SAML ERROR: PKIX path construction failed for untrusted credential

SAML ERROR: PKIX path construction failed for untrusted credential

我已经在我的系统中集成了 SAML 2.0,并且像 IDP 一样使用文件 http://idp.ssocircle.com/idp-meta.xml。 上周我的应用程序运行良好,但从昨天(2016 年 12 月 5 日)开始,我没有对配置文件进行任何修改就出现错误。

The error is: 
2016-12-06 10:00:07 ERROR: PKIX path construction failed for untrusted credential: [subjectName='CN=idp.ssocircle.com' |credential entityID='https://idp.ssocircle.com']: unable to find valid certification path to requested target
2016-12-06 10:00:07 INFO : I/O exception (javax.net.ssl.SSLPeerUnverifiedException) caught when processing request: SSL peer failed hostname validation for name: null
2016-12-06 10:00:07 INFO : Retrying request

我的 metada bean 是:

<bean id="metadata" class="org.springframework.security.saml.metadata.CachingMetadataManager">
<constructor-arg>
    <list>
        <bean class="org.opensaml.saml2.metadata.provider.HTTPMetadataProvider">
            <constructor-arg>
                <value type="java.lang.String">http://idp.ssocircle.com/idp-meta.xml</value>
            </constructor-arg>
            <constructor-arg>
                <value type="int">5000</value>
            </constructor-arg>
            <property name="parserPool" ref="parserPool"/>
        </bean>
        <bean class="org.springframework.security.saml.metadata.ExtendedMetadataDelegate">
            <constructor-arg>
                <bean class="org.opensaml.saml2.metadata.provider.FilesystemMetadataProvider">
                    <constructor-arg>
                             <value type="java.io.File">WEB-INF/saml/sp_sg.xml</value>
                       </constructor-arg>
                    <property name="parserPool" ref="parserPool"/>
                </bean>
            </constructor-arg>
            <constructor-arg>
                <bean class="org.springframework.security.saml.metadata.ExtendedMetadata">
                    <property name="local" value="true"/>
                    <property name="securityProfile" value="metaiop"/>
                    <property name="sslSecurityProfile" value="pkix"/>
                    <property name="signMetadata" value="true"/>
                    <property name="signingKey" value="apollo"/>
                    <property name="encryptionKey" value="apollo"/>
                    <property name="requireArtifactResolveSigned" value="false"/>
                    <property name="requireLogoutRequestSigned" value="false"/>
                    <property name="requireLogoutResponseSigned" value="false"/>
                    <property name="idpDiscoveryEnabled" value="false"/>
                    <property name="idpDiscoveryURL" value="http://localhost:8080/portal_report_sg/saml/discovery"/>
                    <property name="idpDiscoveryResponseURL" value="http://localhost:8080/portal_report_sg/saml/login?disco=true"/>
                </bean>
            </constructor-arg>
         </bean>
    </list>
</constructor-arg>
    <property name="hostedSPName" value="http://88.161.49.14/sg1"/> 

感谢您的帮助。

SSOCircle 上使用的根 CA 证书昨天已更改。这可能会在工件解析期间出现,当时 Spring SAML 需要通过 HTTPS 进行调用。

certification authority's website 下载证书,将其存储在文件中(例如 PEM 格式的 ca.cer)并导入到 Spring SAML 的密钥库:

 keytool -importcert -alias identtrustca -file ca.cer -keystore samlKeystore.jks

证书示例:

    -----BEGIN CERTIFICATE-----
    MIIDSjCCAjKgAwIBAgIQRK+wgNajJ7qJMDmGLvhAazANBgkqhkiG9w0BAQUFADA/
    MSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT
    DkRTVCBSb290IENBIFgzMB4XDTAwMDkzMDIxMTIxOVoXDTIxMDkzMDE0MDExNVow
    PzEkMCIGA1UEChMbRGlnaXRhbCBTaWduYXR1cmUgVHJ1c3QgQ28uMRcwFQYDVQQD
    Ew5EU1QgUm9vdCBDQSBYMzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB
    AN+v6ZdQCINXtMxiZfaQguzH0yxrMMpb7NnDfcdAwRgUi+DoM3ZJKuM/IUmTrE4O
    rz5Iy2Xu/NMhD2XSKtkyj4zl93ewEnu1lcCJo6m67XMuegwGMoOifooUMM0RoOEq
    OLl5CjH9UL2AZd+3UWODyOKIYepLYYHsUmu5ouJLGiifSKOeDNoJjj4XLh7dIN9b
    xiqKqy69cK3FCxolkHRyxXtqqzTWMIn/5WgTe1QLyNau7Fqckh49ZLOMxt+/yUFw
    7BZy1SbsOFU5Q9D8/RhcQPGX69Wam40dutolucbY38EVAjqr2m7xPi71XAicPNaD
    aeQQmxkqtilX4+U9m5/wAl0CAwEAAaNCMEAwDwYDVR0TAQH/BAUwAwEB/zAOBgNV
    HQ8BAf8EBAMCAQYwHQYDVR0OBBYEFMSnsaR7LHH62+FLkHX/xBVghYkQMA0GCSqG
    SIb3DQEBBQUAA4IBAQCjGiybFwBcqR7uKGY3Or+Dxz9LwwmglSBd49lZRNI+DT69
    ikugdB/OEIKcdBodfpga3csTS7MgROSR6cz8faXbauX+5v3gTt23ADq1cEmv8uXr
    AvHRAosZy5Q6XkjEGB5YGV8eAlrwDPGxrancWYaLbumR9YbK+rlmM6pZW87ipxZz
    R8srzJmwN0jP41ZL9c8PDHIyh8bwRLtTcm1D9SZImlJnt1ir/md2cXjbDaJWFBM5
    JDGFoqgCWjBH4d1QB7wCCZAA62RjYJsWvIjJEubSfZGL+T0yjWW06XyxV3bqxbYo
    Ob8VZRzI9neWagqNdwvYkQsEjgfbKbYK7p2CNTUQ
    -----END CERTIFICATE-----

Spring SAML 不使用 Java 默认密钥库中的可信 CA,以便更好地控制哪些证书颁发机构是可信的。