Search code examples
spring-bootsslnetflix-eureka

Eureka server ssl configuration


I'm trying to configure the Eureka spring boot server with an SSL certificate. And I can't find good information to do it. I'm doing it on a local machine with a personal certificate for testing purposes.

As much as I can understand to do it, I've done this step:

1 - Created SSL certificate:

keytool -genkeypair -keyalg RSA -keysize 2048 -storetype PKCS12 -keystore ssltest.p12 -validity 365 -ext "SAN:c=DNS:localhost,IP:127.0.0.1"

2 - In application.yml from Eureka server

server:
  port: 9290
  servlet:
    context-path: /discoveryservice
  ssl:
    enabled: true
    key-store: file:c:\tmp\ssl\ssltest.p12
    key-store-type: PKCS12
    key-store-password: 12345678
    trust-store: file:c:\tmp\ssl\ssltest.p12
    trust-store-type: PKCS12
    trust-store-password: 12345678

eureka:
  instance:
    hostname: localhost
    secure-port: ${server.port}
    secure-port-enabled: true
    non-secure-port-enabled: false
    secure-virtual-host-name: ${spring.application.name}
    home-page-url-path: https://${eureka.instance.hostname}:${server.port}/${server.servlet.context-path}/
    status-page-url-path: https://${eureka.instance.hostname}:${server.port}/${server.servlet.context-path}/info
    health-check-url: https://${eureka.instance.hostname}:${server.port}/${server.servlet.context-path}/health
  client:
    fetch-registry: false
    register-with-eureka: false

  server:
    wait-time-in-ms-when-sync-empty: 0


logging:
  level:
    com:
      netflix:
        eureka: OFF
        discovery: OFF

But it doesn't work, because soon as I add:

trust-store: file:c:\tmp\ssl\ssltest.p12
trust-store-type: PKCS12
trust-store-password: 1234567

I'm getting an error message, and I can't find how to resolve it:

