I am successful using MySQL Workbench to do full crud on a Bluemix hosted MySQL Compose service.

I then built a simple Microservice with SpringBoot on my local laptop with Apache Derby... successful.

My next step was to use the MySQL Compose hosted in Bluemix.

I edited application.properties and ran into this error "PKIX path building failed: ...." "SunCertPathBuilderException: unable to find valid certification path to request target"

application.properties file
spring.jpa.hibernate.ddl-auto=create
spring.jpa.database-platform=org.hibernate.dialect.MySQLDialect
spring.datasource.url=jdbc:mysql://somedomain:port/compose?useSSL=true&requireSSL=true
spring.datasource.username=myname
spring.datasource.password=mypassword

Bluemix provided me these credentials in json:

{
  "db_type": "mysql",
  "name": "bmix-dal-yp-xxxxxxx-",
  "uri_cli": "mysql -u myname -p --host somedomain.com --port 5555 --ssl-mode=REQUIRED",
  "ca_certificate_base64": "LS0tLS1CRUd......",
  "deployment_id": "58fexxxxxxxxxxx",
  "uri": "mysql://myname:mypassword@somedomain.com:55555/compose"
}

Am I supposed to use the ca certificate somewhere in my application.properties?

Do I need to enable ssl on my embedded tomcat server running by default with springBoot?

How can I configure my springBoot application to connect to my cloud provider's MySQL instance with SSL with the json they provided?

Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
xpagesbeast

1 Answer

Add the following to your pom.xml (or equivalent):

...
<repositories>
   <repository>
      <id>jcenter</id>
      <url>http://jcenter.bintray.com</url>
      <snapshots>
         <enabled>true</enabled>
         <updatePolicy>never</updatePolicy>
         <checksumPolicy>warn</checksumPolicy>
      </snapshots>
      <releases>
         <enabled>true</enabled>
         <checksumPolicy>warn</checksumPolicy>
      </releases>
   </repository>
</repositories>
...
<dependency>
   <groupId>com.orange.clara.cloud.boot.ssl-truststore-gen</groupId>
   <artifactId>spring-boot-ssl-truststore-gen</artifactId>
   <version>2.0.21</version>
</dependency>
...

Add the following to your manifest.yml

env:
    # Add the certificate from VCAP_SERVICES ca_certificate_base64
    # You need to base64 decode the certificate and add it below
    # E.g. echo '<<ca_certificate_base64>>' | base64 -d   (use -D on older macOS)

    TRUSTED_CA_CERTIFICATE: |-
        -----BEGIN CERTIFICATE-----
        ...
        -----END CERTIFICATE-----

For more information, see https://github.com/orange-cloudfoundry/spring-boot-ssl-truststore-gen

Also see a minimal app here: https://github.com/snowch/hello-spring-cloud/tree/8b9728a826dcc1995a7ccb19a852ac8face21147


This is my first answer - this did not work. Ignore this section.

One option is:

Import the cert into a Java truststore file, pack the file into the Java application and specify its path via the JAVA_OPTS environment variable; the truststore file can be placed under the resource directory. This can be used for single applications:

  • By using the 'cf set-env' command:

    cf set-env <app> JAVA_OPTS '-Djavax.net.ssl.trustStore=classpath:resources/config/truststore -Djavax.net.ssl.trustStorePassword=changeit'
    
  • or, by using manifest.yml

    applications:
    - name: java-app
      ...
      env:
          JAVA_OPTS: '-Djavax.net.ssl.trustStore=classpath:resources/config/truststore -Djavax.net.ssl.trustStorePassword=changeit'
    

Note that the certificate in the field ca_certificate_base64 is base64 encoded so you will need to decode it before adding it to your truststore, e.g.

Decode the certificate:

echo '<<ca_certificate_base64>>' | base64 -d > ca_certificate.pem   # use -D on older macOS

Create a truststore:

keytool -import -trustcacerts -file ca_certificate.pem -alias compose_cert -keystore resources/config/truststore -storepass changeit -noprompt

Note that the keystore location (resources/config/truststore) and the storepass (changeit) are set in the JAVA_OPTS.

There are a few different options you can try. See this documentation for more information: https://discuss.pivotal.io/hc/en-us/articles/223454928-How-to-tell-application-containers-running-Java-apps-to-trust-self-signed-certs-or-a-private-or-internal-CA

Chris Snow
  • Question: I should take the 'ca_certificate_base64' provided to me, decode it into a file called 'truststore' and put it in my resources folder (SpringBoot project)? – xpagesbeast Jun 06 '17 at 13:44
  • I've updated the answer. Please let me know how you get on. If this doesn't work, maybe you could create a minimal example in github that works without ssl that I can attempt to add ssl and verify the fix works. – Chris Snow Jun 06 '17 at 14:39
  • I changed the jdbc to not use ssl and I am able to do full crud on the cloud database from my laptop (springBoot project)... success. I followed all the steps you wrote up to create the keystore, but I am a little confused about the JAVA_OPTS environment variable. Is there a spring application.properties I need to edit so Tomcat loads with the environment variable, or do I need to create a "global" environment variable in my O/S (laptop)? I am using a Ubuntu Linux workstation. – xpagesbeast Jun 08 '17 at 04:03
  • Great stuff. Is your project available in a public github repo? If it is, I can take the instructions in my answer and verify they work for your specific project. – Chris Snow Jun 08 '17 at 04:07
  • It is not in github. I am not sure where to put the JAVA_OPTS, is it in my application.properties file? Last packet sent to the server was 363 ms ago. – xpagesbeast Jun 09 '17 at 20:14
  • Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target – xpagesbeast Jun 09 '17 at 21:41
  • The approach here did not work for me. I have to do more research into the buildpack to see why this is failing. This may take some time. I suggest also raising a support ticket on bluemix. – Chris Snow Jun 10 '17 at 08:35
  • I found this article which may be helpful https://www.compose.com/articles/compose-notes-java-and-lets-encrypt-certificates/ – xpagesbeast Jun 14 '17 at 11:29
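An added example, not from the question or the answer above, that does on the command line what the thread is working towards: decode `ca_certificate_base64` from the Compose credential JSON into a PEM file, import it into a JKS truststore with keytool, and generate an application.properties whose JDBC URL joins its parameters with `&` and uses the Connector/J truststore properties, so the driver verifies the server certificate against the Compose CA without any JAVA_OPTS. The JSON keys are the ones shown in the question; the file names, the `compose_ca` alias, the `changeit` password and the constructed sample credentials are assumptions.

```shell
#!/bin/sh
# Added example (not the question's or answer's code): credential JSON -> ca_certificate.pem,
# truststore.jks and an application.properties that makes Connector/J verify the server cert.
# JSON keys are from the question; file names, alias and password are assumptions.
set -e

json_field() {   # json_field <creds.json> <key>: first top-level string value for <key>
  sed -n "s/.*\"$2\"[[:space:]]*:[[:space:]]*\"\([^\"]*\)\".*/\1/p" "$1" | head -n 1
}

write_ca_pem() {   # write_ca_pem <creds.json> <outdir>: decode the CA and check it is PEM
  b64=$(json_field "$1" ca_certificate_base64)
  [ -n "$b64" ] || { echo "no ca_certificate_base64 in $1" >&2; return 1; }
  printf '%s' "$b64" | base64 -d > "$2/ca_certificate.pem"   # -D on older macOS
  grep -q -- '-----BEGIN CERTIFICATE-----' "$2/ca_certificate.pem" \
    || { echo "decoded value is not a PEM certificate" >&2; return 1; }
  echo "$2/ca_certificate.pem"
}

make_truststore() {   # make_truststore <outdir> <password>: needs a JDK for keytool
  keytool -importcert -noprompt -trustcacerts -alias compose_ca \
    -file "$1/ca_certificate.pem" -keystore "$1/truststore.jks" -storepass "$2"
}

write_properties() {   # write_properties <creds.json> <outdir> <truststore-password>
  uri=$(json_field "$1" uri)                 # mysql://user:pass@host:port/db
  hostport_db=${uri##*@}                     # host:port/db (after the last '@')
  user_pass=${uri#mysql://}; user_pass=${user_pass%@*}
  store=$(cd "$2" && pwd)/truststore.jks     # absolute path for the file: URL
  # Parameters are joined with '&' (the question's URL used '?' twice);
  # verifyServerCertificate=true makes Connector/J check the chain against the truststore.
  cat > "$2/application.properties" <<EOF
spring.datasource.url=jdbc:mysql://${hostport_db}?useSSL=true&requireSSL=true&verifyServerCertificate=true&trustCertificateKeyStoreUrl=file:${store}&trustCertificateKeyStorePassword=$3
spring.datasource.username=${user_pass%%:*}
spring.datasource.password=${user_pass#*:}
EOF
  echo "$2/application.properties"
}

demo() {   # constructed sample credentials; the CA is a placeholder PEM, not a real cert
  dir=$(mktemp -d)
  ca_b64=$(printf '%s\n' '-----BEGIN CERTIFICATE-----' 'MIIB...placeholder...' \
           '-----END CERTIFICATE-----' | base64 | tr -d '\n')
  printf '{ "db_type": "mysql", "ca_certificate_base64": "%s",\n  "uri": "mysql://myname:mypassword@somedomain.com:55555/compose" }\n' \
    "$ca_b64" > "$dir/creds.json"
  write_ca_pem "$dir/creds.json" "$dir" >/dev/null
  write_properties "$dir/creds.json" "$dir" changeit   # then: make_truststore "$dir" changeit
}
```

With real credentials, run `make_truststore` after `write_ca_pem` so that the truststore the generated URL points at exists before the application starts; a password containing URL-reserved characters would need percent-decoding first.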