KinesisClientLibrary can't connect to https SSL secure Kinesis endpoint
Hi, I have a docker image of localstack:0.6.0 running on my machine. I set the USE_SSL environment variable to true.
I am trying to configure the Java KinesisClientLibrary SDK so it connects to the https endpoint.
When the Worker starts it throws this error:
java.lang.RuntimeException: com.amazonaws.SdkClientException: Unable to execute HTTP request: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at com.amazonaws.services.kinesis.clientlibrary.lib.worker.Worker.initialize(Worker.java:458)
at com.amazonaws.services.kinesis.clientlibrary.lib.worker.Worker.run(Worker.java:356)
at java.lang.Thread.run(Thread.java:745)
Caused by: com.amazonaws.SdkClientException: Unable to execute HTTP request: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at com.amazonaws.http.AmazonHttpClient$RequestExecutor.handleRetryableException(AmazonHttpClient.java:1069)
at com.amazonaws.http.AmazonHttpClient$RequestExecutor.executeHelper(AmazonHttpClient.java:1035)
......
Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1949)
at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:302)
at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:296)
at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1509)
This is the KCL configuration:
kinesisClientLibConfig = new KinesisClientLibConfiguration(
        "test",   // application name
        "test",   // stream name
        new DefaultAWSCredentialsProviderChain(),
        UUID.randomUUID().toString())   // worker id
    .withCallProcessRecordsEvenForEmptyRecordList(false)
    .withIdleTimeBetweenReadsInMillis(500)
    .withMaxRecords(100)
    .withMetricsLevel(MetricsLevel.NONE)
    .withKinesisEndpoint("https://localhost:4568")   // LocalStack Kinesis over TLS
    .withRegion("eu-west-1");
I can connect to the endpoint via aws-cli and I can create and list streams no problem:
"aws kinesis list-streams --endpoint-url https://localhost:4568 --no-verify-ssl"
Comments (5)
-
Account Deactivated Thanks for reporting, @jesuscastellano. There is a Java system property you can set to disable certificate validation: http://docs.aws.amazon.com/AWSJavaSDK/latest/javadoc/com/amazonaws/SDKGlobalConfiguration.html#DISABLE_CERT_CHECKING_SYSTEM_PROPERTY
We also use it here: https://bitbucket.org/atlassian/localstack/src/master/localstack/utils/kinesis/java/com/atlassian/KinesisStarter.java?at=master&fileviewer=file-view-default#KinesisStarter.java-35
Hope that helps
-
Account Deactivated Closing this issue, assuming that the workaround using the Java system property works. If the problem persists, please open a ticket here: https://github.com/localstack/localstack. Thanks.
-
Account Deactivated - changed status to resolved
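One way to keep the system-property workaround from the reply above confined to a local LocalStack endpoint, as an added example (not code from LocalStack or the AWS SDK). The class and method names are hypothetical, and the property string is assumed to be the value of SDKGlobalConfiguration.DISABLE_CERT_CHECKING_SYSTEM_PROPERTY in the AWS SDK for Java 1.x.

```java
import java.net.InetAddress;
import java.net.URI;
import java.net.UnknownHostException;

/** Added example: hypothetical helper, not part of LocalStack or the AWS SDK. */
public class LocalEndpointTls {
    // Assumed value of SDKGlobalConfiguration.DISABLE_CERT_CHECKING_SYSTEM_PROPERTY (SDK 1.x).
    static final String DISABLE_CERT_CHECKING = "com.amazonaws.sdk.disableCertChecking";

    /** True only if the endpoint is https and every address its host resolves to is loopback. */
    static boolean isLoopbackEndpoint(String endpoint) {
        URI uri = URI.create(endpoint);
        String host = uri.getHost();
        if (host == null || !"https".equalsIgnoreCase(uri.getScheme())) {
            return false;
        }
        try {
            for (InetAddress address : InetAddress.getAllByName(host)) {
                if (!address.isLoopbackAddress()) {
                    return false;   // one non-local address is enough to refuse
                }
            }
            return true;
        } catch (UnknownHostException e) {
            return false;           // unresolvable host: keep validation on
        }
    }

    /**
     * Disables certificate validation only for a loopback endpoint.
     * The property is JVM-wide, so it is cleared for any other endpoint
     * instead of being left over from an earlier call or a -D flag.
     */
    static boolean configureCertChecking(String endpoint) {
        if (isLoopbackEndpoint(endpoint)) {
            System.setProperty(DISABLE_CERT_CHECKING, "true");
            return true;
        }
        System.clearProperty(DISABLE_CERT_CHECKING);
        return false;
    }

    public static void main(String[] args) {
        // Constructed inputs: the LocalStack URL from the report and a non-local endpoint.
        System.out.println(configureCertChecking("https://localhost:4568"));
        System.out.println(configureCertChecking("https://kinesis.eu-west-1.amazonaws.com"));
    }
}
```

Call `configureCertChecking` at startup with the same URL passed to `withKinesisEndpoint`, before the KCL Worker is created, so a build pointed at a real AWS endpoint keeps normal certificate validation.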