KinesisClientLibrary can't connect to https SSL secure Kinesis endpoint

Issue #53 resolved
Jesus Menendez created an issue

Hi, I have a Docker image of localstack:0.6.0 running on my machine. I set the USE_SSL environment variable to true.

I am trying to configure the Java KinesisClientLibrary SDK so it connects to the https endpoint.

When the Worker starts it throws this error:


java.lang.RuntimeException: com.amazonaws.SdkClientException: Unable to execute HTTP request: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        at com.amazonaws.services.kinesis.clientlibrary.lib.worker.Worker.initialize(Worker.java:458)
        at com.amazonaws.services.kinesis.clientlibrary.lib.worker.Worker.run(Worker.java:356)
        at java.lang.Thread.run(Thread.java:745)
Caused by: com.amazonaws.SdkClientException: Unable to execute HTTP request: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        at com.amazonaws.http.AmazonHttpClient$RequestExecutor.handleRetryableException(AmazonHttpClient.java:1069)
        at com.amazonaws.http.AmazonHttpClient$RequestExecutor.executeHelper(AmazonHttpClient.java:1035)

......

Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
        at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1949)
        at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:302)
        at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:296)
        at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1509)

This is the KCL configuration:

kinesisClientLibConfig = new KinesisClientLibConfiguration(
            "test",                                   // application name
            "test",                                   // stream name
            new DefaultAWSCredentialsProviderChain(),
            UUID.randomUUID().toString())             // worker id
            .withCallProcessRecordsEvenForEmptyRecordList(false)
            .withIdleTimeBetweenReadsInMillis(500)
            .withMaxRecords(100)
            .withMetricsLevel(MetricsLevel.NONE)
            .withKinesisEndpoint("https://localhost:4568")   // local HTTPS endpoint
            .withRegion("eu-west-1");

I can connect to the endpoint via aws-cli and I can create and list streams no problem:

"aws kinesis list-streams --endpoint-url https://localhost:4568 --no-verify-ssl"
