PKIX path building failed问题

1 问题背景

服务已经很久没有变动，部署在服务器上的服务也没有进行更新，之前服务一切正常，突然调用某个第三方接口的时候，返回错误信息：

javax.net.ssL.SSLHandshalositorvImpleException:sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPethBuilderException:unable to find valid certification path to requested target
1

经排查，该问题出现在第三方接口更换证书之后。

2 问题解决

尝试的解决方式如下：

2.1 重启服务

最开始猜测是因为对方更换了证书，而我方调用接口用的okhttpclient为单例，证书没有更新导致，重启一下服务，重新加载更新一下。

验证结果：失败

2.2 手动上传证书处理

参考文章https://www.cnblogs.com/fuhai0815/p/16188972.html中的第一条解决方案

验证结果：失败

2.3 OkHttpClient信任所有证书

OkHttpClient设置信任所有证书：

static {
    SSLSocketFactory ssfFactory = null;
    try {
        SSLContext sc = SSLContext.getInstance("TLS");
        sc.init(null, new TrustManager[]{new TrustAllCerts()}, new SecureRandom());
        ssfFactory = sc.getSocketFactory();
        client = new OkHttpClient.Builder()
                .connectTimeout(30L, TimeUnit.SECONDS)
                .readTimeout(5, TimeUnit.MINUTES)
                .writeTimeout(5, TimeUnit.MINUTES)
                .sslSocketFactory(ssfFactory, new TrustAllCerts())
                .build();
    } catch (Exception e) {
        e.printStackTrace();
        throw new RuntimeException("okHttp客户端初始化失败");
    }
}
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17

import javax.net.ssl.X509TrustManager;
import java.security.cert.X509Certificate;

public class TrustAllCerts implements X509TrustManager {

        @Override
        public void checkClientTrusted(java.security.cert.X509Certificate[] x509Certificates, String s) throws java.security.cert.CertificateException {

        }

        @Override
        public void checkServerTrusted(java.security.cert.X509Certificate[] x509Certificates, String s) throws java.security.cert.CertificateException {

        }

        @Override
        public X509Certificate[] getAcceptedIssuers() {
                return new X509Certificate[0];
        }

}

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22

验证结果：成功