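Java MQTT connection with SSL certificate authentication reports "is not a CA certificate"; it runs fine in the development environment but fails to connect in production
Production system version: CentOS Linux release 8.4.2105; development environment: Windows 10
Core code: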
public void start() {
    String serverUrl = "ssl://*****:5698";
    String caCrtFile = "/usr/local/web/ssl/caCert.pem";
    String crtFile = "/usr/local/web/ssl/Jd3BCq_cert.txt";
    String keyFile = "/usr/local/web/ssl/Jd3BCq_keys.txt";
    try {
        MqttClient client = new MqttClient(serverUrl,
                "T" + System.currentTimeMillis(), new MemoryPersistence());
        MqttConnectOptions options = new MqttConnectOptions();
        options.setCleanSession(true);
        // Set the connection timeout
        options.setConnectionTimeout(10);
        // Set the session keep-alive interval
        options.setKeepAliveInterval(20);
        // Hostname verification is turned off: the server name is not checked against the certificate
        options.setHttpsHostnameVerificationEnabled(false);
        // Build the socket factory from the CA certificate, client certificate and client key (empty key password)
        SSLSocketFactory factory = SslUtil.getSocketFactory(
                caCrtFile, crtFile, keyFile, "");
        options.setSocketFactory(factory);
        client.connect(options);
        System.out.println("服务端已运行");
    } catch (Exception e) {
        e.printStackTrace();
    }
}
Spring Boot pom.xml:
<dependencies>
    <dependency>
        <groupId>io.grpc</groupId>
        <artifactId>grpc-protobuf</artifactId>
        <version>1.18.0</version>
    </dependency>
    <dependency>
        <groupId>org.eclipse.paho</groupId>
        <artifactId>org.eclipse.paho.client.mqttv3</artifactId>
        <version>1.2.1</version>
    </dependency>
    <dependency>
        <groupId>bouncycastle</groupId>
        <artifactId>bcprov-jdk15</artifactId>
        <version>140</version>
    </dependency>
    <dependency>
        <groupId>org.springframework.boot</groupId>
        <artifactId>spring-boot-starter-web</artifactId>
    </dependency>
</dependencies>
The following error occurs when the code is called in the production environment:
MqttException (0) - javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path validation failed: sun.security.validator.ValidatorException: TrustAnchor with subject "EMAILADDRESS=iot@baidu.com, CN=2021-q1-unstack, OU=iot, O=Default Company Ltd, ST=Beijing, C=CN" is not a CA certificate
at org.eclipse.paho.client.mqttv3.internal.ExceptionHelper.createMqttException(ExceptionHelper.java:38)
at org.eclipse.paho.client.mqttv3.internal.ClientComms$ConnectBG.run(ClientComms.java:736)
at java.lang.Thread.run(Thread.java:748)
Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path validation failed: sun.security.validator.ValidatorException: TrustAnchor with subject "EMAILADDRESS=iot@baidu.com, CN=2021-q1-unstack, OU=iot, O=Default Company Ltd, ST=Beijing, C=CN" is not a CA certificate
at sun.security.ssl.Alert.createSSLException(Alert.java:131)
at sun.security.ssl.TransportContext.fatal(TransportContext.java:353)
at sun.security.ssl.TransportContext.fatal(TransportContext.java:296)
at sun.security.ssl.TransportContext.fatal(TransportContext.java:291)
at sun.security.ssl.CertificateMessage$T12CertificateConsumer.checkServerCerts(CertificateMessage.java:652)
at sun.security.ssl.CertificateMessage$T12CertificateConsumer.onCertificate(CertificateMessage.java:471)
at sun.security.ssl.CertificateMessage$T12CertificateConsumer.consume(CertificateMessage.java:367)
at sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:376)
at sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:444)
at sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:422)
at sun.security.ssl.TransportContext.dispatch(TransportContext.java:183)
at sun.security.ssl.SSLTransport.decode(SSLTransport.java:154)
at sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1279)
at sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1188)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:401)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:373)
at org.eclipse.paho.client.mqttv3.internal.SSLNetworkModule.start(SSLNetworkModule.java:149)
at org.eclipse.paho.client.mqttv3.internal.ClientComms$ConnectBG.run(ClientComms.java:722)
... 1 more
Caused by: sun.security.validator.ValidatorException: PKIX path validation failed: sun.security.validator.ValidatorException: TrustAnchor with subject "EMAILADDRESS=iot@baidu.com, CN=2021-q1-unstack, OU=iot, O=Default Company Ltd, ST=Beijing, C=CN" is not a CA certificate
at sun.security.validator.PKIXValidator.doValidate(PKIXValidator.java:369)
at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:275)
at sun.security.validator.Validator.validate(Validator.java:271)
at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:312)
at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:221)
at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:128)
at sun.security.ssl.CertificateMessage$T12CertificateConsumer.checkServerCerts(CertificateMessage.java:636)
... 14 more
Caused by: sun.security.validator.ValidatorException: TrustAnchor with subject "EMAILADDRESS=iot@baidu.com, CN=2021-q1-unstack, OU=iot, O=Default Company Ltd, ST=Beijing, C=CN" is not a CA certificate
at sun.security.validator.PKIXValidator.verifyTrustAnchor(PKIXValidator.java:393)
at sun.security.validator.PKIXValidator.toArray(PKIXValidator.java:333)
at sun.security.validator.PKIXValidator.doValidate(PKIXValidator.java:366)
... 20 more
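
A diagnostic for the error above, added here as an example and not part of the original post: it loads every certificate in a PEM file and reports the properties that determine whether it can serve as a CA trust anchor (X.509 version, basicConstraints, and the keyCertSign bit of keyUsage). The class name `TrustAnchorCheck` and the helper `whyNotCa` are hypothetical; the default path is the `caCrtFile` from the post, and the sketch assumes the `jdk.security.allowNonCaAnchor` system property is the JDK switch that relaxes this check.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;

// Added diagnostic (not from the original post): reports whether each
// certificate in a PEM file is usable as a CA trust anchor.
public class TrustAnchorCheck {

    // Returns null if the certificate passes the CA checks, otherwise the reason.
    static String whyNotCa(X509Certificate cert) {
        if (cert.getVersion() < 3) {
            return null; // v1/v2 certificates carry no extensions to check
        }
        if (cert.getBasicConstraints() == -1) { // -1 means "not a CA"
            return "basicConstraints is absent or has CA:FALSE";
        }
        boolean[] keyUsage = cert.getKeyUsage();
        if (keyUsage != null && !keyUsage[5]) { // index 5 = keyCertSign
            return "keyUsage is present but lacks keyCertSign";
        }
        return null;
    }

    public static void main(String[] args) throws Exception {
        // Default path is the caCrtFile from the post; pass another as args[0].
        String path = args.length > 0 ? args[0] : "/usr/local/web/ssl/caCert.pem";
        // Print these on both machines to compare development and production.
        System.out.println("java.version = " + System.getProperty("java.version"));
        System.out.println("jdk.security.allowNonCaAnchor = "
                + System.getProperty("jdk.security.allowNonCaAnchor"));
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        try (InputStream in = new FileInputStream(path)) {
            for (Certificate c : cf.generateCertificates(in)) {
                X509Certificate cert = (X509Certificate) c;
                String reason = whyNotCa(cert);
                System.out.println(cert.getSubjectX500Principal().getName());
                System.out.println("  version=" + cert.getVersion()
                        + " basicConstraints=" + cert.getBasicConstraints());
                System.out.println("  " + (reason == null
                        ? "OK: usable as a CA trust anchor"
                        : "NOT A CA: " + reason));
            }
        }
    }
}
```

If the file is reported as not a CA, the durable fix is to have the CA certificate reissued with `basicConstraints=CA:TRUE`, or to trust the actual issuing CA, rather than relaxing validation on the client.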