Java在请求某些不受信任的https网站时会报:PKIX path building failed

解决方法一:使用keytool手动导入证书,为JRE环境导入信任证书

参考:http://www.cnblogs.com/wanghaixing/p/5630070.html

方法二:使用代码下载证书保存

参考:https://blog.csdn.net/frankcheng5143/article/details/52164939

方法三:服务器不信任我们自己创建的证书,所以在代码中忽略证书信任问题。

参考:http://mengyang.iteye.com/blog/575671

最后注意:检查eclipse/myeclipse的JDK或JRE,是否为你导入证书的JRE。

注意:myeclipse是自带JDK的,JDK中自带JRE,而我们通过命令导入的jre是系统环境变量下path的jre。

两者很可能不是同一个,要改myeclipse的配置。(具体操作很简单,windows-->preferences-->搜索jre)

方法二代码实现

功能:把目标host证书保存到jre/lib/security/jssecacerts文件,亲测有效

import java.io.BufferedReader;

import java.io.File;

import java.io.FileInputStream;

import java.io.FileNotFoundException;

import java.io.FileOutputStream;

import java.io.IOException;

import java.io.InputStream;

import java.io.InputStreamReader;

import java.io.OutputStream;

import java.security.*;

import javax.net.ssl.*;

import java.security.cert.*;

import org.junit.Test;

public class certUtils {

	private int port = 443;

	private char[] passphrase="changeit".toCharArray();

	/**

	 * @param host 例:www.80s.tw

	 * @param port	https默认为443端口

	 * @param passphrase keyStore密码

	 */

	public void installCert(String host, int port, char[] passphrase) {

		//文件分隔符

		char SEP = File.separatorChar;

		//获取jre/lib/security目录

		File dir = new File(System.getProperty("java.home") + SEP + "lib" + SEP

				+ "security");

		//新建文件jre/lib/security/jssecacerts,向文件输出时文件才真正创建

		File file = new File(dir, "jssecacerts");

		//jssecacerts文件不存在时,获取jre/lib/security/cacerts文件索引

		if (file.isFile() == false) {

			file = new File(dir, "cacerts");

		}

		System.out.println("Loading KeyStore " + file + "...");

		try {

			InputStream in = new FileInputStream(file);

			KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());

			ks.load(in, passphrase);

			in.close();

			SSLContext context = SSLContext.getInstance("TLS");

			TrustManagerFactory tmf = TrustManagerFactory

					.getInstance(TrustManagerFactory.getDefaultAlgorithm());

			tmf.init(ks);

			X509TrustManager defaultTrustManager = (X509TrustManager) tmf

					.getTrustManagers()[0];

			SavingTrustManager tm = new SavingTrustManager(defaultTrustManager);

			context.init(null, new TrustManager[] { tm }, null);

			SSLSocketFactory factory = context.getSocketFactory();

			//与目标主机进行连接

			System.out.println("Opening connection to " + host + ":" + port);

			try {

				SSLSocket socket = (SSLSocket) factory.createSocket(host, port);

				socket.setSoTimeout(10000);

				System.out.println("Starting SSL handshake...");

				socket.startHandshake();

				socket.close();

				System.out.println("No errors, certificate is already trusted");

			} catch (Exception e) {

				e.printStackTrace();

			}

			X509Certificate[] chain = tm.chain;

			if (chain == null) {

				return;

			}

			BufferedReader reader = new BufferedReader(new InputStreamReader(

					System.in));

			MessageDigest sha1 = MessageDigest.getInstance("SHA1");

			MessageDigest md5 = MessageDigest.getInstance("MD5");

			for (int i = 0; i < chain.length; i++) {

				X509Certificate cert = chain[i];

				sha1.update(cert.getEncoded());

				md5.update(cert.getEncoded());

			}

			// 默认证书链第一个

			int index = 0;

			X509Certificate cert = chain[index];

			String alias = host + "-" + (index + 1);

			ks.setCertificateEntry(alias, cert);

			// keyStore保存到文件jssecacerts

			File jssecacerts = new File(dir, "jssecacerts");

			OutputStream out = new FileOutputStream(jssecacerts);

			ks.store(out, passphrase);

			out.close();

