Pem SslBundle - allow property source for keystore and truststore #40398

Closed
zbacjxx opened this issue Apr 17, 2024 · 6 comments
Labels
status: duplicate A duplicate of another issue

Comments

zbacjxx commented Apr 17, 2024

Current implementation allows us to specify a location.

Ideally we could also specify a property that contains the PEM file, e.g. ${my.app.trust.cert}

This would allow us to inject certificates from external stores at deploy time in an externalised property file rather than bundling files into the app deployment, e.g. via /resources

spring-projects-issues added the label "status: waiting-for-triage" (An issue we've not yet triaged) on Apr 17, 2024

@scottfrederick (Contributor)
@zbacjxx It is currently possible to provide certificates as PEM content when configuring SSL bundles. An example of this is shown in the documentation:

spring:
  ssl:
    bundle:
      pem:
        mybundle:
          truststore:
            certificate: |
              -----BEGIN CERTIFICATE-----
              MIID1zCCAr+gAwIBAgIUNM5QQv8IzVQsgSmmdPQNaqyzWs4wDQYJKoZIhvcNAQEL
              BQAwezELMAkGA1UEBhMCWFgxEjAQBgNVBAgMCVN0YXRlTmFtZTERMA8GA1UEBwwI
              ...
              V0IJjcmYjEZbTvpjFKznvaFiOUv+8L7jHQ1/Yf+9c3C8gSjdUfv88m17pqYXd+Ds
              HEmfmNNjht130UyjNCITmLVXyy5p35vWmdf95U3uEbJSnNVtXH8qRmN9oK9mUpDb
              ngX6JBJI7fw7tXoqWSLHNiBODM88fUlQSho8
              -----END CERTIFICATE-----

If you have tried this and it is not working for you, please provide more details on your configuration so we can take a closer look.

scottfrederick added the label "status: waiting-for-feedback" (We need additional information before we can continue) on Apr 17, 2024

zbacjxx (Author) commented Apr 18, 2024

Hi Scott,

SslBundle is an amazing addition to the Spring framework, thanks for the quick response. I have tried the above, however I get an error.

I am using Spring Boot 3.2.2 and application-{env}.properties, not a YAML file.

The following properties work:

spring.ssl.bundle.pem.rest.keystore.certificate=/mnt/c/dev/certs/my-project/my-cert.pem
spring.ssl.bundle.pem.rest.keystore.private-key=/mnt/c/dev/certs/my-project/my-key.pem
spring.ssl.bundle.pem.rest.truststore.certificate=/mnt/c/dev/certs/ca-certificates.crt

However, when I switch out the keystore.certificate with the following:

"-----BEGIN CERTIFICATE-----
MIIHUjCCBjqgAwIBAgIEYiQNCjANBgkqhkiG9w0BAQsFADCBhDELMAkGA1UEBhMC\
Z2IxKTAnBgNVBAoTIFRoZSBSb3lhbCBCYW5rIG9mIFNjb3RsYW5kIEdyb3VwMR8w\
...
FJ+OwT2m9J1ZNLi9MEEfnP7i4TRKp9OA3tfJ6JS0/hgb4TiMclH5s+YZri4Q2PGu\
pVFBTQuLxxwTXJx6cPDVW0960f4lC7QtIhzDVa9dhhgug7qEUAFeEtFvpDcKtj3m\
N+HvO31+\
-----END CERTIFICATE-----"

I get the following exception (message only):

org.springframework.beans.factory.UnsatisfiedDependencyException: Error creating bean with name 'kafkaPostTestCLRApigee': Unsatisfied dependency expressed through field 'kafkaPostTemplate': Error creating bean with name 'sslRestTemplate' defined in class path resource [com/nwg/da/fraud/oids/api/configuration/CustomRestTemplateConfiguration.class]: Unsatisfied dependency expressed through method 'sslRestTemplate' parameter 1: Error creating bean with name 'sslBundleRegistry' defined in class path resource [org/springframework/boot/autoconfigure/ssl/SslAutoConfiguration.class]: Failed to instantiate [org.springframework.boot.ssl.DefaultSslBundleRegistry]: Factory method 'sslBundleRegistry' threw exception with message: Error reading certificate or key from file '"-----BEGIN CERTIFICATE-----'
Caused by: org.springframework.beans.factory.UnsatisfiedDependencyException: Error creating bean with name 'sslRestTemplate' defined in class path resource [com/nwg/da/fraud/oids/api/configuration/CustomRestTemplateConfiguration.class]: Unsatisfied dependency expressed through method 'sslRestTemplate' parameter 1: Error creating bean with name 'sslBundleRegistry' defined in class path resource [org/springframework/boot/autoconfigure/ssl/SslAutoConfiguration.class]: Failed to instantiate [org.springframework.boot.ssl.DefaultSslBundleRegistry]: Factory method 'sslBundleRegistry' threw exception with message: Error reading certificate or key from file '"-----BEGIN CERTIFICATE-----'
Caused by: org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'sslBundleRegistry' defined in class path resource [org/springframework/boot/autoconfigure/ssl/SslAutoConfiguration.class]: Failed to instantiate [org.springframework.boot.ssl.DefaultSslBundleRegistry]: Factory method 'sslBundleRegistry' threw exception with message: Error reading certificate or key from file '"-----BEGIN CERTIFICATE-----'
Caused by: org.springframework.beans.BeanInstantiationException: Failed to instantiate [org.springframework.boot.ssl.DefaultSslBundleRegistry]: Factory method 'sslBundleRegistry' threw exception with message: Error reading certificate or key from file '"-----BEGIN CERTIFICATE-----'
Caused by: java.io.UncheckedIOException: Error reading certificate or key from file '"-----BEGIN CERTIFICATE-----'
Caused by: java.io.IOException: Error reading certificate or key from file '"-----BEGIN CERTIFICATE-----'
Caused by: java.io.FileNotFoundException: /home/zbacjxx/workspace/application/my-project/"-----BEGIN CERTIFICATE----- (No such file or directory)

Note: I have also removed the line endings so the cert is on a single line, and I get a slightly different error (message only):

org.springframework.beans.factory.UnsatisfiedDependencyException: Error creating bean with name 'kafkaPostTestCLRApigee': Unsatisfied dependency expressed through field 'kafkaPostTemplate': Error creating bean with name 'sslRestTemplate' defined in class path resource [com/nwg/da/fraud/oids/api/configuration/CustomRestTemplateConfiguration.class]: Unsatisfied dependency expressed through method 'sslRestTemplate' parameter 1: Error creating bean with name 'sslBundleRegistry' defined in class path resource [org/springframework/boot/autoconfigure/ssl/SslAutoConfiguration.class]: Failed to instantiate [org.springframework.boot.ssl.DefaultSslBundleRegistry]: Factory method 'sslBundleRegistry' threw exception with message: Unable to register SSL bundle 'rest'
Caused by: org.springframework.beans.factory.UnsatisfiedDependencyException: Error creating bean with name 'sslRestTemplate' defined in class path resource [com/nwg/da/fraud/oids/api/configuration/CustomRestTemplateConfiguration.class]: Unsatisfied dependency expressed through method 'sslRestTemplate' parameter 1: Error creating bean with name 'sslBundleRegistry' defined in class path resource [org/springframework/boot/autoconfigure/ssl/SslAutoConfiguration.class]: Failed to instantiate [org.springframework.boot.ssl.DefaultSslBundleRegistry]: Factory method 'sslBundleRegistry' threw exception with message: Unable to register SSL bundle 'rest'
Caused by: org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'sslBundleRegistry' defined in class path resource [org/springframework/boot/autoconfigure/ssl/SslAutoConfiguration.class]: Failed to instantiate [org.springframework.boot.ssl.DefaultSslBundleRegistry]: Factory method 'sslBundleRegistry' threw exception with message: Unable to register SSL bundle 'rest'
Caused by: org.springframework.beans.BeanInstantiationException: Failed to instantiate [org.springframework.boot.ssl.DefaultSslBundleRegistry]: Factory method 'sslBundleRegistry' threw exception with message: Unable to register SSL bundle 'rest'
Caused by: java.lang.IllegalStateException: Unable to register SSL bundle 'rest'
Caused by: java.lang.IllegalStateException: Missing certificates or unrecognized format

spring-projects-issues added the label "status: feedback-provided" (Feedback has been provided) and removed "status: waiting-for-feedback" (We need additional information before we can continue) on Apr 18, 2024

@wilkinsona (Member)
@zbacjxx you don't appear to have formatted the multi-line string correctly. You can either use YAML and minimise the necessary formatting or you can include newlines in the value. This is shown in the documentation that Scott linked to above.

spring.ssl.bundle.pem.rest.keystore.certificate=\
-----BEGIN CERTIFICATE-----\n\
MIID1zCCAr+gAwIBAgIUNM5QQv8IzVQsgSmmdPQNaqyzWs4wDQYJKoZIhvcNAQEL\n\
BQAwezELMAkGA1UEBhMCWFgxEjAQBgNVBAgMCVN0YXRlTmFtZTERMA8GA1UEBwwI\n\
...\n\
V0IJjcmYjEZbTvpjFKznvaFiOUv+8L7jHQ1/Yf+9c3C8gSjdUfv88m17pqYXd+Ds\n\
HEmfmNNjht130UyjNCITmLVXyy5p35vWmdf95U3uEbJSnNVtXH8qRmN9oK9mUpDb\n\
ngX6JBJI7fw7tXoqWSLHNiBODM88fUlQSho8\n\
-----END CERTIFICATE-----\n

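A worked example, added here and not code from this issue or from Spring Boot, that reproduces both outcomes in the thread by pushing a constructed PEM block through the java.util.Properties escaping rules: the reporter's quoted, unescaped layout yields the literal value `"-----BEGIN CERTIFICATE-----` that appears in the FileNotFoundException above, while the `<line>\n\` layout from the reply round-trips to a PEM block with real newlines. `pem_to_properties` generates such an entry from a PEM string; `load_properties` is a minimal Properties reader written for this example (continuation lines, separators, escapes), and `pem_is_well_formed` is my own strict RFC 7468 check, not Spring Boot's parser. The certificate body is constructed bytes, not a real certificate.

```python
import base64
import re

# --- constructed sample input -----------------------------------------------
# Not a real certificate: a syntactically valid PEM block whose base64 body is
# made-up bytes, so the example runs offline without touching key material.
_B64 = base64.b64encode(bytes(range(96))).decode()
_SAMPLE_BODY_LINES = [_B64[i:i + 64] for i in range(0, len(_B64), 64)]
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n" + "\n".join(_SAMPLE_BODY_LINES)
              + "\n-----END CERTIFICATE-----\n")
KEY = "spring.ssl.bundle.pem.rest.keystore.certificate"

# Same layout as the reporter's first attempt: value wrapped in double quotes,
# physical lines joined with a bare trailing backslash, no `\n` escape at all.
BROKEN_ENTRY = (f'{KEY}="-----BEGIN CERTIFICATE-----\n'
                + "".join(line + "\\\n" for line in _SAMPLE_BODY_LINES)
                + '-----END CERTIFICATE-----"\n')


def pem_to_properties(key: str, pem: str) -> str:
    r"""Emit one .properties entry carrying `pem` as a multi-line value.

    Each PEM line is written as `<line>\n\`: the `\n` escape puts a real
    newline into the value and the trailing backslash continues the logical
    line (the layout shown in the reply above).
    """
    lines = pem.strip().splitlines()
    return f"{key}=\\\n" + "\\n\\\n".join(lines) + "\\n\n"


_ESCAPES = {"n": "\n", "t": "\t", "r": "\r", "f": "\f"}


def _unescape(s: str) -> str:
    r"""Resolve Properties escapes: \n \t \r \f \uXXXX, and \<other> -> <other>."""
    out, i = [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            nxt = s[i + 1]
            if nxt == "u" and i + 6 <= len(s):
                out.append(chr(int(s[i + 2:i + 6], 16)))
                i += 6
            else:
                out.append(_ESCAPES.get(nxt, nxt))
                i += 2
        else:
            out.append(s[i])
            i += 1
    return "".join(out)


def _continues(line: str) -> bool:
    """A physical line continues when it ends with an odd number of backslashes."""
    return (len(line) - len(line.rstrip("\\"))) % 2 == 1


def _split_entry(logical: str) -> tuple:
    """Key ends at the first unescaped '=', ':' or whitespace; the separator and
    the whitespace around it are dropped; both halves are unescaped."""
    i = 0
    while i < len(logical):
        if logical[i] == "\\":
            i += 2
            continue
        if logical[i] in "=: \t":
            break
        i += 1
    key, rest = logical[:i], logical[i:].lstrip(" \t")
    if rest[:1] in ("=", ":"):
        rest = rest[1:].lstrip(" \t")
    return _unescape(key), _unescape(rest)


def load_properties(text: str) -> dict:
    """Minimal java.util.Properties reader: comments, line continuation with
    leading-whitespace stripping, key/value separators and escapes."""
    props, logical = {}, None
    for raw in text.splitlines():
        line = raw.lstrip()            # leading whitespace never reaches a value
        if logical is None:
            if not line or line[0] in "#!":
                continue               # blank or comment line
            logical = ""
        if _continues(line):
            logical += line[:-1]       # join with the next physical line
            continue
        logical += line
        key, value = _split_entry(logical)
        props[key] = value
        logical = None
    if logical is not None:            # file ended on a continuation
        key, value = _split_entry(logical)
        props[key] = value
    return props


_PEM_RE = re.compile(
    r"\A-----BEGIN ([A-Z ]+)-----\n((?:[A-Za-z0-9+/=]{1,64}\n)+)-----END \1-----\n?\Z"
)


def pem_is_well_formed(value: str) -> bool:
    """Strict RFC 7468 check (mine, not Spring Boot's): header and footer on
    their own lines with matching labels, body lines of at most 64 base64
    characters that decode cleanly."""
    m = _PEM_RE.match(value.replace("\r\n", "\n"))
    if m is None:
        return False
    try:
        base64.b64decode("".join(m.group(2).split()), validate=True)
    except ValueError:                 # binascii.Error is a ValueError
        return False
    return True


if __name__ == "__main__":
    print(pem_to_properties(KEY, SAMPLE_PEM))
    print(repr(load_properties(BROKEN_ENTRY)[KEY]))
```

Generate the entry from a real file with `pem_to_properties(KEY, open(path).read())` and paste it into the externalised application-{env}.properties. Once the private key is inlined this way the properties file is key material: keep it out of source control and give it the same file permissions you would give the .pem it replaces.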
zbacjxx (Author) commented Apr 18, 2024

Ah, sorry, I am an absolute idiot in that case, as that works!

Many thanks for your time on this. I should have done a better job reading the docs (my quick Googles didn't point me to the latest).

I did notice a ticket authored by your good self here (which led me to raise this ticket) on SslBundle usage for Kafka. I have gone through the above docs and the Kafka docs and I can't see any documentation on how to use the SslBundle on the KafkaTemplate as per the RestTemplate. Is this available?

@wilkinsona (Member)
You can use spring.kafka.producer.ssl.bundle. This will configure SSL on the producer that's used by the template.

If you have any further questions, please follow up on Stack Overflow. As mentioned in the guidelines for contributing, we prefer to use GitHub issues only for bugs and enhancements.

wilkinsona closed this as not planned on Apr 18, 2024
wilkinsona added the label "status: duplicate" (A duplicate of another issue) and removed "status: waiting-for-triage" and "status: feedback-provided" on Apr 18, 2024

zbacjxx (Author) commented Apr 18, 2024

Fair point, and thanks again.
