The conclusion first: the problem was solved by upgrading macOS to the latest Tahoe 26.0.1.

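The cause of the error is unknown. I asked AI, and it did not give a working solution either.
Still investigating...
Back to the main story. This error was baffling: it appeared suddenly and went away just as suddenly.
Symptom 1: the error occurs only locally; the uat, pre and pro environments are all fine.
Symptom 2: the same project ran fine locally on Monday [10.20].
It started failing on Tuesday [10.21] and kept failing until today.
1. Java reports this error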
unable to find valid certification path to requested target

Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:439) ~[na:1.8.0_361]
at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:306) ~[na:1.8.0_361]
at sun.security.validator.Validator.validate(Validator.java:271) ~[na:1.8.0_361]
at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:312) ~[na:1.8.0_361]
at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:221) ~[na:1.8.0_361]
at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:128) ~[na:1.8.0_361]
at sun.security.ssl.CertificateMessage$T13CertificateConsumer.checkServerCerts(CertificateMessage.java:1339) ~[na:1.8.0_361]
... 26 common frames omitted
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141) ~[na:1.8.0_361]
at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126) ~[na:1.8.0_361]
at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280) ~[na:1.8.0_361]
at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:434) ~[na:1.8.0_361]
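... 32 common frames omitted
The project hits this error because it depends on Alibaba's dingtalk package, a component that periodically polls a remote HTTPS endpoint.
The full stack trace: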
2025-10-24 10:53:25.384 ERROR [connection-pool-2-1] com.dingtalk.open.app.stream.network.core.DefaultSessionPool - [TxId : , SpanId : ] [,,][] [DingTalk] establish connection failed, {}
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.ssl.Alert.createSSLException(Alert.java:131) ~[na:1.8.0_361]
at sun.security.ssl.TransportContext.fatal(TransportContext.java:370) ~[na:1.8.0_361]
at sun.security.ssl.TransportContext.fatal(TransportContext.java:313) ~[na:1.8.0_361]
at sun.security.ssl.TransportContext.fatal(TransportContext.java:308) ~[na:1.8.0_361]
at sun.security.ssl.CertificateMessage$T13CertificateConsumer.checkServerCerts(CertificateMessage.java:1355) ~[na:1.8.0_361]
at sun.security.ssl.CertificateMessage$T13CertificateConsumer.onConsumeCertificate(CertificateMessage.java:1230) ~[na:1.8.0_361]
at sun.security.ssl.CertificateMessage$T13CertificateConsumer.consume(CertificateMessage.java:1173) ~[na:1.8.0_361]
at sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:376) ~[na:1.8.0_361]
at sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:479) ~[na:1.8.0_361]
at sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:457) ~[na:1.8.0_361]
at sun.security.ssl.TransportContext.dispatch(TransportContext.java:200) ~[na:1.8.0_361]
at sun.security.ssl.SSLTransport.decode(SSLTransport.java:155) ~[na:1.8.0_361]
at sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1320) ~[na:1.8.0_361]
at sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1233) ~[na:1.8.0_361]
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:417) ~[na:1.8.0_361]
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:389) ~[na:1.8.0_361]
at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:558) ~[na:1.8.0_361]
at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:201) ~[na:1.8.0_361]
at sun.net.www.protocol.https.HttpsURLConnectionImpl.connect(HttpsURLConnectionImpl.java:167) ~[na:1.8.0_361]
at com.dingtalk.open.app.api.open.HttpOpenApiClient.openConnection(HttpOpenApiClient.java:48) ~[dingtalk-stream-1.3.2.jar:1.3.2]
at com.dingtalk.open.app.api.OpenDingTalkStreamClient.openConnection(OpenDingTalkStreamClient.java:84) ~[dingtalk-stream-1.3.2.jar:1.3.2]
at com.dingtalk.open.app.api.OpenDingTalkStreamClient.lambda$start$0(OpenDingTalkStreamClient.java:54) ~[dingtalk-stream-1.3.2.jar:1.3.2]
at com.dingtalk.open.app.stream.network.core.DefaultSessionPool$ConnectionTask.run(DefaultSessionPool.java:159) ~[dingtalk-stream-1.3.2.jar:1.3.2]
at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511) [na:1.8.0_361]
at java.util.concurrent.FutureTask.runAndReset(FutureTask.java:308) [na:1.8.0_361]
at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.access$301(ScheduledThreadPoolExecutor.java:180) [na:1.8.0_361]
at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:294) [na:1.8.0_361]
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) [na:1.8.0_361]
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) [na:1.8.0_361]
at shade.io.netty.util.concurrent.FastThreadLocalRunnable.run(FastThreadLocalRunnable.java:30) [dingtalk-stream-1.3.2.jar:1.3.2]
at java.lang.Thread.run(Thread.java:750) [na:1.8.0_361]
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:439) ~[na:1.8.0_361]
at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:306) ~[na:1.8.0_361]
at sun.security.validator.Validator.validate(Validator.java:271) ~[na:1.8.0_361]
at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:312) ~[na:1.8.0_361]
at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:221) ~[na:1.8.0_361]
at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:128) ~[na:1.8.0_361]
at sun.security.ssl.CertificateMessage$T13CertificateConsumer.checkServerCerts(CertificateMessage.java:1339) ~[na:1.8.0_361]
... 26 common frames omitted
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141) ~[na:1.8.0_361]
at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126) ~[na:1.8.0_361]
at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280) ~[na:1.8.0_361]
at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:434) ~[na:1.8.0_361]
... 32 common frames omitted
2. Python reports this error
'SSLError("Can't connect to HTTPS URL because the SSL module is not available.")': /simple/pip/
Everything worked fine before; I had even written quite a few tools with TRAE!!
The full error output:
% pip install -U pip
WARNING: Disabling truststore since ssl support is missing
WARNING: pip is configured with locations that require TLS/SSL, however the ssl module in Python is not available.
Requirement already satisfied: pip in /Users/cheng.tang/.pyenv/versions/3.11.10/lib/python3.11/site-packages (25.2)
WARNING: Retrying (Retry(total=4, connect=None, read=None, redirect=None, status=None)) after connection broken by 'SSLError("Can't connect to HTTPS URL because the SSL module is not available.")': /simple/pip/
WARNING: Retrying (Retry(total=3, connect=None, read=None, redirect=None, status=None)) after connection broken by 'SSLError("Can't connect to HTTPS URL because the SSL module is not available.")': /simple/pip/
WARNING: Retrying (Retry(total=2, connect=None, read=None, redirect=None, status=None)) after connection broken by 'SSLError("Can't connect to HTTPS URL because the SSL module is not available.")': /simple/pip/
WARNING: Retrying (Retry(total=1, connect=None, read=None, redirect=None, status=None)) after connection broken by 'SSLError("Can't connect to HTTPS URL because the SSL module is not available.")': /simple/pip/
WARNING: Retrying (Retry(total=0, connect=None, read=None, redirect=None, status=None)) after connection broken by 'SSLError("Can't connect to HTTPS URL because the SSL module is not available.")': /simple/pip/
Could not fetch URL https://pypi.org/simple/pip/: There was a problem confirming the ssl certificate: HTTPSConnectionPool(host='pypi.org', port=443): Max retries exceeded with url: /simple/pip/ (Caused by SSLError("Can't connect to HTTPS URL because the SSL module is not available.")) - skipping
None of these errors are at the application level, and at first I had no idea where to start.
When in doubt, ask AI!!!
First, the "PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested " error.
I asked Doubao at the time:

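It gave two solutions:
Method 1: import the server certificate into the Java trust store (recommended, suitable for production)
Use the keytool utility to add the server certificate to Java's trusted certificate store, as follows:
Obtain the server certificate
Open the target HTTPS address in a browser (e.g. https://xxx.com), click the lock icon in the address bar → view certificate → export certificate (choose the Base64-encoded X.509 (.CER) format), and save it as server.cer.
Method 2: temporarily bypass certificate validation (development and testing only; forbidden in production)
Ignore certificate validation in code (this is a security risk and may expose you to man-in-the-middle attacks). Example code: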
    import javax.net.ssl.*;
    import java.security.cert.X509Certificate;

    public class SSLUtils {
        // Disable SSL certificate validation
        public static void disableSSLVerification() {
            try {
                // Create a TrustManager that trusts every certificate
                TrustManager[] trustAllCerts = new TrustManager[]{
                    new X509TrustManager() {
                        public X509Certificate[] getAcceptedIssuers() {
                            return null;
                        }
                        public void checkClientTrusted(X509Certificate[] certs, String authType) {}
                        public void checkServerTrusted(X509Certificate[] certs, String authType) {}
                    }
                };
                // Install the trust manager
                SSLContext sc = SSLContext.getInstance("SSL");
                sc.init(null, trustAllCerts, new java.security.SecureRandom());
                HttpsURLConnection.setDefaultSSLSocketFactory(sc.getSocketFactory());
                // Ignore hostname verification (optional; needed when the certificate's domain does not match the domain actually accessed)
                HostnameVerifier allHostsValid = (hostname, session) -> true;
                HttpsURLConnection.setDefaultHostnameVerifier(allHostsValid);
            } catch (Exception e) {
                e.printStackTrace();
            }
        }
    }

This felt unreliable.
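Method 1 first:
Every HTTPS call the project makes fails, so how am I supposed to add certificates with keytool?
Clearly wrong.
Then method 2:
uat, pre and pro are all fine; only the local environment shows this error at runtime, and it only started on 10.21. And you want me to "bypass certificate validation"? Obviously unreliable.
Now the "ssl module in Python is not available" error.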

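What the LLM said was quite right; it just did not work. I can't remember exactly why it failed or what the errors were, so I won't paste the full solution the AI gave.
At the time the commands seemed slow to run, so I turned on the VPN.
But the VPN reported a similar error too: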

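I was at my wits' end...
I could not test the newly developed feature locally, no solution was in sight, and the errors looked like they came from the system, so I decided to just upgrade the Mac and see.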


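After that, re-running Python's pip command worked.
Starting the SpringBoot project again, the error above was gone.
I have not studied TLS/certificate issues in depth so far. Could an expert weigh in:
1. What caused the errors?
2. How can this be solved at low cost?
Addendum: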
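The "chain of trust" is the core mechanism of SSL/TLS certificate validation. In essence it is a hierarchical system of identity endorsement, used to ensure that the server you are visiting is genuine and trustworthy rather than a phishing site or one forged by a man-in-the-middle.
Think of it as ID card verification: your ID card is issued by the local police station (the intermediate layer), and the police station's authority is granted by the public security bureau (the root layer). By following the chain "your ID card → police station → public security bureau", others can trust that your identity is real.
The chain of trust has a three-layer structure, which must be complete and traceable in order to pass validation: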
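If there is no known-good cacerts to copy from, reinstall the JDK directly (it ships with the complete default root certificates):
    sudo rm -rf "$JAVA_HOME"
    brew uninstall openjdk@8    # if it was installed via brew
With JAVA_HOME pointing to the newly installed JDK, verify the size of cacerts again (it should be back to normal).
Since the problem is already solved, I did not try this approach.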
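Before deleting a JDK, it is worth checking what the JVM actually loads as trust anchors, since a failure on every HTTPS endpoint points at the local trust store rather than at any one server. The following is an added example, not code from the original post or from Doubao's answer; the class name TrustStoreCheck is hypothetical, and the code only reads the default trust store without changing or bypassing validation.

```java
import java.io.File;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import java.util.Date;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

// Added diagnostic (hypothetical class name): reports which trust store file the
// JVM uses for HTTPS and how many root certificates it loads from it.
public class TrustStoreCheck {
    public static void main(String[] args) throws Exception {
        // JSSE lookup order: -Djavax.net.ssl.trustStore, then jssecacerts, then cacerts.
        String override = System.getProperty("javax.net.ssl.trustStore");
        File secDir = new File(System.getProperty("java.home"), "lib" + File.separator + "security");
        File jsse = new File(secDir, "jssecacerts");
        File cacerts = new File(secDir, "cacerts");
        File inUse = override != null ? new File(override) : (jsse.exists() ? jsse : cacerts);
        System.out.println("java.version : " + System.getProperty("java.version"));
        System.out.println("trust store  : " + inUse
                + " (" + (inUse.exists() ? inUse.length() + " bytes" : "MISSING") + ")");

        // A null KeyStore tells the factory to load the JVM default trust store.
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null);

        int total = 0;
        int expired = 0;
        Date now = new Date();
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (!(tm instanceof X509TrustManager)) {
                continue;
            }
            for (X509Certificate root : ((X509TrustManager) tm).getAcceptedIssuers()) {
                total++;
                if (root.getNotAfter().before(now)) {
                    expired++;
                    System.out.println("expired root : " + root.getSubjectX500Principal().getName());
                }
            }
        }
        System.out.println("trust anchors: " + total + " (" + expired + " expired)");
        if (total == 0) {
            System.out.println("=> No trust anchors loaded; the JVM cannot validate any server certificate.");
        }
    }
}
```

Run it with the same JDK that launches the application, and compare the file path, size and anchor count with a machine where the project still works.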
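Upgrading macOS also brings a new risk: sluggishness. This time the fix was to hand the Mac's CPU, memory and disk usage to an LLM; its advice was to clean up the disk and leave more free space.
I cleared 100G, raising the free disk space from 22G to 100G+, then rebooted the Mac, and it became much smoother.
That said, a colleague says it would have improved after a reboot even without cleaning up the disk...
Finally:
👨💻 Today is 1024 Programmer's Day!
A salute to every technologist who uses code as a pen
and wisdom to paint the future!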