Okay, this might be a lengthy one.
So my objective is to fetch a secret from a KeyVault and print it in the console. It is a basic app that I am using to learn about Azure and Spring Boot.
So I created a KeyVault and saved a secret value in there. But I was getting endless SSL Handshake errors. So someone suggested that I need a Private Endpoint to fetch the resource on my local laptop. So I delved into it, read a lot of articles and guides. And now I am stuck in the same place. I still get SSL Handshake Errors.
I am on my company VPN and am trying via my company's proxy.
So here is what I did.
- I created a KeyVault and stored a secret key. I did my app registration in Azure Active Directory. I am using Vault-based access for my key vault. My KeyVault looks like this.
Then I created a Virtual Network, whose details look like this:
And the subnet page:
Then on the KeyVault Networking page:
And my Private Endpoint Page:
But with this setup I was getting ForbiddenByFirewall or something along those lines. So on a hunch, I just added my local and proxy IP as the client IP in the Firewall section of the networking page.
And now I am back to getting SSL handshake errors. I am on the verge of giving up. It's been a week of reading and trying different things out.
My Spring Boot application properties look like this:
```properties
debug=false
spring.cloud.azure.keyvault.secret.property-sources[0].credential.client-id=My_CLIENT_ID
spring.cloud.azure.keyvault.secret.property-sources[0].credential.client-secret=MY-CLIENT_SECRET
spring.cloud.azure.keyvault.secret.property-sources[0].profile.tenant-id=MY_TENANT_ID
spring.cloud.azure.keyvault.secret.property-sources[0].endpoint=https://keyvault-demo-testing.vault.azure.net/
spring.cloud.azure.keyvault.secret.property-sources[0].proxy.hostname=MY_COMPANY_PROXY
spring.cloud.azure.keyvault.secret.property-sources[0].proxy.port=8080
spring.cloud.azure.keyvault.secret.property-sources[0].proxy.password=password
spring.cloud.azure.keyvault.secret.property-sources[0].proxy.username=anonymous
spring.cloud.azure.keyvault.secret.property-sources[0].proxy.type=HTTP
spring.cloud.azure.keyvault.secret.property-sources[0].client.connect-timeout=20000
spring.datasource.url=jdbc:postgresql://localhost:5432/postgres
spring.datasource.username=postgres
spring.datasource.password=temp123
```
And the error that I get is:
```
2023-06-28 19:52:07.449 INFO 17988 --- [ restartedMain] o.a.c.c.C.[Tomcat].[localhost].[/] : Initializing Spring embedded WebApplicationContext
2023-06-28 19:52:07.449 INFO 17988 --- [ restartedMain] w.s.c.ServletWebServerApplicationContext : Root WebApplicationContext: initialization completed in 2551 ms
2023-06-28 19:52:08.014 INFO 17988 --- [ restartedMain] AbstractAzureServiceClientBuilderFactory : Will configure the default credential of type DefaultAzureCredential for class com.azure.identity.DefaultAzureCredentialBuilder.
2023-06-28 19:52:08.227 INFO 17988 --- [ restartedMain] o.s.b.d.a.OptionalLiveReloadServer : LiveReload server is running on port 35729
2023-06-28 19:52:08.232 INFO 17988 --- [ restartedMain] o.s.b.a.e.web.EndpointLinksResolver : Exposing 1 endpoint(s) beneath base path '/actuator'
2023-06-28 19:52:08.293 INFO 17988 --- [ restartedMain] o.s.b.w.embedded.tomcat.TomcatWebServer : Tomcat started on port(s): 8080 (http) with context path ''
2023-06-28 19:52:08.349 INFO 17988 --- [ restartedMain] c.example.demo.KeyvaultDemoApplication : Started KeyvaultDemoApplication in 13.215 seconds (JVM running for 14.61)
2023-06-28 19:52:08.422 INFO 17988 --- [ restartedMain] c.azure.identity.ChainedTokenCredential : Azure Identity => Attempted credential EnvironmentCredential is unavailable.
2023-06-28 19:52:08.422 ERROR 17988 --- [ restartedMain] c.a.identity.WorkloadIdentityCredential : WorkloadIdentityCredential authentication unavailable. The workload options are not fully configured. See the troubleshooting guide for more information. https://aka.ms/azsdk/java/identity/workloadidentitycredential/troubleshoot
2023-06-28 19:52:08.440 INFO 17988 --- [ restartedMain] c.azure.identity.ChainedTokenCredential : Azure Identity => Attempted credential WorkloadIdentityCredential is unavailable.
2023-06-28 19:52:08.485 INFO 17988 --- [nPool-worker-19] c.azure.identity.ChainedTokenCredential : Azure Identity => Attempted credential ManagedIdentityCredential is unavailable.
2023-06-28 19:52:08.727 INFO 17988 --- [nPool-worker-19] c.azure.identity.ChainedTokenCredential : Azure Identity => Attempted credential AzureDeveloperCliCredential is unavailable.
2023-06-28 19:52:08.791 INFO 17988 --- [nPool-worker-19] c.azure.identity.ChainedTokenCredential : Azure Identity => Attempted credential SharedTokenCacheCredential is unavailable.
2023-06-28 19:52:08.951 ERROR 17988 --- [nPool-worker-19] c.a.i.i.WindowsCredentialAccessor : Element not found.
2023-06-28 19:52:08.952 INFO 17988 --- [nPool-worker-19] c.azure.identity.ChainedTokenCredential : Azure Identity => Attempted credential IntelliJCredential is unavailable.
2023-06-28 19:52:11.105 INFO 17988 --- [nPool-worker-19] com.azure.identity.AzureCliCredential : Azure Identity => getToken() result for scopes [https://vault.azure.net/.default]: SUCCESS
2023-06-28 19:52:11.105 INFO 17988 --- [nPool-worker-19] c.azure.identity.ChainedTokenCredential : Azure Identity => Attempted credential AzureCliCredential returns a token
2023-06-28 19:52:11.114 INFO 17988 --- [nPool-worker-19] c.a.c.implementation.AccessTokenCache : {"az.sdk.message":"Acquired a new access token."}
2023-06-28 19:52:21.928 ERROR 17988 --- [ restartedMain] c.a.c.http.netty.NettyAsyncHttpClient : io.netty.handler.ssl.SslHandshakeTimeoutException: handshake timed out after 10000ms
2023-06-28 19:52:21.939 WARN 17988 --- [ctor-http-nio-3] r.netty.http.client.HttpClientConnect : [b9fc19b5, L:/135.75.71.239:64554 - R:keyvault-demo-testing.vault.azure.net/20.62.134.229:443] The connection observed an error
io.netty.handler.ssl.SslHandshakeTimeoutException: handshake timed out after 10000ms
at io.netty.handler.ssl.SslHandler$7.run(SslHandler.java:2125) ~[netty-handler-4.1.92.Final.jar:4.1.92.Final]
at io.netty.util.concurrent.PromiseTask.runTask(PromiseTask.java:98) ~[netty-common-4.1.92.Final.jar:4.1.92.Final]
at io.netty.util.concurrent.ScheduledFutureTask.run(ScheduledFutureTask.java:153) ~[netty-common-4.1.92.Final.jar:4.1.92.Final]
at io.netty.util.concurrent.AbstractEventExecutor.runTask(AbstractEventExecutor.java:174) ~[netty-common-4.1.92.Final.jar:4.1.92.Final]
at io.netty.util.concurrent.AbstractEventExecutor.safeExecute(AbstractEventExecutor.java:167) ~[netty-common-4.1.92.Final.jar:4.1.92.Final]
at io.netty.util.concurrent.SingleThreadEventExecutor.runAllTasks(SingleThreadEventExecutor.java:470) ~[netty-common-4.1.92.Final.jar:4.1.92.Final]
at io.netty.channel.nio.NioEventLoop.run(NioEventLoop.java:569) ~[netty-transport-4.1.92.Final.jar:4.1.92.Final]
at io.netty.util.concurrent.SingleThreadEventExecutor$4.run(SingleThreadEventExecutor.java:997) ~[netty-common-4.1.92.Final.jar:4.1.92.Final]
at io.netty.util.internal.ThreadExecutorMap$2.run(ThreadExecutorMap.java:74) ~[netty-common-4.1.92.Final.jar:4.1.92.Final]
at io.netty.util.concurrent.FastThreadLocalRunnable.run(FastThreadLocalRunnable.java:30) ~[netty-common-4.1.92.Final.jar:4.1.92.Final]
at java.base/java.lang.Thread.run(Thread.java:834) ~[na:na]
```
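Two things in the post are worth checking outside the Spring Boot app before touching more Azure settings: the connection log line shows the vault name resolving to `20.62.134.229`, a public address, so the private endpoint is not on the path from this laptop (the vault's privatelink DNS zone is not visible to it), and the failure is a handshake timeout rather than a certificate error, which points at the proxy or firewall not passing the tunnelled traffic. The diagnostic below is an added example and is not the poster's code or part of the Azure SDK: it reads the same Spring Cloud Azure property keys, classifies where the vault name resolves to, and attempts a TLS handshake through an HTTP `CONNECT` proxy so that "proxy refused" and "handshake timed out" can be told apart. The proxy host `proxy.example.invalid`, the sample properties, and the stub proxy used for the offline run are constructed.

```python
import ipaddress
import socket
import ssl
import threading
from typing import Callable, Dict, Tuple

# Key prefix Spring Cloud Azure uses for the first Key Vault property source.
PREFIX = "spring.cloud.azure.keyvault.secret.property-sources[0]."

# Constructed sample mirroring the question's application.properties (no real credentials).
SAMPLE_PROPERTIES = """\
spring.cloud.azure.keyvault.secret.property-sources[0].endpoint=https://keyvault-demo-testing.vault.azure.net/
spring.cloud.azure.keyvault.secret.property-sources[0].proxy.hostname=proxy.example.invalid
spring.cloud.azure.keyvault.secret.property-sources[0].proxy.port=8080
spring.cloud.azure.keyvault.secret.property-sources[0].proxy.type=HTTP
"""


def parse_properties(text: str) -> Dict[str, str]:
    """Minimal Java .properties reader: one key=value per line, '#'/'!' lines are comments."""
    props: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def keyvault_settings(props: Dict[str, str]) -> Dict[str, object]:
    """Extract the vault host name and the proxy settings the SDK client will use."""
    endpoint = props.get(PREFIX + "endpoint", "")
    host = endpoint.split("://", 1)[-1].split("/")[0]
    return {
        "vault_host": host,
        "proxy_host": props.get(PREFIX + "proxy.hostname", ""),
        "proxy_port": int(props.get(PREFIX + "proxy.port", "0")),
        "proxy_type": props.get(PREFIX + "proxy.type", "HTTP"),
    }


def is_private_endpoint_address(addr: str) -> bool:
    """A private endpoint NIC gets an address from the VNet subnet (RFC 1918 space);
    the public Key Vault front end never does."""
    return ipaddress.ip_address(addr).is_private


def classify_resolution(host: str,
                        resolver: Callable[[str], str] = socket.gethostbyname) -> Tuple[str, str]:
    """Resolve the vault name and report which path traffic will take. 'public endpoint'
    means the privatelink DNS zone is not in effect for this machine's resolver."""
    addr = resolver(host)
    path = "private endpoint" if is_private_endpoint_address(addr) else "public endpoint"
    return addr, path


def tls_handshake_via_proxy(host: str, port: int, proxy_host: str, proxy_port: int,
                            timeout: float = 10.0) -> Tuple[bool, str]:
    """Open an HTTP CONNECT tunnel through the proxy, then run a TLS handshake over it.
    Separates a proxy that refuses CONNECT from a tunnel that never answers the
    ClientHello (the SslHandshakeTimeoutException case in the log)."""
    try:
        with socket.create_connection((proxy_host, proxy_port), timeout=timeout) as raw:
            raw.sendall(f"CONNECT {host}:{port} HTTP/1.1\r\nHost: {host}:{port}\r\n\r\n".encode())
            status_line = raw.recv(4096).split(b"\r\n", 1)[0].decode(errors="replace")
            if " 200 " not in status_line:
                return False, f"proxy refused CONNECT: {status_line}"
            ctx = ssl.create_default_context()  # verifies the vault's certificate chain
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return True, f"{tls.version()} handshake to {host} succeeded"
    except socket.timeout:
        return False, f"timeout: no reply within {timeout}s (proxy, NSG or vault firewall not passing traffic)"
    except (OSError, ssl.SSLError) as exc:
        return False, f"{type(exc).__name__}: {exc}"


def start_stub_proxy(status_line: bytes) -> int:
    """Constructed stand-in for a corporate proxy: answers one CONNECT with status_line
    and returns the local port, so the diagnostic can be exercised offline."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve() -> None:
        conn, _ = srv.accept()
        conn.recv(1024)
        conn.sendall(status_line + b"\r\n\r\n")
        conn.close()
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


if __name__ == "__main__":
    cfg = keyvault_settings(parse_properties(SAMPLE_PROPERTIES))
    vault = str(cfg["vault_host"])
    # Offline demonstration against the stub; on a real run pass cfg["proxy_host"]/cfg["proxy_port"]
    # and drop the resolver override so the machine's own DNS is used.
    print(classify_resolution(vault, resolver=lambda _h: "20.62.134.229"))
    port = start_stub_proxy(b"HTTP/1.1 403 Forbidden")
    print(tls_handshake_via_proxy(vault, 443, "127.0.0.1", port, timeout=5))
```

On the real laptop, run `classify_resolution` with the default resolver first: if it reports the public endpoint, the private endpoint setup is not what the app is talking to, and the vault firewall plus the proxy are what decide whether the handshake completes. Only once the name resolves to the VNet address does the private endpoint matter, and at that point the laptop still needs a route into the VNet (VPN or ExpressRoute), which a corporate proxy on its own does not provide.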