代码之家  ›  专栏  ›  技术社区  ›  DAC

需要使用证书文件运行Spring restTemplate的帮助-无法找到请求目标的有效证书路径

resttemplate ssl spring java
  •  2
  • DAC  · 技术社区  · 6 年前

    我正在寻找一些帮助来解决以下问题,其中我试图使用jks通过restTemplate从java进行rest调用。我环顾四周,弄不明白为什么这不起作用。

    所以从我的服务器上我有一个crt和密钥文件以及密码。如果我对服务器进行以下curl调用,一切正常,它会检索我需要的信息。 

    curl --key example.key --cert example.crt:certpassword --digest --user user:password https://myhost/user?id={url_encoded_id}

    当我试图通过Spring从java运行此程序时,我创建了jks文件,如下所示: 

    keytool -import -file example.crt -alias exampleCA -keystore truststore.jks

openssl pkcs12 -export -in example.crt -inkey example.key -certfile example.crt -name "examplecert" -out keystore.p12

keytool -importkeystore -srckeystore keystore.p12 -srcstoretype pkcs12 -destkeystore keystore.jks -deststoretype JKS

    然后,我编写了以下java代码来使用jks: 

    HttpHeaders httpHeaders = new HttpHeaders();
httpHeaders.add("Authorization", basicAuthValueForUser);
httpHeaders.setContentType(MediaType.APPLICATION_JSON);

String keystore = "<path>\\keystore.jks";
String truststore = "<path>\\truststore.jks";
String certPassPhrase = "certpassword";

SSLContext sslContext = SSLContextBuilder
        .create()
        .loadKeyMaterial(ResourceUtils.getFile(keystore), certPassPhrase.toCharArray(), certPassPhrase.toCharArray())
        .loadTrustMaterial(ResourceUtils.getFile(truststore), certPassPhrase.toCharArray())
        .build();

HttpClient client = HttpClients.custom()
        .setSSLContext(sslContext)
        .build();

HttpComponentsClientHttpRequestFactory factory =
        new HttpComponentsClientHttpRequestFactory(client);

RestTemplate restTemplate = new RestTemplate(factory);

ResponseEntity<String> exchange = restTemplate.exchange("https://myhost/user?id={url_encoded_id}",
        HttpMethod.GET, new HttpEntity<>("", httpHeaders), String.class);

    当我尝试运行此操作时,会出现以下错误: 

    Exception in thread "main" org.springframework.web.client.ResourceAccessException: I/O error on GET request for "https://myhost/user": sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target; nested exception is javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at org.springframework.web.client.RestTemplate.doExecute(RestTemplate.java:666)
    at org.springframework.web.client.RestTemplate.execute(RestTemplate.java:613)
    at org.springframework.web.client.RestTemplate.exchange(RestTemplate.java:531)
    at eid.test.restTest.main(restTest.java:49)
Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
    at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1959)
    at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:302)
    at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:296)
    at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1514)
    at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:216)
    at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1026)
    at sun.security.ssl.Handshaker.process_record(Handshaker.java:961)
    at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1072)
    at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1385)
    at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1413)
    at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1397)
    at org.apache.http.conn.ssl.SSLConnectionSocketFactory.createLayeredSocket(SSLConnectionSocketFactory.java:394)
    at org.apache.http.conn.ssl.SSLConnectionSocketFactory.connectSocket(SSLConnectionSocketFactory.java:353)
    at org.apache.http.impl.conn.DefaultHttpClientConnectionOperator.connect(DefaultHttpClientConnectionOperator.java:141)
    at org.apache.http.impl.conn.PoolingHttpClientConnectionManager.connect(PoolingHttpClientConnectionManager.java:353)
    at org.apache.http.impl.execchain.MainClientExec.establishRoute(MainClientExec.java:380)
    at org.apache.http.impl.execchain.MainClientExec.execute(MainClientExec.java:236)
    at org.apache.http.impl.execchain.ProtocolExec.execute(ProtocolExec.java:184)
    at org.apache.http.impl.execchain.RetryExec.execute(RetryExec.java:88)
    at org.apache.http.impl.execchain.RedirectExec.execute(RedirectExec.java:110)
    at org.apache.http.impl.client.InternalHttpClient.doExecute(InternalHttpClient.java:184)
    at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:82)
    at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:55)
    at org.springframework.http.client.HttpComponentsClientHttpRequest.executeInternal(HttpComponentsClientHttpRequest.java:89)
    at org.springframework.http.client.AbstractBufferingClientHttpRequest.executeInternal(AbstractBufferingClientHttpRequest.java:48)
    at org.springframework.http.client.AbstractClientHttpRequest.execute(AbstractClientHttpRequest.java:53)
    at org.springframework.web.client.RestTemplate.doExecute(RestTemplate.java:652)
    ... 3 more
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:397)
    at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:302)
    at sun.security.validator.Validator.validate(Validator.java:260)
    at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324)
    at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:229)
    at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:124)
    at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1496)
    ... 26 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141)
    at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126)
    at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280)
    at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:392)
    ... 32 more

    任何帮助都将不胜感激!!

    2 回复  |  直到 6 年前
        1
  •  1
  •   DAC    6 年前

    经过更多的测试和研究,我的truststore丢失了一个完成链所需的证书。

    我必须打开浏览器,转到 https://myhost ,从服务器下载证书(crt)文件并将其添加到我的信任库。在这之后,错误被清除了,我可以打电话了。

        2
  •  0
  •   Harish Vutukuri    5 年前
    1. 从浏览器下载站点的证书(.cer)。
    2. 将文件放在$JAVA\u HOME\JAVA\jdk-11.0.3\lib\security中
    3. 使用以下命令安装证书: 
    keytool -import -noprompt -trustcacerts -alias <alias_name> -file  <filename.cer> -keystore $JAVA_HOME\Java\jdk-11.0.3\lib\security\cacerts -storepass changeit

    注: 代替 <alias_name> <filename.cer> 根据您的需要。

    1. 检查是否从列表中安装了证书。 
    keytool -list -keystore $JAVA_HOME\jdk-11.0.3\lib\security\cacerts
    推荐文章
    singh  ·  未配置oracle ssl安装程序
    2 年前
    Itamar Cohen  ·  谷歌管理的SSL证书不起作用
    2 年前
    Owen  ·  正在检索旧TLS证书的节点
    2 年前
    Nicole Demera  ·  ASP。NET Core 6如何使用。设置https的pem链文件
    2 年前
    Ludo Stroetenga  ·  在Indy 10中实现完美的前向保密?
    2 年前
    Tugrul Gokce  ·  如何在ElasticSearch(Apache Nifi控制器服务)上访问密钥库密码信任库密码
    2 年前
    Amarjargal Amaraa  ·  如何将nginx中的ssl配置为jsk文件
    2 年前
    Frozendawn  ·  节点。js elasticsearch证书链中的自签名证书
    2 年前
    VirtualWolf  ·  如何使用节点。js的TLSSocket连接(并重新连接)到服务器?
    2 年前
    SScotti  ·  用于Docker构建的NGINX repo、用于TLS的配置等
    2 年前
    关于   移动版
    代码之家 - 一站式码农服务社区
    沪ICP备11025650号