Spring-cloud-starter-openfeign: SSL handshake exception with feign-httpclient

Question

When trying to use feign-httpclient with Spring-cloud-starter-openfeign, I am getting SSL Handshake exception while the same code works if I don't use feign-httpclient.

I need to use feign-httpclient as I want to use the connection factory.

build.gradle

//on commenting the below dependency the code works fine.
compile('io.github.openfeign:feign-httpclient:9.4.0')
compile('org.springframework.cloud:spring-cloud-starter-openfeign')

Feign Client

@FeignClient(name = "testClient", url = "https://test:9820")
public interface TestClient {
@RequestMapping(method = RequestMethod.POST, value = "/test", consumes = "application/json", produces = "application/json")
TesteDto get(TestRequestDto testRequestDto);
}

Invocation Code:

 testClient.get(new TestRequestDto("test"));

application.yml

feign:
   client:
     config:
       default:
         connectTimeout: 5000
         readTimeout: 5000
         loggerLevel: full
  httpclient:
     maxConnections: 200
     maxConnectionsPerRoute: 200
     enabled: true

Exception:

javax.net.ssl.SSLHandshakeException: 
sun.security.validator.ValidatorException: PKIX path building failed: 
sun.security.provider.certpath.SunCertPathBuilderException: unable to 
find valid certification path to requested target

Answer 1

I also encountered the same problem.

1. Solution 1: Refer to the blog https://blog.csdn.net/weixin_44519124/article/details/119909354 to generate the SSL certificate
2. Solution 2:

Step1: Add the following configuration to the nacos configuration or bootstrap. yml

feign:
  okhttp:
    enabled: true
  httpclient:
    disable-ssl-validation: true
    enabled: false

Step2: Add feign okhttp to pom.xml

<dependency>
  <groupId>io.github.openfeign</groupId>
  <artifactId>feign-okhttp</artifactId>
  <version>11.10</version>
</dependency>

The specific version number is same with the feign core

Answer 2

In my case, I need to add in my app properties feign.httpclient.disable-ssl-validation=true

Also, I need to add these dependencies in pom.xml

        <dependency>
            <groupId>io.github.openfeign</groupId>
            <artifactId>feign-okhttp</artifactId>
        </dependency>

        <dependency>
            <groupId>io.github.openfeign</groupId>
            <artifactId>feign-httpclient</artifactId>
        </dependency>

Finally please don't forget to restart your app because of adding new dependencies.

Answer 3

If you want Self Signed Cert then use the following code:

@FeignClient(name = "testClient", url = "https://test:9820", configuration = CustomFeignConfiguration.class)
public interface TestClient {
@RequestMapping(method = RequestMethod.POST, value = "/test", consumes = 
"application/json", produces = "application/json")
   TesteDto get(TestRequestDto testRequestDto);
}
public class CustomFeignConfiguration {
@Bean
public Client feignClient() {
  return new ApacheHttpClient(getHttpClient());
}

private CloseableHttpClient getHttpClient() {
int timeout = 10000;
try {
  SSLContext sslContext = SSLContextBuilder.create()
      .loadTrustMaterial(new TrustSelfSignedStrategy()).build();
  RequestConfig config = RequestConfig.custom()
      .setConnectTimeout(timeout)
      .setConnectionRequestTimeout(timeout)
      .setSocketTimeout(timeout)
      .build();
  return HttpClientBuilder
      .create()
      .useSystemProperties()
      .setDefaultRequestConfig(config)
      .setSSLContext(sslContext)
      .setSSLHostnameVerifier(new NoopHostnameVerifier())
      .build();
} catch (Exception e) {
  throw new RuntimeException();
   }
  }
}

Answer 4

What was required was the following configuration:

feign:
   httpclient:
      disableSslValidation: true