I have a Springboot GRPC client which uses Self Signed Certificate & Private Key to establish a connection with the GRPC server.
File keyFile = new File(getClass().getClassLoader().getResource("certs/key.key").getFile());
File certFile = new File(getClass().getClassLoader().getResource("certs/cert.crt").getFile());
SslContext sslContext = GrpcSslContexts.forClient().keyManager(certFile, keyFile).build();
ManagedChannel channel = NettyChannelBuilder.forAddress(host, port).sslContext(sslContext).build();
The implementation works fine as expected in local springboot run via Intellij;
tested the interaction with server, works as expected but when i execute the jar created by my build(java -jar **-0.1.jar), i get the below exception.
I verified .crt & .key expiry and being available in the build .jar
Invocation of init method failed; nested exception is java.lang.IllegalArgumentException: File does not contain valid certificates: file:\C:\Projects\**-0.1.jar!\BOOT-INF\classes!\certs\cert.crt
Any suggestion/direction for the solution will be of great help.
Thanks in advance.
Related
So I read that Spring Boot now supports PEM since 2.7.0
https://docs.spring.io/spring-boot/docs/2.7.0-SNAPSHOT/reference/htmlsingle/#howto.webserver.configure-ssl 17.3.7. Configure SSL
So I am using PEM generated by certbot.
My application.properties
spring.jpa.generate-ddl=true
spring1.jpa.hibernate.ddl-auto=update
spring.jpa.show-sql=false
spring.jpa.properties.hibernate.format_sql=false
server.port=443
server.ssl.certificate=fullchain1.pem
server.ssl.certificate.certificate-private-key=privkey1.pem
server.ssl.trust-certificate=fullchain1.pem
When I launch I get
org.springframework.context.ApplicationContextException: Unable to start web server; nested exception is org.springframework.boot.web.server.WebServerException: Could not load key store 'null'
Caused by: org.springframework.boot.web.server.WebServerException: Could not load key store 'null'
Caused by: java.lang.IllegalArgumentException: Resource location must not be null
As per the documentation SSL configuration springboot
UPDATE:
Adding the content from link to directly in the answer, as link can
get updates
SSL can be configured declaratively by setting the various
server.ssl.* properties, typically in application.properties or
application.yml. The following example shows setting SSL properties
using a Java KeyStore file:
server.port=8443
server.ssl.key-store=classpath:keystore.jks
server.ssl.key-store-password=secret
server.ssl.key-password=another-secret
The following example shows setting SSL properties using PEM-encoded
certificate and private key files:
server.port=8443
server.ssl.certificate=classpath:my-cert.crt
server.ssl.certificate-private-key=classpath:my-cert.key
server.ssl.trust-certificate=classpath:ca-cert.crt
Your properties are not correctly declared,
server.ssl.certificate.certificate-private-key=privkey1.pem should be changed to server.ssl.certificate-private-key=privkey1.pem
So this workaround works
#Configuration
public class SSLConfig {
#Bean
public ConfigurableServletWebServerFactory webServerFactory() throws Exception {
TomcatServletWebServerFactory factory = new TomcatServletWebServerFactory();
Ssl ssl = new Ssl();
ssl.setEnabled(true);
ssl.setCertificate("cert1.pem");
ssl.setCertificatePrivateKey("privkey1.pem");
ssl.setKeyStoreType("PKCS12");
ssl.setKeyStorePassword(""); // without this decrytption fails
factory.setSsl(ssl);
factory.setPort(443);
return factory;
}
}
server.ssl.key-store=file:///Users/...
Have you tried this way of setting the path? First, make sure your application up with the correct path, then dig into the next step.
I am trying to connect to a topic that requires SSL. Can anyone suggest an approach to achieve this?
I have a ca.crt, ca.p12 and password provided by the kafka cluster administrator.
I can connect just fine using a test utility that leverages the keytool/keystore, but these don't work for Go.
The code to connect to the cluster is as follows:
func (p *KafkaPublisher) Initialise() {
configFile := "./config/kafka.properties"
fmt.Printf("Reading config file from: %s\n", configFile)
conf := ReadConfig(configFile)
var err error
kafkaProducer, err = kafka.NewProducer(&conf)
// rest of code commented out.
