PKIXNameConstraintValidatorException: DNS is not from a permitted subtree
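I am loading one of the SSL certificates from a .crt file to access a resource. But when I call that intranet resource, I get the following exception. Can anyone suggest how to overcome this? Also, can I disable the DNS check?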
...
Caused by: sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: Subtree check for certificate subject alternative name failed.
at sun.security.validator.PKIXValidator.doValidate(PKIXValidator.java:362)
at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:270)
at sun.security.validator.Validator.validate(Validator.java:260)
at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324)
at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:229)
at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:124)
at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1496)
... 81 more
Caused by: java.security.cert.CertPathValidatorException: Subtree check for certificate subject alternative name failed.
at org.bouncycastle.jce.provider.RFC3280CertPathUtilities.processCertBC(Unknown Source)
at org.bouncycastle.jce.provider.PKIXCertPathValidatorSpi.engineValidate(Unknown Source)
at java.security.cert.CertPathValidator.validate(CertPathValidator.java:292)
at sun.security.validator.PKIXValidator.doValidate(PKIXValidator.java:357)
... 87 more
Caused by: org.bouncycastle.jce.provider.PKIXNameConstraintValidatorException: DNS is not from a permitted subtree.
at org.bouncycastle.jce.provider.PKIXNameConstraintValidator.checkPermittedDNS(Unknown Source)
at org.bouncycastle.jce.provider.PKIXNameConstraintValidator.checkPermitted(Unknown Source)
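I found the answer to this problem and am sharing it in case it saves others time.
It was observed that in some cases the CA root certificate alone is not enough. But when the other intermediate certificates were also loaded, the problem did not occur. So basically the entire certificate chain is needed to overcome this problem. A combination of upgrading the Bouncy Castle library and including the entire certificate chain worked for me.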
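The approach the answer describes (loading the whole chain rather than only the root), as an added example that is not part of the original post: it loads every certificate found in the given .crt files into an in-memory trust store and reports which ones carry a Name Constraints extension, the source of the permitted-subtree check. The class name, the file paths passed on the command line and the alias scheme are assumptions.

```java
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

public class ChainTrustStore {
    // OID of the X.509 Name Constraints extension (RFC 5280, section 4.2.1.10).
    private static final String NAME_CONSTRAINTS_OID = "2.5.29.30";

    /** Builds an SSLContext that trusts every certificate in the given PEM/DER files. */
    public static SSLContext fromCertFiles(String... paths) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
        trustStore.load(null, null); // start from an empty in-memory store

        int n = 0;
        for (String path : paths) {
            try (InputStream in = Files.newInputStream(Paths.get(path))) {
                // generateCertificates reads every certificate in a bundle,
                // so a file holding root + intermediates is loaded in full.
                for (Certificate c : cf.generateCertificates(in)) {
                    X509Certificate x = (X509Certificate) c;
                    trustStore.setCertificateEntry("ca-" + (n++), x);
                    boolean constrained = x.getExtensionValue(NAME_CONSTRAINTS_OID) != null;
                    System.out.printf("%s basicConstraints=%d nameConstraints=%b%n",
                            x.getSubjectX500Principal().getName(),
                            x.getBasicConstraints(), constrained);
                }
            }
        }
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        // Hypothetical usage: java ChainTrustStore root.crt intermediate.crt
        fromCertFiles(args);
        System.out.println("Trust store built; hostname and name-constraint checks stay enabled.");
    }
}
```

A certificate printed with `nameConstraints=true` is the one whose permitted subtrees the server's subject alternative names must fall under.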