I have a strange problem w.r.t. a secure websocket connection to a Spring Boot application (with a WSS endpoint running). Basically I have a websocket client which is part of my production code and it is supposed to connect to the WSS endpoint available in an EKS cluster using a Let's Encrypt certificate. However, for some reason it does not connect and throws me an exception stating "not a valid certificate path". I am sure that I have used the correct certificate on both sides.
After some investigation I found that EKS gives me a Kubernetes fake certificate during the handshake rather than the Let's Encrypt certificate, for some reason. And the interesting fact is, if I write a simple websocket client outside my production code, I am able to connect to the endpoint using the Let's Encrypt certificate.
FYI, I am running both pieces of code from my laptop, so the JVM environment and certificate store are the same. Has anybody faced this issue before, or can you please help me with areas where I should start investigating?
With a Wireshark capture I see the difference below between the production request and my sample app request: server_name is missing from the prod app, no idea why.
This problem basically occurs with Java 8. In some specific scenarios this happens. Basically, if the websocket endpoint has one IP with multiple hostnames, then the host_name extension (SNI) has to be supplied from the client side, and if that does not happen you might end up with problems like getting the wrong certificate.
I have used this link to resolve this issue. Basically I had to use the websocket client from and provide the socket factory wrapper from the above link.