}
And this works just fine for SASL using the following config file:
bootstrap.servers=markets-cb--vog--pu-taejvaba.bf2.kafka.rhcloud.com:443
security.protocol=SASL_SSL
sasl.mechanisms=PLAIN
# Service account user name
sasl.username=700e9c83-b4be-4f23-8697-b6cfa5921354
sasl.password=ab955a0d-e78d-4d96-bd8e-35de3b6b83e5
# Best practice for Kafka producer to prevent data loss
acks=all
I reviewed the following documentation to try and find the right properties:
https://docs.confluent.io/platform/current/clients/librdkafka/html/md_CONFIGURATION.html#autotoc_md91
and have been unsuccessful
bootstrap.servers=my-cluster-kafka-listener1-bootstrap-climate.violet-cluster-new-2761a99850dd8c23002367ac6ce7f9ad-0000.au-syd.containers.appdomain.cloud:443
security.protocol=SSL
ssl.key.password=ebuSuzkDbfFK
ssl.certificate.location="ca.pem"
# Best practice for Kafka producer to prevent data loss
acks=all
I have also tried putting the pem file inline as a single quote-delimited line using the property ssl.certificate.pem. This produced the the most encouraging result with an error:
Failed to create producer: ssl.certificate.pem failed: not in PEM format?: error:0909006C:PEM routines:get_name:no start line: Expecting: CERTIF
But it is a PEM file format...
Here is the certificate (Don't worry, there is no security risk with me pasting this in here as the cert is now removed from the server and I changed the url and password above.)
-----BEGIN CERTIFICATE-----
MIIFLTCCAxWgAwIBAgIUBT4au51IElFmVL4RenvrRsFpwiwwDQYJKoZIhvcNAQEN
BQAwLTETMBEGA1UECgwKaW8uc3RyaW16aTEWMBQGA1UEAwwNY2x1c3Rlci1jYSB2
MDAeFw0yMjA3MTkwNTE4NDBaFw0yMzA3MTkwNTE4NDBaMC0xEzARBgNVBAoMCmlv
LnN0cmltemkxFjAUBgNVBAMMDWNsdXN0ZXItY2EgdjAwggIiMA0GCSqGSIb3DQEB
AQUAA4ICDwAwggIKAoICAQDdghbY97oYE5A1GcGccMMp01RW3DSsl3tZ3U/Q2YKY
IDkqwkITevXu0WjUHh7v/659xwryNMtUjlz8JF4MZQnZwq1xEX6ldA+/+JeG2pJE
eEnFXPvP9meDfi2N5bQC/At5N5ZAca4jfrKVognzgHMj1JMwXtTLu4Jw73Za+dRg
y30I51x33zPTYgq+5QKTssOvvAQp+OGsf2ts1s3P5weOLJ3tfGUrVdhoblMB+RUl
TF7KIuknFY0+sNRUJSeuw29qUdH9KFJ3bYBMEF2afSybS4DlFSrs7Od0ZsPWnONn
ZRV/SdjpvjP13k32XqzX8O1h0oOnHOPExE7OQgjRVcluJh3aJbSEAb9DnAUCRX88
/ZA2tlDWGxJIv94CruKDaF6vMaupUUXmQG0Irk8cfGKHgwjvG2HL2U/oaJpPEtdo
Zu2TgeHxF/k9YBfzKC6ZlZrwQLN1iL+mAL45ql1OYyGVWPS6NWUSpJA9FS7qJlfr
o7hiD/wg4xubtGntBCui+jdrRoDwcVQvk5+pZYNchK26oT4qjY57YhXLWByesg+c
MUSDTgtU//DHfAq6VyJqMbnP68RwW1MRMg1lbiMUTJ8wTsKgBm6fZ1E2+Jg/wJtq
FhLTBjiB6Fa2m6aZQdqaN/RMu9mUNjE45b4GVIFayouS1ejGoNNsC2rv0n4CQhNj
+wIDAQABo0UwQzAdBgNVHQ4EFgQU2YAwObuT5NpEivgwO+j+Z/qSn1gwEgYDVR0T
AQH/BAgwBgEB/wIBADAOBgNVHQ8BAf8EBAMCAQYwDQYJKoZIhvcNAQENBQADggIB
AB+18g/YjUYpLbBrQgzvHhNP0THKUzVQ5ze15JZfaQHdOf6XYhAMpnHm/mBrXM2B
5ZHwkQzCuHfZmSikeVnr/thloh1+2NHdf9s4XQtxZiouZxzNnbX3Hf/gviX/lvm2
p8twSqxsMnI00x7jPDGDmZBF5bX7Mtp3c7gD3K4goz8InHdn8j1jxhYg0fQdX8j3
ryoy+hWCkaW1PPYxGgrmdJg7kiffTBw3jx9+Md11EXb7+ryZeUEsI6MqGQSg6F94
U+nPWV/qBErEbe5iNISdOkUK8wcjk/IOVAps1CJs8BECcCaReGwVpC8twxx9c8BY
