I'm creating a microservice in Spring Boot which needs to communicate with an existing authentication service.
I have set up the OAuth configuration in Spring Boot, but I'm seeing the following error when it tries to talk to the external authentication service.
Could not fetch user details: class org.springframework.web.client.ResourceAccessException, I/O error on GET request for "https://somedomain.com/profile": sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target; nested exception is javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
This appears to be because the certificate on the remote authentication service isn't valid, so it doesn't like it.
How do I resolve this?
I have tried to use openssl to download the domain's certificate, and I've added this to Java's keystore, but that didn't fix the problem.
To grab and install the cert I did the following:
openssl s_client -showcerts -connect somedomain.com:443
keytool -importcert -keystore /Library/Java/JavaVirtualMachines/jdk1.8.0_171.jdk/Contents/Home/jre/lib/security/cacerts -storepass changeit -file /Users/myuser/Downloads/plplpl.crt
I was asked if I wanted to trust the cert, I selected yes.
Related
While connecting Vault (hosted on https) with Spring Boot I am getting the below error.
org.springframework.vault.authentication.VaultLoginException: Cannot log in using
org.springframework.web.client.ResourceAccessException: I/O error on POST request
for "https://10.166.181.83:31975/v1/auth/cert/login":
sun.security.validator.ValidatorException: PKIX path building failed:
sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid
certification path to requested target; nested exception is
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException:
PKIX path building failed:
sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid
certification path to requested target
My pom.xml is
<dependency>
    <groupId>org.springframework.cloud</groupId>
    <artifactId>spring-cloud-starter-vault-config</artifactId>
</dependency>
While connecting to the localhost Vault server, which is on http, everything works fine.
Could anyone please help me on this?
**bootstrap.properties is:**
spring.cloud.vault.scheme=https
spring.cloud.vault.kv.enabled=true
spring.cloud.vault.generic.enabled=true
spring.cloud.vault.generic.backend=configuration-server
spring.cloud.vault.generic.default-context=credentials
spring.cloud.vault.connection-timeout=5000
spring.cloud.vault.read-timeout=15000
spring.cloud.vault.config.order=-10
spring.cloud.vault.authentication=CERT
spring.cloud.vault.ssl.cert-auth-path=cert
spring.cloud.vault.ssl.trust-store-location=classpath:vault.jks
spring.cloud.vault.ssl.trust-store-password=ril#12345
management.endpoints.web.exposure.include=*
management.endpoint.env.post.enabled=true
spring.cloud.vault.uri=https://../../../
spring.cloud.vault.token=hvs.XXXXXXXX
It looks like you are connecting to https using an IP address in the URI. This results in an SSL error (since certificates are based on names and not IPs), so you can either add the certificate to the trusted list using keytool or add code to ignore certificate validation (depending on how you connect, this will vary; https://howtodoinjava.com/java/java-security/bypass-ssl-certificate-checking-java/ has some examples, one of which will probably fit).
I have keycloak running inside a docker container with an nginx https proxy.
Now I'm trying to connect spring boot with keycloak,
but I get an "ssl handshake" error
javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
How can I add the valid certificate path to the requested target?
I tried to add a keystore and trust the certificate from keycloak inside the keystore.
But it doesn't work.
I am getting the error below during service-to-service API communication. The certificate is already imported in the Java keystore.
[ERROR]: I/O error on GET request for "https://url.com/data-api/customer": PKIX path validation failed: java.security.cert.CertPathValidatorException: name constraints check failed; nested exception is javax.net.ssl.SSLHandshakeException: PKIX path validation failed: java.security.cert.CertPathValidatorException: name constraints check failed
I resolved the issue myself. I had to import the application URL's SSL certificate into the Java keystore. This was not required in the Dev and Staging environments, even though the SSL cert was used in all environments. I am glad that the issue got fixed after importing the cert.
keytool -importcert -file ./prod.cer -cacerts -keypass <password> -storepass <password> -noprompt -alias prod-cert
Recently we had an issue with one of our Java applications that was trying to run an SSL-protected web service of an Amazon load balancer, that had their certificate signed by GoDaddy. We did not copy and paste the contents of the public key certificate chain file (PEM-encoded) into the Certificate Chain box. Now we were seeing the following error:
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
Is there a way to resolve this exception?
This error means your Java keystore doesn't have the SSL certificate for the service you are trying to connect to.
You need to add the public certificate of GoDaddy/Intermediate CA to your Java keystore.
You can use the keytool command for that.
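Added example, not part of the original posts: it covers both the `openssl s_client -showcerts` / `keytool -importcert` steps from the first question and the "add the intermediate CA" advice in the answer above. The function names (`split_chain`, `required_anchor`, `import_cas`) are hypothetical and the sample output is constructed.

```shell
# Constructed sample of `openssl s_client -showcerts` output (bodies are
# placeholders, not real certificates). The leaf is printed a second time
# under "Server certificate", which is why parsing stops there.
SAMPLE_SHOWCERTS='Certificate chain
 0 s:CN = somedomain.com
   i:C = XX, O = Example CA, CN = Example Issuing CA
-----BEGIN CERTIFICATE-----
constructed-leaf-body
-----END CERTIFICATE-----
 1 s:C = XX, O = Example CA, CN = Example Issuing CA
   i:C = XX, O = Example CA, CN = Example Root CA
-----BEGIN CERTIFICATE-----
constructed-intermediate-body
-----END CERTIFICATE-----
---
Server certificate
-----BEGIN CERTIFICATE-----
constructed-leaf-body
-----END CERTIFICATE-----'

# split_chain OUTDIR: write every PEM block of the chain on stdin to
# OUTDIR/cert-N.pem (cert-0 is the leaf) and print how many were sent.
split_chain() {
  mkdir -p "$1"
  awk -v dir="$1" '
    /^Server certificate/ { exit }
    /-----BEGIN CERTIFICATE-----/ { f = sprintf("%s/cert-%d.pem", dir, n++); inside = 1 }
    inside { print > f }
    /-----END CERTIFICATE-----/ { inside = 0; close(f) }
    END { print n + 0 }'
}

# required_anchor: print the issuer of the last certificate sent. A CA
# certificate with this subject must be in the truststore the JVM really uses.
required_anchor() {
  awk '/^ +i:/ { sub(/^ +i:/, ""); iss = $0 }
       END { print iss; exit (iss == "" ? 1 : 0) }'
}

# import_cas DIR STORE PASS PREFIX: import the CA certificates (cert-1 and up;
# the leaf changes at every renewal) into a dedicated truststore.
import_cas() {
  for pem in "$1"/cert-[1-9]*.pem; do
    [ -e "$pem" ] || continue
    keytool -importcert -noprompt -alias "$4-$(basename "$pem" .pem)" \
      -file "$pem" -keystore "$2" -storepass "$3"
  done
}
```

Feed the functions the output of `openssl s_client -showcerts -connect somedomain.com:443 </dev/null`; if `split_chain` reports 1, the server sends no intermediate and the CA named by `required_anchor` has to be obtained from the CA itself. Starting the JVM with `-Djavax.net.ssl.trustStore` pointing at the new store replaces the default `cacerts` rather than adding to it.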
I have a web application deployed on Linux machine. Now, while generating pdf in web application I am getting following error:
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
It seems that ValiCert Class 3 PKI (X.509) certificate is missing in jre's keystore. Does anyone have an idea of how to download it on Linux? Please provide the steps or link where I can get the required information?
Thanks in advance!