{
  "id": "java/ssl-exception-untrusted-cert",
  "signature": "javax.net.ssl.SSLException: Received fatal alert: certificate_unknown",
  "signature_zh": "javax.net.ssl.SSLException: 收到致命警报: certificate_unknown",
  "regex": "javax\\.net\\.ssl\\.SSLException: Received fatal alert: certificate_unknown",
  "domain": "java",
  "category": "auth_error",
  "subcategory": null,
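  "root_cause": "SSLException with certificate_unknown occurs when the SSL/TLS handshake fails because the server's certificate is not trusted by the client, often due to a missing or invalid root CA in the truststore. 'Received fatal alert' means the remote peer sent the alert, so the truststore to inspect is the one on the side that rejected the certificate.",
  "root_cause_type": "generic",
  "root_cause_zh": "带有 certificate_unknown 的 SSLException 在 SSL/TLS 握手失败时发生，因为服务器的证书不被客户端信任，通常是由于信任库中缺少根 CA 或根 CA 无效。'Received fatal alert' 表示该警报由远端对等方发出，因此应检查的是拒绝证书一方的信任库。",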
  "versions": [
    {
      "version": "Java 8",
      "introduced": null,
      "deprecated": null,
      "removed": null,
      "behavior_change": null,
      "status": "active"
    },
    {
      "version": "Java 11",
      "introduced": null,
      "deprecated": null,
      "removed": null,
      "behavior_change": null,
      "status": "active"
    },
    {
      "version": "Java 17",
      "introduced": null,
      "deprecated": null,
      "removed": null,
      "behavior_change": null,
      "status": "active"
    },
    {
      "version": "OpenJDK 11.0.18",
      "introduced": null,
      "deprecated": null,
      "removed": null,
      "behavior_change": null,
      "status": "active"
    },
    {
      "version": "Apache Tomcat 9",
      "introduced": null,
      "deprecated": null,
      "removed": null,
      "behavior_change": null,
      "status": "active"
    },
    {
      "version": "Spring Boot 2.7",
      "introduced": null,
      "deprecated": null,
      "removed": null,
      "behavior_change": null,
      "status": "active"
    }
  ],
  "os_specific": {},
  "dead_ends": [
    {
      "action": "",
      "why_fails": "The error is about trust, not cipher suite compatibility; disabling ECC may break other connections.",
      "fail_rate": 0.5,
      "condition": "",
      "sources": []
    },
    {
      "action": "",
      "why_fails": "It opens the system to man-in-the-middle attacks; also, some security policies may reject such code.",
      "fail_rate": 0.95,
      "condition": "",
      "sources": []
    }
  ],
  "workarounds": [
    {
      "action": "Import the server's certificate into the JVM truststore using keytool: keytool -import -alias myserver -keystore $JAVA_HOME/lib/security/cacerts -file server.crt -storepass changeit",
      "success_rate": 0.9,
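      "how": "Import the server's certificate into the JVM truststore using keytool: keytool -import -alias myserver -keystore $JAVA_HOME/lib/security/cacerts -file server.crt -storepass changeit. On a Java 8 JDK the file is under $JAVA_HOME/jre/lib/security/cacerts. Confirm the certificate's fingerprint through a trusted channel before importing, because every application that uses this JVM's cacerts will then trust it.",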
      "condition": "",
      "sources": []
    },
    {
      "action": "Set the system property to use a custom truststore: -Djavax.net.ssl.trustStore=/path/to/truststore.jks -Djavax.net.ssl.trustStorePassword=changeit",
      "success_rate": 0.85,
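      "how": "Set the system property to use a custom truststore: -Djavax.net.ssl.trustStore=/path/to/truststore.jks -Djavax.net.ssl.trustStorePassword=changeit. The custom truststore replaces the default cacerts rather than adding to it, so it must contain every CA the application needs to trust.",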
      "condition": "",
      "sources": []
    }
  ],
  "workarounds_zh": [
    "使用 keytool 将服务器证书导入 JVM 信任库：keytool -import -alias myserver -keystore $JAVA_HOME/lib/security/cacerts -file server.crt -storepass changeit",
    "通过系统属性指定自定义信任库：-Djavax.net.ssl.trustStore=/path/to/truststore.jks -Djavax.net.ssl.trustStorePassword=changeit"
  ],
  "transition_graph": {
    "leads_to": [],
    "preceded_by": [],
    "frequently_confused_with": []
  },
  "official_doc_url": "https://docs.oracle.com/javase/8/docs/technotes/guides/security/jsse/JSSERefGuide.html",
  "official_doc_section": null,
  "error_code": null,
  "verification_tier": "ai_generated",
  "confidence": 0.84,
  "fix_success_rate": 0.88,
  "resolvable": "true",
  "first_seen": "2023-06-12",
  "last_confirmed": "2024-06-01",
  "last_updated": "2024-06-01",
  "evidence_count": 1,
  "tags": [],
  "locale": "en",
  "aliases": []
}