
I'm trying to connect to an instance of DocumentDB hosted on AWS.

In my application.properties I used the connection string I saw on aws:

mongodb://administrator:<insertYourPassword>@mycluster.amazonaws.com:27017/?ssl=true&ssl_ca_certs=rds-combined-ca-bundle.pem&replicaSet=rs0&readPreference=secondaryPreferred&retryWrites=false

It doesn't work because ssl_ca_certs isn't accepted in the connection string.

So I followed this guide: AWS TLS connection guide

After creating the truststore I added this to the application properties:

quarkus.http.ssl.certificate.trust-store-file=/path/to/rds-truststore.jks
quarkus.http.ssl.certificate.trust-store-password=changeit

And I added tls=true to the connection string.

With both the first and the second try, the error was the same:

    Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        at java.base/sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:388)
        at java.base/sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:271)
        at java.base/sun.security.validator.Validator.validate(Validator.java:256)
        at java.base/sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:285)
        at java.base/sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:144)
        at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.checkServerCerts(CertificateMessage.java:632)
        ... 21 more
    Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        at java.base/sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141)
        at java.base/sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126)
        at java.base/java.security.cert.CertPathBuilder.build(CertPathBuilder.java:297)
        at java.base/sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:383)
        ... 26 more

Of course I changed all the placeholders shown in the examples.

Saifer

1 Answer


In the end, nothing worked except creating my own instance of the client, avoiding the built-in Mongo parameters in application.properties:

    import javax.enterprise.context.ApplicationScoped;

    // ReactiveMongoClientImpl wraps the reactive-streams driver client, so the
    // reactivestreams MongoClient/MongoClients types are the ones that compile here.
    import com.mongodb.reactivestreams.client.MongoClient;
    import com.mongodb.reactivestreams.client.MongoClients;

    import io.quarkus.mongodb.impl.ReactiveMongoClientImpl;
    import io.quarkus.mongodb.reactive.ReactiveMongoClient;
    import io.quarkus.mongodb.reactive.ReactiveMongoDatabase;

    @ApplicationScoped
    public class AWSDocumentDbReactiveClient {

        private final ReactiveMongoClient reactiveMongoClient;

        public AWSDocumentDbReactiveClient() {
            // Connection string assembled by hand; the [...] placeholders must be replaced.
            String template = "mongodb://%s:%s@%s/fitment?ssl=true&replicaSet=rs0&readpreference=%s";
            String username = "administrator";
            String password = "[dbpswd]";
            String clusterEndpoint = "[clusterendpoint].eu-west-1.docdb.amazonaws.com:27017";
            String readPreference = "secondaryPreferred";
            String connectionString = String.format(template, username, password, clusterEndpoint, readPreference);

            // JKS truststore containing the AWS CA bundle (see the link below).
            String truststore = "rds-truststore.jks";
            String truststorePassword = "changeit";

            // These properties are JVM-global: they must be set before the first TLS
            // handshake and they change the default trust store for every SSLContext
            // in the process, not only for this client.
            System.setProperty("javax.net.ssl.trustStore", truststore);
            System.setProperty("javax.net.ssl.trustStorePassword", truststorePassword);

            MongoClient mongoClient = MongoClients.create(connectionString);

            this.reactiveMongoClient = new ReactiveMongoClientImpl(mongoClient);
        }

        public ReactiveMongoDatabase getDatabase() {
            return this.reactiveMongoClient.getDatabase("[dbname]");
        }
    }

You can find the information about creating the truststore here.

Saifer