1. Problem description

When importing a git repository into Bitbucket, the following message is shown:

Peer's certificate issuer has been marked as not trusted by the user.


The cause is that the HTTPS certificate of the Bitbucket repository is self-signed.

2. Solution

Several approaches were tried, including git's global settings (skipping HTTPS verification) and importing the certificate into the Java truststore.

2.1 Configure git global settings

Set the environment variable

echo 'export GIT_SSL_NO_VERIFY=true' >> ~/.bashrc

Or set it in the git configuration, per project or globally

git config http.sslVerify "false"
git config --global http.sslVerify false

Note: this method did not work.

2.2 Import the trusted certificate into Java

First obtain the certificate. It can be requested from the administrator of the HTTPS site, or downloaded from the server:

openssl s_client -connect 101.111.111.118:443 < /dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > public.crt

or

openssl s_client -showcerts -connect 101.111.111.118:443 </dev/null 2>/dev/null | openssl x509 -outform PEM >101.111.111.118.crt

Both commands retrieve the same certificate.

Try adding it to the git configuration; sslCAInfo takes the path of the certificate file:

git config http."https://101.111.111.118".sslCAInfo "$PWD/101.111.111.118.crt"

Note: this method did not work.

To check whether the certificate file is damaged, inspect it with OpenSSL:
openssl x509 -in 101.111.111.118.crt -text

Next, import the certificate into the Java truststore

keytool -import -trustcacerts  -alias guoji_bitbucket -keystore /data/java/jdk-11.0.14/lib/security/cacerts -file gj_bitbucket.crt

View the certificate

Note that keystore files are all password protected. When generating a new keystore file you are asked to enter a new password; when accessing an existing keystore file you are asked to verify its password.

The default password of $JAVA_HOME/lib/security/cacerts is "changeit"!

# keytool -list -keystore $JAVA_HOME/lib/security/cacerts | grep guoji
Warning: use -cacerts option to access cacerts keystore
Enter keystore password:  changeit
guoji_bitbucket, May 26, 2022, trustedCertEntry

This method did not work either.

Delete the certificate again (the alias is the one given at import time)

keytool -delete -alias guoji_bitbucket -keystore $JAVA_HOME/lib/security/cacerts -storepass changeit

2.3 Add the self-signed HTTPS certificate to the CentOS system trust store

Key point: this method finally solved the problem!

Add the certificate obtained above to the CentOS trust bundle.

Even root has no write permission on the file, so first add write permission:

chmod u+w /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem

Then edit the file directly and append the certificate contents to the end.

Save.


Then restore the permissions

chmod u-w /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
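Before a certificate fetched with openssl s_client (2.2) is appended to a trust store (2.3), it should be compared with a fingerprint the Bitbucket administrator provides out of band, since the fetched copy is simply whatever answered on the network. The following is an added example, not code from the original post; the s_client output, host names and expected fingerprint are constructed placeholders.

```python
import base64
import hashlib
import hmac
import re

# One PEM certificate block; re.S lets the base64 body span several lines.
PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)

# Constructed stand-in for `openssl s_client -showcerts` output. The base64 bodies are
# placeholder bytes (b"abc" for the server cert, b"chain" for its issuer), not real DER.
SAMPLE_S_CLIENT_OUTPUT = """Certificate chain
 0 s:CN = bitbucket.example.internal
-----BEGIN CERTIFICATE-----
YWJj
-----END CERTIFICATE-----
 1 s:CN = Example Internal CA
-----BEGIN CERTIFICATE-----
Y2hhaW4=
-----END CERTIFICATE-----
"""

# Fingerprint the Bitbucket admin would hand over out of band (here: SHA-256 of the
# placeholder bytes b"abc"). Colons and letter case are ignored when comparing.
EXPECTED_LEAF_FINGERPRINT = "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad"

def extract_pem_blocks(s_client_output: str) -> list:
    """Every certificate as DER bytes, server cert first (the post's sed range keeps one)."""
    return [base64.b64decode("".join(m.group(1).split()))
            for m in PEM_BLOCK.finditer(s_client_output)]

def sha256_fingerprint(der: bytes) -> str:
    """Colon-separated form, as printed by `openssl x509 -noout -fingerprint -sha256`."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def fingerprint_matches(der: bytes, expected: str) -> bool:
    """Constant-time comparison against the fingerprint obtained from the admin."""
    def norm(s: str) -> str:
        return s.replace(":", "").strip().lower()
    return hmac.compare_digest(norm(sha256_fingerprint(der)), norm(expected))

def verify_fetched_leaf(s_client_output: str = SAMPLE_S_CLIENT_OUTPUT,
                        expected: str = EXPECTED_LEAF_FINGERPRINT) -> bool:
    """True only if the server cert matches the published fingerprint (private CA: check ders[-1])."""
    ders = extract_pem_blocks(s_client_output)
    if not ders:
        raise ValueError("no certificate found in s_client output")
    return fingerprint_matches(ders[0], expected)
```

Replace the sample with the real `openssl s_client -showcerts` capture and the fingerprint with the one the administrator gives you. On CentOS the durable place for a checked anchor is /etc/pki/ca-trust/source/anchors/ followed by `update-ca-trust extract`, because the extracted tls-ca-bundle.pem edited in 2.3 is regenerated from that directory.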

2.4 Restart the service (for reference)

If the steps above do not solve the problem, consider restarting the service so that the Java certificates are loaded.

Appendix: diagnosing whether the Java environment contains the required trusted certificate. This method can diagnose HTTPS, IMAPS, LDAPS and similar connections.

Download SSLPoke.class

wget https://confluence.atlassian.com/kb/files/779355358/779355357/1/1441897666313/SSLPoke.class

Run the following command to check whether the connection is valid. Here java is the Java runtime you want to test, followed by the URL and port to diagnose.

When the connection fails, the following exception appears:

# java SSLPoke 101.111.111.118 443
sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
	at java.base/sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:439)
	at java.base/sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:306)
	at java.base/sun.security.validator.Validator.validate(Validator.java:264)
	at java.base/sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:313)
	at java.base/sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:222)
	at java.base/sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:129)
	at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.checkServerCerts(CertificateMessage.java:638)
	at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.onCertificate(CertificateMessage.java:473)
	at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.consume(CertificateMessage.java:369)
	at java.base/sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:392)
	at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:478)
	at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:456)
	at java.base/sun.security.ssl.TransportContext.dispatch(TransportContext.java:198)
	at java.base/sun.security.ssl.SSLTransport.decode(SSLTransport.java:172)
	at java.base/sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1377)
	at java.base/sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1290)
	at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:411)
	at java.base/sun.security.ssl.SSLSocketImpl.ensureNegotiated(SSLSocketImpl.java:829)
	at java.base/sun.security.ssl.SSLSocketImpl$AppOutputStream.write(SSLSocketImpl.java:1195)
	at java.base/sun.security.ssl.SSLSocketImpl$AppOutputStream.write(SSLSocketImpl.java:1167)
	at SSLPoke.main(SSLPoke.java:31)
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
	at java.base/sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141)
	at java.base/sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126)
	at java.base/java.security.cert.CertPathBuilder.build(CertPathBuilder.java:297)
	at java.base/sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:434)
	... 20 more

Successful connection

# java SSLPoke 101.111.111.118 443
Successfully connected

Appendix: summary of Java keytool certificate formats

In security programming there are several typical file formats for exchanging cryptographic information:

DER-encoded certificate: .cer, .crt
PEM-encoded message: .pem
PKCS#12 Personal Information Exchange: .pfx, .p12
PKCS#10 Certification Request: .p10
PKCS#7 cert request response: .p7r
PKCS#7 binary message: .p7b

.cer/.crt are used to store certificates; they are stored in binary form and contain no private key.

The difference between .pem and .crt/.cer is that .pem is represented in ASCII.

.pfx/.p12 are used to store personal certificates and private keys; they usually carry a protection password and are in binary form.

.p10 is a certificate request.

.p7r is the CA's response to a certificate request; it is only used for importing.

.p7b presents the certificate chain in tree form; it also supports a single certificate and contains no private key.