Pem SslBundle - allow property source for keystore and truststore

[zbacjxx]

Current implementation allows us to specify a location.

Ideally we could also specify a property that contains the pem file e.g ${my.app.trust.cert}

This would allow us to inject certificates from external stores at deploy time in an externalised property file rather than bundling files into the app deployment e.g via /resources

[scottfrederick]

@zbacjxx It is currently possible to provide certificates as PEM content when configuring SSL bundles. An example of this is shown in the documentation:

spring:
  ssl:
    bundle:
      pem:
        mybundle:
          truststore:
            certificate: |
              -----BEGIN CERTIFICATE-----
              MIID1zCCAr+gAwIBAgIUNM5QQv8IzVQsgSmmdPQNaqyzWs4wDQYJKoZIhvcNAQEL
              BQAwezELMAkGA1UEBhMCWFgxEjAQBgNVBAgMCVN0YXRlTmFtZTERMA8GA1UEBwwI
              ...
              V0IJjcmYjEZbTvpjFKznvaFiOUv+8L7jHQ1/Yf+9c3C8gSjdUfv88m17pqYXd+Ds
              HEmfmNNjht130UyjNCITmLVXyy5p35vWmdf95U3uEbJSnNVtXH8qRmN9oK9mUpDb
              ngX6JBJI7fw7tXoqWSLHNiBODM88fUlQSho8
              -----END CERTIFICATE-----

If you have tried this and it is not working for you, please provide more details on your configuration so we can take a closer look.

[zbacjxx]

Hi Scott,

SslBundle is an amazing addition to the spring framework, thanks for the quick responseI

have tried the above however I get an error.

I am using spring boot 3.2.2 and application-{env}.properties not a yaml file

The following properties work

spring.ssl.bundle.pem.rest.keystore.certificate=/mnt/c/dev/certs/my-project/my-cert.pem
spring.ssl.bundle.pem.rest.keystore.private-key=/mnt/c/dev/certs/my-project/my-key.pem
spring.ssl.bundle.pem.rest.truststore.certificate=/mnt/c/dev/certs/ca-certificates.crt

however when I switch out the keystore.certificate with the following

"-----BEGIN CERTIFICATE-----
MIIHUjCCBjqgAwIBAgIEYiQNCjANBgkqhkiG9w0BAQsFADCBhDELMAkGA1UEBhMC\
Z2IxKTAnBgNVBAoTIFRoZSBSb3lhbCBCYW5rIG9mIFNjb3RsYW5kIEdyb3VwMR8w\
...
FJ+OwT2m9J1ZNLi9MEEfnP7i4TRKp9OA3tfJ6JS0/hgb4TiMclH5s+YZri4Q2PGu\
pVFBTQuLxxwTXJx6cPDVW0960f4lC7QtIhzDVa9dhhgug7qEUAFeEtFvpDcKtj3m\
N+HvO31+\
-----END CERTIFICATE-----"

I get the following exception (message only):

org.springframework.beans.factory.UnsatisfiedDependencyException: Error creating bean with name 'kafkaPostTestCLRApigee': Unsatisfied dependency expressed through field 'kafkaPostTemplate': Error creating bean with name 'sslRestTemplate' defined in class path resource [com/nwg/da/fraud/oids/api/configuration/CustomRestTemplateConfiguration.class]: Unsatisfied dependency expressed through method 'sslRestTemplate' parameter 1: Error creating bean with name 'sslBundleRegistry' defined in class path resource [org/springframework/boot/autoconfigure/ssl/SslAutoConfiguration.class]: Failed to instantiate [org.springframework.boot.ssl.DefaultSslBundleRegistry]: Factory method 'sslBundleRegistry' threw exception with message: Error reading certificate or key from file '"-----BEGIN CERTIFICATE-----'
Caused by: org.springframework.beans.factory.UnsatisfiedDependencyException: Error creating bean with name 'sslRestTemplate' defined in class path resource [com/nwg/da/fraud/oids/api/configuration/CustomRestTemplateConfiguration.class]: Unsatisfied dependency expressed through method 'sslRestTemplate' parameter 1: Error creating bean with name 'sslBundleRegistry' defined in class path resource [org/springframework/boot/autoconfigure/ssl/SslAutoConfiguration.class]: Failed to instantiate [org.springframework.boot.ssl.DefaultSslBundleRegistry]: Factory method 'sslBundleRegistry' threw exception with message: Error reading certificate or key from file '"-----BEGIN CERTIFICATE-----'
Caused by: org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'sslBundleRegistry' defined in class path resource [org/springframework/boot/autoconfigure/ssl/SslAutoConfiguration.class]: Failed to instantiate [org.springframework.boot.ssl.DefaultSslBundleRegistry]: Factory method 'sslBundleRegistry' threw exception with message: Error reading certificate or key from file '"-----BEGIN CERTIFICATE-----'
Caused by: org.springframework.beans.BeanInstantiationException: Failed to instantiate [org.springframework.boot.ssl.DefaultSslBundleRegistry]: Factory method 'sslBundleRegistry' threw exception with message: Error reading certificate or key from file '"-----BEGIN CERTIFICATE-----'
Caused by: java.io.UncheckedIOException: Error reading certificate or key from file '"-----BEGIN CERTIFICATE-----'
Caused by: java.io.IOException: Error reading certificate or key from file '"-----BEGIN CERTIFICATE-----'
Caused by: java.io.FileNotFoundException: /home/zbacjxx/workspace/application/my-project/"-----BEGIN CERTIFICATE----- (No such file or directory)

