
SunCertPathBuilderException when calling endpoint using client-side certificate from Kubernetes Docker

We are using clj-http with a keystore consisting of a keystore.pfx with a self-signed certificate:

;; requires assumed by this snippet: [clj-http.client :as http] [cheshire.core :as json]
(let [url (str url "api/fetch")                 ; url = base URL of the API
      opts {:keystore "keystore.pfx"            ; PKCS#12 file holding the client cert + private key
            :keystore-type "pkcs12"
            :keystore-pass "****"
            :body (json/encode {:method "yada"})
            :content-type :json
            :throw-entire-message? true
            :async? false}
      response (http/post url opts)]
  (-> response
      :body
      base64-decode))                          ; base64-decode: helper defined elsewhere

The API call with the keystore works locally (the client-side cert is presented correctly), but not from a Docker container on Kubernetes.

Exception is:

sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

Any ideas how to fix? Do we need to add it to the JVM some way? If so, where and how to add the pfx?

Your self-signed client/server certs don't share a chain of trust (this is what the error message is telling you).

Put the CA cert(s) in a trust store, e.g.

keytool -importcert -noprompt -alias ca -file ca.crt -keystore truststore -storepass secret

and add the trust store to the request:

  ; ...
  :trust-store "truststore"  ; added: store holding the CA cert(s) that signed the server cert
  :trust-store-pass "secret" ; added: password given to keytool above
  :keystore "keystore.pfx"   ; unchanged: the client cert + key
  :keystore-pass "****"
  ; ...
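The complete request as an added example (not code from the question, the answer, or clj-http itself): the keystore identifies the client, the separate trust store tells the JVM which CA may sign the server certificate. File names, passwords and the environment-variable names are assumptions; on Kubernetes the two files would typically be mounted from a Secret and their paths handed over via environment variables.

```clojure
;; Added example, not part of the original post. Assumed names: keystore.pfx,
;; truststore.p12 and the CLIENT_* / CA_* environment variables.
(ns example.mtls-client
  (:require [clj-http.client :as http]
            [cheshire.core :as json]))

(defn tls-opts
  "clj-http options for mutual TLS.
   :keystore / :keystore-pass   -> who *we* are (client cert + private key)
   :trust-store / :trust-store-pass -> which CAs we accept for the *server*
   Without :trust-store the JVM uses its default cacerts, which knows nothing
   about a self-signed CA, hence SunCertPathBuilderException."
  [{:keys [keystore keystore-pass truststore truststore-pass]}]
  {:keystore         keystore
   :keystore-type    "pkcs12"
   :keystore-pass    keystore-pass
   :trust-store      truststore
   ;; must match what keytool produced: Java 9+ defaults to PKCS12,
   ;; Java 8 defaults to JKS (then use "jks" here)
   :trust-store-type "pkcs12"
   :trust-store-pass truststore-pass})

(defn config-from-env
  "Reads paths and passwords from the environment (variable names are assumptions);
   the defaults mirror the file names used in the answer."
  []
  {:keystore        (or (System/getenv "CLIENT_KEYSTORE") "keystore.pfx")
   :keystore-pass   (System/getenv "CLIENT_KEYSTORE_PASS")
   :truststore      (or (System/getenv "CA_TRUSTSTORE") "truststore.p12")
   :truststore-pass (System/getenv "CA_TRUSTSTORE_PASS")})

(defn fetch
  "POST payload as JSON to <base-url>api/fetch over mutual TLS; returns the response body."
  [base-url payload cfg]
  (let [opts (merge (tls-opts cfg)
                    {:body                  (json/encode payload)
                     :content-type          :json
                     :throw-entire-message? true
                     :async?                false})]
    (:body (http/post (str base-url "api/fetch") opts))))

(comment
  ;; hypothetical host; run once the Secret with both stores is mounted
  (fetch "https://api.example.internal/" {:method "yada"} (config-from-env)))
```

A quick way to confirm the trust store actually contains the CA before deploying is `keytool -list -keystore truststore.p12 -storepass secret`; if the server cert was signed by an intermediate, import the whole chain (root and intermediate) rather than only the leaf.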
