Reputation: 1598
Spring Vault SSLPeerUnverifiedException
I have an application running in Spring Boot, using Spring Vault to retrieve passwords. It is using KubernetesAuthentication to log in. This worked well until I upgraded to Spring Boot 2.2.5. I then started to get SSLPeerUnverifiedException.
org.springframework.web.client.ResourceAccessException:
I/O error on POST request for "https://vault.vault.svc.cluster.local:8200/v1/auth/kubernetes/login"
javax.net.ssl.SSLPeerUnverifiedException:
Certificate for <vault.vault.svc.cluster.local> doesn't match any of the subject alternative names: [vault.vault, vault.vault-lite, vault.vault-ha, vault.vault-dev, vault.vault.svc.cluster.local, 127.0.0.1]
With the dependencies below, everything works:
spring-vault-core: 2.2.2.RELEASE
org.springframework.web: 5.2.3.RELEASE
httpcomponents.httplient: 4.5.10
Updating to below, it starts failing:
spring-vault-core: 2.2.2.RELEASE
org.springframework.web: 5.2.4.RELEASE
httpcomponents.httplient: 4.5.11
I can make it work by providing a custom ClientHttpRequestFactory instead of using the default.
Creating the Vault RestTemplate like this causes the SSLPeerUnverifiedException:
VaultClients.createRestTemplate(vaultEndpointProvider(vaultEndpoint),
new HttpComponentsClientHttpRequestFactory());
Creating RestTemplate like this works:
VaultClients.createRestTemplate(vaultEndpointProvider(vaultEndpoint),
new CustomRequestFactory()) //extends SimpleClientHttpRequestFactory
The question is why does the update in Spring/HttpClient cause the certificate validation to fail. The certificate seems valid since the host I am connecting to is in the SAN of the certificate.
Update
The problem seems to be with httpcomponents.httplient 4.5.11. I can get it working by using the latest version of Spring-Vault, Spring, Spring-Boot and using httpcomponents.httplient 4.5.10 or 4.5.12
Upvotes: 1
Views: 1106
Answers (1)
Reputation: 1598
This was caused by a bug introduced in HttpClient version 4.5.11. Fixed in 4.5.12
https://issues.apache.org/jira/browse/HTTPCLIENT-2047
Upvotes: 1
Related Questions
- Spring Cloud Vault: Token (spring.cloud.vault.token) must not be empty
- Vault Error, Server gave HTTP response to HTTPS client
- This springboot ssl never works
- Spring Vault returns null
- Spring Cloud Vault error: nested exception is javax.net.ssl.SSLHandshakeException: extension (5) should not be presented in certificate_request
- Hashicorp Vault Error: Error checking seal status
- Vault. Spring. Unrecognized SSL message, plaintext connection/
- Spring Boot HttpSecurity always 403 forbidden
- Configure Spring Vault with TLS
- Spring Boot 1.4.1 SSL trustAnchors exception