Java在请求某些不受信任的https网站时会报:PKIX path building failed

解决方法一:使用keytool手动导入证书,为JRE环境导入信任证书

参考:http://www.cnblogs.com/wanghaixing/p/5630070.html

方法二:使用代码下载证书保存

参考:https://blog.csdn.net/frankcheng5143/article/details/52164939

方法三:服务器不信任我们自己创建的证书,所以在代码中忽略证书信任问题。

参考:http://mengyang.iteye.com/blog/575671

最后注意:检查eclipse/myeclipse的JDK或JRE,是否为你导入证书的JRE。

注意:myeclipse是自带JDK的,JDK中自带JRE,而我们通过命令导入的jre是系统环境变量下path的jre。

两者很可能不是同一个,要改myeclipse的配置。(具体操作很简单,windows-->preferences-->搜索jre)

方法二代码实现

功能:把目标host证书保存到jre/lib/security/jssecacerts文件,亲测有效

import java.io.BufferedReader;

import java.io.File;

import java.io.FileInputStream;

import java.io.FileNotFoundException;

import java.io.FileOutputStream;

import java.io.IOException;

import java.io.InputStream;

import java.io.InputStreamReader;

import java.io.OutputStream;

import java.security.*;

import javax.net.ssl.*;

import java.security.cert.*;

import org.junit.Test;

public class certUtils {

	private int port = 443;

	private char[] passphrase="changeit".toCharArray();

	/**

	 * @param host 例:www.80s.tw

	 * @param port	https默认为443端口

	 * @param passphrase keyStore密码

	 */

	public void installCert(String host, int port, char[] passphrase) {

		//文件分隔符

		char SEP = File.separatorChar;

		//获取jre/lib/security目录

		File dir = new File(System.getProperty("java.home") + SEP + "lib" + SEP

				+ "security");

		//新建文件jre/lib/security/jssecacerts,向文件输出时文件才真正创建

		File file = new File(dir, "jssecacerts");

		//jssecacerts文件不存在时,获取jre/lib/security/cacerts文件索引

		if (file.isFile() == false) {

			file = new File(dir, "cacerts");

		}

		System.out.println("Loading KeyStore " + file + "...");

		try {

			InputStream in = new FileInputStream(file);

			KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());

			ks.load(in, passphrase);

			in.close();

			SSLContext context = SSLContext.getInstance("TLS");

			TrustManagerFactory tmf = TrustManagerFactory

					.getInstance(TrustManagerFactory.getDefaultAlgorithm());

			tmf.init(ks);

			X509TrustManager defaultTrustManager = (X509TrustManager) tmf

					.getTrustManagers()[0];

			SavingTrustManager tm = new SavingTrustManager(defaultTrustManager);

			context.init(null, new TrustManager[] { tm }, null);

			SSLSocketFactory factory = context.getSocketFactory();

			//与目标主机进行连接

			System.out.println("Opening connection to " + host + ":" + port);

			try {

				SSLSocket socket = (SSLSocket) factory.createSocket(host, port);

				socket.setSoTimeout(10000);

				System.out.println("Starting SSL handshake...");

				socket.startHandshake();

				socket.close();

				System.out.println("No errors, certificate is already trusted");

			} catch (Exception e) {

				e.printStackTrace();

			}

			X509Certificate[] chain = tm.chain;

			if (chain == null) {

				return;

			}

			BufferedReader reader = new BufferedReader(new InputStreamReader(

					System.in));

			MessageDigest sha1 = MessageDigest.getInstance("SHA1");

			MessageDigest md5 = MessageDigest.getInstance("MD5");

			for (int i = 0; i < chain.length; i++) {

				X509Certificate cert = chain[i];

				sha1.update(cert.getEncoded());

				md5.update(cert.getEncoded());

			}

			// 默认证书链第一个

			int index = 0;

			X509Certificate cert = chain[index];

			String alias = host + "-" + (index + 1);

			ks.setCertificateEntry(alias, cert);

			// keyStore保存到文件jssecacerts

			File jssecacerts = new File(dir, "jssecacerts");

			OutputStream out = new FileOutputStream(jssecacerts);

			ks.store(out, passphrase);

			out.close();

