Guys,
I'm building a cloud-based microservice architecture using Spring Cloud which consists of the following services:
1) Eureka Server
2) Zuul Service
3) Security Service
4) Functional microservices (Eureka clients)
Everything worked fine when it was HTTP, but it started failing when it came to HTTPS with SSL enabled.
I've done the following things to make it SSL-enabled:
1) Using keytool I've generated a self-signed certificate.
2) Made changes to the Eureka server application.properties.
3) Made changes to the Eureka client bootstrap.properties.
Here is my Eureka Server and Eureka Client configuration.
Eureka Server configuration in application.properties:
eureka.instance.hostname=localhost
eureka.client.registerWithEureka=false
eureka.client.fetchRegistry=false
server.port=8761
server.ssl.enabled=true
server.ssl.key-store=classpath:ssl.keystore
server.ssl.key-store-password=changeit
Eureka Client configuration in bootstrap.properties:
server.port=8181
spring.application.name=my-client
eureka.instance.hostname=localhost
eureka.instance.securePort=8181
eureka.instance.securePortEnabled=true
eureka.instance.nonSecurePortEnabled=false
eureka.instance.metadataMap.hostname=${eureka.instance.hostname}
eureka.instance.metadataMap.securePort=${server.port}
eureka.instance.homePageUrl=https://${eureka.instance.hostname}:${server.port}/
eureka.instance.statusPageUrl=https://${eureka.instance.hostname}:${server.port}/admin/info
eureka.client.serviceUrl.defaultZone=https://localhost:8761/eureka/
server.ssl.enabled=true
server.ssl.key-store=classpath:ssl.keystore
server.ssl.key-store-password=changeit
With this configuration I start getting the issue below:
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.validator.PKIXValidator.doBuild(Unknown Source) ~[na:1.8.0_91]
    at sun.security.validator.PKIXValidator.engineValidate(Unknown Source) ~[na:1.8.0_91]
    at sun.security.validator.Validator.validate(Unknown Source) ~[na:1.8.0_91]
    at sun.security.ssl.X509TrustManagerImpl.validate(Unknown Source) ~[na:1.8.0_91]
    at sun.security.ssl.X509TrustManagerImpl.checkTrusted(Unknown Source) ~[na:1.8.0_91]
    at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(Unknown Source) ~[na:1.8.0_91]
    ... 50 common frames omitted
I did quite a lot of trial and error to make it work, but to be honest none of it works. I had also explored others' suggestions and incorporated them, but that doesn't work either. I'm not sure what's wrong in my configuration. Has anybody encountered a similar problem, and how did it get solved?
I would really appreciate it if someone could help with this.
Comment From: spencergibb
server.ssl.* is for the embedded container only. The Jersey client (which Eureka uses) needs to trust the certificate. You can add it to the JVM keystore or set up Eureka's Jersey client to ignore certs (can't remember how off the top of my head). Maybe @scottfrederick remembers.
Comment From: aashish-tripathi
@spencergibb We are using the embedded container only, which is Tomcat in this case. Moreover, we've also added the cert to the JVM keystore.
To make it simpler I've created only two Spring Boot apps:
1) Spring Boot Eureka Server
2) Spring Boot Eureka Client
Both have the same configuration as mentioned above. When I start the Eureka server on HTTPS it starts successfully without any issue; after that I start the Eureka client, which goes well until it requests registration with the Eureka server and starts failing afterwards as mentioned above.
Interestingly, when I keep the Eureka server on the non-secure port, i.e. on HTTP, then all my Eureka clients which are SSL-enabled are able to connect without any issue, but I don't really need that in my architecture as I'm also using Zuul as the single entry point for all my microservices.
So here I'm seeking guidance from experts to move forward.
Comment From: spencergibb
Please don't cross post http://stackoverflow.com/questions/44039920/pkix-path-building-failed-while-eureka-client-connecting-with-ssl-enabled-eureka
Comment From: aashish-tripathi
@spencergibb I've deleted the cross post from Stack Overflow; it could take effect tomorrow.
Comment From: aashish-tripathi
Any sample example which can help?
Comment From: stiyyagura
@aashish-tripathi I doubt that it is picking up the keystore file properly with server.ssl.key-store=classpath:ssl.keystore. I did the same thing in the past and it worked for me. I just copied the keystore directly into the Spring Boot project folder and mentioned only server.ssl.key-store=mykey.jks
server.ssl.enabled=true
server.ssl.key-store=${SSL_KEYSTORE}
server.ssl.key-store-password=${SSL_KEYSTORE_PASSWORD}
Comment From: ExtremeYu
You need to import your .cer/.keystore into your security lib.
Comment From: aashish-tripathi
Guys, finally I'm able to make my services SSL-enabled and it's working fine with the Eureka/configuration/functional services and the Zuul/routing service.
@stiyyagura it was picking up my keystore file properly, since I had put it in the spring/resources folder.
Now I've got one issue in the Zuul/routing service, where I have to explicitly specify my zuul.routes.
e.g.
zuul:
routes:
Earlier, when it was HTTP, I didn't need to specify even zuul: routes:; it got picked up directly from the Eureka server through Zuul, as Zuul was also registered through Eureka, so horizontal scaling was possible to increase the number of instances of my services. But now I have to run only one instance of each functional service and configure them in the Zuul YAML configuration. Every new service addition actually requires shutting down my routing service and restarting it after adding the entry to its configuration.
In fact I had tried to provide a serviceId, but it doesn't work with the config given below.
zuul:
routes:
So I had to specify all my service URLs in the Zuul config to make it work.
Does Spring Cloud provide serviceId configuration in the Zuul configuration when it's SSL-enabled? If it does, I can make my life easier and achieve horizontal scaling of my services.
So basically this works
zuul:
routes:
This doesn't
zuul:
routes:
Any suggestion?
Comment From: cirix
So how did you make the Eureka client work with the HTTPS Tomcat server? You simply used the javax.net.ssl parts? I am a bit stuck. I start the Eureka server and it can't advertise itself to register as a component.
Comment From: alexis-globant
@aashish-tripathi could you please share the configuration that you use to enable a client to connect to Eureka through HTTPS?
Comment From: shraddhaKabra
@aashish-tripathi can you please share the Eureka server and Eureka client configuration? Facing the same issue while registering a client with the Eureka server. Thanks in advance.
Comment From: spring-projects-issues
Closing due to age of the question. If you would like us to look at this issue, please comment and we will look at re-opening the issue.
Comment From: umeshrama
Eureka Server:
server:
  port: ${PORT:8761}
  ssl:
    enabled: true
    key-store: classpath:ssl.p12
    key-store-password: changeit
eureka:
  instance:
    hostname: domain.com
    non-secure-port-enabled: false
    secure-port-enabled: true
    secure-port: ${server.port}
    health-check-url: https://${eureka.instance.hostname}:${eureka.instance.secure-port}/health
    status-page-url: https://${eureka.instance.hostname}:${eureka.instance.secure-port}/info
    home-page-url: https://${eureka.instance.hostname}:${eureka.instance.secure-port}/
  client:
    registerWithEureka: false
    fetchRegistry: false
    serviceUrl:
      defaultZone: https://${eureka.instance.hostname}:${eureka.instance.secure-port}/eureka/

Gateway:
server:
  port: 9090
  ssl:
    enabled: true
    key-store: classpath:ssl.p12
    key-store-password: changeit
spring:
  application:
    name: gateway-service
zuul:
  prefix: /api
  routes:
    customer-service:
      path: /customer/**
      url: https://domain.com:8099
eureka:
  instance:
    non-secure-port-enabled: false
    secure-port-enabled: true
  client:
    service-url:
      defaultZone: https://domain.com:8761/eureka/
    register-with-eureka: true

Customer Service:
server:
  port: ${PORT:8099}
  ssl:
    key-store: classpath:ssl.p12
    key-store-password: changeit
    enabled: true
spring:
  application:
    name: customer-service
eureka:
  instance:
    leaseRenewalIntervalInSeconds: 1
    leaseExpirationDurationInSeconds: 3
    hostname: domain.com
    secure-port: ${server.port}
    secure-port-enabled: true
    non-secure-port-enabled: false
  client:
    serviceUrl:
      defaultZone: https://domain.com:8761/eureka/
    register-with-eureka: true
    fetch-registry: true
The Eureka server is started and accessible over HTTPS. When I try to start the gateway and customer-service Eureka clients, they throw an exception: com.sun.jersey.api.client.ClientHandlerException: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
All the services are hosted on the same machine. Please share your experience to solve this issue.
Comment From: ryanjbaxter
@umeshrama generally SSL issues have to do with the jvm not containing the certificate of the server. Please look into this first. If you believe there is a bug please open a separate issue with a sample that reproduces the problem.
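The point spencergibb and ryanjbaxter make above is that server.ssl.* only decides what certificate the embedded container presents; whether the Eureka client accepts it is decided by the client's own trust store, which is a separate thing. The program below is an added example, not code from this thread or from Spring Cloud, that models that split in one process: a TLS server with a self-signed certificate, then three client trust configurations run against it. The hostnames and the outcome labels ("untrusted-issuer", "hostname-mismatch") are assumptions for illustration. On the JVM, the "cert-imported" scenario corresponds to exporting the self-signed certificate, importing it with keytool -importcert into a truststore (or the JDK's cacerts), and starting the client with -Djavax.net.ssl.trustStore and -Djavax.net.ssl.trustStorePassword; the "wrong-hostname" scenario is why the certificate's SAN must carry the exact eureka.instance.hostname the clients use (localhost or domain.com in the configurations above).

```go
package main

// Added example (not from the thread): a self-contained model of the
// "PKIX path building failed" failure discussed above. The server's
// certificate (server.ssl.* in Spring Boot) and the client's trust store
// are independent; only the latter decides whether the handshake succeeds.
// Hostnames and outcome labels are assumptions for illustration.

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"io"
	"math/big"
	"net/http"
	"net/http/httptest"
	"time"
)

// selfSignedCert is the in-process equivalent of "keytool -genkeypair":
// a self-signed certificate whose SAN carries the name clients will verify.
func selfSignedCert(host string) (tls.Certificate, *x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		DNSNames:     []string{host}, // must match what clients put in eureka.instance.hostname
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, leaf, nil
}

// fetchWith makes one HTTPS request with the given client TLS settings and
// classifies the outcome. "untrusted-issuer" is the Go counterpart of the
// Java "unable to find valid certification path to requested target".
func fetchWith(url string, cfg *tls.Config) string {
	client := &http.Client{
		Transport: &http.Transport{TLSClientConfig: cfg},
		Timeout:   5 * time.Second,
	}
	resp, err := client.Get(url)
	if err != nil {
		var unknownCA x509.UnknownAuthorityError
		var badName x509.HostnameError
		switch {
		case errors.As(err, &unknownCA):
			return "untrusted-issuer"
		case errors.As(err, &badName):
			return "hostname-mismatch"
		default:
			return "other-error: " + err.Error()
		}
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(resp.Body)
	if err != nil {
		return "other-error: " + err.Error()
	}
	return string(body)
}

// RunScenarios starts a TLS server for host and tries three client trust
// configurations against it, returning the outcome of each.
func RunScenarios(host string) (map[string]string, error) {
	serverCert, serverLeaf, err := selfSignedCert(host)
	if err != nil {
		return nil, err
	}
	// An unrelated self-signed cert stands in for the public CAs that fill a
	// default trust store: plenty of entries, none of them ours.
	_, otherLeaf, err := selfSignedCert("unrelated-ca.internal")
	if err != nil {
		return nil, err
	}

	srv := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
		io.WriteString(w, "registered")
	}))
	srv.TLS = &tls.Config{Certificates: []tls.Certificate{serverCert}} // the server.ssl.* side
	srv.StartTLS()
	defer srv.Close()

	defaultTrust := x509.NewCertPool()
	defaultTrust.AddCert(otherLeaf)
	fixedTrust := x509.NewCertPool()
	fixedTrust.AddCert(serverLeaf) // the "keytool -importcert" step, client side

	return map[string]string{
		"default-truststore": fetchWith(srv.URL, &tls.Config{ServerName: host, RootCAs: defaultTrust}),
		"cert-imported":      fetchWith(srv.URL, &tls.Config{ServerName: host, RootCAs: fixedTrust}),
		"wrong-hostname":     fetchWith(srv.URL, &tls.Config{ServerName: "other.internal", RootCAs: fixedTrust}),
	}, nil
}

func main() {
	results, err := RunScenarios("localhost")
	if err != nil {
		panic(err)
	}
	for name, outcome := range results {
		fmt.Printf("%-20s %s\n", name, outcome)
	}
}
```

Note that the "ignore certs" shortcut mentioned above corresponds to InsecureSkipVerify in Go: it switches off both the issuer check and the hostname check at once, so any endpoint that answers on that port is accepted as the Eureka server. Importing the one certificate you actually issued keeps both checks in place.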
Comment From: ashuit87
Unable to register Eureka client on SSL enabled Eureka server on Openshift
Comment From: ashuit87
@aashish-tripathi could you please help me on this