How to connect to a URL using a self-signed certificate with Rest Connector?

Hi guys,

I am trying to use Rest Connector to call a URL that uses a self-signed certificate. The result is 408, and I found the following exceptions in the camunda-connectors pod log:
io.camunda.connector.api.error.ConnectorException: An error occurred while executing the request, or the connection was aborted
    at io.camunda.connector.http.base.client.apache.CustomApacheHttpClient.execute(CustomApacheHttpClient.java:121)
    at io.camunda.connector.http.base.HttpService.executeRequest(HttpService.java:61)
    at io.camunda.connector.http.base.HttpService.executeConnectorRequest(HttpService.java:56)
    at io.camunda.connector.http.rest.HttpJsonFunction.execute(HttpJsonFunction.java:74)
    at io.camunda.connector.runtime.core.outbound.ConnectorJobHandler.handle(ConnectorJobHandler.java:184)
    at io.camunda.connector.runtime.outbound.jobhandling.SpringConnectorJobHandler.lambda$handle$0(SpringConnectorJobHandler.java:75)
    at io.micrometer.core.instrument.AbstractTimer.record(AbstractTimer.java:250)
    at io.camunda.zeebe.spring.client.actuator.MicrometerMetricsRecorder.executeWithTimer(MicrometerMetricsRecorder.java:50)
    at io.camunda.connector.runtime.outbound.jobhandling.SpringConnectorJobHandler.handle(SpringConnectorJobHandler.java:66)
    at io.camunda.zeebe.client.impl.worker.JobRunnableFactoryImpl.executeJob(JobRunnableFactoryImpl.java:45)
    at io.camunda.zeebe.client.impl.worker.JobRunnableFactoryImpl.lambda$create$0(JobRunnableFactoryImpl.java:40)
    at java.base/java.util.concurrent.Executors$RunnableAdapter.call(Unknown Source)
    at java.base/java.util.concurrent.FutureTask.run(Unknown Source)
    at java.base/java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(Unknown Source)
    at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
    at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
    at java.base/java.lang.Thread.run(Unknown Source)
Caused by: javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at java.base/sun.security.ssl.Alert.createSSLException(Unknown Source)
    at java.base/sun.security.ssl.TransportContext.fatal(Unknown Source)
    at java.base/sun.security.ssl.TransportContext.fatal(Unknown Source)
    at java.base/sun.security.ssl.TransportContext.fatal(Unknown Source)
    at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.checkServerCerts(Unknown Source)
    at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.onCertificate(Unknown Source)
    at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.consume(Unknown Source)
    at java.base/sun.security.ssl.SSLHandshake.consume(Unknown Source)
    at java.base/sun.security.ssl.HandshakeContext.dispatch(Unknown Source)
    at java.base/sun.security.ssl.HandshakeContext.dispatch(Unknown Source)
    at java.base/sun.security.ssl.TransportContext.dispatch(Unknown Source)
    at java.base/sun.security.ssl.SSLTransport.decode(Unknown Source)
    at java.base/sun.security.ssl.SSLSocketImpl.decode(Unknown Source)
    at java.base/sun.security.ssl.SSLSocketImpl.readHandshakeRecord(Unknown Source)
    at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)
    at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(Unknown Source)
    at org.apache.hc.client5.http.ssl.SSLConnectionSocketFactory.executeHandshake(SSLConnectionSocketFactory.java:345)
    at org.apache.hc.client5.http.ssl.SSLConnectionSocketFactory.createLayeredSocket(SSLConnectionSocketFactory.java:313)
    at org.apache.hc.client5.http.ssl.SSLConnectionSocketFactory.connectSocket(SSLConnectionSocketFactory.java:251)
    at org.apache.hc.client5.http.impl.io.DefaultHttpClientConnectionOperator.connect(DefaultHttpClientConnectionOperator.java:189)
    at org.apache.hc.client5.http.impl.io.PoolingHttpClientConnectionManager.connect(PoolingHttpClientConnectionManager.java:450)
    at org.apache.hc.client5.http.impl.classic.InternalExecRuntime.connectEndpoint(InternalExecRuntime.java:162)
    at org.apache.hc.client5.http.impl.classic.InternalExecRuntime.connectEndpoint(InternalExecRuntime.java:172)
    at org.apache.hc.client5.http.impl.classic.ConnectExec.execute(ConnectExec.java:142)
    at org.apache.hc.client5.http.impl.classic.ExecChainElement.execute(ExecChainElement.java:51)
    at org.apache.hc.client5.http.impl.classic.ProtocolExec.execute(ProtocolExec.java:192)
    at org.apache.hc.client5.http.impl.classic.ExecChainElement.execute(ExecChainElement.java:51)
    at org.apache.hc.client5.http.impl.classic.HttpRequestRetryExec.execute(HttpRequestRetryExec.java:113)
    at org.apache.hc.client5.http.impl.classic.ExecChainElement.execute(ExecChainElement.java:51)
    at org.apache.hc.client5.http.impl.classic.ContentCompressionExec.execute(ContentCompressionExec.java:152)
    at org.apache.hc.client5.http.impl.classic.ExecChainElement.execute(ExecChainElement.java:51)
    at org.apache.hc.client5.http.impl.classic.InternalHttpClient.doExecute(InternalHttpClient.java:170)
    at org.apache.hc.client5.http.impl.classic.CloseableHttpClient.execute(CloseableHttpClient.java:245)
    at org.apache.hc.client5.http.impl.classic.CloseableHttpClient.execute(CloseableHttpClient.java:188)
    at org.apache.hc.client5.http.impl.classic.CloseableHttpClient.execute(CloseableHttpClient.java:162)
    at io.camunda.connector.http.base.client.apache.CustomApacheHttpClient.execute(CustomApacheHttpClient.java:109)
    … 16 common frames omitted
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at java.base/sun.security.validator.PKIXValidator.doBuild(Unknown Source)
    at java.base/sun.security.validator.PKIXValidator.engineValidate(Unknown Source)
    at java.base/sun.security.validator.Validator.validate(Unknown Source)
    at java.base/sun.security.ssl.X509TrustManagerImpl.checkTrusted(Unknown Source)
    at java.base/sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(Unknown Source)
    … 48 common frames omitted
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at java.base/sun.security.provider.certpath.SunCertPathBuilder.build(Unknown Source)
    at java.base/sun.security.provider.certpath.SunCertPathBuilder.engineBuild(Unknown Source)
    at java.base/java.security.cert.CertPathBuilder.build(Unknown Source)
    … 53 common frames omitted

Is there any way to skip cert verification, or is there any way I can attach our root cert to the application?

Hi,
I suspect you will need to import your cert root into the jvm keystore where your connector is running…

Regards

Rob

Thanks. I used an alternative way: mounting a truststore.

  1. Create an empty truststore.
  2. Import my certs into the truststore.
  3. Create a configmap from the truststore file.
  4. Mount the configmap as a file to the camunda-connectors deployment.
  5. Set env var JAVAX_NET_SSL_TRUSTSTORE for the camunda-connectors deployment, pointing to the mounted path in step 5.
  6. Set env var JAVAX_NET_SSL_TRUSTSTOREPASSWORD equal to the password in step 1.
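
The six steps above written out as commands, as an added example that is not part of the original post. The namespace, container name, ConfigMap name, file names, mount path and password are assumed placeholders; only the deployment name and the two environment variables come from the thread. By default the script only prints the commands; set DRY_RUN=0 to execute them.

```shell
#!/bin/sh
# Added example: the six steps above as commands. Verification stays enabled;
# the JVM just gains one extra trust anchor.
# Assumed (not from the thread): namespace, container name, ConfigMap name,
# file names, mount path and password are placeholders.
NS="${NS:-camunda}"                  # assumed namespace
DEPLOY="camunda-connectors"          # deployment named in the thread
CONTAINER="${CONTAINER:-connectors}" # assumed container name in that deployment
CM="connectors-truststore"           # assumed ConfigMap name
CA_CERT="${CA_CERT:-root-ca.pem}"    # your root certificate (PEM)
STORE="truststore.p12"
MOUNT_DIR="/etc/connectors-truststore"
STOREPASS="${STOREPASS:-changeit}"   # placeholder password
DRY_RUN="${DRY_RUN:-1}"              # 1 = only print the commands

run() {  # print the command, execute it only when DRY_RUN is not 1
  printf '%s\n' "$*"
  [ "$DRY_RUN" = "1" ] || "$@"
}

mount_patch() {  # strategic-merge patch: add the volume, mount it read-only
  cat <<EOF
{"spec":{"template":{"spec":{
  "volumes":[{"name":"truststore","configMap":{"name":"$CM"}}],
  "containers":[{"name":"$CONTAINER","volumeMounts":[
    {"name":"truststore","mountPath":"$MOUNT_DIR","readOnly":true}]}]}}}}
EOF
}

apply_truststore() {
  # Steps 1-2: keytool creates the store when the first cert is imported
  run keytool -importcert -noprompt -alias internal-root -file "$CA_CERT" \
      -keystore "$STORE" -storetype PKCS12 -storepass "$STOREPASS"
  # Step 3: the store holds only public certs, so a ConfigMap is acceptable
  run kubectl -n "$NS" create configmap "$CM" --from-file="$STORE"
  # Step 4: mount the ConfigMap into the connectors container
  run kubectl -n "$NS" patch deployment "$DEPLOY" --type strategic -p "$(mount_patch)"
  # Steps 5-6: env vars from the thread, pointing at the mounted file
  run kubectl -n "$NS" set env "deployment/$DEPLOY" \
      "JAVAX_NET_SSL_TRUSTSTORE=$MOUNT_DIR/$STORE" \
      "JAVAX_NET_SSL_TRUSTSTOREPASSWORD=$STOREPASS"
}

# Stand-alone use: print the plan, or run it with DRY_RUN=0
apply_truststore
```

Before rolling out, `keytool -list -keystore truststore.p12 -storepass <password>` shows which certificates the store actually contains.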