SslBundle can no longer open store file locations without using a 'file:' prefix #43274

Closed
ibmmqmet opened this issue Nov 23, 2024 · 7 comments

@ibmmqmet
Contributor

I am getting an exception with the SslBundles not being able to load the keystore. This worked fine with Spring Boot 3.3.6 (and previous levels). The file key.jks is in my current directory, from where the app is being run via gradle bootRun.

Configuration:

spring:
  jms:
    cache:
      enabled: true
  ssl:
    bundle:
      jks:
        ibmmq:
          truststore:
            location: "key.jks"
            password: "passw0rd"
            type: "JKS"
          keystore:
            location: "key.jks"
            password: "passw0rd"
            type: "JKS"

Exception stack:

Failed to instantiate [org.springframework.jms.connection.CachingConnectionFactory]: Factory method 'cachingJmsConnectionFactory' threw exception with message: Could not load SSL context: Unable to create key store: Could not load store from 'key.jks'
        at org.springframework.beans.factory.support.ConstructorResolver.instantiate(ConstructorResolver.java:657)
        at org.springframework.beans.factory.support.ConstructorResolver.instantiateUsingFactoryMethod(ConstructorResolver.java:645)
        at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.instantiateUsingFactoryMethod(AbstractAutowireCapableBeanFactory.java:1351)
        at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBeanInstance(AbstractAutowireCapableBeanFactory.java:1181)
        at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.doCreateBean(AbstractAutowireCapableBeanFactory.java:563)
        at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBean(AbstractAutowireCapableBeanFactory.java:523)
        at org.springframework.beans.factory.support.AbstractBeanFactory.lambda$doGetBean$0(AbstractBeanFactory.java:336)
        at org.springframework.beans.factory.support.DefaultSingletonBeanRegistry.getSingleton(DefaultSingletonBeanRegistry.java:288)
        at org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:334)
        at org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:199)
        at org.springframework.beans.factory.support.DefaultListableBeanFactory.instantiateSingleton(DefaultListableBeanFactory.java:1122)
        at org.springframework.beans.factory.support.DefaultListableBeanFactory.preInstantiateSingleton(DefaultListableBeanFactory.java:1093)
        at org.springframework.beans.factory.support.DefaultListableBeanFactory.preInstantiateSingletons(DefaultListableBeanFactory.java:1030)
        at org.springframework.context.support.AbstractApplicationContext.finishBeanFactoryInitialization(AbstractApplicationContext.java:987)
        at org.springframework.context.support.AbstractApplicationContext.refresh(AbstractApplicationContext.java:627)
        at org.springframework.boot.SpringApplication.refresh(SpringApplication.java:752)
        at org.springframework.boot.SpringApplication.refreshContext(SpringApplication.java:439)
        at org.springframework.boot.SpringApplication.run(SpringApplication.java:318)
        at org.springframework.boot.SpringApplication.run(SpringApplication.java:1361)

with the root of the exception stack being

Caused by: java.lang.IllegalStateException: Could not load store from 'key.jks'
        at org.springframework.boot.ssl.jks.JksSslStoreBundle.loadKeyStore(JksSslStoreBundle.java:140)
        at org.springframework.boot.ssl.jks.JksSslStoreBundle.createKeyStore(JksSslStoreBundle.java:107)
        ... 39 common frames omitted
Caused by: java.io.FileNotFoundException: class path resource [key.jks] cannot be opened because it does not exist
        at org.springframework.core.io.ClassPathResource.getInputStream(ClassPathResource.java:215)
        at org.springframework.boot.ssl.jks.JksSslStoreBundle.loadKeyStore(JksSslStoreBundle.java:135)
        ... 40 common frames omitted
@spring-projects-issues spring-projects-issues added the status: waiting-for-triage An issue we've not yet triaged label Nov 23, 2024
@wilkinsona
Member

Thanks for the report. It may be due to #42835, but I cannot be certain as the problem does not reproduce if I try to recreate what you've described above. Most likely because nothing's using the SSL bundle that you've configured.

By specifying only key.jks as the location, it's ambiguous how that resource should be loaded. An attempt is being made to load it using the classpath and this failed. That makes sense as, judging by what you have described, key.jks will not be on the classpath. You could try file:key.jks instead to make it clear that you want to load the store from the file system.

If the above does not help and/or you'd like us to spend some time investigating further, please spend some time providing a complete yet minimal sample that reproduces the problem. You can share it with us by pushing it to a separate repository on GitHub or by zipping it up and attaching it to this issue.

@wilkinsona wilkinsona added the status: waiting-for-feedback We need additional information before we can continue label Nov 23, 2024
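
The resolution rule described in the comment above, shown with Spring Framework's `DefaultResourceLoader`. This is an added example, not code from the issue or from Spring Boot: the class name `StoreLocationResolution` and the empty placeholder `key.jks` are constructed, and using this loader to stand in for how Spring Boot 3.4.0 resolves store locations is an assumption.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;

import org.springframework.core.io.DefaultResourceLoader;
import org.springframework.core.io.Resource;
import org.springframework.core.io.ResourceLoader;

// Added illustration (hypothetical class name); needs spring-core on the classpath.
public class StoreLocationResolution {

    public static void main(String[] args) throws IOException {
        // Constructed sample: an empty placeholder named like the store in the
        // report, created in the working directory. It is not a real keystore.
        Path store = Path.of("key.jks");
        boolean created = Files.notExists(store);
        if (created) {
            Files.createFile(store);
        }
        try {
            ResourceLoader loader = new DefaultResourceLoader();
            String[] locations = {
                "key.jks",                         // bare name, as in the report
                "file:key.jks",                    // explicit file system lookup
                "classpath:key.jks",               // explicit classpath lookup
                store.toAbsolutePath().toString()  // absolute path, no prefix
            };
            for (String location : locations) {
                Resource resource = loader.getResource(location);
                // The description names the lookup strategy that was chosen;
                // exists() shows whether that strategy can find the file.
                System.out.printf("%s%n  type:        %s%n  description: %s%n  exists:      %b%n",
                        location, resource.getClass().getSimpleName(),
                        resource.getDescription(), resource.exists());
            }
        } finally {
            if (created) {
                Files.delete(store);
            }
        }
    }
}
```

With this loader only the `file:` form resolves to a file system resource; the bare name and the unprefixed absolute path are both described as `class path resource [...]`, the same wording that appears in the reported stack trace.
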
@ibmmqmet
Contributor Author

Adding file: does get it to work. I don't remember seeing that syntax in the original docs, and I based it on finding other examples of using raw filenames for keystores in Spring Boot projects. But perhaps I missed this being different.

Thanks for the quick response.

@spring-projects-issues spring-projects-issues added status: feedback-provided Feedback has been provided and removed status: waiting-for-feedback We need additional information before we can continue labels Nov 23, 2024
@wilkinsona
Member

Thanks for confirming that it works with the file: prefix. I'm going to re-open this as I'd like us to look at whether we can restore the old behavior in this area and also keep the benefits of the recent changes around resource loading.

@wilkinsona wilkinsona reopened this Nov 25, 2024
@wilkinsona wilkinsona removed the status: feedback-provided Feedback has been provided label Nov 25, 2024
silvestre added a commit to cloudfoundry/app-autoscaler-release that referenced this issue Nov 25, 2024
…ler configuration

# Issue

When updating to Spring Boot 3.4.0 the certs would no longer be found.
This is due to [Spring Boot 3.4.0 searching in the classpath first](spring-projects/spring-boot#43274).

# Fix

Prefix all paths with `file:`.
renovate bot added a commit to cloudfoundry/app-autoscaler-release that referenced this issue Nov 25, 2024
…rter-parent to v3.4.0 (#3362)

* fix(deps): update dependency org.springframework.boot:spring-boot-starter-parent to v3.4.0

* fix(config): update certificate paths to use `file:` prefix in scheduler configuration

# Issue

When updating to Spring Boot 3.4.0 the certs would no longer be found.
This is due to [Spring Boot 3.4.0 searching in the classpath first](spring-projects/spring-boot#43274).

# Fix

Prefix all paths with `file:`.

---------

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Co-authored-by: Silvestre Zabala <silvestre.zabala@sap.com>
@NYPD

NYPD commented Nov 25, 2024

I ran into a similar issue, but with a different error message:

***************************
APPLICATION FAILED TO START
***************************

Description:

The content of 'keystore.location' from bundle 'myBundle' is not watchable'. Only 'file:' resources are watchable, but '/usr/temp/certs/my-dev-keystore-pkcs12.p12' has been set

Action:

Update your application to correct the invalid configuration:
Either use a watchable resource, or disable bundle reloading by setting reload-on-update = false on the bundle.

spring.ssl.bundle.jks:
  myBundle:
    reload-on-update: true
    keystore:
      location: /usr/temp/certs/my-dev-keystore-pkcs12.p12
      password: superSecretPassword
      type: "PKCS12"

Adding file: in front of my location worked as well.

@darchangels13

This introduced a breaking change for me. While adding the file: prefix does allow the spring context to stand up, an unrelated 3rd party library is reading the same SSL properties and unfortunately doesn't handle the prefix properly.

At this time I'm considering whether I have to override the third party with a nearly-but-not-quite-duplicative value or figure out how to restore the original behavior.

@philwebb philwebb changed the title from "Spring Boot 3.4.0: SslBundle cannot open store" to "SslBundle can no longer open store file locations without using a 'file:' prefix" Dec 2, 2024
@philwebb philwebb added type: regression A regression from a previous release and removed status: waiting-for-triage An issue we've not yet triaged labels Dec 2, 2024
@philwebb philwebb added this to the 3.4.x milestone Dec 2, 2024
@philwebb philwebb self-assigned this Dec 3, 2024
@philwebb philwebb modified the milestones: 3.4.x, 3.4.1 Dec 3, 2024
MichiBaum added a commit to MichiBaum/Microservices that referenced this issue Dec 20, 2024
Fix: spring-projects/spring-boot#43274

Upgraded Spring Boot and Spring Boot Admin versions in `pom.xml` to 3.4.1 for latest fixes and improvements. Adjusted the keystore file path in `application-prod.yml` to remove the redundant `file:` prefix for better compatibility.