When I run my application locally, everything works correct, mails are sent, but I deployed my application to aws EC2 and I get this:
org.springframework.mail.MailAuthenticationException: Authentication failed;
I have less secure apps turned off on my gmail account I send emails from, the two steps verification is also turned off. As I said, everything was working before I deployed the app to aws.
Properties:
mail:
host: smtp.gmail.com
username: <my.mail>#gmail.com
password: <my.password>
port: 587
protocol: smtp
properties:
mail.smtps.auth: true
mail.smtp.starttls.enable: true
mail.smtp.ssl.trust: smtp.gmail.com
Am I missing any property or something like this?
This looks like duplicate from:
javax.mail.AuthenticationFailedException: 534-5.7.14 <https://accounts.google.com/signin/continue?sarp=1
Ok, I finally solved this. The problem is that google blocks EC2 ports so what I needed to do was to turn on 2 steps verification in my google account -> then create new password (option under setting 2 steps verification) -> set this password in my .yml file as the new one -> everything works
I also set the SMTP rules in my EC2 security groups but I am not sure if it had any impact or the steps I have descripted above are enough
Related
I've got a Spring Boot Java application that sends emails via SMTP port 465 (non-gmail email). My configuration:
spring:
mail:
host: ssl0.ovh.net
port: 465
username: mailer#external.pl
password: mailerPassword
Locally everything works fine. When I deploy it on GCP Kubernetes cluster I've got a connection reset exception. I've read that GCP recommends some external paid providers but for my solution it's too much of a complication. Additionally I know that port 25 is disabled on GCP -> I've got port 465.
I've tried to simply add a firewall egress rule to enable traffic on every port for my VPC but it also didn't help.
What am I missing? Can anybody help my solve this puzzle?
Additional info:
My Java application is served as a simple deployment in k8s. It is exposed through LoadBalancer service on port 80.
Making a curl from given managed pod works - I receive a correct 2xx responses from various sites.
It turned out that my config map port changed from 456 to 465 but I forgot to restart the app. It works like a charm without any NAT configuration or firewall rules. Thanks for your support.
I have an existing Java Spring Boot project that been using Gmail for sending out email such as forgot password for our web system.
Recently we are moving to production as we are using Smartermail as our company email. The same Java Mail Code wrapper from Spring Boot that is working with Gmail SMTP is now not working after changing the configuration to smartermail SMTP.
However, I have tried to connect it from my Android phone email app using the same Smartermail configuration and credential, and it is all working.
Here is my application.properties content snapshot:
# Email setting
com.eurogain.portal.emailFrom=postmaster#myowndomain.com
spring.mail.host=mail.myowndomain.com
spring.mail.port=465
spring.mail.username=user1#myowndomain.com
spring.mail.password=password
spring.mail.properties.mail.smtp.connectiontimeout=15000
spring.mail.properties.mail.smtp.timeout=15000
spring.mail.properties.mail.smtp.writetimeout=15000
spring.mail.properties.mail.smtp.auth=true
spring.mail.properties.mail.smtp.starttls.enable=true
There are no error, and the above code the reason I put the timeout shorter is because without it, it will keep on running without any stop.
Any advise or tips? Appreciate the helps.
Ok, it was confirmed by the system admin that the port 465 here is for secure encryption type. The non-secure port is 587.
Still, in that case, does that mean Java Sprint Boot email doesn't support the secure type?
I am attempting to setup a Spring Cloud Config Server backed by Spring Cloud Vault secret management. I'm relatively new to Spring but I have tried following instructions and examples here:-
http://cloud.spring.io/spring-cloud-vault-config/
Everything works fine provided you follow the default settings like http, localhost and 8200 for the vault endpoint and tls_disable = 1 to switch off SSL. However these are not practical settings for any real environment and there are few examples anywhere that help with this. Can anyone help with a working example?
I have Successfully set up vault with TLS enable. I have successfully set up a config server that connects using a self signed cert. I can even inject a secret value into the config server and expose it via #Value and #PostConstruct.
All of this is working. However when I try to leverage Spring Conig endpoints to access vault, I get the following:-
{
"timestamp": 1486413850574,
"status": 500,
"error": "Internal Server Error",
"exception": "org.springframework.web.client.ResourceAccessException",
"message": "I/O error on GET request for \"http://127.0.0.1:8200/v1/secret/myapp\": Connection refused: connect; nested exception is java.net.ConnectException: Connection refused: connect",
"path": "/myapp/default"
}
Config server is using default values even though I have set overrides in the bootstrap.yml.:-
server:
port: 8888
spring:
profiles:
active: vault
spring.cloud.vault:
host: myhost.mydomain.com
port: 8200
scheme: https
authentication: TOKEN
token: 0f1887c3-d8a8-befd-a5a2-01e4e066c50
ssl:
trust-store: configTrustStore.jks
trust-store-password: changeit
As you can see it should be pointing to myhost.mydomain.com not
127.0.0.1 and it should be using https, not http as the protocol scheme.
