為什么 RestTemplate 調用 HTTPS 總報 “主機名不匹配”?CertificateException 根源解析
作者:一安
RestTemplate?能同時兼容HTTP和HTTPS?協議,是因為RestTemplate?底層會依據請求的URL?協議(http或https?)自動選擇對應的處理邏輯。
前言
在使用RestTemplate調用 API的過程中,我們可能會遇到java.security.cert.CertificateException: No name matching這樣的錯誤。
原因解析
java.security.cert.CertificateException: No name matching錯誤本質上是SSL證書驗證失敗的一種表現。當RestTemplate通過HTTPS協議調用API時,會對服務器返回的SSL證書進行驗證。其中,證書中的主機名(Common Name,簡稱 CN)或主題備用名稱(Subject Alternative Name,簡稱 SAN)需要與我們實際調用的API的主機名相匹配。如果不匹配,就會觸發該錯誤,這是Java的SSL/TLS機制為了保障通信安全而采取的措施,防止中間人攻擊等安全風險。
解決方法
方法一:忽略 SSL 證書驗證(僅適用于開發環境)
創建一個信任所有證書的SSLContext,并將其應用到RestTemplate中。具體代碼如下:
@Configuration
public class RestTemplateConfig {
@Bean
public RestTemplate restTemplate() throws Exception {
// 創建信任所有證書的SSLContext
SSLContext sslContext = SSLContext.getInstance("TLS");
TrustManager[] trustAllCerts = new TrustManager[]{
new X509TrustManager() {
@Override
public void checkClientTrusted(X509Certificate[] x509Certificates, String s) throws CertificateException {
}
@Override
public void checkServerTrusted(X509Certificate[] x509Certificates, String s) throws CertificateException {
}
@Override
public X509Certificate[] getAcceptedIssuers() {
return null;
}
}
};
sslContext.init(null, trustAllCerts, new java.security.SecureRandom());
// 創建HostnameVerifier,信任所有主機名
HostnameVerifier hostnameVerifier = (s, sslSession) -> true;
// 配置RestTemplate
SimpleClientHttpRequestFactory requestFactory = new SimpleClientHttpRequestFactory();
HttpsURLConnection.setDefaultSSLSocketFactory(sslContext.getSocketFactory());
HttpsURLConnection.setDefaultHostnameVerifier(hostnameVerifier);
requestFactory.setConnectTimeout(30000);
requestFactory.setReadTimeout(30000);
return new RestTemplate(requestFactory);
}
}方法二:配置正確的 SSL 證書(適用于生產環境)
- 獲取正確的SSL證書:從API服務提供商處獲取包含正確主機名(CN或SAN)的 SSL 證書,通常為.cer或.pem格式。
- 導入證書到信任庫:使用Java的keytool工具將證書導入到Java的信任庫中。命令如下:
keytool -import -alias apiCert -file /path/to/certificate.cer -keystore $JAVA_HOME/jre/lib/security/cacerts?
執行該命令時,需要輸入信任庫的默認密碼changeit
- 配置RestTemplate使用信任庫:在創建RestTemplate時,指定使用包含正確證書的信任庫。代碼如下:
@Configuration
public class RestTemplateConfig {
@Bean
public RestTemplate restTemplate() throws Exception {
// 加載信任庫
KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
FileInputStream fis = new FileInputStream("/path/to/truststore/apiCert.jks");
trustStore.load(fis, "truststorePassword".toCharArray());
fis.close();
// 初始化TrustManagerFactory
TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
tmf.init(trustStore);
// 創建SSLContext
SSLContext sslContext = SSLContext.getInstance("TLS");
sslContext.init(null, tmf.getTrustManagers(), new java.security.SecureRandom());
// 配置RestTemplate
SimpleClientHttpRequestFactory requestFactory = new SimpleClientHttpRequestFactory();
HttpsURLConnection.setDefaultSSLSocketFactory(sslContext.getSocketFactory());
requestFactory.setConnectTimeout(30000);
requestFactory.setReadTimeout(30000);
return new RestTemplate(requestFactory);
}
}總結
RestTemplate能同時兼容HTTP和HTTPS協議,是因為RestTemplate底層會依據請求的URL協議(http或https)自動選擇對應的處理邏輯。當請求為HTTP時,不會觸發SSL證書驗證相關的流程,直接按照HTTP的通信方式進行數據傳輸;當請求為HTTPS時,才會運用我們配置的SSLContext等相關參數進行證書驗證和加密通信。
在生產環境中,為了更靈活地兼容兩種協議,我們可以對RestTemplate的配置進行進一步優化,使用HttpComponentsClientHttpRequestFactory替代SimpleClientHttpRequestFactory,它對HTTP和HTTPS的支持更為完善。
public class RestTemplateConfig {
public RestTemplate restTemplate() throws Exception {
// 加載信任庫
KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
trustStore.load(new FileInputStream("path/to/truststore"), "truststorePassword".toCharArray());
// 構建SSLContext
SSLContext sslContext = SSLContextBuilder.create()
.loadTrustMaterial(trustStore, null)
.build();
// 創建SSL連接套接字工廠
SSLConnectionSocketFactory sslSocketFactory = new SSLConnectionSocketFactory(sslContext);
// 創建HttpClient
HttpClient httpClient = HttpClients.custom()
.setSSLSocketFactory(sslSocketFactory)
.build();
// 配置請求工廠
HttpComponentsClientHttpRequestFactory requestFactory = new HttpComponentsClientHttpRequestFactory(httpClient);
requestFactory.setConnectTimeout(30000);
requestFactory.setReadTimeout(30000);
return new RestTemplate(requestFactory);
}
}也可以SimpleClientHttpRequestFactory實現協議自適應處理,具體步驟如下:
public class DualProtocolRequestFactory extends SimpleClientHttpRequestFactory {
@Override
protected void prepareConnection(HttpURLConnection connection, String httpMethod) {
try {
// HTTP請求直接處理
if (!(connection instanceof HttpsURLConnection)) {
super.prepareConnection(connection, httpMethod);
return;
}
// HTTPS請求跳過證書驗證(僅測試環境)
HttpsURLConnection httpsConnection = (HttpsURLConnection) connection;
SSLContext sslContext = SSLContext.getInstance("TLS");
sslContext.init(null, new TrustManager[]{new BlindTrustManager()}, null);
httpsConnection.setSSLSocketFactory(sslContext.getSocketFactory());
httpsConnection.setHostnameVerifier((hostname, session) -> true); // 禁用主機名驗證
super.prepareConnection(httpsConnection, httpMethod);
} catch (Exception e) {
throw new RuntimeException("HTTPS配置失敗", e);
}
}
private static class BlindTrustManager implements X509TrustManager {
public X509Certificate[] getAcceptedIssuers() { return null; }
public void checkClientTrusted(X509Certificate[] certs, String authType) {}
public void checkServerTrusted(X509Certificate[] certs, String authType) {}
}
}責任編輯:武曉燕
來源:
一安未來
