Java在请求某些不受信任的https网站时会报:PKIX path building failed

解决方法一:使用keytool手动导入证书,为JRE环境导入信任证书

参考:http://www.cnblogs.com/wanghaixing/p/5630070.html

方法二:使用代码下载证书保存

参考:https://blog.csdn.net/frankcheng5143/article/details/52164939

方法三:服务器不信任我们自己创建的证书,所以在代码中忽略证书信任问题。

参考:http://mengyang.iteye.com/blog/575671

最后注意:检查eclipse/myeclipse的JDK或JRE,是否为你导入证书的JRE。

注意:myeclipse是自带JDK的,JDK中自带JRE,而我们通过命令导入的jre是系统环境变量下path的jre。

两者很可能不是同一个,要改myeclipse的配置。(具体操作很简单,windows-->preferences-->搜索jre)

方法二代码实现

功能:把目标host证书保存到jre/lib/security/jssecacerts文件,亲测有效

import java.io.BufferedReader;

import java.io.File;

import java.io.FileInputStream;

import java.io.FileNotFoundException;

import java.io.FileOutputStream;

import java.io.IOException;

import java.io.InputStream;

import java.io.InputStreamReader;

import java.io.OutputStream;

import java.security.*;

import javax.net.ssl.*;

import java.security.cert.*;

import org.junit.Test;

public class certUtils {

	private int port = 443;

	private char[] passphrase="changeit".toCharArray();

	/**

	 * @param host 例:www.80s.tw

	 * @param port	https默认为443端口

	 * @param passphrase keyStore密码

	 */

	public void installCert(String host, int port, char[] passphrase) {

		//文件分隔符

		char SEP = File.separatorChar;

		//获取jre/lib/security目录

		File dir = new File(System.getProperty("java.home") + SEP + "lib" + SEP

				+ "security");

		//新建文件jre/lib/security/jssecacerts,向文件输出时文件才真正创建

		File file = new File(dir, "jssecacerts");

		//jssecacerts文件不存在时,获取jre/lib/security/cacerts文件索引

		if (file.isFile() == false) {

			file = new File(dir, "cacerts");

		}

		System.out.println("Loading KeyStore " + file + "...");

		try {

			InputStream in = new FileInputStream(file);

			KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());

			ks.load(in, passphrase);

			in.close();

			SSLContext context = SSLContext.getInstance("TLS");

			TrustManagerFactory tmf = TrustManagerFactory

					.getInstance(TrustManagerFactory.getDefaultAlgorithm());

			tmf.init(ks);

			X509TrustManager defaultTrustManager = (X509TrustManager) tmf

					.getTrustManagers()[0];

			SavingTrustManager tm = new SavingTrustManager(defaultTrustManager);

			context.init(null, new TrustManager[] { tm }, null);

			SSLSocketFactory factory = context.getSocketFactory();

			//与目标主机进行连接

			System.out.println("Opening connection to " + host + ":" + port);

			try {

				SSLSocket socket = (SSLSocket) factory.createSocket(host, port);

				socket.setSoTimeout(10000);

				System.out.println("Starting SSL handshake...");

				socket.startHandshake();

				socket.close();

				System.out.println("No errors, certificate is already trusted");

			} catch (Exception e) {

				e.printStackTrace();

			}

			X509Certificate[] chain = tm.chain;

			if (chain == null) {

				return;

			}

			BufferedReader reader = new BufferedReader(new InputStreamReader(

					System.in));

			MessageDigest sha1 = MessageDigest.getInstance("SHA1");

			MessageDigest md5 = MessageDigest.getInstance("MD5");

			for (int i = 0; i < chain.length; i++) {

				X509Certificate cert = chain[i];

				sha1.update(cert.getEncoded());

				md5.update(cert.getEncoded());

			}

			// 默认证书链第一个

			int index = 0;

			X509Certificate cert = chain[index];

			String alias = host + "-" + (index + 1);

			ks.setCertificateEntry(alias, cert);

			// keyStore保存到文件jssecacerts

			File jssecacerts = new File(dir, "jssecacerts");

