Java PKIX路径验证失败:路径未使用代理与任何信任锚链接
已经提出了这个问题,但答案是设置allow all TrustManager,或者导入CA证书,或者没有答案 这是我的环境:Java PKIX路径验证失败:路径未使用代理与任何信任锚链接,java,ssl,https,proxy,Java,Ssl,Https,Proxy,已经提出了这个问题,但答案是设置allow all TrustManager,或者导入CA证书,或者没有答案 这是我的环境: PC | Enterprise Proxy which intercepts HTTPS traffic and uses self-signed certificate | Internet 我的测试程序是: public class Main { public static void main (String[] args) throws Exceptio
PC
|
Enterprise Proxy which intercepts HTTPS traffic and uses self-signed certificate
|
Internet
我的测试程序是:
public class Main {
public static void main (String[] args) throws Exception {
if (args.length < 1) {
System.err.println("First argument must be an URL");
return;
}
System.out.println("Testing: " + args[0]); connection = (HttpURLConnection) new URL(args[0]).openConnection();
System.out.println("Response code: " + connection.getResponseCode());
}
}
所以我用Chrome去了https://www.google.com
,按F12打开安全性查看证书
:
因此,据我所知,企业代理为www.google.ch
颁发了证书,因此需要信任。因此,我显示根证书(proxywg
),并将其导出到名为proxywg.cer
的文件中,作为Base-64-encoded X.509(.cer)
:
然后,我将把它导入我的JRE的cacerts
:
keytool -import -alias proxywg -keystore D:\development\programs\java\jdk1.8.0_112\jre\lib\security\cacerts -file E:\proxywg.cer -storepass changeit
我的程序的下一次测试给出:
java.security.cert.CertPathValidatorException: Path does not chain with any of the trust anchors
因此,现在是另一个错误,告诉我我已将证书导入正确的cacerts
文件。但是为什么它不起作用呢?使用-Djavax.net.debug=ssl启动提供了以下信息(我选择了我认为相关的部分):
为什么证书路径“不与任何信任锚链接”?我错过什么了吗
最后,我试图让Gradle能够访问互联网。我跟随你的帖子解决了完全相同的问题;Java不喜欢我们的企业代理向我访问的internet站点颁发的自签名证书
除了一件事之外,我做的每件事几乎都和你一样。
除了您也指定的所有其他参数外,我还为keytool命令指定了-trustcacerts选项
希望有帮助。可能是proxywg
正在为google.ch
动态生成证书,当您指向从浏览器恢复的JVM时,情况就不同了。尝试在cacerts中导入proxywg
的根证书,而不是最终证书。这意味着您信任代理是的,代理就是这样做的。据我所知,proxywg
没有根证书,但它是根证书,也是我导入的根证书(请参阅:“因此,我显示根证书(proxywg)并将其导出到名为proxywg.cer
)的文件中)。这就是我希望它成为“信任锚”的原因“.读得太快了,我以为你导入了最终证书。可能是浏览器未显示的缺少的中间层?读取。proxywg
的CA证书是否具有适当的密钥用法?它应该包含certSign
和basicConstraints{CA=True这与我无关,但你的解决方案听起来是正确的:)没有测试,我会接受这个答案。也许有人可以确认。
java.security.cert.CertPathValidatorException: Path does not chain with any of the trust anchors
adding as trusted cert:
Subject: CN=proxywg, OU=..., O=..., L=..., ST=..., C=...
Issuer: CN=proxywg, OU=..., O=..., L=..., ST=..., C=...
Algorithm: RSA; Serial number: 0x1
Valid from Thu Jan 29 10:00:00 CET 2015 until Sat Jan 29 11:00:00 CET 2028
*** Certificate chain
chain [0] = [
[
Version: V3
Subject: CN=www.google.com, O=Google Inc, L=Mountain View, ST=California, C=US
Signature Algorithm: SHA256withRSA, OID = 1.2.840.113549.1.1.11
Key: Sun RSA public key, 2048 bits
modulus: ...
public exponent: 65537
Validity: [From: Fri Jul 21 09:12:49 CEST 2017,
To: Sat Jul 21 09:12:49 CEST 2018]
Issuer: CN=proxywg, OU=..., O=..., L=..., ST=..., C=...
SerialNumber: [ b87ea686 bf2723dc b9044d34 b2ae1a28 a4c187bb]
Certificate Extensions: 6
[1]: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
[CN=proxywg, OU=..., O=..., L=..., ST=..., C=...]
SerialNumber: [ 00]
]
[2]: ObjectId: 2.5.29.19 Criticality=false
BasicConstraints:[
CA:false
PathLen: undefined
]
[3]: ObjectId: 2.5.29.37 Criticality=false
ExtendedKeyUsages [
serverAuth
]
[4]: ObjectId: 2.5.29.15 Criticality=false
KeyUsage [
DigitalSignature
Key_Encipherment
]
[5]: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
DNSName: www.google.com
]
[6]: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 33 3A FE FD 3E 79 7A 67 2E 44 0F F1 DB DF EC FB 3:..>yzg.D......
0010: FB C4 7E 08 ....
]
]
]
Algorithm: [SHA256withRSA]
Signature:
0000: 3D 91 E5 EC B5 94 66 07 47 EC BC 74 48 C9 A1 8E =.....f.G..tH...
0010: 34 EB AE 8D 71 F1 9A F6 AE 6E 69 B8 77 FF 71 60 4...q....ni.w.q`
0020: 8B 97 73 25 14 72 8A FA 21 A7 77 C7 74 28 77 FA ..s%.r..!.w.t(w.
0030: C4 9A 96 B5 ED DA 96 4B 09 20 E7 A8 8D 6E 9A 1A .......K. ...n..
0040: 37 A6 2B AB A3 AE 9F 94 59 10 95 4C 0A 7B BB D8 7.+.....Y..L....
0050: 49 6D 72 1D B2 DA CD 97 4E 4F 28 22 24 7B 71 D5 Imr.....NO("$.q.
0060: 3E B7 92 6E D2 18 9B 29 4D 30 13 87 13 FE E3 15 >..n...)M0......
0070: D9 7F 25 33 D0 57 A3 AD 93 66 43 50 0B 95 F4 6B ..%3.W...fCP...k
0080: FB 54 0C 43 A9 76 05 1E 04 48 71 70 BA 38 29 EA .T.C.v...Hqp.8).
0090: D7 AF 46 09 18 FA DC D0 3A D1 3E C4 66 E2 DA 4F ..F.....:.>.f..O
00A0: 9B 52 DA 2C 17 06 A2 68 AD DE B9 E7 F3 15 6E 17 .R.,...h......n.
00B0: F4 C8 CE 94 EB 16 4C 18 A0 35 0C DE 62 6F 43 99 ......L..5..boC.
00C0: 53 B8 B6 23 9C 31 69 81 DC 20 91 1D A4 CE D0 8D S..#.1i.. ......
00D0: BA 85 B5 02 D4 B7 CA AE 58 C4 BB 8D 7B BA 52 9F ........X.....R.
00E0: 4E 35 59 ED 23 7A 35 02 61 C7 49 F6 2C 0F 4F A0 N5Y.#z5.a.I.,.O.
00F0: C3 26 9A D3 79 5B A4 25 86 5A 25 44 88 B2 C0 01 .&..y[.%.Z%D....
]
***
%% Invalidated: [Session-1, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256]
main, SEND TLSv1.2 ALERT: fatal, description = certificate_unknown
main, WRITE: TLSv1.2 Alert, length = 2
main, called closeSocket()
main, handling exception: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: Path does not chain with any of the trust anchors