Java在请求某些不受信任的https网站时会报:PKIX path building failed

解决方法一:使用keytool手动导入证书,为JRE环境导入信任证书

参考:http://www.cnblogs.com/wanghaixing/p/5630070.html

方法二:使用代码下载证书保存

参考:https://blog.csdn.net/frankcheng5143/article/details/52164939

方法三:服务器不信任我们自己创建的证书,所以在代码中忽略证书信任问题。

参考:http://mengyang.iteye.com/blog/575671

最后注意:检查eclipse/myeclipse的JDK或JRE,是否为你导入证书的JRE。

注意:myeclipse是自带JDK的,JDK中自带JRE,而我们通过命令导入的jre是系统环境变量下path的jre。

两者很可能不是同一个,要改myeclipse的配置。(具体操作很简单,windows-->preferences-->搜索jre)

方法二代码实现

功能:把目标host证书保存到jre/lib/security/jssecacerts文件,亲测有效

import java.io.BufferedReader;

import java.io.File;

import java.io.FileInputStream;

import java.io.FileNotFoundException;

import java.io.FileOutputStream;

import java.io.IOException;

import java.io.InputStream;

import java.io.InputStreamReader;

import java.io.OutputStream;

import java.security.*;

import javax.net.ssl.*;

import java.security.cert.*;

import org.junit.Test;

public class certUtils {

	private int port = 443;

	private char[] passphrase="changeit".toCharArray();

	/**

	 * @param host 例:www.80s.tw

	 * @param port	https默认为443端口

	 * @param passphrase keyStore密码

	 */

	public void installCert(String host, int port, char[] passphrase) {

		//文件分隔符

		char SEP = File.separatorChar;

		//获取jre/lib/security目录

		File dir = new File(System.getProperty("java.home") + SEP + "lib" + SEP

				+ "security");

		//新建文件jre/lib/security/jssecacerts,向文件输出时文件才真正创建

		File file = new File(dir, "jssecacerts");

		//jssecacerts文件不存在时,获取jre/lib/security/cacerts文件索引

		if (file.isFile() == false) {

			file = new File(dir, "cacerts");

		}

		System.out.println("Loading KeyStore " + file + "...");

		try {

			InputStream in = new FileInputStream(file);

			KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());

			ks.load(in, passphrase);

			in.close();

			SSLContext context = SSLContext.getInstance("TLS");

			TrustManagerFactory tmf = TrustManagerFactory

					.getInstance(TrustManagerFactory.getDefaultAlgorithm());

			tmf.init(ks);

			X509TrustManager defaultTrustManager = (X509TrustManager) tmf

					.getTrustManagers()[0];

			SavingTrustManager tm = new SavingTrustManager(defaultTrustManager);

			context.init(null, new TrustManager[] { tm }, null);

			SSLSocketFactory factory = context.getSocketFactory();

			//与目标主机进行连接

			System.out.println("Opening connection to " + host + ":" + port);

			try {

				SSLSocket socket = (SSLSocket) factory.createSocket(host, port);

				socket.setSoTimeout(10000);

				System.out.println("Starting SSL handshake...");

				socket.startHandshake();

				socket.close();

				System.out.println("No errors, certificate is already trusted");

			} catch (Exception e) {

				e.printStackTrace();

			}

			X509Certificate[] chain = tm.chain;

			if (chain == null) {

				return;

			}

			BufferedReader reader = new BufferedReader(new InputStreamReader(

					System.in));

			MessageDigest sha1 = MessageDigest.getInstance("SHA1");

			MessageDigest md5 = MessageDigest.getInstance("MD5");

			for (int i = 0; i < chain.length; i++) {

				X509Certificate cert = chain[i];

				sha1.update(cert.getEncoded());

				md5.update(cert.getEncoded());

			}

			// 默认证书链第一个

			int index = 0;

			X509Certificate cert = chain[index];

			String alias = host + "-" + (index + 1);

			ks.setCertificateEntry(alias, cert);

			// keyStore保存到文件jssecacerts

			File jssecacerts = new File(dir, "jssecacerts");

			OutputStream out = new FileOutputStream(jssecacerts);

			ks.store(out, passphrase);

			out.close();

