Spring-cloud-netflix: Zuul with ribbon routing unable to validate custom ssl certificates

Created on 10 Feb 2017 · 30 Comments · Source: spring-cloud/spring-cloud-netflix

In my application I want to look up a service by its service id, but my Zuul is not connecting with the Eureka service. Can anyone help me out?

  1. When I hit http://localhost:8761/, Zuul is not shown there.
  2. If I comment out the serviceId and enable the url, it runs as per requirement.

Here is my application.yml for Zuul:

```yaml
spring:
  application:
    name: ZUUL

server:
  port: 8090

ribbon:
  eureka:
    enabled: true

eureka:
  client:
    serviceUrl:
      defaultZone: http://localhost:8761/eureka/

zuul:
  routes:
    test:
      path: /**
      serviceId: main
#     url: http://localhost:9080
```

All 30 comments

@atiwari54 unfortunately, we don't have enough information to help you. Please be more descriptive when opening issues. Include versions, steps to reproduce and, possibly, a project that recreates the issue (not code pasted as comments).

Do you have @EnableDiscoveryClient? Do you have the eureka starter? Is zuul registered with eureka?

@spencergibb, yes, I have added @EnableDiscoveryClient in my Zuul app. No, Zuul is not getting registered with Eureka; all the other microservices are getting registered.

I am using

  1. Spring 4.2.2.RELEASE and spring-cloud-netflix 1.0.7.RELEASE for ZUUL
  2. Spring 4.2.2.RELEASE and spring-cloud-netflix 1.2.3.RELEASE for EUREKA and MAIN

@spencergibb, after certain changes Zuul got registered with Eureka, but now it is giving me

```
com.netflix.zuul.exception.ZuulException: Forwarding error
    at org.springframework.cloud.netflix.zuul.filters.route.RibbonRoutingFilter.forward(RibbonRoutingFilter.java:140)
    at org.springframework.cloud.netflix.zuul.filters.route.RibbonRoutingFilter.run(RibbonRoutingFilter.java:105)
    at com.netflix.zuul.ZuulFilter.runFilter(ZuulFilter.java:112)
    at com.netflix.zuul.FilterProcessor.processZuulFilter(FilterProcessor.java:197)
    at com.netflix.zuul.FilterProcessor.runFilters(FilterProcessor.java:161)
    at com.netflix.zuul.FilterProcessor.route(FilterProcessor.java:120)
    at com.netflix.zuul.ZuulRunner.route(ZuulRunner.java:84)
    at com.netflix.zuul.http.ZuulServlet.route(ZuulServlet.java:111)
    at com.netflix.zuul.http.ZuulServlet.service(ZuulServlet.java:77)
    at org.springframework.web.servlet.mvc.ServletWrappingController.handleRequestInternal(ServletWrappingController.java:158)
    at org.springframework.cloud.netflix.zuul.web.ZuulController.handleRequestInternal(ZuulController.java:43)
    at org.springframework.web.servlet.mvc.AbstractController.handleRequest(AbstractController.java:146)
    at org.springframework.web.servlet.mvc.SimpleControllerHandlerAdapter.handle(SimpleControllerHandlerAdapter.java:50)
    at org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherServlet.java:959)
    at org.springframework.web.servlet.DispatcherServlet.doService(DispatcherServlet.java:893)
    at org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:965)
    at org.springframework.web.servlet.FrameworkServlet.doGet(FrameworkServlet.java:856)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:622)
    at org.springframework.web.servlet.FrameworkServlet.service(FrameworkServlet.java:841)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:729)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:291)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
    at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:239)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
    at org.springframework.boot.actuate.autoconfigure.EndpointWebMvcAutoConfiguration$ApplicationContextHeaderFilter.doFilterInternal(EndpointWebMvcAutoConfiguration.java:300)
    at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:239)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
    at org.springframework.boot.actuate.trace.WebRequestTraceFilter.doFilterInternal(WebRequestTraceFilter.java:103)
    at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:239)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
    at org.springframework.web.filter.HiddenHttpMethodFilter.doFilterInternal(HiddenHttpMethodFilter.java:77)
    at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:239)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
    at org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:85)
    at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:239)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
    at org.springframework.boot.actuate.autoconfigure.MetricsFilter.doFilterInternal(MetricsFilter.java:77)
    at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:239)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:212)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:106)
    at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:502)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:141)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:79)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:88)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:521)
    at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1096)
    at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:674)
    at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1500)
    at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:1456)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
    at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
    at java.lang.Thread.run(Thread.java:745)
Caused by: com.netflix.hystrix.exception.HystrixRuntimeException: mainRibbonCommand failed and no fallback available.
    at com.netflix.hystrix.AbstractCommand$16.call(AbstractCommand.java:807)
    at com.netflix.hystrix.AbstractCommand$16.call(AbstractCommand.java:794)
    at rx.internal.operators.OperatorOnErrorResumeNextViaFunction$1.onError(OperatorOnErrorResumeNextViaFunction.java:77)
    at rx.internal.operators.OperatorDoOnEach$1.onError(OperatorDoOnEach.java:70)
    at rx.internal.operators.OperatorDoOnEach$1.onError(OperatorDoOnEach.java:70)
    at rx.internal.operators.OperatorDoOnEach$1.onError(OperatorDoOnEach.java:70)
    at com.netflix.hystrix.AbstractCommand$DeprecatedOnFallbackHookApplication$1.onError(AbstractCommand.java:1516)
    at com.netflix.hystrix.AbstractCommand$FallbackHookApplication$1.onError(AbstractCommand.java:1406)
    at com.netflix.hystrix.HystrixCommand$2.call(HystrixCommand.java:314)
    at com.netflix.hystrix.HystrixCommand$2.call(HystrixCommand.java:306)
    at rx.Observable$1.call(Observable.java:144)
    at rx.Observable$1.call(Observable.java:136)
    at rx.Observable$1.call(Observable.java:144)
    at rx.Observable$1.call(Observable.java:136)
    at rx.Observable$1.call(Observable.java:144)
    at rx.Observable$1.call(Observable.java:136)
    at rx.Observable$1.call(Observable.java:144)
    at rx.Observable$1.call(Observable.java:136)
    at rx.Observable$1.call(Observable.java:144)
    at rx.Observable$1.call(Observable.java:136)
    at rx.Observable$1.call(Observable.java:144)
    at rx.Observable$1.call(Observable.java:136)
    at rx.Observable$1.call(Observable.java:144)
    at rx.Observable$1.call(Observable.java:136)
    at rx.Observable$1.call(Observable.java:144)
    at rx.Observable$1.call(Observable.java:136)
    at rx.Observable$1.call(Observable.java:144)
    at rx.Observable$1.call(Observable.java:136)
    at rx.Observable$1.call(Observable.java:144)
    at rx.Observable$1.call(Observable.java:136)
    at rx.Observable.unsafeSubscribe(Observable.java:7531)
    at rx.internal.operators.OperatorOnErrorResumeNextViaFunction$1.onError(OperatorOnErrorResumeNextViaFunction.java:78)
    at rx.internal.operators.OperatorDoOnEach$1.onError(OperatorDoOnEach.java:70)
    at rx.internal.operators.OperatorDoOnEach$1.onError(OperatorDoOnEach.java:70)
    at com.netflix.hystrix.AbstractCommand$HystrixObservableTimeoutOperator$3.onError(AbstractCommand.java:1007)
    at rx.internal.operators.OperatorDoOnEach$1.onError(OperatorDoOnEach.java:70)
    at rx.internal.operators.OperatorDoOnEach$1.onError(OperatorDoOnEach.java:70)
    at com.netflix.hystrix.AbstractCommand$DeprecatedOnRunHookApplication$1.onError(AbstractCommand.java:1475)
    at com.netflix.hystrix.AbstractCommand$ExecutionHookApplication$1.onError(AbstractCommand.java:1371)
    at com.netflix.hystrix.HystrixCommand$1.call(HystrixCommand.java:297)
    at com.netflix.hystrix.HystrixCommand$1.call(HystrixCommand.java:289)
    at rx.Observable$1.call(Observable.java:144)
    at rx.Observable$1.call(Observable.java:136)
    at rx.Observable$1.call(Observable.java:144)
    at rx.Observable$1.call(Observable.java:136)
    at rx.Observable$1.call(Observable.java:144)
    at rx.Observable$1.call(Observable.java:136)
    at rx.Observable$1.call(Observable.java:144)
    at rx.Observable$1.call(Observable.java:136)
    at rx.Observable$1.call(Observable.java:144)
    at rx.Observable$1.call(Observable.java:136)
    at rx.Observable$1.call(Observable.java:144)
    at rx.Observable$1.call(Observable.java:136)
    at rx.Observable$1.call(Observable.java:144)
    at rx.Observable$1.call(Observable.java:136)
    at rx.Observable$1.call(Observable.java:144)
    at rx.Observable$1.call(Observable.java:136)
    at rx.Observable$1.call(Observable.java:144)
    at rx.Observable$1.call(Observable.java:136)
    at rx.Observable$1.call(Observable.java:144)
    at rx.Observable$1.call(Observable.java:136)
    at rx.Observable$1.call(Observable.java:144)
    at rx.Observable$1.call(Observable.java:136)
    at rx.Observable$1.call(Observable.java:144)
    at rx.Observable$1.call(Observable.java:136)
    at rx.Observable.unsafeSubscribe(Observable.java:7531)
    at com.netflix.hystrix.AbstractCommand$1.call(AbstractCommand.java:398)
    at com.netflix.hystrix.AbstractCommand$1.call(AbstractCommand.java:377)
    at rx.Observable$1.call(Observable.java:144)
    at rx.Observable$1.call(Observable.java:136)
    at rx.Observable$1.call(Observable.java:144)
    at rx.Observable$1.call(Observable.java:136)
    at rx.Observable$1.call(Observable.java:144)
    at rx.Observable$1.call(Observable.java:136)
    at rx.Observable.unsafeSubscribe(Observable.java:7531)
    at com.netflix.hystrix.AbstractCommand$ObservableCommand$1.call(AbstractCommand.java:1135)
    at com.netflix.hystrix.AbstractCommand$ObservableCommand$1.call(AbstractCommand.java:1131)
    at rx.Observable$1.call(Observable.java:144)
    at rx.Observable$1.call(Observable.java:136)
    at rx.Observable.subscribe(Observable.java:7621)
    at rx.internal.operators.BlockingOperatorToFuture.toFuture(BlockingOperatorToFuture.java:57)
    at rx.observables.BlockingObservable.toFuture(BlockingObservable.java:410)
    at com.netflix.hystrix.HystrixCommand.queue(HystrixCommand.java:379)
    at com.netflix.hystrix.HystrixCommand.execute(HystrixCommand.java:335)
    at org.springframework.cloud.netflix.zuul.filters.route.RibbonRoutingFilter.forward(RibbonRoutingFilter.java:125)
    ... 59 common frames omitted
Caused by: com.netflix.client.ClientException: Number of retries on next server exceeded max 1 retries, while making a call for: CSCINDAE752860.asiapac.globalcsc.net:9080
    at com.netflix.loadbalancer.reactive.LoadBalancerCommand$4.call(LoadBalancerCommand.java:350)
    at com.netflix.loadbalancer.reactive.LoadBalancerCommand$4.call(LoadBalancerCommand.java:345)
    at rx.internal.operators.OperatorOnErrorResumeNextViaFunction$1.onError(OperatorOnErrorResumeNextViaFunction.java:77)
    at rx.internal.operators.OperatorRetryWithPredicate$SourceSubscriber$1$1.onError(OperatorRetryWithPredicate.java:105)
    at rx.observers.SerializedObserver.onError(SerializedObserver.java:122)
    at rx.observers.SerializedSubscriber.onError(SerializedSubscriber.java:79)
    at rx.internal.operators.OperatorConcat$ConcatSubscriber.onError(OperatorConcat.java:148)
    at rx.internal.operators.OperatorConcat$ConcatInnerSubscriber.onError(OperatorConcat.java:218)
    at rx.observers.SerializedObserver.onError(SerializedObserver.java:122)
    at rx.observers.SerializedSubscriber.onError(SerializedSubscriber.java:79)
    at rx.internal.operators.OperatorConcat$ConcatSubscriber.onError(OperatorConcat.java:148)
    at rx.internal.operators.OperatorConcat$ConcatInnerSubscriber.onError(OperatorConcat.java:218)
    at rx.internal.operators.OperatorDoOnEach$1.onError(OperatorDoOnEach.java:70)
    at rx.Observable$ThrowObservable$1.call(Observable.java:9415)
    at rx.Observable$ThrowObservable$1.call(Observable.java:9405)
    at rx.Observable$1.call(Observable.java:144)
    at rx.Observable$1.call(Observable.java:136)
    at rx.Observable.unsafeSubscribe(Observable.java:7531)
    at rx.internal.operators.OperatorConcat$ConcatSubscriber.subscribeNext(OperatorConcat.java:177)
    at rx.internal.operators.OperatorConcat$ConcatSubscriber.onNext(OperatorConcat.java:142)
    at rx.internal.operators.OperatorConcat$ConcatSubscriber.onNext(OperatorConcat.java:78)
    at rx.internal.operators.OperatorMap$1.onNext(OperatorMap.java:55)
    at rx.internal.util.ScalarSynchronousObservable$1.call(ScalarSynchronousObservable.java:43)
    at rx.internal.util.ScalarSynchronousObservable$1.call(ScalarSynchronousObservable.java:32)
    at rx.Observable$1.call(Observable.java:144)
    at rx.Observable$1.call(Observable.java:136)
    at rx.Observable$1.call(Observable.java:144)
    at rx.Observable$1.call(Observable.java:136)
    at rx.Observable.unsafeSubscribe(Observable.java:7531)
    at rx.internal.operators.OperatorConcat$ConcatSubscriber.subscribeNext(OperatorConcat.java:177)
    at rx.internal.operators.OperatorConcat$ConcatSubscriber.onNext(OperatorConcat.java:142)
    at rx.internal.operators.OperatorConcat$ConcatSubscriber.onNext(OperatorConcat.java:78)
    at rx.internal.operators.OperatorMap$1.onNext(OperatorMap.java:55)
    at com.netflix.loadbalancer.reactive.LoadBalancerCommand$1.call(LoadBalancerCommand.java:185)
    at com.netflix.loadbalancer.reactive.LoadBalancerCommand$1.call(LoadBalancerCommand.java:180)
    at rx.Observable$1.call(Observable.java:144)
    at rx.Observable$1.call(Observable.java:136)
    at rx.Observable$1.call(Observable.java:144)
    at rx.Observable$1.call(Observable.java:136)
    at rx.Observable.unsafeSubscribe(Observable.java:7531)
    at rx.internal.operators.OperatorRetryWithPredicate$SourceSubscriber$1.call(OperatorRetryWithPredicate.java:120)
    at rx.schedulers.TrampolineScheduler$InnerCurrentThreadScheduler.enqueue(TrampolineScheduler.java:80)
    at rx.schedulers.TrampolineScheduler$InnerCurrentThreadScheduler.schedule(TrampolineScheduler.java:59)
    at rx.internal.operators.OperatorRetryWithPredicate$SourceSubscriber.onNext(OperatorRetryWithPredicate.java:77)
    at rx.internal.operators.OperatorRetryWithPredicate$SourceSubscriber.onNext(OperatorRetryWithPredicate.java:45)
    at rx.internal.util.ScalarSynchronousObservable$1.call(ScalarSynchronousObservable.java:43)
    at rx.internal.util.ScalarSynchronousObservable$1.call(ScalarSynchronousObservable.java:32)
    at rx.Observable$1.call(Observable.java:144)
    at rx.Observable$1.call(Observable.java:136)
    at rx.Observable$1.call(Observable.java:144)
    at rx.Observable$1.call(Observable.java:136)
    at rx.Observable$1.call(Observable.java:144)
    at rx.Observable$1.call(Observable.java:136)
    at rx.Observable.subscribe(Observable.java:7621)
    at rx.observables.BlockingObservable.blockForSingle(BlockingObservable.java:442)
    at rx.observables.BlockingObservable.single(BlockingObservable.java:341)
    at com.netflix.client.AbstractLoadBalancerAwareClient.executeWithLoadBalancer(AbstractLoadBalancerAwareClient.java:102)
    at com.netflix.client.AbstractLoadBalancerAwareClient.executeWithLoadBalancer(AbstractLoadBalancerAwareClient.java:81)
    at org.springframework.cloud.netflix.zuul.filters.route.RibbonCommand.forward(RibbonCommand.java:132)
    at org.springframework.cloud.netflix.zuul.filters.route.RibbonCommand.run(RibbonCommand.java:106)
    at org.springframework.cloud.netflix.zuul.filters.route.RibbonCommand.run(RibbonCommand.java:1)
    at com.netflix.hystrix.HystrixCommand$1.call(HystrixCommand.java:294)
    ... 104 common frames omitted
Caused by: com.sun.jersey.api.client.ClientHandlerException: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at com.sun.jersey.client.apache4.ApacheHttpClient4Handler.handle(ApacheHttpClient4Handler.java:184)
    at com.sun.jersey.api.client.Client.handle(Client.java:648)
    at com.sun.jersey.api.client.WebResource.handle(WebResource.java:680)
    at com.sun.jersey.api.client.WebResource.access$200(WebResource.java:74)
    at com.sun.jersey.api.client.WebResource$Builder.get(WebResource.java:507)
    at com.netflix.niws.client.http.RestClient.execute(RestClient.java:618)
    at com.netflix.niws.client.http.RestClient.execute(RestClient.java:527)
    at com.netflix.niws.client.http.RestClient.execute(RestClient.java:92)
    at com.netflix.client.AbstractLoadBalancerAwareClient$1.call(AbstractLoadBalancerAwareClient.java:109)
    at com.netflix.loadbalancer.reactive.LoadBalancerCommand$3$1.call(LoadBalancerCommand.java:303)
    at com.netflix.loadbalancer.reactive.LoadBalancerCommand$3$1.call(LoadBalancerCommand.java:287)
    ... 145 common frames omitted
Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
    at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1949)
    at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:302)
    at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:296)
    at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1509)
    at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:216)
    at sun.security.ssl.Handshaker.processLoop(Handshaker.java:979)
    at sun.security.ssl.Handshaker.process_record(Handshaker.java:914)
    at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1062)
    at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1375)
    at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1403)
    at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1387)
    at org.apache.http.conn.ssl.SSLSocketFactory.connectSocket(SSLSocketFactory.java:535)
    at org.apache.http.conn.ssl.SSLSocketFactory.connectSocket(SSLSocketFactory.java:403)
    at org.apache.http.impl.conn.DefaultClientConnectionOperator.openConnection(DefaultClientConnectionOperator.java:177)
    at org.apache.http.impl.conn.AbstractPoolEntry.open(AbstractPoolEntry.java:144)
    at org.apache.http.impl.conn.AbstractPooledConnAdapter.open(AbstractPooledConnAdapter.java:131)
    at org.apache.http.impl.client.DefaultRequestDirector.tryConnect(DefaultRequestDirector.java:611)
    at org.apache.http.impl.client.DefaultRequestDirector.execute(DefaultRequestDirector.java:446)
    at org.apache.http.impl.client.AbstractHttpClient.doExecute(AbstractHttpClient.java:863)
    at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:115)
    at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:57)
    at com.sun.jersey.client.apache4.ApacheHttpClient4Handler.handle(ApacheHttpClient4Handler.java:170)
    ... 155 common frames omitted
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:387)
    at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:292)
    at sun.security.validator.Validator.validate(Validator.java:260)
    at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324)
    at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:229)
    at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:124)
    at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1491)
    ... 173 common frames omitted
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141)
    at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126)
    at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280)
    at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:382)
    ... 179 common frames omitted
```

Looks like the service Zuul is connecting to is using a certificate that is not trusted:

Caused by: com.sun.jersey.api.client.ClientHandlerException: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

@ryanjbaxter, it's a self-signed certificate, and if I use "URL" instead of "serviceId" it works fine

Using URL instead of serviceId takes two different code paths as you might imagine. The HTTP Client used will be configured differently. Do you have zuul.sslHostnameValidationEnabled=false in your properties? Actually could you post your application.properties (or yaml)?

@ryanjbaxter, @spencergibb
please find my source code here:
https://github.com/atiwari54/netflix

In ZUUL's application.yml, when you comment out serviceId and enable url it will run.

Your projects are using an extremely old version of Spring Cloud Netflix. I suggest you try the latest Camden release, SR5, and leverage the Spring Cloud BOM in your POM files and try again.

@ryanjbaxter I have updated the code and checked it in, but I'm still facing the same certificate issue with serviceId; for URL it's working.

What have you done to make the certificate trusted?

@spencergibb I used the following command:

```shell
keytool -genkey -alias tomcat -storetype PKCS12 -keyalg RSA -keysize 2048 -keystore keystore.p12 -ext SAN=DNS:localhost,IP:127.0.0.1 -validity 9999
```

And did you install that anywhere? Using it for SSL with Boot won't make it available to Java libraries.

@spencergibb No, I didn't install it because I'm using Java 8, so it's not required to import it with keytool. Even if you comment out the serviceId and enable the url in ZUUL it will work.

So the reason it works when using a url and doesn't when using a serviceId is because we essentially configure the SSL TrustManager to accept all certs in SimpleHostRoutingFilter, which handles routing URLs. (I am curious as to what setting zuul.sslHostnameValidationEnabled=false actually does, since we aren't really validating the certificates anyway in SimpleHostRoutingFilter.)

When you specify a serviceId we will use RibbonLoadBalancingHttpClient (by default) which does not configure any kind of TrustManager so certificates will be validated. If the cert is not trusted by the JVM then it will throw an exception.

IMO I think that we should actually be validating certs by default in SimpleHostRoutingFilter as well instead of not validating them. And then have a flag to disable it if need be that works regardless of how the request is being proxied.

With Zuul & Ribbon you can define your own Apache HttpClient with the options you want.

@spencergibb and @ryanjbaxter so now what do I have to do?

  1. Should I import the certificate in jvm?
  2. Or I have to setup my http client?

Either approach works

@spencergibb can you please give me some help with the second approach: how can I create my http client?

@atiwari54 have you tried to create a @Bean of HttpClient?

@spencergibb I added the following code, in the following order:

  1. First in ZUUL, but I still get the same error
  2. Removed from ZUUL and added in Eureka, but the result is the same
  3. In both ZUUL and EUREKA, but the result is the same

Is there any issue in the code?

```java
// Fragment of a @Configuration class. The two fields and the imports were missing from
// the posted snippet and are added here; the property names are placeholders.
import java.io.InputStream;
import java.security.KeyStore;

import javax.net.ssl.SSLContext;

import org.apache.http.client.HttpClient;
import org.apache.http.conn.ssl.SSLConnectionSocketFactory;
import org.apache.http.conn.ssl.TrustSelfSignedStrategy;
import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.impl.client.HttpClients;
import org.apache.http.ssl.SSLContexts; // org.apache.http.conn.ssl.SSLContexts on HttpClient 4.3
import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
import org.springframework.core.io.Resource;

@Value("${truststore.location}")
private Resource resource;

@Value("${truststore.password}")
private String keyStorePassword;

@Bean
public HttpClient httpClient() throws Exception {
    // KeyStore.getDefaultType() is "jks" on Java 8; pass "PKCS12" explicitly if the
    // resource is the keystore.p12 generated by the keytool command above.
    final KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
    if (!resource.exists()) {
        throw new RuntimeException("Cannot find resource: " + resource.getFilename());
    }
    // try-with-resources replaces the manual null check and finally/close
    try (InputStream inputStream = resource.getInputStream()) {
        trustStore.load(inputStream, keyStorePassword.toCharArray());
    }

    // TrustSelfSignedStrategy accepts ANY self-signed certificate, not only those in trustStore
    SSLContext sslcontext = SSLContexts.custom()
            .loadTrustMaterial(trustStore, new TrustSelfSignedStrategy())
            .build();
    // ALLOW_ALL_HOSTNAME_VERIFIER switches hostname checking off; getDefaultHostnameVerifier() keeps it on
    SSLConnectionSocketFactory sslsf = new SSLConnectionSocketFactory(sslcontext,
            new String[] {"TLSv1"}, null,
            SSLConnectionSocketFactory.ALLOW_ALL_HOSTNAME_VERIFIER);
    CloseableHttpClient httpClient = HttpClients.custom().setSSLSocketFactory(sslsf).build();
    return httpClient;
}
```

@atiwari54 a little bit of confusion here on what you need to do.

If you create a bean that extends RibbonLoadBalancingHttpClient (or OkHttpLoadBalancingClient depending on what Http Client you want to use) and then override the createDelegate method to customize the HttpClient you should be able to tell the client to not validate the certificate.
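Worked example of the two points above (accept-all trust on the URL code path versus JVM validation on the Ribbon code path, and the createDelegate override): a RibbonLoadBalancingHttpClient subclass whose delegate trusts only a dedicated truststore holding the self-signed certificate from the keytool command in this thread, with hostname verification left on. This is added example code, not from the issue or from Spring Cloud Netflix; the constructor and createDelegate signatures are those of the 1.2/1.3 line, the truststore file names and the gateway.truststore system property names are assumptions, and registering the bean in the Ribbon client configuration for the route's serviceId is left out.

```java
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.GeneralSecurityException;
import java.security.KeyStore;

import javax.net.ssl.SSLContext;

import org.apache.http.conn.ssl.SSLConnectionSocketFactory;
import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.impl.client.HttpClients;
import org.apache.http.ssl.SSLContexts;

import com.netflix.client.config.IClientConfig;
import org.springframework.cloud.netflix.ribbon.ServerIntrospector;
import org.springframework.cloud.netflix.ribbon.apache.RibbonLoadBalancingHttpClient;

/**
 * Ribbon HTTP client that trusts exactly one truststore and still verifies hostnames.
 *
 * Build the truststore once from the keystore.p12 generated in the thread (assumed file names):
 *   keytool -exportcert -alias tomcat -keystore keystore.p12 -storetype PKCS12 -rfc -file tomcat.pem
 *   keytool -importcert -noprompt -alias tomcat -file tomcat.pem \
 *           -keystore truststore.p12 -storetype PKCS12 -storepass changeit
 * The cert carries SAN=DNS:localhost,IP:127.0.0.1, so the default hostname verifier accepts
 * it for https://localhost and https://127.0.0.1 and rejects it for any other host name.
 */
public class PinnedTrustRibbonClient extends RibbonLoadBalancingHttpClient {

    // Static rather than instance fields: in the 1.2/1.3 line the superclass constructor
    // calls createDelegate(config) (assumption; check your version), so instance fields
    // assigned after super(...) would still be null when createDelegate runs.
    private static final Path TRUST_STORE = Paths.get(
            System.getProperty("gateway.truststore", "truststore.p12"));       // assumed property
    private static final char[] TRUST_STORE_PASSWORD =
            System.getProperty("gateway.truststore.password", "changeit").toCharArray();

    public PinnedTrustRibbonClient(IClientConfig config, ServerIntrospector serverIntrospector) {
        super(config, serverIntrospector);  // constructor as in spring-cloud-netflix 1.2.x/1.3.x
    }

    @Override
    protected CloseableHttpClient createDelegate(IClientConfig config) {
        try {
            return pinnedTrustHttpClient(TRUST_STORE, TRUST_STORE_PASSWORD);
        } catch (IOException | GeneralSecurityException e) {
            // Fail closed: a gateway that cannot load its trust anchors must not fall
            // back to the JVM default or to trusting everything.
            throw new IllegalStateException("cannot build pinned-trust HTTP client", e);
        }
    }

    /** Plain Apache HttpClient 4.4+; usable outside Ribbon as well. */
    public static CloseableHttpClient pinnedTrustHttpClient(Path trustStorePath, char[] password)
            throws IOException, GeneralSecurityException {
        KeyStore trustStore = KeyStore.getInstance("PKCS12");
        try (InputStream in = Files.newInputStream(trustStorePath)) {
            trustStore.load(in, password);
        }
        // TrustStrategy null: only certificates in trustStore are trusted, unlike
        // TrustSelfSignedStrategy, which accepts ANY self-signed certificate.
        SSLContext sslContext = SSLContexts.custom()
                .loadTrustMaterial(trustStore, null)
                .build();
        SSLConnectionSocketFactory socketFactory = new SSLConnectionSocketFactory(
                sslContext,
                new String[] {"TLSv1.2"},   // not the TLSv1-only pin from the posted bean
                null,                       // JVM default cipher suites
                SSLConnectionSocketFactory.getDefaultHostnameVerifier()); // not ALLOW_ALL
        return HttpClients.custom().setSSLSocketFactory(socketFactory).build();
    }
}
```

With this delegate the PKIX error in the trace above goes away only for the certificate actually imported into truststore.p12; any other self-signed certificate, or the right certificate presented for a hostname outside its SAN, still fails the handshake, which is the behaviour zuul.sslHostnameValidationEnabled=false and TrustSelfSignedStrategy give up.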

@atiwari54 yup, my bad. What I was thinking of was the feign http client.

@atiwari54 Hello! Recently I have been working on using a self-signed cert without importing it into the JVM. Can I rephrase your question as: when you run Zuul, you can't see it in the Eureka Server, but you still want Zuul to forward your request, and then you get the exception?
If that's your question, I can say it's caused by Zuul not being able to get the other Eureka clients' information, which is caused by your Zuul rejecting the HTTPS connection due to the self-signed cert.
All Eureka clients (including Zuul) use a DiscoveryClient which only uses the default Apache HTTP client. To replace this client, you must supply a DiscoveryClient.DiscoveryClientOptionalArgs bean which has a custom EurekaJerseyClient.
I asked a question and posted the answer myself here: http://stackoverflow.com/questions/42289196/how-to-override-spring-cloud-eureka-default-discovery-client-default-ssl-context
My method is not elegant, but it does work for me. Hope it helps you!

@ryanjbaxter will it come with 1.3.0RC1 or 1.3.0RC2?

@AereXu I can see ZUUL in my Eureka, but my request is not forwarded to my ux app, and I get
com.netflix.zuul.exception.ZuulException: Forwarding error followed by
com.netflix.client.ClientException: Load balancer does not have available server for client: UX

@atiwari54 it is marked as an enhancement. It did not make it into 1.3.0.RC1 as that was released already this week. It might make it into the next release, it depends on timing and demand for the change.

Hey,
zuul.sslHostnameValidationEnabled=false worked for us when we had custom SSL certificates and noticed that the Zuul call was failing during the SSL handshake. Thank you

@ryanjbaxter did #2026 fix this?

Yes it should, I will close it.
