I have a quarkus-graphql, a quarkus-restservice and an openliberty restservice running in OpenShift in different namespaces. Quarkus-graphql is accessing the restservices using RestClient. In all the applications, tls.key and tls.crt are created by the OpenShift Service resource annotation service.alpha.openshift.io/serving-cert-secret-name: app-certs and added to the container as a volume. All apps have an initContainer in which the keystore.jks key is created from the above tls key and crt.
The apps are built with "./mvnw clean package", then pushed to the OpenShift docker-registry, and then the attached template is processed using the OpenShift oc command, which deploys the application to OpenShift.
When I try to access the RestClient from graphql, I get the error below:
{"timestamp":"2020-07-14T16:38:35.699Z","sequence":2534,"loggerClassName":"io.smallrye.graphql.SmallRyeGraphQLServerLogging_$logger","loggerName":"io.smallrye.graphql","level":"ERROR","message":"SRGQL012000: Data Fetching Error","threadName":"vert.x-worker-thread-4","threadId":31,"mdc":{"spanId":"bff570a4999237ef","traceId":"ce2fa5ea28bfe42b","sampled":"false"},"ndc":"","hostName":"graphql-mp-1-qxbjq","processName":"app.jar","processId":1,"exception":{"refId":1,"exceptionType":"javax.ws.rs.ProcessingException","message":"RESTEASY004655: Unable to invoke request: javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target","frames":[{"class":"org.jboss.resteasy.client.jaxrs.engines.ManualClosingApacheHttpClient43Engine","method":"invoke","line":287},{"class":"org.jboss.resteasy.client.jaxrs.internal.ClientInvocation","method":"invoke","line":488},{"class":"org.jboss.resteasy.client.jaxrs.internal.proxy.ClientInvoker","method":"invokeSync","line":149},{"class":"org.jboss.resteasy.client.jaxrs.internal.proxy.ClientInvoker","method":"invoke","line":112},{"class":"org.jboss.resteasy.client.jaxrs.internal.proxy.ClientProxy","method":"invoke","line":76},{"class":"com.sun.proxy.$Proxy57","method":"getUserDetails"},{"class":"jdk.internal.reflect.NativeMethodAccessorImpl","method":"invoke0"},{"class":"jdk.internal.reflect.NativeMethodAccessorImpl","method":"invoke","line":62},{"class":"jdk.internal.reflect.DelegatingMethodAccessorImpl","method":"invoke","line":43},{"class":"java.lang.reflect.Method","method":"invoke","line":566},{"class":"org.jboss.resteasy.microprofile.client.ProxyInvocationHandler","method":"invoke","line":144},{"class":"com.sun.proxy.$Proxy58","method":"getUserDetails"},{"class":"com.bcbsnc.EntityResource","method":"getQuarkusUserDetails","line":112},{"class":"com.bcbsnc.EntityResource_Subclass","method":"getQuarkusUserDetails$$superaccessor6","line":1464},{"class":"com.bcbsnc.EntityResource_Subclass$$function$$6","method":"apply","line":33},{"class":"io.quarkus.arc.impl.AroundInvokeInvocationContext","method":"proceed","line":54},{"class":"io.smallrye.faulttolerance.FaultToleranceInterceptor","method":"lambda$syncFlow$5","line":204},{"class":"io.smallrye.faulttolerance.core.InvocationContext","method":"call","line":20},{"class":"io.smallrye.faulttolerance.core.Invocation","method":"apply","line":24},{"class":"io.smallrye.faulttolerance.core.retry.Retry","method":"apply","line":50},{"class":"io.smallrye.faulttolerance.core.GeneralMetricsRecorder","method":"apply","line":17},{"class":"io.smallrye.faulttolerance.FaultToleranceInterceptor","method":"syncFlow","line":206},{"class":"io.smallrye.faulttolerance.FaultToleranceInterceptor","method":"interceptCommand","line":159}
Application properties:
quarkus.http.ssl-port=9443
quarkus.http.ssl.certificate.file=/var/run/secrets/openshift.io/app-certs/tls.crt
quarkus.http.ssl.certificate.key-file=/var/run/secrets/openshift.io/app-certs/tls.key
quarkus.http.ssl.certificate.key-store-file=/var/run/secrets/java.io/keystores/keystore.jks
quarkus.http.ssl.certificate.key-store-password=${KEYSTORE_PASSWORD:${DEFAULTVALUE}}
quarkus.http.insecure-requests=redirect
com.bcbsnc.dao.QuarkusService/mp-rest/url=<restService Endpoint>
com.bcbsnc.dao.QuarkusService/mp-rest/scope=javax.inject.Singleton
I have opened an issue, https://github.com/quarkusio/quarkus/issues/10727, but I would appreciate hearing from anybody who has run into this issue and resolved it.
Raj
Our OpenShift team had added a new certificate; once I added this cert to the calling app, the issue was fixed.
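
The resolution above comes down to whether the called service's certificate chains to a CA that the calling app trusts. The following is an added example, not code from the original thread: it uses openssl instead of the Java keystore, and the CA names, subjects and file names are constructed. It reproduces the failure with a trust bundle that lacks the issuing CA and shows it clearing once that CA is appended.

```sh
#!/bin/sh
# Added example. CA names, subjects and file names are constructed for the demo.

# chain_ok BUNDLE CERT: succeed only if CERT chains to a CA present in BUNDLE.
chain_ok() {
    out=$(openssl verify -CAfile "$1" "$2" 2>&1) || return 1
    printf '%s\n' "$out" | grep -q ': OK$'
}

# make_ca DIR NAME: create a self-signed CA (NAME.key, NAME.crt) in DIR.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
        -keyout "$1/$2.key" -out "$1/$2.crt" 2>/dev/null
}

# issue_cert DIR CA NAME: issue serving certificate NAME.crt signed by CA.
issue_cert() {
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$3" \
        -keyout "$1/$3.key" -out "$1/$3.csr" 2>/dev/null &&
    openssl x509 -req -in "$1/$3.csr" -days 1 -CA "$1/$2.crt" \
        -CAkey "$1/$2.key" -CAcreateserial -out "$1/$3.crt" 2>/dev/null
}

# demo: prints the verification result before and after the new CA is added
# to the caller's trust bundle.
demo() {
    d=$(mktemp -d) || return 1
    make_ca "$d" old-ca && make_ca "$d" new-ca &&
        issue_cert "$d" new-ca restservice || { rm -rf "$d"; return 1; }

    # The caller still trusts only the old CA; the service cert is from the new one.
    cp "$d/old-ca.crt" "$d/caller-bundle.pem"
    if chain_ok "$d/caller-bundle.pem" "$d/restservice.crt"
    then before=ok; else before=fail; fi

    # Append the new CA, as the fix in the thread did for the calling app.
    cat "$d/new-ca.crt" >> "$d/caller-bundle.pem"
    if chain_ok "$d/caller-bundle.pem" "$d/restservice.crt"
    then after=ok; else after=fail; fi

    rm -rf "$d"
    echo "before=$before after=$after"
}

demo   # before=fail after=ok
```

In the Java caller, the bundle corresponds to the truststore the RestClient uses; the keystore set through quarkus.http.ssl.certificate.* only provides the app's own serving identity.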