			System.out.println("-----打印cert-----");

			System.out.println(cert);

		} catch (Exception e) {

			e.printStackTrace();

		}

	}

	private final char[] HEXDIGITS = "0123456789abcdef".toCharArray();

	private String toHexString(byte[] bytes) {

		StringBuilder sb = new StringBuilder(bytes.length * 3);

		for (int b : bytes) {

			b &= 0xff;

			sb.append(HEXDIGITS[b >> 4]);

			sb.append(HEXDIGITS[b & 15]);

			sb.append(' ');

		}

		return sb.toString();

	}

	private class SavingTrustManager implements X509TrustManager {

		private final X509TrustManager tm;

		private X509Certificate[] chain;

		SavingTrustManager(X509TrustManager tm) {

			this.tm = tm;

		}

		public X509Certificate[] getAcceptedIssuers() {

			throw new UnsupportedOperationException();

		}

		public void checkClientTrusted(X509Certificate[] chain, String authType)

				throws CertificateException {

			throw new UnsupportedOperationException();

		}

		public void checkServerTrusted(X509Certificate[] chain, String authType)

				throws CertificateException {

			this.chain = chain;

			tm.checkServerTrusted(chain, authType);

		}

	}

}

  

查看证书

keytool -list -v -alias aurora -keystore "C:/Program Files/Java/jdk1.7.0_03/jre/lib/security/cacerts" -storepass changeit  
这条命令是在JDK安装的密钥库中,查找别名是aurora的证书,密钥库口令是changeit。

删除证书

keytool -delete -alias aurora -keystore "C:/Program Files/Java/jdk1.7.0_03/jre/lib/security/cacerts" -storepass changeit

删除别名是aurora的证书。

方法三代码实现

  只要在创建connection之前调用两个方法:

  由于有网友这么说:这样做是放弃了证书的认证,那你们用https还有什么意义呢?就好像搭建了一个https的server,最后在认证失败的时候放弃认证,直接选择信任,那么这个https的server就沦落为一个http的server了,而且性能要比http差

  在下就没有测试,请自行测试。

trustAllHttpsCertificates();

HttpsURLConnection.setDefaultHostnameVerifier(hv);

  

HostnameVerifier hv = new HostnameVerifier() {

        public boolean verify(String urlHostName, SSLSession session) {

            System.out.println("Warning: URL Host: " + urlHostName + " vs. "

                               + session.getPeerHost());

            return true;

        }

    };

	private static void trustAllHttpsCertificates() throws Exception {

		javax.net.ssl.TrustManager[] trustAllCerts = new javax.net.ssl.TrustManager[1];

		javax.net.ssl.TrustManager tm = new miTM();

		trustAllCerts[0] = tm;

		javax.net.ssl.SSLContext sc = javax.net.ssl.SSLContext

				.getInstance("SSL");

		sc.init(null, trustAllCerts, null);

		javax.net.ssl.HttpsURLConnection.setDefaultSSLSocketFactory(sc

				.getSocketFactory());

	}

	static class miTM implements javax.net.ssl.TrustManager,

			javax.net.ssl.X509TrustManager {

		public java.security.cert.X509Certificate[] getAcceptedIssuers() {

			return null;

		}

		public boolean isServerTrusted(

				java.security.cert.X509Certificate[] certs) {

			return true;

		}

		public boolean isClientTrusted(

				java.security.cert.X509Certificate[] certs) {

			return true;

		}

		public void checkServerTrusted(

				java.security.cert.X509Certificate[] certs, String authType)

				throws java.security.cert.CertificateException {

			return;

		}

		public void checkClientTrusted(

				java.security.cert.X509Certificate[] certs, String authType)

				throws java.security.cert.CertificateException {

			return;

		}

	}

  

解决PKIX path building failed的问题的更多相关文章

  1. 从头解决PKIX path building failed

    从头解决PKIX path building failed的问题 本篇涉及到PKIX path building failed的原因和解决办法(包括暂时解决和长效解决的方法),也包括HTTP和HTTP ...

  2. 解决PKIX path building failed

    起因 上周在生产环境部署时,把安全证书加到k8s-ingress中时发现报该错误 解决 找网上解决方案,因为这种问题相对比较少见,也没百度,直接谷歌,找到解决方案如下:https://stackove ...

  3. 解决 java 使用ssl过程中出现"PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target"

    今天,封装HttpClient使用ssl时报一下错误: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorExc ...

  4. 解决PKIX(PKIX path building failed) 问题 unable to find valid certification path to requested target

    最近在写java的一个服务,需要给远程服务器发送post请求,认证方式为Basic Authentication,在请求过程中出现了 PKIX path building failed: sun.se ...

  5. 抓取https网页时,报错sun.security.validator.ValidatorException: PKIX path building failed 解决办法

    抓取https网页时,报错sun.security.validator.ValidatorException: PKIX path building failed 解决办法 原因是https证书问题, ...

  6. 解决CAS单点登录出现PKIX path building failed的问题

    在一次调试中,出现了这个错误: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderExceptio ...

  7. 解决 sun.security.validator.ValidatorException: PKIX path building failed

    今天用java HttpClients写爬虫在访问某Https站点报如下错误: sun.security.validator.ValidatorException: PKIX path buildin ...

  8. jsoup访问页面: PKIX path building failed

    在用jsoup访问页面时报错javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX p ...

  9. 异常信息:javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed

    上周五遇到一个问题,工程本地编译运行正常,打包本地tomcat运行也正常.部署到测试环境报错: 2017-05-05 09:38:11.645 ERROR [HttpPoolClientsUtil.j ...

随机推荐

  1. C++ -- 类与成员

    一.初始化列表 1.是构造函数中一种成员的初始化方式   例如,class    类名 { 类名(参数列表):成员1(成员1),成员2(成员2)... {   } } 2.用此方法可以解决类中的成员与 ...

  2. BZOJ 5028 小z的加油站

    bzoj链接 Time limit 10000 ms Memory limit 262144 kB OS Linux 感想 树上动态gcd的第二题也好了. [x] BZOJ 2257 [JSOI200 ...

  3. Windows10 + VS2015 环境下对gdal2.0.1进行64bit编译小结

    这是官方给出的编译指导,但是在实践过程中有几点仍然需要特别注意. Tip 1:不要使用默认的"VS开发人员命令提示"工具,使用该工具会遭遇如下的错误: 正在创建库 gdal_i.l ...

  4. centos网卡配置NM_CONTROLLED=”yes” 慎用

    今天有1台服务器修改了 /etc/sysconfig/network-scripts/ifcfg-eth0 配置文件中的一个参数: NM_CONTROLLED=“yes” 修改成 NM_CONTROL ...

  5. jQuery-validate插件初级篇

    特别提示:本人博客部分有参考网络其他博客,但均是本人亲手编写过并验证通过.如发现博客有错误,请及时提出以免误导其他人,谢谢!欢迎转载,但记得标明文章出处:http://www.cnblogs.com/ ...

  6. Ubuntu 12.04输入密码登陆后又跳回到登录界面

    先找到这个文件: /home/user/.xsession-errors 打开这个文件.   这个文件记录了系统启动的日志,从这里你就可以看到启动的时候哪里出了问题. 对于我的来说,问题出在这里: & ...

  7. php中用生成的公钥、私钥进行加密解密

    $private_key = '-----BEGIN RSA PRIVATE KEY-----MIICXQIBAAKBgQDpoODVtnSztGyb//p+g/Ob36jb3jzWzS2qovOjp ...

  8. Html/CSS 示例演练 图书馆后台界面

    示例演练(html css javascript) --制作图书馆后台界面 1. 成品图

  9. hdu 6219 Empty Convex Polygons (凸包)

    给你n个点,求面积最大的凸多边形,使得这个凸多边形没有内点. 考虑求凸包的graham算法,需要找到左下角的点,再进行极角排序后按顺序扫点,所以先枚举左下角的点. 这个过程中,如果遇到内点,就需要把这 ...

  10. Unity Mathf And Transform Compent(一)

    Mathf类部分变量 辐射到度的转化函数,能够将弧度转化成度. Abs 能够求出绝对值 Atan 求出正切值x/y的弧度 Transform 组件中带有local 以父物体为坐标原点 global以世 ...