			System.out.println("-----打印cert-----");

			System.out.println(cert);

		} catch (Exception e) {

			e.printStackTrace();

		}

	}

	private final char[] HEXDIGITS = "0123456789abcdef".toCharArray();

	private String toHexString(byte[] bytes) {

		StringBuilder sb = new StringBuilder(bytes.length * 3);

		for (int b : bytes) {

			b &= 0xff;

			sb.append(HEXDIGITS[b >> 4]);

			sb.append(HEXDIGITS[b & 15]);

			sb.append(' ');

		}

		return sb.toString();

	}

	private class SavingTrustManager implements X509TrustManager {

		private final X509TrustManager tm;

		private X509Certificate[] chain;

		SavingTrustManager(X509TrustManager tm) {

			this.tm = tm;

		}

		public X509Certificate[] getAcceptedIssuers() {

			throw new UnsupportedOperationException();

		}

		public void checkClientTrusted(X509Certificate[] chain, String authType)

				throws CertificateException {

			throw new UnsupportedOperationException();

		}

		public void checkServerTrusted(X509Certificate[] chain, String authType)

				throws CertificateException {

			this.chain = chain;

			tm.checkServerTrusted(chain, authType);

		}

	}

}

  

查看证书

keytool -list -v -alias aurora -keystore "C:/Program Files/Java/jdk1.7.0_03/jre/lib/security/cacerts" -storepass changeit  
这条命令是在JDK安装的密钥库中,查找别名是aurora的证书,密钥库口令是changeit。

删除证书

keytool -delete -alias aurora -keystore "C:/Program Files/Java/jdk1.7.0_03/jre/lib/security/cacerts" -storepass changeit

删除别名是aurora的证书。

方法三代码实现

  只要在创建connection之前调用两个方法:

  由于有网友这么说:这样做是放弃了证书的认证,那你们用https还有什么意义呢?就好像搭建了一个https的server,最后在认证失败的时候放弃认证,直接选择信任,那么这个https的server就沦落为一个http的server了,而且性能要比http差

  在下就没有测试,请自行测试。

trustAllHttpsCertificates();

HttpsURLConnection.setDefaultHostnameVerifier(hv);

  

HostnameVerifier hv = new HostnameVerifier() {

        public boolean verify(String urlHostName, SSLSession session) {

            System.out.println("Warning: URL Host: " + urlHostName + " vs. "

                               + session.getPeerHost());

            return true;

        }

    };

	private static void trustAllHttpsCertificates() throws Exception {

		javax.net.ssl.TrustManager[] trustAllCerts = new javax.net.ssl.TrustManager[1];

		javax.net.ssl.TrustManager tm = new miTM();

		trustAllCerts[0] = tm;

		javax.net.ssl.SSLContext sc = javax.net.ssl.SSLContext

				.getInstance("SSL");

		sc.init(null, trustAllCerts, null);

		javax.net.ssl.HttpsURLConnection.setDefaultSSLSocketFactory(sc

				.getSocketFactory());

	}

	static class miTM implements javax.net.ssl.TrustManager,

			javax.net.ssl.X509TrustManager {

		public java.security.cert.X509Certificate[] getAcceptedIssuers() {

			return null;

		}

		public boolean isServerTrusted(

				java.security.cert.X509Certificate[] certs) {

			return true;

		}

		public boolean isClientTrusted(

				java.security.cert.X509Certificate[] certs) {

			return true;

		}

		public void checkServerTrusted(

				java.security.cert.X509Certificate[] certs, String authType)

				throws java.security.cert.CertificateException {

			return;

		}

		public void checkClientTrusted(

				java.security.cert.X509Certificate[] certs, String authType)

				throws java.security.cert.CertificateException {

			return;

		}

	}

  

解决PKIX path building failed的问题的更多相关文章

  1. 从头解决PKIX path building failed

    从头解决PKIX path building failed的问题 本篇涉及到PKIX path building failed的原因和解决办法(包括暂时解决和长效解决的方法),也包括HTTP和HTTP ...

  2. 解决PKIX path building failed

    起因 上周在生产环境部署时,把安全证书加到k8s-ingress中时发现报该错误 解决 找网上解决方案,因为这种问题相对比较少见,也没百度,直接谷歌,找到解决方案如下:https://stackove ...

