
Today I found that a program which had been running fine started throwing an error:

javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
   at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:174)
   at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1747)
   at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:241)
   at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:235)
   at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1209)
   at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:135)
   at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Handshaker.java:593)
   at com.sun.net.ssl.internal.ssl.Handshaker.process_record(Handshaker.java:529)
   at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:943)
   at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1188)
   at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1215)
   at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1199)
   at org.apache.http.conn.ssl.SSLConnectionSocketFactory.createLayeredSocket(SSLConnectionSocketFactory.java:275)
   at org.apache.http.conn.ssl.SSLConnectionSocketFactory.connectSocket(SSLConnectionSocketFactory.java:254)
   at org.apache.http.impl.conn.HttpClientConnectionOperator.connect(HttpClientConnectionOperator.java:123)
   at org.apache.http.impl.conn.PoolingHttpClientConnectionManager.connect(PoolingHttpClientConnectionManager.java:318)
   at org.apache.http.impl.execchain.MainClientExec.establishRoute(MainClientExec.java:363)
   at org.apache.http.impl.execchain.MainClientExec.execute(MainClientExec.java:219)
   at org.apache.http.impl.execchain.ProtocolExec.execute(ProtocolExec.java:195)
   at org.apache.http.impl.execchain.RetryExec.execute(RetryExec.java:86)
   at org.apache.http.impl.execchain.RedirectExec.execute(RedirectExec.java:108)
   at org.apache.http.impl.client.InternalHttpClient.doExecute(InternalHttpClient.java:184)
   at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:82)
   at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:106)
   at org.test.myProgram.run(myProgram.java:127)
   at org.test.myProgram.main(myProgram.java:49)
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
   at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:323)
   at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:217)
   at sun.security.validator.Validator.validate(Validator.java:218)
   at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:126)
   at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:209)
   at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:249)
   at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1188)
   ... 21 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
   at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:174)
   at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:238)
   at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:318)
   ... 27 more
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

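The program uses Java to fetch data from a website over HTTPS. Thinking it over, the only thing that changed is that we recently bought a new certificate from 台網. Posts online say the error occurs because the certificate is not trusted, but after looking around we could not see anything about the certificate that could be configured on the Apache side. Some articles say you can import the certificate into the keystore through configuration; others say to adjust the program's settings so that it trusts the certificate.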

I tried changing the program, replacing this original line:

CloseableHttpClient httpclient = HttpClients.createDefault(); 

with this:

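// connectionFactory and cookieStore are created elsewhere in the program (not shown in this post).
CloseableHttpClient httpclient = HttpClients.custom()
            .setSSLSocketFactory(connectionFactory)
            .setDefaultCookieStore(cookieStore)
            .build();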

 

After the change a new problem appeared. The error message was:

Caused by: javax.net.ssl.SSLException: java.lang.RuntimeException: Could not generate DH keypair

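According to "Could not generate DH keypair on SSL", it turns out that Java 7 and earlier only support 1024-bit DH (Diffie-Hellman) parameters, but the new certificate now uses 2048-bit parameters, so simply running the program on Java 8 solves the problem.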

 

Conclusion:

  1. Error message "PKIX path building failed": change the program so that it accepts the certificate it is currently receiving.
  2. Error message "Could not generate DH keypair": upgrade Java to Java 8 or later.

    Posted by 小攻城師 on 痞客邦