SSLPeerUnverifiedException:peer未经过身份验证
再一次,SSLPeerUnverified的沉闷问题,但我没有使用自签名证书。
我尝试使用https连接到主机。该主机具有正确的证书,Firefox和HttpsUrlConnection都没有任何问题。
但是尝试使用HttpClient进行连接时,我得到了可怕的异常。
Yet again, the dreary Problem of SSLPeerUnverified, but I'm not using self signed certificates. I try to connect to a host using https. This host has a correct certificate, neither Firefox nor HttpsUrlConnection has any problems with it. However trying to connect using HttpClient, I get the dreaded exception.
任何线索?或者提示哪里看得更近?
Any clues? Or tip where to look closer?
谢谢!
编辑:调试输出
main,处理异常:
main, handling exception:
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed:
sun.security.provider.certpath.SunCertPathBuilderException:
unable to find valid certification path to requested target
主要,getSession()中的IOException:
main, IOException in getSession():
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException:
PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException:
unable to find valid certification path to requested target
您似乎需要将证书导入JVM正在使用的可信密钥库中。如果您在应用程序中没有使用不同的可信密钥库,那么这将是cacerts。
It seems that you need to import the certificate into the trusted keystore your JVM is using. If you are not using a different trusted keystore in your application this will be "cacerts".
您可以按照如何修复'SSLPeerUnverifiedException:peer not authenticated'Groovy / Java中的异常。
短版本:
-
运行使用以下命令替换
$ ADDRESS
,减去https://:
Run the following command, replace
$ADDRESS
with the URL, minus the "https://":
echo -n | openssl s_client -connect $ADDRESS:443 | \
sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > /tmp/$ADDRESS.cert
运行以下命令,替换 $ ALIAS
密钥的短名称, $ ADDRESS
,上面带有证书名称, $ PATH
在您的JRE中包含cacerts的路径。
Run the following command, replace $ALIAS
a short name for the key, $ADDRESS
with the cert name from above, $PATH
with the path to cacerts in your JRE.
sudo keytool -importcert -alias "$ALIAS" -file /tmp/$ADDRESS.cert \
-keystore $PATH/cacerts -storepass changeit