I am trying to use Zuul and Eureka discovery with a valid SSL certificate, but I get the following exception when I try to access an authenticated endpoint of one of my resource services.
Can anybody help me? Thanks.
```
Caused by: javax.net.ssl.SSLPeerUnverifiedException: Host name '172.19.0.4' does not match the certificate subject provided by the peer (CN=my-moby.com, OU=PositiveSSL, OU=Domain Control Validated)
at org.apache.http.conn.ssl.SSLConnectionSocketFactory.verifyHostname(SSLConnectionSocketFactory.java:465) ~[httpclient-4.5.2.jar!/:4.5.2]
at org.apache.http.conn.ssl.SSLConnectionSocketFactory.createLayeredSocket(SSLConnectionSocketFactory.java:395) ~[httpclient-4.5.2.jar!/:4.5.2]
at org.apache.http.conn.ssl.SSLConnectionSocketFactory.connectSocket(SSLConnectionSocketFactory.java:353) ~[httpclient-4.5.2.jar!/:4.5.2]
at org.apache.http.impl.conn.DefaultHttpClientConnectionOperator.connect(DefaultHttpClientConnectionOperator.java:141) ~[httpclient-4.5.2.jar!/:4.5.2]
at org.apache.http.impl.conn.PoolingHttpClientConnectionManager.connect(PoolingHttpClientConnectionManager.java:353) ~[httpclient-4.5.2.jar!/:4.5.2]
at org.apache.http.impl.execchain.MainClientExec.establishRoute(MainClientExec.java:380) ~[httpclient-4.5.2.jar!/:4.5.2]
at org.apache.http.impl.execchain.MainClientExec.execute(MainClientExec.java:236) ~[httpclient-4.5.2.jar!/:4.5.2]
at org.apache.http.impl.execchain.ProtocolExec.execute(ProtocolExec.java:184) ~[httpclient-4.5.2.jar!/:4.5.2]
at org.apache.http.impl.execchain.RetryExec.execute(RetryExec.java:88) ~[httpclient-4.5.2.jar!/:4.5.2]
at org.apache.http.impl.execchain.RedirectExec.execute(RedirectExec.java:110) ~[httpclient-4.5.2.jar!/:4.5.2]
at org.apache.http.impl.client.InternalHttpClient.doExecute(InternalHttpClient.java:184) ~[httpclient-4.5.2.jar!/:4.5.2]
at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:82) ~[httpclient-4.5.2.jar!/:4.5.2]
at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:107) ~[httpclient-4.5.2.jar!/:4.5.2]
at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:55) ~[httpclient-4.5.2.jar!/:4.5.2]
at org.springframework.cloud.netflix.ribbon.apache.RibbonLoadBalancingHttpClient.execute(RibbonLoadBalancingHttpClient.java:94) ~[spring-cloud-netflix-core-1.3.5.RELEASE.jar!/:1.3.5.RELEASE]
at org.springframework.cloud.netflix.ribbon.apache.RibbonLoadBalancingHttpClient.execute(RibbonLoadBalancingHttpClient.java:43) ~[spring-cloud-netflix-core-1.3.5.RELEASE.jar!/:1.3.5.RELEASE]
at com.netflix.client.AbstractLoadBalancerAwareClient$1.call(AbstractLoadBalancerAwareClient.java:109) ~[ribbon-loadbalancer-2.2.2.jar!/:2.2.2]
at com.netflix.loadbalancer.reactive.LoadBalancerCommand$3$1.call(LoadBalancerCommand.java:303) ~[ribbon-loadbalancer-2.2.2.jar!/:2.2.2]
at com.netflix.loadbalancer.reactive.LoadBalancerCommand$3$1.call(LoadBalancerCommand.java:287) ~[ribbon-loadbalancer-2.2.2.jar!/:2.2.2]
at rx.internal.util.ScalarSynchronousObservable$3.call(ScalarSynchronousObservable.java:231) ~[rxjava-1.1.10.jar!/:1.1.10]
at rx.internal.util.ScalarSynchronousObservable$3.call(ScalarSynchronousObservable.java:228) ~[rxjava-1.1.10.jar!/:1.1.10]
at rx.Observable.unsafeSubscribe(Observable.java:10211) ~[rxjava-1.1.10.jar!/:1.1.10]
at rx.internal.operators.OnSubscribeConcatMap$ConcatMapSubscriber.drain(OnSubscribeConcatMap.java:286) ~[rxjava-1.1.10.jar!/:1.1.10]
at rx.internal.operators.OnSubscribeConcatMap$ConcatMapSubscriber.onNext(OnSubscribeConcatMap.java:144) ~[rxjava-1.1.10.jar!/:1.1.10]
at com.netflix.loadbalancer.reactive.LoadBalancerCommand$1.call(LoadBalancerCommand.java:185) ~[ribbon-loadbalancer-2.2.2.jar!/:2.2.2]
at com.netflix.loadbalancer.reactive.LoadBalancerCommand$1.call(LoadBalancerCommand.java:180) ~[ribbon-loadbalancer-2.2.2.jar!/:2.2.2]
at rx.Observable.unsafeSubscribe(Observable.java:10211) ~[rxjava-1.1.10.jar!/:1.1.10]
at rx.internal.operators.OnSubscribeConcatMap.call(OnSubscribeConcatMap.java:94) ~[rxjava-1.1.10.jar!/:1.1.10]
at rx.internal.operators.OnSubscribeConcatMap.call(OnSubscribeConcatMap.java:42) ~[rxjava-1.1.10.jar!/:1.1.10]
at rx.Observable.unsafeSubscribe(Observable.java:10211) ~[rxjava-1.1.10.jar!/:1.1.10]
at rx.internal.operators.OperatorRetryWithPredicate$SourceSubscriber$1.call(OperatorRetryWithPredicate.java:127) ~[rxjava-1.1.10.jar!/:1.1.10]
at rx.internal.schedulers.TrampolineScheduler$InnerCurrentThreadScheduler.enqueue(TrampolineScheduler.java:73) ~[rxjava-1.1.10.jar!/:1.1.10]
at rx.internal.schedulers.TrampolineScheduler$InnerCurrentThreadScheduler.schedule(TrampolineScheduler.java:52) ~[rxjava-1.1.10.jar!/:1.1.10]
at rx.internal.operators.OperatorRetryWithPredicate$SourceSubscriber.onNext(OperatorRetryWithPredicate.java:79) ~[rxjava-1.1.10.jar!/:1.1.10]
at rx.internal.operators.OperatorRetryWithPredicate$SourceSubscriber.onNext(OperatorRetryWithPredicate.java:45) ~[rxjava-1.1.10.jar!/:1.1.10]
at rx.internal.util.ScalarSynchronousObservable$WeakSingleProducer.request(ScalarSynchronousObservable.java:276) ~[rxjava-1.1.10.jar!/:1.1.10]
at rx.Subscriber.setProducer(Subscriber.java:209) ~[rxjava-1.1.10.jar!/:1.1.10]
at rx.internal.util.ScalarSynchronousObservable$JustOnSubscribe.call(ScalarSynchronousObservable.java:138) ~[rxjava-1.1.10.jar!/:1.1.10]
at rx.internal.util.ScalarSynchronousObservable$JustOnSubscribe.call(ScalarSynchronousObservable.java:129) ~[rxjava-1.1.10.jar!/:1.1.10]
at rx.internal.operators.OnSubscribeLift.call(OnSubscribeLift.java:48) ~[rxjava-1.1.10.jar!/:1.1.10]
at rx.internal.operators.OnSubscribeLift.call(OnSubscribeLift.java:30) ~[rxjava-1.1.10.jar!/:1.1.10]
at rx.internal.operators.OnSubscribeLift.call(OnSubscribeLift.java:48) ~[rxjava-1.1.10.jar!/:1.1.10]
at rx.internal.operators.OnSubscribeLift.call(OnSubscribeLift.java:30) ~[rxjava-1.1.10.jar!/:1.1.10]
at rx.internal.operators.OnSubscribeLift.call(OnSubscribeLift.java:48) ~[rxjava-1.1.10.jar!/:1.1.10]
at rx.internal.operators.OnSubscribeLift.call(OnSubscribeLift.java:30) ~[rxjava-1.1.10.jar!/:1.1.10]
at rx.Observable.subscribe(Observable.java:10307) ~[rxjava-1.1.10.jar!/:1.1.10]
at rx.Observable.subscribe(Observable.java:10274) ~[rxjava-1.1.10.jar!/:1.1.10]
at rx.observables.BlockingObservable.blockForSingle(BlockingObservable.java:445) ~[rxjava-1.1.10.jar!/:1.1.10]
... 169 common frames omitted
```
This is my configuration:

Zuul proxy + oauth2 service

```yaml
server:
  hostname: https://www.my-moby.com/
  port: 8443
  ssl:
    enabled: true
    key-alias: *******
    key-store: ******.jks
    key-store-password: *******
    key-password: ********
zuul:
  sslHostnameValidationEnabled: false
  okhttp:
    enabled: true
  host:
    socket-timeout-millis: 30000
    connect-timeout-millis: 30000
    max-total-connections: 5000
    max-per-route-connections: 5
  ignored-headers: Access-Control-Allow-Credentials, Access-Control-Allow-Origin
  ignored-services: "*"
  routes:
    limesurvey:
      url: https://limesurvey/surveys
      path: /surveys/**
      sensitiveHeaders:
    polygon-service:
      path: /polygon/**
      sensitiveHeaders:
      sslHostnameValidationEnabled: false
    mobilita-service:
      path: /mobilita/**
      url: https://mobilita-service:8443/
      sensitiveHeaders:
      sslHostnameValidationEnabled: false
ribbon:
  ReadTimeout: 20000
  ConnectTimeout: 20000
  MaxAutoRetries: 0
  MaxAutoRetriesNextServer: 1
  MaxTotalHttpConnections: 2000
  MaxConnectionsPerHost: 1000
polygon-service:
  ribbon:
    IsSecure: true
    CustomSSLSocketFactoryClassName: com.netflix.http4.ssl.AcceptAllSocketFactory
    IsHostnameValidationRequired: false
hystrix:
  command:
    default:
      execution:
        isolation:
          thread:
            timeoutInMilliseconds: 30000
          strategy: THREAD
eureka:
  client:
    serviceUrl:
      defaultZone: http://discovery-service:8761/eureka/
    fetchRegistry: true
    registerWithEureka: true
  instance:
    secureVirtualHostName: ${spring.application.name}
    securePort: ${server.port}
    nonSecurePortEnabled: false
    securePortEnabled: true
    leaseRenewalIntervalInSeconds: 7
    leaseExpirationDurationInSeconds: 9
    preferIpAddress: true
```
polygon-service (resource service)

```yaml
server:
  port: 8085
  ssl:
    enabled: true
    key-alias: *****
    key-store: ******.jks
    key-store-password: *******
    key-password: *******
security:
  oauth2:
    client:
      accessTokenUri: http://mymoby:8080/oauth/token
    resource:
      userInfoUri: http://mymoby:8080/auth/user
mymoby:
  ribbon:
    listOfServers: mymoby:8080
eureka:
  client:
    fetchRegistry: true
    registerWithEureka: true
    serviceUrl:
      defaultZone: http://discovery-service:8761/eureka/
  instance:
    preferIpAddress: true
    secureVirtualHostName: ${spring.application.name}
    securePort: ${server.port}
    securePortEnabled: true
    leaseRenewalIntervalInSeconds: 7
    leaseExpirationDurationInSeconds: 9
```
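As an added illustration (not code from this issue or from Spring Cloud), the Python below models the hostname-matching rule HttpClient applies at the `verifyHostname` frame in the trace: when a certificate carries SANs, an IP literal such as 172.19.0.4 is checked only against iPAddress SANs, so a certificate issued for my-moby.com can never satisfy a client that dialed the IP Eureka advertised under `preferIpAddress: true`. The certificate fields and SAN lists are constructed inline, and `PeerCert` and `uncovered_identities` are hypothetical names.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class PeerCert:
    """Constructed stand-in for the identity fields a verifier reads from an X.509 cert."""
    common_name: str                               # subject CN
    dns_sans: list = field(default_factory=list)   # subjectAltName dNSName entries
    ip_sans: list = field(default_factory=list)    # subjectAltName iPAddress entries


def _dns_matches(pattern: str, host: str) -> bool:
    """Case-insensitive label match; a leading '*.' covers exactly one label."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern.startswith("*."):
        base = pattern[2:]
        prefix = host[: -len(base) - 1]
        return host.endswith("." + base) and bool(prefix) and "." not in prefix
    return pattern == host


def host_matches_cert(host: str, cert: PeerCert) -> bool:
    """True if the dialed `host` (DNS name or IP literal) is an identity of `cert`.
    Simplified model of HttpClient's DefaultHostnameVerifier (RFC 2818/6125): with any
    SAN present, an IP literal is compared only with iPAddress SANs and a DNS name only
    with dNSName SANs; the subject CN is a fallback used only when there are no SANs."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    if cert.dns_sans or cert.ip_sans:
        if ip is not None:
            return any(ip == ipaddress.ip_address(s) for s in cert.ip_sans)
        return any(_dns_matches(p, host) for p in cert.dns_sans)
    # No SANs: legacy CN fallback (exact compare for an IP literal).
    return host == cert.common_name if ip is not None else _dns_matches(cert.common_name, host)


def uncovered_identities(connect_hosts, cert: PeerCert):
    """Which of the addresses a client may dial (service hostname, or the IP that
    Eureka advertises with preferIpAddress: true) are NOT covered by `cert`."""
    return [h for h in connect_hosts if not host_matches_cert(h, cert)]


if __name__ == "__main__":
    # Values from the issue: the peer presented CN=my-moby.com while Ribbon dialed 172.19.0.4.
    public_cert = PeerCert("my-moby.com", dns_sans=["my-moby.com", "www.my-moby.com"])
    print(uncovered_identities(["www.my-moby.com", "172.19.0.4"], public_cert))  # ['172.19.0.4']
```

Checking the identities a client will actually dial against the certificate's SANs (or registering by hostname instead of `preferIpAddress`) removes the mismatch without resorting to `IsHostnameValidationRequired: false`, which discards the check entirely.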
Comment From: ryanjbaxter
Your certificate is not correct.

> Caused by: javax.net.ssl.SSLPeerUnverifiedException: Host name '172.19.0.4' does not match the certificate subject provided by the peer (CN=my-moby.com, OU=PositiveSSL, OU=Domain Control Validated)
Comment From: freddyaott
Let me explain better: my micro-service architecture consists of a service that hosts the proxy and oauth2, one resource service and one Eureka server, deployed with docker compose. The certificate is in the proxy+oauth service and in the resource service.
If I try to contact an endpoint of the resource service through the proxy, I get that exception (it is only the last part of the exception; it begins with a ZuulException: Forwarding Error).
If I remove the certificate from the resource service, I get another exception (ZuulException: Forwarding Error followed by SSLException: Unrecognized SSL message, plaintext connection?).
If I try in my staging environment without https and a certificate, all works fine. What is the way to contact a resource service (through the proxy) when the call is over https?
Comment From: freddyaott
Resolved.
Comment From: eliucinho
> Resolved.

How?
Comment From: waqasdilawar
> Resolved.

How? Can you please share the solution? I'm kinda facing the same issue on Azure.
Comment From: ffroliva
I am also facing this problem, but in my case I have Consul as the service discovery server.
My stack is Consul + Feign client + SSL, everything running in Docker containers.