
Adding a certificate on Linux (fixes javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException ...)

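Background:

  I was connecting to a remote AD domain using a certificate. After the certificate was generated, the connection worked in a local test,

  so I started the service and called the code from inside the service, and the backend reported an error (the error message is the one above).

  After searching, I found that this problem occurs when you make an https request and the JDK has no trusted certificate for the third-party service, which produces the error javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed.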

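Solution:

  Method 1: obtain the root certificate and install it into the Java cacerts trust store of your JRE ($JAVA_HOME/jre/lib/security/cacerts).

1. Go to the security directory of the Java installation: cd $JAVA_HOME/jre/lib/security
2. Run the import command (in the command, the certificate file name is xxx and the certificate path is /usr/local/xxx.crt):
keytool -import -alias xxx -keystore cacerts -file /usr/local/xxx.crt -trustcacerts

3. The import prompts for the keystore password; the default password is changeit

4. When asked whether to trust this certificate, enter y

5. keytool then reports that the certificate was added to the keystore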

 

 

 


 

 

 

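   Method 2: skip SSL certificate validation. Because in many cases no certificate is available, the second approach is used here: SSL certificate validation is ignored in your code.

  This method requires adding code. A usage example follows (the additions are the trustAllHttpsCertificates() method, the HostnameVerifier installed in getData(), and the miTM class). Because the code calls setDefaultSSLSocketFactory and setDefaultHostnameVerifier, the change applies to every HttpsURLConnection in the JVM, which from then on accepts any certificate and any host name.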

   

import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStreamReader;
import java.net.HttpURLConnection;
import java.net.URL;

import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLSession;

import org.apache.log4j.Logger;

/*
 * GET request class
 */
public class GetRequest {
    private String url = "https://b2b.10086.cn/b2b/main/viewNoticeContent.html?noticeBean.id=";
    private Logger logger;
    public GetRequest() {
        logger = Logger.getLogger(GetRequest.class);
    }
    // Replaces the JVM-wide default SSLSocketFactory with one whose trust manager accepts any certificate chain
    private static void trustAllHttpsCertificates() throws Exception {
        javax.net.ssl.TrustManager[] trustAllCerts = new javax.net.ssl.TrustManager[1];
        javax.net.ssl.TrustManager tm = new miTM();
        trustAllCerts[0] = tm;
        javax.net.ssl.SSLContext sc = javax.net.ssl.SSLContext.getInstance("SSL");
        sc.init(null, trustAllCerts, null);
        javax.net.ssl.HttpsURLConnection.setDefaultSSLSocketFactory(sc.getSocketFactory());
    }
    public void getData(String id) {
        // Build the request URL in a local variable so that repeated calls do not keep appending ids to the field
        String requestUrl = url + id;
        BufferedReader in = null;
        HttpURLConnection conn = null;
        StringBuilder result = new StringBuilder();
        try {
            // This part must be called before the connection is obtained
            trustAllHttpsCertificates();
            // Hostname verifier that logs the mismatch and accepts any host name
            HostnameVerifier hv = new HostnameVerifier() {
                public boolean verify(String urlHostName, SSLSession session) {
                    logger.info("Warning: URL Host: " + urlHostName + " vs. " + session.getPeerHost());
                    return true;
                }
            };
            HttpsURLConnection.setDefaultHostnameVerifier(hv);
            conn = (HttpURLConnection) new URL(requestUrl).openConnection();
            // The following two lines must be set to send a GET request
            conn.setDoInput(true);
            conn.setRequestMethod("GET");
            // Read the response body line by line
            in = new BufferedReader(new InputStreamReader(conn.getInputStream()));
            String line;
            while ((line = in.readLine()) != null) {
                result.append(line);
            }
        } catch (Exception e) {
            logger.error("发送 GET 请求出现异常!\t请求ID:"+id+"\n"+e.getMessage()+"\n");
        } finally { // Use the finally block to close the input stream and release the connection
            try {
                if (in != null) {
                    in.close();
                }
            } catch (IOException ex) {
                logger.error("关闭数据流出错了!\n"+ex.getMessage()+"\n");
            }
            if (conn != null) {
                conn.disconnect();
            }
        }
        // The response is now in result and can be processed directly ...

    }
    // Trust manager whose check methods never throw, so every certificate chain is accepted
    static class miTM implements javax.net.ssl.TrustManager, javax.net.ssl.X509TrustManager {
        public java.security.cert.X509Certificate[] getAcceptedIssuers() {
            // Empty array rather than null: the X509TrustManager contract requires a non-null result
            return new java.security.cert.X509Certificate[0];
        }

        public boolean isServerTrusted(java.security.cert.X509Certificate[] certs) {
            return true;
        }

        public boolean isClientTrusted(java.security.cert.X509Certificate[] certs) {
            return true;
        }

        public void checkServerTrusted(java.security.cert.X509Certificate[] certs, String authType)
                throws java.security.cert.CertificateException {
            return;
        }

        public void checkClientTrusted(java.security.cert.X509Certificate[] certs, String authType)
                throws java.security.cert.CertificateException {
            return;
        }
    }
}

  

 

Appendix:

  Other certificate operations:

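1. Show a single certificate (xxx in the command is the alias used when the certificate was imported)

keytool -list -keystore cacerts | grep xxx

2. List all certificates

keytool -list -keystore cacerts

3. Delete a certificate

keytool -delete -alias xxx -keystore cacerts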

 

References:

https://blog.csdn.net/qq_21765377/article/details/103521889

https://segmentfault.com/a/1190000018591607

 

posted @ -涂涂-