I have an application based on quarkus. It needs to connect to database using SSL. I have specified the config as follows:
quarkus.datasource.db-kind=postgresql
quarkus.datasource.reactive.url=postgresql://ipaddress:5432/dbname?sslmode=verify-ca
quarkus.datasource.password=password
quarkus.datasource.username=username
quarkus.datasource.reactive.postgresql.ssl-mode=require
quarkus.datasource.reactive.trust-certificate-pem=true
quarkus.datasource.reactive.trust-certificate-pem.certs=certificates/cacertificate.pem,certificates/client.pem
quarkus.datasource.reactive.key-certificate-pem=true
quarkus.datasource.reactive.key-certificate-pem.keys=certificates/private_key.pem
quarkus.datasource.reactive.trust-all=true
However, I got the following error:
io.vertx.core.VertxException: io.vertx.core.VertxException: Missing X.509 certificate
at io.vertx.core.net.impl.SSLHelper.createContext(SSLHelper.java:336)
at io.vertx.core.net.impl.SSLHelper.getContext(SSLHelper.java:511)
at io.vertx.core.net.impl.SSLHelper.createEngine(SSLHelper.java:547)
at io.vertx.core.net.impl.NetSocketImpl.upgradeToSsl(NetSocketImpl.java:307)
at io.vertx.core.net.impl.NetSocketImpl.upgradeToSsl(NetSocketImpl.java:291)
at io.vertx.pgclient.impl.InitiateSslHandler.channelRead(InitiateSslHandler.java:73)
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:379)
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:365)
at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:357)
at io.netty.channel.DefaultChannelPipeline$HeadContext.channelRead(DefaultChannelPipeline.java:1410)
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:379)
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:365)
at io.netty.channel.DefaultChannelPipeline.fireChannelRead(DefaultChannelPipeline.java:919)
at io.netty.channel.epoll.AbstractEpollStreamChannel$EpollStreamUnsafe.epollInReady(AbstractEpollStreamChannel.java:792)
at io.netty.channel.epoll.EpollEventLoop.processReady(EpollEventLoop.java:475)
at io.netty.channel.epoll.EpollEventLoop.run(EpollEventLoop.java:378)
at io.netty.util.concurrent.SingleThreadEventExecutor$4.run(SingleThreadEventExecutor.java:989)
at io.netty.util.internal.ThreadExecutorMap$2.run(ThreadExecutorMap.java:74)
at io.netty.util.concurrent.FastThreadLocalRunnable.run(FastThreadLocalRunnable.java:30)
at java.lang.Thread.run(Thread.java:750)
Caused by: io.vertx.core.VertxException: Missing X.509 certificate
at io.vertx.core.net.impl.KeyStoreHelper.loadKeyCert(KeyStoreHelper.java:231)
at io.vertx.core.net.PemKeyCertOptions.getHelper(PemKeyCertOptions.java:447)
at io.vertx.core.net.PemKeyCertOptions.getKeyManagerFactory(PemKeyCertOptions.java:465)
at io.vertx.core.net.impl.SSLHelper.getKeyMgrFactory(SSLHelper.java:341)
at io.vertx.core.net.impl.SSLHelper.createContext(SSLHelper.java:286)
Did I make any mistake? What is the proper way to connect to database using SSL in Quarkus?
I couldn't find any example in the Quarkus homepage.
I have made sure the certificate and key files (pem format) available in the specified directory. I am not sure how to tell my Quarkus app which the cacertificate and client certificate to be used since the config name is pretty general. I expected the db is connected by only setting up that config and no further code should be added since the connection is handled by Quarkus.
quarkus.datasource.url=jdbc:postgresql://host:port/database?ssl=true&sslmode=require
quarkus.datasource.driver=org.postgresql.Driver
quarkus.datasource.username=username
quarkus.datasource.password=password
# SSL configuration
quarkus.datasource.ssl-mode=require
quarkus.datasource.ssl-factory=org.postgresql.ssl.NonValidatingFactory
quarkus.datasource.ssl-factory-arg=trustStorePath=/path/to/truststore.jks,trustStorePassword=password
To connect to a database using SSL in Quarkus, you can configure the connection properties for the database in the application.properties file. You will need to provide the necessary SSL properties such as the location of the truststore and keystore, and the passwords for those files.
