how to get java application to work with SSL and charles proxy on M1 Mac

Question

Charles 4.6.2, macos 12.1

Following this page, https://www.charlesproxy.com/documentation/using-charles/ssl-certificates/

I tried the following steps:

1. help->ssl proxying->save charles root cert
2. find where java lives: /usr/libexec/java_home
3. cd /Library/Java/JavaVirtualMachines/zulu-11.jdk/Contents/Home/lib/security
4. sudo keytool -import -alias charles -file  ~/Documents/charles-ssl-proxying-certificate.pem. THis prompts for 3 passwords, which I created new/radom passwords for (dont know what they are)
5. start java thusly: java -jar aem-publish-p4503.jar -Dhttp.proxyHost=127.0.0.1 -Dhttp.proxyPort=8888
6. in charles proxy->ssl proxy settings Check Enable proxy settings.
7. Add URLs in "include" which the java server will call with port 443.

Now when my java app tries to hit api end points I added to the SSL proxying location, I get the following in the charles proxy sequence output:

URL https://npxx.net
Status  Failed
Failure SSL handshake with client failed: An unknown issue occurred processing the certificate (certificate_unknown)
Notes   You may need to configure your browser or application to trust the Charles Root Certificate. See SSL Proxying in the Help menu.
Response Code   200 Connection established
Protocol    HTTP/1.1

In java logs, I see this:

PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target"

NOTE: the external end point the local java process is hitting has a wild card Multi SAN cert from comodo

=== UPDATE 1 ====

I found an undocumented way to add certificates, in charles proxy, there are some cert install options under help:

Help->SSL proxying->Install Charles Root Cert.

This does nothing. Presume it doesnt work on mac

Help->SSL proxying->Install cert on Java VMs

This does work, and prompts for password, then says complete, but doesnt help.

Answer 1

I found a partial solution. The Charles documentation page: https://www.charlesproxy.com/documentation/using-charles/ssl-certificates/ is missing some key information for windows.

First you have to find where java is. The only way I found to do this was to install gitBash, then use "which java". The result was:

/c/Program Files/Zulu/zulu-8/bin/java

You need to download the pem file from the help->SSL Proxying->Save Root cert.

I copied this to /c/Program Files/Zulu/zulu-8/jre/lib/security/

Then running git bash as admin, did the following from the security directory:

$ keytool -import -alias charles -file charles.pem -keystore "/c/Program Files/Zulu/zulu-8/jre/lib/security/cacerts" -storepass changeit

This appears to have worked, but when I restart my java service, charles still says

"You may need to configure your browser or application to trust the Charles Root Certificate. See SSL Proxying in the Help menu."

And I still don't see SSLed data when running my spring boot app from intellij.

java spits out this error when it attempts to connect: java.security.cert.CertificateException: No subject alternative DNS name matching xxx.yyy.com found.

Presumably, java is detecting that the Charles root cert is fake.

This solution, however, may work for you.

Answer 2

Locate the cacerts file again (/Library/Java/JavaVirtualMachines/zulu-11.jdk/Contents/Home/lib/security/cacerts). The keytool command you used was correct, but ensure you're using the right password. The default password for cacerts in many Java installations is "changeit" unless you've explicitly changed it. Try:

sudo keytool -import -alias charles -file ~/Documents/charles-ssl-proxying-certificate.pem -keystore /Library/Java/JavaVirtualMachines/zulu-11.jdk/Contents/Home/lib/security/cacerts -storepass changeit