			OutputStream out = new FileOutputStream(jssecacerts);

			ks.store(out, passphrase);

			out.close();

			System.out.println("-----打印cert-----");

			System.out.println(cert);

		} catch (Exception e) {

			e.printStackTrace();

		}

	}

	private final char[] HEXDIGITS = "0123456789abcdef".toCharArray();

	private String toHexString(byte[] bytes) {

		StringBuilder sb = new StringBuilder(bytes.length * 3);

		for (int b : bytes) {

			b &= 0xff;

			sb.append(HEXDIGITS[b >> 4]);

			sb.append(HEXDIGITS[b & 15]);

			sb.append(' ');

		}

		return sb.toString();

	}

	private class SavingTrustManager implements X509TrustManager {

		private final X509TrustManager tm;

		private X509Certificate[] chain;

		SavingTrustManager(X509TrustManager tm) {

			this.tm = tm;

		}

		public X509Certificate[] getAcceptedIssuers() {

			throw new UnsupportedOperationException();

		}

		public void checkClientTrusted(X509Certificate[] chain, String authType)

				throws CertificateException {

			throw new UnsupportedOperationException();

		}

		public void checkServerTrusted(X509Certificate[] chain, String authType)

				throws CertificateException {

			this.chain = chain;

			tm.checkServerTrusted(chain, authType);

		}

	}

}

  

查看证书

keytool -list -v -alias aurora -keystore "C:/Program Files/Java/jdk1.7.0_03/jre/lib/security/cacerts" -storepass changeit  
这条命令是在JDK安装的密钥库中,查找别名是aurora的证书,密钥库口令是changeit。

删除证书

keytool -delete -alias aurora -keystore "C:/Program Files/Java/jdk1.7.0_03/jre/lib/security/cacerts" -storepass changeit

删除别名是aurora的证书。

方法三代码实现

  只要在创建connection之前调用两个方法:

  由于有网友这么说:这样做是放弃了证书的认证,那你们用https还有什么意义呢?就好像搭建了一个https的server,最后在认证失败的时候放弃认证,直接选择信任,那么这个https的server就沦落为一个http的server了,而且性能要比http差

  在下就没有测试,请自行测试。

trustAllHttpsCertificates();

HttpsURLConnection.setDefaultHostnameVerifier(hv);

  

HostnameVerifier hv = new HostnameVerifier() {

        public boolean verify(String urlHostName, SSLSession session) {

            System.out.println("Warning: URL Host: " + urlHostName + " vs. "

                               + session.getPeerHost());

            return true;

        }

    };

	private static void trustAllHttpsCertificates() throws Exception {

		javax.net.ssl.TrustManager[] trustAllCerts = new javax.net.ssl.TrustManager[1];

		javax.net.ssl.TrustManager tm = new miTM();

		trustAllCerts[0] = tm;

		javax.net.ssl.SSLContext sc = javax.net.ssl.SSLContext

				.getInstance("SSL");

		sc.init(null, trustAllCerts, null);

		javax.net.ssl.HttpsURLConnection.setDefaultSSLSocketFactory(sc

				.getSocketFactory());

	}

	static class miTM implements javax.net.ssl.TrustManager,

			javax.net.ssl.X509TrustManager {

		public java.security.cert.X509Certificate[] getAcceptedIssuers() {

			return null;

		}

		public boolean isServerTrusted(

				java.security.cert.X509Certificate[] certs) {

			return true;

		}

		public boolean isClientTrusted(

				java.security.cert.X509Certificate[] certs) {

			return true;

		}

		public void checkServerTrusted(

				java.security.cert.X509Certificate[] certs, String authType)

				throws java.security.cert.CertificateException {

			return;

		}

		public void checkClientTrusted(

				java.security.cert.X509Certificate[] certs, String authType)

				throws java.security.cert.CertificateException {

			return;

		}

	}

  

解决PKIX path building failed的问题的更多相关文章

  1. 从头解决PKIX path building failed

    从头解决PKIX path building failed的问题 本篇涉及到PKIX path building failed的原因和解决办法(包括暂时解决和长效解决的方法),也包括HTTP和HTTP ...