org.springframework.context.ApplicationContextException: Failed to start bean 'webServerStartStop'; nested exception is org.springframework.boot.web.server.WebServerException: Unable to start embedded Tomcat server
    at org.springframework.context.support.DefaultLifecycleProcessor.doStart(DefaultLifecycleProcessor.java:181) ~[spring-context-5.3.19.jar:5.3.19]
    at org.springframework.context.support.DefaultLifecycleProcessor.access$200(DefaultLifecycleProcessor.java:54) ~[spring-context-5.3.19.jar:5.3.19]
    at org.springframework.context.support.DefaultLifecycleProcessor$LifecycleGroup.start(DefaultLifecycleProcessor.java:356) ~[spring-context-5.3.19.jar:5.3.19]
    at java.base/java.lang.Iterable.forEach(Iterable.java:75) ~[na:na]
    at org.springframework.context.support.DefaultLifecycleProcessor.startBeans(DefaultLifecycleProcessor.java:155) ~[spring-context-5.3.19.jar:5.3.19]
    at org.springframework.context.support.DefaultLifecycleProcessor.onRefresh(DefaultLifecycleProcessor.java:123) ~[spring-context-5.3.19.jar:5.3.19]
    at org.springframework.context.support.AbstractApplicationContext.finishRefresh(AbstractApplicationContext.java:935) ~[spring-context-5.3.19.jar:5.3.19]
    at org.springframework.context.support.AbstractApplicationContext.refresh(AbstractApplicationContext.java:586) ~[spring-context-5.3.19.jar:5.3.19]
    at org.springframework.boot.web.servlet.context.ServletWebServerApplicationContext.refresh(ServletWebServerApplicationContext.java:145) ~[spring-boot-2.6.7.jar:2.6.7]
    at org.springframework.boot.SpringApplication.refresh(SpringApplication.java:740) ~[spring-boot-2.6.7.jar:2.6.7]
    at org.springframework.boot.SpringApplication.refreshContext(SpringApplication.java:415) ~[spring-boot-2.6.7.jar:2.6.7]
    at org.springframework.boot.SpringApplication.run(SpringApplication.java:303) ~[spring-boot-2.6.7.jar:2.6.7]
    at org.springframework.boot.SpringApplication.run(SpringApplication.java:1312) ~[spring-boot-2.6.7.jar:2.6.7]
    at org.springframework.boot.SpringApplication.run(SpringApplication.java:1301) ~[spring-boot-2.6.7.jar:2.6.7]
    at io.jdeo.modeldiscoveryservice.ModelDiscoveryServiceApplication.main(ModelDiscoveryServiceApplication.java:12) ~[classes/:na]
Caused by: org.springframework.boot.web.server.WebServerException: Unable to start embedded Tomcat server
    at org.springframework.boot.web.embedded.tomcat.TomcatWebServer.start(TomcatWebServer.java:229) ~[spring-boot-2.6.7.jar:2.6.7]
    at org.springframework.boot.web.servlet.context.WebServerStartStopLifecycle.start(WebServerStartStopLifecycle.java:43) ~[spring-boot-2.6.7.jar:2.6.7]
    at org.springframework.context.support.DefaultLifecycleProcessor.doStart(DefaultLifecycleProcessor.java:178) ~[spring-context-5.3.19.jar:5.3.19]
    ... 14 common frames omitted
Caused by: java.lang.IllegalArgumentException: standardService.connector.startFailed
    at org.apache.catalina.core.StandardService.addConnector(StandardService.java:238) ~[tomcat-embed-core-9.0.62.jar:9.0.62]
    at org.springframework.boot.web.embedded.tomcat.TomcatWebServer.addPreviouslyRemovedConnectors(TomcatWebServer.java:282) ~[spring-boot-2.6.7.jar:2.6.7]
    at org.springframework.boot.web.embedded.tomcat.TomcatWebServer.start(TomcatWebServer.java:213) ~[spring-boot-2.6.7.jar:2.6.7]
    ... 16 common frames omitted
Caused by: org.apache.catalina.LifecycleException: Protocol handler start failed
    at org.apache.catalina.connector.Connector.startInternal(Connector.java:1075) ~[tomcat-embed-core-9.0.62.jar:9.0.62]
    at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:183) ~[tomcat-embed-core-9.0.62.jar:9.0.62]
    at org.apache.catalina.core.StandardService.addConnector(StandardService.java:234) ~[tomcat-embed-core-9.0.62.jar:9.0.62]
    ... 18 common frames omitted
Caused by: java.lang.IllegalArgumentException: the trustAnchors parameter must be non-empty
    at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:107) ~[tomcat-embed-core-9.0.62.jar:9.0.62]
    at org.apache.tomcat.util.net.AbstractJsseEndpoint.initialiseSsl(AbstractJsseEndpoint.java:71) ~[tomcat-embed-core-9.0.62.jar:9.0.62]
    at org.apache.tomcat.util.net.NioEndpoint.bind(NioEndpoint.java:234) ~[tomcat-embed-core-9.0.62.jar:9.0.62]
    at org.apache.tomcat.util.net.AbstractEndpoint.bindWithCleanup(AbstractEndpoint.java:1227) ~[tomcat-embed-core-9.0.62.jar:9.0.62]
    at org.apache.tomcat.util.net.AbstractEndpoint.start(AbstractEndpoint.java:1313) ~[tomcat-embed-core-9.0.62.jar:9.0.62]
    at org.apache.coyote.AbstractProtocol.start(AbstractProtocol.java:614) ~[tomcat-embed-core-9.0.62.jar:9.0.62]
    at org.apache.catalina.connector.Connector.startInternal(Connector.java:1072) ~[tomcat-embed-core-9.0.62.jar:9.0.62]
    ... 20 common frames omitted
Caused by: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty
    at java.base/java.security.cert.PKIXParameters.setTrustAnchors(PKIXParameters.java:200) ~[na:na]
    at java.base/java.security.cert.PKIXParameters.<init>(PKIXParameters.java:157) ~[na:na]
    at java.base/java.security.cert.PKIXBuilderParameters.<init>(PKIXBuilderParameters.java:130) ~[na:na]
    at org.apache.tomcat.util.net.SSLUtilBase.getParameters(SSLUtilBase.java:502) ~[tomcat-embed-core-9.0.62.jar:9.0.62]
    at org.apache.tomcat.util.net.SSLUtilBase.getTrustManagers(SSLUtilBase.java:433) ~[tomcat-embed-core-9.0.62.jar:9.0.62]
    at org.apache.tomcat.util.net.SSLUtilBase.createSSLContext(SSLUtilBase.java:247) ~[tomcat-embed-core-9.0.62.jar:9.0.62]
    at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:105) ~[tomcat-embed-core-9.0.62.jar:9.0.62]
    ... 26 common frames omitted

Disconnected from the target VM, address: '127.0.0.1:62614', transport: 'socket'

Thank you very much for your support and help.

PS: If someone has a good documentation about it too, I will be please :)


Solution

  • Based on the explanation given by @dave_thompson_085 there is the solution:

    There is how to create the correct certificate:

    keytool -genkey -alias myCertificate -keystore myCertificate.jks -ext "SAN:c=DNS:localhost,IP:127.0.0.1"
    
    keytool -genkey -alias myClientCertificate -keystore myClientCertificate.jks -ext "SAN:c=DNS:localhost,IP:127.0.0.1"
    
    keytool -export -alias myClientCertificate -file myClientCertificate.crt -keystore myClientCertificate.jks
    
    keytool -export -alias myCertificate -file myCertificate.crt -keystore myCertificate.jks
    
    keytool -import -alias myClientCertificate -file myClientCertificate.crt -keystore myCertificate.jks
    

    And then on Eureka application.yml:

      ssl:
        enabled: true
        key-store: file:c:\tmp\ssl\myCertificate.jks
        key-store-type: JKS
        key-store-password: 12345678
        trust-store: file:c:\tmp\ssl\myCertificate.jks
        trust-store-type: PKCS12
        trust-store-password: 12345678