java
auth_error
ai_generated
true
javax.net.ssl.SSLException: 收到致命警报: certificate_unknown
javax.net.ssl.SSLException: Received fatal alert: certificate_unknown
ID: java/ssl-exception-untrusted-cert
88%修复率
84%置信度
1证据数
2023-06-12首次发现
版本兼容性
| 版本 | 状态 | 引入 | 弃用 | 备注 |
|---|---|---|---|---|
| Java 8 | active | — | — | — |
| Java 11 | active | — | — | — |
| Java 17 | active | — | — | — |
| OpenJDK 11.0.18 | active | — | — | — |
| Apache Tomcat 9 | active | — | — | — |
| Spring Boot 2.7 | active | — | — | — |
根因分析
带有 certificate_unknown 的 SSLException 在 SSL/TLS 握手失败时发生,因为服务器的证书不被客户端信任,通常是由于信任库中缺少或无效的根 CA。
English
SSLException with certificate_unknown occurs when the SSL/TLS handshake fails because the server's certificate is not trusted by the client, often due to a missing or invalid root CA in the truststore.
官方文档
https://docs.oracle.com/javase/8/docs/technotes/guides/security/jsse/JSSERefGuide.html解决方案
-
Import the server's certificate into the JVM truststore using keytool: keytool -import -alias myserver -keystore $JAVA_HOME/lib/security/cacerts -file server.crt -storepass changeit
-
Set the system property to use a custom truststore: -Djavax.net.ssl.trustStore=/path/to/truststore.jks -Djavax.net.ssl.trustStorePassword=changeit
无效尝试
常见但无效的做法:
-
50% 失败
The error is about trust, not cipher suite compatibility; disabling ECC may break other connections.
-
95% 失败
It opens the system to man-in-the-middle attacks; also, some security policies may reject such code.