我正在尝试调试为什么javamail客户机不能成功地连接到邮件服务器来转发消息。我安装了sslpoke来查看ssl连接的情况,因为javamail客户机嵌入了一个重要的web应用程序(idempiere)。
这似乎与用于建立连接的java密钥库有关。但我不知道这有什么问题。
本地密钥库的内容包括:
JAVA_VERSION="11" keytool -list -v -keystore /opt/idempiere/idempiere-server/jettyhome/etc/keystore
Enter keystore password:
Keystore type: PKCS12
Keystore provider: SUN
Your keystore contains 1 entry
Alias name: accounting-2
Creation date: Dec 14, 2020
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: DC=ca, DC=harte-lyne, C=CA, ST=Ontario, L=Hamilton, O=Harte & Lyne Limited, OU=Networked Data Services, CN=accounting.harte-lyne.ca
Issuer: DC=ca, DC=harte-lyne, C=CA, ST=Ontario, L=Hamilton, O=Harte & Lyne Limited, OU=Networked Data Services, CN=CA_HLL_ISSUER_2016
Serial number: 20160054
Valid from: Fri Jul 31 20:00:00 EDT 2020 until: Sun Aug 31 19:59:59 EDT 2025
Certificate fingerprints:
SHA1: 20:C4:82:9B:55:08:6C:6B:6D:C3:85:7C:52:5A:87:27:11:48:E9:B6
SHA256: 98:26:68:02:9D:80:BD:34:B6:FD:93:A1:77:90:C1:5F:1D:75:1C:A7:1D:1B:BF:17:D6:B0:D7:83:78:2E:4E:23
Signature algorithm name: SHA512withRSA
Subject Public Key Algorithm: 4096-bit RSA key
Version: 3
Extensions:
# 1: ObjectId: 2.16.840.1.113730.1.4 Criticality=false
0000: 16 35 68 74 74 70 3A 2F 2F 63 61 2E 68 61 72 74 .5http://ca.hart
0010: 65 2D 6C 79 6E 65 2E 63 61 2F 43 41 5F 48 4C 4C e-lyne.ca/CA_HLL
0020: 5F 49 53 53 55 45 52 5F 32 30 31 36 2F 63 72 6C _ISSUER_2016/crl
0030: 2D 76 31 2E 63 72 6C -v1.crl
# 2: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=false
AuthorityInfoAccess [
[
accessMethod: caIssuers
accessLocation: URIName: http://ca.harte-lyne.ca/CA_HLL_ISSUER_2016/ca.crt
]
]
# 3: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: FD C6 20 77 C5 AA E8 34 43 99 C4 3D 5B 65 9A 3C .. w...4C..=[e.<
0010: 2D 14 8E AF -...
]
[L=Hamilton, DC=ca, DC=harte-lyne, C=CA, OU=Networked Data Services, O=Harte & Lyne Limited, ST=Ontario, CN=CA_HLL_ROOT_2016]
SerialNumber: [ 02]
]
# 4: ObjectId: 2.5.29.31 Criticality=false
CRLDistributionPoints [
[DistributionPoint:
[URIName: http://ca.harte-lyne.ca/CA_HLL_ISSUER_2016/crl-v2.crl]
]]
# 5: ObjectId: 2.5.29.32 Criticality=false
CertificatePolicies [
[CertificatePolicyId: [1.3.6.1.4.1.44880.100.10.10.3.1]
[PolicyQualifierInfo: [
qualifierID: 1.3.6.1.5.5.7.2.1
qualifier: 0000: 16 1B 68 74 74 70 3A 2F 2F 63 61 2E 68 61 72 74 ..http://ca.hart
0010: 65 2D 6C 79 6E 65 2E 63 61 2F 43 50 53 e-lyne.ca/CPS
], PolicyQualifierInfo: [
qualifierID: 1.3.6.1.5.5.7.2.2
qualifier: 0000: 30 34 1A 32 4C 69 6D 69 74 65 64 20 4C 69 61 62 04.2Limited Liab
0010: 69 6C 69 74 79 2C 20 73 65 65 20 68 74 74 70 3A ility, see http:
0020: 2F 2F 63 61 2E 68 61 72 74 65 2D 6C 79 6E 65 2E //ca.harte-lyne.
