解決 『SunCertPathBuilderException:unable to find valid certification path to requested target』 問題
★ 問題
在 maven 編譯的時候,出現證書校驗錯誤,部分log如下:
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
此問題通常是在訪問maven依賴庫的網站(https的)時,證書被替換了,然后導致的。
為什么證書會被替換?可能的原因是,代理服務器作為中間人,在https傳輸過程中,將服務器的證書替換了,然后就可以監聽https的流量了。通常,公司里會這么干。這里代理服務器利用了https協議的密鑰交換過程,可以參考這篇文章:掃盲 HTTPS 和 SSL/TLS 協議
解決此問題,有兩種方法。
★ 方法1:為maven添加屬性maven.wagon.http.ssl.insecure=true
在mvn命令后面加上-Dmaven.wagon.http.ssl.insecure=true。此屬性是讓maven忽略安全性,不再校驗服務器的證書(此時服務器的證書可能是被替換的)。
mvn -Dmaven.wagon.http.ssl.insecure=true package
★ 方法2:將證書添加到 cacerts 中
環境:Windows。
cacerts包含了很多CA證書,位置在Java的安裝目錄: 『Java\jdk1.8.0_65\jre\lib\security\cacerts』。
執行如下命令,將證書加到cacerts中:
keytool.exe -importcert -file <新證書> -keystore Java\jdk1.8.0_65\jre\lib\security\cacerts -storepass changeit
<新證書>可以是cer格式的,例如,xxx.cer。
執行此命令會提示你是否信任此證書,輸入yes,回車。然后證書就加入cacerts中了。部分log如下:
Trust this certificate? [no]: yes
Certificate was added to keystore
關於cacerts的說明
參考: https://www.ibm.com/support/knowledgecenter/SSYKE2_8.0.0/com.ibm.java.security.component.80.doc/security-component/keytoolDocs/cacertsfile.html
A certificates file named “cacerts” resides in the security properties directory, java.home\lib\security, where java.home is the runtime environment directory (the jre directory in the SDK or the top-level directory of the Java™ 2 Runtime Environment).
The “cacerts” file represents a system-wide keystore with CA certificates. System administrators can configure and manage that file using keytool, specifying “jks” as the keystore type. The “cacerts” keystore file ships with several root CA certificates. The initial password of the “cacerts” keystore file is “changeit”. System administrators should change that password and the default access permission of that file when installing the SDK.
★ 參考
https://stackoverflow.com/questions/30480086/how-to-integrate-ssl-certificates-to-the-cacerts-file-in-jre-security-folder