The error message suggests that the X.509 certificate is missing. To fix this issue, ensure that the paths to the certificate files in the properties quarkus.datasource.reactive.trust-certificate-pem.certs and quarkus.datasource.reactive.key-certificate-pem.keys are correct, and that the files are accessible at those locations. It's also important to check that files contain the correct PEM formated certificate . Also, it's worth to double check that the certificate files are in the correct format and match the expected CA and client certificates.
Related
Want to introduce HTTPS protocol (trusted certificate) to my Spring Boot(1.3.2.RELEASE) application.
For this purpose tried next SSL properties:
server.ssl.trust-store=classpath:key.jks
server.ssl.trust-store-password=pass
and have the error:
Caused by: java.lang.IllegalArgumentException: Resource location must not be null
at org.springframework.util.Assert.notNull(Assert.java:115) ~[spring-core-4.2.4.RELEASE.jar:4.2.4.RELEASE]
at org.springframework.util.ResourceUtils.getURL(ResourceUtils.java:131) ~[spring-core-4.2.4.RELEASE.jar:4.2.4.RELEASE]
at org.springframework.boot.context.embedded.tomcat.TomcatEmbeddedServletContainerFactory.configureSslKeyStore(TomcatEmbeddedServletContainerFactory.java:340) ~[spring-boot-1.3.2.RELEASE.jar:1.3.2.RELEASE]
at org.springframework.boot.context.embedded.tomcat.TomcatEmbeddedServletContainerFactory.configureSsl(TomcatEmbeddedServletContainerFactory.java:323) ~[spring-boot-1.3.2.RELEASE.jar:1.3.2.RELEASE]
In that error you can see that configureSslKeyStore should be passed.
When I am trying to launch the application with next set of changes:
server.ssl.key-store=classpath:key.jks
server.ssl.key-store-password=pass
server.ssl.trust-store=classpath:key.jks
server.ssl.trust-store-password=pass
Application starts successfully but https is not reachable:
So now I have several questions:
What can be the reason of such behavior, that protocol is unsupported?(Certificate is fresh and not outdated)
Is it correctly that there is no way to configure trusted certificate without redundant properties?
Is there some other more convenient way to configure trusted
SSL?
UPDATE:
It is JAR file and certificate exists inside of it classpath:key.jks"".
The reason was in my .jks file. It was generated in a wrong way.
Here is the link where you can find the correct structure of storekeys.
I've got an app written using the Spark Java framework, with TLS enabled.
See:
Service https = ignite()
.port(8443)
.secure(keystorePath, keystorePass, truststorePath, truststorePass);
This is being served on port 443 via an iptables rule that redirects incoming 443 to 8443.
The problem I am having is that when using the Qualys ssl labs test (https://www.ssllabs.com/ssltest/) the server is not providing the intermediate certificates that have been configured in my truststore.
Similar results occur when I use openssl s_client:
Verify return code: 21 (unable to verify the first certificate)
Along with
depth=0 /OU=Domain Control Validated/OU=PositiveSSL/CN=my.app.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 /OU=Domain Control Validated/OU=PositiveSSL/CN=my.app.com
verify error:num=27:certificate not trusted
verify return:1
depth=0 /OU=Domain Control Validated/OU=PositiveSSL/CN=my.app.com
verify error:num=21:unable to verify the first certificate
verify return:1
From what I can tell, it appears that the server (spark java app, or embedded Jetty I suppose) is not serving up the intermediate certificates for chain validation.
Browsers see the site as secure, but I believe that's because the browsers are downloading the necessary intermediate certificates on their own.
The reason that this is a problem is that I am trying to use Stripe payment webhooks, and they have strict regulations in terms of the TLS cert chain being valid.
