27. Why does a CA-signed certificate still need to be imported manually?

1. Background

Yesterday a merchant's operations team notified us that the merchant's certificate had been renewed and that we would have to import the new certificate manually on our side. Opening the URL in a browser showed that the site's HTTPS certificate is CA-signed, not self-signed.


In principle, with a CA-signed certificate the client obtains the certificate chain during the SSL handshake and uses it to validate the server certificate. Yet when our side called the merchant's URL, we got the following error:

com.jd.edi.utils.exception.runtime.ProcessorRunningException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
  at com.jd.lsb.edi.flow.camel.processor.exception.ExceptionProcessor.process(ExceptionProcessor.java:66)
  at org.apache.camel.processor.DelegateSyncProcessor.process(DelegateSyncProcessor.java:63)
  at org.apache.camel.processor.CamelInternalProcessor.process(CamelInternalProcessor.java:201)
  at org.apache.camel.processor.Pipeline.process(Pipeline.java:138)
  at org.apache.camel.processor.Pipeline.process(Pipeline.java:101)
  at org.apache.camel.processor.FatalFallbackErrorHandler.process(FatalFallbackErrorHandler.java:82)
  at org.apache.camel.processor.RedeliveryErrorHandler.deliverToFailureProcessor(RedeliveryErrorHandler.java:1063)
  at org.apache.camel.processor.RedeliveryErrorHandler.process(RedeliveryErrorHandler.java:474)
  at org.apache.camel.processor.CamelInternalProcessor.process(CamelInternalProcessor.java:201)
  at org.apache.camel.processor.Pipeline.process(Pipeline.java:138)
  at org.apache.camel.processor.Pipeline.process(Pipeline.java:101)
  at org.apache.camel.processor.CamelInternalProcessor.process(CamelInternalProcessor.java:201)
  at org.apache.camel.processor.DelegateAsyncProcessor.process(DelegateAsyncProcessor.java:97)
  at com.jd.lsb.edi.component.jsf.utils.RouteHandler.invoke(RouteHandler.java:46)
  at com.sun.proxy.$Proxy111.handle(Unknown Source)
  at sun.reflect.GeneratedMethodAccessor1025.invoke(Unknown Source)
  at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
  at java.lang.reflect.Method.invoke(Method.java:497)
  at com.jd.jsf.gd.filter.ProviderInvokeFilter.reflectInvoke(ProviderInvokeFilter.java:140)
  at com.jd.jsf.gd.filter.ProviderInvokeFilter.invoke(ProviderInvokeFilter.java:100)
  at com.jd.jsf.gd.filter.ProviderSecurityFilter.invoke(ProviderSecurityFilter.java:42)
  at com.jd.jsf.gd.filter.ProviderConcurrentsFilter.invoke(ProviderConcurrentsFilter.java:62)
  at com.jd.jsf.gd.filter.ProviderTimeoutFilter.invoke(ProviderTimeoutFilter.java:39)
  at com.jd.jsf.gd.filter.ProviderMethodCheckFilter.invoke(ProviderMethodCheckFilter.java:78)
  at com.jd.jsf.gd.filter.ProviderInvokeLimitFilter.invoke(ProviderInvokeLimitFilter.java:56)
  at com.jd.jsf.gd.filter.ProviderHttpGWFilter.invoke(ProviderHttpGWFilter.java:47)
  at com.jd.jsf.gd.filter.ProviderGenericFilter.invoke(ProviderGenericFilter.java:118)
  at com.jd.jsf.gd.filter.ProviderContextFilter.invoke(ProviderContextFilter.java:81)
  at com.jd.jsf.gd.filter.ExceptionFilter.invoke(ExceptionFilter.java:44)
  at com.jd.jsf.gd.filter.SystemTimeCheckFilter.invoke(SystemTimeCheckFilter.java:79)
  at com.jd.jsf.gd.filter.FilterChain.invoke(FilterChain.java:281)
  at com.jd.jsf.gd.server.ProviderProxyInvoker.invoke(ProviderProxyInvoker.java:66)
  at com.jd.jsf.gd.server.JSFTask.doRun(JSFTask.java:129)
  at com.jd.jsf.gd.server.BaseTask.run(BaseTask.java:29)
  at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
  at java.util.concurrent.FutureTask.run(FutureTask.java:266)
  at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
  at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
  at java.lang.Thread.run(Thread.java:745)
Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
  at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
  at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1949)
  at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:302)
  at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:296)
  at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1497)
  at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:212)
  at sun.security.ssl.Handshaker.processLoop(Handshaker.java:979)
  at sun.security.ssl.Handshaker.process_record(Handshaker.java:914)
  at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1062)
  at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1375)
  at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1403)
  at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1387)
  at org.apache.http.conn.ssl.SSLConnectionSocketFactory.createLayeredSocket(SSLConnectionSocketFactory.java:396)
  at org.apache.http.conn.ssl.SSLConnectionSocketFactory.connectSocket(SSLConnectionSocketFactory.java:355)
  at org.apache.http.impl.conn.DefaultHttpClientConnectionOperator.connect(DefaultHttpClientConnectionOperator.java:142)
  at org.apache.http.impl.conn.PoolingHttpClientConnectionManager.connect(PoolingHttpClientConnectionManager.java:359)
  at org.apache.http.impl.execchain.MainClientExec.establishRoute(MainClientExec.java:381)
  at org.apache.http.impl.execchain.MainClientExec.execute(MainClientExec.java:237)
  at org.apache.http.impl.execchain.ProtocolExec.execute(ProtocolExec.java:185)
  at org.apache.http.impl.execchain.RetryExec.execute(RetryExec.java:89)
  at org.apache.http.impl.execchain.RedirectExec.execute(RedirectExec.java:111)
  at org.apache.http.impl.client.InternalHttpClient.doExecute(InternalHttpClient.java:185)
  at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:83)
  at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:56)
  at org.apache.camel.component.http4.HttpProducer.executeMethod(HttpProducer.java:334)
  at org.apache.camel.component.http4.HttpProducer.process(HttpProducer.java:193)
  at org.apache.camel.util.AsyncProcessorConverterHelper$ProcessorToAsyncProcessorBridge.process(AsyncProcessorConverterHelper.java:61)
  at org.apache.camel.processor.SendProcessor.process(SendProcessor.java:148)
  at org.apache.camel.processor.RedeliveryErrorHandler.process(RedeliveryErrorHandler.java:548)
  ... 31 more
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
  at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:387)
  at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:292)
  at sun.security.validator.Validator.validate(Validator.java:260)
  at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324)
  at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:229)
  at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:105)
  at com.jd.lsb.edi.service.http.common.ssl.SSLTrustManager.checkServerTrusted(SSLTrustManager.java:54)
  at sun.security.ssl.AbstractTrustManagerWrapper.checkServerTrusted(SSLContextImpl.java:922)
  at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1479)
  ... 55 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
  at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:145)
  at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:131)
  at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280)
  at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:382)
  ... 63 more

In the end, importing the merchant's certificate resolved the problem.

2. Locating the problem

1) Comparison site: https://sg.godaddy.com/ (both sites use the same CA certificate chain)
2) Comparison results
  • HttpClient can access https://sg.godaddy.com/ normally.
  • Debugging showed that in the successful case HttpClient receives a certificate chain during the SSL handshake, whereas in the failing case it receives only the server's own certificate.
  • After importing the intermediate certificate into the trust store (cert), the merchant's URL could be accessed normally.
// Excerpt from the JDK's sun.security.ssl.CertificateMessage (JDK 11 and later); the breakpoint was set here
class T12CertificateConsumer {
        @Override
        public void consume(ConnectionContext context, ByteBuffer message) throws IOException {
            // ... (hc is the HandshakeContext cast from context)
            // In the working case the full certificate chain arrives here; in the failing case only the server's single certificate arrives
            T12CertificateMessage cm = new T12CertificateMessage(hc, message);
        }
}

3. Conclusion

Even with a CA-signed certificate, if the server does not chain its intermediate certificate(s) to its own certificate and send them together during the SSL handshake, the client cannot build a path to a trusted root and HTTPS access fails.
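The conclusion above, worked through as an added example that is not part of the original post: a constructed three-level PKI (trusted root, intermediate, server leaf) built in-process with Go's crypto/x509, so it runs offline without any real certificates. ClientVerify plays the role of the Java client whose trust store holds only the root; calling it with the leaf alone reproduces the path-building failure, and calling it with the intermediate the server should have sent succeeds. The hostnames root-ca.test, intermediate-ca.test and merchant.example are made up.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// issue signs a certificate for cn with parentKey; a nil parent yields a self-signed root.
// All keys and certificates are constructed on the fly, not the merchant's real ones.
func issue(cn string, serial int64, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	t := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		DNSNames:              []string{cn}, // SAN; the client matches the hostname against the leaf's
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if parent == nil { // self-signed root
		parent, parentKey = t, key
	}
	der, err := x509.CreateCertificate(rand.Reader, t, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// ClientVerify models a client whose trust store holds only root. extras are the certificates the
// server sent after its own leaf; they become candidate intermediates, as in Java's PKIX path builder.
func ClientVerify(root, leaf *x509.Certificate, extras ...*x509.Certificate) (int, error) {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	for _, c := range extras {
		inters.AddCert(c)
	}
	chains, err := leaf.Verify(x509.VerifyOptions{DNSName: "merchant.example", Roots: roots, Intermediates: inters})
	if err != nil {
		return 0, err // leaf alone: x509.UnknownAuthorityError, Java's "unable to find valid certification path"
	}
	return len(chains[0]), nil
}
```

Build the three certificates with issue(), then call ClientVerify(root, leaf) to see the merchant's failing case and ClientVerify(root, leaf, inter) to see the chain of length 3 that a correctly configured server yields.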

4. 后續(xù)

跟商家技術(shù)反饋后途样,他們調(diào)整了證書,經(jīng)測(cè)試不導(dǎo)入證書也可以正常訪問(wèn)濒憋。

Other: a guess at why browsers can still access the site

Browsers automatically download the intermediate certificate chain from the OU (more precisely, from the CA Issuers URL in the certificate's Authority Information Access extension), so they can complete the chain even when the server does not send it.

