Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Java KCL unable to find valid certification path to requested target #56

Open
roek5803 opened this issue Dec 18, 2017 · 5 comments
Open

Java KCL unable to find valid certification path to requested target #56

roek5803 opened this issue Dec 18, 2017 · 5 comments

Comments

@roek5803
Copy link

Hi!

I am trying to use kinesalite and dynalite for integration tests purpose, but cant figure out how to set everything up.

First of all im using:
Java 8
amazon-kinesis-client 1.8.8
amazon-kinesis-producer 0.12.5

I start kinesalite and dynalite with

kinesalite --ssl true --port 4567
dynalite --port 4568

In my /etc/hosts file i have added

127.0.0.1 kinesalite

I disable CBOR with environment variable:

AWS_CBOR_DISABLE: true

I create the dynamoClient like this:

dynamoClient = AmazonDynamoDBClientBuilder
                .standard()
                .withEndpointConfiguration(new AwsClientBuilder.EndpointConfiguration(
                        "http://localhost:4568",
                        "eu-central-1"
                ))
                .build();

I create the kinesisClient like this:

kinesisClient = AmazonKinesisClientBuilder
                .standard()
                .withEndpointConfiguration(new AwsClientBuilder.EndpointConfiguration(
                        "kinesalite:4567",
                        "eu-central-1"
                ))
                .build();

Then i create the config and worker

KinesisClientLibConfiguration config =
                new KinesisClientLibConfiguration(
                        CONFIG.applicationName,
                        CONFIG.streamName,
                        credentialsProvider,
                        CONFIG.workerId
                )
                        .withInitialPositionInStream(InitialPositionInStream.LATEST);

        final Worker worker = new Worker.Builder()
                .recordProcessorFactory(processorFactory)
                .config(config)
                .kinesisClient(kinesisClient)
                .dynamoDBClient(dynamoClient)
                .metricsFactory(new NullMetricsFactory())
                .build();

But i get errors and cant figure out what i'm missing:

INFO  [2017-12-18 15:25:39,847] com.amazonaws.services.kinesis.clientlibrary.lib.worker.Worker: Initialization attempt 1
INFO  [2017-12-18 15:25:39,847] com.amazonaws.services.kinesis.clientlibrary.lib.worker.Worker: Initializing LeaseCoordinator
INFO  [2017-12-18 15:25:39,866] com.amazonaws.services.kinesis.clientlibrary.lib.worker.Worker: Syncing Kinesis shard info
ERROR [2017-12-18 15:25:40,247] com.amazonaws.services.kinesis.clientlibrary.lib.worker.ShardSyncTask: Caught exception while sync'ing Kinesis shards and leases
! sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
...
! Causing: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
! at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:397) ~[na:1.8.0_151]
...
! Causing: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
@mhart
Copy link
Owner

mhart commented Dec 18, 2017

Any reason you're using the --ssl true flag? The endpoint you've passed in uses http:, not https:, so I doubt that will work – just remove that flag

@roek5803
Copy link
Author

Thanks for the respond @mhart !

Yes i'm using --ssl true because there is no way to disable the TLS connection in Java Kinesis Producer Library. But it would be nice if i could disable it. Then i could skip the ssl true flag.

https://github.com/awslabs/amazon-kinesis-producer/blob/master/java/amazon-kinesis-producer/src/main/java/com/amazonaws/services/kinesis/producer/KinesisProducerConfiguration.java

/**
     * Use a custom Kinesis endpoint.
     * 
     * <p>
     * Note this does not accept protocols or paths, only host names or ip addresses. There is no
     * way to disable TLS. The KPL always connects with TLS.
     * 
     * <p><b>Expected pattern</b>: ^([A-Za-z0-9-\\.]+)?$
     */
    public KinesisProducerConfiguration setKinesisEndpoint(String val) {
        if (!Pattern.matches("^([A-Za-z0-9-\\.]+)?$", val)) {
            throw new IllegalArgumentException("kinesisEndpoint must match the pattern ^([A-Za-z0-9-\\.]+)?$, got " + val);
        }
        kinesisEndpoint = val;
        return this;
    }

But for dynalite i do not use --ssl true so in the dynamoClient i use http, but for the kinesisClient it should be https per default. it is the same result if i would use https://kinesalite:4567

@TJC
Copy link

TJC commented Dec 19, 2017

I'm hitting this same issue -- is there any way to get the AWS KCL library to not verify the SSL certificate?

@TJC
Copy link

TJC commented Dec 19, 2017

java -Dcom.amazonaws.sdk.disableCertChecking

@roek5803
Copy link
Author

Thanks @TJC That works! 😃

@kojiromike kojiromike mentioned this issue Oct 7, 2018
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@TJC @mhart @roek5803