sssssjkl

Certificate chain is complete, but okhttp3 requests fail?

Certificate status

Checking the certificate with "myssl.com" shows it is fine: https://myssl.com/ynslyszx.com

Viewed in the browser: "image.png" (https://wmprod.oss-cn-shanghai.aliyuncs.com/images/20250121/0a265834b3836233c2083ad2f3fb6134.png)

Viewed with a command: "image.png" (https://wmprod.oss-cn-shanghai.aliyuncs.com/images/20250121/be59a99dd5ffb7bb1928f0e025ce0bab.png)

Test code

```java
import java.io.IOException;

import okhttp3.OkHttpClient;
import okhttp3.Request;
import okhttp3.Response;

public class App {
    public static void main(String[] args) {
        String url = "https://ynslyszx.com/fp04/ldt-service/msp/getPublicKey.do";
        OkHttpClient client = new OkHttpClient();
        // Specify the URL to request
        Request request = new Request.Builder()
                .url(url)
                .build();
        try (Response response = client.newCall(request).execute()) {
            if (!response.isSuccessful()) {
                throw new IOException("Unexpected code " + response);
            }
            // Print the response body
            System.out.println(response.body().string());
        } catch (IOException e) {
            e.printStackTrace();
        }
    }
}
```

Error message

The okhttp request fails with:

```
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.ssl.Alert.createSSLException(Alert.java:131)
    at sun.security.ssl.TransportContext.fatal(TransportContext.java:353)
    at sun.security.ssl.TransportContext.fatal(TransportContext.java:296)
    at sun.security.ssl.TransportContext.fatal(TransportContext.java:291)
    at sun.security.ssl.CertificateMessage$T12CertificateConsumer.checkServerCerts(CertificateMessage.java:652)
    at sun.security.ssl.CertificateMessage$T12CertificateConsumer.onCertificate(CertificateMessage.java:471)
    at sun.security.ssl.CertificateMessage$T12CertificateConsumer.consume(CertificateMessage.java:367)
    at sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:376)
    at sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:444)
    at sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:422)
    at sun.security.ssl.TransportContext.dispatch(TransportContext.java:183)
    at sun.security.ssl.SSLTransport.decode(SSLTransport.java:154)
    at sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1279)
    at sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1188)
    at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:401)
    at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:373)
    at okhttp3.internal.connection.RealConnection.connectTls(RealConnection.kt:379)
    at okhttp3.internal.connection.RealConnection.establishProtocol(RealConnection.kt:337)
    at okhttp3.internal.connection.RealConnection.connect(RealConnection.kt:209)
    at okhttp3.internal.connection.ExchangeFinder.findConnection(ExchangeFinder.kt:226)
    at okhttp3.internal.connection.ExchangeFinder.findHealthyConnection(ExchangeFinder.kt:106)
    at okhttp3.internal.connection.ExchangeFinder.find(ExchangeFinder.kt:74)
    at okhttp3.internal.connection.RealCall.initExchange$okhttp(RealCall.kt:255)
    at okhttp3.internal.connection.ConnectInterceptor.intercept(ConnectInterceptor.kt:32)
    at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.kt:109)
    at okhttp3.internal.cache.CacheInterceptor.intercept(CacheInterceptor.kt:95)
    at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.kt:109)
    at okhttp3.internal.http.BridgeInterceptor.intercept(BridgeInterceptor.kt:83)
    at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.kt:109)
    at okhttp3.internal.http.RetryAndFollowUpInterceptor.intercept(RetryAndFollowUpInterceptor.kt:76)
    at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.kt:109)
    at okhttp3.internal.connection.RealCall.getResponseWithInterceptorChain$okhttp(RealCall.kt:201)
    at okhttp3.internal.connection.RealCall.execute(RealCall.kt:154)
    at org.example.App.main(App.java:35)
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:439)
    at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:306)
    at sun.security.validator.Validator.validate(Validator.java:271)
    at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:312)
    at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:221)
    at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:128)
    at sun.security.ssl.CertificateMessage$T12CertificateConsumer.checkServerCerts(CertificateMessage.java:636)
    ... 29 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141)
    at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126)
    at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280)
    at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:434)
    ... 35 more
```

Questions

1. With the same code, requests to "https://baidu.com" or "https://qq.com" work, but requests to ynslyszx.com fail; after checking with "myssl.com", the certificate is also fine. Which step is going wrong?
2. I tried repairing the certificate on the server with "myssl.com", and the request still does not go through.
3. The current workaround is to make okhttp3 ignore all certificate verification, but that is not really appropriate. Is there another solution?

Views: 270
木子弓长

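How can I implement SSL mutual (two-way) authentication with a free certificate issued by DigiCert? I tried it, but it did not work. How should this be done?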

I first applied for a free DigiCert certificate; the server runs nginx. I got two files, domain.pem and domain.key.

I configured nginx like this:

```
listen 443 ssl;
ssl_certificate the_path_of_domain.pem;
ssl_certificate_key the_path_of_domain.key;
ssl_client_certificate the_path_of_domain.pem;
ssl_verify_client on;
ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers "HIGH:!aNULL:!MD5 or HIGH:!aNULL:!MD5:!3DES";
ssl_prefer_server_ciphers on;
```

Then I tested with curl, and it failed:

```
curl --cert domain.pem --key domain.key https://domain
```

Changing the value of "ssl_verify_depth" did not help either.

I need help.

Views: 26
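An added example, not part of the original post: nginx's `ssl_client_certificate` names the file of trusted CA certificates used to verify client certificates, so the script below builds two throwaway CAs with openssl and checks which trust file a client certificate actually verifies against. Every file name and subject is constructed, and `openssl verify` stands in for the chain check; nginx itself is not run.

```shell
#!/usr/bin/env bash
# Added example: every name below is constructed; no real CA or server is involved.
WORK=$(mktemp -d)

# Self-signed CA: writes $WORK/<name>.pem and $WORK/<name>.key
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}

# End-entity certificate <name>, signed by CA <ca>, with subject CN <cn>
issue_cert() {
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$3" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null &&
  openssl x509 -req -in "$WORK/$1.csr" -days 1 -CA "$WORK/$2.pem" \
    -CAkey "$WORK/$2.key" -CAcreateserial -out "$WORK/$1.pem" 2>/dev/null
}

# Prints "yes" if <cert> chains to a self-signed root found in <trust>.pem
verifies_against() {
  if openssl verify -CAfile "$WORK/$2.pem" "$WORK/$1.pem" >/dev/null 2>&1
  then echo yes; else echo no; fi
}

make_ca public-ca "Constructed Public CA"    # plays the CA that issued the server cert
make_ca client-ca "Constructed Client CA"    # private CA that issues client certs
issue_cert server public-ca "domain.example" # plays domain.pem / domain.key
issue_cert client client-ca "client-01"      # certificate a client would present

# Trust file = the CA that issued the client certificate
echo "client vs client-ca: $(verifies_against client client-ca)"
# Trust file = the server's own leaf certificate, which is not a CA
echo "client vs server:    $(verifies_against client server)"
# Server leaf presented as the client cert, with that same leaf as the trust file
echo "server vs server:    $(verifies_against server server)"
```

In nginx terms, `ssl_client_certificate` would point at `client-ca.pem` and curl would present `client.pem` with `client.key`.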
UX_siri

The AMH panel's LNGX reverse proxy does not work and the site cannot be reached. How do I fix this?

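AMH's LNGX reverse proxy does not work. I have already removed lnmp and kept only LNGX. The backend is at public IP:3000 and is reachable from my local computer; after setting up the reverse proxy, the domain cannot be reached. The system is Debian 12.

https://wmlx-new-image.oss-cn-shanghai.aliyuncs.com/images/20241023/b7ea566048738e830fa56a42016d7942.png

I have also ticked options such as "pass HTTP/S protocol". There is currently only one lngx environment and only one site. The backend is one-api, which works normally via IP plus port. I want to reverse-proxy this one-api. After setting up the reverse proxy, the domain cannot be reached. An SSL certificate is configured. There is no CDN.

https://wmlx-new-image.oss-cn-shanghai.aliyuncs.com/images/20241023/cdc68ecdad4ef4c7206d64be3dc88caf.png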

Views: 28