
SunCertPathBuilderException异常

异常信息

Exception in thread "main" javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1964)
at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:328)
at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:322)
at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1614)
at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:216)
at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1052)
at sun.security.ssl.Handshaker.process_record(Handshaker.java:987)
at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1072)
at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1385)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1413)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1397)
at org.apache.http.conn.ssl.SSLConnectionSocketFactory.createLayeredSocket(SSLConnectionSocketFactory.java:396)
at org.apache.http.conn.ssl.SSLConnectionSocketFactory.connectSocket(SSLConnectionSocketFactory.java:355)
at org.apache.http.impl.conn.DefaultHttpClientConnectionOperator.connect(DefaultHttpClientConnectionOperator.java:142)
at org.apache.http.impl.conn.BasicHttpClientConnectionManager.connect(BasicHttpClientConnectionManager.java:323)
at org.apache.http.impl.execchain.MainClientExec.establishRoute(MainClientExec.java:381)
at org.apache.http.impl.execchain.MainClientExec.execute(MainClientExec.java:237)
at org.apache.http.impl.execchain.ProtocolExec.execute(ProtocolExec.java:185)
at org.apache.http.impl.execchain.RetryExec.execute(RetryExec.java:89)
at org.apache.http.impl.execchain.RedirectExec.execute(RedirectExec.java:111)
at org.apache.http.impl.client.InternalHttpClient.doExecute(InternalHttpClient.java:185)
at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:83)
at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:108)
at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:56)
at com.github.wxpay.sdk.WXPayRequest.requestOnce(WXPayRequest.java:108)
at com.github.wxpay.sdk.WXPayRequest.request(WXPayRequest.java:127)
at com.github.wxpay.sdk.WXPayRequest.requestWithoutCert(WXPayRequest.java:232)
at com.github.wxpay.sdk.WXPay.requestWithoutCert(WXPay.java:158)
at com.github.wxpay.sdk.WXPay.unifiedOrder(WXPay.java:364)
at com.github.wxpay.sdk.WXPay.unifiedOrder(WXPay.java:340)
at com.itheima.test.PayTest.main(PayTest.java:22)
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:397)
at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:302)
at sun.security.validator.Validator.validate(Validator.java:262)
at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324)
at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:229)
at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:124)
at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1596)
... 27 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141)
at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126)
at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280)
at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:392)
... 33 more

异常原因

JDK 的信任库(jssecacerts 或 cacerts)中没有能够验证目标服务器证书链的可信证书,因此 TLS 握手时证书路径构建失败(PKIX path building failed)

解决方法

创建InstallCert.java文件,复制写入以下代码


import java.io.BufferedReader;
import java.io.File;
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.InputStream;
import java.io.InputStreamReader;
import java.io.OutputStream;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLException;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

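/**
 * Command-line helper that connects to a TLS server, prints the certificate chain the server
 * presents, and adds one operator-selected certificate to a {@code jssecacerts} trust store
 * written to the current working directory.
 *
 * <p>Usage: {@code java InstallCert <host>[:port] [passphrase]}
 *
 * <p>Security note: a certificate added here is trusted from then on by every client that loads
 * the resulting store. The tool cannot tell a genuine server from an interceptor on the network
 * path, so compare the printed subject and fingerprints with values obtained over an independent,
 * trusted channel before confirming the import.
 */
public class InstallCert {

    /** Lower-case hexadecimal digits used by {@link #toHexString(byte[])}. */
    private static final char[] HEXDIGITS = "0123456789abcdef".toCharArray();

    /**
     * Runs the interactive import.
     *
     * @param args {@code <host>[:port]} (port defaults to 443) and an optional trust-store
     *     passphrase (defaults to {@code changeit})
     * @throws Exception if the trust store cannot be read or written, or the connection to the
     *     server cannot be opened
     */
    public static void main(String[] args) throws Exception {
        if (args.length != 1 && args.length != 2) {
            System.out.println("Usage: java InstallCert <host>[:port] [passphrase]");
            return;
        }
        String[] hostAndPort = args[0].split(":");
        String host = hostAndPort[0];
        int port = (hostAndPort.length == 1) ? 443 : Integer.parseInt(hostAndPort[1]);
        // "changeit" is the default password of the trust stores shipped with the JDK.
        char[] passphrase = ((args.length == 1) ? "changeit" : args[1]).toCharArray();

        // Prefer a jssecacerts in the working directory, then the JRE's jssecacerts, then cacerts.
        File file = new File("jssecacerts");
        if (!file.isFile()) {
            char sep = File.separatorChar;
            File dir = new File(System.getProperty("java.home") + sep + "lib" + sep + "security");
            file = new File(dir, "jssecacerts");
            if (!file.isFile()) {
                file = new File(dir, "cacerts");
            }
        }
        System.out.println("Loading KeyStore " + file + "...");
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        // try-with-resources: the stream is closed even when load() rejects the passphrase.
        try (InputStream in = new FileInputStream(file)) {
            ks.load(in, passphrase);
        }

        SSLContext context = SSLContext.getInstance("TLS");
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        X509TrustManager defaultTrustManager = (X509TrustManager) tmf.getTrustManagers()[0];
        SavingTrustManager tm = new SavingTrustManager(defaultTrustManager);
        context.init(null, new TrustManager[] {tm}, null);
        SSLSocketFactory factory = context.getSocketFactory();

        System.out.println("Opening connection to " + host + ":" + port + "...");
        // The socket is closed on every path, including a failed handshake.
        try (SSLSocket socket = (SSLSocket) factory.createSocket(host, port)) {
            socket.setSoTimeout(10000);
            try {
                System.out.println("Starting SSL handshake...");
                socket.startHandshake();
                System.out.println();
                System.out.println("No errors, certificate is already trusted");
            } catch (SSLException e) {
                // Expected when the server is not trusted yet; the chain was recorded by
                // SavingTrustManager before validation failed.
                System.out.println();
                e.printStackTrace(System.out);
            }
        }

        X509Certificate[] chain = tm.chain;
        if (chain == null) {
            System.out.println("Could not obtain server certificate chain");
            return;
        }

        // System.in is deliberately not closed.
        BufferedReader reader = new BufferedReader(new InputStreamReader(System.in));

        System.out.println();
        System.out.println("Server sent " + chain.length + " certificate(s):");
        System.out.println();
        MessageDigest sha256 = MessageDigest.getInstance("SHA-256");
        MessageDigest sha1 = MessageDigest.getInstance("SHA1");
        MessageDigest md5 = MessageDigest.getInstance("MD5");
        for (int i = 0; i < chain.length; i++) {
            X509Certificate cert = chain[i];
            byte[] encoded = cert.getEncoded();
            System.out.println(" " + (i + 1) + " Subject " + cert.getSubjectDN());
            System.out.println(" Issuer " + cert.getIssuerDN());
            // SHA-1 and MD5 are kept for comparison with older references; use the SHA-256
            // value when verifying the certificate out of band.
            System.out.println(" sha256 " + toHexString(sha256.digest(encoded)));
            System.out.println(" sha1 " + toHexString(sha1.digest(encoded)));
            System.out.println(" md5 " + toHexString(md5.digest(encoded)));
            System.out.println();
        }

        System.out.println(
                "Enter certificate to add to trusted keystore or 'q' to quit: [1]");
        String line = reader.readLine();
        if (line == null) {
            // End of input without an answer: never import by default in that case.
            System.out.println("KeyStore not changed");
            return;
        }
        int k;
        try {
            String answer = line.trim();
            k = answer.isEmpty() ? 0 : Integer.parseInt(answer) - 1;
        } catch (NumberFormatException e) {
            System.out.println("KeyStore not changed");
            return;
        }
        if (k < 0 || k >= chain.length) {
            // A number outside the printed list must not crash or pick an arbitrary entry.
            System.out.println("KeyStore not changed");
            return;
        }

        X509Certificate cert = chain[k];
        String alias = host + "-" + (k + 1);
        ks.setCertificateEntry(alias, cert);

        try (OutputStream out = new FileOutputStream("jssecacerts")) {
            ks.store(out, passphrase);
        }

        System.out.println();
        System.out.println(cert);
        System.out.println();
        System.out.println(
                "Added certificate to keystore 'jssecacerts' using alias '" + alias + "'");
    }

    /**
     * Formats bytes as lower-case hex pairs, each followed by a single space.
     *
     * @param bytes the bytes to format
     * @return for example {@code "0a ff "} for the bytes {@code 0x0a, 0xff}
     */
    private static String toHexString(byte[] bytes) {
        StringBuilder sb = new StringBuilder(bytes.length * 3);
        for (int b : bytes) {
            b &= 0xff; // drop the sign extension of the byte
            sb.append(HEXDIGITS[b >> 4]);
            sb.append(HEXDIGITS[b & 15]);
            sb.append(' ');
        }
        return sb.toString();
    }

    /**
     * Trust manager that records the chain presented by the server and then hands every trust
     * decision to the wrapped manager, so recording never weakens validation.
     */
    private static class SavingTrustManager implements X509TrustManager {

        private final X509TrustManager tm;
        private X509Certificate[] chain;

        SavingTrustManager(X509TrustManager tm) {
            this.tm = tm;
        }

        /**
         * Returns the wrapped manager's issuers. The JSSE implementation calls this method during
         * the handshake; throwing here aborts the handshake with an
         * {@link UnsupportedOperationException} instead of the real validation result.
         */
        @Override
        public X509Certificate[] getAcceptedIssuers() {
            return tm.getAcceptedIssuers();
        }

        /** Not supported: this tool only ever acts as a TLS client. */
        @Override
        public void checkClientTrusted(X509Certificate[] chain, String authType)
                throws CertificateException {
            throw new UnsupportedOperationException();
        }

        /** Saves the server chain first, then lets the wrapped manager accept or reject it. */
        @Override
        public void checkServerTrusted(X509Certificate[] chain, String authType)
                throws CertificateException {
            this.chain = chain;
            tm.checkServerTrusted(chain, authType);
        }
    }
}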

添加参数配置(我是在测试微信支付时出现的异常,所以把微信支付的接口链接api.mch.weixin.qq.com写入)

配置参数1
配置参数2

编译运行InstallCert.java,获得jssecacerts文件

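控制台的打印如下。握手阶段会打印一个异常(此处是 SavingTrustManager.getAcceptedIssuers 抛出的 UnsupportedOperationException),它不影响服务器证书链的获取,可以忽略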

Loading KeyStore E:\develop\java\jdk_1.8\jre\lib\security\jssecacerts...
Opening connection to api.mch.weixin.qq.com:443...
Starting SSL handshake...

javax.net.ssl.SSLException: java.lang.UnsupportedOperationException
at sun.security.ssl.Alerts.getSSLException(Alerts.java:208)
at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1964)
at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1921)
at sun.security.ssl.SSLSocketImpl.handleException(SSLSocketImpl.java:1904)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1420)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1397)
at com.github.wxpay.sdk.InstallCert.main(InstallCert.java:72)
Caused by: java.lang.UnsupportedOperationException
at com.github.wxpay.sdk.InstallCert$SavingTrustManager.getAcceptedIssuers(InstallCert.java:157)
at sun.security.ssl.AbstractTrustManagerWrapper.checkAlgorithmConstraints(SSLContextImpl.java:1105)
at sun.security.ssl.AbstractTrustManagerWrapper.checkAdditionalTrust(SSLContextImpl.java:1051)
at sun.security.ssl.AbstractTrustManagerWrapper.checkServerTrusted(SSLContextImpl.java:993)
at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1596)
at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:216)
at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1052)
at sun.security.ssl.Handshaker.process_record(Handshaker.java:987)
at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1072)
at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1385)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1413)
... 2 more

Server sent 1 certificate(s):

1 Subject CN=payapp.weixin.qq.com, OU=R&D, O=Shenzhen Tencent Computer Systems Company Limited, L=Shenzhen, ST=Guangdong, C=CN
Issuer CN=GlobalSign Root CA, C=EN
sha1 3c 48 1d d5 75 d1 85 ad d7 49 04 a5 e6 4c 19 1a 52 7c 2c 66
md5 57 65 58 ce 3a 63 97 ae 56 d6 b9 1f 7f 95 e5 22

Enter certificate to add to trusted keystore or 'q' to quit: [1]

再在控制台中输入1,回车;会在项目的同级目录中生成jssecacerts文件。输入之前,应先把上面打印的 Subject 和指纹与通过可信渠道获得的服务器证书信息核对一致,因为被加入的证书此后会被该信任库直接信任

Enter certificate to add to trusted keystore or 'q' to quit: [1]
1

[
[
Version: V3
Subject: CN=payapp.weixin.qq.com, OU=R&D, O=Shenzhen Tencent Computer Systems Company Limited, L=Shenzhen, ST=Guangdong, C=CN
Signature Algorithm: SHA256withRSA, OID = 1.2.840.113549.1.1.11

Key: Sun RSA public key, 2048 bits
modulus: 22292414658341813310204545370335780346963523610925702040975392096735715822014546895565028591757290205441738724759956618045309515626283206456524177005296634823763028791967951164808617336599545530710050556432240905688637830966367820160946256812137263469519471842374838011636336543677759822519833872534556865167350884153830290970849905258920574859610913684593957324152579530385168334354731857241238492422240398387964524845237941132166677653863123371873989988259195347737697231663156731973382014819856692367299619159500304661109448241094010484376894808477239387049873980628013700171883656651608449386133845004036415540011
public exponent: 65537
Validity: [From: Tue Dec 31 08:00:00 CST 2019,
To: Sat Feb 27 20:00:00 CST 2021]
Issuer: CN=Secure Site CA G2, OU=www.digicert.com, O=DigiCert Inc, C=US
SerialNumber: [ 0b3fa860 4898e354 47c54caf 047a28ce]

Certificate Extensions: 10
[1]: ObjectId: 1.3.6.1.4.1.11129.2.4.2 Criticality=false
Extension unknown: DER encoded OCTET string =
0000: 04 81 F4 04 81 F1 00 EF 00 75 00 A4 B9 09 90 B4 .........u......
0010: 18 58 14 87 BB 13 A2 CC 67 70 0A 3C 35 98 04 F9 .X......gp.<5...
0020: 1B DF B8 E3 77 CD 0E C8 0D DC 10 00 00 01 6F 5A ....w.........oZ
0030: D3 DA C9 00 00 04 03 00 46 30 44 02 20 26 9F E0 ........F0D. &..
0040: 6C E3 7E 40 1D 94 44 C6 9A BC 68 C5 B1 7E 41 F2 l..@..D...h...A.
0050: 7D 41 AF A4 DA 5C A5 5D 66 35 78 71 85 02 20 0F .A...\.]f5xq.. .
0060: 18 AF 27 62 6E 93 55 2A 73 31 C1 31 2A F8 0F 33 ..'bn.U*s1.1*..3
0070: B0 34 CA 08 F5 36 F2 EC 6E 06 3A 68 0A B9 D7 00 .4...6..n.:h....
0080: 76 00 87 75 BF E7 59 7C F8 8C 43 99 5F BD F3 6E v..u..Y...C._..n
0090: FF 56 8D 47 56 36 FF 4A B5 60 C1 B4 EA FF 5E A0 .V.GV6.J.`....^.
00A0: 83 0F 00 00 01 6F 5A D3 DB 8C 00 00 04 03 00 47 .....oZ........G
00B0: 30 45 02 20 5A B2 AB D6 40 4E 8F D7 E6 64 88 A3 0E. Z...@N...d..
00C0: 13 12 52 1F 40 53 43 D1 FE 6B 1D C1 64 96 3E 72 ..R.@SC..k..d.>r
00D0: 2B 1E 28 BE 02 21 00 FB 45 BF 56 3A 6C 49 05 3E +.(..!..E.V:lI.>
00E0: 5B 75 42 2A 5A 43 BE 81 BB 12 DA B4 B5 5F 6C 7E [uB*ZC......._l.
00F0: 2A B9 9E A4 99 76 57 *....vW


[2]: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=false
AuthorityInfoAccess [
[
accessMethod: ocsp
accessLocation: URIName: http://ocsp.dcocsp.cn
,
accessMethod: caIssuers
accessLocation: URIName: http://crl.digicert-cn.com/SecureSiteCAG2.crt
]
]

[3]: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: C4 11 7E 88 40 86 C2 41 BF 65 F3 1A E1 B4 53 40 ....@..A.e....S@
0010: A3 AB EC 7D ....
]
]

[4]: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
CA:false
PathLen: undefined
]

[5]: ObjectId: 2.5.29.31 Criticality=false
CRLDistributionPoints [
[DistributionPoint:
[URIName: http://crl3.digicert.com/SecureSiteCAG2.crl]
, DistributionPoint:
[URIName: http://crl4.digicert.com/SecureSiteCAG2.crl]
]]

[6]: ObjectId: 2.5.29.32 Criticality=false
CertificatePolicies [
[CertificatePolicyId: [2.16.840.1.114412.1.1]
[PolicyQualifierInfo: [
qualifierID: 1.3.6.1.5.5.7.2.1
qualifier: 0000: 16 1C 68 74 74 70 73 3A 2F 2F 77 77 77 2E 64 69 ..https://www.di
0010: 67 69 63 65 72 74 2E 63 6F 6D 2F 43 50 53 gicert.com/CPS

]] ]
[CertificatePolicyId: [2.23.140.1.2.2]
[] ]
]

[7]: ObjectId: 2.5.29.37 Criticality=false
ExtendedKeyUsages [
serverAuth
clientAuth
]

[8]: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
DigitalSignature
Key_Encipherment
]

[9]: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
DNSName: wx.gtimg.com
DNSName: payapp.weixin.qq.com
DNSName: act.weixin.qq.com
DNSName: pay.weops.qq.com
DNSName: pay.weixin.qq.com
DNSName: oz.weixin.qq.com
DNSName: mch.weixin.qq.com
DNSName: log.weixin.qq.com
DNSName: za.pay.wechat.com
DNSName: action.weixin.qq.com
DNSName: apius.mch.weixin.qq.com
DNSName: apitest.mch.weixin.qq.com
DNSName: fraudhk.mch.weixin.qq.com
DNSName: fraudus.mch.weixin.qq.com
DNSName: apihk.mch.weixin.qq.com
DNSName: api2.mch.weixin.qq.com
DNSName: api.pay.weixin.qq.com
DNSName: api.oz.weixin.qq.com
DNSName: api.mch.weixin.qq.com
DNSName: fraud.mch.weixin.qq.com
]

[10]: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: F1 BB 10 FF 6C 98 B5 67 AE DB D3 C9 A8 35 DC FD ....l..g.....5..
0010: 95 CF A4 E7 ....
]
]

]
Algorithm: [SHA256withRSA]
Signature:
0000: 7C E6 AC E3 0A 30 4B 27 4E E2 00 28 CD 31 78 33 .....0K'N..(.1x3
0010: 7F 17 49 19 47 8B 43 64 78 5F B4 19 9E 55 29 81 ..I.G.Cdx_...U).
0020: 46 CA 83 5F 1B CE C6 A0 66 3B 06 26 DF 13 18 08 F.._....f;.&....
0030: EC 7C C8 0A 7E E5 6F 70 16 FD 7C B1 EC 30 E8 10 ......op.....0..
0040: 66 92 46 A0 53 7C 8D 7C 52 B3 E5 29 6C 81 0F B2 f.F.S...R..)l...
0050: 26 ED 3D 69 37 1E BB 7B 1F 76 0E 82 59 09 67 1D &.=i7....v..Y.g.
0060: 81 CD CB 88 10 98 31 92 4D 6D D3 55 6C 5A 27 A2 ......1.Mm.UlZ'.
0070: 48 9B 86 20 41 D3 FB A6 61 19 3E 64 8B ED 09 AF H.. A...a.>d....
0080: 28 35 91 D4 95 2E 90 4B 3A 90 E0 FC 09 BE 32 CA (5.....K:.....2.
0090: 97 B1 30 C6 02 2B BF CC 09 F4 16 04 16 92 C6 62 ..0..+.........b
00A0: D6 44 99 FF 20 20 CF 90 BC 5D C9 C5 2A 4C 19 BC .D.. ...]..*L..
00B0: 8E 38 5E 94 03 00 AA 6D 50 04 12 3C 98 F1 01 05 .8^....mP..<....
00C0: 0A 94 22 E8 2B 5C 18 73 13 8F 75 D9 CC 8C 4B 3C ..".+\.s..u...K<
00D0: 26 3E 7C AD 7A C1 68 FF 1E 0E 36 9B 7E 0E 74 3B &>..z.h...6...t;
00E0: E5 A1 7F ED 6F D4 C2 1A E6 34 0E E3 A9 6A BB A4 ....o....4...j..
00F0: 05 7F 62 C1 CE E5 33 32 8A 6D 21 72 AE B9 EA C6 ..b...32.m!r....

]

Added certificate to keystore 'jssecacerts' using alias 'api.mch.weixin.qq.com-1'

将生成的文件放置到项目所使用的jdk的 jre –> lib –> security目录下(该目录下的 jssecacerts 默认对使用这个 JDK 运行的所有程序生效)

文件放置

重新启动程序即可

文章作者: 123
文章链接: https://gao5805123.github.io/123/2020/05/03/certpath.SunCertPathBuilderException%20unable%20to%20find%20valid%20certification%20path%20to%20requested%20target/
版权声明: 本博客所有文章除特别声明外,均采用 CC BY-NC-SA 4.0 许可协议。转载请注明来自 123