Hello Camunda Team,
I’m facing an issue while establishing a connection from the Camunda External Task Client (client application) to the Camunda Engine (which is running as the server and is secured as well). While fetching the external tasks from the Camunda Engine (we already configured the topic, … in the external task client properties file), I am getting the error below.
We have all the required certificates at the client end to communicate with the server.
We observed that it’s not picking up the certificates from the client within the application. When sending the request, how do we send the trust store details from the client to the server to do the handshake?
Below is the snippet of code showing how the client communicates with the server.
    // Registers the external task client as a Spring bean and subscribes it to the topic.
    @Bean
    public ExternalTaskClient getExtClient() {
        ExternalTaskClient client = ExternalTaskClient.create()
                .baseUrl(baseUrl)
                .addInterceptor(new NotificationClientRequestInterceptor())
                .asyncResponseTimeout(asyncTimeOut)
                .workerId(workerId)
                .maxTasks(maxTasks)
                .build();
        client.subscribe(topicName)
                .lockDuration(100000L)
                .handler((externalTask, externalTaskService) ->
                        sendEmail(configuration, externalTask, externalTaskService))
                .open();
        return client; // a @Bean method must return the bean instance, not void
    }

    // Adds the access token header to every request sent to the engine.
    public class NotificationClientRequestInterceptor implements ClientRequestInterceptor {
        @Override
        public void intercept(ClientRequestContext requestContext) {
            requestContext.addHeader("X-AuthToken", tokenAccessor.getAccessToken());
        }
    }
Below is the configuration we are using.
camunda.bpm.admin-user.id=demo
camunda.bpm.admin-user.password=demo
#Camunda
camunda.bpm.authorization.enabled=true
camunda.bpm.authorization.tenant-check-enabled=true
camunda.bpm.default-serialization-format=application/json
camunda.bpm.history-level=FULL
camunda.bpm.client.async-response-timeout=1800000
camunda.bpm.client.subscriptions.NotificationTopic.variable-names=refId,approverRequested,submittedDate,submitter
camunda.bpm.client.subscriptions.NotificationTopic.process-definition-key=sendemail
camunda.bpm.client.subscriptions.NotificationTopic.lock-duration=1000000
camunda.bpm.client.worker-id=processnotificationworker
camunda.bpm.client.max-tasks=3
camunda.bpm.client.host=hostname
Below is the error I’m getting.
2022-12-02 02:28:58.869 org.camunda.bpm.client [TopicSubscriptionManager] ERROR [process-notification-worker,] - TASK/CLIENT-03001 Exception while fetch and lock task.
org.camunda.bpm.client.impl.EngineClientException: TASK/CLIENT-02002 Exception while establishing connection for request 'POST https://hostname/process/workbench/engine-rest/external-task/fetchAndLock HTTP/1.1'
    at org.camunda.bpm.client.impl.EngineClientLogger.exceptionWhileEstablishingConnection(EngineClientLogger.java:36)
Caused by: javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at java.base/sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:439)
Alternatively, if we import the certificates locally at the JDK level into cacerts (java11\java-11-openjdk-11.0.4.11\lib\security\cacerts), then we are able to communicate with the Camunda engine.
But we don’t want this solution because the external task client is going to be deployed as a pod, and there we can’t add the certificates to the cacerts in the container.
In our project, other services establish the connection with the Camunda engine (server), which is running in OCP, by using the truststore and keystore provided within the application.
Could you please help me with this? We are blocked because of this.
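
One way to give the external task client an application-supplied truststore instead of the JDK's cacerts, as an added example that is not part of the original post and not Camunda's own code. It assumes a PKCS12 truststore mounted into the pod, a client version built on Apache HttpClient 4.x, and hypothetical environment variable names `TRUSTSTORE_PATH` and `TRUSTSTORE_PASSWORD`; certificate validation stays enabled and is limited to the CAs in that file.

```java
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.KeyStore;
import java.util.Objects;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;
import org.camunda.bpm.client.ExternalTaskClient;

public class TrustStoreExternalTaskClient {

    // Builds an SSLContext that trusts only the CA certificates in the given truststore file.
    static SSLContext sslContextFrom(Path trustStorePath, char[] password) throws Exception {
        KeyStore trustStore = KeyStore.getInstance("PKCS12"); // assumption: use "JKS" for a .jks file
        try (InputStream in = Files.newInputStream(trustStorePath)) {
            trustStore.load(in, password);
        }
        if (trustStore.size() == 0) { // fail at startup instead of at the first TLS handshake
            throw new IllegalStateException("Truststore " + trustStorePath + " has no entries");
        }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null); // no key managers: server authentication only
        return ctx;
    }

    // Creates the client with an HTTP client that validates the engine against sslContext.
    static ExternalTaskClient buildClient(String baseUrl, SSLContext sslContext) {
        return ExternalTaskClient.create()
                .baseUrl(baseUrl)
                // Assumption: the customizer receives org.apache.http.impl.client.HttpClientBuilder
                // (HttpClient 4.x); a client built on HttpClient 5 needs a connection manager instead.
                .customizeHttpClient(http -> http.setSSLContext(sslContext))
                .build();
    }

    public static void main(String[] args) throws Exception {
        // Hypothetical variable names; in a pod these would point at a mounted secret.
        String path = Objects.requireNonNull(System.getenv("TRUSTSTORE_PATH"), "TRUSTSTORE_PATH not set");
        String pw = Objects.requireNonNull(System.getenv("TRUSTSTORE_PASSWORD"), "TRUSTSTORE_PASSWORD not set");
        SSLContext sslContext = sslContextFrom(Path.of(path), pw.toCharArray());
        ExternalTaskClient client = buildClient("https://hostname/process/workbench/engine-rest", sslContext);
        System.out.println("External task client built with truststore " + path);
        client.stop(); // stop the background fetch thread so this demo exits
    }
}
```

If the engine also requires a client certificate, a `KeyManagerFactory` initialised from the application's keystore would be passed as the first argument of `ctx.init`.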