java | auth_error | ai_generated: true
javax.net.ssl.SSLException: Received fatal alert: certificate_unknown
ID: java/ssl-exception-untrusted-cert
Fix Rate: 88% | Confidence: 84% | Evidence: 1 | First Seen: 2023-06-12
Version Compatibility
| Version | Status | Introduced | Deprecated | Notes |
|---|---|---|---|---|
| Java 8 | active | — | — | — |
| Java 11 | active | — | — | — |
| Java 17 | active | — | — | — |
| OpenJDK 11.0.18 | active | — | — | — |
| Apache Tomcat 9 | active | — | — | — |
| Spring Boot 2.7 | active | — | — | — |
Root Cause
SSLException with certificate_unknown occurs when the SSL/TLS handshake fails because the server's certificate is not trusted by the client, often due to a missing or invalid root CA in the truststore.
Official Documentation
https://docs.oracle.com/javase/8/docs/technotes/guides/security/jsse/JSSERefGuide.html
Workarounds
- 90% success: Import the server's certificate into the JVM truststore using keytool: `keytool -import -alias myserver -keystore $JAVA_HOME/lib/security/cacerts -file server.crt -storepass changeit`
- 85% success: Set the system property to use a custom truststore: `-Djavax.net.ssl.trustStore=/path/to/truststore.jks -Djavax.net.ssl.trustStorePassword=changeit`
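As an added example (not code from the original page), the programmatic equivalent of the custom-truststore workaround: one client loads its own JKS truststore into an SSLContext instead of editing the JVM-wide cacerts or setting global system properties, and keeps full PKIX chain validation. The truststore path, password and URL are assumed placeholders.

```java
import java.io.InputStream;
import java.net.URL;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.util.Collections;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLException;
import javax.net.ssl.TrustManagerFactory;

public final class CustomTruststoreClient {

    /** Builds an SSLContext that trusts only the CA certificates in the given JKS truststore. */
    public static SSLContext contextFromTruststore(Path truststore, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = Files.newInputStream(truststore)) {
            ks.load(in, password);
        }
        // Sanity check: an empty truststore is the most common reason the
        // handshake still fails after switching to a custom file.
        if (Collections.list(ks.aliases()).isEmpty()) {
            throw new IllegalStateException("truststore contains no entries: " + truststore);
        }
        // The default algorithm ("PKIX") performs full chain validation; this is
        // what a permissive trust-everything manager would skip.
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        // Placeholder values; pass the real truststore path as the first argument.
        Path truststore = Paths.get(args.length > 0 ? args[0] : "/path/to/truststore.jks");
        SSLContext ctx = contextFromTruststore(truststore, "changeit".toCharArray());

        HttpsURLConnection conn = (HttpsURLConnection) new URL("https://example.internal/").openConnection();
        // Scoped to this connection only; the rest of the JVM keeps its default trust.
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        try {
            System.out.println("HTTP " + conn.getResponseCode());
        } catch (SSLException e) {
            // Same failure class the page describes: the chain is not anchored in the truststore.
            System.err.println("TLS handshake failed: " + e.getMessage());
        } finally {
            conn.disconnect();
        }
    }
}
```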
Dead Ends
Common approaches that don't work:
- 50% fail: The error is about trust, not cipher suite compatibility; disabling ECC may break other connections.
- 95% fail: It opens the system to man-in-the-middle attacks; also, some security policies may reject such code.