
Is there a way to configure the Eureka client to use a different keystore/truststore than the spring-boot embedded tomcat? OR is there a way to disable cert validation in SBA server?

I have a situation where I have a cluster of spring-boot based microservices across several VMs. All of the microservices, including backend management like SBA and Eureka server, are secured using HTTPS and the typical spring-boot SSL certificate configuration. For these services I am using a self-signed CA to generate certificates for each machine. One exception to this is the "gateway" service which serves the api through to our web client. This service is configured with a certificate signed by a real CA, as it is the only publicly accessible service.

Getting to the point, my "gateway" service is unable to connect to SBA server, I see a scroll of SSL-related errors complaining about the hostname of the client not matching any alt names in its certificate. This is because it is presenting its public cert to SBA which does not match the internal host name that the request is originating from.

My services are using Netflix Eureka and service discovery.

EDIT: Adding stacktrace from SBA Server:

2019-02-06 21:34:30 [reactor-http-epoll-3] ERROR r.n.http.client.HttpClientConnect - [id: 0x5844260b, L:/172.17.0.5:40928 - R:myhost.mydomain.com/172.xxx.xxx.xxx:443] The connection observed an error
javax.net.ssl.SSLHandshakeException: General SSLEngine problem
        at sun.security.ssl.Handshaker.checkThrown(Handshaker.java:1521)
        at sun.security.ssl.SSLEngineImpl.checkTaskThrown(SSLEngineImpl.java:528)
        at sun.security.ssl.SSLEngineImpl.readNetRecord(SSLEngineImpl.java:802)
        at sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:766)
        at javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:624)
        at io.netty.handler.ssl.SslHandler$SslEngineType$3.unwrap(SslHandler.java:294)
        at io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1297)
        at io.netty.handler.ssl.SslHandler.decodeJdkCompatible(SslHandler.java:1199)
        at io.netty.handler.ssl.SslHandler.decode(SslHandler.java:1243)
        at io.netty.handler.codec.ByteToMessageDecoder.decodeRemovalReentryProtection(ByteToMessageDecoder.java:502)
        at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:441)
        at io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:278)
        at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:362)
        at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:348)
        at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:340)
        at io.netty.channel.DefaultChannelPipeline$HeadContext.channelRead(DefaultChannelPipeline.java:1434)
        at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:362)
        at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:348)
        at io.netty.channel.DefaultChannelPipeline.fireChannelRead(DefaultChannelPipeline.java:965)
        at io.netty.channel.epoll.AbstractEpollStreamChannel$EpollStreamUnsafe.epollInReady(AbstractEpollStreamChannel.java:799)
        at io.netty.channel.epoll.AbstractEpollChannel$AbstractEpollUnsafe$1.run(AbstractEpollChannel.java:382)
        at io.netty.util.concurrent.AbstractEventExecutor.safeExecute(AbstractEventExecutor.java:163)
        at io.netty.util.concurrent.SingleThreadEventExecutor.runAllTasks(SingleThreadEventExecutor.java:404)
        at io.netty.channel.epoll.EpollEventLoop.run(EpollEventLoop.java:335)
        at io.netty.util.concurrent.SingleThreadEventExecutor$5.run(SingleThreadEventExecutor.java:897)
        at java.lang.Thread.run(Thread.java:748)
Caused by: javax.net.ssl.SSLHandshakeException: General SSLEngine problem
        at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
        at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1709)
        at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:318)
        at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:310)
        at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1639)
        at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:223)
        at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1037)
        at sun.security.ssl.Handshaker$1.run(Handshaker.java:970)
        at sun.security.ssl.Handshaker$1.run(Handshaker.java:967)
        at java.security.AccessController.doPrivileged(Native Method)
        at sun.security.ssl.Handshaker$DelegatedTask.run(Handshaker.java:1459)
        at io.netty.handler.ssl.SslHandler.runDelegatedTasks(SslHandler.java:1460)
        at io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1365)
        ... 19 common frames omitted
Caused by: java.security.cert.CertificateException: No subject alternative DNS name matching myhost.mydomain.com found.
        at sun.security.util.HostnameChecker.matchDNS(HostnameChecker.java:214)
        at sun.security.util.HostnameChecker.match(HostnameChecker.java:96)
        at sun.security.ssl.X509TrustManagerImpl.checkIdentity(X509TrustManagerImpl.java:455)
        at sun.security.ssl.X509TrustManagerImpl.checkIdentity(X509TrustManagerImpl.java:436)
        at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:252)
        at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:136)
        at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1626)
        ... 27 common frames omitted

EDIT: Upon further inspection, I have the sequence of this issue wrong. The SSL error is not occurring when the gateway tries to register with SBA; it actually registers fine. The SSL error is occurring when SBA tries to reach back to actuator on the gateway.

So I guess the updated question is a bit more complicated: Is there a way to configure actuator with a different keystore/truststore? Furthermore, is there a way to open up Actuator in Zuul only for connections on the backend like SBA and not for users on the public/client end?

habelson
  • which gateway are you using? zuul or sc gateway? Does error occur from Eureka client inside the gateway? – yongsung.yoon Feb 07 '19 at 05:08
  • I am using Zuul. Error occurs inside SBA server. – habelson Feb 07 '19 at 05:13
  • AFAIK, Eureka client doesn't try to connect to SBA server. Could you post your error messages? – yongsung.yoon Feb 07 '19 at 06:00
  • @yongsung.yoon check here: https://codecentric.github.io/spring-boot-admin/current/ under "2.2.2 Spring Cloud Discovery" – habelson Feb 07 '19 at 15:55
  • The document means that SBA can be configured with Eureka Client. It means that SBA server will try to access Eureka Server to acquire the list of available servers via Eureka client. Namely, it doesn't mean that Eureka client will connect to SBA server. – yongsung.yoon Feb 08 '19 at 11:25
  • @yongsung.yoon while SBA client may be autoconfigured under the hood, I am not explicitly declaring or configuring SBA client. Instead, AutoDiscovery is using the Eureka Instance config in my application.yml to configure SBA client. Regardless, none of these semantics are related to my issue. The client is registering with SBA just fine. – habelson Feb 08 '19 at 12:41
  • Hi, I had an issue where I needed to disable SSL verification on SBA. I found a solution and posted it [here](https://stackoverflow.com/questions/50320573/how-avoid-the-certificate-validation-in-spring-boot-admin/55258603#55258603). Maybe you can modify it to your needs. – crea1 Mar 20 '19 at 10:36
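
The updated question (a separate keystore for Actuator, and Actuator reachable only from the backend) maps onto Spring Boot's management-server properties. The following application.yml for the gateway is an added example, not code from the question, its comments or the Spring Boot Admin project: it keeps the CA-signed certificate on the public connector and moves Actuator to its own connector with a certificate from the internal CA whose SAN matches the internal hostname SBA dials, bound to the internal interface only. File paths, passwords, addresses and the exposed endpoint list are placeholders; the Eureka metadata keys are the ones SBA's service-instance converter reads to locate the management endpoint.

```yaml
# Added example: Spring Boot 2.x application.yml for the Zuul gateway.
# Public traffic: main connector, certificate from the public CA.
server:
  port: 443
  ssl:
    key-store: file:/etc/gateway/public.p12            # placeholder path; SAN = public hostname
    key-store-password: ${PUBLIC_KEYSTORE_PASSWORD}    # placeholder, injected from the environment
    key-store-type: PKCS12

# Actuator: its own connector, so it gets its own TLS settings.
management:
  server:
    port: 8443
    address: 10.0.0.5            # placeholder: the internal NIC only, never 0.0.0.0 or the public IP
    ssl:
      key-store: file:/etc/gateway/internal.p12        # placeholder path; cert from the internal CA,
      key-store-password: ${INTERNAL_KEYSTORE_PASSWORD} #   SAN = internal hostname (fixes the
      key-store-type: PKCS12                            #   "No subject alternative DNS name" error)
      # Optional hardening: require callers to present a certificate issued by the
      # internal CA. SBA's HTTP client must then be configured with a client cert,
      # otherwise its health polls will fail the handshake.
      # trust-store: file:/etc/gateway/internal-ca-truststore.p12
      # trust-store-password: ${INTERNAL_TRUSTSTORE_PASSWORD}
      # client-auth: need
  endpoints:
    web:
      exposure:
        include: health,info,metrics,loggers,env        # expose only what SBA needs

# Tell SBA (via Eureka metadata) where the management connector lives. Spring
# Cloud's Eureka client normally fills port and context-path itself; they are
# set explicitly here so the internal address and scheme are unambiguous.
eureka:
  instance:
    hostname: gateway.internal.example        # placeholder internal name, matches the SAN above
    secure-port-enabled: true
    non-secure-port-enabled: false
    metadata-map:
      management.scheme: https
      management.address: 10.0.0.5            # placeholder, same as management.server.address
      management.port: 8443
      management.context-path: /actuator
```

Because Actuator no longer listens on the public connector, Zuul routes on port 443 cannot reach it at all; the SBA server still needs the internal CA in the truststore of the JVM it runs on, since it is the client in the failing handshake.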
