I have Spring Cloud Gateway secured with Keycloak.
Keycloak has a self-signed certificate that I generated with these commands:
openssl genrsa -out ca.key 2048
openssl req -new -x509 -days 365 -key ca.key -subj "/C=CN/ST=GD/L=SZ/O=Acme, Inc./CN=Acme Root CA" -out ca.crt
openssl req -newkey rsa:2048 -nodes -keyout server.key -subj "/C=CN/ST=GD/L=SZ/O=Acme, Inc./CN=*my-site.com" -out server.csr
openssl x509 -req -extfile <(printf "subjectAltName=DNS:my-site.com") -days 365 -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt
In the Dockerfile for Spring Cloud Gateway, I added the CA of the self-signed certificate:
USER root
# Copy the certificate file into the image
COPY --from=build /app/certs/ca.crt /usr/local/share/ca-certificates/ca.crt
# Change the permissions of the /etc/ssl/certs directory
RUN chmod a+w /etc/ssl/certs
# Update the certificate store
RUN update-ca-certificates
But when I attempt to log in, after entering the credentials, Spring Cloud Gateway gives me the error:
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
core_api-gateway.1.4z2matjvgalf@ws002cfw | at java.base/sun.security.validator.PKIXValidator.doBuild(Unknown Source) ~[na:na]
core_api-gateway.1.4z2matjvgalf@ws002cfw | at java.base/sun.security.validator.PKIXValidator.engineValidate(Unknown Source) ~[na:na]
core_api-gateway.1.4z2matjvgalf@ws002cfw | at java.base/sun.security.validator.Validator.validate(Unknown Source) ~[na:na]
core_api-gateway.1.4z2matjvgalf@ws002cfw | at java.base/sun.security.ssl.X509TrustManagerImpl.validate(Unknown Source) ~[na:na]
core_api-gateway.1.4z2matjvgalf@ws002cfw | at java.base/sun.security.ssl.X509TrustManagerImpl.checkTrusted(Unknown Source) ~[na:na]
core_api-gateway.1.4z2matjvgalf@ws002cfw | at java.base/sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(Unknown Source) ~[na:na]
core_api-gateway.1.4z2matjvgalf@ws002cfw | ... 30 common frames omitted
core_api-gateway.1.4z2matjvgalf@ws002cfw | Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
core_api-gateway.1.4z2matjvgalf@ws002cfw | at java.base/sun.security.provider.certpath.SunCertPathBuilder.build(Unknown Source) ~[na:na]
core_api-gateway.1.4z2matjvgalf@ws002cfw | at java.base/sun.security.provider.certpath.SunCertPathBuilder.engineBuild(Unknown Source) ~[na:na]
core_api-gateway.1.4z2matjvgalf@ws002cfw | at java.base/java.security.cert.CertPathBuilder.build(Unknown Source) ~[na:na]
core_api-gateway.1.4z2matjvgalf@ws002cfw | ... 36 common frames omitted
Why? How can I solve this?
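
A diagnostic for the failure in the stack trace above, as an added example that is not part of the original question: the rejection comes from the JVM's `X509TrustManagerImpl`, which validates against the JVM's default trust store, and that store only reflects `/usr/local/share/ca-certificates` if the base image links the two. The class name `TrustCheck` and its single argument (the path to `ca.crt`) are assumptions; the base image is not stated in the question.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

// Hypothetical helper: reports whether a CA certificate is a trust anchor for this JVM.
public class TrustCheck {
    public static void main(String[] args) throws Exception {
        if (args.length != 1) {
            System.err.println("usage: java TrustCheck /path/to/ca.crt");
            System.exit(2);
        }
        // Parse the PEM or DER encoded CA certificate given on the command line.
        X509Certificate ca;
        try (InputStream in = new FileInputStream(args[0])) {
            ca = (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
        }
        // init(null) loads the JVM default trust store: the file named by
        // javax.net.ssl.trustStore if set, otherwise jssecacerts, otherwise
        // cacerts, both under <java.home>/lib/security.
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null);
        boolean trusted = false;
        int anchors = 0;
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (!(tm instanceof X509TrustManager)) continue;
            for (X509Certificate issuer : ((X509TrustManager) tm).getAcceptedIssuers()) {
                anchors++;
                // Certificate.equals compares the encoded bytes, so this is an exact match.
                if (issuer.equals(ca)) trusted = true;
            }
        }
        System.out.println("java.home                = " + System.getProperty("java.home"));
        System.out.println("javax.net.ssl.trustStore = " + System.getProperty("javax.net.ssl.trustStore"));
        System.out.println("trust anchors loaded     = " + anchors);
        System.out.println(ca.getSubjectX500Principal()
                + (trusted ? " is" : " is NOT") + " a trust anchor for this JVM");
        System.exit(trusted ? 0 : 1);
    }
}
```

Run it inside the gateway container with the same JVM and system properties as the application. If it reports that the CA is not a trust anchor, the CA has to be imported into the store the JVM reads (for example with `keytool -importcert`), or the JVM pointed at a store that contains it through `javax.net.ssl.trustStore`.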