Java在请求某些不受信任的https网站时会报:PKIX path building failed

解决方法一:使用keytool手动导入证书,为JRE环境导入信任证书

参考:http://www.cnblogs.com/wanghaixing/p/5630070.html

方法二:使用代码下载证书保存

参考:https://blog.csdn.net/frankcheng5143/article/details/52164939

方法三:服务器不信任我们自己创建的证书,所以在代码中忽略证书信任问题。

参考:http://mengyang.iteye.com/blog/575671

最后注意:检查eclipse/myeclipse的JDK或JRE,是否为你导入证书的JRE。

注意:myeclipse是自带JDK的,JDK中自带JRE,而我们通过命令导入的jre是系统环境变量下path的jre。

两者很可能不是同一个,要改myeclipse的配置。(具体操作很简单,windows-->preferences-->搜索jre)

方法二代码实现

功能:把目标host证书保存到jre/lib/security/jssecacerts文件,亲测有效

import java.io.BufferedReader;
import java.io.File;
import java.io.FileInputStream;
import java.io.FileNotFoundException;
import java.io.FileOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.InputStreamReader;
import java.io.OutputStream;
import java.security.*;
import javax.net.ssl.*;
import java.security.cert.*;
import org.junit.Test; public class certUtils {
private int port = 443;
private char[] passphrase="changeit".toCharArray(); /**
* @param host 例:www.80s.tw
* @param port https默认为443端口
* @param passphrase keyStore密码
*/
public void installCert(String host, int port, char[] passphrase) {
//文件分隔符
char SEP = File.separatorChar;
//获取jre/lib/security目录
File dir = new File(System.getProperty("java.home") + SEP + "lib" + SEP
+ "security");
//新建文件jre/lib/security/jssecacerts,向文件输出时文件才真正创建
File file = new File(dir, "jssecacerts");
//jssecacerts文件不存在时,获取jre/lib/security/cacerts文件索引
if (file.isFile() == false) {
file = new File(dir, "cacerts");
}
System.out.println("Loading KeyStore " + file + "...");
try {
InputStream in = new FileInputStream(file);
KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
ks.load(in, passphrase);
in.close();
SSLContext context = SSLContext.getInstance("TLS");
TrustManagerFactory tmf = TrustManagerFactory
.getInstance(TrustManagerFactory.getDefaultAlgorithm());
tmf.init(ks);
X509TrustManager defaultTrustManager = (X509TrustManager) tmf
.getTrustManagers()[0];
SavingTrustManager tm = new SavingTrustManager(defaultTrustManager);
context.init(null, new TrustManager[] { tm }, null);
SSLSocketFactory factory = context.getSocketFactory(); //与目标主机进行连接
System.out.println("Opening connection to " + host + ":" + port);
try {
SSLSocket socket = (SSLSocket) factory.createSocket(host, port);
socket.setSoTimeout(10000);
System.out.println("Starting SSL handshake...");
socket.startHandshake();
socket.close();
System.out.println("No errors, certificate is already trusted");
} catch (Exception e) {
e.printStackTrace();
} X509Certificate[] chain = tm.chain;
if (chain == null) {
return;
} BufferedReader reader = new BufferedReader(new InputStreamReader(
System.in));
MessageDigest sha1 = MessageDigest.getInstance("SHA1");
MessageDigest md5 = MessageDigest.getInstance("MD5");
for (int i = 0; i < chain.length; i++) {
X509Certificate cert = chain[i];
sha1.update(cert.getEncoded());
md5.update(cert.getEncoded());
}
// 默认证书链第一个
int index = 0;
X509Certificate cert = chain[index];
String alias = host + "-" + (index + 1);
ks.setCertificateEntry(alias, cert); // keyStore保存到文件jssecacerts
File jssecacerts = new File(dir, "jssecacerts");
OutputStream out = new FileOutputStream(jssecacerts);
ks.store(out, passphrase);
out.close(); System.out.println("-----打印cert-----");
System.out.println(cert);
} catch (Exception e) {
e.printStackTrace();
}
} private final char[] HEXDIGITS = "0123456789abcdef".toCharArray(); private String toHexString(byte[] bytes) {
StringBuilder sb = new StringBuilder(bytes.length * 3);
for (int b : bytes) {
b &= 0xff;
sb.append(HEXDIGITS[b >> 4]);
sb.append(HEXDIGITS[b & 15]);
sb.append(' ');
}
return sb.toString();
} private class SavingTrustManager implements X509TrustManager { private final X509TrustManager tm;
private X509Certificate[] chain; SavingTrustManager(X509TrustManager tm) {
this.tm = tm;
} public X509Certificate[] getAcceptedIssuers() {
throw new UnsupportedOperationException();
} public void checkClientTrusted(X509Certificate[] chain, String authType)
throws CertificateException {
throw new UnsupportedOperationException();
} public void checkServerTrusted(X509Certificate[] chain, String authType)
throws CertificateException {
this.chain = chain;
tm.checkServerTrusted(chain, authType);
}
}
}

