解决javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException

问题现象：

Java Spring应用发送数据报如下问题。

javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

原因分析:

用httpclient访问https资源时，会出现异常，与环境也有关系，有些机器请求正常。

解决方案:

1.复制附录代码到文本文件中，改名为InstallCert.java。然后在命令行中执行命令，编译InstallCert.java：

javac InstallCert.java

 2.再执行以下命令：

java InstallCert www.baidu.com

说明：网址处不需要输入(https://)信息，比如 www.baidu.com，只需域名即可。

随后服务器会返回认证的主题，发行方，加密方式等信息。

3.在这里输入1后，回车。

Enter certificate to add to trusted keystore or 'q' to quit: [1]
1

在目录下会生成文件jssecacerts，自此认证过程结束。

替换证书：

1.windows系统：将生成的jssecacerts文件复制到 jdk的相应路径下即可。

windows系统一般需要首先找到jdk安装路径

D:\Java\jdk1.8.0_221\jre\lib\security

2.Linux系统：需要首先使用 scp 命令 将 jssecacerts 传输至服务器。

3.docker：jdk通常在这个地方

/usr/lib/jvm/java-1.8.0-openjdk-amd64/jre/lib/security/

/usr/lib/jvm/java-8-openjdk-amd64/jre/lib/security/ (和上面其实一样)

替换完后，重启 docker 即可。

附录： 

/*
 * Copyright 2006 Sun Microsystems, Inc.  All Rights Reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 *
 *  - Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 *
 *  - Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 *
 *  - Neither the name of Sun Microsystems nor the names of its
 *    contributors may be used to endorse or promote products derived
 *    from this software without specific prior written permission.
 *
 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS
 * IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
 * THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
 * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR
 * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
 * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
 * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
 * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
 * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
 * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
 * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 */
 
import java.io.*;
 
import java.net.URL;
 
import java.security.*;
 
import java.security.cert.*;
 
import javax.net.ssl.*;
 
public class InstallCert {
 
    public static void main(String[] args) throws Exception {
 
        String host;
 
        int port;
 
        char[] passphrase;
 
        if ((args.length == 1) || (args.length == 2)) {
 
            String[] c = args[0].split(":");
 
            host = c[0];
 
            port = (c.length == 1) ? 443 : Integer.parseInt(c[1]);
 
            String p = (args.length == 1) ? "changeit" : args[1];
 
            passphrase = p.toCharArray();
 
        } else {
 
            System.out.println("Usage: java InstallCert [:port] [passphrase]");
 
            return;
 
        }
 
        File file = new File("jssecacerts");
 
        if (file.isFile() == false) {
 
            char SEP = File.separatorChar;
 
            File dir = new File(System.getProperty("java.home") + SEP + "lib" + SEP + "security");
 
            file = new File(dir, "jssecacerts");
 
            if (file.isFile() == false) {
 
                file = new File(dir, "cacerts");
 
            }
 
        }
 
        System.out.println("Loading KeyStore " + file + "...");
 
        InputStream in = new FileInputStream(file);
 
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
 
        ks.load(in, passphrase);
 
        in.close();
 
        SSLContext context = SSLContext.getInstance("TLS");
 
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
 
        tmf.init(ks);
 
        X509TrustManager defaultTrustManager = (X509TrustManager) tmf.getTrustManagers()[0];
 
        SavingTrustManager tm = new SavingTrustManager(defaultTrustManager);
 
        context.init(null, new TrustManager[]{tm}, null);
 
        SSLSocketFactory factory = context.getSocketFactory();
 
        System.out.println("Opening connection to " + host + ":" + port + "...");
 
        SSLSocket socket = (SSLSocket) factory.createSocket(host, port);
 
        socket.setSoTimeout(10000);
 
        try {
 
            System.out.println("Starting SSL handshake...");
 
            socket.startHandshake();
 
            socket.close();
 
            System.out.println();
 
            System.out.println("No errors, certificate is already trusted");
 
        } catch (SSLException e) {
 
            System.out.println();
 
            e.printStackTrace(System.out);
 
        }
 
        X509Certificate[] chain = tm.chain;
 
        if (chain == null) {
 
            System.out.println("Could not obtain server certificate chain");
 
            return;
 
        }
 
        BufferedReader reader = new BufferedReader(new InputStreamReader(System.in));
 
        System.out.println();
 
        System.out.println("Server sent " + chain.length + " certificate(s):");
 
        System.out.println();
 
        MessageDigest sha1 = MessageDigest.getInstance("SHA1");
 
        MessageDigest md5 = MessageDigest.getInstance("MD5");
 
        for (int i = 0; i < chain.length; i++) {
 
            X509Certificate cert = chain[i];
 
            System.out.println(" " + (i + 1) + " Subject " + cert.getSubjectDN());
 
            System.out.println("  Issuer  " + cert.getIssuerDN());
 
            sha1.update(cert.getEncoded());
 
            System.out.println("  sha1    " + toHexString(sha1.digest()));
 
            md5.update(cert.getEncoded());
 
            System.out.println("  md5    " + toHexString(md5.digest()));
 
            System.out.println();
 
        }
 
        System.out.println("Enter certificate to add to trusted keystore or 'q' to quit: [1]");
 
        String line = reader.readLine().trim();
 
        int k;
 
        try {
 
            k = (line.length() == 0) ? 0 : Integer.parseInt(line) - 1;
 
        } catch (NumberFormatException e) {
 
            System.out.println("KeyStore not changed");
 
            return;
 
        }
 
        X509Certificate cert = chain[k];
 
        String alias = host + "-" + (k + 1);
 
        ks.setCertificateEntry(alias, cert);
 
        OutputStream out = new FileOutputStream("jssecacerts");
 
        ks.store(out, passphrase);
 
        out.close();
 
        System.out.println();
 
        System.out.println(cert);
 
        System.out.println();
 
        System.out.println("Added certificate to keystore 'jssecacerts' using alias '" + alias + "'");
 
    }
 
    private static final char[] HEXDIGITS = "0123456789abcdef".toCharArray();
 
    private static String toHexString(byte[] bytes) {
 
        StringBuilder sb = new StringBuilder(bytes.length * 3);
 
        for (int b : bytes) {
 
            b &= 0xff;
 
            sb.append(HEXDIGITS[b >> 4]);
 
            sb.append(HEXDIGITS[b & 15]);
 
            sb.append(' ');
 
        }
 
        return sb.toString();
 
    }
 
 
    private static class SavingTrustManager implements X509TrustManager {
 
        private final X509TrustManager tm;
 
        private X509Certificate[] chain;
 
 
        SavingTrustManager(X509TrustManager tm) {
 
            this.tm = tm;
 
        }
 
 
        public X509Certificate[] getAcceptedIssuers() {
 
            throw new UnsupportedOperationException();
 
        }
 
 
        public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
 
            throw new UnsupportedOperationException();
 
        }
 
 
        public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
 
            this.chain = chain;
 
            tm.checkServerTrusted(chain, authType);
 
        }
    }
 
}

另详见：https://blog.csdn.net/chaishen10000/article/details/82992291