JDK8 -> JDK10: PKIX路径构建失败: SunCertPathBuilderException:无法找到被请求目标的有效证书路径

Question

问题

• 我有一个SpringBoot应用程序，它使用一个名为Launchdarkly的应用程序，它使用okhttp
• 我正在从JRE 8迁移到JRE 10，对其他资源的调用工作正常，但是在使用okhttp进行的调用中失败

编辑：这可能发生在任何具有类似于我们应用程序使用的证书链的应用程序中。

javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

异常

错误发生在线程中..。

config-server_1  | 2018-11-10T21:25:19,147 67327 | DEBUG | okhttp-eventsource-[] ["okhttp-eventsource-stream-[]-0" {}] Connection problem.
config-server_1  | javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
config-server_1  |  at sun.security.ssl.Alerts.getSSLException(Alerts.java:198) ~[?:?]
config-server_1  |  at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1974) ~[?:?]
config-server_1  |  at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:345) ~[?:?]
config-server_1  |  at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:339) ~[?:?]
config-server_1  |  at sun.security.ssl.ClientHandshaker.checkServerCerts(ClientHandshaker.java:1968) ~[?:?]
config-server_1  |  at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1777) ~[?:?]
config-server_1  |  at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:264) ~[?:?]
config-server_1  |  at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1098) ~[?:?]
config-server_1  |  at sun.security.ssl.Handshaker.processRecord(Handshaker.java:1026) ~[?:?]
config-server_1  |  at sun.security.ssl.SSLSocketImpl.processInputRecord(SSLSocketImpl.java:1137) ~[?:?]
config-server_1  |  at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1074) ~[?:?]
config-server_1  |  at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:973) ~[?:?]
config-server_1  |  at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1402) ~[?:?]
config-server_1  |  at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1429) ~[?:?]
config-server_1  |  at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1413) ~[?:?]
config-server_1  |  at com.launchdarkly.shaded.okhttp3.internal.connection.RealConnection.connectTls(RealConnection.java:281) ~[launchdarkly-client-2.3.2.jar!/:2.3.2]
config-server_1  |  at com.launchdarkly.shaded.okhttp3.internal.connection.RealConnection.establishProtocol(RealConnection.java:251) ~[launchdarkly-client-2.3.2.jar!/:2.3.2]
config-server_1  |  at com.launchdarkly.shaded.okhttp3.internal.connection.RealConnection.connect(RealConnection.java:151) ~[launchdarkly-client-2.3.2.jar!/:2.3.2]
config-server_1  |  at com.launchdarkly.shaded.okhttp3.internal.connection.StreamAllocation.findConnection(StreamAllocation.java:195) ~[launchdarkly-client-2.3.2.jar!/:2.3.2]
config-server_1  |  at com.launchdarkly.shaded.okhttp3.internal.connection.StreamAllocation.findHealthyConnection(StreamAllocation.java:121) ~[launchdarkly-client-2.3.2.jar!/:2.3.2]

设置

• 使用jlink和选择模块构建一个小的JRE
  • 在https://dev.to/gimlet2/dockerizing-java-10-spring-boot-app-3b4c上使用Docker安装
  • 当前的应用程序运行在JRE8上的码头(相同的基本图像)

​

• 我只有JAVA_HOME .不确定我们还需要什么

Java 10版本详细信息

使用上述方法安装

root@e0776fd790e7:/runtime# ls -la /etc/ssl/certs/java/cacerts
-rw-r--r-- 1 root root 177280 Oct 29 16:29 /etc/ssl/certs/java/cacerts
root@e0776fd790e7:/runtime# java -version
openjdk version "10" 2018-03-20
OpenJDK Runtime Environment 18.3 (build 10+46)
OpenJDK 64-Bit Server VM 18.3 (build 10+46, mixed mode)

密钥存储设置

java 10密钥库可以看到它。

root@17000659d1ec:/runtime# keytool -cacerts -list
Enter keystore password:
Keystore type: JKS
Keystore provider: SUN

Your keystore contains 80 entries

正如在https://dzone.com/articles/openjdk-10-now-includes-root-ca-certificates中描述的那样

尝试

• 我想知道你有没有什么可以帮的
  • 来自Unable to find valid certification path to requested target - error even after cert imported

​

• 尝试从java 8到java 10调用仙人掌。
• **Tried to symlink or copy cacerts from JRE dir to** **`/etc/ssl/certs/java/cacerts`** WORKS! ALONG WITH COPYING FROM JDK 8
• 尝试设置-Djavax.net.ssl.trustStore=/opt/jdk-minimal/jre/lib/security/cacerts

编辑:见“我的答案”

Answer 1

从JDK 8迁移到JDK 10的解决方案

• 证书实际上是不同的，
  • JDK 10有80，JDK 8有151

​

• JDK 10最近添加了certs
  • https://dzone.com/articles/openjdk-10-now-includes-root-ca-certificates
  • http://openjdk.java.net/jeps/319

​

JDK 10

root@c339504909345:/opt/jdk-minimal/jre/lib/security #  keytool -cacerts -list
Enter keystore password:
Keystore type: JKS
Keystore provider: SUN

Your keystore contains 80 entries

JDK 8

root@c39596768075:/usr/lib/jvm/java-8-openjdk-amd64/jre/lib/security/cacerts #  keytool -cacerts -list
Enter keystore password:
Keystore type: JKS
Keystore provider: SUN

Your keystore contains 151 entries

修复步骤

我没有检查哪个证书链不受信任，但是服务器的URL证书是有效的.来自JDK 10的cacerts有一个链，到今天为止已经断了。我可以断言，因为来自bin.tar.gz的下载是在全新的Docker中安装的。

• 我删除了JDK 10证书，并将其替换为JDK 8。
• 由于我正在构建Docker，所以我可以使用多阶段构建快速完成这一任务
  • 我正在构建一个使用jlink作为/opt/jdk/bin/jlink \ --module-path /opt/jdk/jmods...的最小JRE

​

这是不同的路径和命令的顺序..。

# Java 8
COPY --from=marcellodesales-springboot-builder-jdk8 /usr/lib/jvm/java-8-openjdk-amd64/jre/lib/security/cacerts /etc/ssl/certs/java/cacerts

# Java 10
RUN rm -f /opt/jdk-minimal/jre/lib/security/cacerts
RUN ln -s /etc/ssl/certs/java/cacerts /opt/jdk-minimal/jre/lib/security/cacerts