HTTPS PKIX

When building a project with Gradle, if downloading jar packages fails with the error PKIX path building failed: sun.security.provider…, the cause is an SSL certificate problem: add the certificate to the JVM's $JAVA_HOME/jre/lib/security/cacerts file and the download will work.

Identify the domain whose certificate is failing

> Could not resolve net.ltgt.gradle:gradle-errorprone-plugin:0.0.14.
> Could not get resource 'https://maven.eveoh.nl/content/repositories/releases/net/ltgt/gradle/gradle-errorprone-plugin/0.0.14/gradle-errorprone-plugin-0.0.14.pom'.
> Could not GET 'https://maven.eveoh.nl/content/repositories/releases/net/ltgt/gradle/gradle-errorprone-plugin/0.0.14/gradle-errorprone-plugin-0.0.14.pom'.
> sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

> Could not resolve net.ltgt.gradle:gradle-errorprone-plugin:0.0.14.
> Could not get resource 'https://plugins.gradle.org/m2/net/ltgt/gradle/gradle-errorprone-plugin/0.0.14/gradle-errorprone-plugin-0.0.14.pom'.
> Could not GET 'https://plugins.gradle.org/m2/net/ltgt/gradle/gradle-errorprone-plugin/0.0.14/gradle-errorprone-plugin-0.0.14.pom'.
> plugins.gradle.org

The exceptions above show that the SSL certificate check failed while fetching a resource under maven.eveoh.nl. You can use SSLPoke.class to confirm whether this domain's SSL certificate is the problem: run java SSLPoke maven.eveoh.nl 443. If it prints Successfully connected, the certificate is fine; if it throws the exception below, the certificate is the problem:

sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:387)
at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:292)
at sun.security.validator.Validator.validate(Validator.java:260)
at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324)
...

Once you have confirmed which domain's certificate is failing, download that domain's certificate and import it into the cacerts file. The certificate can be downloaded in either of the following 2 ways:

  • Download the certificate with openssl
  • Download the certificate with Firefox

Download the certificate with openssl

  1. Run openssl s_client -showcerts -connect maven.eveoh.nl:443 (change the domain and port to match your case)

  2. Output:

    CONNECTED(00000005)
    depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
    verify return:1
    depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
    verify return:1
    depth=0 CN = eveoh.nl
    verify return:1
    ---
    Certificate chain
    0 s:/CN=eveoh.nl
    i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
    -----BEGIN CERTIFICATE-----
    MIIGkzCCBXugAwIBAgISA//ESDMD0/IsDv3NVGVcCnMKMA0GCSqGSIb3DQEBCwUA
    ...
    jKjosk5w1g==
    -----END CERTIFICATE-----
    1 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
    i:/O=Digital Signature Trust Co./CN=DST Root CA X3
    -----BEGIN CERTIFICATE-----
    MIIEkjCCA3qgAwIBAgIQCgFBQgAAAVOFc2oLheynCDANBgkqhkiG9w0BAQsFADA/
    ...
    KOqkqm57TH2H3eDJAkSnh6/DNFu0Qg==
    -----END CERTIFICATE-----

    subject (s:) is the site the certificate was issued to; issuer (i:) is the certificate's issuer

  3. Save the certificate:

    -----BEGIN CERTIFICATE-----
    MIIGkzCCBXugAwIBAgISA//ESDMD0/IsDv3NVGVcCnMKMA0GCSqGSIb3DQEBCwUA
    ...
    jKjosk5w1g==
    -----END CERTIFICATE-----

    There may be several certificates in the format above. We only need the certificate for eveoh.nl, and since it is listed as 0 s:/CN=eveoh.nl, save the first one as a text file named need.crt

  4. Import the certificate:

    sudo keytool -importcert -keystore $JAVA_HOME/jre/lib/security/cacerts -file need.crt -alias eveoh

  5. Enter the password for the cacerts keystore; the default is changeit
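
The selection in step 3 (keep only the PEM block whose subject line names the host) can be scripted instead of copied by hand. This is an added example, not code from the original post: `extract_cert_for_host` reads `openssl s_client -showcerts` output on stdin, and `sample_output` is a constructed stand-in for the step 2 output whose certificate bodies are placeholders, not real certificates.

```shell
#!/bin/sh
# Added example, not from the original post: pick one certificate out of
# `openssl s_client -showcerts` output instead of copying it by hand.

# Constructed stand-in for the s_client output shown in step 2. The
# base64 bodies are placeholders, not real certificates.
sample_output() {
    cat <<'EOF'
CONNECTED(00000005)
---
Certificate chain
 0 s:/CN=eveoh.nl
   i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
-----BEGIN CERTIFICATE-----
LEAF-CERTIFICATE-BODY-LINE-1
LEAF-CERTIFICATE-BODY-LINE-2
-----END CERTIFICATE-----
 1 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
   i:/O=Digital Signature Trust Co./CN=DST Root CA X3
-----BEGIN CERTIFICATE-----
INTERMEDIATE-CERTIFICATE-BODY-LINE-1
-----END CERTIFICATE-----
---
EOF
}

# Number of certificates the server sent (the length of the chain).
count_certs() {
    grep -c -- '-----BEGIN CERTIFICATE-----'
}

# Print only the PEM block whose subject ("s:") line contains $1.
# Matching the host as a plain substring works for both the "/CN=host"
# and the newer "CN = host" subject formats that s_client prints.
extract_cert_for_host() {
    awk -v host="$1" '
        /^ *[0-9]+ s:/                { want = index($0, host) > 0; next }
        /-----BEGIN CERTIFICATE-----/ { if (want) printing = 1 }
        printing                      { print }
        /-----END CERTIFICATE-----/   { printing = 0 }
    '
}

# Against a live server, steps 1 and 3 of the post become one pipeline
# (the </dev/null makes s_client exit once the handshake is done):
#   openssl s_client -showcerts -connect maven.eveoh.nl:443 </dev/null \
#       | extract_cert_for_host eveoh.nl > need.crt

# Stand-alone demo on the constructed sample.
sample_output | extract_cert_for_host eveoh.nl
```

Importing the leaf certificate pins that single certificate, so the build will fail again when the site renews it; passing part of the intermediate's subject to the same function extracts the issuing certificate instead.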

Download the certificate with Firefox

  1. Open the HTTPS URL in Firefox: https://repo1.maven.org

  2. Click the lock icon in the address bar

  3. Click the right arrow next to Secure Connection

  4. More Information > Security > View Certificate > Details > Export

  5. Save the cert file, for example as repo1.maven.org.crt

  6. Open a terminal and import the cert file

    sudo keytool -importcert -keystore $JAVA_HOME/jre/lib/security/cacerts -file repo1.maven.org.crt -alias maven

    The path of the cacerts file depends on where the JRE/JDK is installed

  7. Enter the password for the cacerts keystore; the default is changeit

  8. Restart the system

Deleting a certificate

sudo keytool -delete -keystore $JAVA_HOME/jre/lib/security/cacerts -alias eveoh

Listing certificates

keytool -list -v -keystore $JAVA_HOME/jre/lib/security/cacerts

Enter the password changeit when prompted.

Search the output for Alias name: yourAlias to check whether the certificate was imported successfully.