unable to find valid certification path to requested target

https://blog.csdn.net/write_down/article/details/79114573

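1. Prerequisites
To follow this article, you need the following background:

The basics of HTTPS, including certificate distribution and key agreement [1];
The basics of HTTP proxies and HTTPS proxies [2];
Common local HTTP proxy tools such as Fiddler and BurpSuite;
Knowledge of Java and of the basic features and API of HttpClient [3].
2. Problem description and analysis
A program written with HttpClient accesses an HTTPS page through a local HTTP/HTTPS proxy, as shown below:
Java program (based on HttpClient) <---> proxy tool (e.g. Fiddler) <---> web server
When the Java program runs, it throws an exception with the message: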

javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

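The error message shows that the website's certificate cannot be verified: no certificate chain can be found. To fix this, the certificate generated by the proxy tool was imported into the operating system's certificate store as a trusted root certificate, but the problem persisted. Only after reading up on it did it become clear: Java's certificate validation is independent of the operating system and the browser and uses the certificate store inside the JRE, so the proxy tool's certificate must be added to the JRE's certificate store.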

Solution

1. First export the target website's certificate

https://blog.csdn.net/c5113620/article/details/80384660   

The certificate exported from https://jmeter-plugins.org/ is jmeter-pluginsorg.crt

2. Change to the C:\Program Files\Java\jre1.8.0_151\bin directory

.\keytool.exe -import -alias JMeter -keystore ..\lib\security\cacerts -file "C:\Windows\System32\jmeter-pluginsorg.crt"

If you are prompted for a password, the Java default is changeit; finally, enter y to trust this certificate.

3. Still in the same directory

C:\Program Files\Java\jre1.8.0_151\bin> .\keytool.exe -list -keystore ..\lib\security\cacerts -alias JMeter
Enter keystore password:
JMeter, Feb 27, 2019, trustedCertEntry,
Certificate fingerprint (SHA1): 58:EF:9D:99:03:E7:3E:F0:19:6A:24:26:5E:6A:18:B1:B5:44:66:88
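
To confirm the import from a program's point of view, the following added example (not code from the original post) loads the cacerts file of the JRE that is actually running it and reports whether a given certificate file is in it, under which alias, and with which fingerprints. The class name CacertsCheck and its command-line arguments are assumptions made for this example, and it assumes the JRE has no jssecacerts file taking precedence over cacerts.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;

// Added example (hypothetical class name): is this certificate in the running JRE's trust store?
public class CacertsCheck {
    // Colon-separated hex digest, the layout keytool prints.
    static String fingerprint(X509Certificate cert, String algorithm) throws Exception {
        byte[] digest = MessageDigest.getInstance(algorithm).digest(cert.getEncoded());
        StringBuilder sb = new StringBuilder();
        for (byte b : digest) {
            if (sb.length() > 0) sb.append(':');
            sb.append(String.format("%02X", b));
        }
        return sb.toString();
    }

    public static void main(String[] args) throws Exception {
        if (args.length < 1) {
            System.err.println("usage: java CacertsCheck <certificate file> [store password]");
            System.exit(2);
        }
        // cacerts of the JRE running this program, unless javax.net.ssl.trustStore overrides it.
        String storePath = System.getProperty("javax.net.ssl.trustStore",
                Paths.get(System.getProperty("java.home"), "lib", "security", "cacerts").toString());
        char[] password = (args.length > 1 ? args[1] : "changeit").toCharArray();

        X509Certificate cert;
        try (InputStream in = new FileInputStream(args[0])) {
            cert = (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
        }
        KeyStore store = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(storePath)) {
            store.load(in, password);
        }
        // getCertificateAlias returns null when no entry holds this exact certificate.
        String alias = store.getCertificateAlias(cert);

        System.out.println("Trust store: " + storePath);
        System.out.println("Subject:     " + cert.getSubjectX500Principal().getName());
        System.out.println("SHA1:        " + fingerprint(cert, "SHA-1"));
        System.out.println("SHA-256:     " + fingerprint(cert, "SHA-256"));
        System.out.println(alias != null ? "Trusted under alias: " + alias : "Not in this trust store");
    }
}
```

Run it with the same java binary as the failing program; when several JREs are installed, the printed trust store path shows which cacerts that JVM reads, which may not be the one keytool modified.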

 

 

 

 

 

Further reading

https://www.sslshopper.com/article-most-common-java-keytool-keystore-commands.html?jn9ed3e997=3

  • Delete a certificate from a Java Keytool keystore

    keytool -delete -alias mydomain -keystore keystore.jks

 

https://blog.csdn.net/duan19056/article/details/21025349

Import

 keytool -import -keystore "C:\Program Files (x86)\Java\jre6\lib\security\cacerts"  -storepass changeit

Delete

keytool -delete -alias emailcert -keystore "C:\Program Files (x86)\Java\jre6\lib\security\cacerts" -storepass changeit

View

C:\Program Files\Java\jre1.8.0_151\bin> .\keytool.exe -list -keystore "C:\Program Files\Java\jre1.8.0_151\lib\security\cacerts" -storepass changeit -alias JMeter
JMeter, Feb 27, 2019, trustedCertEntry,
Certificate fingerprint (SHA1): 58:EF:9D:99:03:E7:3E:F0:19:6A:24:26:5E:6A:18:B1:B5:44:66:88

Rename

C:\Program Files\Java\jre1.8.0_151\bin> .\keytool.exe -changealias -alias JMeter -destalias -keystore "C:\Program Files\Java\jre1.8.0_151\lib\security\cacerts" -storepass changeit -v
Illegal option: C:\Program Files\Java\jre1.8.0_151\lib\security\cacerts
keytool -changealias [OPTION]...

Changes an entry's alias

Options:

-alias <alias> alias name of the entry to process
-destalias <destalias> destination alias
-keypass <arg> key password
-keystore <keystore> keystore name
-storepass <arg> keystore password
-storetype <storetype> keystore type
-providername <providername> provider name
-providerclass <providerclass> provider class name
-providerarg <arg> provider argument
-providerpath <pathlist> provider classpath
-v verbose output
-protected password through protected mechanism

Use "keytool -help" for all available commands

 

.\keytool.exe -changealias -alias JMeter4 -destalias JMeter -keystore "C:\Program Files\Java\jre1.8.0_151\lib\security\cacerts" -storepass changeit

 

 

https://stackoverflow.com/questions/21076179/pkix-path-building-failed-and-unable-to-find-valid-certification-path-to-requ?answertab=votes#tab-top

  1. Go to URL in your firefox browser, click on HTTPS certificate chain (next to URL address). Click "more info" > "security" > "show certificate" > "details" > "export..". Pickup the name and choose file type example.cer. Now you have file with keystore and you have to add it to your JVM

  2. Determine location of cacerts files, eg. C:\Program Files (x86)\Java\jre1.6.0_22\lib\security\cacerts.

  3. Next import the example.cer file into cacerts in command line:

keytool -import -alias example -keystore "C:\Program Files (x86)\Java\jre1.6.0_22\lib\security\cacerts" -file example.cer

You will be asked for password which default is changeit

Restart your JVM/PC.

source: http://magicmonster.com/kb/prg/java/ssl/pkix_path_building_failed.html

 

posted @ 2019-02-27 18:08  ChuckLu