SunCertPathBuilderException when calling endpoint using client-side certificate from Kubernetes Docker

12/19/2019

We are using clj-http with a keystore consisting of a keystore.pfx with a self-signed certificate:

(let [url (str url "api/fetch")
      opts {:keystore "keystore.pfx"
            :keystore-type "pkcs12"
            :keystore-pass "****"
            :body (json/encode {:method "yada"})
            :content-type :json
            :throw-entire-message? true
            :async? false}
      response (http/post url opts)]
  (-> response
      :body
      base64-decode))

The API calls with the keystore work locally to call the API with a client-side cert, but not in a Docker container on Kubernetes.

Exception is:

sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

Any ideas how to fix? Do we need to add it to the JVM some way? If so, where and how to add the pfx?

-- Erwin Rooijakkers
clj-http
clojure
docker
java
kubernetes

1 Answer

12/20/2019

Your self-signed client/server certs don't share the chain of trust (this is what the error message is telling you).

Put the CA cert(s) in a trust store, e.g.

keytool -importcert -noprompt -alias ca -file ca.crt -keystore truststore -storepass secret

and add the trust store to the request:

  ; ...
  :trust-store "truststore"  ; XXX
  :trust-store-pass "secret" ; XXX
  :keystore "keystore.pfx"
  :keystore-pass "****"
  ; ...
-- cfrick
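The full request with both stores wired in, plus a preflight check that the truststore actually contains a CA entry, as an added example that is not part of the question or the answer. It assumes clj-http and cheshire, the file names, passwords and alias `ca` from the answer's keytool command, and a placeholder base URL; the `trusted-ca-subjects` helper is my own addition, useful for running inside the container, since the common cause of "works locally, fails in Kubernetes" is a truststore file that was never copied into the image or sits at a different path.

```clojure
;; Added example (not from the question or answer): a clj-http request that
;; presents the client certificate from keystore.pfx and trusts the server
;; through a separate truststore, with a check that the truststore is usable.
;; File names, passwords and the alias "ca" follow the answer above; the
;; endpoint URL is a placeholder.
(ns example.mtls
  (:require [clj-http.client :as http]
            [cheshire.core :as json]
            [clojure.java.io :as io])
  (:import [java.security KeyStore]
           [java.security.cert X509Certificate]))

(defn load-keystore
  "Open a keystore/truststore file of the given type (\"pkcs12\" or \"jks\")."
  ^KeyStore [path ^String type ^String password]
  (with-open [in (io/input-stream path)]
    (doto (KeyStore/getInstance type)
      (.load in (.toCharArray password)))))

(defn trusted-ca-subjects
  "Map of alias -> subject DN for every trusted certificate entry in the
   truststore. Run this inside the container to confirm the CA that signed
   the server cert is really present at the path the request will use."
  [path type password]
  (let [ks (load-keystore path type password)]
    (->> (enumeration-seq (.aliases ks))
         (filter #(.isCertificateEntry ks %))
         (map (fn [alias]
                (let [^X509Certificate cert (.getCertificate ks alias)]
                  [alias (str (.getSubjectX500Principal cert))])))
         (into {}))))

(defn request-opts
  "clj-http options: client cert from the PKCS12 keystore, server trust from
   the truststore built with keytool in the answer."
  [body]
  {:keystore              "keystore.pfx"
   :keystore-type         "pkcs12"
   :keystore-pass         "****"
   :trust-store           "truststore"
   ;; keytool writes JKS on Java 8 and PKCS12 on Java 9+; state the type
   ;; explicitly so the container JVM does not have to guess.
   :trust-store-type      "jks"
   :trust-store-pass      "secret"
   :body                  (json/encode body)
   :content-type          :json
   :throw-entire-message? true})

(defn fetch
  "POST to <base-url>api/fetch over mutual TLS, failing early with a clear
   message if the truststore has no CA entries."
  [base-url]
  (let [trusted (trusted-ca-subjects "truststore" "jks" "secret")]
    (when (empty? trusted)
      (throw (ex-info "truststore contains no CA entries; server cert cannot chain"
                      {:trust-store "truststore"})))
    (:body (http/post (str base-url "api/fetch")
                      (request-opts {:method "yada"})))))

(comment
  ;; Inside the container, before blaming the JVM:
  (trusted-ca-subjects "truststore" "jks" "secret")
  ;; => {"ca" "CN=Example Internal CA"}   (constructed illustration)
  (fetch "https://service.example.internal/"))
```

If `trusted-ca-subjects` throws `FileNotFoundException` in the pod, the stores were not baked into the image or mounted (a Secret mounted as a volume is the usual fix); if it returns an empty map, the `keytool -importcert` step was skipped. Only once it lists the CA is the remaining `SunCertPathBuilderException` genuinely about the server certificate not chaining to that CA.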
Source: StackOverflow