0

I'm building a cloud-based microservice architecture using Spring Boot. We are using the embedded container only, which is Tomcat for Spring Boot. Moreover, we've also added the cert to the JVM keystore.

To make it simpler, I've created only two Spring Boot apps.

1) Spring boot Eureka Server
2) Spring boot Eureka client

Both have the same configuration as mentioned above. When I start the Eureka server on https, it starts successfully without any issue. After that I start the Eureka client, which goes well until it requests registration with the Eureka server, and it starts failing afterwards.

Interestingly, when I keep the Eureka Server on a non-secure port, i.e. keep it on http, all my Eureka clients which are SSL-enabled are able to connect without any issue, but I don't really need that in my architecture as I'm also using Zuul as a single entry point for all my microservices.

Everything works fine when it is http, but it starts failing when it comes to https and SSL enabled.

Here is my Eureka Server Configuration.

eureka.instance.hostname= localhost
eureka.client.registerWithEureka= false
eureka.client.fetchRegistry= false
server.port= 8761

server.ssl.enabled = true
server.ssl.key-store=classpath:ssl.keystore
server.ssl.key-store-password=changeit

And my Eureka client configuration:

server.port=8181
spring.application.name=my-client
eureka.instance.hostname=localhost
eureka.instance.securePort = 8181
eureka.instance.securePortEnabled = true
eureka.instance.nonSecurePortEnabled = false
eureka.instance.metadataMap.hostname = ${eureka.instance.hostname}
eureka.instance.metadataMap.securePort = ${server.port}
eureka.instance.homePageUrl = https://${eureka.instance.hostname}:${server.port}/
eureka.instance.statusPageUrl = https://${eureka.instance.hostname}:${server.port}/admin/info
eureka.client.serviceUrl.defaultZone: https://localhost:8761/eureka/ 
server.ssl.enabled = true
server.ssl.key-store=classpath:ssl.keystore
server.ssl.key-store-password=changeit

and below is the exception trace.

Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.validator.PKIXValidator.doBuild(Unknown Source) ~[na:1.8.0_91]
at sun.security.validator.PKIXValidator.engineValidate(Unknown Source) ~[na:1.8.0_91]
at sun.security.validator.Validator.validate(Unknown Source) ~[na:1.8.0_91]
at sun.security.ssl.X509TrustManagerImpl.validate(Unknown Source) ~[na:1.8.0_91]
at sun.security.ssl.X509TrustManagerImpl.checkTrusted(Unknown Source) ~[na:1.8.0_91]
at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(Unknown Source) ~[na:1.8.0_91]
... 50 common frames omitted

I tried numerous hit-and-trial approaches to make it work, which others had tried on Stack Overflow, but to be honest none of them work. I also explored others' suggestions and incorporated them, but that doesn't work either. I'm not sure what's wrong in my configuration. Has anybody encountered a similar problem, and how did it get resolved?

I would really appreciate it if someone has insight on this.

yongsung.yoon

1 Answer

5

IMHO you need to configure a trust-store on your Eureka client side, not a key-store. The properties server.ssl.key-store and server.ssl.key-store-password are just for your embedded container. What you need to set up in your Eureka client is a trust-store that will be used to verify the SSL certificate from your server when your Eureka client is registering itself with the Eureka Server.

Try to define the below system properties on your eureka client.

java -Djavax.net.ssl.trustStore=xxxx
java -Djavax.net.ssl.trustStorePassword=xxxx

yongsung.yoon
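
One way to confirm the diagnosis in the answer without starting either service (an added example, not code from the question or the answer): load the server's keystore and a candidate client truststore, then ask the JVM's default trust manager whether it would accept the chain the server presents. The class name `TrustCheck`, the argument order and the `ECDHE_RSA` auth type are assumptions.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Collections;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

// Added example, not from the original post. Class name and argument order are assumptions.
public class TrustCheck {

    static KeyStore load(String path, String password) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (FileInputStream in = new FileInputStream(path)) {
            ks.load(in, password.toCharArray());
        }
        return ks;
    }

    // Builds the same kind of X509TrustManager the JVM derives from javax.net.ssl.trustStore.
    static X509TrustManager trustManagerFor(KeyStore trustStore) throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) return (X509TrustManager) tm;
        }
        throw new IllegalStateException("no X509TrustManager available");
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 4)
            throw new IllegalArgumentException("usage: TrustCheck <serverKeystore> <pass> <clientTruststore> <pass>");
        KeyStore server = load(args[0], args[1]);
        X509TrustManager tm = trustManagerFor(load(args[2], args[3]));
        for (String alias : Collections.list(server.aliases())) {
            if (!server.isKeyEntry(alias)) continue; // only entries the server can present
            Certificate[] chain = server.getCertificateChain(alias);
            X509Certificate[] x509 = Arrays.copyOf(chain, chain.length, X509Certificate[].class);
            try {
                tm.checkServerTrusted(x509, "ECDHE_RSA"); // authType: assumed key exchange
                System.out.println(alias + ": trusted");
            } catch (CertificateException e) {
                System.out.println(alias + ": NOT trusted: " + e.getMessage());
            }
        }
    }
}
```

With the default PKIX trust manager, an untrusted chain typically prints the same `PKIX path building failed` message as the trace in the question. The check covers the trust path only, not hostname verification.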