docker - Spring Boot 1.4.1 SSL trustAnchors exception
I am running Spring Boot microservices inside Docker containers (docker-compose) for testing. I tried to upgrade Spring Boot from 1.4.0 to 1.4.1 (I tried 1.4.2 also) and the services fail on start with the exception:
InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty
I have not experienced this issue running Spring Boot 1.4.0. The Dockerfile I use for one of the services is provided below (some sensitive values have been replaced; I tried 1.4.2 with the same result).
The same behaviour happens when I run the service on the command line with the environment variables and Java params listed in the Dockerfile below.
Here is an extract of the log:
2016-11-10 08:10:06.645 ERROR [sbsa-account-om-service,,,] 1 --- [           main] o.apache.catalina.core.StandardService   : Failed to start connector [Connector[HTTP/1.1-8762]]

org.apache.catalina.LifecycleException: Failed to start component [Connector[HTTP/1.1-8762]]
	at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:167) ~[tomcat-embed-core-8.5.5.jar!/:8.5.5]
	at org.apache.catalina.core.StandardService.addConnector(StandardService.java:225) ~[tomcat-embed-core-8.5.5.jar!/:8.5.5]
	at org.springframework.boot.context.embedded.tomcat.TomcatEmbeddedServletContainer.addPreviouslyRemovedConnectors(TomcatEmbeddedServletContainer.java:233) [spring-boot-1.4.1.RELEASE.jar!/:1.4.1.RELEASE]
	at org.springframework.boot.context.embedded.tomcat.TomcatEmbeddedServletContainer.start(TomcatEmbeddedServletContainer.java:178) [spring-boot-1.4.1.RELEASE.jar!/:1.4.1.RELEASE]
	at org.springframework.boot.context.embedded.EmbeddedWebApplicationContext.startEmbeddedServletContainer(EmbeddedWebApplicationContext.java:297) [spring-boot-1.4.1.RELEASE.jar!/:1.4.1.RELEASE]
	at org.springframework.boot.context.embedded.EmbeddedWebApplicationContext.finishRefresh(EmbeddedWebApplicationContext.java:145) [spring-boot-1.4.1.RELEASE.jar!/:1.4.1.RELEASE]
	at org.springframework.context.support.AbstractApplicationContext.refresh(AbstractApplicationContext.java:544) [spring-context-4.3.3.RELEASE.jar!/:4.3.3.RELEASE]
	at org.springframework.boot.context.embedded.EmbeddedWebApplicationContext.refresh(EmbeddedWebApplicationContext.java:122) [spring-boot-1.4.1.RELEASE.jar!/:1.4.1.RELEASE]
	at org.springframework.boot.SpringApplication.refresh(SpringApplication.java:761) [spring-boot-1.4.1.RELEASE.jar!/:1.4.1.RELEASE]
	at org.springframework.boot.SpringApplication.refreshContext(SpringApplication.java:371) [spring-boot-1.4.1.RELEASE.jar!/:1.4.1.RELEASE]
	at org.springframework.boot.SpringApplication.run(SpringApplication.java:315) [spring-boot-1.4.1.RELEASE.jar!/:1.4.1.RELEASE]
	at org.springframework.boot.SpringApplication.run(SpringApplication.java:1186) [spring-boot-1.4.1.RELEASE.jar!/:1.4.1.RELEASE]
	at org.springframework.boot.SpringApplication.run(SpringApplication.java:1175) [spring-boot-1.4.1.RELEASE.jar!/:1.4.1.RELEASE]
	at com.sbg.om.services.SbsaAccountOmServiceApplication.main(SbsaAccountOmServiceApplication.java:24) [classes!/:0.0.1-SNAPSHOT]
	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[na:1.8.0_11]
	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) ~[na:1.8.0_11]
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[na:1.8.0_11]
	at java.lang.reflect.Method.invoke(Method.java:483) ~[na:1.8.0_11]
	at org.springframework.boot.loader.MainMethodRunner.run(MainMethodRunner.java:48) [app.jar:0.0.1-SNAPSHOT]
	at org.springframework.boot.loader.Launcher.launch(Launcher.java:87) [app.jar:0.0.1-SNAPSHOT]
	at org.springframework.boot.loader.Launcher.launch(Launcher.java:50) [app.jar:0.0.1-SNAPSHOT]
	at org.springframework.boot.loader.JarLauncher.main(JarLauncher.java:58) [app.jar:0.0.1-SNAPSHOT]
Caused by: org.apache.catalina.LifecycleException: service.getName(): "Tomcat"; Protocol handler start failed
	at org.apache.catalina.connector.Connector.startInternal(Connector.java:976) ~[tomcat-embed-core-8.5.5.jar!/:8.5.5]
	at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:150) ~[tomcat-embed-core-8.5.5.jar!/:8.5.5]
	... 21 common frames omitted
Caused by: java.lang.IllegalArgumentException: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty
	at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:103) ~[tomcat-embed-core-8.5.5.jar!/:8.5.5]
	at org.apache.tomcat.util.net.AbstractJsseEndpoint.initialiseSsl(AbstractJsseEndpoint.java:81) ~[tomcat-embed-core-8.5.5.jar!/:8.5.5]
	at org.apache.tomcat.util.net.NioEndpoint.bind(NioEndpoint.java:244) ~[tomcat-embed-core-8.5.5.jar!/:8.5.5]
	at org.apache.tomcat.util.net.AbstractEndpoint.start(AbstractEndpoint.java:874) ~[tomcat-embed-core-8.5.5.jar!/:8.5.5]
	at org.apache.coyote.AbstractProtocol.start(AbstractProtocol.java:590) ~[tomcat-embed-core-8.5.5.jar!/:8.5.5]
	at org.apache.catalina.connector.Connector.startInternal(Connector.java:969) ~[tomcat-embed-core-8.5.5.jar!/:8.5.5]
	... 22 common frames omitted
Caused by: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty
	at java.security.cert.PKIXParameters.setTrustAnchors(PKIXParameters.java:200) ~[na:1.8.0_11]
	at java.security.cert.PKIXParameters.<init>(PKIXParameters.java:157) ~[na:1.8.0_11]
	at java.security.cert.PKIXBuilderParameters.<init>(PKIXBuilderParameters.java:130) ~[na:1.8.0_11]
	at org.apache.tomcat.util.net.jsse.JSSEUtil.getParameters(JSSEUtil.java:341) ~[tomcat-embed-core-8.5.5.jar!/:8.5.5]
	at org.apache.tomcat.util.net.jsse.JSSEUtil.getTrustManagers(JSSEUtil.java:273) ~[tomcat-embed-core-8.5.5.jar!/:8.5.5]
	at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:101) ~[tomcat-embed-core-8.5.5.jar!/:8.5.5]
	... 27 common frames omitted
2016-11-10 08:10:06.691  INFO [sbsa-account-om-service,,,] 1 --- [           main] o.apache.catalina.core.StandardService   : Stopping service Tomcat
dockerfile:
FROM webdizz/centos-java8
VOLUME /tmp
ADD <app name>.jar app.jar
ADD smoke-test.trust.jks /smoke-test.trust.jks

# Environment vars: SSL keystore + truststore (Spring Boot relaxed binding maps
# SERVER_SSL_* to server.ssl.*). The same JKS file serves as keystore and truststore.
ENV SECURITY_X509_ORGUNIT=<org unit>
ENV SERVER_SSL_ENABLED="true"
ENV SECURITY_SESSIONS="stateless"
ENV SECURITY_HEADERS_HSTS="all"
ENV SERVER_SSL_CIPHERS="TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA"
ENV SERVER_SSL_PROTOCOL="TLS"
ENV SERVER_SSL_KEYSTORE="/smoke-test.trust.jks"
ENV SERVER_SSL_KEYSTOREPASSWORD=<password>
ENV SERVER_SSL_KEYSTORETYPE="JKS"
ENV SERVER_SSL_KEYALIAS=<alias>
ENV SERVER_SSL_KEYPASSWORD=<password>
ENV RIBBON_READTIMEOUT="60000"
ENV RIBBON_ISSECURE="true"
ENV RIBBON_ISHOSTNAMEVALIDATIONREQUIRED="true"
ENV RIBBON_KEYSTORE="/smoke-test.trust.jks"
ENV RIBBON_KEYSTOREPASSWORD=<password>
ENV SECURITY_REQUIRESSL="true"
ENV SERVER_SSL_TRUSTSTORE="/smoke-test.trust.jks"
ENV SERVER_SSL_TRUSTSTOREPASSWORD=<password>
ENV SERVER_SSL_TRUSTSTORETYPE="JKS"
# Mutual TLS: clients must present a certificate that chains to the truststore.
ENV SERVER_SSL_CLIENTAUTH="need"
ENV RIBBON_TRUSTSTORE="/smoke-test.trust.jks"
ENV RIBBON_TRUSTSTOREPASSWORD=<password>
ENV RIBBON_ISCLIENTAUTHREQUIRED="true"
ENV PCI_CIPHER_KEY=<key>
ENV LIQUIBASE_CONTEXTS=<context>

# Run the actual Java app
RUN sh -c 'touch /app.jar'
EXPOSE 8762
EXPOSE 9997
# JVM system property names (-D...) are case-sensitive, unlike Spring Boot's relaxed binding.
ENTRYPOINT ["java", \
    "-Djavax.net.ssl.trustStore=/smoke-test.trust.jks", \
    "-Djavax.net.ssl.trustStorePassword=<password>", \
    "-Djavax.net.ssl.trustStoreType=JKS", \
    "-Djavax.net.debug=ssl", \
    "-Dspring.profiles.active=testing", \
    "-Dom.security.enabled=true", \
    "-Dmanagement.security.enabled=true", \
    "-Dom.security.x509.subjectPrincipalRegex=OU=(.*?)(?:,|$)", \
    "-Dom.security.x509.roleConfiguration[0].roleNames[0]=<rolename>", \
    "-Dom.security.x509.roleConfiguration[0].searchValues[0]=<value>", \
    "-Dom.security.orderedPathRestrictions[0].pattern='/**'", \
    "-Dom.security.orderedPathRestrictions[0].roles=<role>", \
    "-Dom.security.orderedPathRestrictions[0].csrfDisabled=true", \
    "-Xdebug", \
    "-agentlib:jdwp=transport=dt_socket,address=9997,server=y,suspend=n", \
    "-Dserver.port=8762", \
    "-Deureka.instance.non-secure-port=0", \
    "-Deureka.instance.secure-port=8762", \
    "-Deureka.instance.hostname=<name>", \
    "-Deureka.instance.nonSecurePortEnabled=false", \
    "-Deureka.instance.securePortEnabled=true", \
    "-Deureka.client.serviceUrl.defaultZone=<url>", \
    "-Dspring.application.name=sbsa-account-om-service", \
    "-Deureka.instance.secureVirtualHostName=<name>", \
    "-Djava.security.egd=file:/dev/./urandom", \
    "-jar", \
    "/app.jar"]
Edit: this is not the same issue as the one mentioned in the trustAnchors question. The problem is related to going from Spring Boot version 1.4.0 to 1.4.1; the only change is the Boot version, and the other configs, which worked under Spring Boot 1.4.0, have been left the same.
It turns out that as of Spring Boot 1.4.1 the underlying Tomcat version got bumped to 8.5.6, and it does not accept certificate types other than:
Entry type: trustedCertEntry
I was using self-signed certs of type:
Entry type: PrivateKeyEntry
After re-generating the certs it started working fine.
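The answer above comes down to how the trust anchors are collected from the JKS. The trace shows Tomcat's JSSEUtil.getParameters() building a PKIXBuilderParameters from the truststore, and that constructor (per its Javadoc) only takes TrustedCertificateEntry entries as trust anchors and throws the "trustAnchors parameter must be non-empty" exception when there are none; a store that holds only a PrivateKeyEntry therefore fails even though the same file works as a keystore. The following is an added example, not code from the original post, that runs the same check before the container does so you can see which entry types a store contains and whether Tomcat will accept it as a truststore. The file names, alias and password (smoke-test.jks, smoke-test.trust.jks, "smoke", "changeit") and the keytool commands in the leading comment are assumptions used to build test input; `keytool -genkeypair` produces exactly the PrivateKeyEntry-only store the question describes, and exporting the certificate and importing it into a separate store produces the trustedCertEntry the answer says is required.

```java
// Added example (not from the original post): preflight a JKS the way
// Tomcat 8.5's JSSEUtil does before the SSL connector starts.
//
// Assumed test input (hypothetical names/password):
//   keytool -genkeypair -alias smoke -keyalg RSA -keysize 2048 -validity 365 \
//           -dname "CN=smoke,OU=test" -keystore smoke-test.jks -storepass changeit
//   -> smoke-test.jks holds one PrivateKeyEntry: fails the check below.
//   keytool -exportcert -alias smoke -keystore smoke-test.jks -storepass changeit -file smoke.crt
//   keytool -importcert -alias smoke -file smoke.crt -keystore smoke-test.trust.jks \
//           -storepass changeit -noprompt
//   -> smoke-test.trust.jks holds one trustedCertEntry: passes the check below.
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.InvalidAlgorithmParameterException;
import java.security.KeyStore;
import java.security.cert.PKIXBuilderParameters;
import java.security.cert.X509CertSelector;
import java.util.Enumeration;

public final class TrustStorePreflight {

    /** Counts of entry types plus the verdict of the PKIX constructor. */
    public static final class Report {
        public final int trustedCertEntries;
        public final int privateKeyEntries;
        public final boolean usableAsTomcatTrustStore;

        Report(int trustedCertEntries, int privateKeyEntries, boolean usable) {
            this.trustedCertEntries = trustedCertEntries;
            this.privateKeyEntries = privateKeyEntries;
            this.usableAsTomcatTrustStore = usable;
        }
    }

    /** Loads the store, lists each alias with its entry type, then tries the PKIX constructor. */
    public static Report check(String path, char[] storePassword, String storeType) throws Exception {
        KeyStore ks = KeyStore.getInstance(storeType);
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, storePassword);
        }

        int trusted = 0;
        int keys = 0;
        for (Enumeration<String> aliases = ks.aliases(); aliases.hasMoreElements(); ) {
            String alias = aliases.nextElement();
            if (ks.isCertificateEntry(alias)) {
                trusted++;
                System.out.printf("%-24s trustedCertEntry%n", alias);
            } else if (ks.isKeyEntry(alias)) {
                keys++;
                System.out.printf("%-24s PrivateKeyEntry%n", alias);
            }
        }

        boolean usable;
        try {
            // Same constructor Tomcat's JSSEUtil.getParameters() uses; it only
            // collects TrustedCertificateEntry entries as trust anchors.
            new PKIXBuilderParameters(ks, new X509CertSelector());
            usable = true;
        } catch (InvalidAlgorithmParameterException e) {
            // "the trustAnchors parameter must be non-empty"
            System.out.println("PKIX rejected the store: " + e.getMessage());
            usable = false;
        }
        return new Report(trusted, keys, usable);
    }

    public static void main(String[] args) throws Exception {
        String path = args.length > 0 ? args[0] : "smoke-test.trust.jks";
        String password = args.length > 1 ? args[1] : "changeit";
        Report r = check(path, password.toCharArray(), "JKS");
        System.out.printf("trustedCertEntry=%d PrivateKeyEntry=%d usableAsTruststore=%b%n",
                r.trustedCertEntries, r.privateKeyEntries, r.usableAsTomcatTrustStore);
        // Non-zero exit lets a build step refuse to ship a store Tomcat will reject at startup.
        System.exit(r.usableAsTomcatTrustStore ? 0 : 1);
    }
}
```

Run it as `java TrustStorePreflight smoke-test.jks changeit` to see the failing case and against the imported store to see the passing one. Note that the Dockerfile above points both server.ssl.keyStore and server.ssl.trustStore at the same file, so that file has to contain both the PrivateKeyEntry the server presents and at least one trustedCertEntry for the check to pass; with clientAuth "need", the trustedCertEntry is also what client certificates are validated against.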