I have an environment where SSL is enabled for the db connection with Amazon RDS MySQL, and I'm seeing the following exception when the application starts:

Caused by: javax.net.ssl.SSLHandshakeException: java.security.cert.CertPathValidatorException: Path does not chain with any of the trust anchors
    at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:131)
I have downloaded the pem file from the Amazon website, and used the following scripts to first create the truststore, then to upload the secret to the environments.
Script to create the truststore:
#!/usr/bin/env bash
mydir="/myproject/scripts/python/secrets/resources"
truststore=truststore.jks
storepassword=password
# Split the bundle into one file per certificate (rds-ca-aa, rds-ca-ab, ...).
# 'split -p' is the BSD/macOS form; GNU coreutils would need csplit for the same job.
split -p "-----BEGIN CERTIFICATE-----" "$mydir/dev-certs/eucentral/eu-central-1-bundle.pem" rds-ca-
for CERT in rds-ca-*; do
    # Use the subject CN as the alias; '.*' strips everything before "CN=".
    alias=$(openssl x509 -noout -text -in "$CERT" | perl -ne 'next unless /Subject:/; s/.*(CN=|CN = )//; print')
    echo "Importing $alias"
    keytool -import -file "${CERT}" -alias "${alias}" -storepass "${storepassword}" -keystore "${truststore}" -noprompt
    rm "$CERT"
done
echo "Trust store content is: "
keytool -list -v -keystore "$truststore" -storepass "${storepassword}" | grep Alias | cut -d " " -f3- | while read -r alias
do
    # Command substitution $(...) is required here; without it 'expiry' is just the literal word 'keytool'.
    expiry=$(keytool -list -v -keystore "$truststore" -storepass "${storepassword}" -alias "${alias}" | grep Valid | perl -ne 'if(/until: (.*?)\n/) { print "$1\n"; }')
    echo " Certificate ${alias} expires in '$expiry'"
done
Script to upload the secret to Kubernetes:
import subprocess

def create_certificate_secret(context, namespace, secret_name):
    certs = []
    path = 'resources/'
    if 'dev' in context:
        path = path + 'dev-certs/'
    eu_central_certs = ['truststore.jks', 'eu-central-1-bundle.pem']
    if 'eucentral' in context:
        path = path + 'eucentral/'
        certs = eu_central_certs
    # Build the command as an argument list rather than a shell string so that
    # context, namespace and secret_name are never interpreted by a shell.
    command = ['kubectl', '--context', context, '-n', namespace,
               'create', 'secret', 'generic', secret_name]
    for cert in certs:
        command.append('--from-file=' + cert + '=' + path + cert)
    subprocess.run(command, check=True)
When I run the script, I can see that the secret gets created, that it contains the pem file and the truststore, and that all the certificates from the pem were included in the truststore. The mountPath looks correct too, so I am wondering why the above configuration doesn't work.
One thing I noticed was that when I reran the first script, the truststore was recreated with the certificates in the output appearing in the same order, but when it got uploaded to Kubernetes, the encoded string associated with it in the secret was different. This didn't happen if I just uploaded it, without recreating the truststore.
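Added example (not from the question's author): a JKS file records a creation timestamp for every entry, so rebuilding the truststore from the same certificates produces different bytes and a different base64 string in the Secret even though the contents are equivalent. A more useful check than comparing the encoded Secret is to compare the SHA-256 fingerprints of the DER certificates themselves. The snippet below is a portable PEM-bundle splitter (it does not depend on the BSD-only `split -p`) that computes those fingerprints and reports which certificates from the downloaded bundle are absent from a PEM export of the truststore (for example the output of `keytool -exportcert -rfc` per alias, concatenated). The sample bundle is constructed: the base64 bodies are placeholder bytes, not real X.509 certificates.

```python
import base64
import hashlib
import re

# Constructed sample data: these bodies are NOT real X.509 certificates, just
# base64 of placeholder bytes so the parser and hashing can run offline.
# The real input would be eu-central-1-bundle.pem from Amazon.
FAKE_BODY_1 = base64.b64encode(b"constructed placeholder for RDS root CA, not a real DER").decode()
FAKE_BODY_2 = base64.b64encode(b"constructed placeholder for RDS intermediate CA, not DER").decode()


def wrap_pem(body, newline="\n"):
    """Wrap a base64 body at 64 columns between PEM markers, as openssl/keytool -rfc do."""
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    return newline.join(["-----BEGIN CERTIFICATE-----", *lines, "-----END CERTIFICATE-----"]) + newline


# Bundle as it might be downloaded: two certs, CRLF line endings, a leading comment line.
SAMPLE_BUNDLE = "# constructed bundle\r\n" + wrap_pem(FAKE_BODY_1, "\r\n") + wrap_pem(FAKE_BODY_2, "\r\n")

# Lazy match between the markers; DOTALL lets '.' span the wrapped lines.
PEM_BLOCK = re.compile(r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.DOTALL)


def split_pem_bundle(text):
    """Return each certificate in the bundle as a single-line base64 body (markers removed)."""
    return ["".join(m.group(1).split()) for m in PEM_BLOCK.finditer(text)]


def der_fingerprint(b64_body):
    """SHA-256 over the DER bytes, i.e. what 'openssl x509 -fingerprint -sha256' hashes.
    validate=True makes a corrupted body raise instead of silently decoding garbage."""
    der = base64.b64decode(b64_body, validate=True)
    return hashlib.sha256(der).hexdigest()


def bundle_fingerprints(text):
    """Fingerprints of every certificate in a PEM bundle, in bundle order."""
    return [der_fingerprint(body) for body in split_pem_bundle(text)]


def missing_from_truststore(bundle_text, truststore_pem_text):
    """Fingerprints present in the downloaded bundle but absent from the truststore export.
    Order and file bytes are irrelevant; only the DER content of each certificate counts."""
    return set(bundle_fingerprints(bundle_text)) - set(bundle_fingerprints(truststore_pem_text))


if __name__ == "__main__":
    for i, fp in enumerate(bundle_fingerprints(SAMPLE_BUNDLE), 1):
        print(f"cert {i}: sha256={fp}")
    # A truststore export with the same certificates in a different order is complete.
    export = wrap_pem(FAKE_BODY_2) + wrap_pem(FAKE_BODY_1)
    print("missing from truststore:", missing_from_truststore(SAMPLE_BUNDLE, export))
```

Run it against the real bundle and the `keytool -exportcert -rfc` output of every alias; an empty `missing_from_truststore` result means the truststore really does hold every certificate from the bundle, regardless of how the JKS bytes (and therefore the Secret's base64) change between rebuilds.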