DEW76Y8J9syxgxUZeEywoqguxc80SSuTLXcNkAoifdReUeW/b08cJffP55nztfbE
Fhg4E5vYj41q2Z5iOI1sZsY22Z4VszW0Fl11DcloM4/088W6O3Lp3Jo0rMu/k14/
DNr5AM8Lrgno947S1OWZ87Q1IF8zlayM+c5XWRHO64jBHouTo1HvDodudaF+XYxv
F7xRVUehnnACQExy2OYeOkjtxmsinQDfZcvvj7b7NfCqytM3IjB1jk9GxeoFgKYj
/n9WFjHWtSnC+nsyZo2c37XeaHbBEtls3LHXb6+OmOtiTzw0C8TEQJ4AcqaPNk1k
knHg6PPWBenWskC9KH898c6vvhZ5/VHSWXJG6f8GxWya
-----END CERTIFICATE-----
I am attempting to run and test a Spring Boot application that I have packaged into a zip file and unpacked on a Linux VM. The zip contains everything the application needs (at least to my knowledge). When I attempt to execute the application, it starts but quickly fails because it cannot load a keystore needed for SSH/TLS secure communications.
I have the following in my application.yml:
server:
port: 8091
ssl:
enabled: true
protocol: TLS
trust-store-type: JKS
trust-store: classpath:keystore/server.keystore
trust-store-password: <hidden>
key-store-type: JKS
key-store: classpath:keystore/ra/server.keystore
key-store-password: <hidden>
The directory structure on the test system is as follows:
[centos#route-assessor route-assessor]$ ls -R
.:
config elastic-apm-agent-1.10.0.jar lib run-route-assessor.sh services-0.0.1-SNAPSHOT.jar
./config:
application.yml keystore log4j2.xml
./config/keystore:
mp ra rg server.keystore
./config/keystore/mp:
server.keystore
./config/keystore/ra:
server.keystore
./config/keystore/rg:
server.keystore
./lib
<dependency jars>
Here is the exception thrown:
[2019-10-23 13:21:31.419] main WARN : context.AnnotationConfigServletWebServerApplicationContext:557 - Exception encountered during context initialization - cancelling refresh attempt: org.springframework.context.ApplicationContextException: Unable to start web server; nested exception is org.springframework.boot.web.server.WebServerException: Could not load key store 'classpath:keystore/server.keystore'
The Spring Boot "runtime" obviously sees and accesses the config directory, but doesn't seem to see the keystore directory contained within. Do I need to specify the paths differently in application.yml or do I need to put the keystore files somewhere else?
Note: I can run this application with the application.yml configured as shown from eclipse without any problem. Granted, all resources are located in src/main/resources for that situation.
UPDATE:
As per #borban's suggestion, I modified the application.yml as follows:
key-store: file:config/keystore/ra/server.keystore
trust-store: file:config/keystore/server.keystore
That seems to have solved one problem, but I'm not out of the woods yet:
[2019-10-23 15:07:17.671] main ERROR: boot.SpringApplication:821 - Application run failed
org.springframework.boot.web.server.WebServerException: Unable to start embedded Jetty server
...
Caused by: java.lang.IllegalStateException: no valid keystore
...
