java后端访问https证书的问题及解决

目录

java后端通过https获取图片报错如下安装证书，解决然后又报错解决

java后端通过https获取图片

1.   public static void main(String[] args) {
2.     try {
3.       BufferedImage image = ImageIO.read(new URL("https://10.128.33.56:6202/object/download?pool=s_alarm&id=2dfa47ccaa56ca64c66078588977532e,360,b43e").openStream());
4.       //输出流
5.       ByteArrayOutputStream stream = new ByteArrayOutputStream();
6.       ImageIO.write(image, "jpg", stream);
7.       String str = Base64.encodeBase64String(stream.toByteArray()).replaceAll(" ", "+").replaceAll("\r|\n", "");
8.       System.out.println(str);
9.     } catch (Exception e) {
10.      log.error("获取图片异常",e);
11.     }
12.   }

复制代码

报错如下

因为没有安装证书

javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderEception: unable to find valid certification path to requested target
    at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java:150)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1476)
    at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:174)
    at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Handshaker.java:168)
    at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:846)
    at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:106)
    at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Handshaker.java:495)
    at com.sun.net.ssl.internal.ssl.Handshaker.process_record(Handshaker.java:433)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:815)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1025)
    at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1038)
    at InstallCert.main(InstallCert.java:63)
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:221)
    at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:145)
    at sun.security.validator.Validator.validate(Validator.java:203)
    at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:172)
    at InstallCert$SavingTrustManager.checkServerTrusted(InstallCert.java:158)
    at com.sun.net.ssl.internal.ssl.JsseX509TrustManager.checkServerTrusted(SSLContextImpl.java:320)
    at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:839)
    ... 7 more

安装证书，解决

1.浏览器访问此地址，点击证书

2.下载证书

3.将证书复制到jdk目录
D:\program\Java\jdk1.8.0_271\jre\lib\security 下面

安装证书：keytool -import -alias abc -keystore cacerts -file img_https.cer -storepass changeit删除证书：keytool -delete -keystore cacerts -file img_https.cer -storepass changeit

安装完成。

然后又报错

javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No subject alternative names matching IP address 10.128.33.56 found
    at sun.security.ssl.Alert.createSSLException(Alert.java:131)
    at sun.security.ssl.TransportContext.fatal(TransportContext.java:353)
    at sun.security.ssl.TransportContext.fatal(TransportContext.java:296)
    at sun.security.ssl.TransportContext.fatal(TransportContext.java:291)
    at sun.security.ssl.CertificateMessage$T12CertificateConsumer.checkServerCerts(CertificateMessage.java:652)
    at sun.security.ssl.CertificateMessage$T12CertificateConsumer.onCertificate(CertificateMessage.java:471)
    at sun.security.ssl.CertificateMessage$T12CertificateConsumer.consume(CertificateMessage.java:367)
    at sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:376)
    at sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:444)
    at sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:422)
    at sun.security.ssl.TransportContext.dispatch(TransportContext.java:183)
    at sun.security.ssl.SSLTransport.decode(SSLTransport.java:154)
    at sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1279)
    at sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1188)
    at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:401)
    at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:373)
    at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:587)
    at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185)
    at sun.net.www.protocol.http.HttpURLConnection.getInputStream0(HttpURLConnection.java:1570)
    at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1498)
    at sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(HttpsURLConnectionImpl.java:268)
    at java.net.URL.openStream(URL.java:1067)
    at cn.cloudwalk.util.ImageUtils.main(ImageUtils.java:73)
Caused by: java.security.cert.CertificateException: No subject alternative names matching IP address 10.128.33.56 found
    at sun.security.util.HostnameChecker.matchIP(HostnameChecker.java:173)
    at sun.security.util.HostnameChecker.match(HostnameChecker.java:99)
    at sun.security.ssl.X509TrustManagerImpl.checkIdentity(X509TrustManagerImpl.java:441)
    at sun.security.ssl.X509TrustManagerImpl.checkIdentity(X509TrustManagerImpl.java:422)
    at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:228)
    at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:128)
    at sun.security.ssl.CertificateMessage$T12CertificateConsumer.checkServerCerts(CertificateMessage.java:636)
    ... 18 common frames omitted

解决

类中加入下面代码，静态块中，程序启动就运行;
测试发现，用下面代码禁用SSL验证，不用导入证书也可正常运行。

1. static {
2.         disableSslVerification();
3.     }
5.     private static void disableSslVerification() {
6.         try
7.         {
8.             // Create a trust manager that does not validate certificate chains
9.             TrustManager[] trustAllCerts = new TrustManager[] {new X509TrustManager() {
10.                 @Override
11.                 public java.security.cert.X509Certificate[] getAcceptedIssuers() {
12.                     return null;
13.                 }
14.                 @Override
15.                 public void checkClientTrusted(X509Certificate[] certs, String authType) {
16.                 }
17.                 @Override
18.                 public void checkServerTrusted(X509Certificate[] certs, String authType) {
19.                 }
20.             }
21.             };
23.             // Install the all-trusting trust manager
24.             SSLContext sc = SSLContext.getInstance("SSL");
25.             sc.init(null, trustAllCerts, new java.security.SecureRandom());
26.             HttpsURLConnection.setDefaultSSLSocketFactory(sc.getSocketFactory());
28.             // Create all-trusting host name verifier
29.             HostnameVerifier allHostsValid = new HostnameVerifier() {
30.                 @Override
31.                 public boolean verify(String hostname, SSLSession session) {
32.                     return true;
33.                 }
34.             };
36.             // Install the all-trusting host verifier
37.             HttpsURLConnection.setDefaultHostnameVerifier(allHostsValid);
38.         } catch (NoSuchAlgorithmException e) {
39.             e.printStackTrace();
40.         } catch (KeyManagementException e) {
41.             e.printStackTrace();
42.         }
43.     }

复制代码

这样就可以正常访问到https的资源了。
以上为个人经验，希望能给大家一个参考，也希望大家多多支持中国红客联盟。