Posted to users@camel.apache.org by Riaan Annandale <ri...@mundane.co.za> on 2019/08/07 09:29:01 UTC

http4 and x509HostnameVerifier

Hi guys

I'm trying to speak to a staging environment that uses self-signed certs. This means that when I try to connect I get:
PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
As I run my camel app in a container on openshift (more or less kubernetes) it's not trivial (I base this on feel, not facts) to add the cert to my container. I'd like to use something like the org.apache.http.conn.ssl.NoopHostnameVerifier() so that in staging I can just ignore the cert. But it doesn't look like it's actually using that method.

Implementation looks as follows:
main.bind("NoopForSelfsignedCerts", new org.apache.http.conn.ssl.NoopHostnameVerifier());

and the https bit:

.recipientList().simple("https4://" + System.getenv("someHost") + "/someURI/$simple{in.header.someId}?bridgeEndpoint=true&throwExceptionOnFailure=false&x509HostnameVerifier= NoopForSelfsignedCerts ");

It still gives the same error

Any thoughts/ suggestions?

Thanks
Riaan

RE: http4 and x509HostnameVerifier

Posted by Riaan Annandale <ri...@mundane.co.za>.
Hi Zoran

Your advice was perfect. I imported the offending certificate and then started my camel instance with -Djavax.net.ssl.trustStore=src/main/resources/SSLCerts/cacerts

Problem solved 😊

Thank you!

-----Original Message-----
From: Zoran Regvart <zo...@regvart.com> 
Sent: Wednesday, 07 August 2019 13:38
To: users@camel.apache.org
Subject: Re: http4 and x509HostnameVerifier

Hi Riaan,
I would take a different approach: to provide the additional trust anchor certificates in a Java keystore file, provided by a ConfigMap, and on startup check if the additional keystore file exists and either use that instead of the system keystore file or merge the two and configure Camel with the resulting keystore.

zoran

--
Zoran Regvart

Re: http4 and x509HostnameVerifier

Posted by Zoran Regvart <zo...@regvart.com>.
Hi Riaan,
I would take a different approach: to provide the additional trust
anchor certificates in a Java keystore file, provided by a ConfigMap,
and on startup check if the additional keystore file exists and either
use that instead of the system keystore file or merge the two and
configure Camel with the resulting keystore.

zoran

-- 
Zoran Regvart
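
The startup check Zoran suggests, written out in Java as an added example that is not code from the thread or from Camel: it copies the JVM's default trust anchors into an in-memory keystore and adds the certificate entries from an extra keystore when that file is present. The class name, the mount path and the EXTRA_TRUSTSTORE_PASSWORD variable are assumptions, and handing the resulting SSLContext to the Camel endpoint is not shown.

```java
import java.io.InputStream;
import java.nio.file.*;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import java.util.Collections;
import javax.net.ssl.*;

public class MergedTrustStore {
    /** JVM default trust anchors plus the certificate entries of the extra keystore, if that file exists. */
    static KeyStore merge(Path extra, char[] password) throws Exception {
        KeyStore merged = KeyStore.getInstance(KeyStore.getDefaultType());
        merged.load(null, null); // start from an empty in-memory store
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null); // null selects the JVM's default trust store
        int n = 0;
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (!(tm instanceof X509TrustManager)) continue;
            for (X509Certificate ca : ((X509TrustManager) tm).getAcceptedIssuers()) {
                merged.setCertificateEntry("system-" + n++, ca);
            }
        }
        if (extra != null && Files.isReadable(extra)) { // a missing file leaves the defaults untouched
            KeyStore added = KeyStore.getInstance(KeyStore.getDefaultType());
            try (InputStream in = Files.newInputStream(extra)) { added.load(in, password); }
            for (String alias : Collections.list(added.aliases())) {
                if (added.isCertificateEntry(alias)) { // trusted certificates only, no private-key entries
                    merged.setCertificateEntry("extra-" + alias, added.getCertificate(alias));
                }
            }
        }
        return merged;
    }
    /** TLS context whose server-chain validation uses exactly the given anchors. */
    static SSLContext contextFor(KeyStore trust) throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trust);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null); // no client key, default SecureRandom
        return ctx;
    }
    public static void main(String[] args) throws Exception {
        // Hypothetical ConfigMap mount path; pass another path as the first argument.
        Path extra = Paths.get(args.length > 0 ? args[0] : "/etc/camel/truststore/extra.jks");
        String pw = System.getenv("EXTRA_TRUSTSTORE_PASSWORD"); // hypothetical variable name
        KeyStore trust = merge(extra, pw == null ? null : pw.toCharArray());
        SSLContext ctx = contextFor(trust);
        System.out.println(trust.size() + " trust anchors loaded for " + ctx.getProtocol());
    }
}
```

Chain validation and hostname checking both stay enabled with this approach; only the set of trusted anchors grows.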