			System.out.println("-----打印cert-----");

			System.out.println(cert);

		} catch (Exception e) {

			e.printStackTrace();

		}

	}

	private final char[] HEXDIGITS = "0123456789abcdef".toCharArray();

	private String toHexString(byte[] bytes) {

		StringBuilder sb = new StringBuilder(bytes.length * 3);

		for (int b : bytes) {

			b &= 0xff;

			sb.append(HEXDIGITS[b >> 4]);

			sb.append(HEXDIGITS[b & 15]);

			sb.append(' ');

		}

		return sb.toString();

	}

	private class SavingTrustManager implements X509TrustManager {

		private final X509TrustManager tm;

		private X509Certificate[] chain;

		SavingTrustManager(X509TrustManager tm) {

			this.tm = tm;

		}

		public X509Certificate[] getAcceptedIssuers() {

			throw new UnsupportedOperationException();

		}

		public void checkClientTrusted(X509Certificate[] chain, String authType)

				throws CertificateException {

			throw new UnsupportedOperationException();

		}

		public void checkServerTrusted(X509Certificate[] chain, String authType)

				throws CertificateException {

			this.chain = chain;

			tm.checkServerTrusted(chain, authType);

		}

	}

}

  

查看证书

keytool -list -v -alias aurora -keystore "C:/Program Files/Java/jdk1.7.0_03/jre/lib/security/cacerts" -storepass changeit  
这条命令是在JDK安装的密钥库中,查找别名是aurora的证书,密钥库口令是changeit。

删除证书

keytool -delete -alias aurora -keystore "C:/Program Files/Java/jdk1.7.0_03/jre/lib/security/cacerts" -storepass changeit

删除别名是aurora的证书。

方法三代码实现

  只要在创建connection之前调用两个方法:

  由于有网友这么说:这样做是放弃了证书的认证,那你们用https还有什么意义呢?就好像搭建了一个https的server,最后在认证失败的时候放弃认证,直接选择信任,那么这个https的server就沦落为一个http的server了,而且性能要比http差

  在下就没有测试,请自行测试。

trustAllHttpsCertificates();

HttpsURLConnection.setDefaultHostnameVerifier(hv);

  

HostnameVerifier hv = new HostnameVerifier() {

        public boolean verify(String urlHostName, SSLSession session) {

            System.out.println("Warning: URL Host: " + urlHostName + " vs. "

                               + session.getPeerHost());

            return true;

        }

    };

	private static void trustAllHttpsCertificates() throws Exception {

		javax.net.ssl.TrustManager[] trustAllCerts = new javax.net.ssl.TrustManager[1];

		javax.net.ssl.TrustManager tm = new miTM();

		trustAllCerts[0] = tm;

		javax.net.ssl.SSLContext sc = javax.net.ssl.SSLContext

				.getInstance("SSL");

		sc.init(null, trustAllCerts, null);

		javax.net.ssl.HttpsURLConnection.setDefaultSSLSocketFactory(sc

				.getSocketFactory());

	}

	static class miTM implements javax.net.ssl.TrustManager,

			javax.net.ssl.X509TrustManager {

		public java.security.cert.X509Certificate[] getAcceptedIssuers() {

			return null;

		}

		public boolean isServerTrusted(

				java.security.cert.X509Certificate[] certs) {

			return true;

		}

		public boolean isClientTrusted(

				java.security.cert.X509Certificate[] certs) {

			return true;

		}

		public void checkServerTrusted(

				java.security.cert.X509Certificate[] certs, String authType)

				throws java.security.cert.CertificateException {

			return;

		}

		public void checkClientTrusted(

				java.security.cert.X509Certificate[] certs, String authType)

				throws java.security.cert.CertificateException {

			return;

		}

	}

  

解决PKIX path building failed的问题的更多相关文章

  1. 从头解决PKIX path building failed

    从头解决PKIX path building failed的问题 本篇涉及到PKIX path building failed的原因和解决办法(包括暂时解决和长效解决的方法),也包括HTTP和HTTP ...

  2. 解决PKIX path building failed

    起因 上周在生产环境部署时,把安全证书加到k8s-ingress中时发现报该错误 解决 找网上解决方案,因为这种问题相对比较少见,也没百度,直接谷歌,找到解决方案如下:https://stackove ...

  3. 解决 java 使用ssl过程中出现"PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target"

    今天,封装HttpClient使用ssl时报一下错误: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorExc ...

  4. 解决PKIX(PKIX path building failed) 问题 unable to find valid certification path to requested target

    最近在写java的一个服务,需要给远程服务器发送post请求,认证方式为Basic Authentication,在请求过程中出现了 PKIX path building failed: sun.se ...

  5. 抓取https网页时,报错sun.security.validator.ValidatorException: PKIX path building failed 解决办法

    抓取https网页时,报错sun.security.validator.ValidatorException: PKIX path building failed 解决办法 原因是https证书问题, ...

  6. 解决CAS单点登录出现PKIX path building failed的问题

    在一次调试中,出现了这个错误: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderExceptio ...

  7. 解决 sun.security.validator.ValidatorException: PKIX path building failed

    今天用java HttpClients写爬虫在访问某Https站点报如下错误: sun.security.validator.ValidatorException: PKIX path buildin ...

  8. jsoup访问页面: PKIX path building failed

    在用jsoup访问页面时报错javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX p ...

  9. 异常信息:javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed

    上周五遇到一个问题,工程本地编译运行正常,打包本地tomcat运行也正常.部署到测试环境报错: 2017-05-05 09:38:11.645 ERROR [HttpPoolClientsUtil.j ...

随机推荐

  1. Codeforces 912D Fishs ( 贪心 && 概率期望 && 优先队列 )

    题意 : 给出一个 N * M 的网格,然后给你 K 条鱼给你放置,现有规格为 r * r 的渔网,问你如果渔网随意放置去捕捞小鱼的情况下,捕到的最大期望值是多少? 分析 :  有一个很直观的想法就是 ...

  2. springboot(三).springboot用最简单的方式整合mybatis

     Springboot整合mybatis 在众多的orm框架中,我使用最多的,最习惯的,也是目前使用最广泛的就是mybatis,接下来我们就去将springboot整合mybatis 对于spring ...

  3. 3.并发编程-ReentrantLock 细节说明

    并发编程-ReentrantLock 细节说明 ---title: 并发编程-ReentrantLock 细节说明date: 2018-07-05 09:06:57categories: - 并发编程 ...

  4. 关于option标签的selected属性

    当item的dict_id和custSource一样,那么当前的item的name就被选中并显示在页面 如果直接写selected="selected",就等于直接回显这个集合中最 ...

  5. Oracle JET 使用RequireJS第三方工具或库引入

    在 Oracle JET 应用程序中使用 RequireJS 添加第三方工具或库. 步骤: 1.如果使用工具框架脚手架,需要一下操作. a.使用 npm 安装你需要的库. npm install my ...

  6. jQuery file upload cropper的流程

    https://tkvw.github.io/jQuery-File-Upload/basic-plus-editor.html 最开始初始化jquery.ui.widget.js中的factory( ...

  7. LeetCode_1116.打印零与奇偶数(多线程)

    LeetCode_1116 LeetCode-1116.打印零与奇偶数 假设有这么一个类: class ZeroEvenOdd { public ZeroEvenOdd(int n) { ... } ...

  8. JWT原理和使用

    jwt JSON Web Tokens,是一种开发的行业标准RFC 7519,用于安全的表示双方之间的声明.目前,jwt广泛的用在系统的用户认证方面,特别是前后端分离项目. 1.jwt认证流程 在项目 ...

  9. 阶段3 1.Mybatis_05.使用Mybatis完成CRUD_3 Mybatis的CRUD-修改和删除操作

    增加更新操作 更新用户的配置 测试类 删除的操作 这里的parpameterType值可以是:Integer.INTEGER.int.java.lang.Integer 讲到typeAliases标签 ...

  10. 【MM系列】SAP MM模块-查看移动平均价的历史记录

    公众号:SAP Technical 本文作者:matinal 原文出处:http://www.cnblogs.com/SAPmatinal/ 原文链接:[MM系列]SAP MM模块-查看移动平均价的历 ...