decrypt issue during spring.cloud.config.server.bootstrap #2265

Closed
zackfei opened this issue May 13, 2023 · 7 comments · Fixed by #2340

Comments

@zackfei

zackfei commented May 13, 2023

Describe the bug

Migrating from

springboot 2.7.x
springcloud 2021.0.6

to

springboot 3.0.6
springcloud 2022.0.2

With spring.cloud.config.server.bootstrap set to true, configserver no longer decrypts the entries inside the search-locations when configuring itself. It works fine when I change them to plain text.

P.S. It works fine on springboot 2.7.x.

bootstrap.yml

spring:
  application:
    name: configserver
  profiles:
    active: dev
    default: dev
    include: composite
  cloud:
    config:
      server: ## ConfigServerAutoConfiguration ##
        bootstrap: true
        composite:
          - type: native
            search-locations: 
            - file:/app/config/centralconfig/conf

encrypt:
  key-store:
    location: classpath:/encrypt/encrypt.pkcs12
    password: xxxxxx
    alias: encrypt-dev
    type: pkcs12

configserver-dev.yml

spring:
  security:
    user:
      name: admin
      # admin
      password: '{cipher}{key:encrypt-dev}AQCMdfP7wlVsVq43iJxdqnPiFyBAzpdPyXd7emIppONCqs6ilazJ8ttZLkmR7x26hAhAIxizFSy3+uYwNjakrm3o4M1MGmKEYJcMbdJKXNOKftIf15qcB0CwokXl2pSPeYq23aUwryBld6wKuBWjVg8mQ+8InYxJUVMTVbrOxg+yK/PCjCcf/j8g3g7PtTARaRo2Wz9lnojRZNFs7aHXDdyzUH6USrxFZ7l4kb6eficyhMyv+he7l8LOCckSQIBdEHsoeUnLCfAfSAm2xbbU47H8fSK5058MxJWRuSDSMaoh2O/+UcKUs38WPbofTQGudaxsn0i8xJAvMuTViEZBy+sxIl0raIYdzTcb9Ywy3DTmK5Hj6YGj4k1qiv14MQbHNsk='
      roles: USER, ADMIN
@ryanjbaxter
Contributor

Are you saying it's not able to decrypt the search-locations property or the property files within the search-locations?

@zackfei
Author

zackfei commented May 16, 2023

Are you saying it's not able to decrypt the search-locations property or the property files within the search-locations?

Not able to decrypt entries inside the property files within search-locations.
For example, configserver-dev.yml above is one of the files inside search-locations.
I'm not sure whether the decryption process was not triggered, OR decryption was triggered but was not able to decrypt while bootstrapping configserver itself.
Anyway, spring.security.user.password inside configserver-dev.yml was not correct when I tried to call the configserver API with the configured spring security username and password; the stacktrace below shows it, meaning spring security is using the unencrypted password to configure the default user.

java.lang.IllegalArgumentException: There is no PasswordEncoder mapped for the id "key:encrypt-dev"
        at org.springframework.security.crypto.password.DelegatingPasswordEncoder$UnmappedIdPasswordEncoder.matches(DelegatingPasswordEncoder.java:289) ~[spring-security-crypto-6.0.3.jar:6.0.3]
        at org.springframework.security.crypto.password.DelegatingPasswordEncoder.matches(DelegatingPasswordEncoder.java:237) ~[spring-security-crypto-6.0.3.jar:6.0.3]
        at org.springframework.security.authentication.dao.DaoAuthenticationProvider.additionalAuthenticationChecks(DaoAuthenticationProvider.java:86) ~[spring-security-core-6.0.3.jar:6.0.3]
        at org.springframework.security.authentication.dao.AbstractUserDetailsAuthenticationProvider.authenticate(AbstractUserDetailsAuthenticationProvider.java:147) ~[spring-security-core-6.0.3.jar:6.0.3]
        at org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:182) ~[spring-security-core-6.0.3.jar:6.0.3]
        at org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:201) ~[spring-security-core-6.0.3.jar:6.0.3]
        at org.springframework.security.authentication.ObservationAuthenticationManager.lambda$authenticate$1(ObservationAuthenticationManager.java:53) ~[spring-security-core-6.0.3.jar:6.0.3]
        at io.micrometer.observation.Observation.observe(Observation.java:562) ~[micrometer-observation-1.10.6.jar:1.10.6]
        at org.springframework.security.authentication.ObservationAuthenticationManager.authenticate(ObservationAuthenticationManager.java:52) ~[spring-security-core-6.0.3.jar:6.0.3]
        at org.springframework.security.web.authentication.www.BasicAuthenticationFilter.doFilterInternal(BasicAuthenticationFilter.java:176) ~[spring-security-web-6.0.3.jar:6.0.3]
        at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:116) ~[spring-web-6.0.8.jar:6.0.8]
        at org.springframework.security.web.ObservationFilterChainDecorator$ObservationFilter.wrapFilter(ObservationFilterChainDecorator.java:185) ~[spring-security-web-6.0.3.jar:6.0.3]
        at org.springframework.security.web.ObservationFilterChainDecorator$ObservationFilter.doFilter(ObservationFilterChainDecorator.java:172) ~[spring-security-web-6.0.3.jar:6.0.3]
        at org.springframework.security.web.ObservationFilterChainDecorator$VirtualFilterChain.doFilter(ObservationFilterChainDecorator.java:133) ~[spring-security-web-6.0.3.jar:6.0.3]
        at org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:107) ~[spring-security-web-6.0.3.jar:6.0.3]
        at org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:93) ~[spring-security-web-6.0.3.jar:6.0.3]
        at org.springframework.security.web.ObservationFilterChainDecorator$ObservationFilter.wrapFilter(ObservationFilterChainDecorator.java:185) ~[spring-security-web-6.0.3.jar:6.0.3]
        at org.springframework.security.web.ObservationFilterChainDecorator$ObservationFilter.doFilter(ObservationFilterChainDecorator.java:172) ~[spring-security-web-6.0.3.jar:6.0.3]
        at org.springframework.security.web.ObservationFilterChainDecorator$VirtualFilterChain.doFilter(ObservationFilterChainDecorator.java:133) ~[spring-security-web-6.0.3.jar:6.0.3]
        at org.springframework.security.web.header.HeaderWriterFilter.doHeadersAfter(HeaderWriterFilter.java:90) ~[spring-security-web-6.0.3.jar:6.0.3]
        at org.springframework.security.web.header.HeaderWriterFilter.doFilterInternal(HeaderWriterFilter.java:75) ~[spring-security-web-6.0.3.jar:6.0.3]
        at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:116) ~[spring-web-6.0.8.jar:6.0.8]
        at org.springframework.security.web.ObservationFilterChainDecorator$ObservationFilter.wrapFilter(ObservationFilterChainDecorator.java:185) ~[spring-security-web-6.0.3.jar:6.0.3]
        at org.springframework.security.web.ObservationFilterChainDecorator$ObservationFilter.doFilter(ObservationFilterChainDecorator.java:172) ~[spring-security-web-6.0.3.jar:6.0.3]
        at org.springframework.security.web.ObservationFilterChainDecorator$VirtualFilterChain.doFilter(ObservationFilterChainDecorator.java:133) ~[spring-security-web-6.0.3.jar:6.0.3]
        at org.springframework.security.web.context.SecurityContextHolderFilter.doFilter(SecurityContextHolderFilter.java:82) ~[spring-security-web-6.0.3.jar:6.0.3]
        at org.springframework.security.web.context.SecurityContextHolderFilter.doFilter(SecurityContextHolderFilter.java:69) ~[spring-security-web-6.0.3.jar:6.0.3]
        at org.springframework.security.web.ObservationFilterChainDecorator$ObservationFilter.wrapFilter(ObservationFilterChainDecorator.java:185) ~[spring-security-web-6.0.3.jar:6.0.3]
        at org.springframework.security.web.ObservationFilterChainDecorator$ObservationFilter.doFilter(ObservationFilterChainDecorator.java:172) ~[spring-security-web-6.0.3.jar:6.0.3]
        at org.springframework.security.web.ObservationFilterChainDecorator$VirtualFilterChain.doFilter(ObservationFilterChainDecorator.java:133) ~[spring-security-web-6.0.3.jar:6.0.3]
        at org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter.doFilterInternal(WebAsyncManagerIntegrationFilter.java:62) ~[spring-security-web-6.0.3.jar:6.0.3]
        at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:116) ~[spring-web-6.0.8.jar:6.0.8]
        at org.springframework.security.web.ObservationFilterChainDecorator$ObservationFilter.wrapFilter(ObservationFilterChainDecorator.java:185) ~[spring-security-web-6.0.3.jar:6.0.3]
        at org.springframework.security.web.ObservationFilterChainDecorator$ObservationFilter.doFilter(ObservationFilterChainDecorator.java:172) ~[spring-security-web-6.0.3.jar:6.0.3]
        at org.springframework.security.web.ObservationFilterChainDecorator$VirtualFilterChain.doFilter(ObservationFilterChainDecorator.java:133) ~[spring-security-web-6.0.3.jar:6.0.3]
        at org.springframework.security.web.session.DisableEncodeUrlFilter.doFilterInternal(DisableEncodeUrlFilter.java:42) ~[spring-security-web-6.0.3.jar:6.0.3]
        at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:116) ~[spring-web-6.0.8.jar:6.0.8]
        at org.springframework.security.web.ObservationFilterChainDecorator$ObservationFilter.wrapFilter(ObservationFilterChainDecorator.java:185) ~[spring-security-web-6.0.3.jar:6.0.3]
        at org.springframework.security.web.ObservationFilterChainDecorator$AroundFilterObservation$SimpleAroundFilterObservation.lambda$wrap$0(ObservationFilterChainDecorator.java:268) ~[spring-security-web-6.0.3.jar:6.0.3]
        at org.springframework.security.web.ObservationFilterChainDecorator$ObservationFilter.doFilter(ObservationFilterChainDecorator.java:169) ~[spring-security-web-6.0.3.jar:6.0.3]
        at org.springframework.security.web.ObservationFilterChainDecorator$VirtualFilterChain.doFilter(ObservationFilterChainDecorator.java:133) ~[spring-security-web-6.0.3.jar:6.0.3]
        at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:233) ~[spring-security-web-6.0.3.jar:6.0.3]
        at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:191) ~[spring-security-web-6.0.3.jar:6.0.3]
        at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:352) ~[spring-web-6.0.8.jar:6.0.8]
        at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:268) ~[spring-web-6.0.8.jar:6.0.8]
        at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:67) ~[undertow-servlet-2.3.5.Final.jar:2.3.5.Final]
        at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131) ~[undertow-servlet-2.3.5.Final.jar:2.3.5.Final]
        at org.springframework.web.filter.RequestContextFilter.doFilterInternal(RequestContextFilter.java:100) ~[spring-web-6.0.8.jar:6.0.8]
        at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:116) ~[spring-web-6.0.8.jar:6.0.8]
        at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:67) ~[undertow-servlet-2.3.5.Final.jar:2.3.5.Final]
        at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131) ~[undertow-servlet-2.3.5.Final.jar:2.3.5.Final]
        at org.springframework.web.filter.FormContentFilter.doFilterInternal(FormContentFilter.java:93) ~[spring-web-6.0.8.jar:6.0.8]
        at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:116) ~[spring-web-6.0.8.jar:6.0.8]
        at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:67) ~[undertow-servlet-2.3.5.Final.jar:2.3.5.Final]
        at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131) ~[undertow-servlet-2.3.5.Final.jar:2.3.5.Final]
        at org.springframework.web.filter.ServerHttpObservationFilter.doFilterInternal(ServerHttpObservationFilter.java:109) ~[spring-web-6.0.8.jar:6.0.8]
        at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:116) ~[spring-web-6.0.8.jar:6.0.8]
        at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:67) ~[undertow-servlet-2.3.5.Final.jar:2.3.5.Final]
        at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131) ~[undertow-servlet-2.3.5.Final.jar:2.3.5.Final]
        at org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:201) ~[spring-web-6.0.8.jar:6.0.8]
        at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:116) ~[spring-web-6.0.8.jar:6.0.8]
        at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:67) ~[undertow-servlet-2.3.5.Final.jar:2.3.5.Final]
        at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131) ~[undertow-servlet-2.3.5.Final.jar:2.3.5.Final]
        at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84) ~[undertow-servlet-2.3.5.Final.jar:2.3.5.Final]
        at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62) ~[undertow-servlet-2.3.5.Final.jar:2.3.5.Final]
        at io.undertow.servlet.handlers.ServletChain$1.handleRequest(ServletChain.java:68) ~[undertow-servlet-2.3.5.Final.jar:2.3.5.Final]
        at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36) ~[undertow-servlet-2.3.5.Final.jar:2.3.5.Final]
        at io.undertow.servlet.handlers.RedirectDirHandler.handleRequest(RedirectDirHandler.java:68) ~[undertow-servlet-2.3.5.Final.jar:2.3.5.Final]
        at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:117) ~[undertow-servlet-2.3.5.Final.jar:2.3.5.Final]
        at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57) ~[undertow-servlet-2.3.5.Final.jar:2.3.5.Final]
        at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) ~[undertow-core-2.3.5.Final.jar:2.3.5.Final]
        at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46) ~[undertow-core-2.3.5.Final.jar:2.3.5.Final]
        at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64) ~[undertow-servlet-2.3.5.Final.jar:2.3.5.Final]
        at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60) ~[undertow-core-2.3.5.Final.jar:2.3.5.Final]
        at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77) ~[undertow-servlet-2.3.5.Final.jar:2.3.5.Final]
        at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43) ~[undertow-core-2.3.5.Final.jar:2.3.5.Final]
        at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) ~[undertow-core-2.3.5.Final.jar:2.3.5.Final]
        at io.undertow.servlet.handlers.SendErrorPageHandler.handleRequest(SendErrorPageHandler.java:52) ~[undertow-servlet-2.3.5.Final.jar:2.3.5.Final]
        at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) ~[undertow-core-2.3.5.Final.jar:2.3.5.Final]
        at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:276) ~[undertow-servlet-2.3.5.Final.jar:2.3.5.Final]
        at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:135) ~[undertow-servlet-2.3.5.Final.jar:2.3.5.Final]
        at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:132) ~[undertow-servlet-2.3.5.Final.jar:2.3.5.Final]
        at io.undertow.servlet.core.ServletRequestContextThreadSetupAction$1.call(ServletRequestContextThreadSetupAction.java:48) ~[undertow-servlet-2.3.5.Final.jar:2.3.5.Final]
        at io.undertow.servlet.core.ContextClassLoaderSetupAction$1.call(ContextClassLoaderSetupAction.java:43) ~[undertow-servlet-2.3.5.Final.jar:2.3.5.Final]
        at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:256) ~[undertow-servlet-2.3.5.Final.jar:2.3.5.Final]
        at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:101) ~[undertow-servlet-2.3.5.Final.jar:2.3.5.Final]
        at io.undertow.server.Connectors.executeRootHandler(Connectors.java:393) ~[undertow-core-2.3.5.Final.jar:2.3.5.Final]
        at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:859) ~[undertow-core-2.3.5.Final.jar:2.3.5.Final]
        at org.jboss.threads.ContextHandler$1.runWith(ContextHandler.java:18) ~[jboss-threads-3.5.0.Final.jar:3.5.0.Final]
        at org.jboss.threads.EnhancedQueueExecutor$Task.run(EnhancedQueueExecutor.java:2513) ~[jboss-threads-3.5.0.Final.jar:3.5.0.Final]
        at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1538) ~[jboss-threads-3.5.0.Final.jar:3.5.0.Final]
        at org.xnio.XnioWorker$WorkerThreadFactory$1$1.run(XnioWorker.java:1282) ~[xnio-api-3.8.8.Final.jar:3.8.8.Final]
        at java.base/java.lang.Thread.run(Thread.java:833) ~[na:na]

@ryanjbaxter
Contributor

I just noticed in the example you provided the alias is encrypt-prd but the encrypted password is using encrypt-dev.

@zackfei
Author

zackfei commented May 17, 2023

I just noticed in the example you provided the alias is encrypt-prd but the encrypted password is using encrypt-dev.

It actually has another bootstrap-dev.yml that overrides that alias to encrypt-dev. I just wanted to simplify the provided sample yml. I edited the sample to correct the alias.

@zackfei
Author

zackfei commented Jun 20, 2023

Hi @ryanjbaxter, any update on this?

@ryanjbaxter
Contributor

I am not able to reproduce this issue.

Within the search-location I have configured my config server to look in, I have an application.yaml with the following property:
hello: "{cipher}AQAbQgcJyxoyhChma8bj635RQySmauqAdK8/DBdAp9/Rskztrp0znaVt8hU5voU2Zt3QgUlL2ol2CxpoBS9geK/rYm+8hfmHSvBNu0IncLAx35QJ58cUEhDDohLsm1yitvB4GI7Bzqiw2gbfeCfAHtJgApoQvE+rNQZI4ZnvoD4rFdRnS25tfqP7J1zDvzaUbG8IPDfOtc9jwlpTmP0dHajT8VUxhz3YdrQCT5XzS7Zlo/LvgytKtWMBtZsBxQT+JZHcZ//FajrWzB9GI+0b+2Llhpj6rwDMK28uN2NK8XdlGORptWt0z62rOMPwxDR3N1D/zBTNSgesEWKhZqYqA2tOnStmWTqGe/o5tZaqdpm+5TDZ/ANNjqX0Zld83JuazBQ="

When I then hit http://localhost:8888/application/default I get the following response with the property decrypted.

{
  "name": "application",
  "profiles": [
    "default"
  ],
  "label": null,
  "version": null,
  "state": null,
  "propertySources": [
    {
      "name": "file:/Users/ryanjbaxter/temp/issues/2265/demo/config/application.yaml",
      "source": {
        "hello": "mysecret"
      }
    }
  ]
}

@zackfei
Author

zackfei commented Oct 18, 2023

The keys to reproduce are:

  • set spring.cloud.config.server.bootstrap to true

  • use the composite profile with the native type

  • since configserver uses configserver as its spring.application.name, the search-location contains a configserver.yml. This file contains some configuration required to start up configserver itself, like the spring security user password shown above in my 1st post, and server.ssl as shown below, e.g.

     server:
       ssl:
         key-store: file:/app/tls/micro/application-key.pkcs12
         key-store-password: '{cipher}{key:encrypt-dev}AQCJAj1KyOVG7Pz4E6+0bvKi02gM37f5A7/FU+7J6ZJfAbP1moYUEVG8pc4tFep3dzw+GJKsVqDgWFfq56eCcU6TQ4rYxf6sietO0goWYSC3bsymoH46DuGjP1LunzHGSZMGzURInTfGfU2ag027MRiiqiZkaNPg8uU18Aqt0cdf1ziHDzgj3WlD6IyQ0fknpUMKH1dMR1380NPvfYrZ25t8BkFOzfAc8vkNnn96T3I428MynRBkZZQU8IDxWrJ+JpXFE/20P41yTwLkrZryRgjHe+iBS6C9XpLCzlufWkDUKusny+Vgghwq4uOYwjnDA8xwcicJo+EbQdggZn/Sgsw3dKUdHQ83Q8OEy1pRt1hOL/vZuVBfBQOM9WZIOB7tQ50='
         key-store-type: pkcs12
         key-password: '{cipher}{key:encrypt-dev}AQCJAj1KyOVG7Pz4E6+0bvKi02gM37f5A7/FU+7J6ZJfAbP1moYUEVG8pc4tFep3dzw+GJKsVqDgWFfq56eCcU6TQ4rYxf6sietO0goWYSC3bsymoH46DuGjP1LunzHGSZMGzURInTfGfU2ag027MRiiqiZkaNPg8uU18Aqt0cdf1ziHDzgj3WlD6IyQ0fknpUMKH1dMR1380NPvfYrZ25t8BkFOzfAc8vkNnn96T3I428MynRBkZZQU8IDxWrJ+JpXFE/20P41yTwLkrZryRgjHe+iBS6C9XpLCzlufWkDUKusny+Vgghwq4uOYwjnDA8xwcicJo+EbQdggZn/Sgsw3dKUdHQ83Q8OEy1pRt1hOL/vZuVBfBQOM9WZIOB7tQ50='
         trust-store: file:/app/tls/micro/application-trust.pkcs12
         trust-store-password: '{cipher}{key:encrypt-dev}AQCJAj1KyOVG7Pz4E6+0bvKi02gM37f5A7/FU+7J6ZJfAbP1moYUEVG8pc4tFep3dzw+GJKsVqDgWFfq56eCcU6TQ4rYxf6sietO0goWYSC3bsymoH46DuGjP1LunzHGSZMGzURInTfGfU2ag027MRiiqiZkaNPg8uU18Aqt0cdf1ziHDzgj3WlD6IyQ0fknpUMKH1dMR1380NPvfYrZ25t8BkFOzfAc8vkNnn96T3I428MynRBkZZQU8IDxWrJ+JpXFE/20P41yTwLkrZryRgjHe+iBS6C9XpLCzlufWkDUKusny+Vgghwq4uOYwjnDA8xwcicJo+EbQdggZn/Sgsw3dKUdHQ83Q8OEy1pRt1hOL/vZuVBfBQOM9WZIOB7tQ50='
         trust-store-type: pkcs12

Then it ends up not able to start because the keystore password was incorrect, because configserver didn't decrypt the cipher when bootstrapping itself.
It works fine if I change all the ciphers (only the configserver-related ones required to start up itself) to plain text. After it is able to start with plain text, any http://localhost:8888/application/default or http://localhost:8888/<application>/<profile> request works fine because that is runtime decryption.

org.springframework.context.ApplicationContextException: Unable to start web server
        at org.springframework.boot.web.servlet.context.ServletWebServerApplicationContext.onRefresh(ServletWebServerApplicationContext.java:164) ~[spring-boot-3.0.10.jar:3.0.10]
        at org.springframework.context.support.AbstractApplicationContext.refresh(AbstractApplicationContext.java:602) ~[spring-context-6.0.11.jar:6.0.11]
        at org.springframework.boot.web.servlet.context.ServletWebServerApplicationContext.refresh(ServletWebServerApplicationContext.java:146) ~[spring-boot-3.0.10.jar:3.0.10]
        at org.springframework.boot.SpringApplication.refresh(SpringApplication.java:732) ~[spring-boot-3.0.10.jar:3.0.10]
        at org.springframework.boot.SpringApplication.refreshContext(SpringApplication.java:434) ~[spring-boot-3.0.10.jar:3.0.10]
        at org.springframework.boot.SpringApplication.run(SpringApplication.java:310) ~[spring-boot-3.0.10.jar:3.0.10]
        at io.cv.configserver.ConfigServerApplication.main(ConfigServerApplication.java:24) ~[main/:na]
Caused by: java.lang.IllegalStateException: org.springframework.boot.web.server.WebServerException: Could not load key store 'file:/app/tls/micro/application-key.pkcs12'
        at org.springframework.boot.web.embedded.undertow.SslBuilderCustomizer.getKeyManagers(SslBuilderCustomizer.java:127) ~[spring-boot-3.0.10.jar:3.0.10]
        at org.springframework.boot.web.embedded.undertow.SslBuilderCustomizer.customize(SslBuilderCustomizer.java:77) ~[spring-boot-3.0.10.jar:3.0.10]
        at org.springframework.boot.web.embedded.undertow.UndertowWebServerFactoryDelegate.createBuilder(UndertowWebServerFactoryDelegate.java:167) ~[spring-boot-3.0.10.jar:3.0.10]
        at org.springframework.boot.web.embedded.undertow.UndertowServletWebServerFactory.getWebServer(UndertowServletWebServerFactory.java:297) ~[spring-boot-3.0.10.jar:3.0.10]
        at org.springframework.boot.web.servlet.context.ServletWebServerApplicationContext.createWebServer(ServletWebServerApplicationContext.java:183) ~[spring-boot-3.0.10.jar:3.0.10]
        at org.springframework.boot.web.servlet.context.ServletWebServerApplicationContext.onRefresh(ServletWebServerApplicationContext.java:161) ~[spring-boot-3.0.10.jar:3.0.10]
        ... 6 common frames omitted
Caused by: org.springframework.boot.web.server.WebServerException: Could not load key store 'file:/app/tls/micro/application-key.pkcs12'
        at org.springframework.boot.web.embedded.undertow.SslBuilderCustomizer.loadStore(SslBuilderCustomizer.java:199) ~[spring-boot-3.0.10.jar:3.0.10]
        at org.springframework.boot.web.embedded.undertow.SslBuilderCustomizer.loadKeyStore(SslBuilderCustomizer.java:171) ~[spring-boot-3.0.10.jar:3.0.10]
        at org.springframework.boot.web.embedded.undertow.SslBuilderCustomizer.getKeyStore(SslBuilderCustomizer.java:145) ~[spring-boot-3.0.10.jar:3.0.10]
        at org.springframework.boot.web.embedded.undertow.SslBuilderCustomizer.getKeyManagers(SslBuilderCustomizer.java:112) ~[spring-boot-3.0.10.jar:3.0.10]
        ... 11 common frames omitted
Caused by: java.io.IOException: keystore password was incorrect
        at java.base/sun.security.pkcs12.PKCS12KeyStore.engineLoad(PKCS12KeyStore.java:2159) ~[na:na]
        at java.base/sun.security.util.KeyStoreDelegator.engineLoad(KeyStoreDelegator.java:221) ~[na:na]
        at java.base/java.security.KeyStore.load(KeyStore.java:1473) ~[na:na]
        at org.springframework.boot.web.embedded.undertow.SslBuilderCustomizer.loadStore(SslBuilderCustomizer.java:195) ~[spring-boot-3.0.10.jar:3.0.10]
        ... 14 common frames omitted
Caused by: java.security.UnrecoverableKeyException: failed to decrypt safe contents entry: javax.crypto.BadPaddingException: Given final block not properly padded. Such issues can arise if a bad key is used during decryption.
        ... 18 common frames omitted
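Added example (not from the issue or from the spring-cloud-config project): a small Python audit of the flattened property map a bootstrapped config server would expose, which flags the three failure modes visible in this thread: startup-critical keys (server.ssl.*, spring.security.user.password) still holding `{cipher}` text after bootstrap, a `{key:alias}` prefix that names a different alias than encrypt.key-store.alias (the encrypt-prd vs encrypt-dev mix-up above), and payloads that are not valid base64. The `{cipher}{key:alias}<base64>` layout is modelled after Spring Cloud Config's value convention as an assumption; the property names are taken from the issue's YAML and the payloads are constructed, not real ciphertext.

```python
import base64
import binascii
import re
from dataclasses import dataclass

# Spring Cloud Config marks encrypted values with a "{cipher}" prefix. With a
# keystore-backed encryptor the value may also carry "{key:<alias>}" (and
# "{name:...}" / "{secret:...}") prefixes ahead of the base64 payload, as in
# the issue's '{cipher}{key:encrypt-dev}AQCM...' values. (Assumed layout.)
CIPHER_PREFIX = "{cipher}"
PREFIX_RE = re.compile(r"^\{(?P<name>[A-Za-z]+):(?P<value>[^}]*)\}")

# Keys the config server needs for its own startup. If one of these still
# holds "{cipher}..." once bootstrap is done, the server boots with the
# ciphertext as the secret: the "keystore password was incorrect" and
# 'no PasswordEncoder mapped for the id "key:encrypt-dev"' errors above.
STARTUP_CRITICAL_PREFIXES = ("server.ssl.", "spring.security.user.password")


@dataclass
class Finding:
    key: str
    problem: str


def parse_cipher_value(value):
    """Split '{cipher}{key:alias}<base64>' into (prefixes, payload).

    Returns None when the value is not an encrypted value at all.
    """
    if not isinstance(value, str) or not value.startswith(CIPHER_PREFIX):
        return None
    rest = value[len(CIPHER_PREFIX):]
    prefixes = {}
    while True:
        match = PREFIX_RE.match(rest)
        if match is None:
            break
        prefixes[match.group("name")] = match.group("value")
        rest = rest[match.end():]
    return prefixes, rest


def check_properties(props, configured_alias):
    """Audit a flattened property map (what the bootstrapped Environment would
    expose) and return one Finding per value that cannot or did not decrypt."""
    findings = []
    for key, value in props.items():
        parsed = parse_cipher_value(value)
        if parsed is None:
            continue
        prefixes, payload = parsed
        # No {key:} prefix means the default alias (encrypt.key-store.alias).
        alias = prefixes.get("key", configured_alias)
        if alias != configured_alias:
            findings.append(Finding(key, f"ciphertext names alias '{alias}' "
                                         f"but the keystore alias is '{configured_alias}'"))
            continue
        try:
            base64.b64decode(payload, validate=True)
        except (binascii.Error, ValueError):
            findings.append(Finding(key, "payload is not valid base64"))
            continue
        if key.startswith(STARTUP_CRITICAL_PREFIXES):
            findings.append(Finding(key, "startup-critical value is still encrypted after bootstrap"))
    return findings


# Constructed sample: the issue's configserver-dev.yml and server.ssl keys as
# they would look after a bootstrap that skipped decryption. Payloads are
# short made-up base64, not real ciphertext.
SAMPLE_AFTER_BOOTSTRAP = {
    "spring.security.user.name": "admin",
    "spring.security.user.password": "{cipher}{key:encrypt-dev}AQCMdfP7wlVs",
    "server.ssl.key-store": "file:/app/tls/micro/application-key.pkcs12",
    "server.ssl.key-store-password": "{cipher}{key:encrypt-dev}AQCJAj1KyOVG",
    "server.ssl.key-store-type": "pkcs12",
    "hello": "{cipher}{key:encrypt-prd}AQAbQgcJ",  # alias mismatch, as in the thread
    "broken": "{cipher}{key:encrypt-dev}not*base64!",
}

if __name__ == "__main__":
    for finding in check_properties(SAMPLE_AFTER_BOOTSTRAP, "encrypt-dev"):
        print(f"{finding.key}: {finding.problem}")
```

Running this against the real Environment (for example from an EnvironmentPostProcessor) before the web server is built turns the opaque "keystore password was incorrect" failure into a direct report of which key was never decrypted.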

ryanjbaxter added a commit to ryanjbaxter/spring-cloud-config that referenced this issue Oct 24, 2023
…onfiguration is loaded first

We need the TextEncryptorLocator from the RSA autoconfiguration to be created first is present.  Fixes spring-cloud#2265
@ryanjbaxter ryanjbaxter added this to the 4.0.5 milestone Oct 24, 2023