spring-cloud / spring-cloud-config

External configuration (server and client) for Spring Cloud
Apache License 2.0

decrypt issue during spring.cloud.config.server.bootstrap #2265

Closed zackfei closed 11 months ago

zackfei commented 1 year ago

Describe the bug

Migrated from Spring Boot 2.7.x / Spring Cloud 2021.0.6 to Spring Boot 3.0.6 / Spring Cloud 2022.0.2.

With spring.cloud.config.server.bootstrap set to true, the config server no longer decrypts the entries inside the search-locations when configuring itself. It works fine when I change it to plain text.

P.S. It worked fine with Spring Boot 2.7.x.

bootstrap.yml

spring:
  application:
    name: configserver
  profiles:
    active: dev
    default: dev
    include: composite
  cloud:
    config:
      server: ## ConfigServerAutoConfiguration ##
        bootstrap: true
        composite:
          - type: native
            search-locations: 
            - file:/app/config/centralconfig/conf

encrypt:
  key-store:
    location: classpath:/encrypt/encrypt.pkcs12
    password: xxxxxx
    alias: encrypt-dev
    type: pkcs12

configserver-dev.yml

spring:
  security:
    user:
      name: admin
      # admin
      password: '{cipher}{key:encrypt-dev}AQCMdfP7wlVsVq43iJxdqnPiFyBAzpdPyXd7emIppONCqs6ilazJ8ttZLkmR7x26hAhAIxizFSy3+uYwNjakrm3o4M1MGmKEYJcMbdJKXNOKftIf15qcB0CwokXl2pSPeYq23aUwryBld6wKuBWjVg8mQ+8InYxJUVMTVbrOxg+yK/PCjCcf/j8g3g7PtTARaRo2Wz9lnojRZNFs7aHXDdyzUH6USrxFZ7l4kb6eficyhMyv+he7l8LOCckSQIBdEHsoeUnLCfAfSAm2xbbU47H8fSK5058MxJWRuSDSMaoh2O/+UcKUs38WPbofTQGudaxsn0i8xJAvMuTViEZBy+sxIl0raIYdzTcb9Ywy3DTmK5Hj6YGj4k1qiv14MQbHNsk='
      roles: USER, ADMIN

ryanjbaxter commented 1 year ago

Are you saying it's not able to decrypt the search-locations property or the property files within the search-locations?

zackfei commented 1 year ago

> Are you saying it's not able to decrypt the search-locations property or the property files within the search-locations?

It is not able to decrypt entries inside property files within search-locations. For example, configserver-dev.yml above is one of the files inside search-locations. I am not sure whether the decryption process was not triggered, or whether it was triggered but was not able to decrypt while bootstrapping the config server itself. Anyway, spring.security.user.password inside configserver-dev.yml was not correct when I tried to call the config server API with the configured Spring Security username and password. The stack trace below shows it, meaning Spring Security is using the unencrypted password to configure the default user:

java.lang.IllegalArgumentException: There is no PasswordEncoder mapped for the id "key:encrypt-dev"
        at org.springframework.security.crypto.password.DelegatingPasswordEncoder$UnmappedIdPasswordEncoder.matches(DelegatingPasswordEncoder.java:289) ~[spring-security-crypto-6.0.3.jar:6.0.3]
        at org.springframework.security.crypto.password.DelegatingPasswordEncoder.matches(DelegatingPasswordEncoder.java:237) ~[spring-security-crypto-6.0.3.jar:6.0.3]
        at org.springframework.security.authentication.dao.DaoAuthenticationProvider.additionalAuthenticationChecks(DaoAuthenticationProvider.java:86) ~[spring-security-core-6.0.3.jar:6.0.3]
        at org.springframework.security.authentication.dao.AbstractUserDetailsAuthenticationProvider.authenticate(AbstractUserDetailsAuthenticationProvider.java:147) ~[spring-security-core-6.0.3.jar:6.0.3]
        at org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:182) ~[spring-security-core-6.0.3.jar:6.0.3]
        at org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:201) ~[spring-security-core-6.0.3.jar:6.0.3]
        at org.springframework.security.authentication.ObservationAuthenticationManager.lambda$authenticate$1(ObservationAuthenticationManager.java:53) ~[spring-security-core-6.0.3.jar:6.0.3]
        at io.micrometer.observation.Observation.observe(Observation.java:562) ~[micrometer-observation-1.10.6.jar:1.10.6]
        at org.springframework.security.authentication.ObservationAuthenticationManager.authenticate(ObservationAuthenticationManager.java:52) ~[spring-security-core-6.0.3.jar:6.0.3]
        at org.springframework.security.web.authentication.www.BasicAuthenticationFilter.doFilterInternal(BasicAuthenticationFilter.java:176) ~[spring-security-web-6.0.3.jar:6.0.3]
        at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:116) ~[spring-web-6.0.8.jar:6.0.8]
        at org.springframework.security.web.ObservationFilterChainDecorator$ObservationFilter.wrapFilter(ObservationFilterChainDecorator.java:185) ~[spring-security-web-6.0.3.jar:6.0.3]
        at org.springframework.security.web.ObservationFilterChainDecorator$ObservationFilter.doFilter(ObservationFilterChainDecorator.java:172) ~[spring-security-web-6.0.3.jar:6.0.3]
        at org.springframework.security.web.ObservationFilterChainDecorator$VirtualFilterChain.doFilter(ObservationFilterChainDecorator.java:133) ~[spring-security-web-6.0.3.jar:6.0.3]
        at org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:107) ~[spring-security-web-6.0.3.jar:6.0.3]
        at org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:93) ~[spring-security-web-6.0.3.jar:6.0.3]
        at org.springframework.security.web.ObservationFilterChainDecorator$ObservationFilter.wrapFilter(ObservationFilterChainDecorator.java:185) ~[spring-security-web-6.0.3.jar:6.0.3]
        at org.springframework.security.web.ObservationFilterChainDecorator$ObservationFilter.doFilter(ObservationFilterChainDecorator.java:172) ~[spring-security-web-6.0.3.jar:6.0.3]
        at org.springframework.security.web.ObservationFilterChainDecorator$VirtualFilterChain.doFilter(ObservationFilterChainDecorator.java:133) ~[spring-security-web-6.0.3.jar:6.0.3]
        at org.springframework.security.web.header.HeaderWriterFilter.doHeadersAfter(HeaderWriterFilter.java:90) ~[spring-security-web-6.0.3.jar:6.0.3]
        at org.springframework.security.web.header.HeaderWriterFilter.doFilterInternal(HeaderWriterFilter.java:75) ~[spring-security-web-6.0.3.jar:6.0.3]
        at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:116) ~[spring-web-6.0.8.jar:6.0.8]
        at org.springframework.security.web.ObservationFilterChainDecorator$ObservationFilter.wrapFilter(ObservationFilterChainDecorator.java:185) ~[spring-security-web-6.0.3.jar:6.0.3]
        at org.springframework.security.web.ObservationFilterChainDecorator$ObservationFilter.doFilter(ObservationFilterChainDecorator.java:172) ~[spring-security-web-6.0.3.jar:6.0.3]
        at org.springframework.security.web.ObservationFilterChainDecorator$VirtualFilterChain.doFilter(ObservationFilterChainDecorator.java:133) ~[spring-security-web-6.0.3.jar:6.0.3]
        at org.springframework.security.web.context.SecurityContextHolderFilter.doFilter(SecurityContextHolderFilter.java:82) ~[spring-security-web-6.0.3.jar:6.0.3]
        at org.springframework.security.web.context.SecurityContextHolderFilter.doFilter(SecurityContextHolderFilter.java:69) ~[spring-security-web-6.0.3.jar:6.0.3]
        at org.springframework.security.web.ObservationFilterChainDecorator$ObservationFilter.wrapFilter(ObservationFilterChainDecorator.java:185) ~[spring-security-web-6.0.3.jar:6.0.3]
        at org.springframework.security.web.ObservationFilterChainDecorator$ObservationFilter.doFilter(ObservationFilterChainDecorator.java:172) ~[spring-security-web-6.0.3.jar:6.0.3]
        at org.springframework.security.web.ObservationFilterChainDecorator$VirtualFilterChain.doFilter(ObservationFilterChainDecorator.java:133) ~[spring-security-web-6.0.3.jar:6.0.3]
        at org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter.doFilterInternal(WebAsyncManagerIntegrationFilter.java:62) ~[spring-security-web-6.0.3.jar:6.0.3]
        at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:116) ~[spring-web-6.0.8.jar:6.0.8]
        at org.springframework.security.web.ObservationFilterChainDecorator$ObservationFilter.wrapFilter(ObservationFilterChainDecorator.java:185) ~[spring-security-web-6.0.3.jar:6.0.3]
        at org.springframework.security.web.ObservationFilterChainDecorator$ObservationFilter.doFilter(ObservationFilterChainDecorator.java:172) ~[spring-security-web-6.0.3.jar:6.0.3]
        at org.springframework.security.web.ObservationFilterChainDecorator$VirtualFilterChain.doFilter(ObservationFilterChainDecorator.java:133) ~[spring-security-web-6.0.3.jar:6.0.3]
        at org.springframework.security.web.session.DisableEncodeUrlFilter.doFilterInternal(DisableEncodeUrlFilter.java:42) ~[spring-security-web-6.0.3.jar:6.0.3]
        at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:116) ~[spring-web-6.0.8.jar:6.0.8]
        at org.springframework.security.web.ObservationFilterChainDecorator$ObservationFilter.wrapFilter(ObservationFilterChainDecorator.java:185) ~[spring-security-web-6.0.3.jar:6.0.3]
        at org.springframework.security.web.ObservationFilterChainDecorator$AroundFilterObservation$SimpleAroundFilterObservation.lambda$wrap$0(ObservationFilterChainDecorator.java:268) ~[spring-security-web-6.0.3.jar:6.0.3]
        at org.springframework.security.web.ObservationFilterChainDecorator$ObservationFilter.doFilter(ObservationFilterChainDecorator.java:169) ~[spring-security-web-6.0.3.jar:6.0.3]
        at org.springframework.security.web.ObservationFilterChainDecorator$VirtualFilterChain.doFilter(ObservationFilterChainDecorator.java:133) ~[spring-security-web-6.0.3.jar:6.0.3]
        at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:233) ~[spring-security-web-6.0.3.jar:6.0.3]
        at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:191) ~[spring-security-web-6.0.3.jar:6.0.3]
        at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:352) ~[spring-web-6.0.8.jar:6.0.8]
        at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:268) ~[spring-web-6.0.8.jar:6.0.8]
        at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:67) ~[undertow-servlet-2.3.5.Final.jar:2.3.5.Final]
        at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131) ~[undertow-servlet-2.3.5.Final.jar:2.3.5.Final]
        at org.springframework.web.filter.RequestContextFilter.doFilterInternal(RequestContextFilter.java:100) ~[spring-web-6.0.8.jar:6.0.8]
        at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:116) ~[spring-web-6.0.8.jar:6.0.8]
        at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:67) ~[undertow-servlet-2.3.5.Final.jar:2.3.5.Final]
        at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131) ~[undertow-servlet-2.3.5.Final.jar:2.3.5.Final]
        at org.springframework.web.filter.FormContentFilter.doFilterInternal(FormContentFilter.java:93) ~[spring-web-6.0.8.jar:6.0.8]
        at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:116) ~[spring-web-6.0.8.jar:6.0.8]
        at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:67) ~[undertow-servlet-2.3.5.Final.jar:2.3.5.Final]
        at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131) ~[undertow-servlet-2.3.5.Final.jar:2.3.5.Final]
        at org.springframework.web.filter.ServerHttpObservationFilter.doFilterInternal(ServerHttpObservationFilter.java:109) ~[spring-web-6.0.8.jar:6.0.8]
        at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:116) ~[spring-web-6.0.8.jar:6.0.8]
        at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:67) ~[undertow-servlet-2.3.5.Final.jar:2.3.5.Final]
        at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131) ~[undertow-servlet-2.3.5.Final.jar:2.3.5.Final]
        at org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:201) ~[spring-web-6.0.8.jar:6.0.8]
        at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:116) ~[spring-web-6.0.8.jar:6.0.8]
        at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:67) ~[undertow-servlet-2.3.5.Final.jar:2.3.5.Final]
        at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131) ~[undertow-servlet-2.3.5.Final.jar:2.3.5.Final]
        at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84) ~[undertow-servlet-2.3.5.Final.jar:2.3.5.Final]
        at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62) ~[undertow-servlet-2.3.5.Final.jar:2.3.5.Final]
        at io.undertow.servlet.handlers.ServletChain$1.handleRequest(ServletChain.java:68) ~[undertow-servlet-2.3.5.Final.jar:2.3.5.Final]
        at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36) ~[undertow-servlet-2.3.5.Final.jar:2.3.5.Final]
        at io.undertow.servlet.handlers.RedirectDirHandler.handleRequest(RedirectDirHandler.java:68) ~[undertow-servlet-2.3.5.Final.jar:2.3.5.Final]
        at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:117) ~[undertow-servlet-2.3.5.Final.jar:2.3.5.Final]
        at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57) ~[undertow-servlet-2.3.5.Final.jar:2.3.5.Final]
        at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) ~[undertow-core-2.3.5.Final.jar:2.3.5.Final]
        at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46) ~[undertow-core-2.3.5.Final.jar:2.3.5.Final]
        at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64) ~[undertow-servlet-2.3.5.Final.jar:2.3.5.Final]
        at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60) ~[undertow-core-2.3.5.Final.jar:2.3.5.Final]
        at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77) ~[undertow-servlet-2.3.5.Final.jar:2.3.5.Final]
        at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43) ~[undertow-core-2.3.5.Final.jar:2.3.5.Final]
        at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) ~[undertow-core-2.3.5.Final.jar:2.3.5.Final]
        at io.undertow.servlet.handlers.SendErrorPageHandler.handleRequest(SendErrorPageHandler.java:52) ~[undertow-servlet-2.3.5.Final.jar:2.3.5.Final]
        at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) ~[undertow-core-2.3.5.Final.jar:2.3.5.Final]
        at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:276) ~[undertow-servlet-2.3.5.Final.jar:2.3.5.Final]
        at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:135) ~[undertow-servlet-2.3.5.Final.jar:2.3.5.Final]
        at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:132) ~[undertow-servlet-2.3.5.Final.jar:2.3.5.Final]
        at io.undertow.servlet.core.ServletRequestContextThreadSetupAction$1.call(ServletRequestContextThreadSetupAction.java:48) ~[undertow-servlet-2.3.5.Final.jar:2.3.5.Final]
        at io.undertow.servlet.core.ContextClassLoaderSetupAction$1.call(ContextClassLoaderSetupAction.java:43) ~[undertow-servlet-2.3.5.Final.jar:2.3.5.Final]
        at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:256) ~[undertow-servlet-2.3.5.Final.jar:2.3.5.Final]
        at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:101) ~[undertow-servlet-2.3.5.Final.jar:2.3.5.Final]
        at io.undertow.server.Connectors.executeRootHandler(Connectors.java:393) ~[undertow-core-2.3.5.Final.jar:2.3.5.Final]
        at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:859) ~[undertow-core-2.3.5.Final.jar:2.3.5.Final]
        at org.jboss.threads.ContextHandler$1.runWith(ContextHandler.java:18) ~[jboss-threads-3.5.0.Final.jar:3.5.0.Final]
        at org.jboss.threads.EnhancedQueueExecutor$Task.run(EnhancedQueueExecutor.java:2513) ~[jboss-threads-3.5.0.Final.jar:3.5.0.Final]
        at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1538) ~[jboss-threads-3.5.0.Final.jar:3.5.0.Final]
        at org.xnio.XnioWorker$WorkerThreadFactory$1$1.run(XnioWorker.java:1282) ~[xnio-api-3.8.8.Final.jar:3.8.8.Final]
        at java.base/java.lang.Thread.run(Thread.java:833) ~[na:na]

ryanjbaxter commented 1 year ago

I just noticed in the example you provided the alias is encrypt-prd but the encrypted password is using encrypt-dev.

zackfei commented 1 year ago

> I just noticed in the example you provided the alias is encrypt-prd but the encrypted password is using encrypt-dev.

There is actually another bootstrap-dev.yml that overrides that alias to encrypt-dev. I just wanted to simplify the provided sample yml. I edited the sample to correct the alias.

zackfei commented 1 year ago

Hi @ryanjbaxter, any update on this?

ryanjbaxter commented 11 months ago

I am not able to reproduce this issue.

Within the search-location I have configured my config server to look in, I have application.yaml with the following property:

hello: "{cipher}AQAbQgcJyxoyhChma8bj635RQySmauqAdK8/DBdAp9/Rskztrp0znaVt8hU5voU2Zt3QgUlL2ol2CxpoBS9geK/rYm+8hfmHSvBNu0IncLAx35QJ58cUEhDDohLsm1yitvB4GI7Bzqiw2gbfeCfAHtJgApoQvE+rNQZI4ZnvoD4rFdRnS25tfqP7J1zDvzaUbG8IPDfOtc9jwlpTmP0dHajT8VUxhz3YdrQCT5XzS7Zlo/LvgytKtWMBtZsBxQT+JZHcZ//FajrWzB9GI+0b+2Llhpj6rwDMK28uN2NK8XdlGORptWt0z62rOMPwxDR3N1D/zBTNSgesEWKhZqYqA2tOnStmWTqGe/o5tZaqdpm+5TDZ/ANNjqX0Zld83JuazBQ="

When I then hit http://localhost:8888/application/default I get the following response with the property decrypted.

{
  "name": "application",
  "profiles": [
    "default"
  ],
  "label": null,
  "version": null,
  "state": null,
  "propertySources": [
    {
      "name": "file:/Users/ryanjbaxter/temp/issues/2265/demo/config/application.yaml",
      "source": {
        "hello": "mysecret"
      }
    }
  ]
}

zackfei commented 11 months ago

The key to reproduce is:

Then it will end up not able to start because the keystore password was incorrect, since the config server didn't decrypt the cipher when bootstrapping itself. It works fine if I change all the ciphers (only the config-server-related ones required to start up itself) to plain text. After it is able to start with plain text, any http://localhost:8888/application/default or http://localhost:8888/<application>/<profile> works fine because that is runtime decryption.

org.springframework.context.ApplicationContextException: Unable to start web server
        at org.springframework.boot.web.servlet.context.ServletWebServerApplicationContext.onRefresh(ServletWebServerApplicationContext.java:164) ~[spring-boot-3.0.10.jar:3.0.10]
        at org.springframework.context.support.AbstractApplicationContext.refresh(AbstractApplicationContext.java:602) ~[spring-context-6.0.11.jar:6.0.11]
        at org.springframework.boot.web.servlet.context.ServletWebServerApplicationContext.refresh(ServletWebServerApplicationContext.java:146) ~[spring-boot-3.0.10.jar:3.0.10]
        at org.springframework.boot.SpringApplication.refresh(SpringApplication.java:732) ~[spring-boot-3.0.10.jar:3.0.10]
        at org.springframework.boot.SpringApplication.refreshContext(SpringApplication.java:434) ~[spring-boot-3.0.10.jar:3.0.10]
        at org.springframework.boot.SpringApplication.run(SpringApplication.java:310) ~[spring-boot-3.0.10.jar:3.0.10]
        at io.cv.configserver.ConfigServerApplication.main(ConfigServerApplication.java:24) ~[main/:na]
Caused by: java.lang.IllegalStateException: org.springframework.boot.web.server.WebServerException: Could not load key store 'file:/app/tls/micro/application-key.pkcs12'
        at org.springframework.boot.web.embedded.undertow.SslBuilderCustomizer.getKeyManagers(SslBuilderCustomizer.java:127) ~[spring-boot-3.0.10.jar:3.0.10]
        at org.springframework.boot.web.embedded.undertow.SslBuilderCustomizer.customize(SslBuilderCustomizer.java:77) ~[spring-boot-3.0.10.jar:3.0.10]
        at org.springframework.boot.web.embedded.undertow.UndertowWebServerFactoryDelegate.createBuilder(UndertowWebServerFactoryDelegate.java:167) ~[spring-boot-3.0.10.jar:3.0.10]
        at org.springframework.boot.web.embedded.undertow.UndertowServletWebServerFactory.getWebServer(UndertowServletWebServerFactory.java:297) ~[spring-boot-3.0.10.jar:3.0.10]
        at org.springframework.boot.web.servlet.context.ServletWebServerApplicationContext.createWebServer(ServletWebServerApplicationContext.java:183) ~[spring-boot-3.0.10.jar:3.0.10]
        at org.springframework.boot.web.servlet.context.ServletWebServerApplicationContext.onRefresh(ServletWebServerApplicationContext.java:161) ~[spring-boot-3.0.10.jar:3.0.10]
        ... 6 common frames omitted
Caused by: org.springframework.boot.web.server.WebServerException: Could not load key store 'file:/app/tls/micro/application-key.pkcs12'
        at org.springframework.boot.web.embedded.undertow.SslBuilderCustomizer.loadStore(SslBuilderCustomizer.java:199) ~[spring-boot-3.0.10.jar:3.0.10]
        at org.springframework.boot.web.embedded.undertow.SslBuilderCustomizer.loadKeyStore(SslBuilderCustomizer.java:171) ~[spring-boot-3.0.10.jar:3.0.10]
        at org.springframework.boot.web.embedded.undertow.SslBuilderCustomizer.getKeyStore(SslBuilderCustomizer.java:145) ~[spring-boot-3.0.10.jar:3.0.10]
        at org.springframework.boot.web.embedded.undertow.SslBuilderCustomizer.getKeyManagers(SslBuilderCustomizer.java:112) ~[spring-boot-3.0.10.jar:3.0.10]
        ... 11 common frames omitted
Caused by: java.io.IOException: keystore password was incorrect
        at java.base/sun.security.pkcs12.PKCS12KeyStore.engineLoad(PKCS12KeyStore.java:2159) ~[na:na]
        at java.base/sun.security.util.KeyStoreDelegator.engineLoad(KeyStoreDelegator.java:221) ~[na:na]
        at java.base/java.security.KeyStore.load(KeyStore.java:1473) ~[na:na]
        at org.springframework.boot.web.embedded.undertow.SslBuilderCustomizer.loadStore(SslBuilderCustomizer.java:195) ~[spring-boot-3.0.10.jar:3.0.10]
        ... 14 common frames omitted
Caused by: java.security.UnrecoverableKeyException: failed to decrypt safe contents entry: javax.crypto.BadPaddingException: Given final block not properly padded. Such issues can arise if a bad key is used during decryption.
        ... 18 common frames omitted
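
A fail-fast startup check for the failure mode reported in this thread, where the config server configures itself from values that were never decrypted. This is an added example, not code from the issue or from Spring Cloud Config: the class name `UndecryptedPropertyGuard`, its registration through `SpringApplication#addListeners`, and the sample values in `main` are assumptions, and it presumes environment decryption has already run by the time `ApplicationPreparedEvent` fires.

```java
import java.util.ArrayList;
import java.util.HashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.regex.Pattern;

import org.springframework.boot.context.event.ApplicationPreparedEvent;
import org.springframework.context.ApplicationListener;
import org.springframework.core.env.ConfigurableEnvironment;
import org.springframework.core.env.EnumerablePropertySource;
import org.springframework.core.env.MapPropertySource;
import org.springframework.core.env.PropertySource;
import org.springframework.core.env.StandardEnvironment;

/**
 * Hypothetical guard (not a Spring Cloud API): aborts startup when an effective
 * property still looks encrypted. Register with SpringApplication#addListeners before run().
 */
public class UndecryptedPropertyGuard implements ApplicationListener<ApplicationPreparedEvent> {

    // "{cipher}..." is an untouched value. A value starting with "{key:alias}" is what the
    // PasswordEncoder error in this thread implies reached Spring Security.
    private static final Pattern MARKER = Pattern.compile("^\\{(cipher|key:[^}]*)\\}");

    /** Returns the names (never the values) of effective properties that still look encrypted. */
    static List<String> findUndecrypted(ConfigurableEnvironment env) {
        Set<String> seen = new HashSet<>();
        List<String> offenders = new ArrayList<>();
        // Sources iterate in precedence order, so the first hit for a name is the effective one.
        for (PropertySource<?> source : env.getPropertySources()) {
            if (!(source instanceof EnumerablePropertySource<?> enumerable)) {
                continue; // cannot list names; skipped
            }
            for (String name : enumerable.getPropertyNames()) {
                if (!seen.add(name)) {
                    continue; // shadowed by a higher-precedence source, e.g. one holding decrypted values
                }
                Object value = enumerable.getProperty(name);
                if (value instanceof CharSequence text && MARKER.matcher(text).find()) {
                    offenders.add(name);
                }
            }
        }
        return offenders;
    }

    @Override
    public void onApplicationEvent(ApplicationPreparedEvent event) {
        List<String> offenders = findUndecrypted(event.getApplicationContext().getEnvironment());
        if (!offenders.isEmpty()) {
            throw new IllegalStateException(
                    "Refusing to start, properties still carry an encryption marker: " + offenders);
        }
    }

    // Offline demo with constructed values; no application context is started.
    public static void main(String[] args) {
        StandardEnvironment env = new StandardEnvironment();
        env.getPropertySources().addLast(new MapPropertySource("repo", Map.of(
                "spring.security.user.password", "{cipher}{key:encrypt-dev}AQCconstructed",
                "server.ssl.key-store-password", "{cipher}AQBconstructed",
                "spring.security.user.name", "admin")));
        // Simulates a decrypted override for one property only.
        env.getPropertySources().addFirst(new MapPropertySource("decrypted", Map.of(
                "server.ssl.key-store-password", "constructed-plaintext")));
        System.out.println(findUndecrypted(env));
    }
}
```

The guard reports property names only, so ciphertext and secrets stay out of the startup log.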