Certification issue after MicrocksInstall patching

[vijia123]

We recently patched MicrocksInstall to version 1.9.0 to make it compatible with Microcks Operator 1.9.0 in Openshift to address a vulnerability. However, when we tried to sign into microcks console after the patching, we got a blank white screen. (But we can see there is a new session in microcks keycloak that has been created when trying to sign in) Also we found out there are some error logs from microcks pod, which seem related to certificate issue:

JwtDecoderInitializationException: Failed to lazily resolve the supplied JwtDecoder instance
IllegalArgumentException: Unable to resolve the Configuration with the provided Issuer of “https://microcks-keycloak-microcks.apps.../realms/microcks”
ResourceAccessException: I/O error on GET request for “https://microcks-keycloak-microcks.apps.../realms/microcks/.well-known/openid-configuration”: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
SunCertPathBuilderException: unable to find valid certification path to requested target

How can we resolve this certification issue? How to allow the certificates with the specific issuer for microcks in openshift?

Thank you!

[lbroudoux]

Hi @vijia123

We've switched the security provider with Microcks 1.8.0, and depending on your Keycloak configuration, you may encounter this issue
because the connection between main pod and Kecyloak now performs validation.

I think that in your case, you may have 2 things to check:

1. Be certain to specify a keycloak.privateUrl in your Custom Resource so that JWT tokens are trusted using this direct URL,
2. If the previous point does not solve the issue, you may need to mount an additional secret into the main Webapp pod to provide a truststore with keycloak certificates.

Point 2 can be done that way:

• Specifiy microcks.customSecretRef in your CR.

spec:
  microcks:
    customSecretRef:
       secret: microcks-keystore
       key: cacerts

• Add JAVA_OPTIONS to env variables like this so that JVM will have the password to access the truststore:

spec:
  microcks:
    env:
      - name: JAVA_OPTIONS
        value: "-Djavax.net.ssl.trustStore=/deployments/config/custom/secret/cacerts -Djavax.net.ssl.trustStorePassword=XXXXX"

Let us know how things are going.

[vijia123]

Hi @lbroudoux

I tried point 1 but didn't resolve my issue.

For point 2, do i need to put the specific secret and key value under customSecretRef, or is it just a path? And for Djavax.net.ssl.trustStorePassword, what password should i put here? Is this the password i can specify myself?
Also Do you have any specific example that using customSecretRef and JAVA_OPTIONS that i can take a look?

Thank you!

[vijia123]

Hi @lbroudoux

I've updated microcksinstall based on your suggestion, and i've stored certificate of microcks into microcks-keystore secret as cacert, but i still get blank white screen after i sign in. The log shows following error message:

Caused by: org.springframework.web.client.HttpServerErrorException$ServiceUnavailable: 503 Service Unavailable: "<html><EOL><EOL>  <head><EOL><EOL>    <meta name="viewport" content="width=device-width, initial-scale=1"><EOL><EOL><EOL><EOL>    <style type="text/css"><EOL><EOL>      body {<EOL><EOL>        font-family: "Helvetica Neue", Helvetica, Arial, sans-serif;<EOL><EOL>        line-height: 1.66666667;<EOL><EOL>        font-size: 16px;<EOL><EOL>        color: #333;<EOL><EOL>        background-color: #fff;<EOL><EOL>        margin: 2em 1em;<EOL><EOL>      }<EOL><EOL>      h1 {<EOL><EOL>        font-size: 28px;<EOL><EOL>        font-weight: 400;<EOL><EOL>      }<EOL><EOL>      p {<EOL><EOL>        margin: 0 0 10px;<EOL><EOL>      }<EOL><EOL>      .alert.alert-info {<EOL><EOL>        background-color: #F0F0F0;<EOL><EOL>        margin-top: 30px;<EOL><EOL>        padding: 30px;<EOL><EOL>      }<EOL><EOL>      .alert p {<EOL><EOL>        padding-left: 35px;<EOL><EOL>      }<EOL><EOL>      ul {<EOL><EOL>        padding-left: 51px;<EOL><EOL>        position: relative;<EOL><EOL>      }<EOL><EOL>      li {<EOL><EOL>        font-size: 14px;<EOL><EOL>        margin-bottom: 1em;<EOL><EOL>      }<EOL><EOL>      p.info {<EOL><EOL>        position: relative;<EOL><EOL>        font-size: 20px;<EOL><EOL>      }<EOL><EOL>      p.info:before, p.info:after {<EOL><EOL>        content: "";<EOL><EOL>        left: 0;<EOL><EOL>        position: absolute;<EOL><EOL>        top: 0;<EOL><EOL>      }<EOL><EOL>      p.info:before {<EOL><EOL>        background: #0066CC;<EOL><EOL>        border-radius: 16px;<EOL><EOL>        color: #fff;<EOL><EOL>        content: "i";<EOL><EOL>        font: bold 16px/24px serif;<EOL><EOL>        height: 24px;<EOL><EOL>        left: 0px;<EOL><EOL>        text-align: center;<EOL><EOL>        top: 4px;<EOL><EOL>        width: 24px;<EOL><EOL>      }<EOL><EOL><EOL><EOL>      @media (min-width: 768px) {<EOL><EOL>        body {<EOL><EOL>          margin: 6em;<EOL><EOL>        }<EOL><EOL>      }<EOL><EOL>    </style><EOL><EOL>  </head><EOL><EOL>  <body><EOL><EOL>    <div><EOL><EOL>      <h1>Application is not available</h1><EOL><EOL>      <p>The application is currently not serving requests at this endpoint. It may not have been started or is still starting.</p><EOL><EOL><EOL><EOL>      <div class="alert alert-info"><EOL><EOL>        <p class="info"><EOL><EOL>          Possible reasons you are seeing this page:<EOL><EOL>        </p><EOL><EOL>        <ul><EOL><EOL>          <li><EOL><EOL>            <strong>The host doesn't exist.</strong><EOL><EOL>            Make sure the hostname was typed correctly and that a route matching this hostname exists.<EOL><EOL>          </li><EOL><EOL>          <li><EOL><EOL>            <strong>The host exists, but doesn't have a matching path.</strong><EOL><EOL>            Check if the URL path was typed correctly and that the route was created using the desired path.<EOL><EOL>          </li><EOL><EOL>          <li><EOL><EOL>            <strong>Route and path matches, but all pods are down.</strong><EOL><EOL>            Make sure that the resources exposed by this route (pods, services, deployment configs, etc) have at least one pod running.<EOL><EOL>          </li><EOL><EOL>        </ul><EOL><EOL>      </div><EOL><EOL>    </div><EOL><EOL>  </body><EOL><EOL></html><EOL><EOL>"

Do you have any ideas on this error?

Kind regards,

Vivian