Nginx layer; what does that have to do with the application?

I searched online and found a fix for the same problem, shown in the screenshot below:

Original: https://blogs.oracle.com/gc/unable-to-find-valid-certification-path-to-requested-target

Roughly: when working on a client that talks to an SSL-enabled server over https, you may get the error "unable to find valid certification path to requested target" if the server certificate was not issued by a certification authority but is self-signed or issued by a private CMS.

The post also gives a concrete fix.
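What the error actually means, and why a certificate swap on Nginx can break a Java client that never changed: during the TLS handshake the JVM tries to build a certification path from the leaf certificate the server sends, through whatever intermediates the server sends, to a trust anchor in its truststore (cacerts). If the new certificate comes from a private CA, or Nginx now serves the leaf without its intermediate, no path can be built and the handshake fails with exactly this message. The program below is an added example, not code from the post or from the Oracle article: it runs the same PKIX path building offline against a PEM chain file and the JVM's cacerts, so a new certificate can be checked before it is deployed. The class name ChainCheck, the command-line arguments and the default truststore password "changeit" (the same default InstallCert uses) are assumptions.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.CertPathBuilder;
import java.security.cert.CertPathBuilderException;
import java.security.cert.CertStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.CollectionCertStoreParameters;
import java.security.cert.PKIXBuilderParameters;
import java.security.cert.PKIXCertPathBuilderResult;
import java.security.cert.X509CertSelector;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Enumeration;
import java.util.List;
import javax.security.auth.x500.X500Principal;

/** Offline check: can the JVM build a PKIX path from a server chain to a trust anchor? (example, hypothetical class) */
public class ChainCheck {

    public static void main(String[] args) throws Exception {
        if (args.length < 1) {
            System.out.println("Usage: java ChainCheck <chain.pem> [truststore] [password]");
            return;
        }
        // Parse every certificate in the PEM bundle; the first one must be the server (leaf) certificate.
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        List<X509Certificate> chain = new ArrayList<>();
        try (InputStream in = new FileInputStream(args[0])) {
            for (Certificate c : cf.generateCertificates(in)) {
                chain.add((X509Certificate) c);
            }
        }
        // Trust anchors come from the given truststore, or from the JVM's own cacerts (assumed path, same as InstallCert uses).
        String tsPath = args.length > 1 ? args[1]
                : System.getProperty("java.home") + "/lib/security/cacerts";
        char[] tsPass = (args.length > 2 ? args[2] : "changeit").toCharArray();
        KeyStore ts = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(tsPath)) {
            ts.load(in, tsPass);
        }
        System.out.println(describe(chain, ts));
    }

    /** Runs the same PKIX path building the TLS handshake performs and explains a failure. */
    static String describe(List<X509Certificate> chain, KeyStore trustStore) throws Exception {
        X509CertSelector target = new X509CertSelector();
        target.setCertificate(chain.get(0));                 // the path must end at the leaf
        PKIXBuilderParameters params = new PKIXBuilderParameters(trustStore, target);
        params.setRevocationEnabled(false);                  // offline check: no CRL/OCSP fetch
        // The certificates the server sent are the only intermediates the builder may use
        params.addCertStore(CertStore.getInstance("Collection", new CollectionCertStoreParameters(chain)));
        try {
            PKIXCertPathBuilderResult r =
                    (PKIXCertPathBuilderResult) CertPathBuilder.getInstance("PKIX").build(params);
            return "OK: path of " + r.getCertPath().getCertificates().size()
                    + " cert(s) ends at trust anchor "
                    + r.getTrustAnchor().getTrustedCert().getSubjectX500Principal();
        } catch (CertPathBuilderException e) {
            X509Certificate last = chain.get(chain.size() - 1);
            X500Principal issuer = last.getIssuerX500Principal();
            StringBuilder sb = new StringBuilder("FAIL: " + e.getMessage() + "\n");
            sb.append("  server chain has ").append(chain.size())
              .append(" cert(s); last issuer: ").append(issuer.getName()).append("\n");
            if (issuer.equals(last.getSubjectX500Principal())) {
                sb.append("  chain is complete but its root is not a trust anchor: import that ROOT CA, not the leaf\n");
            } else if (findBySubject(trustStore, issuer) == null) {
                sb.append("  chain is incomplete and the missing issuer is not trusted: the server must send its intermediate CA\n");
            } else {
                sb.append("  the issuer is a trust anchor, so the problem is in the certificate itself (validity period, key usage, name constraints)\n");
            }
            return sb.toString();
        }
    }

    /** Returns the trusted certificate whose subject equals the given name, or null. */
    static X509Certificate findBySubject(KeyStore ts, X500Principal subject) throws Exception {
        for (Enumeration<String> aliases = ts.aliases(); aliases.hasMoreElements();) {
            Certificate c = ts.getCertificate(aliases.nextElement());
            if (c instanceof X509Certificate && ((X509Certificate) c).getSubjectX500Principal().equals(subject)) {
                return (X509Certificate) c;
            }
        }
        return null;
    }
}
```

The chain as Nginx really sends it can be captured with openssl s_client -connect www.xxx.com:443 -showcerts and the BEGIN/END CERTIFICATE blocks saved, leaf first, into the PEM file. The three failure branches point at different fixes: an incomplete chain is corrected on the Nginx side by pointing ssl_certificate at a file containing the leaf followed by its intermediates, and only a genuinely private root needs to go into the Java truststore, in which case it is the root, not the leaf, that should be imported.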

Solution

Download the code: http://blogs.sun.com/andreas/resource/InstallCert.java

It's a 404!

I found the same code, contributed by other folks, elsewhere; the source is as follows:

import java.io.BufferedReader;
import java.io.File;
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.InputStream;
import java.io.InputStreamReader;
import java.io.OutputStream;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLException;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

public class InstallCert {

    public static void main(String[] args) throws Exception {
        String host;
        int port;
        char[] passphrase;
        if ((args.length == 1) || (args.length == 2)) {
            String[] c = args[0].split(":");
            host = c[0];
            port = (c.length == 1) ? 443 : Integer.parseInt(c[1]);
            String p = (args.length == 1) ? "changeit" : args[1];
            passphrase = p.toCharArray();
        } else {
            System.out.println("Usage: java InstallCert <host>[:port] [passphrase]");
            return;
        }

        // Load ./jssecacerts if present, otherwise the JVM's own jssecacerts or cacerts
        File file = new File("jssecacerts");
        if (file.isFile() == false) {
            char SEP = File.separatorChar;
            File dir = new File(System.getProperty("java.home") + SEP + "lib" + SEP + "security");
            file = new File(dir, "jssecacerts");
            if (file.isFile() == false) {
                file = new File(dir, "cacerts");
            }
        }
        System.out.println("Loading KeyStore " + file + "...");
        InputStream in = new FileInputStream(file);
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        ks.load(in, passphrase);
        in.close();

        // Wrap the default trust manager so the chain the server sends is kept even when validation fails
        SSLContext context = SSLContext.getInstance("TLS");
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        X509TrustManager defaultTrustManager = (X509TrustManager) tmf.getTrustManagers()[0];
        SavingTrustManager tm = new SavingTrustManager(defaultTrustManager);
        context.init(null, new TrustManager[] { tm }, null);
        SSLSocketFactory factory = context.getSocketFactory();

        System.out.println("Opening connection to " + host + ":" + port + "...");
        SSLSocket socket = (SSLSocket) factory.createSocket(host, port);
        socket.setSoTimeout(10000);
        try {
            System.out.println("Starting SSL handshake...");
            socket.startHandshake();
            socket.close();
            System.out.println();
            System.out.println("No errors, certificate is already trusted");
        } catch (SSLException e) {
            System.out.println();
            e.printStackTrace(System.out);
        }

        X509Certificate[] chain = tm.chain;
        if (chain == null) {
            System.out.println("Could not obtain server certificate chain");
            return;
        }

        BufferedReader reader = new BufferedReader(new InputStreamReader(System.in));
        System.out.println();
        System.out.println("Server sent " + chain.length + " certificate(s):");
        System.out.println();
        MessageDigest sha1 = MessageDigest.getInstance("SHA1");
        MessageDigest md5 = MessageDigest.getInstance("MD5");
        for (int i = 0; i < chain.length; i++) {
            X509Certificate cert = chain[i];
            System.out.println(" " + (i + 1) + " Subject " + cert.getSubjectDN());
            System.out.println("   Issuer  " + cert.getIssuerDN());
            sha1.update(cert.getEncoded());
            System.out.println("   sha1    " + toHexString(sha1.digest()));
            md5.update(cert.getEncoded());
            System.out.println("   md5     " + toHexString(md5.digest()));
            System.out.println();
        }

        System.out.println("Enter certificate to add to trusted keystore or 'q' to quit: [1]");
        String line = reader.readLine().trim();
        int k;
        try {
            k = (line.length() == 0) ? 0 : Integer.parseInt(line) - 1;
        } catch (NumberFormatException e) {
            System.out.println("KeyStore not changed");
            return;
        }

        // The chosen certificate is stored under alias "<host>-<n>" in ./jssecacerts
        X509Certificate cert = chain[k];
        String alias = host + "-" + (k + 1);
        ks.setCertificateEntry(alias, cert);
        OutputStream out = new FileOutputStream("jssecacerts");
        ks.store(out, passphrase);
        out.close();
        System.out.println();
        System.out.println(cert);
        System.out.println();
        System.out.println("Added certificate to keystore 'jssecacerts' using alias '" + alias + "'");
    }

    private static final char[] HEXDIGITS = "0123456789abcdef".toCharArray();

    private static String toHexString(byte[] bytes) {
        StringBuilder sb = new StringBuilder(bytes.length * 3);
        for (int b : bytes) {
            b &= 0xff;
            sb.append(HEXDIGITS[b >> 4]);
            sb.append(HEXDIGITS[b & 15]);
            sb.append(' ');
        }
        return sb.toString();
    }

    private static class SavingTrustManager implements X509TrustManager {
        private final X509TrustManager tm;
        private X509Certificate[] chain;

        SavingTrustManager(X509TrustManager tm) {
            this.tm = tm;
        }

        @Override
        public X509Certificate[] getAcceptedIssuers() {
            throw new UnsupportedOperationException();
        }

        @Override
        public void checkClientTrusted(X509Certificate[] chain, String authType)
                throws CertificateException {
            throw new UnsupportedOperationException();
        }

        @Override
        public void checkServerTrusted(X509Certificate[] chain, String authType)
                throws CertificateException {
            // Remember the chain before delegating, so it survives a validation failure
            this.chain = chain;
            tm.checkServerTrusted(chain, authType);
        }
    }
}

Step 1: copy the source into a .txt file and change the extension to .java (name it InstallCert.java)

Step 2: copy InstallCert.java to any directory on the server that reports the error (e.g. /usr/local)

Step 3: compile InstallCert.java

$ cd /usr/local
$ javac InstallCert.java
$ java InstallCert hostname

hostname is the actual domain name, for example www.xxx.com

Opening connection to www.xxx.com:443...
Starting SSL handshake...
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:150)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:.............

 2 Subject CN=Certificate Shack, O=example.com, C=US
   Issuer  CN=Certificate Shack, O=example.com, C=US
   sha1    fb 58 a7 03 c4 4e 3b 0e e3 2c 40 2f 87 64 13 4d df e1 a1 a6
   md5     72 a0 95 43 7e 41 88 18 ae 2f 6d 98 01 2c 89 68

Enter certificate to add to trusted keystore or 'q' to quit: [1]

At the prompt type "1" and press Enter; a certificate file named "jssecacerts" is generated in the current directory.

Step 4: put the certificate file under $JAVA_HOME/jre/lib/security

Step 5: restart the web service

Because the truststore is loaded statically, once at JVM start-up, the Web Server has to be restarted before the certificate takes effect.

Summary

Some folks online say it stops working after a while. I'll try it in production first, and if there is a problem I'll let everyone know in the comments.
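The "stops working after a while" reports follow from what InstallCert stores: the entry written to jssecacerts is exactly the certificate picked at the prompt. Picking entry 1 (the leaf) makes the JVM trust that one certificate only, so the next renewal on Nginx brings the same PKIX error back; picking the issuing CA entry instead survives renewals. The program below is an added example, not code from the post, that lists every trusted entry in a truststore, whether it is a CA or a pinned end-entity certificate, and how many days remain before its notAfter date. The class name TrustStoreAudit is hypothetical; the default file name jssecacerts and password "changeit" are taken from what InstallCert writes.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Date;
import java.util.Enumeration;
import java.util.List;
import java.util.concurrent.TimeUnit;

/** Lists what a truststore actually trusts and how long each entry lasts (example, hypothetical class). */
public class TrustStoreAudit {

    static final class Entry {
        final String alias;
        final String subject;
        final boolean isCa;      // false = a pinned end-entity certificate
        final long daysLeft;     // negative once notAfter has passed

        Entry(String alias, String subject, boolean isCa, long daysLeft) {
            this.alias = alias;
            this.subject = subject;
            this.isCa = isCa;
            this.daysLeft = daysLeft;
        }

        @Override
        public String toString() {
            String kind = isCa ? "CA  " : "LEAF";   // a LEAF entry stops matching at the next renewal
            String state = daysLeft < 0 ? "EXPIRED" : daysLeft < 30 ? "EXPIRING" : "ok";
            return String.format("%-8s %s %5d days  %-24s %s", state, kind, daysLeft, alias, subject);
        }
    }

    public static void main(String[] args) throws Exception {
        // Defaults match what InstallCert writes: ./jssecacerts protected with "changeit"
        String path = args.length > 0 ? args[0] : "jssecacerts";
        char[] pass = (args.length > 1 ? args[1] : "changeit").toCharArray();
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, pass);
        }
        for (Entry e : audit(ks, new Date())) {
            System.out.println(e);
        }
    }

    /** One Entry per trusted-certificate alias; private-key entries are skipped. */
    static List<Entry> audit(KeyStore ks, Date now) throws Exception {
        List<Entry> out = new ArrayList<>();
        for (Enumeration<String> aliases = ks.aliases(); aliases.hasMoreElements();) {
            String alias = aliases.nextElement();
            if (!ks.isCertificateEntry(alias)) {
                continue;                                  // not a trust anchor
            }
            Certificate c = ks.getCertificate(alias);
            if (!(c instanceof X509Certificate)) {
                continue;
            }
            X509Certificate x = (X509Certificate) c;
            // getBasicConstraints() returns -1 when the certificate is not a CA certificate
            boolean isCa = x.getBasicConstraints() >= 0;
            long daysLeft = TimeUnit.MILLISECONDS.toDays(x.getNotAfter().getTime() - now.getTime());
            out.add(new Entry(alias, x.getSubjectX500Principal().getName(), isCa, daysLeft));
        }
        return out;
    }
}
```

Run it against the jssecacerts produced in step 3 before copying it into $JAVA_HOME/jre/lib/security: a LEAF line for the www.xxx.com-1 alias tells you the date on which the error will return. Two further things worth knowing about that directory: the JVM reads jssecacerts in preference to cacerts, so the generated file (a copy of the loaded store plus the new entry) becomes the trust set for every application on that JVM, and it has to be carried forward whenever the JDK is upgraded; if only one application needs the extra anchor, pointing that application at its own file with -Djavax.net.ssl.trustStore keeps the change local.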

2024-05-01
