Question
I am trying to establish an SSL connection with my MySQL database in Java using MySQL Connector/J (version 5.1.45) and this AWS RDS certificate here: https://s3.amazonaws.com/rds-downloads/rds-combined-ca-bundle.pem
But I am getting the following Exception:
java.security.cert.CertPathValidatorException: Path does not chain with any of the trust anchors
I could trace this Exception down to the MySQL Connector/J class ExportControlled.java on line 297:
CertPathValidatorResult result = this.validator.validate(certPath, this.validatorParams);
Then I can't go further down since this goes into the JRE security classes, like CertPathValidator.
Since I am using MySQL Connector/J to do the whole SSL magic, my hands are tied and I don't know what's going on or how to fix this. The certificate works fine on MySQL Workbench and on IntelliJ IDEA Database, so I have no clue why it's being rejected now.
How do I fix this?
Answer 1:
I fixed this after A LOT of headaches. The truststore needs to have ALL the certificates of the chain. I was using https://s3.amazonaws.com/rds-downloads/rds-combined-ca-bundle.pem, which IN THEORY has all the certificates, but when you import it to a keystore file, keytool ignores all but the first certificate, so I only had the root certificate in my keystore and not the root and the AWS Region certificate that I actually needed.
For now, there's no way to batch import all the certificates. I tried several methods, including converting to PKCS7 (which supports certificate chains), but keytool needs one alias for each certificate, so you need to import each certificate and give it an alias, one at a time.
You could make a program to call keytool and load one certificate at a time, or you could be a bit more lazy as I was and use KeyStore Explorer. You will need to select to create a new keystore file and open the bundled pem certificate using the Examine File option and, for each certificate in it, select import; this will import the selected certificate to the new keystore. At the end you just have to define a password for your keystore file and save it.
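The kind of program Answer 1 suggests, as an added example that is not part of the original answers: it reads every certificate in a PEM bundle through the JDK's CertificateFactory and stores each one under its own alias, without calling keytool. The class name, the `rds-ca-N` alias scheme and the `TRUSTSTORE_PASSWORD` environment variable are assumptions made for this sketch.

```java
import java.io.InputStream;
import java.io.OutputStream;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Collection;

public class ImportPemBundle {
    public static void main(String[] args) throws Exception {
        // Password comes from the environment (assumed variable name) so it
        // does not end up in shell history or the process list.
        String pw = System.getenv("TRUSTSTORE_PASSWORD");
        if (args.length != 2 || pw == null) {
            System.err.println("usage: TRUSTSTORE_PASSWORD=... java ImportPemBundle <bundle.pem> <truststore.jks>");
            System.exit(2);
        }

        // generateCertificates (plural) parses every certificate in the file,
        // not only the first one.
        Collection<? extends Certificate> certs;
        try (InputStream in = Files.newInputStream(Paths.get(args[0]))) {
            certs = CertificateFactory.getInstance("X.509").generateCertificates(in);
        }
        if (certs.isEmpty()) {
            throw new IllegalStateException("no certificates found in " + args[0]);
        }

        // Start from an empty keystore; JKS is assumed to be the type the
        // JDBC driver is configured to read.
        KeyStore ks = KeyStore.getInstance("JKS");
        ks.load(null, null);

        int i = 0;
        for (Certificate c : certs) {
            X509Certificate x = (X509Certificate) c;
            String alias = "rds-ca-" + (i++); // one unique alias per certificate
            ks.setCertificateEntry(alias, x);
            // Print what was trusted so the result can be reviewed.
            System.out.printf("%s subject=%s notAfter=%s%n",
                    alias, x.getSubjectX500Principal().getName(), x.getNotAfter());
        }

        try (OutputStream out = Files.newOutputStream(Paths.get(args[1]))) {
            ks.store(out, pw.toCharArray());
        }
        System.out.println("stored " + ks.size() + " trusted certificates in " + args[1]);
    }
}
```

Check the printed subjects against the certificates you expect before pointing trustCertificateKeyStoreUrl at the resulting file, since every entry in it becomes a trust anchor for the connection.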
Answer 2:
AWS now provides separate certificates and not just the bundle, which has extra stuff you won't need. See Using SSL to Encrypt a Connection to a DB Instance.
You will need to download two certificates: the root certificate, and the intermediate certificate for your region. As stated in the link above,
A root certificate that works for all regions can be downloaded at https://s3.amazonaws.com/rds-downloads/rds-ca-2015-root.pem.
and the intermediate certificates can be found further down the page. You must use the one appropriate for your region, the region where your database instance is located.
You must use keytool to import both of these into a new keystore, and tell MySQL to use that keystore via the trustCertificateKeyStoreUrl and trustCertificateKeyStorePassword parameters.
I had the further task of getting all of this to work with Tomcat. I had poor luck setting things via the connection URL; what worked was setting the connectionProperties in the connection pool to useSSL=true;requireSSL=true;verifyServerCertificate=true;trustCertificateKeyStoreUrl=file://[absolute path to keystore file];trustCertificateKeyStorePassword=[keystore password]
Answer 3:
One additional issue is that the MySQL documentation appears to be incorrect.
It describes the following connection properties:
clientCertificateKeyStoreUrl=file:path_to_truststore_file
clientCertificateKeyStorePassword=mypassword
The correct connection parameters are:
trustCertificateKeyStoreUrl
trustCertificateKeyStorePassword
There is a note to this effect in the "User Comments" section of the page.
Answer 4:
I got the exact same error a couple of hours ago when I moved to 5.1.45.
Trying now with 5.1.42 to see if the problem disappears.
Source: https://stackoverflow.com/questions/48286407/ssl-exception-on-java-path-does-not-chain-with-any-of-the-trust-anchors