“无法找到请求目标的有效认证路径"，但浏览器说没问题

quot;unable to find valid certification path to requested targetquot;, but browser says it#39;s OK(“无法找到请求目标的有效认证路径，但浏览器说没问题)

问题描述

我正在开发一个 Java 应用程序，它连接到 https://ut.eurodw.eu/<上公开的 SOAP 服务/a>(欧洲数据仓库的测试环境).我正在使用我的开发机器，最近使用 Windows 8.1 重新格式化.今天，我尝试从我的程序中通过 SOAP 向他们发送创建请求并收到此错误:

I'm developing a Java application that connects to SOAP services exposed at https://ut.eurodw.eu/ (test environment for European Datawarehouse). I'm working on my development machine, recently reformatted with Windows 8.1. Today, I tried to send them a creation request via SOAP from my program and got this error:

Caused by: javax.xml.ws.WebServiceException: Could not send Message.
    at org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProxy.java:146)
    at com.sun.proxy.$Proxy110.createDeal(Unknown Source)
    at it.csttech.edwin.services.spring.EdwinServiceImpl.createDeal(EdwinServiceImpl.java:102)
    at it.csttech.edwin.consumercredit.data.managers.spring.DealManagerImpl.createEdCode(DealManagerImpl.java:319)
    ... 77 more
Caused by: javax.net.ssl.SSLHandshakeException: SSLHandshakeException invoking https://ut.eurodw.eu/edservices/2.2/DealService.svc: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
    at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:57)
    at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
    at java.lang.reflect.Constructor.newInstance(Constructor.java:526)
    at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.mapException(HTTPConduit.java:1339)
    at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.close(HTTPConduit.java:1323)
    at org.apache.cxf.transport.AbstractConduit.close(AbstractConduit.java:56)
    at org.apache.cxf.transport.http.HTTPConduit.close(HTTPConduit.java:628)
    at org.apache.cxf.interceptor.MessageSenderInterceptor$MessageSenderEndingInterceptor.handleMessage(MessageSenderInterceptor.java:62)
    at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:272)
    at org.apache.cxf.endpoint.ClientImpl.doInvoke(ClientImpl.java:565)
    at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:474)
    at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:377)
    at org.apache.cxf.endpoint.ClientImpl.invoke(ClientImpl.java:330)
    at org.apache.cxf.frontend.ClientProxy.invokeSync(ClientProxy.java:96)
    at org.apache.cxf.jaxws.JaxWsClientProxy.invoke(JaxWsClientProxy.java:135)
    ... 80 more
Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
    at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1884)
    at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:276)
    at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:270)
    at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1341)
    at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:153)
    at sun.security.ssl.Handshaker.processLoop(Handshaker.java:868)
    at sun.security.ssl.Handshaker.process_record(Handshaker.java:804)
    at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1016)
    at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1312)
    at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1339)
    at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1323)
    at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:563)
    at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185)
    at sun.net.www.protocol.http.HttpURLConnection.getOutputStream(HttpURLConnection.java:1091)
    at sun.net.www.protocol.https.HttpsURLConnectionImpl.getOutputStream(HttpsURLConnectionImpl.java:250)
    at org.apache.cxf.transport.http.URLConnectionHTTPConduit$URLConnectionWrappedOutputStream.setupWrappedStream(URLConnectionHTTPConduit.java:174)
    at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.handleHeadersTrustCaching(HTTPConduit.java:1283)
    at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.onFirstWrite(HTTPConduit.java:1239)
    at org.apache.cxf.transport.http.URLConnectionHTTPConduit$URLConnectionWrappedOutputStream.onFirstWrite(URLConnectionHTTPConduit.java:201)
    at org.apache.cxf.io.AbstractWrappedOutputStream.write(AbstractWrappedOutputStream.java:47)
    at org.apache.cxf.io.AbstractThresholdOutputStream.write(AbstractThresholdOutputStream.java:69)
    at org.apache.cxf.transport.http.HTTPConduit$WrappedOutputStream.close(HTTPConduit.java:1296)
    ... 90 more
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:385)
    at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:292)
    at sun.security.validator.Validator.validate(Validator.java:260)
    at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:326)
    at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:231)
    at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:126)
    at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1323)
    ... 108 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:196)
    at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:268)
    at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:380)
    ... 114 more

点击我上面的链接可以看到，这不是自签名证书，而是由 GoDaddy 公共 CA 发布，我的 Firefox 浏览器可以识别.我的 Java 版本是 1.7.0_60-b19.修改代码以允许不安全的 SSL 连接将是一个坏主意.

As you can see by clicking my above link, that's no self-signed certificate, but released by GoDaddy public CA, recognized by my Firefox browser. My Java version is 1.7.0_60-b19. It will be a bad idea to modify the code in order to allow insecure SSL connections.

我想确保 eurodw 的证书在信任库中.我该如何检查?以及如何导入新证书?

I'd like instead to ensure that eurodw's certificate is in the trust store. How do I check that? And how do I possibly import a new certificate?

PS 我目前无法在部署最终应用程序的服务器上进行测试:我只能使用我自己的 Tomcat 安装.

PS I cannot currently test on the server where the final application is deployed: I can only use my own Tomcat installation.

推荐答案

不同的证书可以在以下keystore中找到:

The different certificates can be found in the following keystore :

%JAVA_HOME%/jre/lib/security/cacerts

%JAVA_HOME%/jre/lib/security/cacerts

如果您想列出受信任的证书:

If you want to list the trusted certificates :

keytool -list -keystore %JAVA_HOME%/jre/lib/security/cacerts

密码是可选的.

如果要添加条目:

首先，导出要导入的证书，假设它是 c:cert.crt.最好的方法是使用firefox，右键点击URL中的锁图，点击几下，就有了导出功能.

First, export the certificate to import, let's say it will be c:cert.crt. The best way to do it is using firefox, right-click on the lock picture in the URL, and after a few clicks, you have an export feature.

然后输入:

keytool -import -alias my-cert -file c:cert.crt -keystore %JAVA_HOME%/jre/lib/security/cacerts

默认密码为:changeit

别名是用户定义的标签，明智地选择它，记住如果有一天你需要它，它是什么.

The alias is a user-defined label, choose it wisely, to remember if you need it one day, what it was.

有了这一切，您应该能够信任证书并让一切恢复正常.

With all this, you should be able to trust the certificate and have everything working again.

这篇关于“无法找到请求目标的有效认证路径"，但浏览器说没问题的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持编程学习网！