I'm not sure why it uses these defaults for config server endpoints but uses correct settings during spring cloud vault startup. I'm using all the latest stable builds of Spring Dalsten.M1 and Spring Cloud Vault 1.0.0.M1. I realize these are milestone releases. I've also tried Camden and Brixton combos with no luck. I can supply code if required.
Any help greatly appreciated.
As I mention in my response to spensergibb, I have had some success in resolving this myself. Based on his comments I will clarify my intent as it will help with a common understanding of the issue. I am attempting to do two things:-
Stand up a configuration server that uses Vault as a backend, (as opposed to the default GIT backend) and expose the Vault API to client applications (over TLS) so that they can retrieve their own secrets. I do not want all my client applications to connect to Vault directly. I want them to get their configuration from a config server by having the config server connect to Vault. Until last night I was unable to achieve this goal, unless I set everything up as default with TLS disabled and using loopback address, port 8200 for the Vault software etc. Obviously defaults are not practical for any of our deployed environments. I will mention that the link posted by spencergibb does help me understand why this was not working but the subtlety of the reason is why I missed it before. Read on for my explanation.
I want the config server to configure itself from Vault directly. That is, connect to Vault via Spring Cloud Vault Config. This worked right away for me as described in the documentation. However this goal is somewhat trivial as I do not have a real use case at this time. But I wanted to understand if it could be done since I saw no real reason why not and it seemed like good first steps in integrating Vault.
The distinction between these two capabilities helped me understand that the problem derives from the fact that Spring Cloud Config Server and Spring Cloud Vault appear to be using two different beans to inject the Vault configuration properties. Spring Cloud Config Server uses VaultEnvironmentRepository annotated with #ConfigurationProperties("spring.cloud.config.server.vault") and Spring Cloud Vault uses VaultProperties annotated with #ConfigurationProperties("spring.cloud.vault").
This caused me to add two different configs to my bootstrap yml.
server:
port: 8888
spring:
profiles:
active: local, vault
application:
name: quoting-domain-configuration-server
cloud:
vault:
host: VDDP03P-49A26EF.lm.lmig.com
port: 8200
scheme: https
authentication: TOKEN
token: 0f1997c3-d8a8-befd-a5a2-01e4e066c50a
ssl:
trust-store: configTrustStore.jks
trust-store-password: changeit
config:
server:
vault:
host: VDDP03P-49A26EF.lm.lmig.com
port: 8200
scheme: https
authentication: TOKEN
token: 0f1997c3-d8a8-befd-a5a2-01e4e066c50a
Note the same config details. Just different yml paths. This is the subtle point I missed given that I started by getting goal number 1 to work first and assuming the same config would work for both goals. (Note: Token and password are contrived).
This almost worked except for an SSL handshake error. As you can see there are no SSL attributes set on the spring.cloud.config.server.vault path. The VaultProperties bean does not support them. I was not sure how to deal with this (perhaps another non-vault specific bean that I could not find). My solution was to simply force the cert configuration myself like this:-
#SpringBootApplication
#EnableConfigServer
public class Application
{
public static void main(String[] args)
{
System.setProperty("javax.net.ssl.trustStore",
Application.class.getResource("/configTrustStore.jks").getFile());
System.setProperty("javax.net.ssl.trustStorePassword", "changeit");
SpringApplication.run(Application.class, args);
}
}
This SSL solution is pretty ugly. I'm sure there must be a better way to do this part. So I am open to other suggestions. However once I completed all above steps everything now works.
Thanks for your write up. I was struggling to get this working. I was able to get a client service to connect to a Spring Cloud Config server and a Vault server but I was not able to get a Spring Cloud Config server to connect to a Vault server.
I even struggled after copying your configuration into my Spring Cloud Config server. While I eventually got it working with your configuration I was able to pare it down quite a bit. The key was that the token does not belong in the Spring Cloud Config server. It belongs in the client.
I was trying http://localhost:8888/{application}/default in the browser but got the following:
Whitelabel Error Page
This application has no explicit mapping for /error, so you are seeing this as a fallback.
Thu May 11 14:21:31 EDT 2017
There was an unexpected error (type=Bad Request, status=400).
Missing required header: X-Config-Token
I used PostMan to send the request with a X-Config-Token header containing the Vault token and it worked.