0030: 63 61 2F 43 50 53 ca/CPS
]] ]
]
# 6: ObjectId: 2.5.29.37 Criticality=false
ExtendedKeyUsages [
serverAuth
clientAuth
emailProtection
]
# 7: ObjectId: 2.5.29.18 Criticality=false
IssuerAlternativeName [
RFC822Name: certificates@harte-lyne.ca
URIName: http://ca.harte-lyne.ca
]
# 8: ObjectId: 2.5.29.15 Criticality=false
KeyUsage [
DigitalSignature
Non_repudiation
Key_Encipherment
]
# 9: ObjectId: 2.16.840.1.113730.1.1 Criticality=false
NetscapeCertType [
SSL client
SSL server
S/MIME
]
# 10: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
RFC822Name: certificates@example.com
DNSName: accounting.harte-lyne.ca
DNSName: accounting
DNSName: accounting.internal
DNSName: accounting.harte-lyne.ca
DNSName: accounting.internal.harte-lyne.ca
DNSName: accounting-1
DNSName: accounting-1.internal
DNSName: accounting-1.harte-lyne.ca
DNSName: accounting-1.internal.harte-lyne.ca
DNSName: accounting-2
DNSName: accounting-2.internal
DNSName: accounting-2.harte-lyne.ca
DNSName: accounting-2.internal.harte-lyne.ca
DNSName: ledgersmb
DNSName: ledgersmb.internal
DNSName: ledgersmb.harte-lyne.ca
DNSName: ledgersmb.internal.harte-lyne.ca
DNSName: localhost
DNSName: localhost.harte-lyne.ca
IPAddress: 216.185.71.87
IPAddress: 192.168.216.87
IPAddress: 192.168.216.88
IPAddress: 216.185.71.87
IPAddress: 216.185.71.88
IPAddress: 127.0.87.1
IPAddress: 127.0.88.1
IPAddress: 127.0.0.1
]
# 11: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 23 12 19 8F 6E CB 1D 21 C2 7F 59 03 C6 69 B6 FB #...n..!..Y..i..
0010: 41 99 B5 89 A...
]
]
*******************************************
*******************************************
这是从包含以下内容的pkcs12文件创建的:
openssl pkcs12 -in accounting-2.p12 | grep subject
Enter Import Password:
subject=CN = accounting.harte-lyne.ca, OU = Networked Data Services, O = Harte & Lyne Limited, L = Hamilton, ST = Ontario, C = CA, DC = harte-lyne, DC = ca
subject=CN = CA_ISSUER_2016, OU = Networked Data Services, O = Harte & Lyne Limited, L = Hamilton, ST = Ontario, C = CA, DC = harte-lyne, DC = ca
subject=CN = CA_HLL_ROOT_2016, ST = Ontario, O = Harte & Lyne Limited, OU = Networked Data Services, C = CA, DC = harte-lyne, DC = ca, L = Hamilton
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
使用:
JAVA_VERSION="11" keytool -importkeystore -srckeystore accounting-2.p12 -destkeystore accounting-2.keystore -srcstoretype pkcs12 -alias accounting-2
cp -p accounting-2.keystore /opt/idempiere/idempiere-server/jettyhome/etc/keystore
我连接到的服务使用ca\ U issuer\ 2016颁发的证书,并引用包含该颁发者及其根证书的ca\ U捆绑包。
但是,当我使用sslpoke连接到此服务器以测试密钥库的有效性时,我得到以下结果:
JAVA_VERSION="11" java -Djavax.net.debug=ssl -Djavax.net.ssl.trustStore=/opt/idempiere/idempiere-server/jettyhome/etc/keystore SSLPoke 192.168.216.32 465
javax.net.ssl|DEBUG|01|main|2020-12-18 09:42:33.441 EST|SSLCipher.java:438|jdk.tls.keyLimits: entry = AES/GCM/NoPadding KeyUpdate 2^37. AES/GCM/NOPADDING:KEYUPDATE = 137438953472
javax.net.ssl|DEBUG|01|main|2020-12-18 09:42:33.607 EST|SSLCipher.java:1840|KeyLimit read side: algorithm = AES/GCM/NOPADDING:KEYUPDATE
countdown value = 137438953472
javax.net.ssl|DEBUG|01|main|2020-12-18 09:42:33.611 EST|SSLCipher.java:1994|KeyLimit write side: algorithm = AES/GCM/NOPADDING:KEYUPDATE
countdown value = 137438953472
javax.net.ssl|WARNING|01|main|2020-12-18 09:42:33.660 EST|SSLSocketImpl.java:1550|handling exception (
"throwable" : {
java.lang.RuntimeException: Unexpected error: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty
结果发现 java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty
此错误是由于密钥库受密码保护而未提供密码造成的。
提供密码后,错误会发生变化:
export pw=keystore\u密码
JAVA_VERSION="11" java -Djavax.net.debug=ssl -Djavax.net.ssl.trustStore=/opt/idempiere/idempiere-server/jettyhome/etc/keystore -Djavax.net.ssl.trustStorePassword=$PW -Djavax.net.ssl.keyStorePassword=$PW SSLPoke google.ca 443
JAVA_VERSION="11" java -Djavax.net.debug=ssl -Djavax.net.ssl.trustStore=/opt/idempiere/idempiere-server/jettyhome/etc/keystore -Djavax.net.ssl.trustStorePassword=$PW -Djavax.net.ssl.keyStorePassword=$PW SSLPoke google.ca 443javax.net.ssl|DEBUG|01|main|2020-12-18 10:13:45.561 EST|SSLCipher.java:438|jdk.tls.keyLimits: entry = AES/GCM/NoPadding KeyUpdate 2^37. AES/GCM/NOPADDING:KEYUPDATE = 137438953472
javax.net.ssl|ERROR|01|main|2020-12-18 10:13:45.904 EST|TransportContext.java:318|Fatal (CERTIFICATE_UNKNOWN): PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target (
"throwable" : {
sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
我不知道怎么解释这个。这个消息是否意味着我正在使用的密钥库中缺少google证书链?或者这是否意味着本地密钥库不包含本地主机的证书?
