MinIO: solving the "PKIX path building failed" SSL certificate verification error

Background

1. Our project needs to be integrated into a third-party platform that is accessed over HTTPS. At the beginning of the integration the MinIO server was plain HTTP, which can cause security problems during upload and download, so we later changed the MinIO service to HTTPS. For how to make that change, search Baidu yourself.

2. But when we use the MinIO HTTPS service, because the SSL certificate we use is one we generated ourselves, we can download files, but the "PKIX path building failed" error occurs when uploading a file.

javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.ssl.Alerts.getSSLException(Unknown Source)
at sun.security.ssl.SSLSocketImpl.fatal(Unknown Source)
at sun.security.ssl.Handshaker.fatalSE(Unknown Source)

Tracing the source code, we found that the error is caused by an untrusted certificate. new MinioClient() is essentially a wrapper around a network connection.

The solutions found online generally fall into two methods:

1. One is to download the certificate and import it on the client, that is, into our JDK. I imported it myself and it still didn't work (it may be that there are multiple certificates involved on my side, but in fact I imported them all, and in the end it still didn't work). I find this import very inconvenient: if I change servers, the certificates and the like must be re-imported.

2. Disable SSL verification in code.

Here we mainly talk about the second method.

Since the problem is in the HTTP connection, we look at how MinioClient establishes its HTTPS connection and start from there.

new MinioClient() is normally initialized with the URL, account and password, but what we want here is to remove the security verification step when connecting. Looking at the source code, MinioClient has several overloaded constructors. Finally we discover one that accepts an OkHttpClient.

Isn't this exactly what we want? Just remove the SSL verification when initializing the HTTP client. Here is the code.

Remove SSL verification

The code: an OkHttpClient that connects without SSL verification. Its trust manager accepts any certificate chain and its hostname verifier accepts any host name.

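import java.security.KeyManagementException;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSession;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;
import okhttp3.OkHttpClient;

public class SslUtils {
    public static OkHttpClient getUnsafeOkHttpClent() throws KeyManagementException {
        try {
            // Trust manager whose checks are empty: every certificate chain is accepted.
            final TrustManager[] trustAllCerts = new TrustManager[]{
                    new X509TrustManager() {
                        @Override
                        public void checkClientTrusted(X509Certificate[] x509Certificates, String s) throws CertificateException {
                        }

                        @Override
                        public void checkServerTrusted(X509Certificate[] x509Certificates, String s) throws CertificateException {
                        }

                        @Override
                        public X509Certificate[] getAcceptedIssuers() {
                            return new X509Certificate[]{};
                        }
                    }
            };

            final SSLContext sslContext = SSLContext.getInstance("SSL");
            sslContext.init(null, trustAllCerts, new SecureRandom());
            final SSLSocketFactory sslSocketFactory = sslContext.getSocketFactory();
            OkHttpClient.Builder builder = new OkHttpClient.Builder();
            // The one-argument sslSocketFactory(...) is deprecated; pass the trust manager explicitly.
            builder.sslSocketFactory(sslSocketFactory, (X509TrustManager) trustAllCerts[0]);

            // Hostname verifier that accepts any host name for any certificate.
            builder.hostnameVerifier(new HostnameVerifier() {
                @Override
                public boolean verify(String s, SSLSession sslSession) {
                    return true;
                }
            });
            return builder.build();

        } catch (NoSuchAlgorithmException e) {
            // Fail loudly instead of printing the stack trace and returning null.
            throw new IllegalStateException("SSL context not available", e);
        }
    }
}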

Using it with MinIO

// Remove SSL verification
OkHttpClient okHttpClient = SslUtils.getUnsafeOkHttpClent();
// MinioClient minioClient = new MinioClient(minioUrl, minioName, minioPass);
MinioClient minioClient = new MinioClient(minioUrl, 9000, minioName, minioPass,
        null, true, okHttpClient);

This solves the problem of SSL certificate verification. I hope it will be helpful to everyone.


Origin blog.csdn.net/u010445301/article/details/108058005