
SunCertPathBuilderException when calling endpoint using client-side certificate from Kubernetes Docker


We are using clj-http with a keystore consisting of a keystore.pfx with a self-signed certificate:

    (ns example.client
      (:require [clj-http.client :as http]
                [cheshire.core :as json])
      (:import [java.util Base64]))

    ;; base64-decode is not shown in the question; a plain java.util.Base64
    ;; decoder is assumed here.
    (defn base64-decode [^String s]
      (.decode (Base64/getDecoder) s))

    (defn fetch [base-url]
      (let [url (str base-url "api/fetch")
            opts {:keystore "keystore.pfx"        ; client cert + private key
                  :keystore-type "pkcs12"
                  :keystore-pass "****"
                  :body (json/encode {:method "yada"})
                  :content-type :json
                  :throw-entire-message? true
                  :async? false}
            response (http/post url opts)]
        (-> response
            :body
            base64-decode)))

The API call with the keystore works locally to call the API with a client-side cert, but not in a Docker container on Kubernetes.

Exception is:

sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

Any ideas how to fix this? Do we need to add it to the JVM some way? If so, where and how do we add the pfx?


Solution

  • Your self-signed client/server certs don't share the chain of trust (this is what the error message is telling you).

    Put the CA cert(s) in a trust store, e.g.

    keytool -importcert -noprompt -alias ca -file ca.crt -keystore truststore -storepass secret
    

    and add the trust store to the request:

      ; ...
      :trust-store "truststore"  ; the trust store created with keytool above
      :trust-store-pass "secret" ; its store password
      :keystore "keystore.pfx"
      :keystore-pass "****"
      ; ...
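A complete client that applies this answer, written as an added example rather than code from the question or the answer: it presents the client certificate from the PKCS#12 keystore and trusts the server through the keytool-built trust store, and it surfaces the root cause of a handshake failure so that SunCertPathBuilderException is visible instead of a generic SSL error. The file paths, environment variable names and the `example.mtls-client` namespace are assumptions; in Kubernetes the two stores would be mounted from a Secret and the passwords injected as environment variables rather than hard-coded.

```clojure
(ns example.mtls-client
  (:require [clj-http.client :as http]
            [cheshire.core :as json]))

;; Assumed locations: both stores mounted from a Kubernetes Secret, and the
;; passwords read from the environment instead of living in source.
(def ^:private keystore-path   (or (System/getenv "CLIENT_KEYSTORE") "/etc/tls/keystore.pfx"))
(def ^:private keystore-pass   (System/getenv "CLIENT_KEYSTORE_PASS"))
(def ^:private truststore-path (or (System/getenv "CA_TRUSTSTORE") "/etc/tls/truststore"))
(def ^:private truststore-pass (System/getenv "CA_TRUSTSTORE_PASS"))

(defn tls-opts
  "clj-http options that present our client certificate (keystore) and
   trust the server's private CA (trust store). Without :trust-store the
   JVM validates the server against its default cacerts, which does not
   contain a self-signed CA, hence the 'unable to find valid certification
   path' error. :trust-store-type is left unset so clj-http uses the JVM
   default store type, the same default keytool used when the store was
   created without -storetype."
  []
  {:keystore         keystore-path
   :keystore-type    "pkcs12"
   :keystore-pass    keystore-pass
   :trust-store      truststore-path
   :trust-store-pass truststore-pass})

(defn- root-cause
  "Walk the cause chain to the innermost exception; for a trust failure
   that is the SunCertPathBuilderException from the question."
  [^Throwable t]
  (loop [c t]
    (if-let [n (.getCause c)]
      (recur n)
      c)))

(defn fetch
  "POST to <base-url>api/fetch over mutual TLS and return the response body.
   A TLS failure is rethrown with the root-cause message and the store
   paths attached, which is what you need when a pod fails but the same
   code works on a laptop."
  [base-url]
  (try
    (-> (http/post (str base-url "api/fetch")
                   (merge (tls-opts)
                          {:body (json/encode {:method "yada"})
                           :content-type :json
                           :throw-entire-message? true}))
        :body)
    (catch javax.net.ssl.SSLException e
      (throw (ex-info (str "TLS failure calling " base-url ": "
                           (.getMessage (root-cause e)))
                      {:keystore    keystore-path
                       :trust-store truststore-path}
                      e)))))
```

The thing to check first when this fails in a pod but not locally is that the trust store actually reached the container: `keytool -list -keystore truststore -storepass secret` inside the pod should show the `ca` alias from the import command above. Setting clj-http's `:insecure? true` makes the error go away but disables server verification entirely, so the client cert would then be sent to whoever answers on that address; the trust store is the fix, not that flag.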