如果我将目标更改为一个服务,该服务的证书由与客户端相同的颁发者和根ca颁发,则会出现相同的错误:
JAVA_VERSION="11" java -Djavax.net.debug=ssl -Djavax.net.ssl.trustStore=/opt/idempiere/idempiere-server/jettyhome/etc/keystore -Djavax.net.ssl.trustStorePassword=$PW -Djavax.net.ssl.keyStorePassword=$PW SSLPoke webmail.harte-lyne.ca 443
javax.net.ssl|DEBUG|01|main|2020-12-18 10:18:23.532 EST|SSLCipher.java:438|jdk.tls.keyLimits: entry = AES/GCM/NoPadding KeyUpdate 2^37. AES/GCM/NOPADDING:KEYUPDATE = 137438953472
javax.net.ssl|ERROR|01|main|2020-12-18 10:18:23.889 EST|TransportContext.java:318|Fatal (CERTIFICATE_UNKNOWN): PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target (
"throwable" : {
sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
在keystore中需要为工作连接提供什么?我使用openssl s\ U客户端和我们自己的证书连接到我们的内部服务没有问题。
进一步的测试有些改变。我决定将中间证书和根证书手动添加到密钥库的副本中。然后,错误发生了变化:
java\u version=“11”keytool-import-trustcacerts-file/usr/local/etc/pki/tls/certs/ca\u hll\u issuer\u 2016.crt-别名'hartelyneissuer2016[hll]'-密钥库/root/ca\u certs\u accounting-2.keystore输入密钥库密码:
所有者:dc=ca,dc=harte lyne,c=ca,st=ontario,l=hamilton,o=harte&lyne limited,ou=networked data services,cn=ca\U issuer\U 2016。信任此证书[否]:是证书已添加到密钥库
ava\u version=“11”密钥工具-导入-信任证书-文件/usr/local/etc/pki/tls/certs/ca\u hll\u root\u 2016.crt-别名'hartelyneroot2016[hll]'-密钥库/root/ca\u certs\u accounting-2.keystore输入密钥库密码:
所有者:l=hamilton,dc=ca,dc=harte lyne,c=ca,ou=networked data services,o=harte&lyne limited,st=ontario,cn=ca\hll\U root\U 2016。信任此证书[否]:是证书已添加到密钥库
现在sslpoke给出了以下错误:
JAVA_VERSION="11" java -Djavax.net.debug=ssl -Djavax.net.ssl.trustStore=/root/ca_certs_accounting-2.keystore -Djavax.net.ssl.trustStorePassword=$PW -Djavax.net.ssl.keyStorePassword=$PW SSLPoke webmail.harte-lyne.ca 443
javax.net.ssl|DEBUG|01|main|2020-12-18 10:33:08.306 EST|SSLCipher.java:438|jdk.tls.keyLimits: entry = AES/GCM/NoPadding KeyUpdate 2^37. AES/GCM/NOPADDING:KEYUPDATE = 137438953472
javax.net.ssl|ERROR|01|main|2020-12-18 10:33:08.626 EST|TransportContext.java:318|Fatal (CERTIFICATE_UNKNOWN): PKIX path validation failed: java.security.cert.CertPathValidatorException: Path does not chain with any of the trust anchors (
"throwable" : {
根据java上的ssl异常:path不与前面错误的任何信任锚点链接, unable to find valid certification path to requested target
,这是因为keytool一次只导入一个证书,而与pkcs12文件中提供的证书链的长度无关。因此,添加缺少的中间证书和根证书将消除该问题,并导致 Path does not chain with any of the trust anchors
错误。
现在的问题是:如何建立私有ca根证书作为java可以接受的信任锚?
我之前已经将根证书和中间证书添加到java\u home中的cacerts文件的副本中:
keytool -keystore /usr/local/openjdk11/lib/security/cacerts -storepass changeit -list | grep hll
hartelyneissuer2016 [hll], Dec 14, 2020, trustedCertEntry,
hartelyneroot2016 [hll], Dec 14, 2020, trustedCertEntry,
但这并没有,也仍然没有,移除 Path does not chain with any of the trust anchors
错误。为什么不?
暂无答案!
目前还没有任何答案,快来回答吧!