I am running a local Spring boot app that uses oauth2.0 and ssl.

I am using a zerossl signed certificate which is stored in /src/main/resources, and I've imported into the keychain in the project resources.

I am able to retrieve a token and call the /oauth/check_token endpoint manually, however when I try to hit any other endpoint I get the following error:

.o.s.r.w.BearerTokenAuthenticationFilter : Authentication request for failed!

org.springframework.security.authentication.AuthenticationServiceException: I/O error on POST request for "https://localhost:8443/oauth/check_token": PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target;
nested exception is javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

application.properties:

# The format used for the keystore. It could be set to JKS in case it is a JKS file
server.ssl.key-store-type=PKCS12
# The path to the keystore containing the certificate
server.ssl.key-store=classpath:demo.p12
# The password used to generate the certificate
server.ssl.key-store-password=*****
# The alias mapped to the certificate
server.ssl.key-alias=demo
server.ssl.enabled=true
security.oauth2.resource.token-info-uri=https://localhost:8443/oauth/check_token
security.oauth2.client.registered-redirect-uri=https://localhost:8443/test
spring.security.oauth2.resourceserver.opaquetoken.introspection-uri=https://localhost:8443/oauth/check_token

Stepping through the code it looks like when the NimbusOpaqueTokenIntrospector tries to check the token by calling POST https://localhost:8443/oauth/check_token it is not even hitting the endpoint (I placed a breakpoint in the CheckTokenEndpoint controller) and is getting the above PKIX error. I've tried using a custom RestTemplate that specifies the SSL context but I'm still seeing the same error.

John Hanley
foobar
  • Please show how you configure it in `application.properties` and where this cert lives. – Ivar Mar 04 '21 at 16:57
  • @Aivaras I've updated the question with the relevant info ^ – foobar Mar 04 '21 at 17:10
  • related https://stackoverflow.com/questions/6908948/java-sun-security-provider-certpath-suncertpathbuilderexception-unable-to-find – Ivar Mar 04 '21 at 17:26
  • Hm, it looks like that is an error for self-signed certs. This cert is signed by a trusted authority. Also, why would I need to add cert to truststore when calling a regular endpoint, when calling /oauth/check_token seems to work on its own? – foobar Mar 04 '21 at 17:52

1 Answer

If you are still struggling with this, I also experienced the same issue and also tried to install the Valid certificate into my JDK ca-certs. That was actually the correct solution except that even though both the RootCa and ActualDomain certs were installed as trusted certs in JDK ca-certs, there was an intermediate certificate issued just recently that I had left out. I installed the intermediate certificate as a trusted cert into the JDK ca-certs and the TLS certificate is no more.

RootCA=>!!!IntermediateCert!!!=>SubdomainCert
Draken
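A reproduction of the chain gap the answer describes, added here as an example; it is not code from the question or the answer. It builds a throwaway three-tier PKI (RootCA -> IntermediateCert -> SubdomainCert) with openssl and shows that a verifier holding only the root cannot build a path to the leaf until the intermediate is made available, which is the same condition that surfaces in Java as "unable to find valid certification path to requested target". It assumes openssl 1.1.1 or later on PATH; the function names, the temporary-directory layout, the certificate names and the `show_served_chain` and `import_into_jdk_cacerts` helpers are this example's own, and those two helpers need a JDK and a live server, so the demo does not call them.

```shell
#!/bin/sh
# Added example (not from the question or the answer): rebuild the
# RootCA -> IntermediateCert -> SubdomainCert situation with a throwaway PKI
# and show why path building fails without the intermediate. Assumes openssl.
set -u

# make_demo_pki DIR: write root.pem, int.pem and leaf.pem (plus keys) into DIR.
# Every name and certificate below is constructed for this demonstration.
make_demo_pki() {
    dir="$1"
    log="$dir/openssl.log"
    # Root CA: self-signed and explicitly marked as a CA.
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=Demo Root CA" \
        -keyout "$dir/root.key" -out "$dir/root.csr" >>"$log" 2>&1
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' >"$dir/ca.ext"
    openssl x509 -req -in "$dir/root.csr" -signkey "$dir/root.key" -days 30 -sha256 \
        -extfile "$dir/ca.ext" -out "$dir/root.pem" >>"$log" 2>&1
    # Intermediate CA, signed by the root: the certificate the answer found
    # missing from the JDK truststore.
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=Demo Intermediate CA" \
        -keyout "$dir/int.key" -out "$dir/int.csr" >>"$log" 2>&1
    openssl x509 -req -in "$dir/int.csr" -CA "$dir/root.pem" -CAkey "$dir/root.key" \
        -CAcreateserial -days 30 -sha256 -extfile "$dir/ca.ext" -out "$dir/int.pem" >>"$log" 2>&1
    # Leaf: a server certificate for localhost, signed by the intermediate only.
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=localhost" \
        -keyout "$dir/leaf.key" -out "$dir/leaf.csr" >>"$log" 2>&1
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:localhost\nextendedKeyUsage=serverAuth\n' >"$dir/leaf.ext"
    openssl x509 -req -in "$dir/leaf.csr" -CA "$dir/int.pem" -CAkey "$dir/int.key" \
        -CAcreateserial -days 30 -sha256 -extfile "$dir/leaf.ext" -out "$dir/leaf.pem" >>"$log" 2>&1
}

# verify_with_root_only DIR: the trust store knows the root but nobody supplies
# the intermediate. Prints "ok" or "fail".
verify_with_root_only() {
    if openssl verify -CAfile "$1/root.pem" "$1/leaf.pem" >/dev/null 2>&1
    then echo ok; else echo fail; fi
}

# verify_with_intermediate DIR: same trust anchor, but the intermediate is handed
# to the path builder (-untrusted: usable for chain building, not as an anchor).
# This is what the server sending it in the handshake, or the JDK having it in
# cacerts, achieves on the Java side.
verify_with_intermediate() {
    if openssl verify -CAfile "$1/root.pem" -untrusted "$1/int.pem" "$1/leaf.pem" >/dev/null 2>&1
    then echo ok; else echo fail; fi
}

# show_served_chain HOST PORT: list the certificates a live server sends plus
# openssl's verdict. If only entry "0" appears, the server is not sending its
# intermediate. Needs a running server; not called by the demo.
show_served_chain() {
    openssl s_client -connect "$1:$2" -servername "$1" -showcerts </dev/null 2>/dev/null \
        | grep -E '^ *[0-9]+ s:|Verify return code'
}

# import_into_jdk_cacerts PEM ALIAS: the fix the answer applied. Assumes a JDK 9+
# layout (JDK 8 keeps cacerts under jre/lib/security) and the stock cacerts
# password "changeit". Needs a JDK; not called by the demo.
import_into_jdk_cacerts() {
    keytool -importcert -trustcacerts -noprompt -alias "$2" -file "$1" \
        -keystore "${JAVA_HOME:?JAVA_HOME must point at the JDK}/lib/security/cacerts" \
        -storepass changeit
}

# demo: build the PKI in a temporary directory and print both results.
demo() {
    d=$(mktemp -d)
    make_demo_pki "$d"
    echo "root only:           $(verify_with_root_only "$d")"      # fail
    echo "root + intermediate: $(verify_with_intermediate "$d")"   # ok
    rm -rf "$d"
}

demo
```

The `-untrusted` flag is the openssl counterpart of what the JDK's PKIX path builder needs: every intermediate between the leaf and a trusted root must be found either in the chain the server presents or in the truststore. The answer took the truststore route (`import_into_jdk_cacerts`); the other fix is to put the intermediate into the server's PKCS12 keystore alongside the leaf so that clients only need the root. Note that the JVM uses its own cacerts file rather than the operating-system keychain by default, so importing the certificate into a keychain does not change what the Spring application trusts.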