In a reactive web app, SslBundle can no longer open store file locations without using a 'file:' prefix #43953

@lauhin

This is another issue related to #43274.

I am getting an exception with the SslBundles not being able to load the keystore using the reactive stack. This error occurs in SB 3.4.0, SB 3.4.1 and SB 3.4.2.

The configuration looks like this:

spring.ssl.bundle.jks.asa-server-ssl.key.alias=asa-server-ssl
spring.ssl.bundle.jks.asa-server-ssl.key.password=
spring.ssl.bundle.jks.asa-server-ssl.keystore.location=/jks/keystore.jks
spring.ssl.bundle.jks.asa-server-ssl.keystore.password=
spring.ssl.bundle.jks.asa-server-ssl.keystore.type=JKS

This is the exception I got:

java.io.FileNotFoundException: ReactiveWebContext resource [/jks/keystore.jks] cannot be opened because it does not exist
at org.springframework.boot.web.reactive.context.FilteredReactiveWebContextResource.getInputStream(FilteredReactiveWebContextResource.java:63)
at org.springframework.boot.ssl.jks.JksSslStoreBundle.loadKeyStore(JksSslStoreBundle.java:135)
... 27 common frames omitted
Wrapped by: java.lang.IllegalStateException: Could not load store from '/jks/keystore.jks'
at org.springframework.boot.ssl.jks.JksSslStoreBundle.loadKeyStore(JksSslStoreBundle.java:140)
at org.springframework.boot.ssl.jks.JksSslStoreBundle.createKeyStore(JksSslStoreBundle.java:107)
... 26 common frames omitted
Wrapped by: java.lang.IllegalStateException: Unable to create key store: Could not load store from '/jks/keystore.jks'
at org.springframework.boot.ssl.jks.JksSslStoreBundle.createKeyStore(JksSslStoreBundle.java:112)
at org.springframework.boot.ssl.jks.JksSslStoreBundle.lambda$new$0(JksSslStoreBundle.java:75)
at org.springframework.util.function.SingletonSupplier.get(SingletonSupplier.java:106)
at org.springframework.boot.ssl.jks.JksSslStoreBundle.getKeyStore(JksSslStoreBundle.java:81)
at org.springframework.boot.ssl.DefaultSslManagerBundle.getKeyManagerFactory(DefaultSslManagerBundle.java:45)
at org.springframework.boot.web.embedded.netty.SslServerCustomizer.createSslContextSpec(SslServerCustomizer.java:115)
at org.springframework.boot.web.embedded.netty.SslServerCustomizer.createSslProvider(SslServerCustomizer.java:103)
at org.springframework.boot.web.embedded.netty.SslServerCustomizer.<init>(SslServerCustomizer.java:67)
at org.springframework.boot.web.embedded.netty.NettyReactiveWebServerFactory.customizeSslConfiguration(NettyReactiveWebServerFactory.java:177)
at org.springframework.boot.web.embedded.netty.NettyReactiveWebServerFactory.createHttpServer(NettyReactiveWebServerFactory.java:165)
at org.springframework.boot.web.embedded.netty.NettyReactiveWebServerFactory.getWebServer(NettyReactiveWebServerFactory.java:73)
at org.springframework.boot.web.reactive.context.WebServerManager.<init>(WebServerManager.java:50)
at org.springframework.boot.web.reactive.context.ReactiveWebServerApplicationContext.createWebServer(ReactiveWebServerApplicationContext.java:96)
at org.springframework.boot.web.reactive.context.ReactiveWebServerApplicationContext.onRefresh(ReactiveWebServerApplicationContext.java:81)
... 13 common frames omitted
Wrapped by: org.springframework.context.ApplicationContextException: Unable to start reactive web server
at org.springframework.boot.web.reactive.context.ReactiveWebServerApplicationContext.onRefresh(ReactiveWebServerApplicationContext.java:84)
at org.springframework.context.support.AbstractApplicationContext.refresh(AbstractApplicationContext.java:621)
at org.springframework.boot.web.reactive.context.ReactiveWebServerApplicationContext.refresh(ReactiveWebServerApplicationContext.java:66)
at org.springframework.boot.SpringApplication.refresh(SpringApplication.java:752)
at org.springframework.boot.SpringApplication.refreshContext(SpringApplication.java:439)
at org.springframework.boot.SpringApplication.run(SpringApplication.java:318)
at org.springframework.boot.SpringApplication.run(SpringApplication.java:1361)
at org.springframework.boot.SpringApplication.run(SpringApplication.java:1350)
at be.liantis.zo.invoiceservice.InvoiceServiceApplicationKt.main(InvoiceServiceApplication.kt:21)
at jdk.internal.reflect.DirectMethodHandleAccessor.invoke(DirectMethodHandleAccessor.java:103)
at java.lang.reflect.Method.invoke(Method.java:580)
at org.springframework.boot.loader.launch.Launcher.launch(Launcher.java:102)
at org.springframework.boot.loader.launch.Launcher.launch(Launcher.java:64)
at org.springframework.boot.loader.launch.JarLauncher.main(JarLauncher.java:40)

When changing the property to spring.ssl.bundle.jks.asa-server-ssl.keystore.location=file:/jks/keystore.jks, the service starts up again.

BUT...
In Spring Boot Admin, the service is still marked as DOWN because the same error is thrown (as a warning) by the new SslHealthIndicator (https://docs.spring.io/spring-boot/api/java/org/springframework/boot/actuate/ssl/SslHealthIndicator.html):

It throws the same exception as above...

Disabling the SSL health indicator with management.health.ssl.enabled=false marks the service green again in Spring Boot Admin. But I think that is not a proper option.
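The following is an added example, not part of the original issue or of Spring Boot: a small pre-upgrade check that scans properties text for JKS bundle store locations written without a resource prefix (the form that fails above) and for the SSL health indicator being switched off. The function name `lint` and the finding labels are hypothetical; it assumes simple one-line `key=value` properties and treats any value starting with a scheme of two or more characters followed by `:` as explicitly prefixed.

```python
import re

# Constructed sample, modelled on the properties quoted in the issue.
SAMPLE = """\
spring.ssl.bundle.jks.asa-server-ssl.key.alias=asa-server-ssl
spring.ssl.bundle.jks.asa-server-ssl.keystore.location=/jks/keystore.jks
spring.ssl.bundle.jks.asa-server-ssl.keystore.type=JKS
spring.ssl.bundle.jks.other.truststore.location=file:/jks/truststore.jks
management.health.ssl.enabled=false
"""

# key, separator (= or :), value; line continuations are not handled.
KEY_VALUE = re.compile(r"^([^=:\s]+)\s*[=:]\s*(.*)$")
# JKS bundle keystore/truststore location keys, any bundle name.
STORE_LOCATION = re.compile(
    r"^spring\.ssl\.bundle\.jks\.[^.]+\.(keystore|truststore)\.location$"
)
# An explicit resource prefix such as file: or classpath: (two or more
# characters, so a Windows drive letter is not mistaken for a scheme).
HAS_PREFIX = re.compile(r"^[A-Za-z][A-Za-z0-9+.-]+:")


def lint(text):
    """Return (line_number, key, finding) tuples for risky settings."""
    findings = []
    for no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith(("#", "!")):
            continue  # blank line or comment
        m = KEY_VALUE.match(line)
        if not m:
            continue
        key, value = m.group(1), m.group(2).strip()
        if STORE_LOCATION.match(key) and value and not HAS_PREFIX.match(value):
            # Resolved through the web context instead of the filesystem.
            findings.append((no, key, "no-prefix"))
        elif key == "management.health.ssl.enabled" and value.lower() == "false":
            # Hides certificate problems from monitoring.
            findings.append((no, key, "ssl-health-disabled"))
    return findings


if __name__ == "__main__":
    for no, key, finding in lint(SAMPLE):
        print(f"line {no}: {key}: {finding}")
```
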

Labels: status: superseded (An issue that has been superseded by another); type: bug (A general bug)