解决SSLHandshakeException后的Java SSLPeerUnverifiedException
我知道这是一个非常常见的问题,但我在我的案例中描述了上下文。我编写了两个SpringBoot2应用程序,并为它们启用了SSL 应用程序1(客户端) 应用程序2(服务器) 然后我将服务器和之前使用keytool生成的证书添加到我的cacerts文件中解决SSLHandshakeException后的Java SSLPeerUnverifiedException,java,spring-boot,ssl,Java,Spring Boot,Ssl,我知道这是一个非常常见的问题,但我在我的案例中描述了上下文。我编写了两个SpringBoot2应用程序,并为它们启用了SSL 应用程序1(客户端) 应用程序2(服务器) 然后我将服务器和之前使用keytool生成的证书添加到我的cacerts文件中 keytool -importcert -file "/location/to/certificate/sb2-certificate.crt" -alias sb2-tomcat -keystore "..\Java\jdk1.8.0_144\jr
keytool -importcert -file "/location/to/certificate/sb2-certificate.crt" -alias sb2-tomcat -keystore "..\Java\jdk1.8.0_144\jre\lib\security\cacerts"
在将证书添加到cacerts之前,我收到了错误SSLHandshakeException,然后是SSLPeerUnverifiedException:
的证书与任何主题备选名称不匹配:[]
我将VM调试SSL验证添加到应用程序:
***
Found trusted certificate:
[
[
Version: V3
Subject: CN=sb2 localhost, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown
Signature Algorithm: SHA256withRSA, OID = 1.2.840.113549.1.1.11
Key: Sun RSA public key, 2048 bits
modulus: 19498524521301636375327327139235173526668786372574406255907014987664589119007638945302942180083083468997649347515867541667611070267889924617455941875034864650882365195859818334626078471052990327324008622169936539527600386062109638418865197602800058208022394134272787963653612703516681008660079675388888751349158494609089577725407479205584351969790650358305405827665951625886311271743251834381456253493048705893397141460667986714587381315951028909854600446234964732273252958312484308184937316978935692640456235515324828950495838104784778023273184639045008690240699649911570081674849785949521722117188840210828574141181
public exponent: 65537
Validity: [From: Thu Jul 19 14:33:31 CEST 2018,
To: Sun Jul 16 14:33:31 CEST 2028]
Issuer: CN=sb2 localhost, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown
SerialNumber: [ 52083aa1]
Certificate Extensions: 1
[1]: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: EB 73 69 B0 29 5A CA F7 4A 85 F4 64 AD 15 90 B4 .si.)Z..J..d....
0010: 92 88 0E 02 ....
]
]
我在谷歌上搜索了一整天,但我没有得到我所缺少的东西。我需要添加一些步骤吗
在使用密钥库资源管理器查看cacerts时,我看到所有条目名称都有
[jdk]
,但没有我的证书sb2 tomcat。您的证书有CN(CommonName)“sb2 localhost”
,但URL中请求的主机名是“localhost”
,不匹配。将您的证书更改为具有名称“localhost”
——在CN中,或者更好地在SubjectAlternativeNames扩展名aka SAN中,正如错误消息所示,Java更喜欢该扩展名。或者将您的URL更改为'sb2 localhost“
,这将很难,因为名称解析通常不允许空间。PS:如果服务器不要求客户端身份验证,则不需要客户端密钥库,因此如果您想实际使用客户端密钥库集server.ssl.client auth
是的,这就是问题所在。我更改了它并成功了。
keytool -importcert -file "/location/to/certificate/sb2-certificate.crt" -alias sb2-tomcat -keystore "..\Java\jdk1.8.0_144\jre\lib\security\cacerts"
***
Found trusted certificate:
[
[
Version: V3
Subject: CN=sb2 localhost, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown
Signature Algorithm: SHA256withRSA, OID = 1.2.840.113549.1.1.11
Key: Sun RSA public key, 2048 bits
modulus: 19498524521301636375327327139235173526668786372574406255907014987664589119007638945302942180083083468997649347515867541667611070267889924617455941875034864650882365195859818334626078471052990327324008622169936539527600386062109638418865197602800058208022394134272787963653612703516681008660079675388888751349158494609089577725407479205584351969790650358305405827665951625886311271743251834381456253493048705893397141460667986714587381315951028909854600446234964732273252958312484308184937316978935692640456235515324828950495838104784778023273184639045008690240699649911570081674849785949521722117188840210828574141181
public exponent: 65537
Validity: [From: Thu Jul 19 14:33:31 CEST 2018,
To: Sun Jul 16 14:33:31 CEST 2028]
Issuer: CN=sb2 localhost, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown
SerialNumber: [ 52083aa1]
Certificate Extensions: 1
[1]: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: EB 73 69 B0 29 5A CA F7 4A 85 F4 64 AD 15 90 B4 .si.)Z..J..d....
0010: 92 88 0E 02 ....
]
]