Invalid Certification with Amazon S3 Presigned URL

Time:03-16

I am trying to download an object from an S3 bucket using a presigned url via the following configuration & code:

import java.io.File;
import java.io.IOException;
import java.net.URL;

import com.amazonaws.services.s3.model.PresignedUrlDownloadRequest;
import com.amazonaws.services.s3.transfer.PresignedUrlDownload;

public void getDocumentFromPresignedUrl(final String presignedUrl, final String id) {

    PresignedUrlDownload transfer = null;

    try {

        File file = File.createTempFile(id, ".pdf");

        //errors out on this line
        transfer = getTransferMgr().download(new PresignedUrlDownloadRequest(new URL(presignedUrl)), file);
        transfer.waitForCompletion();
    } catch (IOException | InterruptedException e) {
        // createTempFile/new URL throw IOException; waitForCompletion throws InterruptedException
        throw new RuntimeException("Presigned URL download failed", e);
    }
}

Which is configured via the following:

private ClientConfiguration getClientConfiguration() {
    
    ClientConfiguration clientConfig = new ClientConfiguration();
    clientConfig.setProtocol(Protocol.HTTPS);
    
    return clientConfig;
    
}

public TransferManager getTransferMgr() {
    return TransferManagerBuilder.standard().withS3Client(getS3Client()).build();
}

public AmazonS3 getS3Client() {
    return AmazonS3ClientBuilder.standard().withRegion(region)
         .withClientConfiguration(getClientConfiguration()).build();
}

However, the following error is thrown each time:

com.amazonaws.SdkClientException: 
Unable to execute HTTP request: PKIX path building failed:
sun.security.provider.certpath.SunCertPathBuilderException:
unable to find valid certification path to requested target

WHAT I HAVE TRIED:

  1. I tried to take the AWS cert from the presigned url location in-browser, discussed here

  2. I tried to use the traditional RestTemplate provided by Spring, with no luck

  3. I AM able to retrieve the object from S3 both in Postman and my browser, but not via my Spring app

How does one circumvent this SdkClientException and GET their S3 object?

CodePudding user response:

The solution to this problem resides in cacerts. If you are running on a proxy (such as Zscaler), the certification will need to be added to the /cacerts file.

In the case of this question, I was adding the Zscaler cert to the WRONG JRE. Because I was using SpringToolSuite, I needed to add the cert to Spring's JRE, which in my case was:

keytool -import -alias Z_Root -keystore "C:\Program Files\sts-4.8.1.RELEASE\plugins\org.eclipse.justj.openjdk.hotspot.jre.full.win32.x86_64_1.v20201010-1246\jre\lib\security\cacerts" -storepass changeit -file "C:\Users\myUser\Downloads\MyZscalerCert.crt"

and NOT the typical %JAVA_HOME%/jre path.
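Since the fix hinged on patching the JRE the application actually runs in, the following added diagnostic (not part of the question or answer) prints the running JRE's cacerts location and checks whether a given root CA file is already trusted there. The file name MyZscalerCert.crt is a placeholder taken from the keytool command above; pass the real path as the first argument.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;

// Added diagnostic: which JRE am I really running in, and does its cacerts trust the proxy root?
public class TrustStoreCheck {

    // Resolve the cacerts of the *running* JRE, honouring -Djavax.net.ssl.trustStore if set.
    static Path runningTrustStore() {
        String override = System.getProperty("javax.net.ssl.trustStore");
        if (override != null) {
            return Paths.get(override);
        }
        // java.home is the JRE executing this process, which may differ from %JAVA_HOME%
        return Paths.get(System.getProperty("java.home"), "lib", "security", "cacerts");
    }

    // Load the keystore read-only; null password skips the integrity check so a non-default store password still works.
    static KeyStore loadTrustStore(Path path) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(path.toFile())) {
            ks.load(in, null);
        }
        return ks;
    }

    // True if a certificate with the same DER encoding as caFile is present under any alias.
    static boolean isTrusted(KeyStore ks, Path caFile) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        X509Certificate wanted;
        try (InputStream in = new FileInputStream(caFile.toFile())) {
            wanted = (X509Certificate) cf.generateCertificate(in);
        }
        // getCertificateAlias matches on encoded bytes, so the alias used at import time does not matter
        return ks.getCertificateAlias(wanted) != null;
    }

    public static void main(String[] args) throws Exception {
        Path caFile = Paths.get(args.length > 0 ? args[0] : "MyZscalerCert.crt"); // placeholder path
        Path store = runningTrustStore();
        System.out.println("Running JRE:     " + System.getProperty("java.home"));
        System.out.println("Trust store:     " + store);
        KeyStore ks = loadTrustStore(store);
        System.out.println("CA trusted here: " + isTrusted(ks, caFile));
    }
}
```

Run it from the same launcher (here, the STS-bundled JRE) that starts the Spring app; if it reports false, the keytool import went into a different cacerts than the one the PKIX validator consults.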
