Installing Let's Encrypt into the Java certificate keystore (second fix for the PKIX path building failed error)
2022-10-04 last update
9 minutes reading. Tags: letsencrypt, java, cacerts
Background
The other day, as a way to resolve the following error,
[エラーメッセージ]sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
[エラー概要]class javax.net.ssl.SSLHandshakeException
[エラー発生箇所]
Alerts.java[192] sun.security.ssl.Alerts.getSSLException
SSLSocketImpl.java[1949] sun.security.ssl.SSLSocketImpl.fatal
Handshaker.java[302] sun.security.ssl.Handshaker.fatalSE
Handshaker.java[296] sun.security.ssl.Handshaker.fatalSE
ClientHandshaker.java[1509] sun.security.ssl.ClientHandshaker.serverCertificate
I wrote the following article.
Resolving the PKIX path building failed error: importing the API server's TLS certificate into the JVM as a trusted host
That method fixes the error on the API request, but on reflection it would have to be repeated every time the other party's certificate expires.
So I looked into the root fix: installing the certificate of the issuer, Let's Encrypt. The following post describes it in detail.
SSL error: How to import the Let's Encrypt certificates in the Java truststore - Tutorials & Examples / Solutions - openHAB Community
Someone also published the procedure described there as a shell script on GitHub. This time I use that script.
install-letsencrypt-in-jdk.sh
How to run it
Download the script
Clone it from GitHub. Give the directory a recognizable name so it is easy to find later.
$ git clone https://gist.github.com/109b0f1a90156f6c933a50fe40aa777e.git install_letsencrypt_to_java_cacerts
$ cd install_letsencrypt_to_java_cacerts
Check the Java home directory
Find the Java home directory whose keystore the certificates will be installed into, for example with
echo $JAVA_HOME
or which java
or locate cacerts
and so on.
Back up the keystore file
In case something goes wrong, back up the keystore file (cacerts) first.
The file is at /jre/lib/security/cacerts under the Java home directory.
Run
$ sudo ./install-letsencrypt-in-jdk.sh <Java home directory, e.g. /usr/java/latest>
Output
--2019-06-29 10:28:00-- https://letsencrypt.org/certs/letsencryptauthorityx1.der
Resolving letsencrypt.org (letsencrypt.org)... 184.26.113.203, 2600:140b:a000:295::ce0, 2600:140b:a000:29b::ce0
Connecting to letsencrypt.org (letsencrypt.org)|184.26.113.203|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1425 (1.4K) [application/x-x509-ca-cert]
Saving to: ‘letsencryptauthorityx1.der’
letsencryptauthorityx1.der 100%[=========================================================================>] 1.39K --.-KB/s in 0s
2019-06-29 10:28:00 (247 MB/s) - ‘letsencryptauthorityx1.der’ saved [1425/1425]
--2019-06-29 10:28:00-- https://letsencrypt.org/certs/letsencryptauthorityx2.der
Resolving letsencrypt.org (letsencrypt.org)... 184.26.113.203, 2600:140b:a000:29b::ce0, 2600:140b:a000:295::ce0
Connecting to letsencrypt.org (letsencrypt.org)|184.26.113.203|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1425 (1.4K) [application/x-x509-ca-cert]
Saving to: ‘letsencryptauthorityx2.der’
letsencryptauthorityx2.der 100%[=========================================================================>] 1.39K --.-KB/s in 0s
2019-06-29 10:28:00 (255 MB/s) - ‘letsencryptauthorityx2.der’ saved [1425/1425]
--2019-06-29 10:28:00-- https://letsencrypt.org/certs/lets-encrypt-x1-cross-signed.der
Resolving letsencrypt.org (letsencrypt.org)... 184.26.113.203, 2600:140b:a000:295::ce0, 2600:140b:a000:29b::ce0
Connecting to letsencrypt.org (letsencrypt.org)|184.26.113.203|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1196 (1.2K) [application/x-x509-ca-cert]
Saving to: ‘lets-encrypt-x1-cross-signed.der’
lets-encrypt-x1-cross-signed.der 100%[=========================================================================>] 1.17K --.-KB/s in 0s
2019-06-29 10:28:00 (136 MB/s) - ‘lets-encrypt-x1-cross-signed.der’ saved [1196/1196]
--2019-06-29 10:28:00-- https://letsencrypt.org/certs/lets-encrypt-x2-cross-signed.der
Resolving letsencrypt.org (letsencrypt.org)... 184.26.113.203, 2600:140b:a000:29b::ce0, 2600:140b:a000:295::ce0
Connecting to letsencrypt.org (letsencrypt.org)|184.26.113.203|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1196 (1.2K) [application/x-x509-ca-cert]
Saving to: ‘lets-encrypt-x2-cross-signed.der’
lets-encrypt-x2-cross-signed.der 100%[=========================================================================>] 1.17K --.-KB/s in 0s
2019-06-29 10:28:00 (217 MB/s) - ‘lets-encrypt-x2-cross-signed.der’ saved [1196/1196]
--2019-06-29 10:28:00-- https://letsencrypt.org/certs/lets-encrypt-x3-cross-signed.der
Resolving letsencrypt.org (letsencrypt.org)... 184.26.113.203, 2600:140b:a000:295::ce0, 2600:140b:a000:29b::ce0
Connecting to letsencrypt.org (letsencrypt.org)|184.26.113.203|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1174 (1.1K) [application/x-x509-ca-cert]
Saving to: ‘lets-encrypt-x3-cross-signed.der’
lets-encrypt-x3-cross-signed.der 100%[=========================================================================>] 1.15K --.-KB/s in 0s
2019-06-29 10:28:00 (215 MB/s) - ‘lets-encrypt-x3-cross-signed.der’ saved [1174/1174]
--2019-06-29 10:28:00-- https://letsencrypt.org/certs/lets-encrypt-x4-cross-signed.der
Resolving letsencrypt.org (letsencrypt.org)... 184.26.113.203, 2600:140b:a000:29b::ce0, 2600:140b:a000:295::ce0
Connecting to letsencrypt.org (letsencrypt.org)|184.26.113.203|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1174 (1.1K) [application/x-x509-ca-cert]
Saving to: ‘lets-encrypt-x4-cross-signed.der’
lets-encrypt-x4-cross-signed.der 100%[=========================================================================>] 1.15K --.-KB/s in 0s
2019-06-29 10:28:00 (220 MB/s) - ‘lets-encrypt-x4-cross-signed.der’ saved [1174/1174]
Certificate was added to keystore
Certificate was added to keystore
Certificate was added to keystore
Certificate was added to keystore
Certificate was added to keystore
Certificate was added to keystore
The script assumes it will be run more than once, so it also removes any previously installed certificates from the keystore before importing. On the first run those aliases do not exist yet, so the following error appears, but it is harmless.
Delete step (6 in total)
keytool -delete -alias isrgrootx1 -keystore $KEYSTORE -storepass changeit 2> /dev/null || true
Error that appears only on the first run (6 in total)
keytool error: java.lang.Exception: Alias <isrgrootx1> does not exist
Verify the installation
Use keytool to confirm the certificate was installed.
$ keytool -v -list -keystore $JAVA_HOME/jre/lib/security/cacerts | grep isrgrootx1
Enter keystore password: changeit ★type it and press Enter★
Alias name: isrgrootx1 ★if this line is shown, the install succeeded★
Reboot
As also noted on GitHub, a reboot is required.
Verify operation
Confirm that the API request no longer fails.
That's it. What a relief.
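The whole procedure above (locate cacerts, back it up, delete-then-import so reruns are idempotent, verify the alias) as an added POSIX shell example; this is not the Gist script from the page. It also covers two things the page's commands do not: on JDK 9 and later cacerts lives at $JAVA_HOME/lib/security/cacerts rather than under jre/, and the downloaded DER file is checked against an expected SHA-256 fingerprint before it is trusted (the fingerprint value is a placeholder to be taken from letsencrypt.org/certificates; openssl and keytool are assumed to be on PATH).

```shell
#!/bin/sh
# Added example, not the page's script: idempotent import of a CA certificate
# into the JVM truststore with path detection, backup and a fingerprint check.
set -eu

# Locate cacerts under a Java home: JDK 8 keeps it under jre/lib/security,
# JDK 9+ under lib/security. Prints the path; returns 1 if neither exists.
find_cacerts() {
    for p in "$1/jre/lib/security/cacerts" "$1/lib/security/cacerts"; do
        [ -f "$p" ] && { printf '%s\n' "$p"; return 0; }
    done
    return 1
}

# Compare the SHA-256 fingerprint of a DER certificate with the expected one
# (take it from https://letsencrypt.org/certificates/; colons and case ignored).
check_fingerprint() {   # check_fingerprint <cert.der> <expected-sha256>
    expected=$(printf '%s' "$2" | tr -d ':' | tr 'A-F' 'a-f')
    actual=$(openssl x509 -inform DER -in "$1" -noout -fingerprint -sha256 \
             | sed 's/^.*=//' | tr -d ':' | tr 'A-F' 'a-f')
    [ "$actual" = "$expected" ]
}

# Back up the keystore once, then delete-and-import so reruns are idempotent
# (same pattern as the page's script: keytool -delete ... || true, then import),
# and finish by listing the alias so a failed import is caught immediately.
import_ca() {   # import_ca <cacerts> <alias> <cert.der> <expected-sha256>
    ks=$1; al=$2; der=$3; fp=$4
    check_fingerprint "$der" "$fp" || { echo "fingerprint mismatch: $der" >&2; return 1; }
    [ -f "$ks.bak" ] || cp -p "$ks" "$ks.bak"
    keytool -delete -alias "$al" -keystore "$ks" -storepass changeit 2>/dev/null || true
    keytool -importcert -noprompt -trustcacerts -alias "$al" -file "$der" \
            -keystore "$ks" -storepass changeit
    keytool -list -keystore "$ks" -storepass changeit -alias "$al" >/dev/null
}

# Example invocation (placeholder values; fill in from letsencrypt.org):
# ks=$(find_cacerts "${JAVA_HOME:-/usr/java/latest}")
# import_ca "$ks" isrgrootx1 isrgrootx1.der "<SHA-256 fingerprint from letsencrypt.org>"
```

Let's Encrypt's current roots are ISRG Root X1 and ISRG Root X2; the letsencryptauthorityx1/x2 and cross-signed X1 through X4 files downloaded in the output above are older certificates, so check the list on letsencrypt.org before choosing what to import.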