Tags: java, spring, spring-boot, ssl, hashicorp-vault

Error while connecting Spring Boot app with Vault: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException


While connecting Vault (hosted on https) with Spring Boot I am getting the below error.

    org.springframework.vault.authentication.VaultLoginException: Cannot log in using org.springframework.web.client.ResourceAccessException: I/O error on POST request for "https://10.166.181.83:31975/v1/auth/cert/login": sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target; nested exception is javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

My pom.xml includes:

    <dependency>
        <groupId>org.springframework.cloud</groupId>
        <artifactId>spring-cloud-starter-vault-config</artifactId>
    </dependency>

While connecting to a localhost Vault server which is on http, everything works fine.
Could anyone please help me with this?

**bootstrap.properties is :**

spring.cloud.vault.scheme=https
spring.cloud.vault.kv.enabled=true
spring.cloud.vault.generic.enabled=true
spring.cloud.vault.generic.backend=configuration-server
spring.cloud.vault.generic.default-context=credentials
spring.cloud.vault.connection-timeout=5000
spring.cloud.vault.read-timeout=15000
spring.cloud.vault.config.order=-10

spring.cloud.vault.authentication=CERT
spring.cloud.vault.ssl.cert-auth-path=cert
spring.cloud.vault.ssl.trust-store-location=classpath:vault.jks
spring.cloud.vault.ssl.trust-store-password=ril@12345

management.endpoints.web.exposure.include=*
management.endpoint.env.post.enabled=true

spring.cloud.vault.uri=https://../../../
spring.cloud.vault.token=hvs.XXXXXXXX

Solution

  • It looks like you are connecting to https using an IP address in the URI. This results in an SSL error (since certificates are based on name and not IPs), so you can either add the certificate to the trusted list using keytool or add code to ignore certificate validation (depending on how you connect this will vary; https://howtodoinjava.com/java/java-security/bypass-ssl-certificate-checking-java/ has some examples where one probably will fit).
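To check the trusted-list route before touching the Spring config, the following added example (not part of the question or the answer above) re-runs the PKIX validation that fails in the error message, offline: it loads `vault.jks` with the password from bootstrap.properties and validates a PEM copy of the Vault server's chain against it. The chain file name `vault-chain.pem` is an assumption; it is expected to hold the CERTIFICATE blocks shown by `openssl s_client -connect <host>:<port> -showcerts`.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.*;
import java.util.ArrayList;
import java.util.List;

// Re-runs offline the check the TLS layer performs before Spring Vault's cert login:
// does the server chain build up to an anchor in vault.jks? vault-chain.pem (assumed name)
// holds the CERTIFICATE blocks shown by `openssl s_client -connect <host>:<port> -showcerts`.
// Usage: java VaultTrustCheck vault.jks 'ril@12345' vault-chain.pem
public class VaultTrustCheck {

    public static void main(String[] args) throws Exception {
        KeyStore trustStore = loadTrustStore(args[0], args[1].toCharArray());
        List<X509Certificate> chain = readPemChain(args[2]);
        System.out.println(trustStore.size() + " trust store entries; server chain of "
                + chain.size() + ", leaf = " + chain.get(0).getSubjectX500Principal());
        try {
            validate(chain, trustStore);
            System.out.println("OK: chain validates against " + args[0]);
        } catch (CertPathValidatorException e) {
            // The same condition behind "unable to find valid certification path".
            System.out.println("FAIL: " + e.getMessage() + " (reason: " + e.getReason() + ")");
            System.exit(1);
        }
    }
    static KeyStore loadTrustStore(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(path)) { ks.load(in, password); }
        return ks;
    }
    static List<X509Certificate> readPemChain(String path) throws Exception {
        List<X509Certificate> out = new ArrayList<>();
        try (InputStream in = new FileInputStream(path)) {
            for (Certificate c : CertificateFactory.getInstance("X.509").generateCertificates(in))
                out.add((X509Certificate) c);
        }
        return out;
    }
    static void validate(List<X509Certificate> chain, KeyStore trustStore) throws Exception {
        List<X509Certificate> path = new ArrayList<>();
        for (X509Certificate c : chain)       // a cert already in the store is an anchor, not path
            if (trustStore.getCertificateAlias(c) == null) path.add(c);
        if (path.isEmpty()) return;           // server cert itself was imported: trusted directly
        PKIXParameters params = new PKIXParameters(trustStore);  // anchors = every trustedCertEntry
        params.setRevocationEnabled(false);                       // CRL/OCSP not relevant here
        CertPathValidator.getInstance("PKIX")
                .validate(CertificateFactory.getInstance("X.509").generateCertPath(path), params);
    }
}
```

If `vault.jks` contains no trusted certificate entry at all (for example only the client key pair), `new PKIXParameters(trustStore)` throws an InvalidAlgorithmParameterException before any validation runs, which already explains the Spring error.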