Java 7 에서는 Security 관련 변경사항이 많다.
$JAVA_HOME/jre/lib/security/java.security
파일에서 다음을 주석처리한다.#jdk.certpath.disabledAlgorithms=MD2, RSA keySize < 1024 #jdk.tls.disabledAlgorithms=SSLv3
keytool -importkeystore -destkeystore CERTIFICATES.jks -srckeystore CERTIFICATES.p12 -srcstoretype PKCS12
-Dhttps.cipherSuites=TLS_RSA_WITH_AES_256_CBC_SHA256
) and the problem went away. So I think we have a workaround.The source of this error on my Apache 2.4 instance (using a Comodo wildcard certificate) was an incomplete path to the SHA-1 signed root certificate. There were multiple chains in the issued certificate, and the chain leading to a SHA-1 root certificate was missing an intermediate certificate. Modern browsers know how to handle this, but Java 7 doesn't handle it by default (although there are some convoluted ways to accomplish this in code). The result is error messages that look identical to the case of self-signed certificates:
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:196) at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:268) at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:380) ... 22 more
In this case, the “unable to find valid certification path to requested target” message is being produced due to the missing intermediate certificate. You can check which certificate is missing using SSL Labs test against the server. Once you find the appropriate certificate, download it and (if the server is under your control) add it to the certificate bundle. Alternatively, you can import the missing certificate locally. Accommodating this issue on the server is a more general solution to the problem.