1. Problem description
When importing a code repository from a Git server into Bitbucket, the following message appears:
Peer's certificate issuer has been marked as not trusted by the user.
The cause is that the HTTPS certificate of the Bitbucket code repository is self-signed.
2. Solution
Several approaches were tried along the way, including configuring Git's global settings (skipping HTTPS verification) and importing the certificate into the Java trust store.
2.1 Git global configuration
Set an environment variable:
echo 'export GIT_SSL_NO_VERIFY=true' >> ~/.bashrc
Or set it in the per-project or global Git configuration:
git config http.sslVerify "false"
git config --global http.sslVerify false
Note: this approach did not work.
2.2 Importing the trusted certificate into Java
First obtain the certificate. You can get it from the administrator of the HTTPS site, or download it directly:
openssl s_client -connect 101.111.111.118:443 < /dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > public.crt
or
openssl s_client -showcerts -connect 101.111.111.118:443 </dev/null 2>/dev/null | openssl x509 -outform PEM >101.111.111.118.crt
Both commands retrieve the same certificate.
Attempt to add it to the Git configuration:
# sslCAInfo takes the path of the CA file as its value, not a stdin redirection
git config http."https://101.111.111.118".sslCAInfo "$PWD/101.111.111.118.crt"
Note: this approach did not work.
To check whether the certificate file is intact, inspect it with OpenSSL:
openssl x509 -in 101.111.111.118.crt -text
Then import the certificate:
keytool -import -trustcacerts -alias guoji_bitbucket -keystore /data/java/jdk-11.0.14/lib/security/cacerts -file gj_bitbucket.crt
List the certificate:
Note that keystore files are password-protected. When creating a new keystore you are asked to set a new password; when accessing an existing keystore you must enter its password.
The default password of $JAVA_HOME/lib/security/cacerts is "changeit"!
# keytool -list -keystore $JAVA_HOME/lib/security/cacerts | grep guoji
Warning: use -cacerts option to access cacerts keystore
Enter keystore password: changeit
guoji_bitbucket, May 26, 2022, trustedCertEntry
This approach did not work either.
Remove the certificate:
keytool -delete -alias guoji_bitbucket -keystore $JAVA_HOME/lib/security/cacerts -storepass changeit
2.3 Adding the self-signed HTTPS certificate to the CentOS system trust store
Key point: this is the approach that finally solved the problem!
Add the certificate obtained above to the CentOS trust bundle.
Even root has no write permission on this file, so grant write permission first:
chmod u+w /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
Then edit the file directly and append the certificate contents to the end.
Save.
Then restore the permissions:
chmod u-w /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
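Added example (not from the original post) covering the certificate-fetching step in 2.2 and the bundle-append step in 2.3: it pulls PEM blocks out of s_client-style output the way the sed range does, compares certificates by SHA-256 fingerprint so you can confirm that what you appended to the bundle is what the server actually presents, and appends without duplicating a block or gluing it onto a bundle that lacks a trailing newline. The function names, the host name bitbucket.internal and the DER bytes are constructed placeholders, not real certificates; the helpers only hash and compare bytes.

```python
import hashlib
import re
import ssl

# One PEM certificate block: the same range the page's sed command selects.
_PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\r?\n(.*?)\r?\n-----END CERTIFICATE-----", re.DOTALL)


def extract_pem_certs(text: str) -> list:
    """Every PEM certificate in `text` (e.g. s_client -showcerts output), LF-normalised."""
    certs = []
    for body in _PEM_BLOCK.findall(text):
        lines = [ln.strip() for ln in body.splitlines() if ln.strip()]
        certs.append("-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n"
                     % "\n".join(lines))
    return certs


def cert_fingerprint(pem: str) -> str:
    """SHA-256 over the DER bytes, in `openssl x509 -fingerprint -sha256` format."""
    digest = hashlib.sha256(ssl.PEM_cert_to_DER_cert(pem)).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def bundle_contains(bundle_text: str, pem: str) -> bool:
    """True if the bundle already holds a certificate with the same fingerprint."""
    wanted = cert_fingerprint(pem)
    return any(cert_fingerprint(c) == wanted for c in extract_pem_certs(bundle_text))


def append_to_bundle(bundle_text: str, pem: str) -> str:
    """Append `pem` once; a bundle without a trailing newline would otherwise glue
    END CERTIFICATE and BEGIN CERTIFICATE onto one line and break every parser."""
    if bundle_contains(bundle_text, pem):
        return bundle_text
    if bundle_text and not bundle_text.endswith("\n"):
        bundle_text += "\n"
    return bundle_text + pem


# Constructed stand-ins for the DER bytes of the server cert and its self-signed issuer.
LEAF_PEM = ssl.DER_cert_to_PEM_cert(b"constructed-bitbucket-server-cert")
ISSUER_PEM = ssl.DER_cert_to_PEM_cert(b"constructed-self-signed-issuer-cert")
# Constructed imitation of `openssl s_client -showcerts` output for the page's host.
SAMPLE_S_CLIENT_OUTPUT = (
    "CONNECTED(00000003)\ndepth=0 CN = bitbucket.internal\n---\nCertificate chain\n"
    " 0 s:CN = bitbucket.internal\n   i:CN = bitbucket.internal\n" + LEAF_PEM
    + " 1 s:CN = bitbucket.internal\n" + ISSUER_PEM + "---\nServer certificate\n")
```

On CentOS the extracted bundle under /etc/pki/ca-trust/extracted/ is regenerated by update-ca-trust, so a certificate placed in /etc/pki/ca-trust/source/anchors/ followed by update-ca-trust survives the next run, while a hand-edited tls-ca-bundle.pem does not.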
2.4 Restart the service (for reference)
If the steps above do not solve the problem, consider restarting the service so that the Java certificates are reloaded.
Appendix: diagnosing whether the Java environment contains the corresponding trusted certificate. This method can diagnose HTTPS, IMAPS, LDAPS and similar connections.
wget https://confluence.atlassian.com/kb/files/779355358/779355357/1/1441897666313/SSLPoke.class
Run the following command to check whether the connection is valid.
Here java is the Java runtime you want to test, followed by the URL and port to diagnose.
When the connection fails, the following exception appears:
# java SSLPoke 101.111.111.118 443
sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at java.base/sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:439)
at java.base/sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:306)
at java.base/sun.security.validator.Validator.validate(Validator.java:264)
at java.base/sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:313)
at java.base/sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:222)
at java.base/sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:129)
at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.checkServerCerts(CertificateMessage.java:638)
at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.onCertificate(CertificateMessage.java:473)
at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.consume(CertificateMessage.java:369)
at java.base/sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:392)
at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:478)
at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:456)
at java.base/sun.security.ssl.TransportContext.dispatch(TransportContext.java:198)
at java.base/sun.security.ssl.SSLTransport.decode(SSLTransport.java:172)
at java.base/sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1377)
at java.base/sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1290)
at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:411)
at java.base/sun.security.ssl.SSLSocketImpl.ensureNegotiated(SSLSocketImpl.java:829)
at java.base/sun.security.ssl.SSLSocketImpl$AppOutputStream.write(SSLSocketImpl.java:1195)
at java.base/sun.security.ssl.SSLSocketImpl$AppOutputStream.write(SSLSocketImpl.java:1167)
at SSLPoke.main(SSLPoke.java:31)
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at java.base/sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141)
at java.base/sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126)
at java.base/java.security.cert.CertPathBuilder.build(CertPathBuilder.java:297)
at java.base/sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:434)
... 20 more
Successful connection:
# java SSLPoke 101.111.111.118 443
Successfully connected
Appendix: summary of Java keytool certificate formats
In security programming there are several typical file formats for exchanging cryptographic information:
DER-encoded certificate: .cer, .crt
PEM-encoded message: .pem
PKCS#12 Personal Information Exchange: .pfx, .p12
PKCS#10 Certification Request: .p10
PKCS#7 cert request response: .p7r
PKCS#7 binary message: .p7b
.cer/.crt are used to store certificates, in binary form, without the private key.
.pem differs from .crt/.cer in that it is ASCII-encoded.
.pfx/.p12 store a personal certificate together with its private key; they usually carry a protecting password and are binary.
.p10 is a certificate request.
.p7r is the CA's response to a certificate request; it is only used for import.
.p7b presents the certificate chain in tree form; it also supports a single certificate, and contains no private key.