I'm trying to configure the Eureka spring boot server with an SSL certificate. And I can't find good information to do it. I'm doing it on a local machine with a personal certificate for testing purposes.
As much as I can understand to do it, I've done this step:
1 - Created SSL certificate:
keytool -genkeypair -keyalg RSA -keysize 2048 -storetype PKCS12 -keystore ssltest.p12 -validity 365 -ext "SAN:c=DNS:localhost,IP:127.0.0.1"
2 - In application.yml from Eureka server
server:
port: 9290
servlet:
context-path: /discoveryservice
ssl:
enabled: true
key-store: file:c:\tmp\ssl\ssltest.p12
key-store-type: PKCS12
key-store-password: 12345678
trust-store: file:c:\tmp\ssl\ssltest.p12
trust-store-type: PKCS12
trust-store-password: 12345678
eureka:
instance:
hostname: localhost
secure-port: ${server.port}
secure-port-enabled: true
non-secure-port-enabled: false
secure-virtual-host-name: ${spring.application.name}
home-page-url-path: https://${eureka.instance.hostname}:${server.port}/${server.servlet.context-path}/
status-page-url-path: https://${eureka.instance.hostname}:${server.port}/${server.servlet.context-path}/info
health-check-url: https://${eureka.instance.hostname}:${server.port}/${server.servlet.context-path}/health
client:
fetch-registry: false
register-with-eureka: false
server:
wait-time-in-ms-when-sync-empty: 0
logging:
level:
com:
netflix:
eureka: OFF
discovery: OFF
But it doesn't work, because soon as I add:
trust-store: file:c:\tmp\ssl\ssltest.p12
trust-store-type: PKCS12
trust-store-password: 1234567
I'm getting an error message, and I can't find how to resolve it:
org.springframework.context.ApplicationContextException: Failed to start bean 'webServerStartStop'; nested exception is org.springframework.boot.web.server.WebServerException: Unable to start embedded Tomcat server
at org.springframework.context.support.DefaultLifecycleProcessor.doStart(DefaultLifecycleProcessor.java:181) ~[spring-context-5.3.19.jar:5.3.19]
at org.springframework.context.support.DefaultLifecycleProcessor.access$200(DefaultLifecycleProcessor.java:54) ~[spring-context-5.3.19.jar:5.3.19]
at org.springframework.context.support.DefaultLifecycleProcessor$LifecycleGroup.start(DefaultLifecycleProcessor.java:356) ~[spring-context-5.3.19.jar:5.3.19]
at java.base/java.lang.Iterable.forEach(Iterable.java:75) ~[na:na]
at org.springframework.context.support.DefaultLifecycleProcessor.startBeans(DefaultLifecycleProcessor.java:155) ~[spring-context-5.3.19.jar:5.3.19]
at org.springframework.context.support.DefaultLifecycleProcessor.onRefresh(DefaultLifecycleProcessor.java:123) ~[spring-context-5.3.19.jar:5.3.19]
at org.springframework.context.support.AbstractApplicationContext.finishRefresh(AbstractApplicationContext.java:935) ~[spring-context-5.3.19.jar:5.3.19]
at org.springframework.context.support.AbstractApplicationContext.refresh(AbstractApplicationContext.java:586) ~[spring-context-5.3.19.jar:5.3.19]
at org.springframework.boot.web.servlet.context.ServletWebServerApplicationContext.refresh(ServletWebServerApplicationContext.java:145) ~[spring-boot-2.6.7.jar:2.6.7]
at org.springframework.boot.SpringApplication.refresh(SpringApplication.java:740) ~[spring-boot-2.6.7.jar:2.6.7]
at org.springframework.boot.SpringApplication.refreshContext(SpringApplication.java:415) ~[spring-boot-2.6.7.jar:2.6.7]
at org.springframework.boot.SpringApplication.run(SpringApplication.java:303) ~[spring-boot-2.6.7.jar:2.6.7]
at org.springframework.boot.SpringApplication.run(SpringApplication.java:1312) ~[spring-boot-2.6.7.jar:2.6.7]
at org.springframework.boot.SpringApplication.run(SpringApplication.java:1301) ~[spring-boot-2.6.7.jar:2.6.7]
at io.jdeo.modeldiscoveryservice.ModelDiscoveryServiceApplication.main(ModelDiscoveryServiceApplication.java:12) ~[classes/:na]
Caused by: org.springframework.boot.web.server.WebServerException: Unable to start embedded Tomcat server
at org.springframework.boot.web.embedded.tomcat.TomcatWebServer.start(TomcatWebServer.java:229) ~[spring-boot-2.6.7.jar:2.6.7]
at org.springframework.boot.web.servlet.context.WebServerStartStopLifecycle.start(WebServerStartStopLifecycle.java:43) ~[spring-boot-2.6.7.jar:2.6.7]
