Java error when connecting to DocumentDB (mongo) using SSL (JKS + truststore) - docker-compose


I have a Java environment (Spring Boot) running on docker-compose, which I deploy on EC2 (AWS). I have configured my database in DocumentDB (AWS); it already runs in Lambda and connects normally using an SSL connection (JKS truststore). However, when trying to connect from the EC2 container, it shows the following errors:

2020-10-13 00:28:11.534 INFO 6 --- [onaws.com:27017] org.mongodb.driver.cluster : Exception in monitor thread while connecting to server CONNECTION.us-east-1.docdb.amazonaws.com:27017

com.mongodb.MongoSocketWriteException: Exception sending message
    at com.mongodb.internal.connection.InternalStreamConnection.translateWriteException(InternalStreamConnection.java:551) ~[mongo-java-driver-3.12.7.jar!/:na]
    at com.mongodb.internal.connection.InternalStreamConnection.sendMessage(InternalStreamConnection.java:433) ~[mongo-java-driver-3.12.7.jar!/:na]
    at com.mongodb.internal.connection.InternalStreamConnection.sendCommandMessage(InternalStreamConnection.java:273) ~[mongo-java-driver-3.12.7.jar!/:na]
    at com.mongodb.internal.connection.InternalStreamConnection.sendAndReceive(InternalStreamConnection.java:257) ~[mongo-java-driver-3.12.7.jar!/:na]
    at com.mongodb.internal.connection.CommandHelper.sendAndReceive(CommandHelper.java:83) ~[mongo-java-driver-3.12.7.jar!/:na]
    at com.mongodb.internal.connection.CommandHelper.executeCommand(CommandHelper.java:33) ~[mongo-java-driver-3.12.7.jar!/:na]
    at com.mongodb.internal.connection.InternalStreamConnectionInitializer.initializeConnectionDescription(InternalStreamConnectionInitializer.java:105) ~[mongo-java-driver-3.12.7.jar!/:na]
    at com.mongodb.internal.connection.InternalStreamConnectionInitializer.initialize(InternalStreamConnectionInitializer.java:62) ~[mongo-java-driver-3.12.7.jar!/:na]
    at com.mongodb.internal.connection.InternalStreamConnection.open(InternalStreamConnection.java:129) ~[mongo-java-driver-3.12.7.jar!/:na]
    at com.mongodb.internal.connection.DefaultServerMonitor$ServerMonitorRunnable.run(DefaultServerMonitor.java:117) ~[mongo-java-driver-3.12.7.jar!/:na]
    at java.base/java.lang.Thread.run(Thread.java:834) ~[na:na]
Caused by: javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:131) ~[na:na]
    at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:320) ~[na:na]
    at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:263) ~[na:na]
    at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:258) ~[na:na]
    at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.checkServerCerts(CertificateMessage.java:645) ~[na:na]
    at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.onCertificate(CertificateMessage.java:464) ~[na:na]
    at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.consume(CertificateMessage.java:360) ~[na:na]
    at java.base/sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:392) ~[na:na]
    at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:443) ~[na:na]
    at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:421) ~[na:na]
    at java.base/sun.security.ssl.TransportContext.dispatch(TransportContext.java:177) ~[na:na]
    at java.base/sun.security.ssl.SSLTransport.decode(SSLTransport.java:164) ~[na:na]
    at java.base/sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1151) ~[na:na]
    at java.base/sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1062) ~[na:na]
    at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:402) ~[na:na]
    at java.base/sun.security.ssl.SSLSocketImpl.ensureNegotiated(SSLSocketImpl.java:716) ~[na:na]
    at java.base/sun.security.ssl.SSLSocketImpl$AppOutputStream.write(SSLSocketImpl.java:969) ~[na:na]
    at com.mongodb.internal.connection.SocketStream.write(SocketStream.java:99) ~[mongo-java-driver-3.12.7.jar!/:na]
    at com.mongodb.internal.connection.InternalStreamConnection.sendMessage(InternalStreamConnection.java:430) ~[mongo-java-driver-3.12.7.jar!/:na]
    ... 9 common frames omitted
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at java.base/sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:439) ~[na:na]
    at java.base/sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:306) ~[na:na]
    at java.base/sun.security.validator.Validator.validate(Validator.java:264) ~[na:na]
    at java.base/sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:313) ~[na:na]
    at java.base/sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:222) ~[na:na]
    at java.base/sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:129) ~[na:na]
    at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.checkServerCerts(CertificateMessage.java:629) ~[na:na]
    ... 23 common frames omitted
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at java.base/sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141) ~[na:na]
    at java.base/sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126) ~[na:na]
    at java.base/java.security.cert.CertPathBuilder.build(CertPathBuilder.java:297) ~[na:na]
    at java.base/sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:434) ~[na:na]
    ... 29 common frames omitted

The same files used in the test Lambda connection are also being used in the main connection of my application; even after passing the full path of the .jks file, the error persists.


There is 1 answer below.


Try to debug with -Djavax.net.debug=ssl,handshake; you will have more info.

Check the certificate chain; maybe the validation is more restrictive in the EC2 container?

What's the setting of the keystore.type parameter in both the Lambda and EC2 java.security files?
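A way to make the two points in this answer concrete (the certificate chain the JVM actually trusts, and the keystore.type dependency) is to stop relying on -Djavax.net.ssl.trustStore and java.security inside the container and instead load the JKS explicitly, print what it contains, and hand the resulting SSLContext to the MongoDB driver. The diagnostic below is an added example, not code from the question, the answer, or the MongoDB driver project; the environment variable names DOCDB_URI, DOCDB_TRUSTSTORE and DOCDB_TRUSTSTORE_PASSWORD and the class name DocDbTlsCheck are assumptions for illustration. It targets mongo-java-driver 3.12 (the version in the stack trace) and JDK 11.

```java
import com.mongodb.ConnectionString;
import com.mongodb.MongoClientSettings;
import com.mongodb.client.MongoClient;
import com.mongodb.client.MongoClients;
import org.bson.Document;

import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;
import java.io.FileInputStream;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;

/**
 * Added diagnostic example (not from the question or the answer above).
 * Loads the JKS truststore explicitly, reports what it actually contains, and
 * gives the resulting SSLContext directly to the MongoDB driver, so the TLS
 * trust decision no longer depends on -Djavax.net.ssl.* flags or on the
 * keystore.type setting in the container's java.security.
 *
 * Assumed environment variables (hypothetical names, not from the page):
 *   DOCDB_URI                 e.g. mongodb://user:pass@host:27017/?tls=true&replicaSet=rs0&retryWrites=false
 *   DOCDB_TRUSTSTORE          path to the .jks as seen INSIDE the container, e.g. /app/certs/rds-truststore.jks
 *   DOCDB_TRUSTSTORE_PASSWORD the truststore password
 */
public class DocDbTlsCheck {

    /** Load the truststore, failing with a clear message when the path or password is wrong. */
    static KeyStore loadTrustStore(Path path, char[] password) throws Exception {
        if (!Files.isReadable(path)) {
            throw new IllegalStateException("truststore not readable at " + path
                    + " (inside the container: is the file COPY'd into the image or mounted as a volume?)");
        }
        // Explicit "JKS" rather than KeyStore.getDefaultType(): the default follows
        // keystore.type in java.security, which is "pkcs12" on JDK 9 and later.
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(path.toFile())) {
            ks.load(in, password);
        }
        return ks;
    }

    /** Subject DN of every certificate in the store, so you can see whether the Amazon RDS CA is present. */
    static List<String> trustedSubjects(KeyStore ks) throws Exception {
        List<String> subjects = new ArrayList<>();
        for (String alias : Collections.list(ks.aliases())) {
            Certificate c = ks.getCertificate(alias);
            if (c instanceof X509Certificate) {
                subjects.add(alias + " -> " + ((X509Certificate) c).getSubjectX500Principal().getName());
            }
        }
        return subjects;
    }

    /** An SSLContext that trusts ONLY what is in this truststore (no fallback to the JDK cacerts). */
    static SSLContext sslContextFor(KeyStore ks) throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        Path trustStore = Paths.get(System.getenv("DOCDB_TRUSTSTORE"));
        char[] password = System.getenv("DOCDB_TRUSTSTORE_PASSWORD").toCharArray();

        KeyStore ks = loadTrustStore(trustStore, password);
        List<String> subjects = trustedSubjects(ks);
        if (subjects.isEmpty()) {
            throw new IllegalStateException("truststore " + trustStore + " contains no certificates");
        }
        subjects.forEach(s -> System.out.println("trusted: " + s));

        SSLContext ctx = sslContextFor(ks);
        MongoClientSettings settings = MongoClientSettings.builder()
                .applyConnectionString(new ConnectionString(System.getenv("DOCDB_URI")))
                .applyToSslSettings(b -> b.enabled(true).context(ctx))
                .build();

        try (MongoClient client = MongoClients.create(settings)) {
            // ping forces the TLS handshake; a truststore without the RDS CA fails here
            // with the same "PKIX path building failed" error shown in the question.
            Document pong = client.getDatabase("admin").runCommand(new Document("ping", 1));
            System.out.println("ping ok: " + pong.toJson());
        }
    }
}
```

Run it inside the container (with -Djavax.net.debug=ssl,handshake, as the answer suggests, if you want the handshake detail as well). If the "trusted:" lines do not include the Amazon RDS CA that signed the DocumentDB endpoint's certificate, the JKS you shipped is not the one that worked in Lambda, however correct the path is; if the program fails before printing anything, the path or password is wrong in the container's environment rather than the certificate chain. Because the SSLContext is built from the store explicitly, keystore.type in java.security no longer matters for this connection.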