I am running a local Spring boot app that uses oauth2.0 and ssl.
I am using a zerossl signed certificate which is stored in /src/main/resources, and I've imported into the keychain in the project resources.
I am able to retrieve a token and call the /oauth/check_token endpoint manually, however when I try to hit any other endpoint I get the following error:
.o.s.r.w.BearerTokenAuthenticationFilter : Authentication request for failed!
org.springframework.security.authentication.AuthenticationServiceException: I/O error on POST request for "https://localhost:8443/oauth/check_token": PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target;
nested exception is javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
application.properties:
# The format used for the keystore. It could be set to JKS in case it is a JKS file
server.ssl.key-store-type=PKCS12
# The path to the keystore containing the certificate
server.ssl.key-store=classpath:demo.p12
# The password used to generate the certificate
server.ssl.key-store-password=*****
# The alias mapped to the certificate
server.ssl.key-alias=demo
server.ssl.enabled=true
security.oauth2.resource.token-info-uri=https://localhost:8443/oauth/check_token
security.oauth2.client.registered-redirect-uri=https://localhost:8443/test
spring.security.oauth2.resourceserver.opaquetoken.introspection-uri=https://localhost:8443/oauth/check_token
Stepping through the code it looks like when the NimbusOpaqueTokenIntrospector tries to check the token by calling POST https://localhost:8443/oauth/check_token it is not even hitting the endpoint (I placed a breakpoint in CheckTokenEndpoint controller) and getting the above KPIX error. I've tried using a custom RestTemplate that specifies the SSL context but I'm still seeing the same error.
If you are still struggling with this, I also experienced the same issue and also tried to install the Valid certificate into my JDK ca-certs. That was actually the correct solution except that even though both the RootCa and ActualDomain certs were installed as trusted certs in JDK ca-certs, there was an intermediate certificate issued just recently that I had left out. I installed the intermediate certificate as a trusted cert into the JDK ca-certs and the TLS certificate is no more.