
自动选取java8策略有误而引起的证书链过期问题

Open NuanRMxi opened this issue 1 month ago • 16 comments

检查项

描述

众所周知,旧版本java8出现了证书链过期引起的正版验证失败问题 ~~,本人游玩贪婪整合包,在游玩一段时间后崩溃~~,查看日志,出现以下内容:

[02:53:24] [Thread-2560/WARN]: Couldn't look up profile properties for com.mojang.authlib.GameProfile@19b46e75[id=d0250867-e089-3519-afc9-121652a3f941,name=atomicblom,properties={},legacy=false]
com.mojang.authlib.exceptions.AuthenticationUnavailableException: Cannot contact authentication server
	at com.mojang.authlib.yggdrasil.YggdrasilAuthenticationService.makeRequest(YggdrasilAuthenticationService.java:85) ~[YggdrasilAuthenticationService.class:?]
	at com.mojang.authlib.yggdrasil.YggdrasilMinecraftSessionService.fillGameProfile(YggdrasilMinecraftSessionService.java:180) [YggdrasilMinecraftSessionService.class:?]
	at com.mojang.authlib.yggdrasil.YggdrasilMinecraftSessionService.fillProfileProperties(YggdrasilMinecraftSessionService.java:173) [YggdrasilMinecraftSessionService.class:?]
	at net.minecraft.tileentity.TileEntitySkull.updateGameProfile(SourceFile:151) [awd.class:?]
	at ganymedes01.headcrumbs.utils.ThreadedProfileFiller$1.run(ThreadedProfileFiller.java:25) [ThreadedProfileFiller$1.class:?]
	at java.lang.Thread.run(Thread.java:745) [?:1.8.0_51]
Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
	at sun.security.ssl.Alerts.getSSLException(Alerts.java:192) ~[?:1.8.0_51]
	at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1949) ~[?:1.8.0_51]
	at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:302) ~[?:1.8.0_51]
	at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:296) ~[?:1.8.0_51]
	at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1497) ~[?:1.8.0_51]
	at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:212) ~[?:1.8.0_51]
	at sun.security.ssl.Handshaker.processLoop(Handshaker.java:979) ~[?:1.8.0_51]
	at sun.security.ssl.Handshaker.process_record(Handshaker.java:914) ~[?:1.8.0_51]
	at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1062) ~[?:1.8.0_51]
	at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1375) ~[?:1.8.0_51]
	at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1403) ~[?:1.8.0_51]
	at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1387) ~[?:1.8.0_51]
	at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:563) ~[?:1.8.0_51]
	at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185) ~[?:1.8.0_51]
	at sun.net.www.protocol.http.HttpURLConnection.getInputStream0(HttpURLConnection.java:1512) ~[?:1.8.0_51]
	at sun.net.www.protocol.http.HttpURLConnection.access$200(HttpURLConnection.java:90) ~[?:1.8.0_51]
	at sun.net.www.protocol.http.HttpURLConnection$9.run(HttpURLConnection.java:1432) ~[?:1.8.0_51]
	at sun.net.www.protocol.http.HttpURLConnection$9.run(HttpURLConnection.java:1430) ~[?:1.8.0_51]
	at java.security.AccessController.doPrivileged(Native Method) ~[?:1.8.0_51]
	at java.security.AccessController.doPrivileged(AccessController.java:713) ~[?:1.8.0_51]
	at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1429) ~[?:1.8.0_51]
	at sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(HttpsURLConnectionImpl.java:254) ~[?:1.8.0_51]
	at com.mojang.authlib.HttpAuthenticationService.performGetRequest(HttpAuthenticationService.java:130) ~[HttpAuthenticationService.class:?]
	at com.mojang.authlib.yggdrasil.YggdrasilAuthenticationService.makeRequest(YggdrasilAuthenticationService.java:66) ~[YggdrasilAuthenticationService.class:?]
	... 5 more
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
	at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:387) ~[?:1.8.0_51]
	at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:292) ~[?:1.8.0_51]
	at sun.security.validator.Validator.validate(Validator.java:260) ~[?:1.8.0_51]
	at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324) ~[?:1.8.0_51]
	at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:229) ~[?:1.8.0_51]
	at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:105) ~[?:1.8.0_51]
	at org.dimdev.utils.SSLUtils$2.checkServerTrusted(SSLUtils.java:55) ~[SSLUtils$2.class:?]
	at sun.security.ssl.AbstractTrustManagerWrapper.checkServerTrusted(SSLContextImpl.java:922) ~[?:1.8.0_51]
	at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1479) ~[?:1.8.0_51]
	at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:212) ~[?:1.8.0_51]
	at sun.security.ssl.Handshaker.processLoop(Handshaker.java:979) ~[?:1.8.0_51]
	at sun.security.ssl.Handshaker.process_record(Handshaker.java:914) ~[?:1.8.0_51]
	at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1062) ~[?:1.8.0_51]
	at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1375) ~[?:1.8.0_51]
	at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1403) ~[?:1.8.0_51]
	at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1387) ~[?:1.8.0_51]
	at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:563) ~[?:1.8.0_51]
	at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185) ~[?:1.8.0_51]
	at sun.net.www.protocol.http.HttpURLConnection.getInputStream0(HttpURLConnection.java:1512) ~[?:1.8.0_51]
	at sun.net.www.protocol.http.HttpURLConnection.access$200(HttpURLConnection.java:90) ~[?:1.8.0_51]
	at sun.net.www.protocol.http.HttpURLConnection$9.run(HttpURLConnection.java:1432) ~[?:1.8.0_51]
	at sun.net.www.protocol.http.HttpURLConnection$9.run(HttpURLConnection.java:1430) ~[?:1.8.0_51]
	at java.security.AccessController.doPrivileged(Native Method) ~[?:1.8.0_51]
	at java.security.AccessController.doPrivileged(AccessController.java:713) ~[?:1.8.0_51]
	at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1429) ~[?:1.8.0_51]
	at sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(HttpsURLConnectionImpl.java:254) ~[?:1.8.0_51]
	at com.mojang.authlib.HttpAuthenticationService.performGetRequest(HttpAuthenticationService.java:130) ~[HttpAuthenticationService.class:?]
	at com.mojang.authlib.yggdrasil.YggdrasilAuthenticationService.makeRequest(YggdrasilAuthenticationService.java:66) ~[YggdrasilAuthenticationService.class:?]
	... 5 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
	at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:145) ~[?:1.8.0_51]
	at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:131) ~[?:1.8.0_51]
	at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280) ~[?:1.8.0_51]
	at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:382) ~[?:1.8.0_51]
	at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:292) ~[?:1.8.0_51]
	at sun.security.validator.Validator.validate(Validator.java:260) ~[?:1.8.0_51]
	at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324) ~[?:1.8.0_51]
	at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:229) ~[?:1.8.0_51]
	at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:105) ~[?:1.8.0_51]
	at org.dimdev.utils.SSLUtils$2.checkServerTrusted(SSLUtils.java:55) ~[SSLUtils$2.class:?]
	at sun.security.ssl.AbstractTrustManagerWrapper.checkServerTrusted(SSLContextImpl.java:922) ~[?:1.8.0_51]
	at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1479) ~[?:1.8.0_51]
	at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:212) ~[?:1.8.0_51]
	at sun.security.ssl.Handshaker.processLoop(Handshaker.java:979) ~[?:1.8.0_51]
	at sun.security.ssl.Handshaker.process_record(Handshaker.java:914) ~[?:1.8.0_51]
	at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1062) ~[?:1.8.0_51]
	at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1375) ~[?:1.8.0_51]
	at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1403) ~[?:1.8.0_51]
	at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1387) ~[?:1.8.0_51]
	at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:563) ~[?:1.8.0_51]
	at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185) ~[?:1.8.0_51]
	at sun.net.www.protocol.http.HttpURLConnection.getInputStream0(HttpURLConnection.java:1512) ~[?:1.8.0_51]
	at sun.net.www.protocol.http.HttpURLConnection.access$200(HttpURLConnection.java:90) ~[?:1.8.0_51]
	at sun.net.www.protocol.http.HttpURLConnection$9.run(HttpURLConnection.java:1432) ~[?:1.8.0_51]
	at sun.net.www.protocol.http.HttpURLConnection$9.run(HttpURLConnection.java:1430) ~[?:1.8.0_51]
	at java.security.AccessController.doPrivileged(Native Method) ~[?:1.8.0_51]
	at java.security.AccessController.doPrivileged(AccessController.java:713) ~[?:1.8.0_51]
	at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1429) ~[?:1.8.0_51]
	at sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(HttpsURLConnectionImpl.java:254) ~[?:1.8.0_51]
	at com.mojang.authlib.HttpAuthenticationService.performGetRequest(HttpAuthenticationService.java:130) ~[HttpAuthenticationService.class:?]
	at com.mojang.authlib.yggdrasil.YggdrasilAuthenticationService.makeRequest(YggdrasilAuthenticationService.java:66) ~[YggdrasilAuthenticationService.class:?]
	... 5 more

然后查看启动器日志,本地拥有以下java(见附件),但是却选择了以下java:

[02:11:25.341] <L/等待游戏窗口出现> [Launch] 
[02:11:25.341] <L/等待游戏窗口出现> [Launch] ~ 基础参数 ~
[02:11:25.341] <L/等待游戏窗口出现> [Launch] PCL 版本:Snapshot 2.11.0 (373)
[02:11:25.341] <L/等待游戏窗口出现> [Launch] 游戏版本:1.12.2, Forge 14.23.5.2855, OptiFine G5(识别为 1.12.2)
[02:11:25.341] <L/等待游戏窗口出现> [Launch] 资源版本:1.12
[02:11:25.341] <L/等待游戏窗口出现> [Launch] 版本继承:无
[02:11:25.342] <L/等待游戏窗口出现> [Launch] 分配的内存:15.3 GB(15667 MB)
[02:11:25.342] <L/等待游戏窗口出现> [Launch] MC 文件夹:C:\Minecraft\.minecraft\
[02:11:25.342] <L/等待游戏窗口出现> [Launch] 版本文件夹:C:\Minecraft\.minecraft\versions\GreedyCraft\
[02:11:25.342] <L/等待游戏窗口出现> [Launch] 版本隔离:True
[02:11:25.342] <L/等待游戏窗口出现> [Launch] HMCL 格式:False
[02:11:25.342] <L/等待游戏窗口出现> [Launch] Java 信息:JRE 8 (8.0.51):C:\Users\*****\AppData\Roaming\.minecraft\runtime\jre-legacy\bin\
[02:11:25.342] <L/等待游戏窗口出现> [Launch] 环境变量:未设置
[02:11:25.342] <L/等待游戏窗口出现> [Launch] Natives 文件夹:C:\Minecraft\.minecraft\versions\GreedyCraft\GreedyCraft-natives

此段日志证明,启动器默认选择了版本最低最靠前的java8,此方案不合理。

本issue有两个诉求:

  1. 自动选取java应该使用同java版本中版本更新的,不应该简单的使用最靠前的
  2. 根据崩溃日志中Couldn't look up profile properties for com.mojang.authlib.GameProfile@28d272e2[id=45981610-a784-393a-b4ac-dd67dce40c07,name=ijevin,properties={},legacy=false] com.mojang.authlib.exceptions.AuthenticationUnavailableException: Cannot contact authentication server或其它关键字,判断是否由于java版本过旧引起的证书过期导致minecraft崩溃

如果需要拆分issue,请告诉我

重现步骤

1、电脑本地拥有高版本java8的同时也拥有低版本的java8
2、安装比如ReAuth等会在会话失效时自动尝试重新登录的模组。
3、启动minecraft,稍作等待后手动退出。 ~~,并在进入世界后稍作等待,直到堆栈堆积游戏崩溃~~(崩溃原因存疑,可能由整合包自身导致,但证书链过期确实是个问题,PCL也确实选择错了Java)
4、手动查看日志,会出现多次上述报错

日志与附件

Image

错误报告-2025-10-26_2.56.36.zip

NuanRMxi avatar Oct 25 '25 19:10 NuanRMxi

疑似与老问题 #5252 差不多,还是建议直接改动java自动选取策略,往新了选比较好...

NuanRMxi avatar Oct 26 '25 02:10 NuanRMxi

别名: cn=digicert_global_root_g2,ou=www.digicert.com,o=digicert_inc,c=us
创建日期: 2025-7-16
条目类型: trustedCertEntry

所有者: CN=DigiCert Global Root G2, OU=www.digicert.com, O=DigiCert Inc, C=US
发布者: CN=DigiCert Global Root G2, OU=www.digicert.com, O=DigiCert Inc, C=US
序列号: 33af1e6a711a9a0bb2864b11d09fae5
有效期开始日期: Thu Aug 01 20:00:00 CST 2013, 截止日期: Fri Jan 15 20:00:00 CST 2038
证书指纹:
	 MD5: E4:A6:8A:C8:54:AC:52:42:46:0A:FD:72:48:1B:2A:44
	 SHA1: DF:3C:24:F9:BF:D6:66:76:1B:26:80:73:FE:06:D1:CC:8D:4F:82:A4
	 SHA256: CB:3C:CB:B7:60:31:E5:E0:13:8F:8D:D3:9A:23:F9:DE:47:FF:C3:5E:43:C1:14:4C:EA:27:D4:6A:5A:B1:CB:5F
	 签名算法名称: SHA256withRSA
	 版本: 3

目前 api.minecraftservices.com 证书签发机构是 Microsoft Azure RSA TLS Issuing CA 07,此中间证书的签发机构来自 DigiCert Global Root G2,根证书仍在有效期内,应该考虑为 TLS 劫持

你可以在浏览器中访问 api.minecraftservices.com 并观察浏览器是否弹出证书验证失败的警告

ruollin avatar Oct 27 '25 14:10 ruollin

本issue的重点是旧版Java中的证书链过期导致报错,与网络无关,更换新的Java8就可以解决。 可以自己试一下,这个问题在java8.0.51打开1.12.2是100%复现的,游戏内永远会提示会话无效,也可能提示认证服务器正在维护,更换为高版本就不会出现这种问题了,这是本地证书链失效的问题,和网络无关

NuanRMxi avatar Oct 27 '25 18:10 NuanRMxi

本issue的重点是旧版Java中的证书链过期导致报错,与网络无关,更换新的Java8就可以解决。

并没有过期,DigiCert Global Root G2 的证书有效期直到 2038 年 1 月 15 日,进而可以推导出签发给 Microsoft Azure RSA TLS Issuing CA 07 的中级证书也是有效的

使用 8u51 + 1.8.9 进入 Hypixel 可以正常加入

如果你遇到了这个问题,代表你的 8u51 是有问题的,你应该删掉这个 Java

ruollin avatar Oct 28 '25 01:10 ruollin

java 8u51的cacert里根本没有DigiCert Global Root G2,只有DigiCert Global Root,是证书链过期了,不是证书过期了

keytool -list -keystore "C:\Users\<YourUserName>\AppData\Roaming\.minecraft\runtime\jre-legacy\lib\security\cacerts" -v

证书库密码changeit,看命令输出,你找得到DigiCert Global Root G2吗

java8u51等其它版本存档:oracle官网

NuanRMxi avatar Oct 28 '25 01:10 NuanRMxi

java 8u51的cacert里根本没有DigiCert Global Root G2,只有DigiCert Global Root,是证书链过期了,不是证书过期了

keytool -list -keystore "C:\Users\<YourUserName>\AppData\Roaming\.minecraft\runtime\jre-legacy\lib\security\cacerts" -v

证书库密码changeit,看命令输出,你找得到DigiCert Global Root G2吗

java8u51等其它版本存档:oracle官网

C:\Users\LuoTianyi\AppData\Roaming\.minecraft\runtime\jre-legacy\bin>keytool -list -v -keystore ..\lib\security\cacerts > list.txt
输入密钥库口令:  changeit

使用 Mojang 提供的 Java 8u51

证书信息
别名: cn=digicert_global_root_g2,ou=www.digicert.com,o=digicert_inc,c=us
创建日期: 2025-7-16
条目类型: trustedCertEntry

所有者: CN=DigiCert Global Root G2, OU=www.digicert.com, O=DigiCert Inc, C=US
发布者: CN=DigiCert Global Root G2, OU=www.digicert.com, O=DigiCert Inc, C=US
序列号: 33af1e6a711a9a0bb2864b11d09fae5
有效期开始日期: Thu Aug 01 20:00:00 CST 2013, 截止日期: Fri Jan 15 20:00:00 CST 2038
证书指纹:
	 MD5: E4:A6:8A:C8:54:AC:52:42:46:0A:FD:72:48:1B:2A:44
	 SHA1: DF:3C:24:F9:BF:D6:66:76:1B:26:80:73:FE:06:D1:CC:8D:4F:82:A4
	 SHA256: CB:3C:CB:B7:60:31:E5:E0:13:8F:8D:D3:9A:23:F9:DE:47:FF:C3:5E:43:C1:14:4C:EA:27:D4:6A:5A:B1:CB:5F
	 签名算法名称: SHA256withRSA
	 版本: 3

扩展: 

#1: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
  CA:true
  PathLen:2147483647
]

#2: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
  DigitalSignature
  Key_CertSign
  Crl_Sign
]

#3: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 4E 22 54 20 18 95 E6 E3   6E E6 0F FA FA B9 12 ED  N"T ....n.......
0010: 06 17 8F 39                                        ...9
]
]



*******************************************
*******************************************

从浏览器获取的证书序列号为 03:3A:F1:E6:A7:11:A9:A0:BB:28:64:B1:1D:09:FA:E5,移除前导 0 后与密钥库存储的证书序列号匹配

浏览器获取的证书 SHA-256 指纹:cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f

证书库内存储的 SHA-256 指纹:CB:3C:CB:B7:60:31:E5:E0:13:8F:8D:D3:9A:23:F9:DE:47:FF:C3:5E:43:C1:14:4C:EA:27:D4:6A:5A:B1:CB:5F

list.txt

cacerts 文件 hash (SHA-1): 9167d29dea4890e5cdfed5559117a000c339ccef

ruollin avatar Oct 28 '25 04:10 ruollin

给龙猫看看好了(

Edit:

btw 我这里也能查到这张证书,但是这张证书似乎 2025-07-16 才被加入到证书库里面

看起来像是证书库本身已过时(outdated),也许可以考虑做一个自动更新的功能

C:\Users\copytiao\AppData\Roaming\.minecraft\runtime\jre-legacy\bin>keytool -list -v -keystore ..\lib\security\cacerts | findStr "G2"
输入密钥库口令:  changeit
所有者: CN=UCA Global G2 Root, O=UniTrust, C=CN
发布者: CN=UCA Global G2 Root, O=UniTrust, C=CN
所有者: CN=Starfield Root Certificate Authority - G2, O="Starfield Technologies, Inc.", L=Scottsdale, ST=Arizona, C=US
发布者: CN=Starfield Root Certificate Authority - G2, O="Starfield Technologies, Inc.", L=Scottsdale, ST=Arizona, C=US
所有者: OU=certSIGN ROOT CA G2, O=CERTSIGN SA, C=RO
发布者: OU=certSIGN ROOT CA G2, O=CERTSIGN SA, C=RO
所有者: CN=Entrust Root Certification Authority - G2, OU="(c) 2009 Entrust, Inc. - for authorized use only", OU=See www.entrust.net/legal-terms, O="Entrust, Inc.", C=US
发布者: CN=Entrust Root Certification Authority - G2, OU="(c) 2009 Entrust, Inc. - for authorized use only", OU=See www.entrust.net/legal-terms, O="Entrust, Inc.", C=US
所有者: CN=Go Daddy Root Certificate Authority - G2, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US
发布者: CN=Go Daddy Root Certificate Authority - G2, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US
所有者: CN=DigiCert Assured ID Root G2, OU=www.digicert.com, O=DigiCert Inc, C=US
发布者: CN=DigiCert Assured ID Root G2, OU=www.digicert.com, O=DigiCert Inc, C=US
所有者: CN=SwissSign Gold CA - G2, O=SwissSign AG, C=CH
发布者: CN=SwissSign Gold CA - G2, O=SwissSign AG, C=CH
所有者: CN=Starfield Services Root Certificate Authority - G2, O="Starfield Technologies, Inc.", L=Scottsdale, ST=Arizona, C=US
发布者: CN=Starfield Services Root Certificate Authority - G2, O="Starfield Technologies, Inc.", L=Scottsdale, ST=Arizona, C=US
所有者: CN=DigiCert Global Root G2, OU=www.digicert.com, O=DigiCert Inc, C=US
发布者: CN=DigiCert Global Root G2, OU=www.digicert.com, O=DigiCert Inc, C=US

copytiao avatar Oct 28 '25 04:10 copytiao

看起来像是mojang后期自己替换了cacerts文件,但是没有改java版本号,那么最直接的方式仍然是修改java选取策略,或者让启动器给mojang擦屁股也更新一下cacerts文件。总不能让以前使用启动器的人正版验证全爆掉吧

NuanRMxi avatar Oct 28 '25 04:10 NuanRMxi

可以确认是Mojang自己改了证书,我这里也有

   E:\WpSystem\S-1-5-21-467410735-3879260620-3614731878-1001\AppData\Local\Packages\Microsoft.4297127D64EC6_8wekyb3d8bbwe\LocalCache\Local\runtime\jre-legacy\windows-x64\jre-legacy\bin                   Celestia@Starmoe   12:30:56 
❯ keytool -list -v -keystore ..\lib\security\cacerts | findStr "G2"
输入密钥库口令:  changeit
所有者: CN=DigiCert Assured ID Root G2, OU=www.digicert.com, O=DigiCert Inc, C=US
发布者: CN=DigiCert Assured ID Root G2, OU=www.digicert.com, O=DigiCert Inc, C=US
所有者: CN=DigiCert Global Root G2, OU=www.digicert.com, O=DigiCert Inc, C=US
发布者: CN=DigiCert Global Root G2, OU=www.digicert.com, O=DigiCert Inc, C=US
所有者: CN=Entrust Root Certification Authority - G2, OU="(c) 2009 Entrust, Inc. - for authorized use only", OU=See www.entrust.net/legal-terms, O="Entrust, Inc.", C=US
发布者: CN=Entrust Root Certification Authority - G2, OU="(c) 2009 Entrust, Inc. - for authorized use only", OU=See www.entrust.net/legal-terms, O="Entrust, Inc.", C=US
所有者: CN=Go Daddy Root Certificate Authority - G2, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US
发布者: CN=Go Daddy Root Certificate Authority - G2, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US
所有者: CN=Starfield Root Certificate Authority - G2, O="Starfield Technologies, Inc.", L=Scottsdale, ST=Arizona, C=US
发布者: CN=Starfield Root Certificate Authority - G2, O="Starfield Technologies, Inc.", L=Scottsdale, ST=Arizona, C=US
所有者: CN=Starfield Services Root Certificate Authority - G2, O="Starfield Technologies, Inc.", L=Scottsdale, ST=Arizona, C=US
发布者: CN=Starfield Services Root Certificate Authority - G2, O="Starfield Technologies, Inc.", L=Scottsdale, ST=Arizona, C=US
所有者: CN=SwissSign Gold CA - G2, O=SwissSign AG, C=CH
发布者: CN=SwissSign Gold CA - G2, O=SwissSign AG, C=CH
所有者: CN=UCA Global G2 Root, O=UniTrust, C=CN
发布者: CN=UCA Global G2 Root, O=UniTrust, C=CN
所有者: OU=certSIGN ROOT CA G2, O=CERTSIGN SA, C=RO
发布者: OU=certSIGN ROOT CA G2, O=CERTSIGN SA, C=RO

作为对比,我再放出Oracle的JRE8u51

   E:\jre8u51\bin                                                                  Celestia@Starmoe   12:47:00 
❯ keytool -list -v -keystore ..\lib\security\cacerts | findStr "G2"
输入密钥库口令:  changeit
所有者: CN=Entrust Root Certification Authority - G2, OU="(c) 2009 Entrust, Inc. - for authorized use only", OU=See www.entrust.net/legal-terms, O="Entrust, Inc.", C=US
发布者: CN=Entrust Root Certification Authority - G2, OU="(c) 2009 Entrust, Inc. - for authorized use only", OU=See www.entrust.net/legal-terms, O="Entrust, Inc.", C=US
所有者: CN=GeoTrust Primary Certification Authority - G2, OU=(c) 2007 GeoTrust Inc. - For authorized use only, O=GeoTrust Inc., C=US
发布者: CN=GeoTrust Primary Certification Authority - G2, OU=(c) 2007 GeoTrust Inc. - For authorized use only, O=GeoTrust Inc., C=US
所有者: CN=Go Daddy Root Certificate Authority - G2, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US
发布者: CN=Go Daddy Root Certificate Authority - G2, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US
所有者: CN=Starfield Root Certificate Authority - G2, O="Starfield Technologies, Inc.", L=Scottsdale, ST=Arizona, C=US
发布者: CN=Starfield Root Certificate Authority - G2, O="Starfield Technologies, Inc.", L=Scottsdale, ST=Arizona, C=US
所有者: CN=Starfield Services Root Certificate Authority - G2, O="Starfield Technologies, Inc.", L=Scottsdale, ST=Arizona, C=US
发布者: CN=Starfield Services Root Certificate Authority - G2, O="Starfield Technologies, Inc.", L=Scottsdale, ST=Arizona, C=US
所有者: CN=SwissSign Gold CA - G2, O=SwissSign AG, C=CH
发布者: CN=SwissSign Gold CA - G2, O=SwissSign AG, C=CH
所有者: CN=SwissSign Platinum CA - G2, O=SwissSign AG, C=CH
发布者: CN=SwissSign Platinum CA - G2, O=SwissSign AG, C=CH
所有者: CN=SwissSign Silver CA - G2, O=SwissSign AG, C=CH
发布者: CN=SwissSign Silver CA - G2, O=SwissSign AG, C=CH
所有者: CN=thawte Primary Root CA - G2, OU="(c) 2007 thawte, Inc. - For authorized use only", O="thawte, Inc.", C=US
发布者: CN=thawte Primary Root CA - G2, OU="(c) 2007 thawte, Inc. - For authorized use only", O="thawte, Inc.", C=US
所有者: OU=VeriSign Trust Network, OU="(c) 1998 VeriSign, Inc. - For authorized use only", OU=Class 1 Public Primary Certification Authority - G2, O="VeriSign, Inc.", C=US
发布者: OU=VeriSign Trust Network, OU="(c) 1998 VeriSign, Inc. - For authorized use only", OU=Class 1 Public Primary Certification Authority - G2, O="VeriSign, Inc.", C=US
所有者: OU=VeriSign Trust Network, OU="(c) 1998 VeriSign, Inc. - For authorized use only", OU=Class 2 Public Primary Certification Authority - G2, O="VeriSign, Inc.", C=US
发布者: OU=VeriSign Trust Network, OU="(c) 1998 VeriSign, Inc. - For authorized use only", OU=Class 2 Public Primary Certification Authority - G2, O="VeriSign, Inc.", C=US
所有者: OU=VeriSign Trust Network, OU="(c) 1998 VeriSign, Inc. - For authorized use only", OU=Class 3 Public Primary Certification Authority - G2, O="VeriSign, Inc.", C=US
发布者: OU=VeriSign Trust Network, OU="(c) 1998 VeriSign, Inc. - For authorized use only", OU=Class 3 Public Primary Certification Authority - G2, O="VeriSign, Inc.", C=US

Warning:
<equifaxsecureca> 使用的 1024 位 RSA 密钥 被视为存在安全风险。它将在未来的更新中被禁用。
<equifaxsecureebusinessca1> 使用的 1024 位 RSA 密钥 被视为存在安全风险。它将在未来的更新中被禁用。
<equifaxsecureglobalebusinessca1> 使用的 1024 位 RSA 密钥 被视为存在安全风险。它将在未来的更新中被禁用。
<gtecybertrustglobalca> 使用的 1024 位 RSA 密钥 被视为存在安全风险。它将在未来的更新中被禁用。
<thawtepremiumserverca> 使用的 1024 位 RSA 密钥 被视为存在安全风险。它将在未来的更新中被禁用。
<verisignclass1ca> 使用的 1024 位 RSA 密钥 被视为存在安全风险。它将在未来的更新中被禁用。
<verisignclass1g2ca> 使用的 1024 位 RSA 密钥 被视为存在安全风险。它将在未来的更新中被禁用。
<verisignclass2g2ca> 使用的 1024 位 RSA 密钥 被视为存在安全风险。它将在未来的更新中被禁用。
<verisignclass3ca> 使用的 1024 位 RSA 密钥 被视为存在安全风险。它将在未来的更新中被禁用。
<verisignclass3g2ca> 使用的 1024 位 RSA 密钥 被视为存在安全风险。它将在未来的更新中被禁用。
<verisigntsaca> 使用的 1024 位 RSA 密钥 被视为存在安全风险。它将在未来的更新中被禁用。

另外这个文件的SHA256是SHA256: edfd543b4e264779933bdacd7abf6fbca98a1cd69fd60c2c42f36256930b2817

在E盘是因为C盘空间不太够我自己迁移了

EastCation avatar Oct 28 '25 04:10 EastCation

修改 Java 选取可能没法完全解决问题,因为有的人可能就这一个 Java?

LTCatt avatar Oct 28 '25 07:10 LTCatt

修改 Java 选取可能没法完全解决问题,因为有的人可能就这一个 Java?

-Djavax.net.ssl.trustStoreType=WINDOWS-ROOT?

或者考虑给 cacert 做更新检查

ruollin avatar Oct 28 '25 08:10 ruollin

hmm 有什么办法确定某个 Java 的 cacert 是否过期么,可以在过期的时候固定加 -Djavax.net.ssl.trustStoreType=WINDOWS-ROOT

LTCatt avatar Oct 28 '25 14:10 LTCatt

大概是可以通过调用命令行然后匹配内容确认证书的

VB 例程
Imports System.Diagnostics
Imports System.Text.RegularExpressions

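Module Module1
    ''' <summary>
    ''' Lists the entries of a Java cacerts trust store through keytool and prints every
    ''' certificate that has already expired or expires within the next 30 days.
    ''' </summary>
    ''' <remarks>
    ''' This reports expiry only. A trust store that simply lacks the root a server chains
    ''' to (the "PKIX path building failed ... unable to find valid certification path"
    ''' case) contains nothing expired, so detecting that situation needs a presence check
    ''' on the expected root (for example by SHA-256 fingerprint) rather than a date check.
    ''' </remarks>
    Sub Main()
        ' Java home + "\lib\security\cacerts"
        Dim cacertsPath As String = "C:\Program Files\Java\jdk-17\lib\security\cacerts"
        ' "changeit" is the published default cacerts password, not a secret.
        Dim storePass As String = "changeit"

        ' Some Java distributions ship without a cacerts file; check before calling keytool.
        If Not System.IO.File.Exists(cacertsPath) Then
            Console.Error.WriteLine($"cacerts not found: {cacertsPath}")
            Return
        End If

        ' keytool's field labels are localized and differ between JDK versions, so force
        ' English output instead of maintaining one regex per locale.
        Dim psi As New ProcessStartInfo() With {
            .FileName = "keytool",
            .Arguments = $"-J-Duser.language=en -list -v -keystore ""{cacertsPath}"" -storepass {storePass}",
            .RedirectStandardOutput = True,
            .UseShellExecute = False,
            .CreateNoWindow = True
        }

        Dim output As String
        Using p As Process = Process.Start(psi)
            ' Drain stdout before waiting so a full pipe cannot block keytool.
            output = p.StandardOutput.ReadToEnd()
            p.WaitForExit()
            If p.ExitCode <> 0 Then
                Console.Error.WriteLine($"keytool exited with code {p.ExitCode}")
                Return
            End If
        End Using

        Dim aliasMatches As MatchCollection = Regex.Matches(output, "Alias name: (.+)")
        Dim validity As New Regex("Valid from: (.+) until: (.+)")

        For i As Integer = 0 To aliasMatches.Count - 1
            ' Search for the validity line only inside this alias's own section, so an entry
            ' with zero or several validity lines cannot shift the pairing of later entries.
            Dim entryStart As Integer = aliasMatches(i).Index
            Dim entryEnd As Integer = If(i + 1 < aliasMatches.Count, aliasMatches(i + 1).Index, output.Length)
            Dim validMatch As Match = validity.Match(output, entryStart, entryEnd - entryStart)
            If Not validMatch.Success Then Continue For

            Dim aliasName As String = aliasMatches(i).Groups(1).Value.Trim()
            Dim untilStr As String = validMatch.Groups(2).Value.Trim()
            Dim expireDate As DateTime

            If Not TryParseKeytoolDate(untilStr, expireDate) Then
                ' Report instead of skipping silently: an unparsed date would otherwise
                ' look exactly like a certificate that is still valid.
                Console.Error.WriteLine($"cannot parse expiry date for {aliasName}: {untilStr}")
                Continue For
            End If

            Dim daysLeft As Integer = (expireDate - DateTime.Now).Days
            If daysLeft < 0 Then
                Console.WriteLine($"[EXPIRED] {aliasName} 过期于 {expireDate}")
            ElseIf daysLeft <= 30 Then
                Console.WriteLine($"[SOON] {aliasName} 将在 {daysLeft} 天后到期({expireDate})")
            End If
        Next
    End Sub

    ' Parses a date printed by keytool, e.g. "Mon Jan 01 13:37:19 CST 2035".
    ' DateTime.TryParse does not understand this layout (weekday first, zone abbreviation
    ' before the year), so the zone token is dropped and the rest is parsed with an exact
    ' format. Ignoring the zone shifts the result by less than a day, which is acceptable
    ' for a 30-day warning window.
    Private Function TryParseKeytoolDate(text As String, ByRef result As DateTime) As Boolean
        Dim parts As String() = text.Split(New Char() {" "c}, StringSplitOptions.RemoveEmptyEntries)
        If parts.Length <> 6 Then Return False

        Dim withoutZone As String = String.Join(" ", parts(1), parts(2), parts(3), parts(5))
        Return DateTime.TryParseExact(withoutZone, "MMM dd HH:mm:ss yyyy",
                                      System.Globalization.CultureInfo.InvariantCulture,
                                      System.Globalization.DateTimeStyles.None, result)
    End Function
End Module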
直接调用该命令后,预期会得到如下输出(即解析时要用到的部分)样例:
别名: xrampglobalca [jdk]
创建日期: 2025年10月29日
条目类型: trustedCertEntry

所有者: CN=XRamp Global Certification Authority, O=XRamp Security Services Inc, OU=www.xrampsecurity.com, C=US
发布者: CN=XRamp Global Certification Authority, O=XRamp Security Services Inc, OU=www.xrampsecurity.com, C=US
序列号: 50946cec18ead59c4dd597ef758fa0ad
生效时间: Tue Nov 02 01:14:04 CST 2004, 失效时间: Mon Jan 01 13:37:19 CST 2035
证书指纹:
         SHA1: B8:01:86:D1:EB:9C:86:A5:41:04:CF:30:54:F3:4C:52:B7:E5:58:C6
         SHA256: CE:CD:DC:90:50:99:D8:DA:DF:C5:B1:D2:09:B7:37:CB:E2:C1:8C:FB:2C:10:C0:FF:0B:CF:0D:32:86:FC:1A:A2
签名算法名称: SHA1withRSA
主体公共密钥算法: 2048 位 RSA 密钥
版本: 3

MoYuan-CN avatar Oct 28 '25 23:10 MoYuan-CN

利用 PCL 网络请求的证书验证回调,获取 Minecraft 服务接口的 TLS 证书,然后打开 cacerts 检查证书是否存在?

ruollin avatar Oct 29 '25 01:10 ruollin

这里要注意一下,某些版本的java可能没有cacerts文件,比如zulu-8就没有,因此检测之前要先检查文件存不存在...

NuanRMxi avatar Oct 29 '25 06:10 NuanRMxi

写过一个对于皮肤站的(#6287) 引用一下下面的话: Image

wyc-26 avatar Oct 31 '25 09:10 wyc-26