Spring Boot microservice cannot connect to config-server through https

Time:05-21

I've successfully changed all my microservices into calling on each other's REST APIs through https instead of the default http. Only the config-server is left and something keeps going wrong. Currently trying to connect with it through spring.cloud.config.uri=https://localhost:8888/my-config-server defined in its bootstrap.properties file. My application.properties defines the stores like this:

server.ssl.key-store=classpath:SSL.jks
server.ssl.key-store-type=pkcs12
server.ssl.key-store-password=Password!
server.ssl.key-alias=SSL

Trying to connect to the config-server throws this:

I/O error on GET request for "https://localhost:8888/my-config-server: PKIX path building failed
[...]
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

This isn't a new error to me since I ran into this while connecting other services to the api-gateway, I solved that by using System.setProperty("javax.net.ssl.trustStore", ...);. However, this doesn't seem to do anything for the config server. I've turned on -Djavax.net.debug=all but I'm quite new to this, so I don't really know what to make of it. What I can tell you for certain is that a

"ClientHello": {
  "client version": "TLSv1.2" .....

is present, followed by a

"ServerHello": {
  "server version": "TLSv1.2" ....

It fails once it reaches the following:

Consuming server Certificate handshake message (
"Certificate": {
  "certificate_request_context": "",
  "certificate_list": [  
  {
    "certificate": {
      "version": "v3" ....

This becomes a Fatal (CERTIFICATE_UNKNOWN): PKIX path building failed. I've double checked that my applications accept TLSv1.2 as well as TLSv1.3. I generated the keystore using keytool commands:

keytool -genkeypair -alias SSL -keyalg RSA -keypass Password! -storetype PKCS12 -keystore SSL.jks -validity 1095 -keysize 2048

Am I missing something? I feel like I'm quite lost on this implementation.

Edit: the path building error shows up in the microservice and not the config-server. The config-server seems to start up fine on its own and doesn't throw any errors/warnings.

CodePudding user response:

You can try adding these parameters when running your application.

-Djavax.net.ssl.trustStore=/app/security/truststore.jks
-Djavax.net.ssl.trustStorePassword=myTrustStorePassword

I personally solved the certificate issue by manually adding the certificate from the browser into the JVM by following these exact steps: https://connect2id.com/blog/importing-ca-root-cert-into-jvm-trust-store

CodePudding user response:

So I assumed that it was a kind of loading problem. The config-server runs on https, but the other properties haven't loaded any of the keys/certs yet during bootstrapping! So I followed this and forced all my microservices to load these configurations during bootstrapping. The key is this line from the tutorial:

org.springframework.cloud.bootstrap.BootstrapConfiguration = pl.piomin.services.account.SSLConfigServiceBootstrapConfiguration
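Below is an added worked example of the bootstrap configuration the second answer refers to, combined with the explicit trust store that the first answer's -Djavax.net.ssl.trustStore flags point at. It is not code from the original post, the tutorial, or the Spring Cloud project. It assumes a PKCS12 trust store named config-server-truststore.p12 on the classpath with password changeit, a package name com.example.myservice.bootstrap, and the Spring Cloud Config client plus Apache HttpClient 4.5 on the classpath; all of those names are assumptions. The security-relevant point it illustrates is that the client needs trust material only (the config-server's certificate), never a copy of the server.ssl.key-store that holds the private key.

```java
package com.example.myservice.bootstrap;

import java.io.InputStream;
import java.security.KeyStore;
import javax.net.ssl.SSLContext;

import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.impl.client.HttpClients;
import org.apache.http.ssl.SSLContexts;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.cloud.config.client.ConfigClientProperties;
import org.springframework.cloud.config.client.ConfigServicePropertySourceLocator;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.io.ClassPathResource;
import org.springframework.http.client.HttpComponentsClientHttpRequestFactory;
import org.springframework.web.client.RestTemplate;

/**
 * Bootstrap-phase configuration: the config client fetches properties before the
 * main ApplicationContext (and any System.setProperty calls in it) runs, so the
 * trust store must be wired here. Register the class in META-INF/spring.factories:
 *
 *   org.springframework.cloud.bootstrap.BootstrapConfiguration=\
 *   com.example.myservice.bootstrap.SSLConfigServiceBootstrapConfiguration
 */
@Configuration
public class SSLConfigServiceBootstrapConfiguration {

    // Assumed names: a PKCS12 trust store holding ONLY the config-server's certificate
    // (exported with keytool), no private key. See the usage note for how it is built.
    private static final String TRUST_STORE = "config-server-truststore.p12";
    private static final char[] TRUST_STORE_PASSWORD = "changeit".toCharArray();

    @Autowired
    private ConfigClientProperties clientProperties;

    @Bean
    public ConfigServicePropertySourceLocator configServicePropertySourceLocator() throws Exception {
        KeyStore trustStore = KeyStore.getInstance("PKCS12");
        try (InputStream in = new ClassPathResource(TRUST_STORE).getInputStream()) {
            trustStore.load(in, TRUST_STORE_PASSWORD);
        }

        // Trust material only: the client has to verify the server, not present a key.
        // Reusing server.ssl.key-store (which contains the private key) as the trust
        // store would also make the PKIX error go away, but it hands every client a
        // copy of the server's key, so the two stores are kept separate on purpose.
        SSLContext sslContext = SSLContexts.custom()
                .loadTrustMaterial(trustStore, null)
                .build();

        // Hostname verification is left on: the certificate's CN/SAN must match the
        // host in spring.cloud.config.uri (localhost in the question).
        CloseableHttpClient httpClient = HttpClients.custom()
                .setSSLContext(sslContext)
                .build();

        // This bean replaces the default locator, which is @ConditionalOnMissingBean.
        ConfigServicePropertySourceLocator locator =
                new ConfigServicePropertySourceLocator(clientProperties);
        locator.setRestTemplate(new RestTemplate(new HttpComponentsClientHttpRequestFactory(httpClient)));
        return locator;
    }
}
```

To build the assumed trust store from the question's keystore, export the certificate with keytool -exportcert -alias SSL -keystore SSL.jks -storetype PKCS12 -storepass 'Password!' -rfc -file config-server.crt and import only that file with keytool -importcert -alias config-server -file config-server.crt -keystore config-server-truststore.p12 -storetype PKCS12 -storepass changeit -noprompt. The same file can be passed as -Djavax.net.ssl.trustStore as in the first answer; because that flag applies to the whole JVM from startup it also covers the bootstrap fetch, whereas a System.setProperty call made later in application code does not. Note that bootstrap.properties is only honoured by newer Spring Cloud releases when spring-cloud-starter-bootstrap is on the classpath.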