  

查看证书

keytool -list -v -alias aurora -keystore "C:/Program Files/Java/jdk1.7.0_03/jre/lib/security/cacerts" -storepass changeit  
这条命令是在JDK安装的密钥库中,查找别名是aurora的证书,密钥库口令是changeit。

删除证书

keytool -delete -alias aurora -keystore "C:/Program Files/Java/jdk1.7.0_03/jre/lib/security/cacerts" -storepass changeit
删除别名是aurora的证书。

方法三代码实现

  只要在创建connection之前调用两个方法:

  由于有网友这么说:这样做是放弃了证书的认证,那你们用https还有什么意义呢?就好像搭建了一个https的server,最后在认证失败的时候放弃认证,直接选择信任,那么这个https的server就沦落为一个http的server了,而且性能要比http差

  在下就没有测试,请自行测试。

trustAllHttpsCertificates();
HttpsURLConnection.setDefaultHostnameVerifier(hv);

  

HostnameVerifier hv = new HostnameVerifier() {
public boolean verify(String urlHostName, SSLSession session) {
System.out.println("Warning: URL Host: " + urlHostName + " vs. "
+ session.getPeerHost());
return true;
}
}; private static void trustAllHttpsCertificates() throws Exception {
javax.net.ssl.TrustManager[] trustAllCerts = new javax.net.ssl.TrustManager[1];
javax.net.ssl.TrustManager tm = new miTM();
trustAllCerts[0] = tm;
javax.net.ssl.SSLContext sc = javax.net.ssl.SSLContext
.getInstance("SSL");
sc.init(null, trustAllCerts, null);
javax.net.ssl.HttpsURLConnection.setDefaultSSLSocketFactory(sc
.getSocketFactory());
} static class miTM implements javax.net.ssl.TrustManager,
javax.net.ssl.X509TrustManager {
public java.security.cert.X509Certificate[] getAcceptedIssuers() {
return null;
} public boolean isServerTrusted(
java.security.cert.X509Certificate[] certs) {
return true;
} public boolean isClientTrusted(
java.security.cert.X509Certificate[] certs) {
return true;
} public void checkServerTrusted(
java.security.cert.X509Certificate[] certs, String authType)
throws java.security.cert.CertificateException {
return;
} public void checkClientTrusted(
java.security.cert.X509Certificate[] certs, String authType)
throws java.security.cert.CertificateException {
return;
}
}

  

解决PKIX path building failed的问题的更多相关文章

  1. 从头解决PKIX path building failed

    从头解决PKIX path building failed的问题 本篇涉及到PKIX path building failed的原因和解决办法(包括暂时解决和长效解决的方法),也包括HTTP和HTTP ...

  2. 解决PKIX path building failed

    起因 上周在生产环境部署时,把安全证书加到k8s-ingress中时发现报该错误 解决 找网上解决方案,因为这种问题相对比较少见,也没百度,直接谷歌,找到解决方案如下:https://stackove ...

