【问题标题】:JDK8 -> JDK10: PKIX path building failed: SunCertPathBuilderException: unable to find valid certification path to requested targetJDK8 -> JDK10:PKIX 路径构建失败:SunCertPathBuilderException:无法找到请求目标的有效认证路径
【发布时间】:2019-04-14 05:50:43
【问题描述】:

问题

  • 我有一个 SpringBoot 应用程序,它使用了一个名为 Launchdarkly 的应用程序,它使用了 okhttp
  • 我正在从 JRE 8 迁移到 JRE 10,对其他资源的调用正常,但使用 okhttp 进行的调用失败

编辑:任何具有类似于我们应用所用证书链的应用都可能发生这种情况。

javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

异常

错误发生在线程中...

config-server_1  | 2018-11-10T21:25:19,147 67327 | DEBUG | okhttp-eventsource-[] ["okhttp-eventsource-stream-[]-0" {}] Connection problem.
config-server_1  | javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
config-server_1  |  at sun.security.ssl.Alerts.getSSLException(Alerts.java:198) ~[?:?]
config-server_1  |  at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1974) ~[?:?]
config-server_1  |  at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:345) ~[?:?]
config-server_1  |  at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:339) ~[?:?]
config-server_1  |  at sun.security.ssl.ClientHandshaker.checkServerCerts(ClientHandshaker.java:1968) ~[?:?]
config-server_1  |  at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1777) ~[?:?]
config-server_1  |  at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:264) ~[?:?]
config-server_1  |  at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1098) ~[?:?]
config-server_1  |  at sun.security.ssl.Handshaker.processRecord(Handshaker.java:1026) ~[?:?]
config-server_1  |  at sun.security.ssl.SSLSocketImpl.processInputRecord(SSLSocketImpl.java:1137) ~[?:?]
config-server_1  |  at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1074) ~[?:?]
config-server_1  |  at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:973) ~[?:?]
config-server_1  |  at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1402) ~[?:?]
config-server_1  |  at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1429) ~[?:?]
config-server_1  |  at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1413) ~[?:?]
config-server_1  |  at com.launchdarkly.shaded.okhttp3.internal.connection.RealConnection.connectTls(RealConnection.java:281) ~[launchdarkly-client-2.3.2.jar!/:2.3.2]
config-server_1  |  at com.launchdarkly.shaded.okhttp3.internal.connection.RealConnection.establishProtocol(RealConnection.java:251) ~[launchdarkly-client-2.3.2.jar!/:2.3.2]
config-server_1  |  at com.launchdarkly.shaded.okhttp3.internal.connection.RealConnection.connect(RealConnection.java:151) ~[launchdarkly-client-2.3.2.jar!/:2.3.2]
config-server_1  |  at com.launchdarkly.shaded.okhttp3.internal.connection.StreamAllocation.findConnection(StreamAllocation.java:195) ~[launchdarkly-client-2.3.2.jar!/:2.3.2]
config-server_1  |  at com.launchdarkly.shaded.okhttp3.internal.connection.StreamAllocation.findHealthyConnection(StreamAllocation.java:121) ~[launchdarkly-client-2.3.2.jar!/:2.3.2]

设置

Java 10 版本详情

使用上述方法安装

root@e0776fd790e7:/runtime# ls -la /etc/ssl/certs/java/cacerts
-rw-r--r-- 1 root root 177280 Oct 29 16:29 /etc/ssl/certs/java/cacerts
root@e0776fd790e7:/runtime# java -version
openjdk version "10" 2018-03-20
OpenJDK Runtime Environment 18.3 (build 10+46)
OpenJDK 64-Bit Server VM 18.3 (build 10+46, mixed mode)

密钥库已设置

java 10 keystore 可以看到

root@17000659d1ec:/runtime# keytool -cacerts -list
Enter keystore password:
Keystore type: JKS
Keystore provider: SUN

Your keystore contains 80 entries

https://dzone.com/articles/openjdk-10-now-includes-root-ca-certificates所述

尝试

编辑:查看我的答案

【问题讨论】:

  • 我会避免使用 Java 10,因为它使用 eol。 Java 11 的迁移难度也不应该太大。
  • @PeterLawrey 是的,绝对是......在我们走向它的同时保持这个记录......!

标签: java ssl ssl-certificate okhttp


【解决方案1】:

从 JDK 8 迁移到 JDK 10 时的解决方案

JDK 10

root@c339504909345:/opt/jdk-minimal/jre/lib/security #  keytool -cacerts -list
Enter keystore password:
Keystore type: JKS
Keystore provider: SUN

Your keystore contains 80 entries

JDK 8

root@c39596768075:/usr/lib/jvm/java-8-openjdk-amd64/jre/lib/security/cacerts #  keytool -cacerts -list
Enter keystore password:
Keystore type: JKS
Keystore provider: SUN

Your keystore contains 151 entries

修复步骤

我还没有检查哪个证书链不受信任,但服务器的 URL 证书是有效的...... JDK 10 中的 cacerts 有一个从今天开始损坏的链。我可以断言,因为来自https://download.java.net/java/GA/jdk10/10/binaries/openjdk-10_linux-x64_bin.tar.gz 的下载被安装在一个全新的 Docker 映像中。

  • 我删除了 JDK 10 证书并将其替换为 JDK 8
  • 由于我正在构建 Docker 映像,因此我可以使用多阶段构建快速完成此操作
    • 我正在使用jlink 作为/opt/jdk/bin/jlink \ --module-path /opt/jdk/jmods... 构建一个最小的JRE

所以,这里是不同的路径和命令的顺序...

# Java 8
COPY --from=marcellodesales-springboot-builder-jdk8 /usr/lib/jvm/java-8-openjdk-amd64/jre/lib/security/cacerts /etc/ssl/certs/java/cacerts

# Java 10
RUN rm -f /opt/jdk-minimal/jre/lib/security/cacerts
RUN ln -s /etc/ssl/certs/java/cacerts /opt/jdk-minimal/jre/lib/security/cacerts

【讨论】:

    猜你喜欢
    • 2020-03-25
    • 2021-04-14
    • 1970-01-01
    • 2011-05-03
    • 2020-11-25
    • 2020-11-24
    • 1970-01-01
    • 2013-02-03
    相关资源
    最近更新 更多