New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[18.0.0.1] SSL certificates issue #4377
Comments
This is related to #3117 |
@acdemyers FYI |
Liberty SSL does not use cacerts file by default, it has far to much trust. If users would like to use the cacerts file for trust then they will have to create a SSL configuration and keystore configuration to point to the cacerts file. |
@acdemyers would it be possible to allow a user to opt-into trusting cacerts with a single boolean value? Such as: <sslDefault trustCACerts="true"/> <!-- default=false --> |
@aguibert I have never been in favor of doing this kind of special casing in the SSL code. Yet another hidden configuration, then this makes it even more complicated. The hidden defaultSSLConfig can look different depending on a config option. I really think it better for users to add the configuration themselves so the know exactly what they have. |
@acdemyers @aguibert I encountered the issue using Stripe.Com's own Java API (arguably, the most popular payment processor for startups). You can just go to https://api.stripe.com with a browser and see the certificate chain (just click on the lock symbol in the address bar). The Stripe own cert is short lived - a few months. It would be major pain to keep rebuilding/deploying thrust store files every few months in production. However, I was able to import in a trust store the parent certificate (from DigiCert) and use it for Stripe Java API. I think it is valid for about 10 years, so the pain is much smaller, but one still needs to build store file I think @aguibert suggestion to be able to tap into JDK's cacert is excellent option to have. If these certs are good enough for the JDK, they surely should be good enough for OL. Plus, there would be no need to build key/trust store files. |
@hrstoyanov The thing is you can tap into the jdk's cacerts file, just create a configuration entry to point to it. eg. <ssl id="defaultSSLConfig" keyStoreRef="defaultKeyStore" trustStoreRef="defaultTrustStore" />
<keyStore id="defaultKeyStore" password="<password for default key/keystore"/>
<keyStore id="defaultTrustStore" location="<enter path to JDK cacerts file>" type="JKS" password="changeit" /> Or if you are on a level where default keystore gets auto generated you can do have: <ssl id="defaultSSLConfig" keyStoreRef="defaultKeyStore" trustStoreRef="defaultTrustStore" />
<keyStore id="defaultTrustStore" location="<enter path to JDK cacerts file>" type="JKS" password="changeit" /> |
.. also, this SSL issue is dependent on the way some vendor's Java webs ervice API is using TLS. For example, using the Amazon AWS Java API 2.0 never exhibited that SSL issue, which I suspect is because they go directly for the JDK's cacerts and are imuine to OL SSL configurations. I have not seen the issue with Auth0.Com (a very popular and affordable JWT single-sigh on provider) Java API either. |
@acdemyers Thanks, In case some one needs Gradle code to automatically build stores, I hope this would save your some pain:
|
@hrstoyanov So do you want to use the JDK's default SSLContext and not Liberty's? |
@acdemyers, I probably have to compare Stripe.Com's vs Amazon WAS vs Auth0.Com Java web service wrapper APIs to see why one of them picks up OL SSL config and the other two - don't. I don't intend to use SSL for any other purpose in my app. Fortunately all of the JAva API wrappers above are open source on github.com, so if I have the time, I will do it. ...Just for the record, I was nearly tempted to ditch all of these vendor Java wrappers and go straight with the newly minted Microprofile Rest Client ... but decided to play it safe. Further, OL allows me to keep my WARs super skinny by moving these vendor APIs in shared libraries - again, if someone want to save some pain and go skinny:
and then in your
|
@acdemyers btw, your example on how to reference JDK's cacert sounds like solution to this issue, fell free to close it |
Thanks for the discussion @hrstoyanov, closing out this issue |
np, @aguibert |
IBM Event Streams on Cloud Public would also need something like: They use Let'sEncrypt and refresh server's certificates routinely. |
Here is an SSL exception I get when trying to communicate with Stripe.Com APIs:
Stripe.Com's certificates are perfectly verifiable by only using the root certificates supplied in JDK's \jre\lib\security\cacerts.
Why is OpenLiberty forcing me to import Stripe's certificates in other keystores? And what happens when Stripe's current certificate expires???
The text was updated successfully, but these errors were encountered: