cloudfoundry / java-buildpack

Cloud Foundry buildpack for running Java applications
Apache License 2.0

Client Certificate (p12 format) Not used by Container Security Provider #844

Closed danielstahr closed 3 years ago

danielstahr commented 3 years ago

Hi, I have a Java Spring Boot application that needs to call a REST API with SSL client authentication (self-signed). I have a custom truststore / keystore that I add manually to the SSLContextBuilder. This works fine outside of Cloud Foundry. When I deploy on cf I get an "unknown_ca" exception. I enabled debug logging and found out that my client certificate is not used. On cf I get this log:

```
Produced client Certificate message (
2020-12-15T18:34:00.668+01:00 [APP/PROC/WEB/0] [ERR] "Certificate": {
2020-12-15T18:34:00.668+01:00 [APP/PROC/WEB/0] [ERR]   "certificate_request_context": "",
2020-12-15T18:34:00.668+01:00 [APP/PROC/WEB/0] [ERR]   "certificate_list": [
2020-12-15T18:34:00.668+01:00 [APP/PROC/WEB/0] [ERR]   {
2020-12-15T18:34:00.668+01:00 [APP/PROC/WEB/0] [ERR]     "certificate" : {
2020-12-15T18:34:00.668+01:00 [APP/PROC/WEB/0] [ERR]       "version"            : "v3",
2020-12-15T18:34:00.668+01:00 [APP/PROC/WEB/0] [ERR]       "serial number"      : "...",
2020-12-15T18:34:00.668+01:00 [APP/PROC/WEB/0] [ERR]       "signature algorithm": "SHA256withRSA",
2020-12-15T18:34:00.668+01:00 [APP/PROC/WEB/0] [ERR]       "issuer"             : "CN=Diego Instance Identity Intermediate CA",
2020-12-15T18:34:00.668+01:00 [APP/PROC/WEB/0] [ERR]       "not before"         : "2020-12-15 17:33:02.000 UTC",
2020-12-15T18:34:00.668+01:00 [APP/PROC/WEB/0] [ERR]       "not after"          : "2020-12-16 17:33:02.000 UTC",
2020-12-15T18:34:00.668+01:00 [APP/PROC/WEB/0] [ERR]       "subject"            : "CN=098e8158-f702-4084-5075-4c15, OU=organization:eb934609-7e20-4944-ab20-9b08a02bbf6e ...
```

P.S.: I also tried to add the trust & keystore via Java system properties: -Djavax.net.ssl.trustStore ... Same behavior.

The problem only occurs with p12 files. When I convert to a JKS keystore it works fine.

Regards,

Daniel

dmikusa commented 3 years ago

Sorry for the delayed response. Given the information here, I don't have an answer for you. The JVM should be able to read both JKS & P12 keystore files, so I don't see why that would necessarily matter, but clearly it is causing an issue somewhere.

What I can tell you:

  1. The container security provider is looking at the system-provided certificates and the instance id certs. These are /etc/ssl/certs/ca-certificates.crt and the paths represented by $CF_INSTANCE_CERT and $CF_INSTANCE_KEY. You can't add stuff to these paths from inside the container, but if you could, the expected format would be PEM encoded. I only mention this because I don't think the CSP is what you want here; it's not meant to be used by app devs to add arbitrary certificates. You add arbitrary certs to it through BOSH trusted certs.

  2. When it's not working for you, the cert has "issuer" : "CN=Diego Instance Identity Intermediate CA" and "subject" : "CN=098e8158-f702-4084-5075-4c15, which is the default container instance id key. That leads me to believe that your customization isn't being applied for some reason. If you configure the SSLContextBuilder to use a particular client cert/key, it should override the default behavior that is supplied by the CSP.

  3. If you want to disable the CSP's default behavior for keys, you can disable the key manager. That will no longer send the instance id key with requests by default. See here for how you'd disable this: https://github.com/cloudfoundry/java-buildpack/blob/main/docs/framework-container_security_provider.md#configuration. I suspect that if you do this, the request will go out with no cert, but I don't have a lot of detail here, so you may want to give this a try and see what happens.

Hope that helps!
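A way to check point 2 above before the request is ever made: build the SSLContext from an explicit PKCS12 keystore and truststore, then ask the resulting X509KeyManager which certificate it would actually present in the client Certificate message. If the issuer it reports is the Diego instance identity CA from the log, the keystore customization is not the source of the identity; if it reports nothing, the p12 has no usable private-key entry. This is an added example written for this thread, not code from the issue or from java-buildpack; the class name `ClientIdentityCheck`, the helper names and the command-line arguments are assumptions, and the issuer string is taken from the log quoted in the issue.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.net.Socket;
import java.security.KeyStore;
import java.security.Principal;
import java.security.cert.X509Certificate;
import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509KeyManager;

/**
 * Example (not java-buildpack code): builds an SSLContext from an explicit PKCS12
 * keystore/truststore and reports which client certificate the key manager would
 * present, so a mis-applied customization is caught before the handshake fails
 * with unknown_ca.
 */
public class ClientIdentityCheck {

    // Issuer of the container instance-identity certificate quoted in the issue's log.
    static final String CSP_ISSUER = "CN=Diego Instance Identity Intermediate CA";

    // Load by explicit type: KeyStore.getDefaultType() is "jks" on JDK 8 and "pkcs12" on
    // JDK 9+, so naming the type removes one way a .p12 file can be mis-read.
    static KeyStore loadStore(String path, char[] password, String type) throws Exception {
        KeyStore ks = KeyStore.getInstance(type);
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        return ks;
    }

    static KeyManager[] keyManagers(KeyStore keyStore, char[] keyPassword) throws Exception {
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(keyStore, keyPassword);
        return kmf.getKeyManagers();
    }

    static SSLContext buildContext(KeyManager[] kms, KeyStore trustStore) throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        SSLContext ctx = SSLContext.getInstance("TLS");
        // Passing our own managers here is what overrides whatever defaults the platform installed.
        ctx.init(kms, tmf.getTrustManagers(), null);
        return ctx;
    }

    /** Leaf certificate the key managers would send in a client Certificate message, or null if none. */
    static X509Certificate selectedClientCert(KeyManager[] kms) {
        for (KeyManager km : kms) {
            if (!(km instanceof X509KeyManager)) continue;
            X509KeyManager x = (X509KeyManager) km;
            // Same selection the JSSE client performs on CertificateRequest, with no issuer filter.
            String alias = x.chooseClientAlias(new String[] {"RSA", "EC"}, (Principal[]) null, (Socket) null);
            if (alias == null) continue;
            X509Certificate[] chain = x.getCertificateChain(alias);
            if (chain != null && chain.length > 0) return chain[0];
        }
        return null;
    }

    /** True when the identity that would be presented is the platform's instance-identity cert. */
    static boolean isCspDefaultIdentity(X509Certificate cert) {
        return cert != null && CSP_ISSUER.equals(cert.getIssuerX500Principal().getName());
    }

    // Usage (assumed arguments): java ClientIdentityCheck client.p12 <p12-password> truststore.p12 <truststore-password>
    public static void main(String[] args) throws Exception {
        char[] keyPassword = args[1].toCharArray();
        KeyStore keyStore = loadStore(args[0], keyPassword, "PKCS12");
        KeyStore trustStore = loadStore(args[2], args[3].toCharArray(), "PKCS12");

        KeyManager[] kms = keyManagers(keyStore, keyPassword);
        X509Certificate cert = selectedClientCert(kms);

        if (cert == null) {
            System.err.println("No usable private-key entry in " + args[0] + ": no client cert would be sent");
            System.exit(1);
        }
        System.out.println("Client cert subject: " + cert.getSubjectX500Principal().getName());
        System.out.println("Client cert issuer:  " + cert.getIssuerX500Principal().getName());
        if (isCspDefaultIdentity(cert)) {
            System.err.println("Selected the Diego instance-identity cert: the PKCS12 keystore was not applied");
            System.exit(2);
        }

        SSLContext ctx = buildContext(kms, trustStore);
        // Hand ctx to HttpsURLConnection.setSSLSocketFactory(ctx.getSocketFactory()) or to the HTTP client in use.
        System.out.println("SSLContext built with protocol " + ctx.getProtocol());
    }
}
```

Two practical notes on the variants mentioned in the thread. If you go the system-property route instead, JDK 8 defaults `javax.net.ssl.keyStoreType` to `jks`, so a .p12 passed via `-Djavax.net.ssl.keyStore` also needs `-Djavax.net.ssl.keyStoreType=PKCS12` there (JDK 9 and later default to `pkcs12` and read both formats). And if you disable the CSP key manager as in point 3, the check above still applies: a null result from `selectedClientCert` is exactly the "request goes out with no cert" outcome described.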