java.security.cert.CertPathValidatorException: Trust anchor for certification path not found.
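A web search suggested that the intermediate certificate is missing. How can you tell? There are two ways.
1. http://stackoverflow.com/questions/6825226/trust-anchor-not-found-for-android-ssl-connection
The second answer there explains it: run openssl s_client -debug -connect www.thedomaintocheck.com:443
The output shows: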
Certificate chain
0 s:/OU=Domain Control Validated/CN=www.thedomaintocheck.com
i:/O=AlphaSSL/CN=AlphaSSL CA - G2
The chain contains only one certificate.
2. Check with an online tool
https://www.myssl.cn/tools/check-server-cert.html
It states clearly that there is no intermediate certificate.
For the cause, see this article:
http://blog.sina.com.cn/s/blog_53ed87c10102vn8b.html
A related lead also turned up on stackoverflow:
The problem was because my .crt doesn’t include the intermediate cert.
This instruction could help you to set up nginx correctly with a RapidSSL certificate.
After you have got your cert, you should make a concatenated file of the Intermediate CA and the SSL Certificate with:
cat IntermediateCA.crt >> ssl_concatenated_certificate.crt
And then use this concatenated file in nginx config:
ssl_certificate /etc/ssl/ssl_concatenated_certificate.crt;
And on this page you can check, if your certificate is installed correctly. You should see something like
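Since the intermediate certificate is missing, let's get one. It can be downloaded from the official website of the issuing certificate authority
(the VeriSign/Thawte/Geotrust official websites).
Mine was issued by Starfield Root Certificate Authority, and I could not find it on the official site. So I generated one with an online tool: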
https://www.myssl.cn/tools/downloadchain.html
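This produced a chain.crt. Open it in a text editor, copy everything, and paste it at the end of server.crt.
nginx configuration: ssl_certificate /usr/local/nginx/ssl/server.crt;
Then I checked with the tool again and everything was perfect. Done, time to go home.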
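The first check above (reading the "Certificate chain" section of openssl s_client output) can be scripted so it can be repeated after the fix. This is an added example, not code from the original post or the linked answer; chain_summary and the two sample functions are hypothetical names, and "Example Root CA" is a constructed value. It assumes that a single non-self-signed certificate means the intermediate is missing, which would also flag a leaf issued directly by a trusted root.

```sh
# Added example. Reads `openssl s_client` output on stdin, for instance:
#   openssl s_client -connect www.thedomaintocheck.com:443 </dev/null 2>/dev/null | chain_summary
# Prints one summary line; exits 1 when only a non-self-signed leaf was sent.
chain_summary() {
    awk '
        BEGIN { linked = "yes"; n = 0 }
        /^Certificate chain/ { in_chain = 1; next }
        in_chain && /^---/   { in_chain = 0 }
        in_chain && /^ *[0-9]+ s:/ {
            sub(/^ *[0-9]+ s:/, "")
            # every certificate after the first must be the issuer of the previous one
            if (n > 0 && $0 != issuer) linked = "no"
            subject = $0; n++
            next
        }
        in_chain && /^ *i:/ { sub(/^ *i:/, ""); issuer = $0 }
        END {
            printf "sent=%d linked=%s top_issuer=%s\n", n, linked, issuer
            exit (n == 1 && subject != issuer)
        }
    '
}

# The chain section shown on this page (leaf only).
sample_leaf_only() {
    cat <<'EOF'
Certificate chain
 0 s:/OU=Domain Control Validated/CN=www.thedomaintocheck.com
   i:/O=AlphaSSL/CN=AlphaSSL CA - G2
---
EOF
}

# Constructed sample: the same server after the intermediate was appended.
sample_with_intermediate() {
    cat <<'EOF'
Certificate chain
 0 s:/OU=Domain Control Validated/CN=www.thedomaintocheck.com
   i:/O=AlphaSSL/CN=AlphaSSL CA - G2
 1 s:/O=AlphaSSL/CN=AlphaSSL CA - G2
   i:/O=Example Root/CN=Example Root CA
---
EOF
}

sample_leaf_only | chain_summary || echo "intermediate certificate missing"
sample_with_intermediate | chain_summary && echo "chain looks complete"
```

linked=no in the summary means the certificates in the file are in the wrong order or do not belong together; for nginx the server certificate comes first, followed by the intermediate.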