JDK8 -> JDK10：PKIX 路径构建失败：

问题

我有一个使用名为的应用程序的 SpringBoot 应用程序Launchdarkly，它利用okhttp

我正在从 JRE 8 迁移到 JRE 10，对其他资源的调用工作，但使用调用失败 okhttp

编辑：任何具有类似于我们应用程序使用的证书链的应用程序都可能发生这种情况。

javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

例外

错误发生在线程中...

config-server_1 | 2018-11-10T21:25:19,147 67327 | DEBUG | okhttp-eventsource-[] ["okhttp-eventsource-stream-[]-0" {}] Connection problem.

config-server_1 | javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

config-server_1 | at sun.security.ssl.Alerts.getSSLException(Alerts.java:198) ~[?:?]

config-server_1 | at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1974) ~[?:?]

config-server_1 | at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:345) ~[?:?]

config-server_1 | at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:339) ~[?:?]

config-server_1 | at sun.security.ssl.ClientHandshaker.checkServerCerts(ClientHandshaker.java:1968) ~[?:?]

config-server_1 | at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1777) ~[?:?]

config-server_1 | at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:264) ~[?:?]

config-server_1 | at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1098) ~[?:?]

config-server_1 | at sun.security.ssl.Handshaker.processRecord(Handshaker.java:1026) ~[?:?]

从 JDK 8 迁移到 JDK 10 时的解决方案证书真的不一样JDK 10 有 80 个，而 JDK 8 有 151 个JDK 10 最近添加了 certshttps://dzone.com/articles/openjdk-10-now-includes-root-ca-certificateshttp://openjdk.java.net/jeps/319JDK 10root@c339504909345:/opt/jdk-minimal/jre/lib/security #  keytool -cacerts -listEnter keystore password:Keystore type: JKSKeystore provider: SUNYour keystore contains 80 entriesJDK 8root@c39596768075:/usr/lib/jvm/java-8-openjdk-amd64/jre/lib/security/cacerts #  keytool -cacerts -listEnter keystore password:Keystore type: JKSKeystore provider: SUNYour keystore contains 151 entries修复步骤我没有检查哪个证书链不受信任，但服务器的 URL 证书是有效的......cacerts来自 JDK 10 的链截至今天已损坏。我可以断言，因为来自https://download.java.net/java/GA/jdk10/10/binaries/openjdk-10_linux-x64_bin.tar.gz的下载被安装在一个全新的 Docker 映像中。我删除了 JDK 10 证书并将其替换为 JDK 8由于我正在构建 Docker 映像，因此我可以使用多阶段构建快速完成此操作我正在使用jlinkas构建一个最小的 JRE/opt/jdk/bin/jlink \--module-path /opt/jdk/jmods...所以，这是不同的路径和命令的顺序......# Java 8COPY --from=marcellodesales-springboot-builder-jdk8 /usr/lib/jvm/java-8-openjdk-amd64/jre/lib/security/cacerts /etc/ssl/certs/java/cacerts# Java 10RUN rm -f /opt/jdk-minimal/jre/lib/security/cacertsRUN ln -s /etc/ssl/certs/java/cacerts /opt/jdk-minimal/jre/lib/security/cacerts

JDK8 -> JDK10：PKIX 路径构建失败：

问题

例外

设置

1回答