java JDK8>JDK10:PKIX路径生成失败:SunCertPathBuilderException:找不到请求目标的有效证书路径
问题
- 我有一个SpringBoot应用程序,使用一个名为
Launchdarkly
的应用程序,它利用okhttp
- 我正在从JRE 8迁移到JRE 10,对其他资源的调用可以工作,但在使用
okhttp
进行的调用中失败
编辑:这可能发生在任何具有与我们的应用程序使用的证书链类似的证书链的应用程序上
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
例外情况
错误发生在该线程中
config-server_1 | 2018-11-10T21:25:19,147 67327 | DEBUG | okhttp-eventsource-[] ["okhttp-eventsource-stream-[]-0" {}] Connection problem.
config-server_1 | javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
config-server_1 | at sun.security.ssl.Alerts.getSSLException(Alerts.java:198) ~[?:?]
config-server_1 | at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1974) ~[?:?]
config-server_1 | at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:345) ~[?:?]
config-server_1 | at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:339) ~[?:?]
config-server_1 | at sun.security.ssl.ClientHandshaker.checkServerCerts(ClientHandshaker.java:1968) ~[?:?]
config-server_1 | at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1777) ~[?:?]
config-server_1 | at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:264) ~[?:?]
config-server_1 | at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1098) ~[?:?]
config-server_1 | at sun.security.ssl.Handshaker.processRecord(Handshaker.java:1026) ~[?:?]
config-server_1 | at sun.security.ssl.SSLSocketImpl.processInputRecord(SSLSocketImpl.java:1137) ~[?:?]
config-server_1 | at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1074) ~[?:?]
config-server_1 | at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:973) ~[?:?]
config-server_1 | at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1402) ~[?:?]
config-server_1 | at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1429) ~[?:?]
config-server_1 | at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1413) ~[?:?]
config-server_1 | at com.launchdarkly.shaded.okhttp3.internal.connection.RealConnection.connectTls(RealConnection.java:281) ~[launchdarkly-client-2.3.2.jar!/:2.3.2]
config-server_1 | at com.launchdarkly.shaded.okhttp3.internal.connection.RealConnection.establishProtocol(RealConnection.java:251) ~[launchdarkly-client-2.3.2.jar!/:2.3.2]
config-server_1 | at com.launchdarkly.shaded.okhttp3.internal.connection.RealConnection.connect(RealConnection.java:151) ~[launchdarkly-client-2.3.2.jar!/:2.3.2]
config-server_1 | at com.launchdarkly.shaded.okhttp3.internal.connection.StreamAllocation.findConnection(StreamAllocation.java:195) ~[launchdarkly-client-2.3.2.jar!/:2.3.2]
config-server_1 | at com.launchdarkly.shaded.okhttp3.internal.connection.StreamAllocation.findHealthyConnection(StreamAllocation.java:121) ~[launchdarkly-client-2.3.2.jar!/:2.3.2]
设置
- 使用
jlink
并选择模块来构建小型JRE- 使用Docker安装在https://dev.to/gimlet2/dockerizing-java-10-spring-boot-app-3b4c
- 当前应用程序在Docker中的JRE8上运行(相同的基本图像)
- 我只有
JAVA_HOME
集。。。不确定我们还需要什么
Java 10版本详细信息
使用上述方法安装
root@e0776fd790e7:/runtime# ls -la /etc/ssl/certs/java/cacerts
-rw-r--r-- 1 root root 177280 Oct 29 16:29 /etc/ssl/certs/java/cacerts
root@e0776fd790e7:/runtime# java -version
openjdk version "10" 2018-03-20
OpenJDK Runtime Environment 18.3 (build 10+46)
OpenJDK 64-Bit Server VM 18.3 (build 10+46, mixed mode)
密钥库已设置
Java10密钥库可以看到它
root@17000659d1ec:/runtime# keytool -cacerts -list
Enter keystore password:
Keystore type: JKS
Keystore provider: SUN
Your keystore contains 80 entries
如https://dzone.com/articles/openjdk-10-now-includes-root-ca-certificates所述
尝试
- 我想知道你能帮上什么忙
- 试图从java 8调用cacerts到java 10
Tried to symlink or copy cacerts from JRE dir to
/etc/ssl/certs/java/cacerts
WORKS! ALONG WITH COPYING FROM JDK 8- 已尝试设置
-Djavax.net.ssl.trustStore=/opt/jdk-minimal/jre/lib/security/cacerts
编辑:查看我的答案
# 1 楼答案
从JDK 8迁移到JDK 10时的解决方案
certs
JDK 10
JDK 8
修复的步骤
我还没有检查哪个证书链不受信任,但服务器的URL证书是有效的。。。JDK 10中的
cacerts
有一条链从今天起就断了。我可以断言,因为从https://download.java.net/java/GA/jdk10/10/binaries/openjdk-10_linux-x64_bin.tar.gz下载的内容被安装在一个全新的Docker映像中jlink
作为/opt/jdk/bin/jlink \ module-path /opt/jdk/jmods...
构建一个最小的JRE下面是不同的路径和命令序列