微信支付PKIX path building failed

异常信息

javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification p
ath to requested targetat sun.security.ssl.Alerts.getSSLException(Alerts.java:192)at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1904)at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:279)at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:273)at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1446)at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:209)at sun.security.ssl.Handshaker.processLoop(Handshaker.java:901)at sun.security.ssl.Handshaker.process_record(Handshaker.java:837)at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1023)at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1332)at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1359)at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1343)at org.apache.http.conn.ssl.SSLConnectionSocketFactory.createLayeredSocket(SSLConnectionSocketFactory.java:275)at org.apache.http.conn.ssl.SSLConnectionSocketFactory.connectSocket(SSLConnectionSocketFactory.java:254)at org.apache.http.impl.conn.HttpClientConnectionOperator.connect(HttpClientConnectionOperator.java:123)at org.apache.http.impl.conn.PoolingHttpClientConnectionManager.connect(PoolingHttpClientConnectionManager.java:318)at org.apache.http.impl.execchain.MainClientExec.establishRoute(MainClientExec.java:363)at org.apache.http.impl.execchain.MainClientExec.execute(MainClientExec.java:219)at org.apache.http.impl.execchain.ProtocolExec.execute(ProtocolExec.java:195)at org.apache.http.impl.execchain.RetryExec.execute(RetryExec.java:86)at org.apache.http.impl.execchain.RedirectExec.execute(RedirectExec.java:108)at org.apache.http.impl.client.InternalHttpClient.doExecute(InternalHttpClient.java:184)at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:82)at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:106)at com.gemantic.wealth.admin.util.WxpayUtil.refund(WxpayUtil.java:111)at com.gemantic.wealth.admin.controller.RefundsController.verifyDebt(RefundsController.java:520)at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)at java.lang.reflect.Method.invoke(Method.java:606)at org.springframework.web.method.support.InvocableHandlerMethod.invoke(InvocableHandlerMethod.java:213)at org.springframework.web.method.support.InvocableHandlerMethod.invokeForRequest(InvocableHandlerMethod.java:126)at org.springframework.web.servlet.mvc.method.annotation.ServletInvocableHandlerMethod.invokeAndHandle(ServletInvocableHandlerMethod.java:96)at org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerAdapter.invokeHandlerMethod(RequestMappingHandlerAdapter.java:617)at org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerAdapter.handleInternal(RequestMappingHandlerAdapter.java:578)at org.springframework.web.servlet.mvc.method.AbstractHandlerMethodAdapter.handle(AbstractHandlerMethodAdapter.java:80)at org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherServlet.java:923)at org.springframework.web.servlet.DispatcherServlet.doService(DispatcherServlet.java:852)at org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:882)at org.springframework.web.servlet.FrameworkServlet.doPost(FrameworkServlet.java:789)at javax.servlet.http.HttpServlet.service(HttpServlet.java:646)at javax.servlet.http.HttpServlet.service(HttpServlet.java:727)at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:303)at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)at org.jasig.cas.client.util.AssertionThreadLocalFilter.doFilter(AssertionThreadLocalFilter.java:54)at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)at org.jasig.cas.client.util.HttpServletRequestWrapperFilter.doFilter(HttpServletRequestWrapperFilter.java:75)at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)at org.jasig.cas.client.validation.AbstractTicketValidationFilter.doFilter(AbstractTicketValidationFilter.java:201)at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)at com.gemantic.wealth.admin.ArthurFilter.doFilter(ArthurFilter.java:83)at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)at org.jasig.cas.client.session.SingleSignOutFilter.doFilter(SingleSignOutFilter.java:76)at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)at org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:88)at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:76)at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)at org.springframework.web.filter.HttpPutFormContentFilter.doFilterInternal(HttpPutFormContentFilter.java:88)at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:76)at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:220)at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:122)at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:171)at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:950)at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116)at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:408)at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1040)at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:607)at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:314)at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)at java.lang.Thread.run(Thread.java:745)
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested targetat sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:385)at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:292)at sun.security.validator.Validator.validate(Validator.java:260)at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:326)at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:231)at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:126)at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1428)... 79 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested targetat sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:196)at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:268)at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:380)... 85 more

异常原因

这是缺少安全证书时出现的异常

分析问题

本地开发并单元测试通过
测试环境API接口测试通过，服务器192.168.1.20
测试环境管理后台的退款操作，调用接口抛出上面的异常，服务器192.168.1.23

20、23的系统、配置、安装的软件等完全一样，出现这种情况的原因感觉很奇怪。唯一的区别就是23服务器上的管理后台与CAS进行了集成。

解决方案

第一步想到的是把从微信网站上下载的证书导入到jdk的cacerts中

keytool -import -keystore "$JAVA_HOME/jre/lib/security/cacerts" -file /data/admin-web/cer/web/apiclient_cert.p12 -alias staging_wx_web

提示错误：

keytool 错误: java.lang.Exception: 所输入的不是 X.509 证书

第二试着从chrome浏览器中导出证书的cer格式文件，另存为weixin.cer

将上面导出的证书上传到服务器23的/home/look目录下，然后导入$JAVA_HOME/jre/lib/security/cacerts中

keytool -import -keystore "$JAVA_HOME/jre/lib/security/cacerts" -file /home/look/weixin.cer -alias staging_wx

输入密码，按提示输入“是”，完成证书的导入。可以再次查看证书库 keytool -list -keystore $JAVA_HOME/jre/lib/security/cacerts，此时已经总数已经多了一个，添加成功

证书配置完成后，重启一下服务。再次测试成功～

----------------------遇到点小问题----------------------

输入密钥口令报错

在这里插入图片描述

导入证书到JDK输入密钥库口令这里没有输入生成证书时自己设置的秘钥而是输入changeit
或者直接：

keytool -import -trustcacerts -alias tomcat -file /opt/mycas/tomcat.cer -keystore "/usr/local/src/java/jdk1.8.0_251/jre/lib/security/cacerts" -storepass changeit

就是命令后面加上密码：-storepass changeit