  3. 解决 java 使用ssl过程中出现"PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target"

    今天,封装HttpClient使用ssl时报一下错误: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorExc ...

  4. 解决PKIX(PKIX path building failed) 问题 unable to find valid certification path to requested target

    最近在写java的一个服务,需要给远程服务器发送post请求,认证方式为Basic Authentication,在请求过程中出现了 PKIX path building failed: sun.se ...

  5. 抓取https网页时,报错sun.security.validator.ValidatorException: PKIX path building failed 解决办法

    抓取https网页时,报错sun.security.validator.ValidatorException: PKIX path building failed 解决办法 原因是https证书问题, ...

  6. 解决CAS单点登录出现PKIX path building failed的问题

    在一次调试中,出现了这个错误: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderExceptio ...

  7. 解决 sun.security.validator.ValidatorException: PKIX path building failed

    今天用java HttpClients写爬虫在访问某Https站点报如下错误: sun.security.validator.ValidatorException: PKIX path buildin ...

  8. jsoup访问页面: PKIX path building failed

    在用jsoup访问页面时报错javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX p ...

  9. 异常信息:javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed

    上周五遇到一个问题,工程本地编译运行正常,打包本地tomcat运行也正常.部署到测试环境报错: 2017-05-05 09:38:11.645 ERROR [HttpPoolClientsUtil.j ...

随机推荐

  1. 【java工具类】下载文件

    FileUtil.java /** * 下载文件 * @param file; * @param response */ public static void downloadFile(File fi ...

  2. NOIP游(GUNCU)记

    小学奥数不会做 状压DP打不出 一脸懵逼 本来抱着一个拿省一的心态去考的,结果DAY1刚开始就爆炸了. T1居然想了半个小时多没思路,然后打了个表,可能是应为太紧张了吧,居然打了表之后还没有看出规律来 ...

  3. 记一次创建svc代理失败

    在看尚硅谷的k8s视频中,学到ingress代理的时候,由于之前按照视频安装了V1.15.1,后面环境又出了问题,重新安装了 16.1的,为这次失败埋下了伏笔. 教案中的yaml apiVersion ...

  4. (62)通信协议之一protobuf

     Protobuf协议特点分析 KingKa.吴永聪 1.protobuf是什么? protobuf(Google Protocol Buffers)是Google提供的一个具有高效的协议数据交换格式 ...

  5. 关于MySQL 中 EXISTS 的用法

    在MySQL中 EXISTS 和 IN 的用法有什么关系和区别呢? 假定数据库中有两个表 分别为 表 a 和表 b create table a ( a_id int, a_name varchar( ...

  6. Centos7系统备份与恢复教程

    原文地址:https://www.cnblogs.com/fang888/p/8473485.html Centos系统备份与恢复教程 tar: 特点 1.保留权限 2.适合备份整个目录 3.可以选择 ...

  7. Mysql 数据库锁表的原因和解决方法

    摘自: https://www.csdn.net/gather_2f/MtTaIgxsMTM5NC1ibG9n.html 锁表的原因:当多个连接(数据库连接)同时对一个表的数据进行更新操作,那么速度将 ...

  8. Mysql基本管理知识

    数据库的启动 [root@node80 ~]# /etc/init.d/mysqld start #mysqld是从安装包拷贝的mysql.server Starting MySQL. SUCCESS ...

  9. npm link的作用

    语法: 1. 在一个包目录下npm link (把当前的包目录软连接到global folder里面,把二进制文件也软连接到global的bin里面  这个prefix可以用npm config ls ...

  10. SELECT-OPTIONS对象

    1. SELECT-OPTIONS基本语法及定义 SELECT-OPTIONS通常用于参照一数据库字为建立数据输入域,其定义对象命名长度不能超过8位,其产生的屏幕对象最大输入长度为18位,语法如下: ...