at org.springframework.context.support.DefaultLifecycleProcessor.doStart(DefaultLifecycleProcessor.java:178) ~[spring-context-5.3.19.jar:5.3.19]
... 14 common frames omitted
Caused by: java.lang.IllegalArgumentException: standardService.connector.startFailed
at org.apache.catalina.core.StandardService.addConnector(StandardService.java:238) ~[tomcat-embed-core-9.0.62.jar:9.0.62]
at org.springframework.boot.web.embedded.tomcat.TomcatWebServer.addPreviouslyRemovedConnectors(TomcatWebServer.java:282) ~[spring-boot-2.6.7.jar:2.6.7]
at org.springframework.boot.web.embedded.tomcat.TomcatWebServer.start(TomcatWebServer.java:213) ~[spring-boot-2.6.7.jar:2.6.7]
... 16 common frames omitted
Caused by: org.apache.catalina.LifecycleException: Protocol handler start failed
at org.apache.catalina.connector.Connector.startInternal(Connector.java:1075) ~[tomcat-embed-core-9.0.62.jar:9.0.62]
at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:183) ~[tomcat-embed-core-9.0.62.jar:9.0.62]
at org.apache.catalina.core.StandardService.addConnector(StandardService.java:234) ~[tomcat-embed-core-9.0.62.jar:9.0.62]
... 18 common frames omitted
Caused by: java.lang.IllegalArgumentException: the trustAnchors parameter must be non-empty
at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:107) ~[tomcat-embed-core-9.0.62.jar:9.0.62]
at org.apache.tomcat.util.net.AbstractJsseEndpoint.initialiseSsl(AbstractJsseEndpoint.java:71) ~[tomcat-embed-core-9.0.62.jar:9.0.62]
at org.apache.tomcat.util.net.NioEndpoint.bind(NioEndpoint.java:234) ~[tomcat-embed-core-9.0.62.jar:9.0.62]
at org.apache.tomcat.util.net.AbstractEndpoint.bindWithCleanup(AbstractEndpoint.java:1227) ~[tomcat-embed-core-9.0.62.jar:9.0.62]
at org.apache.tomcat.util.net.AbstractEndpoint.start(AbstractEndpoint.java:1313) ~[tomcat-embed-core-9.0.62.jar:9.0.62]
at org.apache.coyote.AbstractProtocol.start(AbstractProtocol.java:614) ~[tomcat-embed-core-9.0.62.jar:9.0.62]
at org.apache.catalina.connector.Connector.startInternal(Connector.java:1072) ~[tomcat-embed-core-9.0.62.jar:9.0.62]
... 20 common frames omitted
Caused by: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty
at java.base/java.security.cert.PKIXParameters.setTrustAnchors(PKIXParameters.java:200) ~[na:na]
at java.base/java.security.cert.PKIXParameters.<init>(PKIXParameters.java:157) ~[na:na]
at java.base/java.security.cert.PKIXBuilderParameters.<init>(PKIXBuilderParameters.java:130) ~[na:na]
at org.apache.tomcat.util.net.SSLUtilBase.getParameters(SSLUtilBase.java:502) ~[tomcat-embed-core-9.0.62.jar:9.0.62]
at org.apache.tomcat.util.net.SSLUtilBase.getTrustManagers(SSLUtilBase.java:433) ~[tomcat-embed-core-9.0.62.jar:9.0.62]
at org.apache.tomcat.util.net.SSLUtilBase.createSSLContext(SSLUtilBase.java:247) ~[tomcat-embed-core-9.0.62.jar:9.0.62]
at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:105) ~[tomcat-embed-core-9.0.62.jar:9.0.62]
... 26 common frames omitted
Disconnected from the target VM, address: '127.0.0.1:62614', transport: 'socket'
Thank you very much for your support and help.
PS: If someone has a good documentation about it too, I will be please :)
CodePudding user response:
Based on the explanation given by @dave_thompson_085 there is the solution:
There is how to create the correct certificate:
keytool -genkey -alias myCertificate -keystore myCertificate.jks -ext "SAN:c=DNS:localhost,IP:127.0.0.1"
keytool -genkey -alias myClientCertificate -keystore myClientCertificate.jks -ext "SAN:c=DNS:localhost,IP:127.0.0.1"
keytool -export -alias myClientCertificate -file myClientCertificate.crt -keystore myClientCertificate.jks
keytool -export -alias myCertificate -file myCertificate.crt -keystore myCertificate.jks
keytool -import -alias myClientCertificate -file myClientCertificate.crt -keystore myCertificate.jks
And then on Eureka application.yml:
ssl:
enabled: true
key-store: file:c:\tmp\ssl\myCertificate.jks
key-store-type: JKS
key-store-password: 12345678
trust-store: file:c:\tmp\ssl\myCertificate.jks
trust-store-type: PKCS12
trust-store-password: 12345678