Truststore system property value not taking effect with Micronaut, OpenJDK 17 - 'Inaccessible trust store'


I want to use a custom truststore with OpenJDK 17 and Micronaut.

I want to access a link similar to - https://gitlab.com/api/v4/feature_flags/unleash/42

I have added the certificate belonging to the host to the custom truststore.

I tried to set up the custom truststore value using application.yml as well as VM arguments. I am also printing getProperty to ensure the truststore value has been updated when the application is up.

Here are the 2 properties I am setting -

  1. javax.net.ssl.trustStore
  2. javax.net.ssl.trustStorePassword

However, when I try to call the URL, I get the error - sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

On enabling ssl debug logs, I see lines like below -

javax.net.ssl|DEBUG|17|restartedMain|2022-06-06 09:07:35.247 EST|TrustStoreManager.java:161|Inaccessible trust store: truststore.jks
javax.net.ssl|DEBUG|17|restartedMain|2021-06-06 09:07:35.248 EST|TrustStoreManager.java:112|trustStore is: C:\Program Files\Java\jdk-17.0.2\lib\security\cacerts

Any ideas on how this can be fixed?

How can I override TrustStoreManager path? Why is it saying Inaccessible trust store?

Note: I am on a Citrix VM, where I don't have permissions to add certs to the default cacerts.

There is 1 best solution below

You should be able to configure your custom trust store via Micronaut configuration properties. See https://docs.micronaut.io/latest/guide/configurationreference.html#io.micronaut.http.client.ServiceHttpClientConfiguration.ServiceSslClientConfiguration.DefaultTrustStoreConfiguration

e.g. in application.yaml:

micronaut:
  http:
    client:
      ssl:
        trust-store:
          # location of the custom trust store (example path)
          path: file:/trustedcerts/custom-truststore.p12
          # placeholder password; supply your own
          password: 123456
          # keystore format of the file above (PKCS12 or JKS)
          type: PKCS12

If you use service clients you can even configure it for each service separately.
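As an added diagnostic example (not part of the question or the answer above, and not Micronaut or JDK code): the JDK's TrustStoreManager logs "Inaccessible trust store" when the value of javax.net.ssl.trustStore does not resolve to a readable regular file, and it then silently falls back to <java.home>/lib/security/cacerts, which is the pair of lines seen in the debug output above. A relative name such as truststore.jks is resolved against the JVM's working directory, not against the directory holding application.yml, and a key placed in application.yml is not a JVM system property at all. The program below resolves the path the same way java.io.File does, lists the certificates the store actually contains, and builds an SSLContext from the store explicitly, so the connection does not depend on the system property being picked up. The store name, password, store type and target URL are assumed command-line placeholders, not values from the page.

```java
import java.net.URI;
import java.net.http.HttpClient;
import java.net.http.HttpRequest;
import java.net.http.HttpResponse;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

/** Diagnose an "inaccessible" custom trust store and use it explicitly (example code). */
public final class TrustStoreCheck {

    /** Resolve the name like java.io.File: a relative name is taken against the JVM
     *  working directory (user.dir), which is where the JDK looks for javax.net.ssl.trustStore. */
    static Path resolve(String storeName) {
        return Path.of(storeName).toAbsolutePath();
    }

    /** The condition behind "Inaccessible trust store": a readable regular file. */
    static boolean isAccessible(Path store) {
        return Files.isRegularFile(store) && Files.isReadable(store);
    }

    /** Load the store with the given password and type (JKS or PKCS12). */
    static KeyStore loadStore(Path store, char[] password, String type) throws Exception {
        KeyStore ks = KeyStore.getInstance(type);
        try (var in = Files.newInputStream(store)) {
            ks.load(in, password);
        }
        return ks;
    }

    /** Alias and subject DN of every trusted certificate entry, so you can confirm the
     *  host's certificate (or its issuing CA) is really in the file you think it is. */
    static List<String> trustedSubjects(KeyStore ks) throws Exception {
        List<String> subjects = new ArrayList<>();
        for (String alias : Collections.list(ks.aliases())) {
            if (ks.isCertificateEntry(alias)) {
                var cert = (X509Certificate) ks.getCertificate(alias);
                subjects.add(alias + ": " + cert.getSubjectX500Principal().getName());
            }
        }
        return subjects;
    }

    /** An SSLContext that trusts only the custom store; it neither reads
     *  javax.net.ssl.trustStore nor falls back to the default cacerts. */
    static SSLContext sslContextFor(KeyStore ks) throws Exception {
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        // Assumed placeholders: <store> <password> [<type>] [<https-url>]
        String storeName = args.length > 0 ? args[0] : "truststore.jks";
        char[] password = (args.length > 1 ? args[1] : "changeit").toCharArray();
        String type = args.length > 2 ? args[2] : "JKS";

        Path store = resolve(storeName);
        System.out.println("Resolved trust store: " + store);
        if (!isAccessible(store)) {
            // Same situation the SSL debug log reports as "Inaccessible trust store";
            // the JDK would now quietly use <java.home>/lib/security/cacerts instead.
            System.err.println("Not a readable regular file; the JDK would fall back to cacerts.");
            System.exit(1);
        }
        KeyStore ks = loadStore(store, password, type);
        trustedSubjects(ks).forEach(s -> System.out.println("trusted " + s));

        if (args.length > 3) {
            // Only contact the network when a URL is given; the checks above work offline.
            HttpClient client = HttpClient.newBuilder().sslContext(sslContextFor(ks)).build();
            HttpResponse<String> resp = client.send(
                    HttpRequest.newBuilder(URI.create(args[3])).GET().build(),
                    HttpResponse.BodyHandlers.ofString());
            System.out.println("HTTP " + resp.statusCode());
        }
    }
}
```

Run it from the same working directory the Micronaut process starts in (for a Gradle or Maven run that is usually the project root, not the resources folder); if the resolved path printed is not where the file lives, that alone explains the fallback to cacerts. Passing an absolute path on the -Djavax.net.ssl.trustStore command line avoids the working-directory dependency, and the Micronaut client SSL properties from the answer above avoid the JDK system property entirely.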