5

我正在尝试通过需要证书的服务器连接到 url。我已经将我的客户端身份验证证书导入到 {JAVA_HOME}/jre/bin/security/cacerts 并且我已经将它放在 Jboss/bin 和 jboss/server/conf/ 的密钥库中,然后我重新启动了我的服务器,它仍然给我以下错误。

Caused by: java.io.IOException: Could not transmit message
    at org.jboss.ws.core.client.HTTPRemotingConnection.invoke(HTTPRemotingConnection.java:265)
    at org.jboss.ws.core.client.SOAPProtocolConnectionHTTP.invoke(SOAPProtocolConnectionHTTP.java:71)
    at org.jboss.ws.core.CommonClient.invoke(CommonClient.java:340)
    at org.jboss.ws.core.jaxws.client.ClientImpl.invoke(ClientImpl.java:290)
    ... 40 more
Caused by: org.jboss.remoting.CannotConnectException: Can not connect http client invoker after 1 attempt(s)
    at org.jboss.remoting.transport.http.HTTPClientInvoker.makeInvocation(HTTPClientInvoker.java:249)
    at org.jboss.remoting.transport.http.HTTPClientInvoker.transport(HTTPClientInvoker.java:161)
    at org.jboss.remoting.MicroRemoteClientInvoker.invoke(MicroRemoteClientInvoker.java:165)
    at org.jboss.remoting.Client.invoke(Client.java:1724)
    at org.jboss.remoting.Client.invoke(Client.java:629)
    at org.jboss.ws.core.client.HTTPRemotingConnection.invoke(HTTPRemotingConnection.java:243)
    ... 43 more
Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:174)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1611)
    at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:187)
    at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:181)
    at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1035)
    at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:124)
    at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Handshaker.java:516)
    at com.sun.net.ssl.internal.ssl.Handshaker.process_record(Handshaker.java:454)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:884)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1112)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1139)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1123)
    at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:434)
    at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:166)
    at sun.net.www.protocol.http.HttpURLConnection.getOutputStream(HttpURLConnection.java:904)
    at sun.net.www.protocol.https.HttpsURLConnectionImpl.getOutputStream(HttpsURLConnectionImpl.java:230)
    at org.jboss.remoting.transport.http.HTTPClientInvoker.getOutputStream(HTTPClientInvoker.java:1214)
    at org.jboss.remoting.transport.http.HTTPClientInvoker.useHttpURLConnection(HTTPClientInvoker.java:334)
    at org.jboss.remoting.transport.http.HTTPClientInvoker.makeInvocation(HTTPClientInvoker.java:231)
    ... 48 more
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:294)
    at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:200)
    at sun.security.validator.Validator.validate(Validator.java:218)
    at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:126)
    at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:209)
    at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:249)
    at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1014)
    ... 62 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:174)
    at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:238)
    at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:289)
    ... 68 more

我想问我能做些什么来解决它?我是否需要在 server.xml 中为该证书添加另一个:

<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true" maxThreads="150"
   scheme="https" secure="false" strategy="ms" address="${jboss.bind.address}"
   keystoreFile="${jboss.server.home.dir}/conf/.keystore"
   keystorePass="changeit" sslProtocol="TLS"
   truststoreFile="/usr/lib/jvm/java-6-sun-1.6.0.10/jre/lib/security/cacerts"
   truststorePass="*****"
   SSLImplementation="org.jsslutils.extra.apachetomcat6.JSSLutilsImplementation"
   acceptAnyCert="true" clientAuth="want" />

还是我犯了其他错误?

4

4 回答 4

8

我知道您说您已经导入了证书,但请查看这些步骤,看看您是否在某处遗漏了一步:

以下是如何导入证书以修复以下错误的总体摘要:

尝试执行请求时出错。javax.net.ssl.SSLHandshakeException:sun.security.validator.ValidatorException:PKIX 路径构建失败:sun.security.provider.certpath.SunCertPathBuilderException:无法找到请求目标的有效证书路径

如何导入证书

  1. 在浏览器中转到 URL,单击 HTTPS 证书链(URL 地址旁边的小锁符号)以导出证书
    • 单击“更多信息”>“安全”>“显示证书”>“详细信息”>“导出..”。
    • 另存为.der
    • 对您需要导入的任何证书重复此操作
  2. 找到$JAVA_HOME/jre/lib/security/cacerts
  3. 使用以下命令将所有 *.der 文件导入 cacerts 文件:

    sudo keytool -import -alias mysitestaging -keystore $JAVA_HOME/jre/lib/security/cacerts -file staging.der
    sudo keytool -import -alias mysiteprod -keystore  $JAVA_HOME/jre/lib/security/cacerts -file prod.der
    sudo keytool -import -alias mysitedev -keystore  $JAVA_HOME/jre/lib/security/cacerts -file dev.der
    
  4. 默认密钥库密码是“changeit”

  5. 您可以查看使用显示证书指纹的此命令所做的更改。

    keytool -list -keystore $JAVA_HOME/jre/lib/security/cacerts
    
  6. 如果这不能解决问题,请尝试将这些 java 选项添加为参数:

    -Djavax.net.ssl.trustStore="$JAVA_HOME/jre/lib/security/cacerts"
    -Djavax.net.ssl.trustStorePassword="changeit"
    
于 2016-10-18T18:20:58.710 回答
0

对于 SSL Web 服务配置,我们必须执行以下步骤:

1) 将 CA 证书插入到密钥库中,您可以将其放入 JVM 或将其放入 jre 安全目录,或者您可以导入到 jre 默认密钥库。

2)将带有密钥的身份验证证书导入密钥库(可能是java密钥库或另一个)。密钥库也可以是 jks,不仅是 pkcs12。我已经测试过了,jks 也很好用。

3) 告诉 JVM 你需要那个密钥库——当我们启动 Jboss 时。它可以是这样的(在我的情况下它看起来像这样):

> "-Dprogram.name=JBossTools: JBoss 4.0 CLONE OF ESS SERVER" -server
> -Xms256m -Xmx512m -XX:MaxPermSize=256m -Dsun.rmi.dgc.client.gcInterval=3600000 -Dsun.rmi.dgc.server.gcInterval=3600000 "-Djava.endorsed.dirs=..\jboss-4.0.2\lib\endorsed"
> "-Djavax.net.ssl.keyStore=../Java/jdk1.6.0_45/jre/lib/security/cacerts"
> "-Djavax.net.ssl.keyStorePassword=changeit"

证书也可以是 der 编码或 base 64。这意味着您可能需要使用开放 SSL 等转换证书。另一个问题是有时转换可能会导致问题,因此您可以使用这样的脚本进行更简单灵活的转换。

于 2014-06-10T16:10:23.177 回答
0

由于禁用了 TLSv1.2 协议,我遇到了这个问题。我通过在 VM 参数中添加 TLSv1.2 解决了这个问题。以下是启用协议的步骤

您需要在 vm 参数中添加这一行 -->-Dhttps.protocols=TLSv1.1,TLSv1.2

转到eclipse中的服务器选项卡>>双击wildfly>>打开启动配置>>最后粘贴到vm参数中。

于 2018-07-23T08:02:01.653 回答
-2

如果是客户端证书,那么你需要把它放在你的信任库中;如果它是服务器证书,那么它将进入您的密钥库。此外,如果您的证书有中间 CA 证书,您也需要添加它们。

于 2014-06-10T06:01:26.983 回答