Https PKIX

使用 Gradle 编译项目，在下载 jar 包时如果遇到 PKIX path building failed: sun.security.provider… 错误，则说明是 ssl 证书的问题，把证书加入到 JVM 的 $JAVA_HOME/jre/lib/security/cacerts 文件即可。

确定证书有问题的域名

> Could not resolve net.ltgt.gradle:gradle-errorprone-plugin:0.0.14.
   > Could not get resource 'https://maven.eveoh.nl/content/repositories/releases/net/ltgt/gradle/gradle-errorprone-plugin/0.0.14/gradle-errorprone-plugin-0.0.14.pom'.
      > Could not GET 'https://maven.eveoh.nl/content/repositories/releases/net/ltgt/gradle/gradle-errorprone-plugin/0.0.14/gradle-errorprone-plugin-0.0.14.pom'.
         > sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

> Could not resolve net.ltgt.gradle:gradle-errorprone-plugin:0.0.14.
   > Could not get resource 'https://plugins.gradle.org/m2/net/ltgt/gradle/gradle-errorprone-plugin/0.0.14/gradle-errorprone-plugin-0.0.14.pom'.
      > Could not GET 'https://plugins.gradle.org/m2/net/ltgt/gradle/gradle-errorprone-plugin/0.0.14/gradle-errorprone-plugin-0.0.14.pom'.
         > plugins.gradle.org

上面的异常，显示在获取 maven.eveoh.nl 下的资源时 ssl 证书有问题，可以使用 SSLPoke.class 来确定是否这个域名的 ssl 是否有问题: 执行 java SSLPoke maven.eveoh.nl 443，输出 Successfully connected 说明 ssl 证书没问题，如抛出下面的异常则 ssl 证书有问题:

sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:387)
    at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:292)
    at sun.security.validator.Validator.validate(Validator.java:260)
    at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324)
    ...

确认证书有问题的域名后，下载这个域名的证书，导入到 cacerts 文件就可以了，可以使用下面的 2 种方式下载证书:

• 使用 openssl 下载证书
• 使用 Firefox 下载证书

使用 openssl 下载证书

1. 执行 openssl s_client -showcerts -connect maven.eveoh.nl:443 (域名和端口根据实际情况进行修改)

2. 输出:

   CONNECTED(00000005)
   depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
   verify return:1
   depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
   verify return:1
   depth=0 CN = eveoh.nl
   verify return:1
   ---
   Certificate chain
    0 s:/CN=eveoh.nl
      i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
   -----BEGIN CERTIFICATE-----
   MIIGkzCCBXugAwIBAgISA//ESDMD0/IsDv3NVGVcCnMKMA0GCSqGSIb3DQEBCwUA
   ...
   jKjosk5w1g==
   -----END CERTIFICATE-----
    1 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
      i:/O=Digital Signature Trust Co./CN=DST Root CA X3
   -----BEGIN CERTIFICATE-----
   MIIEkjCCA3qgAwIBAgIQCgFBQgAAAVOFc2oLheynCDANBgkqhkiG9w0BAQsFADA/
   ...
   KOqkqm57TH2H3eDJAkSnh6/DNFu0Qg==
   -----END CERTIFICATE-----

   subject (s:) 为申请证书的网站，issuer(i:) 为证书颁发者

3. 保存证书:

   -----BEGIN CERTIFICATE-----
   MIIGkzCCBXugAwIBAgISA//ESDMD0/IsDv3NVGVcCnMKMA0GCSqGSIb3DQEBCwUA
   ...
   jKjosk5w1g==
   -----END CERTIFICATE-----

   可能会有像上面这样格式的多个证书，我们只需要 eveoh.nl 的证书，因为 0 s:/CN=eveoh.nl，所以保存第一个为文本文件 need.crt

4. 导入证书:

   sudo keytool -importcert -keystore $JAVA_HOME/jre/lib/security/cacerts  -file need.crt -alias eveoh

5. 输入 cert 文件的密码，默认的都是 changeit

使用 Firefox 下载证书

1. 使用 Firefox 打开 https 的链接: https://repo1.maven.org

2. 点击地址栏中的小锁图标

3. 点击 Security Connection 右边的向右箭头

4. More Information > Security > View Certificate > Details > Export

5. 例如上面 cert 文件保存为 repo1.maven.org.crt

6. 打开终端，导入 cert 文件

   sudo keytool -importcert -keystore $JAVA_HOME/jre/lib/security/cacerts -file repo1.maven.org.crt -alias maven

   cacerts 文件的路径和 JRE/JDK 安装的路径有关

7. 输入 cert 文件的密码，默认的都是 changeit

8. 重启系统

删除证书

sudo keytool -delete -keystore $JAVA_HOME/jre/lib/security/cacerts -alias eveoh

显示证书

keytool -list -v -keystore $JAVA_HOME/jre/lib/security/cacerts
输入密码 changeit

通过查找 Alias name: yourAlias 查看证书是否导入成功。