OAuth2.0 with HTTPs

[vicquiro-capg]

Hi!
I'm trying to use HTTPs, with the EdcHttpClient Library on the EDC connector, to connect keycloak IDP server and when trying to get the ssl certificate I I get this error:

"javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target"

Someone can help? Thanks

[paullatzelsperger]

@victorquiroga-capgemini there is a lot of information missing here, such as the full exception stacktrace, or the exact use case you are trying to implement, so I can only give generic answers.

Generally, this exception means that the SSL certificate for the remote URL isn't found in the trust store.

This can happen if the remote service (here: presumably your KC server) is using either a self-signed cert or a cert that was signed by an unknown signer. Either way, this is not an EDC problem.

If that is the case, then you must either add the self-signed cert to the trust store (do not recommend), implement a custom TrustManager(e.g. this, absolutely don't do this!), or use an SSL cert issued by a CA.

[vicquiro-capg]

Srry. @paullatzelsperger. I trying use Kc with self signed cert and use it with EDC oauth extension.
I add a full exception stacktrace:
javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:131)
at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:378)
at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:321)
at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:316)
at java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.checkServerCerts(CertificateMessage.java:1351)
at java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.onConsumeCertificate(CertificateMessage.java:1226)
at java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.consume(CertificateMessage.java:1169)
at java.base/sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:396)
at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:480)
at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:458)
at java.base/sun.security.ssl.TransportContext.dispatch(TransportContext.java:201)
at java.base/sun.security.ssl.SSLTransport.decode(SSLTransport.java:172)
at java.base/sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1510)
at java.base/sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1425)
at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:455)
at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:426)
at okhttp3.internal.connection.RealConnection.connectTls(RealConnection.kt:379)
at okhttp3.internal.connection.RealConnection.establishProtocol(RealConnection.kt:337)
at okhttp3.internal.connection.RealConnection.connect(RealConnection.kt:209)
at okhttp3.internal.connection.ExchangeFinder.findConnection(ExchangeFinder.kt:226)
at okhttp3.internal.connection.ExchangeFinder.findHealthyConnection(ExchangeFinder.kt:106)
at okhttp3.internal.connection.ExchangeFinder.find(ExchangeFinder.kt:74)
at okhttp3.internal.connection.RealCall.initExchange$okhttp(RealCall.kt:255)
at okhttp3.internal.connection.ConnectInterceptor.intercept(ConnectInterceptor.kt:32)
at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.kt:109)
at okhttp3.internal.cache.CacheInterceptor.intercept(CacheInterceptor.kt:95)
at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.kt:109)
at okhttp3.internal.http.BridgeInterceptor.intercept(BridgeInterceptor.kt:83)
at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.kt:109)
at okhttp3.internal.http.RetryAndFollowUpInterceptor.intercept(RetryAndFollowUpInterceptor.kt:76)
at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.kt:109)
at org.eclipse.edc.connector.core.base.OkHttpClientFactory$EnforceHttps.intercept(OkHttpClientFactory.java:71)
at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.kt:109)
at okhttp3.internal.connection.RealCall.getResponseWithInterceptorChain$okhttp(RealCall.kt:201)
at okhttp3.internal.connection.RealCall.execute(RealCall.kt:154)
at dev.failsafe.okhttp.FailsafeCall.lambda$execute$0(FailsafeCall.java:117)
at dev.failsafe.Functions.lambda$get$0(Functions.java:46)
at dev.failsafe.internal.RetryPolicyExecutor.lambda$apply$0(RetryPolicyExecutor.java:74)
at dev.failsafe.SyncExecutionImpl.executeSync(SyncExecutionImpl.java:187)
at dev.failsafe.CallImpl.execute(CallImpl.java:33)
at dev.failsafe.okhttp.FailsafeCall.execute(FailsafeCall.java:121)
at org.eclipse.edc.http.client.EdcHttpClientImpl.execute(EdcHttpClientImpl.java:59)
at org.eclipse.edc.http.client.EdcHttpClientImpl.execute(EdcHttpClientImpl.java:51)
at org.eclipse.edc.iam.oauth2.identity.IdentityProviderKeyResolver.getKeys(IdentityProviderKeyResolver.java:104)
at org.eclipse.edc.iam.oauth2.identity.IdentityProviderKeyResolver.refreshKeys(IdentityProviderKeyResolver.java:136)
at org.eclipse.edc.iam.oauth2.identity.IdentityProviderKeyResolver.start(IdentityProviderKeyResolver.java:82)
at org.eclipse.edc.iam.oauth2.Oauth2ServiceExtension.start(Oauth2ServiceExtension.java:144)
at org.eclipse.edc.boot.system.injection.lifecycle.StartPhase.start(StartPhase.java:34)
at org.eclipse.edc.boot.system.injection.lifecycle.ExtensionLifecycleManager.start(ExtensionLifecycleManager.java:78)
at java.base/java.util.ArrayList.forEach(ArrayList.java:1511)
at org.eclipse.edc.boot.system.ExtensionLoader.bootServiceExtensions(ExtensionLoader.java:76)
at org.eclipse.edc.boot.system.runtime.BaseRuntime.bootExtensions(BaseRuntime.java:153)
at org.eclipse.edc.boot.system.runtime.BaseRuntime.boot(BaseRuntime.java:92)
at org.eclipse.edc.boot.system.runtime.BaseRuntime.main(BaseRuntime.java:77)
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at java.base/sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:439)
at java.base/sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:306)
at java.base/sun.security.validator.Validator.validate(Validator.java:264)
at java.base/sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:231)
at java.base/sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:132)
at java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.checkServerCerts(CertificateMessage.java:1335)
... 49 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at java.base/sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:148)
at java.base/sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:129)
at java.base/java.security.cert.CertPathBuilder.build(CertPathBuilder.java:297)
at java.base/sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:434)
... 54 more

[paullatzelsperger]

like I said, this has nothing to do with EDC, because the JDK TrustManager rejects certificates that aren't found in the trust store.

You have to import your self-signed cert into the Java key store of the machine that runs your EDC code. If you run EDC in a docker container, you'd have to import the self-signed cert in the docker container's trust store.

I'm assuming this is a test/demo/dev environment, so it may be worth considering using just HTTP instead of HTTPS.

Note that the EDC project does not recommend, support or condone this!

[paullatzelsperger]

@vicquiro-capg I will close this discussion, as it has nothing to do with EDC