Using Spring Credhub with mTLS and OAuth2 results in certificate_unknown

Article ID: 293871

Products

Operations Manager

Issue/Introduction

While creating a Credhub service instance and binding it to a Java application that uses Spring Credhub, Spring Credhub is unable to validate the certificate used on the Credhub server.

For example:

ERROR [nio-8080-exec-9] c.c.credhub.controller.DataController c.c.c.c.DataController.loadData(DataController.java:109) - GET|/v1/data|||||||||||||Error While Interpolating data {}: org.springframework.web.client.ResourceAccessException: I/O error on POST request for "https://credhub.service.cf.internal:8844/api/v1/interpolate": Received fatal alert: certificate_unknown; nested exception is javax.net.ssl.SSLHandshakeException: Received fatal alert: certificate_unknown
    at org.springframework.web.client.RestTemplate.doExecute(RestTemplate.java:744)
    at org.springframework.web.client.RestTemplate.execute(RestTemplate.java:670)
    at org.springframework.web.client.RestTemplate.exchange(RestTemplate.java:579)
    at org.springframework.credhub.core.interpolation.CredHubInterpolationTemplate.lambda$interpolateServiceData$0(CredHubInterpolationTemplate.java:52)

You may also see this error if mTLS fails and Spring Credhub tries to fall back to using OAuth2:

org.springframework.credhub.core.CredHubException: Error calling CredHub: 401: {"error":"invalid_token","error_description":"Full authentication is required to access this resource"}


Environment

Product Version: Other

Resolution

To resolve this issue, follow the steps below:

1. For mTLS, ensure that a Java buildpack with the Container Security Provider enabled is used. The buildpack prints this in its output when you push your app.

2. In most cases you should use mTLS to authenticate to Credhub. If you must use OAuth2 and you are seeing the 401 error referenced above, validate that the following properties are set correctly:
  • client-id
  • client-secret
  • authorization-grant-type
  • token-uri

For mTLS configuration refer to the following documentation: https://docs.spring.io/spring-credhub/docs/2.0.1.RELEASE/reference/html5/#mutual-tls-authentication


For OAuth2 configuration refer to the following documentation: https://docs.spring.io/spring-credhub/docs/2.0.1.RELEASE/reference/html5/#oauth2-authentication
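The following application.yml is an added example for the OAuth2 path described in step 2; it is not taken from this article or from the Spring Credhub project. The registration name credhub-client, the UAA host, and the client-id/client-secret values are placeholders you must replace with your own.

```yaml
# Added example (not from the article): Spring Boot configuration for
# Spring Credhub 2.x using OAuth2 client credentials against UAA.
#
# With mTLS (the recommended path) only spring.credhub.url is needed;
# the Java buildpack's Container Security Provider supplies the
# container instance identity certificate to the JVM's default SSLContext.
spring:
  credhub:
    # CredHub endpoint as seen from the container (matches the error above)
    url: https://credhub.service.cf.internal:8844
    oauth2:
      # Must name a registration defined under spring.security.oauth2.client
      registration-id: credhub-client   # placeholder name

  security:
    oauth2:
      client:
        registration:
          credhub-client:               # placeholder name, must match above
            provider: uaa
            # All four properties below must be present; a missing or
            # wrong value is what produces the 401 invalid_token response.
            client-id: ${CREDHUB_CLIENT_ID}          # placeholder, from env
            client-secret: ${CREDHUB_CLIENT_SECRET}  # placeholder, from env
            authorization-grant-type: client_credentials
        provider:
          uaa:
            # token-uri for the UAA that issued the client; placeholder host
            token-uri: https://uaa.example.com/oauth/token
```

Inject the client credentials from the environment rather than committing them, and confirm the provider's token-uri points at the UAA instance that CredHub trusts, otherwise the token it issues will be rejected with the same 401.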