  2. 解决PKIX path building failed

    起因 上周在生产环境部署时,把安全证书加到k8s-ingress中时发现报该错误 解决 找网上解决方案,因为这种问题相对比较少见,也没百度,直接谷歌,找到解决方案如下:https://stackove ...

  3. 解决 java 使用ssl过程中出现"PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target"

    今天,封装HttpClient使用ssl时报一下错误: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorExc ...

  4. 解决PKIX(PKIX path building failed) 问题 unable to find valid certification path to requested target

    最近在写java的一个服务,需要给远程服务器发送post请求,认证方式为Basic Authentication,在请求过程中出现了 PKIX path building failed: sun.se ...

  5. 抓取https网页时,报错sun.security.validator.ValidatorException: PKIX path building failed 解决办法

    抓取https网页时,报错sun.security.validator.ValidatorException: PKIX path building failed 解决办法 原因是https证书问题, ...

  6. 解决CAS单点登录出现PKIX path building failed的问题

    在一次调试中,出现了这个错误: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderExceptio ...

  7. 解决 sun.security.validator.ValidatorException: PKIX path building failed

    今天用java HttpClients写爬虫在访问某Https站点报如下错误: sun.security.validator.ValidatorException: PKIX path buildin ...

  8. jsoup访问页面: PKIX path building failed

    在用jsoup访问页面时报错javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX p ...

  9. 异常信息:javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed

    上周五遇到一个问题,工程本地编译运行正常,打包本地tomcat运行也正常.部署到测试环境报错: 2017-05-05 09:38:11.645 ERROR [HttpPoolClientsUtil.j ...

随机推荐

  1. 把数据存储到 XML 文件

    通常,我们在数据库中存储数据.不过,如果希望数据的可移植性更强,我们可以把数据存储 XML 文件中. 创建并保存 XML 文件 如果数据要被传送到非 Windows 平台上的应用程序,那么把数据保存在 ...

  2. CDOJ 1073 线段树 单点更新+区间查询 水题

    H - 秋实大哥与线段树 Time Limit:1000MS     Memory Limit:65535KB     64bit IO Format:%lld & %llu Submit S ...

  3. ZooKeeper 原生API操作

    zookeeper客户端和服务器会话的建立是一个异步的过程,也就是说在程序中,程序方法在处理完客户端初始化后立即返回(即程序继续往下执行代码,这样,在大多数情况下并没有真正的构建好一个可用会话,在会话 ...

  4. [CF1101F]Trucks and Cities:分治优化决策单调性

    分析 好像是有一个叫这个名字的算法,链接. 令\(f[i][j][k]\)表示一辆每公里耗油量为\(1\)的货车从\(i\)到\(j\)中途加\(k\)次油最小的油箱容量.枚举所有的起点和中途加油的次 ...

  5. arguments详解——函数内命名参数之映射

    首先,arguments对象是所有(非箭头)函数中都可用的局部变量.你可以使用arguments对象在函数中引用函数的参数.此对象包含传递给函数的每个参数,第一个参数在索引0处. arguments对 ...

  6. python中加入中文注释报错处理

    python中加入中文注释,运行报错如下 解决方法: 在py文件的第一行加入   #coding:utf-8  即可

  7. 关于项目中的一些经验:封装activity、service的基类,封装数据对象

    经验一,将几个页面公用的数据,和方法进行封装,形成一个baseActivity的类: package com.ctbri.weather.control; import java.util.Array ...

  8. tp32-layuicms项目介绍

    项目结构:  项目截图: 登录页 文章列表 码云仓库:https://gitee.com/lim2018/tp32-layuicms

  9. 高级软件测试技术-任务进度-Day03

    任务进度11-15 使用工具 Jira 小组成员 华同学.郭同学.穆同学.沈同学.覃同学.刘同学 任务进度 经过了前两天的学习任务的安排,以下是大家的任务进度: 穆同学(任务1) 1.今天就接着昨天的 ...

  10. Java中class的声明

    在Java中下面Class的声明哪些是错误的?(A,B,C)   A:public abstract final class Test { abstract void method();} B:pub ...