搜索
搜索

JDK8-> JDK10:PKIX路径构建失败:SunCertPathBuilderException:无法找到到请求目标的有效证书路径

Marcello de Sales 发表于 Java
118
Marcello de Sales:

问题

  • 我有一个使用名为的应用程序的SpringBoot应用程序Launchdarkly,该应用程序利用了okhttp
  • 我正在从JRE 8迁移到JRE 10,可以调用其他资源,但是使用进行的调用失败 okhttp

编辑:任何具有类似于我们的应用程序使用的证书链的应用程序都可能发生这种情况。

javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

例外

错误发生在线程中... 

config-server_1  | 2018-11-10T21:25:19,147 67327 | DEBUG | okhttp-eventsource-[] ["okhttp-eventsource-stream-[]-0" {}] Connection problem.
config-server_1  | javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
config-server_1  |  at sun.security.ssl.Alerts.getSSLException(Alerts.java:198) ~[?:?]
config-server_1  |  at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1974) ~[?:?]
config-server_1  |  at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:345) ~[?:?]
config-server_1  |  at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:339) ~[?:?]
config-server_1  |  at sun.security.ssl.ClientHandshaker.checkServerCerts(ClientHandshaker.java:1968) ~[?:?]
config-server_1  |  at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1777) ~[?:?]
config-server_1  |  at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:264) ~[?:?]
config-server_1  |  at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1098) ~[?:?]
config-server_1  |  at sun.security.ssl.Handshaker.processRecord(Handshaker.java:1026) ~[?:?]
config-server_1  |  at sun.security.ssl.SSLSocketImpl.processInputRecord(SSLSocketImpl.java:1137) ~[?:?]
config-server_1  |  at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1074) ~[?:?]
config-server_1  |  at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:973) ~[?:?]
config-server_1  |  at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1402) ~[?:?]
config-server_1  |  at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1429) ~[?:?]
config-server_1  |  at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1413) ~[?:?]
config-server_1  |  at com.launchdarkly.shaded.okhttp3.internal.connection.RealConnection.connectTls(RealConnection.java:281) ~[launchdarkly-client-2.3.2.jar!/:2.3.2]
config-server_1  |  at com.launchdarkly.shaded.okhttp3.internal.connection.RealConnection.establishProtocol(RealConnection.java:251) ~[launchdarkly-client-2.3.2.jar!/:2.3.2]
config-server_1  |  at com.launchdarkly.shaded.okhttp3.internal.connection.RealConnection.connect(RealConnection.java:151) ~[launchdarkly-client-2.3.2.jar!/:2.3.2]
config-server_1  |  at com.launchdarkly.shaded.okhttp3.internal.connection.StreamAllocation.findConnection(StreamAllocation.java:195) ~[launchdarkly-client-2.3.2.jar!/:2.3.2]
config-server_1  |  at com.launchdarkly.shaded.okhttp3.internal.connection.StreamAllocation.findHealthyConnection(StreamAllocation.java:121) ~[launchdarkly-client-2.3.2.jar!/:2.3.2]

建立

Java 10版本详细信息

使用上面的方法安装

root@e0776fd790e7:/runtime# ls -la /etc/ssl/certs/java/cacerts
-rw-r--r-- 1 root root 177280 Oct 29 16:29 /etc/ssl/certs/java/cacerts
root@e0776fd790e7:/runtime# java -version
openjdk version "10" 2018-03-20
OpenJDK Runtime Environment 18.3 (build 10+46)
OpenJDK 64-Bit Server VM 18.3 (build 10+46, mixed mode)

密钥库已设置

Java 10密钥库可以看到它

root@17000659d1ec:/runtime# keytool -cacerts -list
Enter keystore password:
Keystore type: JKS
Keystore provider: SUN

Your keystore contains 80 entries

https://dzone.com/articles/openjdk-10-now-includes-root-ca-certificates所述

尝试次数

编辑:看到我的答案

Marcello de Sales:

从JDK 8迁移到JDK 10时的解决方案

JDK 10

root@c339504909345:/opt/jdk-minimal/jre/lib/security #  keytool -cacerts -list
Enter keystore password:
Keystore type: JKS
Keystore provider: SUN

Your keystore contains 80 entries

JDK 8

root@c39596768075:/usr/lib/jvm/java-8-openjdk-amd64/jre/lib/security/cacerts #  keytool -cacerts -list
Enter keystore password:
Keystore type: JKS
Keystore provider: SUN

Your keystore contains 151 entries

解决步骤

我尚未检查哪个证书链不受信任,但是服务器的URL证书有效... cacerts从JDK 10开始,该链截至今天为止已断开。我可以断言,因为从https://download.java.net/java/GA/jdk10/10/binaries/openjdk-10_linux-x64_bin.tar.gz进行的下载已安装在全新的Docker Image中。

  • 我删除了JDK 10证书,并将其替换为JDK 8
  • 由于我正在构建Docker映像,因此可以使用多阶段构建来快速完成此操作
    • 我使用的是建立一个最小的JRE jlink/opt/jdk/bin/jlink \ --module-path /opt/jdk/jmods...

因此,这是命令的不同路径和顺序...

# Java 8
COPY --from=marcellodesales-springboot-builder-jdk8 /usr/lib/jvm/java-8-openjdk-amd64/jre/lib/security/cacerts /etc/ssl/certs/java/cacerts

# Java 10
RUN rm -f /opt/jdk-minimal/jre/lib/security/cacerts
RUN ln -s /etc/ssl/certs/java/cacerts /opt/jdk-minimal/jre/lib/security/cacerts

本文收集自互联网,转载请注明来源。

如有侵权,请联系 [email protected] 删除。

编辑于
0

我来说两句

0 条评论
登录 后参与评论

相关文章

TOP 榜单

  1. 1

    Linux的官方Adobe Flash存储库是否已过时?

  2. 2

    如何使用HttpClient的在使用SSL证书,无论多么“糟糕”是

  3. 3

    错误:“ javac”未被识别为内部或外部命令,

  4. 4

    在 Python 2.7 中。如何从文件中读取特定文本并分配给变量

  5. 5

    Modbus Python施耐德PM5300

  6. 6

    为什么Object.hashCode()不遵循Java代码约定

  7. 7

    如何检查字符串输入的格式

  8. 8

    检查嵌套列表中的长度是否相同

  9. 9

    错误TS2365:运算符'!=='无法应用于类型'“(”'和'“)”'

  10. 10

    如何自动选择正确的键盘布局?-仅具有一个键盘布局

  11. 11

    如何正确比较 scala.xml 节点?

  12. 12

    在令牌内联程序集错误之前预期为 ')'

  13. 13

    如何在JavaScript中获取数组的第n个元素?

  14. 14

    如何将sklearn.naive_bayes与(多个)分类功能一起使用?

  15. 15

    ValueError:尝试同时迭代两个列表时,解包的值太多(预期为 2)

  16. 16

    如何监视应用程序而不是单个进程的CPU使用率?

  17. 17

    解决类Koin的实例时出错

  18. 18

    ES5的代理替代

  19. 19

    有什么解决方案可以将android设备用作Cast Receiver?

  20. 20

    VBA 自动化错误:-2147221080 (800401a8)

  21. 21

    套接字无法检测到断开连接

热门标签

归档