  3. 解决 java 使用ssl过程中出现"PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target"

    今天,封装HttpClient使用ssl时报一下错误: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorExc ...

  4. 解决PKIX(PKIX path building failed) 问题 unable to find valid certification path to requested target

    最近在写java的一个服务,需要给远程服务器发送post请求,认证方式为Basic Authentication,在请求过程中出现了 PKIX path building failed: sun.se ...

  5. 抓取https网页时,报错sun.security.validator.ValidatorException: PKIX path building failed 解决办法

    抓取https网页时,报错sun.security.validator.ValidatorException: PKIX path building failed 解决办法 原因是https证书问题, ...

  6. 解决CAS单点登录出现PKIX path building failed的问题

    在一次调试中,出现了这个错误: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderExceptio ...

  7. 解决 sun.security.validator.ValidatorException: PKIX path building failed

    今天用java HttpClients写爬虫在访问某Https站点报如下错误: sun.security.validator.ValidatorException: PKIX path buildin ...

  8. jsoup访问页面: PKIX path building failed

    在用jsoup访问页面时报错javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX p ...

  9. 异常信息:javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed

    上周五遇到一个问题,工程本地编译运行正常,打包本地tomcat运行也正常.部署到测试环境报错: 2017-05-05 09:38:11.645 ERROR [HttpPoolClientsUtil.j ...

随机推荐

  1. noip模拟题 Market

    题面描述: 数据范围: Solution: 我们发现\(v\)很小,但是\(M\)很大,考虑转化一下一般的背包 我们用\(f[v]\)来表示拿到价值为\(v\)的物品需要付出的最少代价,特别的,当\( ...

  2. 'utf-8' codec can't decode byte 0xd0 in position 0问题

    今天利用pd.read_csv(url)从网络上读取数据时出现了如下错误: 'utf-8' codec can't decode byte 0xd0 in position 0 问题原因:网络上的这个 ...

  3. java开发需掌握技能1

    1.熟练掌握Java基础.语法规范.集合框架等,基础语法.Java关键字.内部类.泛型.集合类使用场景2.Java io/nio框架体系.文本文件.二进制文件读写.nio.buffer机制3.Jsp. ...

  4. 高级软件测试技术-任务进度-Day02

    任务进度11-14 使用工具 Jira 小组成员 华同学.郭同学.穆同学.沈同学.覃同学.刘同学 任务进度 在经过了昨天的基本任务分配之后,今天大家就开始了各自的内容,以下是大家任务的进度情况汇总. ...

  5. leetcode-easy-array-66 .plus one

    mycode 主要在计算商和余数的时候一定要用还没更新的商和余数哦 class Solution(object): def plusOne(self, digits): ""&qu ...

  6. zay大爷的神仙题目 D1T1-大美江湖

    在前几天的时候,千古神犇zay(吊打zhx那个)出了一套神仙题目,所以我得来分析分析QWQ 先补个网易云链接QWQ 毕竟是T1嘛,还算是比较简单的,那道题,读完题目就发现是个中等模拟(猪国杀算大模拟的 ...

  7. eclipse 4.32 安装 gradle

    更新网址  http://dist.springsource.com/release/TOOLS/gradle

  8. docker英语

    demotevt. 使降级:使降职 promotevt. 促进:提升:推销:发扬 swarmn. 一大群:蜂群:人群:一大群小型天体同时在空中出现 worker 工人manager 经理swarm 人 ...

  9. Navicat Premium Mac 12 破解方法-亲测成功

    参照这2篇文档,破解成功了.操作步骤写的很清楚,不再缀述,只记录一下自己破解过程中,认为要注意的点.以免以后再多花时间熟悉重新熟悉操作步骤 Mac安装Navicat(破解版) Navicat Prem ...

  10. 吃着火锅唱着歌学会Docker

    第一篇:Docker概述 第二篇:Docker之版本与安装 第三篇:Docker之镜像 第四篇:Docker之容器 第五篇:Dcoker之容器与镜像 第六篇:Docker之网络管理 第七篇:Docke ...