Note: I have also remove the line endings so the cert is on a single line and I get a slightly different error (message only):

org.springframework.beans.factory.UnsatisfiedDependencyException: Error creating bean with name 'kafkaPostTestCLRApigee': Unsatisfied dependency expressed through field 'kafkaPostTemplate': Error creating bean with name 'sslRestTemplate' defined in class path resource [com/nwg/da/fraud/oids/api/configuration/CustomRestTemplateConfiguration.class]: Unsatisfied dependency expressed through method 'sslRestTemplate' parameter 1: Error creating bean with name 'sslBundleRegistry' defined in class path resource [org/springframework/boot/autoconfigure/ssl/SslAutoConfiguration.class]: Failed to instantiate [org.springframework.boot.ssl.DefaultSslBundleRegistry]: Factory method 'sslBundleRegistry' threw exception with message: Unable to register SSL bundle 'rest'
Caused by: org.springframework.beans.factory.UnsatisfiedDependencyException: Error creating bean with name 'sslRestTemplate' defined in class path resource [com/nwg/da/fraud/oids/api/configuration/CustomRestTemplateConfiguration.class]: Unsatisfied dependency expressed through method 'sslRestTemplate' parameter 1: Error creating bean with name 'sslBundleRegistry' defined in class path resource [org/springframework/boot/autoconfigure/ssl/SslAutoConfiguration.class]: Failed to instantiate [org.springframework.boot.ssl.DefaultSslBundleRegistry]: Factory method 'sslBundleRegistry' threw exception with message: Unable to register SSL bundle 'rest'
Caused by: org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'sslBundleRegistry' defined in class path resource [org/springframework/boot/autoconfigure/ssl/SslAutoConfiguration.class]: Failed to instantiate [org.springframework.boot.ssl.DefaultSslBundleRegistry]: Factory method 'sslBundleRegistry' threw exception with message: Unable to register SSL bundle 'rest'
Caused by: org.springframework.beans.BeanInstantiationException: Failed to instantiate [org.springframework.boot.ssl.DefaultSslBundleRegistry]: Factory method 'sslBundleRegistry' threw exception with message: Unable to register SSL bundle 'rest'
Caused by: java.lang.IllegalStateException: Unable to register SSL bundle 'rest'
Caused by: java.lang.IllegalStateException: Missing certificates or unrecognized format

[wilkinsona]

@zbacjxx you don't appear to have formatted the multi-line string correctly. You can either use YAML and minimise the necessary formatting or you can include newlines in the value. This is shown in the documentation that Scott linked to above.

spring.ssl.bundle.pem.rest.keystore.certificate=\
-----BEGIN CERTIFICATE-----\n\
MIID1zCCAr+gAwIBAgIUNM5QQv8IzVQsgSmmdPQNaqyzWs4wDQYJKoZIhvcNAQEL\n\
BQAwezELMAkGA1UEBhMCWFgxEjAQBgNVBAgMCVN0YXRlTmFtZTERMA8GA1UEBwwI\n\
...\n\
V0IJjcmYjEZbTvpjFKznvaFiOUv+8L7jHQ1/Yf+9c3C8gSjdUfv88m17pqYXd+Ds\n\
HEmfmNNjht130UyjNCITmLVXyy5p35vWmdf95U3uEbJSnNVtXH8qRmN9oK9mUpDb\n\
ngX6JBJI7fw7tXoqWSLHNiBODM88fUlQSho8\n\
-----END CERTIFICATE-----\n

[zbacjxx]

ah - sorry I am an absolute idiot in that case as that works!

Mnay thanks for your time on this - I should have done a better job reading the docs (my quick googles didnt point me to the latest)

I did notice a ticket authored by your good self here (which led me to raise this ticket) on SslBundle usage for kafka - I have gone through the above docs and the kafka docs and I cant see any documentation on how to use the SslBundle on the KafkaTemplate as per the RestTemplate - Is this available?

[wilkinsona]

You can use spring.kafka.producer.ssl.bundle. This will configure SSL on the producer that's used by the template.

If you have any further questions, please follow up on Stack Overflow. As mentioned in the guidelines for contributing, we prefer to use GitHub issues only for bugs and enhancements.

[zbacjxx]

fair point and thanks again