Certificate path problem when accessing an HTTPS url with feignclient

Problem description

I am using a test certificate that has been imported into C:\Program Files\Java\jre1.8.0_131\lib\security\cacerts. I am trying to connect to an https service. It always throws javax.net.ssl.SSLHandshakeException.

main, handling exception: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

Command used to import the certificate:

"C:\Program Files\Java\jdk1.8.0_45\bin\keytool" -importcert -file rdm.cer -keystore keystore.jks -alias "Alias"

I am running my application in debug mode and can see the certificate in the log.

keyStore is : 
keyStore type is : jks
keyStore provider is : 
init keystore
init keymanager of type SunX509
trigger seeding of SecureRandom
done seeding SecureRandom
Allow unsafe renegotiation: true
Allow legacy hello messages: true
Is initial handshake: true
Is secure renegotiation: false
main, setSoTimeout(60000) called
Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_128_CBC_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 for TLSv1.1
Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 for TLSv1.1
Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_128_CBC_SHA256 for TLSv1.1
Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 for TLSv1.1
Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 for TLSv1.1
Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 for TLSv1.1
Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 for TLSv1.1
%% No cached client session
*** ClientHello, TLSv1.2
RandomCookie:  GMT: 1534747347 bytes = { 250, 16, 199, 57, 237, 133, 35, 35, 48, 125, 248, 24, 106, 46, 233, 69, 242, 51, 136, 208, 88, 167, 211, 251, 132, 111, 150, 122 }
Session ID:  {}
Cipher Suites: [TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_DSS_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
Compression Methods:  { 0 }
Extension elliptic_curves, curve names: {secp256r1, secp384r1, secp521r1, sect283k1, sect283r1, sect409k1, sect409r1, sect571k1, sect571r1, secp256k1}
Extension ec_point_formats, formats: [uncompressed]
Extension signature_algorithms, signature_algorithms: SHA512withECDSA, SHA512withRSA, SHA384withECDSA, SHA384withRSA, SHA256withECDSA, SHA256withRSA, SHA256withDSA, SHA1withECDSA, SHA1withRSA, SHA1withDSA
***
main, WRITE: TLSv1.2 Handshake, length = 161
2018-08-20 12:16:43.235 INFO net.spy.memcached.MemcachedConnection:  Reconnecting {QA sa=/172.16.1.17:11211, #Rops=0, #Wops=0, #iq=0, topRop=null, topWop=null, toWrite=0, interested=0}
main, READ: TLSv1.2 Handshake, length = 49
*** ServerHello, TLSv1.2
RandomCookie:  GMT: 332696558 bytes = { 234, 168, 242, 200, 28, 74, 219, 81, 9, 44, 216, 43, 86, 174, 243, 47, 83, 112, 137, 143, 32, 28, 204, 137, 90, 230, 22, 102 }
Session ID:  {}
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
Compression Method: 0
Extension renegotiation_info, renegotiated_connection: <empty>
***
%% Initialized:  [Session-1, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256]
** TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
main, READ: TLSv1.2 Handshake, length = 1187
*** Certificate chain
chain [0] = [
[
  Version: V3
  Subject: CN="172.16.3.36,172.16.3.14,172.16.3.15,172.16.3.16", OU=zyme, O=e2open, L=bang, ST=kar, C=in
  Signature Algorithm: SHA256withRSA, OID = 1.2.840.113549.1.1.11

  Key:  Sun RSA public key, 2048 bits
  modulus: 26288587705731226064818589753048659979933979082172398103539291536912116521328191702059505704719623504721452502199723894343473609066181185614682405611327909976414972978300257092694722905977040348285234525233439913517871748456818332434069363143692175499636832151739752955128469125424596932231527684381772140595739308268376798999407602138623191596953297082016223422803203234361208107188586515320842725758206878522616967977338852131061599530993608016215602407912297789913642666962272021519422352667626917854730093008794105038362026941940240849225769346355205424246109492330994413354658193612922036023098171781577539564277
  public exponent: 65537
  Validity: [From: Wed Jan 31 17:41:25 IST 2018,
               To: Tue Oct 27 17:41:25 IST 2020]
  Issuer: CN="172.16.3.36,172.16.3.14,172.16.3.15,172.16.3.16"
  SerialNumber: [    b633459b 3d582f5f]

Certificate Extensions: 5
[1]: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: 49 15 62 A2 0A 45 B3 B5   0B 3E 38 87 7C E5 EF 50  I.b..E...>8....P
0010: 41 70 0B DD                                        Ap..
]
[CN="172.16.3.36,172.16.3.14,172.16.3.15,172.16.3.16"]
SerialNumber: [    e6131d8f aeda7271]
]

[2]: ObjectId: 2.5.29.19 Criticality=false
BasicConstraints:[
  CA:false
  PathLen: undefined
]

[3]: ObjectId: 2.5.29.37 Criticality=false
ExtendedKeyUsages [
  serverAuth
  clientAuth
]

[4]: ObjectId: 2.5.29.15 Criticality=false
KeyUsage [
  DigitalSignature
  Key_Encipherment
  Data_Encipherment
]

[5]: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
  DNSName: kubernetes
  DNSName: kubernetes.default
  DNSName: kubernetes.default.svc
  DNSName: kubernetes.default.svc.cluster
  DNSName: kubernetes.default.svc.cluster.local
  IPAddress: 172.16.3.36
  IPAddress: 10.254.0.1
  IPAddress: 172.16.3.16
  IPAddress: 172.16.3.15
  IPAddress: 172.16.3.14
]

]
  Algorithm: [SHA256withRSA]
  Signature:
0000: 52 1D EC 32 97 48 89 7C   42 81 24 01 BB 0A 16 52  R..2.H..B.$....R
0010: 17 6C 87 15 BE 99 AC E3   6A CC 82 F2 7E 71 0B 99  .l......j....q..
0020: D9 86 64 4A 89 D7 97 8F   14 B3 CB 77 0B F3 51 F7  ..dJ.......w..Q.
0030: 32 B0 5D 09 FC E7 D5 29   F7 E7 2A 3F 3F 22 DF C7  2.]....)..*??"..
0040: 83 27 00 06 55 A5 97 59   E8 0A B5 AD 2B 1C 18 0C  .'..U..Y....+...
0050: 2B F5 FD 6E 19 3D F2 87   7D 5A 68 E2 1D 87 69 D2  +..n.=...Zh...i.
0060: 8D A6 1D F4 4A 24 5A 84   A3 97 DA 8B D1 B0 16 ED  ....J$Z.........
0070: D6 E9 74 12 4D BA B3 CA   DD 89 F7 6C 4F 7F 0F A2  ..t.M......lO...
0080: B4 DF 84 04 CD 60 59 33   05 FF D6 34 D0 5C 22 42  .....`Y3...4.\"B
0090: 99 F2 95 6F 2B 58 0A 6A   08 28 54 BC E2 17 EC E4  ...o+X.j.(T.....
00A0: 87 8D 8C 6F 6E 84 96 72   B2 02 0B C8 2C ED 8F AB  ...on..r....,...
00B0: 86 7A EF 9D 2B AD B7 A6   EF A4 61 FE 9D 2D 60 2B  .z..+.....a..-`+
00C0: 01 B0 8C B2 53 6A 91 C2   67 F9 EE 7C E2 EE 36 3F  ....Sj..g.....6?
00D0: E6 1A C5 8B 56 1C BB 46   F5 86 79 6A C2 E3 17 48  ....V..F..yj...H
00E0: 23 73 E7 C6 8F DA 36 4D   15 28 B3 64 3B 20 E0 AB  #s....6M.(.d; ..
00F0: AA DE AC C9 FD 14 E8 5A   DD 0D 66 F1 39 1A 78 BF  .......Z..f.9.x.

]
***
%% Invalidated:  [Session-1, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256]
main, SEND TLSv1.2 ALERT:  fatal, description = certificate_unknown
main, WRITE: TLSv1.2 Alert, length = 2
main, called closeSocket()
main, handling exception: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
main, called close()
main, called closeInternal(true)

I am using feignclient with spring-boot to connect directly to the service.

    // CommandLineRunner entry point; dataApiProxy is the injected FeignClient interface shown below
    @Override
    public void run(String... args) throws Exception {
        System.setProperty("sun.security.ssl.allowUnsafeRenegotiation", "true");
        MasterDataSearchResponseDto dto = dataApiProxy.searchDataRepository("zymecustomer", "soumya", "CDT", "NA", 3L);
        logger.debug(dto.toString());
    }

FeignClient implementation

@FeignClient(name = "dataApiProxy", url = "https://172.16.3.36:8081/api/v1/proxy/namespaces/")
public interface DataApiProxy {

    // PUT /api/masters/{masterId}?tid=..&uid=..&tz=..&source=..
    @RequestMapping(value = "/api/masters/{masterId}", method = RequestMethod.PUT)
    MasterDataSearchResponseDto searchDataRepository(@RequestParam("tid") String tid, @RequestParam("uid") String uid,
            @RequestParam("tz") String timeZone, @RequestParam("source") String source,
            @PathVariable("masterId") final Long masterId);

}

Since this is a test certificate, I added sun.security.ssl.allowUnsafeRenegotiation = true to disable renegotiation. I still get the exception. I suspect I missed something when importing the certificate.
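The log above shows the handshake being aborted by the client with a fatal certificate_unknown alert immediately after the server's certificate chain arrives: the JSSE trust manager found no trust anchor for it. Two details in the question are worth verifying before anything else: the keytool command writes into keystore.jks in the current directory, not into the JRE's cacerts, and the keytool comes from jdk1.8.0_45 while the application runs on jre1.8.0_131, which has its own cacerts file. The diagnostic below is an added example, not code from the question or from any project. It performs offline the same check the trust manager performs: it loads a truststore and the server certificate (the exported .cer file) and reports whether the certificate is itself a trusted entry in that store or can be chained by PKIX validation to a trust anchor in it. The class name TrustPathCheck and the argument layout are assumptions; "changeit" is the documented default password of a JDK's cacerts.

```java
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
import java.security.cert.CertPathValidatorException;
import java.security.cert.CertificateFactory;
import java.security.cert.PKIXCertPathValidatorResult;
import java.security.cert.PKIXParameters;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.List;

/** Offline check: can this truststore validate this server certificate? (hypothetical helper, not from the question) */
public class TrustPathCheck {

    /** Loads a JKS or PKCS12 truststore. The password only protects the store's integrity; null skips that check. */
    static KeyStore loadTrustStore(Path path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = Files.newInputStream(path)) {
            ks.load(in, password);
        }
        return ks;
    }

    /** Reads the certificates in a PEM or DER file, in file order (leaf first if the file holds a chain). */
    static List<X509Certificate> loadChain(Path certFile) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        List<X509Certificate> chain = new ArrayList<>();
        try (InputStream in = Files.newInputStream(certFile)) {
            for (Certificate c : cf.generateCertificates(in)) {
                chain.add((X509Certificate) c);
            }
        }
        return chain;
    }

    /**
     * Mirrors what SunJSSE's trust manager does: a chain whose end-entity certificate is itself a trusted
     * entry is accepted as-is; otherwise the chain must validate (PKIX) up to a trust anchor in the store.
     * Returns a verdict string instead of throwing, so callers can log it.
     */
    static String check(KeyStore trustStore, List<X509Certificate> chain) throws Exception {
        X509Certificate leaf = chain.get(0);
        String alias = trustStore.getCertificateAlias(leaf);
        if (alias != null) {
            return "OK: end-entity certificate is present in the truststore under alias '" + alias + "'";
        }
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        CertPath path = cf.generateCertPath(chain);
        PKIXParameters params = new PKIXParameters(trustStore); // trust anchors = trusted-cert entries in the store
        params.setRevocationEnabled(false);                    // offline lab check: no CRL/OCSP sources configured
        try {
            PKIXCertPathValidatorResult r = (PKIXCertPathValidatorResult)
                    CertPathValidator.getInstance("PKIX").validate(path, params);
            return "OK: chains to trust anchor " + r.getTrustAnchor().getTrustedCert().getSubjectX500Principal();
        } catch (CertPathValidatorException e) {
            // A leaf whose issuer is a separate CA (different serial in AuthorityKeyIdentifier) needs the
            // CA certificate in the store, not only the leaf.
            return "FAIL: " + e.getMessage() + " (leaf issuer: " + leaf.getIssuerX500Principal() + ")";
        }
    }

    public static void main(String[] args) throws Exception {
        // Usage: java TrustPathCheck <server-cert.cer> [truststore] [password]
        // Without a truststore argument the running JRE's own cacerts is used.
        Path certFile = Paths.get(args[0]);
        Path storePath = args.length > 1 ? Paths.get(args[1])
                : Paths.get(System.getProperty("java.home"), "lib", "security", "cacerts");
        char[] password = (args.length > 2 ? args[2] : "changeit").toCharArray(); // JDK default for cacerts
        System.out.println("java.home  = " + System.getProperty("java.home"));
        System.out.println("truststore = " + storePath.toAbsolutePath());
        KeyStore ks = loadTrustStore(storePath, password);
        System.out.println("entries    = " + ks.size());
        System.out.println(check(ks, loadChain(certFile)));
    }
}
```

Run it once with the JRE that actually executes the application (the java.home line confirms which one that is) and once against keystore.jks; if only the second run prints OK, the certificate was never imported into the cacerts the application consults.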

Tags: java, spring-boot, ssl, spring-cloud-feign
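Rather than depending on whichever cacerts the running JRE happens to use, a Spring Boot application can hand Feign an SSLSocketFactory built from an explicit truststore. The configuration below is an added example, not the question's code or a Spring Cloud artefact; the class name FeignTlsConfig and the system properties app.truststore and app.truststore.password are assumptions. It uses OpenFeign's feign.Client.Default(SSLSocketFactory, HostnameVerifier) constructor, and Spring Cloud picks up a feign.Client bean from the application context for a url-based @FeignClient such as the one in the question. Passing null for the verifier keeps HttpsURLConnection's default hostname check, which the certificate in the log already satisfies because its SubjectAlternativeName lists IPAddress 172.16.3.36, the host in the @FeignClient url. Nothing here touches sun.security.ssl.allowUnsafeRenegotiation, which concerns TLS renegotiation and has no bearing on certificate path validation.

```java
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.KeyStore;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

import feign.Client;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;

/** Hypothetical configuration (not from the question): Feign trusts only what is in an explicit truststore. */
@Configuration
public class FeignTlsConfig {

    @Bean
    public Client feignClient() throws Exception {
        // Assumed properties; point them at the store keytool actually wrote to (keystore.jks in the question).
        String storePath = System.getProperty("app.truststore", "keystore.jks");
        char[] storePassword = System.getProperty("app.truststore.password", "changeit").toCharArray();

        KeyStore trustStore = KeyStore.getInstance("JKS");
        try (InputStream in = Files.newInputStream(Paths.get(storePath))) {
            trustStore.load(in, storePassword);
        }

        // Standard JSSE trust manager (PKIX) over exactly these trust anchors, nothing from the JRE's cacerts.
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);

        SSLContext sslContext = SSLContext.getInstance("TLS");
        sslContext.init(null, tmf.getTrustManagers(), null); // no client key material, default SecureRandom

        // A null HostnameVerifier keeps HttpsURLConnection's default check; the test certificate's
        // SubjectAlternativeName lists IPAddress 172.16.3.36, so there is no reason to weaken it.
        return new Client.Default(sslContext.getSocketFactory(), null);
    }
}
```

Start the application with -Dapp.truststore=<path to keystore.jks> -Dapp.truststore.password=<the password given to keytool>; the bean then applies to every @FeignClient in the context, and the PKIX path building failed error disappears only if the store really contains the server certificate or its issuing CA.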
