
I have a problem connecting with my java app in spring-boot to a UAT server in AWS where my RabbitMQ is hosted. I have a load balancer in front which then redirects my requests to one of the RMQ instances.

I use SSL to connect to RabbitMQ and I generated a .p12 (PKCS12) cert file.

This is the properties file for the spring-boot java app:

spring.rabbitmq.host=rmq-lb.uat.mycompany.com
spring.rabbitmq.port=5671
spring.rabbitmq.username=live_prices
spring.rabbitmq.password=aaaa
spring.rabbitmq.virtualHost=my_virtualhost
spring.rabbitmq.ssl.enabled=true
spring.rabbitmq.ssl.algorithm=TLSv1.2
spring.rabbitmq.ssl.key-store=classpath:/rmq_wr.uat.p12
spring.rabbitmq.ssl.key-store-password=bbbb
...

If I use a .NET app I don't have to do any additional steps and I can connect to the RMQ instance with this single .p12 file. Also, if I try to connect locally via a docker container to a RMQ instance it works as well.

Below is my Spring configuration class:

import org.springframework.amqp.core.AmqpTemplate;
import org.springframework.amqp.core.Binding;
import org.springframework.amqp.core.BindingBuilder;
import org.springframework.amqp.core.Queue;
import org.springframework.amqp.core.TopicExchange;
import org.springframework.amqp.rabbit.connection.ConnectionFactory;
import org.springframework.amqp.rabbit.core.RabbitTemplate;
import org.springframework.amqp.support.converter.Jackson2JsonMessageConverter;
import org.springframework.amqp.support.converter.MessageConverter;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;

@Configuration
public class RabbitMQConfig {

    @Value("${mycompany.rabbitmq.queue}")
    String queueName;

    @Value("${mycompany.rabbitmq.exchange}")
    String exchange;

    @Value("${mycompany.rabbitmq.routingkey}")
    private String routingkey;

    @Bean
    Queue queue() {
        // durable queue, survives a broker restart
        return new Queue(queueName, true);
    }

    @Bean
    TopicExchange exchange() {
        return new TopicExchange(exchange);
    }

    @Bean
    Binding binding(Queue queue, TopicExchange exchange) {
        return BindingBuilder.bind(queue).to(exchange).with(routingkey);
    }

    @Bean
    public MessageConverter jsonMessageConverter() {
        return new Jackson2JsonMessageConverter();
    }

    // @Bean was missing here: without it this method is never called by Spring
    @Bean
    public AmqpTemplate rabbitTemplate(ConnectionFactory connectionFactory) {
        final RabbitTemplate rabbitTemplate = new RabbitTemplate(connectionFactory);
        rabbitTemplate.setMessageConverter(jsonMessageConverter());
        return rabbitTemplate;
    }
}

This is the error that I get when debugging the app:

2021-06-10 09:38:19.914  INFO 20056 --- [  restartedMain] o.s.a.r.c.CachingConnectionFactory       : Attempting to connect to: [rmq-lb.uat.mycompany.com:5671]
2021-06-10 09:38:20.145 ERROR 20056 --- [  restartedMain] c.r.client.impl.SocketFrameHandler       : TLS connection failed: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
2021-06-10 09:38:20.149  INFO 20056 --- [  restartedMain] ConditionEvaluationReportLoggingListener : 

Error starting ApplicationContext. To display the conditions report re-run your application with 'debug' enabled.
2021-06-10 09:38:20.176 ERROR 20056 --- [  restartedMain] o.s.boot.SpringApplication               : Application run failed

java.lang.IllegalStateException: Failed to execute CommandLineRunner
        at org.springframework.boot.SpringApplication.callRunner(SpringApplication.java:822) ~[spring-boot-2.4.5.jar:2.4.5]
        at org.springframework.boot.SpringApplication.callRunners(SpringApplication.java:803) ~[spring-boot-2.4.5.jar:2.4.5]
        at org.springframework.boot.SpringApplication.run(SpringApplication.java:346) ~[spring-boot-2.4.5.jar:2.4.5]
        at org.springframework.boot.SpringApplication.run(SpringApplication.java:1340) ~[spring-boot-2.4.5.jar:2.4.5]
        at org.springframework.boot.SpringApplication.run(SpringApplication.java:1329) ~[spring-boot-2.4.5.jar:2.4.5]
        at com.mycompany.rmqconnector.RMQConnectorApp.main(RMQConnectorApp.java:119) ~[classes/:na]
        at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[na:na]
        at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) ~[na:na]
        at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[na:na]
        at java.base/java.lang.reflect.Method.invoke(Method.java:566) ~[na:na]
        at org.springframework.boot.devtools.restart.RestartLauncher.run(RestartLauncher.java:49) ~[spring-boot-devtools-2.4.5.jar:2.4.5]
Caused by: org.springframework.amqp.AmqpIOException: javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        at org.springframework.amqp.rabbit.support.RabbitExceptionTranslator.convertRabbitAccessException(RabbitExceptionTranslator.java:70) ~[spring-rabbit-2.3.6.jar:2.3.6]
        at org.springframework.amqp.rabbit.connection.AbstractConnectionFactory.createBareConnection(AbstractConnectionFactory.java:602) ~[spring-rabbit-2.3.6.jar:2.3.6]
        at org.springframework.amqp.rabbit.connection.CachingConnectionFactory.createConnection(CachingConnectionFactory.java:724) ~[spring-rabbit-2.3.6.jar:2.3.6]
        at org.springframework.amqp.rabbit.connection.ConnectionFactoryUtils.createConnection(ConnectionFactoryUtils.java:216) ~[spring-rabbit-2.3.6.jar:2.3.6]
        at org.springframework.amqp.rabbit.core.RabbitTemplate.doExecute(RabbitTemplate.java:2132) ~[spring-rabbit-2.3.6.jar:2.3.6]
        at org.springframework.amqp.rabbit.core.RabbitTemplate.execute(RabbitTemplate.java:2105) ~[spring-rabbit-2.3.6.jar:2.3.6]
        at org.springframework.amqp.rabbit.core.RabbitTemplate.send(RabbitTemplate.java:1049) ~[spring-rabbit-2.3.6.jar:2.3.6]
        at org.springframework.amqp.rabbit.core.RabbitTemplate.convertAndSend(RabbitTemplate.java:1114) ~[spring-rabbit-2.3.6.jar:2.3.6]
        at org.springframework.amqp.rabbit.core.RabbitTemplate.convertAndSend(RabbitTemplate.java:1107) ~[spring-rabbit-2.3.6.jar:2.3.6]
        at com.mycompany.rmq.RabbitMQSender.send(RabbitMQSender.java:26) ~[classes/:na]
        at com.mycompany.rmqconnector.RMQConnectorApp.givenUsingTimer_whenSchedulingTaskOnce_thenCorrect(RMQConnectorApp.java:99) ~[classes/:na]
        at com.mycompany.rmqconnector.RMQConnectorApp.lambda$0(RMQConnectorApp.java:60) ~[classes/:na]
        at org.springframework.boot.SpringApplication.callRunner(SpringApplication.java:819) ~[spring-boot-2.4.5.jar:2.4.5]
        ... 10 common frames omitted
Caused by: javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:131) ~[na:na]
        at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:326) ~[na:na]
        at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:269) ~[na:na]
        at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:264) ~[na:na]
        at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.checkServerCerts(CertificateMessage.java:645) ~[na:na]
        at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.onCertificate(CertificateMessage.java:464) ~[na:na]
        at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.consume(CertificateMessage.java:360) ~[na:na]
        at java.base/sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:392) ~[na:na]
        at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:444) ~[na:na]
        at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:422) ~[na:na]
        at java.base/sun.security.ssl.TransportContext.dispatch(TransportContext.java:183) ~[na:na]
        at java.base/sun.security.ssl.SSLTransport.decode(SSLTransport.java:171) ~[na:na]
        at java.base/sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1403) ~[na:na]
        at java.base/sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1309) ~[na:na]
        at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:440) ~[na:na]
        at java.base/sun.security.ssl.SSLSocketImpl.ensureNegotiated(SSLSocketImpl.java:814) ~[na:na]
        at java.base/sun.security.ssl.SSLSocketImpl$AppOutputStream.write(SSLSocketImpl.java:1184) ~[na:na]
        at java.base/java.io.BufferedOutputStream.flushBuffer(BufferedOutputStream.java:81) ~[na:na]
        at java.base/java.io.BufferedOutputStream.flush(BufferedOutputStream.java:142) ~[na:na]
        at java.base/java.io.DataOutputStream.flush(DataOutputStream.java:123) ~[na:na]
        at com.rabbitmq.client.impl.SocketFrameHandler.sendHeader(SocketFrameHandler.java:160) ~[amqp-client-5.10.0.jar:5.10.0]
        at com.rabbitmq.client.impl.SocketFrameHandler.sendHeader(SocketFrameHandler.java:170) ~[amqp-client-5.10.0.jar:5.10.0]
        at com.rabbitmq.client.impl.AMQConnection.start(AMQConnection.java:314) ~[amqp-client-5.10.0.jar:5.10.0]
        at com.rabbitmq.client.ConnectionFactory.newConnection(ConnectionFactory.java:1139) ~[amqp-client-5.10.0.jar:5.10.0]
        at com.rabbitmq.client.ConnectionFactory.newConnection(ConnectionFactory.java:1087) ~[amqp-client-5.10.0.jar:5.10.0]
        at org.springframework.amqp.rabbit.connection.AbstractConnectionFactory.connectAddresses(AbstractConnectionFactory.java:638) ~[spring-rabbit-2.3.6.jar:2.3.6]
        at org.springframework.amqp.rabbit.connection.AbstractConnectionFactory.connect(AbstractConnectionFactory.java:613) ~[spring-rabbit-2.3.6.jar:2.3.6]
        at org.springframework.amqp.rabbit.connection.AbstractConnectionFactory.createBareConnection(AbstractConnectionFactory.java:565) ~[spring-rabbit-2.3.6.jar:2.3.6]
        ... 21 common frames omitted
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        at java.base/sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:439) ~[na:na]
        at java.base/sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:306) ~[na:na]
        at java.base/sun.security.validator.Validator.validate(Validator.java:264) ~[na:na]
        at java.base/sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:313) ~[na:na]
        at java.base/sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:222) ~[na:na]
        at java.base/sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:129) ~[na:na]
        at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.checkServerCerts(CertificateMessage.java:629) ~[na:na]
        ... 44 common frames omitted
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        at java.base/sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141) ~[na:na]
        at java.base/sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126) ~[na:na]
        at java.base/java.security.cert.CertPathBuilder.build(CertPathBuilder.java:297) ~[na:na]
        at java.base/sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:434) ~[na:na]
        ... 50 common frames omitted

Any ideas? Thanks a lot!

Edit 1

I managed to make it work in a simple Java app using Maven with the simple RabbitMQ client library.

This is the code:

import java.net.Socket;
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509ExtendedTrustManager;
import com.rabbitmq.client.Channel;
import com.rabbitmq.client.Connection;
import com.rabbitmq.client.ConnectionFactory;

public class PlainRmqClient {

    // connection parameters, same values as in the properties file above
    String rmqHost = "rmq-lb.uat.mycompany.com";
    int rmqPort = 5671;
    String rmqUsername = "live_prices";
    String rmqPassword = "aaaa";
    String vhost = "my_virtualhost";
    Connection conn;
    Channel channel;

    void connectAndPublish() throws Exception {
        // client identity: the PKCS12 file holds the private key and client certificate
        char[] keyPassphrase = "bbbb".toCharArray();
        KeyStore ks = KeyStore.getInstance("PKCS12");
        ks.load(this.getClass().getClassLoader().getResourceAsStream("rmq_wr.uat.p12"), keyPassphrase);

        KeyManagerFactory kmf = KeyManagerFactory.getInstance("SunX509");
        kmf.init(ks, keyPassphrase);

        // every check method is empty, so any server certificate is accepted:
        // the broker is never authenticated by this client
        TrustManager[] trustAllCerts = new TrustManager[]{
                new X509ExtendedTrustManager() {
                    @Override
                    public X509Certificate[] getAcceptedIssuers() { return null; }
                    @Override
                    public void checkClientTrusted(X509Certificate[] certs, String authType) {}
                    @Override
                    public void checkServerTrusted(X509Certificate[] certs, String authType) {}
                    @Override
                    public void checkClientTrusted(X509Certificate[] xcs, String string, Socket socket) throws CertificateException {}
                    @Override
                    public void checkServerTrusted(X509Certificate[] xcs, String string, Socket socket) throws CertificateException {}
                    @Override
                    public void checkClientTrusted(X509Certificate[] xcs, String string, SSLEngine ssle) throws CertificateException {}
                    @Override
                    public void checkServerTrusted(X509Certificate[] xcs, String string, SSLEngine ssle) throws CertificateException {}
                }
        };

        SSLContext c = SSLContext.getInstance("TLSv1.2");
        c.init(kmf.getKeyManagers(), trustAllCerts, null);

        ConnectionFactory factory = new ConnectionFactory();
        factory.setHost(rmqHost);
        factory.setPort(rmqPort);
        factory.setUsername(rmqUsername);
        factory.setPassword(rmqPassword);
        factory.setVirtualHost(vhost);
        factory.useSslProtocol(c);
        //factory.enableHostnameVerification();

        conn = factory.newConnection();
        channel = conn.createChannel();

        channel.basicPublish("my_exchange", "test", null, "Hello, World".getBytes());
    }
}

I believe it has something to do with the TrustStore option in the application.properties.

...
spring.rabbitmq.ssl.trust-store=file:/C:/Users/User/Desktop/rmqconnector/src/main/resources/cacerts
spring.rabbitmq.ssl.trust-store-password=changeit
spring.rabbitmq.ssl.trust-store-type=JKS
...

and in the code I tried:

import org.springframework.amqp.rabbit.connection.CachingConnectionFactory;
import org.springframework.amqp.rabbit.connection.RabbitConnectionFactoryBean;
import org.springframework.boot.autoconfigure.amqp.RabbitProperties;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.io.ClassPathResource;

@Configuration
public class RabbitSslConfig {

    @Bean
    public CachingConnectionFactory rabbitConnectionFactory(RabbitProperties config) throws Exception {
        ClassPathResource keyStorePath = new ClassPathResource("rmq_wr.uat.p12");
        ClassPathResource trustStorePath = new ClassPathResource("rmquat.jks");

        RabbitConnectionFactoryBean factory = new RabbitConnectionFactoryBean();
        if (config.determineHost() != null) {
            factory.setHost(config.determineHost());
        }
        factory.setPort(config.determinePort());
        if (config.determineUsername() != null) {
            factory.setUsername(config.determineUsername());
        }
        if (config.determinePassword() != null) {
            factory.setPassword(config.determinePassword());
        }
        if (config.determineVirtualHost() != null) {
            factory.setVirtualHost(config.determineVirtualHost());
        }
        // read ssl properties from application.properties
        RabbitProperties.Ssl ssl = config.getSsl();
        // getEnabled() returns a nullable Boolean; avoid an NPE when the property is unset
        if (Boolean.TRUE.equals(ssl.getEnabled())) {
            factory.setUseSSL(true);
            if (ssl.getAlgorithm() != null) {
                factory.setSslAlgorithm(ssl.getAlgorithm());
            }
            //System.out.println("keystore = " + ssl.getKeyStore());
            // client identity (PKCS12 from the classpath)
            factory.setKeyStore(keyStorePath.getPath());
            factory.setKeyStoreType(ssl.getKeyStoreType());
            factory.setKeyStorePassphrase(ssl.getKeyStorePassword());

            // server trust (the trust store from application.properties)
            factory.setTrustStore(ssl.getTrustStore());
            //factory.setTrustStore(trustStorePath.getPath());
            factory.setTrustStorePassphrase("changeit");
            factory.setTrustStoreType("JKS");
            //factory.setSkipServerCertificateValidation(true);
        }
        factory.afterPropertiesSet();

        CachingConnectionFactory connectionFactory = new CachingConnectionFactory(factory.getObject());
        connectionFactory.setAddresses(config.determineAddresses());
        //connectionFactory.setPublisherConfirms(config.isPublisherConfirms());
        connectionFactory.setPublisherReturns(config.isPublisherReturns());
        if (config.getCache().getChannel().getSize() != null) {
            connectionFactory.setChannelCacheSize(config.getCache().getChannel().getSize());
        }
        if (config.getCache().getConnection().getMode() != null) {
            connectionFactory.setCacheMode(config.getCache().getConnection().getMode());
        }
        if (config.getCache().getConnection().getSize() != null) {
            connectionFactory.setConnectionCacheSize(config.getCache().getConnection().getSize());
        }
        return connectionFactory;
    }
}

but this results in the following exception:

2021-06-15 20:32:04.345 ERROR 17816 --- [  restartedMain] c.r.client.impl.SocketFrameHandler       : TLS connection failed: No trusted certificate found
2021-06-15 20:32:04.355  INFO 17816 --- [  restartedMain] ConditionEvaluationReportLoggingListener : 

Error starting ApplicationContext. To display the conditions report re-run your application with 'debug' enabled.
2021-06-15 20:32:04.375 ERROR 17816 --- [  restartedMain] o.s.boot.SpringApplication               : Application run failed

java.lang.IllegalStateException: Failed to execute CommandLineRunner
        at org.springframework.boot.SpringApplication.callRunner(SpringApplication.java:822) ~[spring-boot-2.4.5.jar:2.4.5]
        at org.springframework.boot.SpringApplication.callRunners(SpringApplication.java:803) ~[spring-boot-2.4.5.jar:2.4.5]
        at org.springframework.boot.SpringApplication.run(SpringApplication.java:346) ~[spring-boot-2.4.5.jar:2.4.5]
        at org.springframework.boot.SpringApplication.run(SpringApplication.java:1340) ~[spring-boot-2.4.5.jar:2.4.5]
        at org.springframework.boot.SpringApplication.run(SpringApplication.java:1329) ~[spring-boot-2.4.5.jar:2.4.5]
        at eu.rmqconnector.RMQConnectorApp.main(RMQConnectorApp.java:125) ~[classes/:na]
        at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[na:na]
        at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) ~[na:na]
        at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[na:na]
        at java.base/java.lang.reflect.Method.invoke(Method.java:566) ~[na:na]
        at org.springframework.boot.devtools.restart.RestartLauncher.run(RestartLauncher.java:49) ~[spring-boot-devtools-2.4.5.jar:2.4.5]
Caused by: org.springframework.amqp.AmqpIOException: javax.net.ssl.SSLHandshakeException: No trusted certificate found
        at org.springframework.amqp.rabbit.support.RabbitExceptionTranslator.convertRabbitAccessException(RabbitExceptionTranslator.java:70) ~[spring-rabbit-2.3.6.jar:2.3.6]
        at org.springframework.amqp.rabbit.connection.AbstractConnectionFactory.createBareConnection(AbstractConnectionFactory.java:602) ~[spring-rabbit-2.3.6.jar:2.3.6]
        at org.springframework.amqp.rabbit.connection.CachingConnectionFactory.createConnection(CachingConnectionFactory.java:724) ~[spring-rabbit-2.3.6.jar:2.3.6]
        at org.springframework.amqp.rabbit.connection.ConnectionFactoryUtils.createConnection(ConnectionFactoryUtils.java:216) ~[spring-rabbit-2.3.6.jar:2.3.6]
        at org.springframework.amqp.rabbit.core.RabbitTemplate.doExecute(RabbitTemplate.java:2132) ~[spring-rabbit-2.3.6.jar:2.3.6]
        at org.springframework.amqp.rabbit.core.RabbitTemplate.execute(RabbitTemplate.java:2105) ~[spring-rabbit-2.3.6.jar:2.3.6]
        at org.springframework.amqp.rabbit.core.RabbitTemplate.send(RabbitTemplate.java:1049) ~[spring-rabbit-2.3.6.jar:2.3.6]
        at org.springframework.amqp.rabbit.core.RabbitTemplate.convertAndSend(RabbitTemplate.java:1114) ~[spring-rabbit-2.3.6.jar:2.3.6]
        at org.springframework.amqp.rabbit.core.RabbitTemplate.convertAndSend(RabbitTemplate.java:1107) ~[spring-rabbit-2.3.6.jar:2.3.6]
        at eu.rmq.RabbitMQSender.send(RabbitMQSender.java:26) ~[classes/:na]
        at eu.rmqconnector.RMQConnectorApp.givenUsingTimer_whenSchedulingTaskOnce_thenCorrect(RMQConnectorApp.java:105) ~[classes/:na]
        at eu.rmqconnector.RMQConnectorApp.lambda$0(RMQConnectorApp.java:66) ~[classes/:na]
        at org.springframework.boot.SpringApplication.callRunner(SpringApplication.java:819) ~[spring-boot-2.4.5.jar:2.4.5]
        ... 10 common frames omitted
Caused by: javax.net.ssl.SSLHandshakeException: No trusted certificate found
        at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:131) ~[na:na]
        at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:326) ~[na:na]
        at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:269) ~[na:na]
        at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:264) ~[na:na]
        at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.checkServerCerts(CertificateMessage.java:645) ~[na:na]
        at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.onCertificate(CertificateMessage.java:464) ~[na:na]
        at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.consume(CertificateMessage.java:360) ~[na:na]
        at java.base/sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:392) ~[na:na]
        at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:444) ~[na:na]
        at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:422) ~[na:na]
        at java.base/sun.security.ssl.TransportContext.dispatch(TransportContext.java:183) ~[na:na]
        at java.base/sun.security.ssl.SSLTransport.decode(SSLTransport.java:171) ~[na:na]
        at java.base/sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1403) ~[na:na]
        at java.base/sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1309) ~[na:na]
        at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:440) ~[na:na]
        at java.base/sun.security.ssl.SSLSocketImpl.ensureNegotiated(SSLSocketImpl.java:814) ~[na:na]
        at java.base/sun.security.ssl.SSLSocketImpl$AppOutputStream.write(SSLSocketImpl.java:1184) ~[na:na]
        at java.base/java.io.BufferedOutputStream.flushBuffer(BufferedOutputStream.java:81) ~[na:na]
        at java.base/java.io.BufferedOutputStream.flush(BufferedOutputStream.java:142) ~[na:na]
        at java.base/java.io.DataOutputStream.flush(DataOutputStream.java:123) ~[na:na]
        at com.rabbitmq.client.impl.SocketFrameHandler.sendHeader(SocketFrameHandler.java:160) ~[amqp-client-5.10.0.jar:5.10.0]
        at com.rabbitmq.client.impl.AMQConnection.start(AMQConnection.java:314) ~[amqp-client-5.10.0.jar:5.10.0]
        at com.rabbitmq.client.ConnectionFactory.newConnection(ConnectionFactory.java:1139) ~[amqp-client-5.10.0.jar:5.10.0]
        at com.rabbitmq.client.ConnectionFactory.newConnection(ConnectionFactory.java:1087) ~[amqp-client-5.10.0.jar:5.10.0]
        at org.springframework.amqp.rabbit.connection.AbstractConnectionFactory.connectAddresses(AbstractConnectionFactory.java:638) ~[spring-rabbit-2.3.6.jar:2.3.6]
        at org.springframework.amqp.rabbit.connection.AbstractConnectionFactory.connect(AbstractConnectionFactory.java:613) ~[spring-rabbit-2.3.6.jar:2.3.6]
        at org.springframework.amqp.rabbit.connection.AbstractConnectionFactory.createBareConnection(AbstractConnectionFactory.java:565) ~[spring-rabbit-2.3.6.jar:2.3.6]
        ... 21 common frames omitted
Caused by: sun.security.validator.ValidatorException: No trusted certificate found
        at java.base/sun.security.validator.SimpleValidator.buildTrustedChain(SimpleValidator.java:411) ~[na:na]
        at java.base/sun.security.validator.SimpleValidator.engineValidate(SimpleValidator.java:135) ~[na:na]
        at java.base/sun.security.validator.Validator.validate(Validator.java:264) ~[na:na]
        at java.base/sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:313) ~[na:na]
        at java.base/sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:222) ~[na:na]
        at java.base/sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:129) ~[na:na]
        at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.checkServerCerts(CertificateMessage.java:629) ~[na:na]
        ... 44 common frames omitted

I list the entries in the keystore as follows:

PS C:\Users\User\Desktop\rmqconnector\src\main\resources> keytool -list -keystore .\rmq_wr.uat.p12 -storepass bbbb -storetype PKCS12
Keystore type: PKCS12
Keystore provider: SUN

Your keystore contains 1 entry

1, Jun 15, 2021, PrivateKeyEntry,
Certificate fingerprint (SHA-256): D0:B5:76:...

I also copied the cacerts file to use it as a TrustStore, but this also does not work.

PS C:\Users\User\Desktop\rmqconnector\src\main\resources> keytool -list -keystore .\cacerts -storepass changeit -storetype PKCS12
Keystore type: PKCS12
Keystore provider: SUN

Your keystore contains 93 entries

1, Jun 14, 2021, PrivateKeyEntry,
Certificate fingerprint (SHA-256): D0:B5:76:...
...

1 Answer

Spring is complaining that it doesn't trust the certificate presented by the host rmq-lb.uat.mycompany.com.

Indeed the issue appears to be with the TrustStore that is being passed to the application.

Locally it works because the code is creating an accepting TrustStrategy, i.e. the Spring application is going to trust all the presented server certificates.

If the certificate that is being used in rmq-lb.uat.mycompany.com is trusted, i.e. was issued by a trusted CA (Certificate Authority) contained in the cacerts, there shouldn't be a problem.

For development purposes it is OK to trust all server certificates, but in a production environment it is not advisable, as one should only trust SSL certificates that were issued by official Certificate Authorities.

One thing to check is the certificate chain of the server certificate present in rmq-lb.uat.mycompany.com, and more precisely the CA root certificate. One must also check the intermediate certificates present in the certificate chain. If it was indeed issued by a trusted authority and this CA is not included in the JDK's cacerts, we can include it manually in an already created TrustStore with the command (keytool is present in the JDK bin folder):

keytool -importcert -file /pathToCert/certToTrust.cer -keystore /pathToJKS/truststore.jks -alias "certToTrust"

or alternatively, if we want to create a Java KeyStore (JKS) with the specific certificate, we can use the same command and it will create a TrustStore with the specified certificate inside.
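A hardened counterpart to the trust-all client from Edit 1, following this answer's advice (an added example, not code from the question or the answer): the client identity still comes from rmq_wr.uat.p12, but server trust comes from an explicit trust store and hostname verification is switched on. It assumes a JKS file rmquat.jks on the classpath (the name from the question's attempt) that holds the CA root and intermediates which issued the broker certificate, and reuses the host, credentials and passwords from the question's properties file.

```java
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.security.KeyStore;
import java.util.Collections;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;
import com.rabbitmq.client.Channel;
import com.rabbitmq.client.Connection;
import com.rabbitmq.client.ConnectionFactory;

public class TrustedRmqClient {

    // Loads a keystore from the classpath and fails loudly if the resource is missing:
    // KeyStore.load(null, ...) would otherwise yield an empty, silently useless store.
    static KeyStore loadStore(String type, String resource, char[] password) throws Exception {
        KeyStore store = KeyStore.getInstance(type);
        try (InputStream in = TrustedRmqClient.class.getClassLoader().getResourceAsStream(resource)) {
            if (in == null) {
                throw new IllegalStateException("resource not on classpath: " + resource);
            }
            store.load(in, password);
        }
        return store;
    }

    // Client identity from the PKCS12 file, server trust from an explicit trust store.
    // Unlike the empty X509ExtendedTrustManager, the JDK's PKIX trust manager rejects
    // any broker certificate that does not chain to a CA held in the trust store.
    static SSLContext buildSslContext(String keyStoreResource, char[] keyPass,
                                      String trustStoreResource, char[] trustPass) throws Exception {
        KeyStore identity = loadStore("PKCS12", keyStoreResource, keyPass);
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(identity, keyPass);

        KeyStore trust = loadStore("JKS", trustStoreResource, trustPass);
        // The trust store must contain the CA chain that issued the broker certificate,
        // not the client's own PrivateKeyEntry; an unrelated or empty store reproduces
        // "No trusted certificate found" at handshake time, so check it up front.
        if (Collections.list(trust.aliases()).isEmpty()) {
            throw new IllegalStateException("trust store " + trustStoreResource + " has no entries");
        }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trust);

        SSLContext ctx = SSLContext.getInstance("TLSv1.2");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        // passwords are the placeholder values from the question, not real secrets
        SSLContext ctx = buildSslContext("rmq_wr.uat.p12", "bbbb".toCharArray(),
                                         "rmquat.jks", "changeit".toCharArray());

        ConnectionFactory factory = new ConnectionFactory();
        factory.setHost("rmq-lb.uat.mycompany.com");
        factory.setPort(5671);
        factory.setUsername("live_prices");
        factory.setPassword("aaaa");
        factory.setVirtualHost("my_virtualhost");
        factory.useSslProtocol(ctx);
        // Also require the certificate to be issued for rmq-lb.uat.mycompany.com; a valid
        // chain alone would accept any certificate the trusted CA issued for another name.
        factory.enableHostnameVerification();

        try (Connection conn = factory.newConnection();
             Channel channel = conn.createChannel()) {
            channel.basicPublish("my_exchange", "test", null,
                    "Hello, World".getBytes(StandardCharsets.UTF_8));
        }
    }
}
```

Running this against the UAT load balancer with the proper trust store reproduces the PKIX error only if the broker chain genuinely does not end in one of the CAs in rmquat.jks, which is exactly the chain check the answer recommends.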
