I'm writing a web service which takes a request, authenticates the request's bearer token against an external web service, retrieves the requested information from an encrypted database using a stored procedure, decrypts the data with a provided key, and returns the data as JSON. Fairly standard stuff, although I'm having an absolutely maddening problem with the request authentication.

Authentication against the external authentication service worked fine on my development machine, but all requests were rejected with an invalid certificate error when I went to deploy it to production. I confirmed this by making a request manually using curl, which showed the same problem. The owners of the production environment then provided a certificate (actually two certificates in the same file) in the PEM format. A request made with curl and this certificate worked fine, and so I went to add this certificate to the default trust store using keytool as usual. This didn't solve the error; I kept having it crash with a certificate error when making the request.

I've tried everything I know how to do when it comes to certificates in Java: I've created a custom trust store and pointed the JVM at it, and I've even transplanted the known-good trust store from my dev machine into the same directory as the exported JAR and set the trustStore property programmatically to point at it, with absolutely no success. For the purpose of allowing some testing to take place, I did the old "installing a trust manager that just allows everything through", which fixed the issue, but obviously only a complete lunatic would put that code into production, so I can't put it into production as is.

I'm completely stumped here. I'm starting to think there's some weird environment problem going on; if it's relevant, the production server is running CentOS while I'm developing on macOS. The framework for requests and responses is Spring Boot. I'm making the request in the usual manner with javax.net.ssl.HttpsURLConnection. Any advice on this matter would be much appreciated.

  • You should put some code here. I'm guessing that you are not doing it like here: https://stackoverflow.com/questions/33497874/resttemplate-with-pem-certificate – Morph21 Jan 11 '21 at 12:41
  • It's not really an issue with the code, though; it's a problem with the trust stores. I've seen that question; the problem is that the first step (adding the certificate to the trust store) isn't working properly when I use it, even though it claims to have added the certificate, and I'd like to understand why. – ReleaseTheKraken Jan 11 '21 at 12:49
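The detail in the question that deserves a closer look is the "two certificates in the same file". keytool -importcert reads only the first certificate block in a PEM file, so importing a two-certificate bundle in one command reports success but leaves the second certificate (usually the issuing CA that the server's chain actually needs) out of the store. curl, by contrast, uses every certificate in the file you pass it, which is why the curl test passes while the JVM still fails. The script below is an added example, not code from the question or from any project: it splits a PEM bundle into one file per certificate, imports each under its own alias, and then counts the resulting entries so the import can be verified. It assumes keytool is on PATH, the store password is the stock "changeit", and a lowercase alias prefix (keytool lowercases aliases). The sample bundle at the bottom is constructed for the split demonstration only and holds no real certificates.

```shell
#!/bin/sh
# Added example (not from the original question). Shows why a multi-certificate
# PEM must be split before keytool -importcert, which only reads the FIRST
# certificate block in a file. Assumptions: keytool on PATH, JKS password
# "changeit", lowercase alias prefix.

# split_pem BUNDLE OUTDIR
# Writes each certificate block to OUTDIR/cert-N.pem and prints N on stdout.
split_pem() {
    bundle=$1
    outdir=$2
    mkdir -p "$outdir"
    awk -v dir="$outdir" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/cert-" n ".pem"; inside = 1 }
        inside { print > out }
        /-----END CERTIFICATE-----/ { inside = 0; close(out) }
        END { print n + 0 }
    ' "$bundle"
}

# import_bundle BUNDLE TRUSTSTORE STOREPASS ALIAS_PREFIX
# Imports every certificate in BUNDLE under ALIAS_PREFIX-N, then prints how many
# entries with that prefix the store now holds; it should equal the split count.
import_bundle() {
    bundle=$1
    store=$2
    pass=$3
    prefix=$4
    tmp=$(mktemp -d)
    count=$(split_pem "$bundle" "$tmp")
    i=1
    while [ "$i" -le "$count" ]; do
        keytool -importcert -noprompt -trustcacerts \
            -keystore "$store" -storepass "$pass" \
            -alias "$prefix-$i" -file "$tmp/cert-$i.pem" >/dev/null
        i=$((i + 1))
    done
    rm -rf "$tmp"
    # keytool -list prints one line per entry starting with the alias.
    keytool -list -keystore "$store" -storepass "$pass" | grep -c "^$prefix-"
}

# Constructed two-block bundle used only to demonstrate the split. These are
# not real certificates; keytool would reject the bodies.
SAMPLE_BUNDLE='-----BEGIN CERTIFICATE-----
MIIBconstructedFIRSTCERTbodyNotARealCertificate
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIBconstructedSECONDCERTbodyNotARealCertificate
-----END CERTIFICATE-----'

# write_sample_bundle FILE: materialise the constructed bundle on disk.
write_sample_bundle() {
    printf '%s\n' "$SAMPLE_BUNDLE" > "$1"
}

# Stand-alone demo: split the constructed bundle and report how many blocks it held.
demo_dir=$(mktemp -d)
write_sample_bundle "$demo_dir/bundle.pem"
echo "certificates in constructed bundle: $(split_pem "$demo_dir/bundle.pem" "$demo_dir/split")"
rm -rf "$demo_dir"

# Real use on the production host (not executed here). Resolve java.home from the
# JVM that actually runs the service rather than whichever java is first on PATH;
# CentOS hosts often carry several JDKs via alternatives. java.home points at the
# jre directory on Java 8 and at the JDK root on 9+, so lib/security/cacerts is
# the right relative path in both cases.
#   JH=$(java -XshowSettings:properties -version 2>&1 | awk '/java.home/ { print $3 }')
#   import_bundle prod-chain.pem "$JH/lib/security/cacerts" changeit prodauth
```

After running import_bundle, the printed count must match the number of BEGIN CERTIFICATE blocks in the bundle; if it prints 1 for a two-certificate file, the store was populated the old way and the JVM is still missing the issuer. The same split-and-import applies to a custom store passed with -Djavax.net.ssl.trustStore, and to any store loaded programmatically: a store built from only the first block fails the handshake exactly as the default cacerts did.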

0 Answers