Here is my final config.
server:
port: ${PORT:8888}
management:
context-path: /manage
security:
enabled: true
spring:
profiles:
active: git,vault
application:
name: config-server
cloud:
config:
server:
git:
order: 1
uri: file:///temp/config-server/config
vault:
order: 0
host: localhost
port: 8200
scheme: http
So it looks like you need to add the token to the client. Maybe using spring.cloud.config.token.
instead
#SpringBootApplication
#EnableConfigServer
public class Application
{
public static void main(String[] args)
{
System.setProperty("javax.net.ssl.trustStore",
Application.class.getResource("/configTrustStore.jks").getFile());
System.setProperty("javax.net.ssl.trustStorePassword", "changeit");
SpringApplication.run(Application.class, args);
}
}
write
bootstrap yml ->
javax.net.ssl.trustStore: /configTrustStore.jks
javax.net.ssl.trustStorePassword: changeit
Although I am answering late. But I was able to configure spring cloud config server to use Vault as backend with CERT authentication via certificates. And moreover you do not require to send X-Config-Token in GET request. So your config-server GET requests will work in the same way it works with GITHUB as backend.As my implementation will get the token on the fly and change the incoming request by appending header. I would recommend to check all the steps in my tutorial and github repo.
Here is my tutorial : https://medium.com/#java.developer.raman/enable-spring-config-server-to-use-cert-authentication-with-vault-as-back-end-ff84e1ef2de7?sk=45a26d7f1277437d91a5cff3d5997287
And GitHub repository: https://github.com/java-developer-raman/config-server-vault-backend
I followed this guide and cloned the authserver. The project has an authserver and a client (as test). Example works fine but if I remove context-path property (I just want my app to work on /), it fails after redirect back to the client. Example:
Go to the client (localhost:9999);
Redirected to the authserver (localhost:8080);
Login through GitHub;
Redirected to the authserver and immediatly to the client with next url:
http://localhost:9999/login?code=dqoxz4&state=79qtJ5
Whitelabel error page responds:
There was an unexpected error (type=Unauthorized, status=401).
Authentication Failed: Could not obtain access token
As I mentioned above, it fails only if context-path is / (or removed at all). Otherwise, all works.
From your link:
The context path has to be explicit if you are running both the client
and the auth server on localhost, otherwise the cookie paths clash and
the two apps cannot agree on a session identifier.
We run successfully an app on / and AuthServer on /uaa. Try to set Context-Path on your AuthServer. Look at cookies from your app and AuthServer: they should not have same path.
EDIT:
Different domains should be fine. They don't share cookies. On same host, like localhost, you must use context path, because cookies are not port specific. See: https://stackoverflow.com/a/16328399/926620
Alternatively, you put domains in /etc/hosts (linux) or c:\windos\system32\drivers\etc\hosts. Just add line like:
127.0.0.1 website authserver
And then you can use http://website:9999 and http://authserver:8080 on same machine for development.
Or you can also set different names for cookies. See http://docs.spring.io/spring-boot/docs/current/reference/html/common-application-properties.html:
server.session.cookie.name=auth
server.session.cookie.name=web
You can set RedirecURI in your client application:
security: oauth2:
client:
client-id: acme
client-secret: acmesecret
access-token-uri: http://localhost:8080/oauth/token
user-authorization-uri: http://localhost:8080/oauth/authorize
pre-established-redirect-uri: http://localhost:9999/client
and you can set it on oauth2 server while registering the clients.
but I think it return to your ROOT context pass, Somthing like it have not enough persmission on Root pass or another application uses this context pass...
I have Rundeck installed on an instance that is on a VPC in Amazon AWS. This isn't the default VPC - it is one I have created with different subnets and security groups. My issue is this: Rundeck runs and acts fine except when sending email. I get this error:
2014-10-01 18:05:42,758 [quartzScheduler_Worker-2] ERROR grails.app.services.rundeck.services.NotificationService - Error sending notification email to email#domain.com for Execution 109: Mail server connection failed; nested exception is javax.mail.MessagingException: 501 5.0.0 HELO requires domain address . Failed messages: javax.mail.MessagingException: 501 5.0.0 HELO requires domain address
This is only when the instance is created in my VPC. It is in a public subnet that accesses the internet directly via an internet gateway so it has no Nat instance between it. ACLs are default for this subnet, and the security group is set to allow all outbound.
The weird thing is this works in the Amazon default VPC, but not in my created one. They are setup the exact same. Only difference is IP range obviously - both have public IPs and the security groups are setup the same. Sendmail can send email, but Java appears to not be able to.
Any ideas on what the issue is? I've tried a few things and I am stumped.
I couldn't get it to work with Amazon SES, but I did get it to work with Gmail smtp by using the Rundeck groovy config located here: https://gist.github.com/gschueler/5707281