I've successfully changed all my microservices into calling on each other's REST APIs through https instead of the default http. Only the config-server is left and something keeps going wrong. Currently trying to connect with it through spring.cloud.config.uri=https://localhost:8888/my-config-server defined in its bootstrap.properties file. My application.properties defines the stores like this:
server.ssl.key-store=classpath:SSL.jks
server.ssl.key-store-type=pkcs12
server.ssl.key-store-password=Password!
server.ssl.key-alias=SSL
Trying to connect to the config-server throws this:
I/O error on GET request for "https://localhost:8888/my-config-server: PKIX path building failed
[...]
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
This isn't a new error to me since I ran into this while connecting other services to the api-gateway; I solved that by using System.setProperty("javax.net.ssl.trustStore", ...);. However, this doesn't seem to do anything for the config server. I've turned on -Djavax.net.debug=all but I'm quite new to this, so I don't really know what to make of it. What I can tell you for certain is that a
"ClientHello": {
"client version": "TLSv1.2" .....
is present, followed by a
"ServerHello": {
"server version": "TLSv1.2" ....
it fails once it reaches the following:
Consuming server Certificate handshake message (
"Certificate": {
"certificate_request_context": "",
"certificate_list": [
{
"certificate": {
"version": "v3" ....
this becomes a Fatal (CERTIFICATE_UNKNOWN): PKIX path building failed. I've double checked that my applications accept TLSv1.2, as well as TLSv1.3. I generated the keystore using keytool commands:
keytool -genkeypair -alias SSL -keyalg RSA -keypass Password! -storetype PKCS12 -keystore SSL.jks -validity 1095 -keysize 2048
Am I missing something? I feel like I'm quite lost on this implementation.
Edit: the path building error shows up in the microservice and not the config-server. The config-server seems to start up fine on its own and doesn't throw any errors/warnings.
CodePudding user response:
You can try adding these parameters when running your application.
-Djavax.net.ssl.trustStore=/app/security/truststore.jks
-Djavax.net.ssl.trustStorePassword=myTrustStorePassword
I personally solved the certification issue by manually adding the certificate from the browser into the JVM by following these very steps: https://connect2id.com/blog/importing-ca-root-cert-into-jvm-trust-store
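As an added example (not from this answer or the thread), the following small Java utility builds the truststore that -Djavax.net.ssl.trustStore points at: it copies only the certificates out of the PKCS12 keystore the question generated (SSL.jks) into a separate file, so the client JVM trusts the server certificate without being handed the private key. File names and the truststore password are placeholders taken from the question and the answer; the class name is assumed.

```java
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.InputStream;
import java.io.OutputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.util.Enumeration;

/**
 * Example utility (not part of the thread): extracts certificates from a PKCS12
 * keystore into a certificate-only truststore for the javax.net.ssl.trustStore
 * system properties. Arguments (all optional, defaults are the thread's values):
 *   keystore path, keystore password, truststore path, truststore password
 */
public class TrustStoreBuilder {

    public static KeyStore certificatesOnly(KeyStore keyStore) throws Exception {
        // PKCS12 is the JDK default keystore type since Java 9; pass
        // -Djavax.net.ssl.trustStoreType=PKCS12 explicitly on older JVMs.
        KeyStore trustStore = KeyStore.getInstance("PKCS12");
        trustStore.load(null, null);

        Enumeration<String> aliases = keyStore.aliases();
        while (aliases.hasMoreElements()) {
            String alias = aliases.nextElement();
            Certificate[] chain = keyStore.getCertificateChain(alias);
            if (chain == null) {
                // A trusted-certificate entry: copy it as-is.
                Certificate cert = keyStore.getCertificate(alias);
                if (cert != null) {
                    trustStore.setCertificateEntry(alias, cert);
                }
                continue;
            }
            // A private-key entry: keep the public certificates, drop the key.
            // For the self-signed pair from keytool -genkeypair the chain is
            // one element, the server certificate itself.
            for (int i = 0; i < chain.length; i++) {
                String entryAlias = i == 0 ? alias : alias + "-" + i;
                trustStore.setCertificateEntry(entryAlias, chain[i]);
            }
        }
        return trustStore;
    }

    public static void main(String[] args) throws Exception {
        String keyStorePath = args.length > 0 ? args[0] : "SSL.jks";
        char[] keyStorePassword = (args.length > 1 ? args[1] : "Password!").toCharArray();
        String trustStorePath = args.length > 2 ? args[2] : "truststore.jks";
        char[] trustStorePassword = (args.length > 3 ? args[3] : "myTrustStorePassword").toCharArray();

        // The question's keystore is PKCS12 even though its extension is .jks.
        KeyStore keyStore = KeyStore.getInstance("PKCS12");
        try (InputStream in = new FileInputStream(keyStorePath)) {
            keyStore.load(in, keyStorePassword);
        }

        KeyStore trustStore = certificatesOnly(keyStore);
        try (OutputStream out = new FileOutputStream(trustStorePath)) {
            trustStore.store(out, trustStorePassword);
        }
        System.out.println("wrote " + trustStore.size() + " certificate(s) to " + trustStorePath);
    }
}
```

Run the result with -Djavax.net.ssl.trustStore=truststore.jks -Djavax.net.ssl.trustStorePassword=myTrustStorePassword (and -Djavax.net.ssl.trustStoreType=PKCS12 on JVMs whose default is still JKS). Note that these flags fix path building only; the client still checks that the certificate's subject alternative name (or, absent a SAN, its CN) matches the host in spring.cloud.config.uri, here localhost, so the self-signed certificate has to have been generated with that name.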
CodePudding user response:
So I assumed that it was kind of a loading problem. The config-server runs on https but the other properties haven't loaded any of the keys/certs yet during bootstrapping! So I followed this and forced all my microservices to load these configurations during bootstrapping. The key is this line from the tutorial:
org.springframework.cloud.bootstrap.BootstrapConfiguration = pl.piomin.services.account.SSLConfigServiceBootstrapConfiguration
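To make that spring.factories line concrete, here is an added example (my reconstruction, not the tutorial's or the answerer's code) of what the registered bootstrap configuration has to do: replace the config client's default RestTemplate with one whose SSLContext trusts a specific truststore, so the trust material is in place before the first GET to the config-server. The package and class name are the ones the spring.factories line registers; the property names config.client.trust-store and config.client.trust-store-password are assumptions for this example, and it relies on Apache HttpClient 4.x being on the classpath.

```java
package pl.piomin.services.account; // package taken from the spring.factories line above

import java.io.InputStream;
import java.security.KeyStore;

import javax.net.ssl.SSLContext;

import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.impl.client.HttpClients;
import org.apache.http.ssl.SSLContexts;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.cloud.config.client.ConfigClientProperties;
import org.springframework.cloud.config.client.ConfigServicePropertySourceLocator;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.io.Resource;
import org.springframework.http.client.HttpComponentsClientHttpRequestFactory;
import org.springframework.web.client.RestTemplate;

/**
 * Example bootstrap configuration (not the tutorial's code). Registered via
 * META-INF/spring.factories under org.springframework.cloud.bootstrap.BootstrapConfiguration,
 * it runs in the bootstrap context, i.e. before application.properties and
 * the server.ssl.* settings are loaded, which is where the default config
 * client otherwise fails with "PKIX path building failed".
 */
@Configuration
public class SSLConfigServiceBootstrapConfiguration {

    // Read from bootstrap.properties. Property names are assumed for this example;
    // they are not Spring-defined keys. The question's SSL.jks works here too,
    // since the PKIX trust manager accepts the certificate of a key entry.
    @Value("${config.client.trust-store:classpath:truststore.jks}")
    private Resource trustStore;

    @Value("${config.client.trust-store-password:changeit}")
    private String trustStorePassword;

    /**
     * Overrides the default locator (it is @ConditionalOnMissingBean) with one
     * whose HTTP client trusts exactly the certificates in the truststore.
     * Hostname verification stays enabled.
     */
    @Bean
    public ConfigServicePropertySourceLocator configServicePropertySourceLocator(
            ConfigClientProperties properties) throws Exception {
        KeyStore ts = KeyStore.getInstance("PKCS12");
        try (InputStream in = trustStore.getInputStream()) {
            ts.load(in, trustStorePassword.toCharArray());
        }

        // null TrustStrategy: standard PKIX validation against the loaded truststore.
        SSLContext sslContext = SSLContexts.custom()
                .loadTrustMaterial(ts, null)
                .build();

        CloseableHttpClient httpClient = HttpClients.custom()
                .setSSLContext(sslContext)
                .build();

        RestTemplate restTemplate =
                new RestTemplate(new HttpComponentsClientHttpRequestFactory(httpClient));

        ConfigServicePropertySourceLocator locator = new ConfigServicePropertySourceLocator(properties);
        locator.setRestTemplate(restTemplate);
        return locator;
    }
}
```

Because the bean is created in the bootstrap context, only bootstrap.properties is available to the @Value placeholders; a truststore path placed in application.properties would not be seen yet, which is the same ordering problem the answer describes. This applies to the legacy bootstrap mechanism the question uses (bootstrap.properties); on Spring Cloud versions that import config via spring.config.import instead, the bootstrap context is only active when spring-cloud-starter-bootstrap is on the classpath.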