spring-data-elastic connection certificate issue: javax.net.ssl.SSLHandshakeException: PKIX path building failed

Question

My Elasticsearch instance is running. Able to connect via kibana web UI and postman with the .crt certificate. I wrote a method to prepare SSLContext for connecting to elastic via spring-data-elasticsearch

@SneakyThrows
    private SSLContext readTLSCertToPrepareSslContext(String user, String password) {

        BasicCredentialsProvider credentialsProvider = new BasicCredentialsProvider();
        credentialsProvider.setCredentials((AuthScope.ANY), new UsernamePasswordCredentials(user, password));


        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        ks.load(null, null);

        String certFilePath = webApiConfiguration.getElastic().getCertFilePath();

        ClassLoader classLoader = getClass().getClassLoader();

        InputStream fis;
        try {
            fis = new FileInputStream(new File(classLoader.getResource(certFilePath).toURI()));
        } catch (Exception e) {
            throw e;
        }


        CertificateFactory cf = CertificateFactory.getInstance("X.509");  // cf: factory
        X509Certificate cert; // trustedCa: cert
        cert = (X509Certificate)cf.generateCertificate(fis);

        // Add to the keystore
        ks.setCertificateEntry("caCert", cert);

        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);

        final SSLContext context = SSLContext.getInstance("TLS");

        context.init(null, tmf.getTrustManagers(), null);

        return context;

    }

But I encountered this exception about PKIX / certificate during the healthcheck.

javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at org.elasticsearch.client.RestClient.extractAndWrapCause(RestClient.java:876)
    at org.elasticsearch.client.RestClient.performRequest(RestClient.java:283)
    at org.elasticsearch.client.RestClient.performRequest(RestClient.java:270)
    at org.springframework.boot.actuate.elasticsearch.ElasticsearchRestHealthIndicator.doHealthCheck(ElasticsearchRestHealthIndicator.java:65)
    at org.springframework.boot.actuate.health.AbstractHealthIndicator.health(AbstractHealthIndicator.java:82)
    at org.springframework.boot.actuate.health.HealthIndicator.getHealth(HealthIndicator.java:37)
    at org.springframework.boot.actuate.health.HealthEndpoint.getHealth(HealthEndpoint.java:77)
    at org.springframework.boot.actuate.health.HealthEndpoint.getHealth(HealthEndpoint.java:40)
    at org.springframework.boot.actuate.health.HealthEndpointSupport.getContribution(HealthEndpointSupport.java:130)
    at org.springframework.boot.actuate.health.HealthEndpointSupport.getAggregateContribution(HealthEndpointSupport.java:141)
    at org.springframework.boot.actuate.health.HealthEndpointSupport.getContribution(HealthEndpointSupport.java:126)
    at org.springframework.boot.actuate.health.HealthEndpointSupport.getHealth(HealthEndpointSupport.java:95)
    at org.springframework.boot.actuate.health.HealthEndpointSupport.getHealth(HealthEndpointSupport.java:66)
    at org.springframework.boot.actuate.health.HealthEndpoint.health(HealthEndpoint.java:71)
    at org.springframework.boot.actuate.health.HealthEndpoint.health(HealthEndpoint.java:61)
    at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
    at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.base/java.lang.reflect.Method.invoke(Method.java:566)
    at org.springframework.util.ReflectionUtils.invokeMethod(ReflectionUtils.java:282)
    at org.springframework.boot.actuate.endpoint.invoke.reflect.ReflectiveOperationInvoker.invoke(ReflectiveOperationInvoker.java:74)
    at org.springframework.boot.actuate.endpoint.annotation.AbstractDiscoveredOperation.invoke(AbstractDiscoveredOperation.java:60)
    at org.springframework.boot.actuate.endpoint.jmx.EndpointMBean.invoke(EndpointMBean.java:122)
    at org.springframework.boot.actuate.endpoint.jmx.EndpointMBean.invoke(EndpointMBean.java:97)
    at java.management/com.sun.jmx.interceptor.DefaultMBeanServerInterceptor.invoke(DefaultMBeanServerInterceptor.java:809)
    at java.management/com.sun.jmx.mbeanserver.JmxMBeanServer.invoke(JmxMBeanServer.java:801)
    at java.management.rmi/javax.management.remote.rmi.RMIConnectionImpl.doOperation(RMIConnectionImpl.java:1466)
    at java.management.rmi/javax.management.remote.rmi.RMIConnectionImpl$PrivilegedOperation.run(RMIConnectionImpl.java:1307)
    at java.management.rmi/javax.management.remote.rmi.RMIConnectionImpl.doPrivilegedOperation(RMIConnectionImpl.java:1399)
    at java.management.rmi/javax.management.remote.rmi.RMIConnectionImpl.invoke(RMIConnectionImpl.java:827)
    at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
    at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.base/java.lang.reflect.Method.invoke(Method.java:566)
    at java.rmi/sun.rmi.server.UnicastServerRef.dispatch(UnicastServerRef.java:359)
    at java.rmi/sun.rmi.transport.Transport$1.run(Transport.java:200)
    at java.rmi/sun.rmi.transport.Transport$1.run(Transport.java:197)
    at java.base/java.security.AccessController.doPrivileged(Native Method)
    at java.rmi/sun.rmi.transport.Transport.serviceCall(Transport.java:196)
    at java.rmi/sun.rmi.transport.tcp.TCPTransport.handleMessages(TCPTransport.java:562)
    at java.rmi/sun.rmi.transport.tcp.TCPTransport$ConnectionHandler.run0(TCPTransport.java:796)
    at java.rmi/sun.rmi.transport.tcp.TCPTransport$ConnectionHandler.lambda$run$0(TCPTransport.java:677)
    at java.base/java.security.AccessController.doPrivileged(Native Method)
    at java.rmi/sun.rmi.transport.tcp.TCPTransport$ConnectionHandler.run(TCPTransport.java:676)
    at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)
    at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
    at java.base/java.lang.Thread.run(Thread.java:834)
...

The SSLContext will be used to make ClientConfiguration in the next step :

            SSLContext sc = readTLSCertToPrepareSslContext(username , password);

            ClientConfiguration clientConfiguration
                    = ClientConfiguration.builder()
                    .connectedTo(elasticUrl)
                    .usingSsl(sc)
                    .withBasicAuth(elasticUsername, elasticPassword)
                    .build();

Your advice is appreciated.

where and how do you use this `SSLContext`? And which version of Spring Data Elasticsearch are you using? — P.J.Meisch, Oct 08 '22 at 13:38
@P.J.Meisch I am using spring boot 2.6.8. The usage of SSLContext is updated to the post. — Os Q, Oct 08 '22 at 23:32
This is ok for Spring Data Elasticsearch. But Spring Boot does not use this configuration. — P.J.Meisch, Oct 11 '22 at 07:20

spring-data-elastic connection certificate issue: javax.net.ssl.SSLHandshakeException: PKIX path building failed

0 Answers0