Sepehr GH

Reputation: 1397

Adding other certificates to existing jks or not using javax.net.ssl.trustStore for a request

I'm running a Spring application under Tomcat in Linux. I'm using mongodb as my database service.

After searching a lot to find how to use SSL/TLS to connect to mongodb, I found that I have to add certificates to a java keystore and use them in my spring application like this.

// These are JVM-wide properties: they change the trust store and key store
// used by every TLS connection in the process, not only the mongodb one.
System.setProperty("javax.net.ssl.trustStore","/path/truststore.jks");
System.setProperty("javax.net.ssl.trustStorePassword", "apass");
System.setProperty("javax.net.ssl.keyStore", "/path/keystore.jks");
System.setProperty("javax.net.ssl.keyStorePassword", "apass");
System.setProperty("javax.security.auth.useSubjectCredsOnly","false");

and everything worked fine and I could connect to mongodb. But the problem is I send other HTTP requests from my application using Spring RestTemplate. After I configured my mongodb with SSL, I can't connect to any other external host.

PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target; nested exception is javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

I generated my SSL certs using this SO answer. And I used keytool as described here.

I am not an expert in using keytool or Key manager and I haven't had such experience with SSL before.

UPDATE Even after removing or clearing the properties, or even shutting down the system, I still get the same exception. It's like the connection is still trying to use the wrong SSL cert.

Upvotes: 1

Views: 2246

Answers (1)

Andy Brown

Reputation: 13009

What you've done is create a custom truststore that replaces that provided by the JVM and yours does not contain all the well-known CA certificates used by public internet services. Hence you are getting trust-path errors when your end tries to validate a certificate off the internet.

The quickest workaround would be for you to not set the javax.net.ssl.trustStore and javax.net.ssl.trustStorePassword properties. Instead, import your mongodb CA certificate into the JVM default truststore (usually the cacerts file). You will need to remember to repeat this if you replace/upgrade the JVM.

If you don't have the necessary permissions to modify cacerts, or you're on a shared server where it's forbidden then you could still use your custom truststore but augment it with all the well-known certificates in the cacerts file. You'll be responsible for maintaining it as and when new CA certs appear.

Upvotes: 1
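A third option, which avoids both the global javax.net.ssl.trustStore property and editing cacerts, is to build an SSLContext that consults the JVM default trust store first and the custom truststore second, and hand that context only to the connections that need it. The following is an added example, not code from the question or the answer; it assumes the truststore path and password from the question, and https://example.com/ is a placeholder host. The CompositeTrustManager and its helpers are hypothetical names chosen for this example; they accept a server chain if either trust store validates it.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.net.URL;
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.List;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

public final class CombinedTrust {

    /** Accepts a certificate chain if any delegate trust manager accepts it. */
    static final class CompositeTrustManager implements X509TrustManager {
        private final List<X509TrustManager> delegates;

        CompositeTrustManager(List<X509TrustManager> delegates) {
            this.delegates = delegates;
        }

        private void check(X509Certificate[] chain, String authType, boolean server)
                throws CertificateException {
            CertificateException last = null;
            for (X509TrustManager tm : delegates) {
                try {
                    if (server) tm.checkServerTrusted(chain, authType);
                    else tm.checkClientTrusted(chain, authType);
                    return; // one of the trust stores validated the chain
                } catch (CertificateException e) {
                    last = e; // keep the last failure for the caller
                }
            }
            throw last != null ? last : new CertificateException("no trust managers configured");
        }

        @Override
        public void checkServerTrusted(X509Certificate[] chain, String authType)
                throws CertificateException {
            check(chain, authType, true);
        }

        @Override
        public void checkClientTrusted(X509Certificate[] chain, String authType)
                throws CertificateException {
            check(chain, authType, false);
        }

        @Override
        public X509Certificate[] getAcceptedIssuers() {
            List<X509Certificate> all = new ArrayList<>();
            for (X509TrustManager tm : delegates) {
                for (X509Certificate c : tm.getAcceptedIssuers()) all.add(c);
            }
            return all.toArray(new X509Certificate[0]);
        }
    }

    static X509TrustManager firstX509(TrustManagerFactory tmf) {
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) return (X509TrustManager) tm;
        }
        throw new IllegalStateException("no X509TrustManager available");
    }

    /** Trust manager backed by the JVM default trust store (cacerts). */
    static X509TrustManager defaultTrustManager() throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null); // null KeyStore selects the JVM default trust store
        return firstX509(tmf);
    }

    /** Trust manager backed by a custom JKS truststore (e.g. the mongodb CA). */
    static X509TrustManager trustManagerFromJks(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        return firstX509(tmf);
    }

    /** SSLContext trusting cacerts plus the custom truststore, without touching System properties. */
    public static SSLContext combinedContext(String customTrustStore, char[] password) throws Exception {
        List<X509TrustManager> delegates = new ArrayList<>();
        delegates.add(defaultTrustManager());
        delegates.add(trustManagerFromJks(customTrustStore, password));
        SSLContext ctx = SSLContext.getInstance("TLS");
        // First argument (KeyManager[]) is where a client key store would go if needed.
        ctx.init(null, new TrustManager[] { new CompositeTrustManager(delegates) }, null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        SSLContext ctx = combinedContext("/path/truststore.jks", "apass".toCharArray());
        HttpsURLConnection conn = (HttpsURLConnection) new URL("https://example.com/").openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory()); // applies to this connection only
        System.out.println("HTTP " + conn.getResponseCode());
    }
}
```

Because the context is passed per connection rather than set through System.setProperty, the public-CA trust used by RestTemplate's default connections is left untouched, and the same SSLContext can be supplied to the database client that needs the private CA. Hostname verification is still performed by HttpsURLConnection; the composite manager only widens which issuers are trusted.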
