Can't use Amazon S3 API over SSL?

I am trying to use the Amazon S3 API to encrypt and download a file.

import java.io.File;
import java.io.IOException;
import java.security.NoSuchAlgorithmException;
import java.security.spec.InvalidKeySpecException;

import com.amazonaws.AmazonClientException;
import com.amazonaws.auth.AWSCredentials;
import com.amazonaws.auth.profile.ProfileCredentialsProvider;
import com.amazonaws.regions.Regions;
import com.amazonaws.services.s3.AmazonS3EncryptionClient;
import com.amazonaws.services.s3.model.CryptoConfiguration;
import com.amazonaws.services.s3.model.KMSEncryptionMaterialsProvider;
import com.amazonaws.services.s3.transfer.TransferManager;
import com.amazonaws.services.s3.transfer.Upload;

public class AmazonS3 {

    String KmsId = "my_id_comes_here";

    private TransferManager getTransferManager() {
        AWSCredentials awsCredentials = new ProfileCredentialsProvider().getCredentials();
        // Client-side encryption: per-object data keys are wrapped with the KMS key KmsId
        KMSEncryptionMaterialsProvider materialProvider = new KMSEncryptionMaterialsProvider(KmsId);
        AmazonS3EncryptionClient s3Client = new AmazonS3EncryptionClient(
                awsCredentials,
                materialProvider,
                new CryptoConfiguration().withKmsRegion(Regions.EU_CENTRAL_1))
            .withRegion(Regions.EU_CENTRAL_1);
        s3Client.setEndpoint("s3.eu-central-1.amazonaws.com");
        TransferManager transferManager = new TransferManager(s3Client);
        return transferManager;
    }

    public void upload(String bucket, String keyName, String filePath)
            throws InterruptedException, NoSuchAlgorithmException, IOException, InvalidKeySpecException {
        TransferManager transferManager = getTransferManager();
        // TransferManager processes all transfers asynchronously, so this call will return immediately.
        Upload upload = transferManager.upload(bucket, keyName, new File(filePath));
        try {
            // Or you can block and wait for the upload to finish
            upload.waitForCompletion();
            System.out.println("Upload complete.");
        } catch (AmazonClientException amazonClientException) {
            System.out.println("Unable to upload file, upload was aborted.");
            amazonClientException.printStackTrace();
        }
    }
}

This works fine if I don't pass my trust store as an argument to my application.

But if I start my application with my trust store as follows:

 -Dspring.profiles.active="dev" -Djavax.net.debug=all -Djavax.net.ssl.trustStore=/usr/share/ca-certificates/anevis/java/activemq/client.ts -Djavax.net.ssl.trustStorePassword=changeit 

This gives me this error:

com.amazonaws.AmazonClientException: Unable to execute HTTP request: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at com.amazonaws.http.AmazonHttpClient.executeHelper(AmazonHttpClient.java:516)
    at com.amazonaws.http.AmazonHttpClient.execute(AmazonHttpClient.java:317)
    at com.amazonaws.services.s3.AmazonS3Client.invoke(AmazonS3Client.java:3595)
    at com.amazonaws.services.s3.AmazonS3Client.getObjectMetadata(AmazonS3Client.java:999)
    at com.amazonaws.services.s3.transfer.TransferManager.doDownload(TransferManager.java:779)
    at com.amazonaws.services.s3.transfer.TransferManager.download(TransferManager.java:691)
    at com.anevis.documentengine.configuration.jms.AmazonS3.download(AmazonS3.java:57)
    at com.anevis.documentengine.configuration.jms.S3UploadTest.testUpload(S3UploadTest.java:25)
    at com.anevis.documentengine.configuration.jms.S3UploadTest.main(S3UploadTest.java:9)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:497)
    at com.intellij.rt.execution.application.AppMain.main(AppMain.java:144)
Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
    at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1949)
    at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:302)
    at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:296)
    at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1509)
    at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:216)
    at sun.security.ssl.Handshaker.processLoop(Handshaker.java:979)
    at sun.security.ssl.Handshaker.process_record(Handshaker.java:914)
    at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1062)
    at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1375)
    at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1403)
    at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1387)
    at org.apache.http.conn.ssl.SSLSocketFactory.connectSocket(SSLSocketFactory.java:535)
    at org.apache.http.conn.ssl.SSLSocketFactory.connectSocket(SSLSocketFactory.java:403)
    at com.amazonaws.http.conn.ssl.SdkTLSSocketFactory.connectSocket(SdkTLSSocketFactory.java:128)
    at org.apache.http.impl.conn.DefaultClientConnectionOperator.openConnection(DefaultClientConnectionOperator.java:177)
    at org.apache.http.impl.conn.ManagedClientConnectionImpl.open(ManagedClientConnectionImpl.java:304)
    at org.apache.http.impl.client.DefaultRequestDirector.tryConnect(DefaultRequestDirector.java:611)
    at org.apache.http.impl.client.DefaultRequestDirector.execute(DefaultRequestDirector.java:446)
    at org.apache.http.impl.client.AbstractHttpClient.doExecute(AbstractHttpClient.java:863)
    at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:82)
    at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:57)
    at com.amazonaws.http.AmazonHttpClient.executeOneRequest(AmazonHttpClient.java:749)
    at com.amazonaws.http.AmazonHttpClient.executeHelper(AmazonHttpClient.java:505)
    ... 13 more
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:387)
    at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:292)
    at sun.security.validator.Validator.validate(Validator.java:260)
    at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324)
    at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:229)
    at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:124)
    at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1491)
    ... 32 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:146)
    at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:131)
    at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280)
    at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:382)
    ... 38 more

How can I fix this error?

+5

2 answers

Your trust store does not contain the certification authority that secures the AWS API. You need to create a new trust store that combines client.ts with the CAs that AWS needs. The easiest way to do this is to merge client.ts with the cacerts keystore from the JRE.

Example:

keytool -importkeystore -srckeystore client.ts -destkeystore combined.ts -srcstorepass changeit -deststorepass changeit
keytool -importkeystore -srckeystore $JAVA_HOME/jre/lib/security/cacerts -destkeystore combined.ts -srcstorepass changeit -deststorepass changeit

Then use combined.ts instead of client.ts .

+6
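The reason the merge is needed is that -Djavax.net.ssl.trustStore replaces the JVM's default trust store rather than extending it: with that flag set, the only trust anchors the whole JVM knows are those in client.ts, so the public CA behind s3.eu-central-1.amazonaws.com can no longer be found and path building fails exactly as in the trace above. Merging cacerts into client.ts works, but it also means every public root is now trusted by the ActiveMQ client that the private store was meant to restrict. An alternative that keeps the two trust domains separate is to leave the JVM-wide flag for ActiveMQ and give the S3 client its own SSLContext built from the JDK's bundled cacerts. The code below is an added example, not code from the question or the answer; it targets the AWS SDK for Java 1.x and Apache HttpClient 4.4+ (for getDefaultHostnameVerifier), and assumes cacerts is at ${java.home}/lib/security/cacerts, the usual location on Java 8 and later. The class and method names are mine; the KMS key id and region are the ones from the question.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.nio.file.Paths;
import java.security.KeyStore;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

import org.apache.http.conn.ssl.SSLConnectionSocketFactory;

import com.amazonaws.ClientConfiguration;
import com.amazonaws.auth.profile.ProfileCredentialsProvider;
import com.amazonaws.regions.Region;
import com.amazonaws.regions.Regions;
import com.amazonaws.services.s3.AmazonS3EncryptionClient;
import com.amazonaws.services.s3.model.CryptoConfiguration;
import com.amazonaws.services.s3.model.KMSEncryptionMaterialsProvider;
import com.amazonaws.services.s3.transfer.TransferManager;

/**
 * Added example (not the original poster's code): give the S3 client its own
 * trust store instead of widening the JVM-wide one set by -Djavax.net.ssl.trustStore.
 */
public class PublicRootsS3Client {

    /**
     * Builds an SSLContext that trusts only the JDK's bundled public roots, read
     * from the cacerts file directly. TrustManagerFactory.init(null) would NOT do
     * this: it honours javax.net.ssl.trustStore, i.e. it would hand back client.ts.
     * Assumption: cacerts lives at ${java.home}/lib/security/cacerts.
     */
    static SSLContext publicRootsContext() throws Exception {
        String cacerts = Paths.get(System.getProperty("java.home"), "lib", "security", "cacerts").toString();
        KeyStore roots = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(cacerts)) {
            // null password: read the entries without the integrity check, so no store password is assumed
            roots.load(in, null);
        }
        if (roots.size() == 0) {
            throw new IllegalStateException("no trust anchors loaded from " + cacerts);
        }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(roots);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    /** S3 encryption client whose TLS trust is independent of the JVM-wide trust store flag. */
    public static TransferManager transferManager(String kmsKeyId) throws Exception {
        // Hostname verification stays strict; never pass a NoopHostnameVerifier here.
        SSLConnectionSocketFactory socketFactory = new SSLConnectionSocketFactory(
                publicRootsContext(), SSLConnectionSocketFactory.getDefaultHostnameVerifier());

        // The SDK lets each client carry its own socket factory via ClientConfiguration.
        ClientConfiguration clientConfig = new ClientConfiguration();
        clientConfig.getApacheHttpClientConfig().setSslSocketFactory(socketFactory);

        Region region = Region.getRegion(Regions.EU_CENTRAL_1);
        AmazonS3EncryptionClient s3 = new AmazonS3EncryptionClient(
                new ProfileCredentialsProvider().getCredentials(),
                new KMSEncryptionMaterialsProvider(kmsKeyId),
                clientConfig,
                new CryptoConfiguration().withKmsRegion(region));
        s3.setRegion(region);
        return new TransferManager(s3);
    }
}
```

With this in place the application can keep -Djavax.net.ssl.trustStore pointing at client.ts for the ActiveMQ connection, while S3 and KMS calls validate against the public roots only. The same ClientConfiguration can be passed to any other SDK 1.x client (for example a DynamoDB client) that must reach a public AWS endpoint from a JVM whose global trust store has been narrowed.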

Thank you, we had a similar problem, but I changed the answer slightly for our scenario.

I got this com.amazonaws.AmazonClientException: Unable to execute HTTP request: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

when trying to connect to AmazonDynamoDB.

When we moved our application to HTTPS, we started getting this error.

So the solution was the same; the only difference was that instead of client.ts I had to add to cacerts a certificate that was generated during the HTTPS migration.

keytool -importkeystore -srckeystore $JAVA_HOME/jre/lib/security/cacerts -destkeystore test.p12 -srcstorepass changeit -deststorepass test;

Thanks,

0

Source: https://habr.com/ru/post/1242109/

