Authentication issue with client certificate and custom authority

akka-http
(Emmanuel Guiton) #1

Hello,

Using the 2.7 Play Framework, I am trying to set up an HTTPS server with client authentication. The authentication always fails with unable to find valid certification path to requested target .

The client certificate is signed by a custom certificate authority that uses a self-signed certificate. In my setup, this custom CA is the only CA that the server should trust.

In application.conf I added the following configuration to set up the HTTPS server and to replace the default trust store with the custom CA certificate.

play {
  server {
    https {
      keyStore {
        path = "/path/to/store",
        password = "password",
        type = "PKCS12"
      }
      needClientAuth = true
    }
  }
}

ssl-config {
  trustManager = {
    stores = [
      { type = "PEM", path = "path/to/ca/certificate" }
    ]
  }
}

With debug enabled, when the application is initializing, I see the custom CA certificate is loaded :

adding as trusted cert:
  Subject: EMAILADDRESS=ca@mydomain.com, CN=CustAuth, O=MyOrg, L=City, ST=12345, C=FR
  Issuer:  EMAILADDRESS=ca@mydomain.com, CN=CustAuth, O=MyOrg, L=City, ST=12345, C=FR
  Valid from Wed Jul 06 15:38:40 CEST 2005 until Tue Jul 01 15:38:40 CEST 2025

However, I also see the following lines a little further in the logs :

trustStore is: /usr/lib/jvm/java-8-openjdk-amd64/jre/lib/security/cacerts
trustStore type is : jks
trustStore provider is : 
init truststore

I did not expect nor want the server to use the default JRE trust store. Why isn’t it disabled ?

When the client connects, I see in the logs that its certificate is correctly read :

chain [0] = [
Subject: EMAILADDRESS=devnull@mydomain.com, CN=My User, OU="User#41183", O=MyOrg, C=FR
Validity: [From: Thu Jan 11 10:17:12 CET 2018, To: Tue Jan 10 10:17:12 CET 2023]
Issuer: EMAILADDRESS=ca@mydomain.com, CN=CustAuth, O=MyOrg, L=City, ST=12345, C=FR
]
chain [1] = [
Subject: EMAILADDRESS=ca@mydomain.com, CN=CustAuth, O=MyOrg, L=City, ST=12345, C=FR
Validity: [From: Wed Jul 06 15:38:40 CEST 2005, To: Tue Jul 01 15:38:40 CEST 2025]
Issuer: EMAILADDRESS=ca@mydomain.com, CN=CustAuth, O=MyOrg, L=City, ST=12345, C=FR
]

The client issuer matches the previously loaded custom CA certificate. However, the following error is thrown :

application-akka.actor.default-dispatcher-2, fatal error: 46: General SSLEngine problem
sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

I also noticed that if I import the custom CA certificate into the default trust store, the authentication is working. I start suspecting that the trust store configuration is overridden by the default configuration.
What else could I do wrong ?

(I first posted my question on Stackoverflow https://stackoverflow.com/questions/55494730/unable-to-validate-client-certificate-with-akka-http-server-play-framework)