As far as I know, my keystore files are valid and correct (I've been using them on my Windows development box for months). They are copied over as part of the zip distribution. Is there something maybe I'm missing?
I'm also a little concerned with a few other messages in the log. I'm not sure if they're related, but it seems that they could be:
[2019-10-23 15:07:10.153] main WARN : resource.Resource:126 - java.lang.IllegalArgumentException: URI is not hierarchical
[2019-10-23 15:07:10.155] main WARN : resource.Resource:126 - java.lang.IllegalArgumentException: URI is not hierarchical
I don't recall seeing them before.
Are you are trying to access this keystore outside of the classpath and from the filesystem itself? From the folder structure you are giving, that seems to be the case. If you remove the "classpath" prefix and then update your path appropriately, it should work.
From this post, it looks like you have to prefix with "file"
https://maven.apache.org/plugins/maven-resources-plugin/examples/resource-directory.html
You can use maven resource plugin to add the folders you need to the plugin:
https://maven.apache.org/plugins/maven-resources-plugin/examples/resource-directory.html
then use without classpath??
we are developing a Spring cloud application with microservice architecture and have a self signed certificate.We have written the code and completed the SSL settings in back end successfully.
Now we try to set up the certificate in front end in Angular 7.
we made the following changes
1.Generated the SSL .crt and .key files.placed in SSL folder
2.Modified Angular.json file and included
"ssl": true,
"sslKey": "ssl/server.key",
"sslCert": "ssl/server.crt"
but when I start i am getting the following error
error:0907B068:PEM routines:PEM_READ_BIO_PRIVATEKEY:bad password read
I have found 2 helpful links
NodeJS & SSL - "bad password read"
https://github.com/angular/angular-cli/issues/1576
Please note that I don't want these two solutions
1.Running the front end code in back end server by placing the Angular 7 code in static folder
2.Removing the passphrase from the key.
Link1 says that we need to add the code
var credentials = {
key: fs.readFileSync('XXX.key', 'utf8'),
cert: fs.readFileSync('XXX.crt', 'utf8'),
passphrase: 'XXXX'
}
but where in Angular 7 we need to add the these settings
Thanks
Mahidhar
I'm trying to implement JDBCRealm in tomcat (as described in http://tomcat.apache.org/tomcat-4.1-doc/realm-howto.html#Configuring%20a%20Realm) to check credential agains Oracle Database. The thing is that I want database to communicate over SSL. So I configured listener to use TCPS. Like that:
(DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=<hostname>)(PORT=1521)))<br>
(DESCRIPTION=(ADDRESS=(PROTOCOL=tcps)(HOST=<hostname>)(PORT=1512)))
Generated certificates, etc. I have no problem connecting to database using tcps from sqlplus or from WLS (I can use connection property oracle.net.ssl_cipher_suites=(SSL_DH_anon_WITH_3DES_EDE_CBC_SHA,SSL_DH_anon_WITH_RC4_128_MD5,SSL_DH_anon_WITH_DES_CBC_SHA) there without any problem).
However, I cant get JDBCRealm to work with the database over TCPS. If I configure realm like this:
<Realm className="org.apache.catalina.realm.JDBCRealm" debug="99" driverName="oracle.jdbc.driver.OracleDriver" connectionURL="jdbc:oracle:thin:#(DESCRIPTION = (ADDRESS = (PROTOCOL = TCPS)(HOST = <hostname>)(PORT = 1512)) (CONNECT_DATA = (SERVER = DEDICATED) (SERVICE_NAME = <service name>)))" connectionName="<login>" connectionPassword="<password>" userTable="users" userNameCol="user_name" userCredCol="user_pass" userRoleTable="user_roles" roleNameCol="role_name" />
I'm getting following error:
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
I imported certificates in JKS store which I configured in Tomcat like this:
With no success.
I'm not a professional in Tomcat (more in databases). I'll appreciate any help or pointing me in right direction. Thanks in advance!
Error seems to indicate that SSL certificate is not trusted.
I suggest to verify that you indeed have certificate in your trust store (there is a command line tool in JDK to list trust store content, you can Google it) and then add following parameter in Tomcat startup script:
javax.net.ssl.trustStore=<path to trust store>