When applications post an API request with an auth0_token to the web service, which is running in the Java runtime server, it sets up a connection to the URL below,
https://{customer_server_domain}/service/api/test, which is secured by a token issued by Auth0.
It always returns a 401 error caused by a failed connection, as there are certificate issues. I captured the log here; it indicates that the certificate was rejected.
Cannot establish connection to URL https://{auth0_custom_domain}:443/.well-known/jwks.json. Ensure that you have maintained valid server certificates for this URL in the trust store. See also note 2479773.
[EXCEPTION]
org.w3c.www.protocol.http.HttpException: Peer certificate rejected by ChainVerifier
iaik.security.ssl.SSLCertificateException: Peer certificate rejected by ChainVerifier
at iaik.security.ssl.y.a(SourceFile:932)
at iaik.security.ssl.n.b(SourceFile:1066)
at iaik.security.ssl.n.a(SourceFile:1503)
at iaik.security.ssl.y.d(SourceFile:784)
at iaik.security.ssl.SSLTransport.startHandshake(SourceFile:569)
at iaik.security.ssl.SSLTransport.getOutputStream(SourceFile:648)
at iaik.security.ssl.SSLSocket.getOutputStream(SourceFile:391)
at org.w3c.www.protocol.http.HttpBasicConnection.a(SourceFile:463)
at org.w3c.www.protocol.http.HttpBasicServer.getConnection(SourceFile:449)
at org.w3c.www.protocol.http.HttpBasicServer.runRequest(SourceFile:1211)
at org.w3c.www.protocol.http.HttpManager.runRequest(SourceFile:1191)
at org.w3c.www.protocol.http.HttpURLConnection.connect(SourceFile:322)
at com.sap.engine.httpdsrclient.protocols.instrumented.https.DSRHttpsURLConnection.connect(DSRHttpsURLConnection.java:91)
at org.w3c.www.protocol.http.HttpURLConnection.a(SourceFile:178)
at org.w3c.www.protocol.http.HttpURLConnection.getInputStream(SourceFile:550)
at com.sap.engine.httpdsrclient.protocols.instrumented.https.DSRHttpsURLConnection.getInputStream(DSRHttpsURLConnection.java:123)
at com.auth0.jwk.UrlJwkProvider.getJwks(UrlJwkProvider.java:100)
at com.auth0.jwk.UrlJwkProvider.getAll(UrlJwkProvider.java:113)
at com.auth0.jwk.UrlJwkProvider.get(UrlJwkProvider.java:131)
at com.auth0.jwk.RateLimitedJwkProvider.get(RateLimitedJwkProvider.java:30)
at com.auth0.jwk.GuavaCachedJwkProvider$1.call(GuavaCachedJwkProvider.java:54)
at com.auth0.jwk.GuavaCachedJwkProvider$1.call(GuavaCachedJwkProvider.java:51)
at com.google.common.cache.LocalCache$LocalManualCache$1.load(LocalCache.java:5058)
at com.google.common.cache.LocalCache$LoadingValueReference.loadFuture(LocalCache.java:3708)
at com.google.common.cache.LocalCache$Segment.loadSync(LocalCache.java:2416)
at com.google.common.cache.LocalCache$Segment.lockedGetOrLoad(LocalCache.java:2299)
at com.google.common.cache.LocalCache$Segment.get(LocalCache.java:2212)
at com.google.common.cache.LocalCache.get(LocalCache.java:4147)
at com.google.common.cache.LocalCache$LocalManualCache.get(LocalCache.java:5053)
at com.auth0.jwk.GuavaCachedJwkProvider.get(GuavaCachedJwkProvider.java:51)
at com.auth0.spring.security.api.JwtAuthenticationProvider.jwtVerifier(JwtAuthenticationProvider.java:89)
at com.auth0.spring.security.api.JwtAuthenticationProvider.authenticate(JwtAuthenticationProvider.java:57)
at org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:174)
//////////////////////////////////////////////////////////////////////////////////////////////////////////////////
I did install the certificates on this server, and tested on the server with openssl using the command below:
root@###:/home/root# openssl s_client -servername {auth0_custom_domain} -connect {auth0_custom_domain}:443 -showcerts
It prints the certificate information in the console as below:
CONNECTED(00000004)
depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
verify error:num=20:unable to get local issuer certificate // don't worry about this error, as we haven't specified the CA certificate in the command; the certificates have still been found, as shown below
---
Certificate chain
 0 s:/CN={auth0_custom_domain}
   i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
-----BEGIN CERTIFICATE-----
############################
-----END CERTIFICATE-----
So my question is: why is the certificate rejected when the server tries to connect to https://{custom_domain}/.well-known/jwks.json from the API call, whereas if I call the JWKS URL directly with the openssl command it is OK?
Do I need to specify the certificate prior to connecting to https://{custom_domain}/.well-known/jwks.json on the server, which is a web service built with the Spring framework?
Here I have attached a piece of code related to the Auth0 security setup in SecurityJavaConfig.java:
////////////////////////////////////////////////////////
// Fragment of SecurityJavaConfig.java (the class extends WebSecurityConfigurerAdapter); imports added for completeness.
import java.util.Arrays;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.web.cors.CorsConfiguration;
import org.springframework.web.cors.CorsConfigurationSource;
import org.springframework.web.cors.UrlBasedCorsConfigurationSource;
import com.auth0.spring.security.api.JwtWebSecurityConfigurer;

@EnableWebSecurity
public class SecurityJavaConfig extends WebSecurityConfigurerAdapter {
    // Expected audience and issuer of the RS256 tokens; the issuer is also where the JWKS is fetched from.
    @Value(value = "${auth0.apiAudience}")
    private String apiAudience;
    @Value(value = "${auth0.issuer}")
    private String issuer;

    @Override
    protected void configure(final HttpSecurity http) throws Exception {
        http.cors();
        // Validates the bearer token's signature against the issuer's JWKS (the fetch that fails in the log above).
        JwtWebSecurityConfigurer.forRS256(apiAudience, issuer).configure(http).authorizeRequests()
            .antMatchers("/ume/public/**").permitAll().antMatchers("/ume/api/**").authenticated()
            .antMatchers("/ume/api-scoped/**").hasAuthority("update:ume");
    }

    @Bean
    CorsConfigurationSource corsConfigurationSource() {
        CorsConfiguration configuration = new CorsConfiguration();
        // Origins and methods are real values, not Ant path patterns: an origin is scheme://host[:port]
        // (placeholder below), and a "*" origin must not be combined with allowCredentials(true).
        configuration.setAllowedOrigins(Arrays.asList("https://{frontend_origin}"));
        configuration.setAllowedMethods(Arrays.asList("GET", "POST", "PUT", "DELETE", "OPTIONS"));
        configuration.setAllowCredentials(true);
        configuration.addAllowedHeader("Authorization");
        UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
        source.registerCorsConfiguration("/**", configuration);
        return source;
    }
}
////////////////////////////////////////////////
Could someone give me any advice or clues to help me figure it out? Thanks!
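An added diagnostic (my own example, not code from the post, Auth0 or SAP) that reproduces the runtime's side of the question offline: it takes the chain saved from `openssl s_client -showcerts` and asks whether a given trust store can build a PKIX path for it, using the JDK validator as a stand-in for the runtime's own ChainVerifier. It assumes the runtime's trust store can be exported as a JKS or PKCS12 file; the file paths and password arguments are placeholders.

```java
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.cert.*;
import java.util.ArrayList;
import java.util.List;

// Offline check: does a given trust store accept the chain captured with "openssl s_client -showcerts"?
public class JwksChainCheck {
    public static void main(String[] args) throws Exception {
        // Placeholder arguments (not from the post): <chain.pem> <truststore> <truststore-password>
        String chainPem = args[0], trustStorePath = args[1];
        char[] trustStorePassword = args[2].toCharArray();
        // Parse every certificate in the PEM file in the order the server sent them (leaf first).
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        List<X509Certificate> chain = new ArrayList<>();
        try (InputStream in = Files.newInputStream(Paths.get(chainPem))) {
            for (Certificate c : cf.generateCertificates(in)) {
                chain.add((X509Certificate) c);
            }
        }
        // Only the trust store decides what counts as an anchor, so a self-signed root the server
        // may have appended is dropped rather than validated as part of the path.
        X509Certificate last = chain.get(chain.size() - 1);
        if (chain.size() > 1 && last.getSubjectX500Principal().equals(last.getIssuerX500Principal())) {
            chain.remove(chain.size() - 1);
        }
        for (X509Certificate x : chain) {
            System.out.println("s: " + x.getSubjectX500Principal() + "\n  i: " + x.getIssuerX500Principal());
        }
        // Load the trust store the runtime actually consults (JKS or PKCS12). The CA store that
        // openssl consults plays no role here, which is why the two tools can disagree.
        KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = Files.newInputStream(Paths.get(trustStorePath))) {
            trustStore.load(in, trustStorePassword);
        }
        // PKIX path validation with anchors taken only from that trust store; revocation off to stay offline.
        PKIXParameters params = new PKIXParameters(trustStore);
        params.setRevocationEnabled(false);
        try {
            CertPathValidator.getInstance("PKIX").validate(cf.generateCertPath(chain), params);
            System.out.println("OK: chain is trusted by " + trustStorePath);
        } catch (CertPathValidatorException e) {
            // Java-side counterpart of openssl's "unable to get local issuer certificate".
            System.out.println("REJECTED at index " + e.getIndex() + ": " + e.getMessage());
        }
    }
}
```

If it reports REJECTED, the issuing CA of the certificate at that index (here the Let's Encrypt intermediate and its root) is what the log's hint about the trust store is asking for; keytool -importcert can add it to a JKS/PKCS12 store.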