我有一个java应用程序,它调用外部api,托管在如下地址https://10.20.30.40:1234/test/myurl
这有一个类似CN的域名基础证书*.myappdomain.au
我们已经在我们的linux服务器上注册了证书。我甚至试着用下面的代码加载证书,但它没有用,我们得到了相同的错误
private static SSLSocketFactory createSSLSocketFactory(String certificatePath) throws IOException, CertificateException, KeyStoreException, NoSuchAlgorithmException, KeyManagementException {
File crtFile = new File(certificatePath);
Certificate certificate = CertificateFactory.getInstance("X.509").generateCertificate(new FileInputStream(crtFile));
KeyStore keyStore = KeyStore.getInstance(KeyStore.getDefaultType());
keyStore.load(null, null);
keyStore.setCertificateEntry("server", certificate);
TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
trustManagerFactory.init(keyStore);
SSLContext sslContext = SSLContext.getInstance("TLS");
sslContext.init(null, trustManagerFactory.getTrustManagers(), null);
return sslContext.getSocketFactory();
}
我尝试过的一件事是在主机中添加条目10.20.30.40 myappdomain.au然后使用urlhttps://myappdomain.au:1234/test/myurl
然后应用程序工作
知道我还需要做什么吗
好吧,如果API托管在一个IP地址上,SSL证书必须将该IP地址定义为Subject Alternative Name。然而,这对像Let's Encrypt这样的服务不起作用。
我想问题的主要原因是您试图通过API的IP地址而不是FQDN来访问它。将API的URL更改为源代码中IP地址的适当DNS名称,只要DNS名称解析为与颁发通配符证书的域相关的内容(例如api.myappdomain.au(,则一切都会正常工作。
尝试在连接之前运行此代码:
public static void trustAllCerts() {
TrustManager[] trustAllCerts = new TrustManager[]{
new X509TrustManager() {
public java.security.cert.X509Certificate[] getAcceptedIssuers() {
return null;
}
public void checkClientTrusted(
java.security.cert.X509Certificate[] certs, String authType) {
}
public void checkServerTrusted(
java.security.cert.X509Certificate[] certs, String authType) {
}
}
};
try {
SSLContext sc = SSLContext.getInstance("SSL");
sc.init(null, trustAllCerts, new java.security.SecureRandom());
HttpsURLConnection.setDefaultSSLSocketFactory(sc.getSocketFactory());
} catch (Exception e) {
e.printStackTrace();
}
}