Hello,
Using the 2.7 Play Framework, I am trying to set up an HTTPS server with client authentication. The authentication always fails with "unable to find valid certification path to requested target".
The client certificate is signed by a custom certificate authority that uses a self-signed certificate. In my setup, this custom CA is the only CA that the server should trust.
In application.conf, I added the following configuration to set up the HTTPS server and to replace the default trust store with the custom CA certificate:
    play {
      server {
        https {
          keyStore {
            path = "/path/to/store",
            password = "password",
            type = "PKCS12"
          }
          needClientAuth = true
        }
      }
    }

    ssl-config {
      trustManager = {
        stores = [
          { type = "PEM", path = "path/to/ca/certificate" }
        ]
      }
    }
With debug enabled, when the application is initializing, I see that the custom CA certificate is loaded:
    adding as trusted cert:
      Subject: EMAILADDRESS=ca@mydomain.com, CN=CustAuth, O=MyOrg, L=City, ST=12345, C=FR
      Issuer: EMAILADDRESS=ca@mydomain.com, CN=CustAuth, O=MyOrg, L=City, ST=12345, C=FR
      Valid from Wed Jul 06 15:38:40 CEST 2005 until Tue Jul 01 15:38:40 CEST 2025
However, I also see the following lines a little further on in the logs:
    trustStore is: /usr/lib/jvm/java-8-openjdk-amd64/jre/lib/security/cacerts
    trustStore type is : jks
    trustStore provider is :
    init truststore
I did not expect nor want the server to use the default JRE trust store. Why isn't it disabled?
When the client connects, I see in the logs that its certificate is correctly read:
    chain [0] = [
      Subject: EMAILADDRESS=devnull@mydomain.com, CN=My User, OU="User#41183", O=MyOrg, C=FR
      Validity: [From: Thu Jan 11 10:17:12 CET 2018, To: Tue Jan 10 10:17:12 CET 2023]
      Issuer: EMAILADDRESS=ca@mydomain.com, CN=CustAuth, O=MyOrg, L=City, ST=12345, C=FR
    ]
    chain [1] = [
      Subject: EMAILADDRESS=ca@mydomain.com, CN=CustAuth, O=MyOrg, L=City, ST=12345, C=FR
      Validity: [From: Wed Jul 06 15:38:40 CEST 2005, To: Tue Jul 01 15:38:40 CEST 2025]
      Issuer: EMAILADDRESS=ca@mydomain.com, CN=CustAuth, O=MyOrg, L=City, ST=12345, C=FR
    ]
The client's issuer matches the previously loaded custom CA certificate. However, the following error is thrown:
    application-akka.actor.default-dispatcher-2, fatal error: 46: General SSLEngine problem
    sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
I also noticed that if I import the custom CA certificate into the default trust store, the authentication works. I am starting to suspect that the trust store configuration is overridden by the default configuration.
What else could I be doing wrong?
(I first posted my question on Stackoverflow https://stackoverflow.com/questions/55494730/unable-to-validate-client-certificate-with-akka-http-server-play-framework)
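A stand-alone check added by the editor; it is not part of the original post, of the Stack Overflow question, or of the Play or ssl-config code bases. It reproduces the server's trust decision outside Play: the client chain from the log above is validated once with a PKIX trust manager built from the CA PEM alone (the effect the ssl-config trustManager block is meant to have) and once with the JVM default trust manager, which is what the "trustStore is: .../cacerts" debug lines describe. The class name, argument handling and printed labels are the editor's own; the program takes the CA file and the client certificate (with the CA appended if the client does not send it, as it does here) as PEM paths on the command line, since certificates cannot be constructed in plain Java without extra libraries.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.List;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

// Editor's diagnostic, not Play or ssl-config code: validate a client certificate
// chain against (a) a trust store holding only one PEM file and (b) the JVM default.
public class ClientChainCheck {

    // Read every X.509 certificate in a PEM file; a chain file yields several.
    static List<X509Certificate> readPem(String path) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        List<X509Certificate> certs = new ArrayList<>();
        try (InputStream in = new FileInputStream(path)) {
            for (Certificate c : cf.generateCertificates(in)) {
                certs.add((X509Certificate) c);
            }
        }
        if (certs.isEmpty()) throw new CertificateException("no certificates in " + path);
        return certs;
    }

    static X509TrustManager firstX509(TrustManagerFactory tmf) {
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) return (X509TrustManager) tm;
        }
        throw new IllegalStateException("factory returned no X509TrustManager");
    }

    // Trust manager whose only anchors are the given certificates. It is built on an
    // empty in-memory KeyStore, so cacerts is never consulted.
    static X509TrustManager customOnly(List<X509Certificate> anchors) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        ks.load(null, null);
        int i = 0;
        for (X509Certificate ca : anchors) ks.setCertificateEntry("custom-ca-" + (i++), ca);
        TrustManagerFactory tmf = TrustManagerFactory.getInstance("PKIX");
        tmf.init(ks);
        return firstX509(tmf);
    }

    // JSSE default: javax.net.ssl.trustStore if set, otherwise the JRE's lib/security/cacerts.
    static X509TrustManager jvmDefault() throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null);
        return firstX509(tmf);
    }

    // Same call the server side of a TLS handshake makes for a client certificate.
    static void check(String label, X509TrustManager tm, X509Certificate[] chain) {
        System.out.println(label + ": " + tm.getAcceptedIssuers().length + " trusted issuer(s)");
        try {
            tm.checkClientTrusted(chain, "RSA");
            System.out.println("  client chain ACCEPTED");
        } catch (CertificateException e) {
            System.out.println("  client chain REJECTED: " + e.getMessage());
        }
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 2) {
            System.err.println("usage: java ClientChainCheck <ca.pem> <client-chain.pem>");
            System.exit(2);
        }
        List<X509Certificate> anchors = readPem(args[0]);
        X509Certificate[] chain = readPem(args[1]).toArray(new X509Certificate[0]);
        System.out.println("leaf subject: " + chain[0].getSubjectX500Principal());
        System.out.println("leaf issuer : " + chain[0].getIssuerX500Principal());
        for (X509Certificate ca : anchors) {
            System.out.println("anchor      : " + ca.getSubjectX500Principal());
        }
        check("PEM-only trust manager", customOnly(anchors), chain);
        check("JVM default trust manager", jvmDefault(), chain);
    }
}
```

If the PEM-only check accepts the chain and the JVM default rejects it, the certificates are fine and the open question is which trust manager the running Play server actually ends up with; if the PEM-only check also rejects it, the problem is in the certificates themselves (for example a CA file that does not contain the certificate the client's issuer name refers to). Running this program with -Djavax.net.debug=ssl prints the same "adding as trusted cert" lines as in the post, which makes it easy to compare the two. One detail worth checking on the way is that the trust store path in the posted configuration is relative ("path/to/ca/certificate") while the key store path is absolute; a relative path is resolved against the working directory of the process that opens it, so it is worth confirming the server resolves it to the file that was inspected by hand.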