I am not sure where to begin on figuring out why these intermediate certs are not being served by my app. Could anyone offer some advice?
I have more or less the same exact problem. I followed the instructions at the Java Spark website (sparse that they are) and only get a Server Error for my efforts.
I imported a third-party certificate in my keystore file. I generated the CSR externally to the java keytool.
I moved the keystone file on the server where the "mydomain.com" exists.
I have the same basic code to do a test "secureHello" (per their documentation), passing the path to the keystore.jks file as the first parameter, and the password as the second.
RESULT: SERVER ERROR.
Not sure what I can try next. Clearly, I'm missing something.
4 hours banging my head on the desk so far (today)...
I have to call a webservice to purge files (delete from its child servers also) from remote server. In that course I am using a URL which has https in it.
WebSphere throws a java.security.cert.CertPathValidatorException: Certificate chaining error.
Later I found and configured signer certificate, By retrieving the certificate information using host name and port number. I saved this new singer certificate and after that i didnt get that exception.
But the problem is in some WebSphere am able to do this and in some am not able to do. In other I am getting this error: DerInputStream.getLength(): lengthTag=127, too big.
So here is my question why am not able to configure in other WebSphere, what could be the reason? am I doing it in wrong way?
DerInputStream.getLength(): lengthTag=127, too big.
This is because the certificate you are trying to import is not a DER format file. I got this error with a PKCS7 file.
In my project,I have integrated Spring Security with CAS server authentication. Now my project is an http application where as the CAS server is an Https application. I was getting following exception after Spring Security and CAS integration: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
In order to solve this error ,I replaced CAS server usr\java\jre\lib\security\cacerts file with my local usr\java\jre\lib\security\cacerts file. After this step the error was gone.
Now I want to deploy my application to some other server. In this new server some other applications are also deployed which may be using different CAS authentication. I cannot directly replace my CAS server cacerts file with this new server cacerts file as in that other application deployed may fail.Right? Can anyone suggest what should I do so that cacerts can be merged,or what should be done? i got to know a command called as keytool but unable to understand how it could be used to merge cacerts file. I dont know how to get my CAS server .cer file,I got to know this could be used in merging,please suggest solution
There is a missunderstanding here.
cacerts is Java's default truststore containing all the trusted certificates for known CA's (Verisign etc). So java can by default trust these certificates same way that your browser does.
This truststore should be used when you want to connect to servers that are signed by these CAs.
In all other cases you are expected to use your own custom truststore so that you can trust specific servers.Actually this is the norm.
So what you should be doing is to load in your code your own truststore and provide that to Java's JSSE to use for authentication during handshake
This website, https://dcs1.noaa.gov, recently updated their SSL certification. Since that change I cannot grab a file from there that I need. I get the following error:
--08:37:12-- https://dcs1.noaa.gov/pdts_compressed.txt
=> `pdts_compressed.txt'
Resolving dcs1.noaa.gov... 205.156.2.181
Connecting to dcs1.noaa.gov|205.156.2.181|:443... connected.
ERROR: Certificate verification error for dcs1.noaa.gov: unable to get local issuer certificate
To connect to dcs1.noaa.gov insecurely, use `--no-check-certificate'.
Unable to establish SSL connection.
I am running Red Hat Linux 4.x and updated all the openssl packages. The usual process I use to access this file is running in Java and uses URL.openStream() to read the file. The command wget also does not work so I am assuming that it is an SSL problem and not a java problem.
the cert is issued by Verisign, probably their root cert is in your servers root cert store. Open the webpage from your machine from a browser and you will see the cert is valid. You can also try to wget from another machine and it will work too.
Probably, the new server certificate is issued by an issuing authority that is not trusted by you. You need to import the issuing authority's certificate in your truststore.
You could try testing the SSL connection with openssl's s_client. I recently had a similar problem and had it resolved. Here's a link to that solution. It also includes information on how to use the s_client to test an SSL connection.
SSL Error: unable to get local issuer certificate