Valter Henrique Valter Henrique - 1 month ago 12
Java Question

Can't use Amazon S3 API over SSL?

I'm trying to use Amazon S3 API to encrypt and upload a file.

public class AmazonS3 {

String KmsId = "my_id_comes_here";

private TransferManager getTransferManager() {
AWSCredentials awsCredentials = new ProfileCredentialsProvider().getCredentials();
KMSEncryptionMaterialsProvider materialProvider = new KMSEncryptionMaterialsProvider(KmsId);
AmazonS3EncryptionClient s3Client = new AmazonS3EncryptionClient(awsCredentials, materialProvider,
new CryptoConfiguration().withKmsRegion(Regions.EU_CENTRAL_1)).withRegion(Regions.EU_CENTRAL_1);
s3Client.setEndpoint("s3.eu-central-1.amazonaws.com");
TransferManager transferManager = new TransferManager(s3Client);
return transferManager;
}

public void upload(String bucket, String keyName, String filePath)
throws InterruptedException, NoSuchAlgorithmException, IOException, InvalidKeySpecException {

TransferManager transferManager = getTransferManager();
// TransferManager processes all transfers asynchronously, so this call will return immediately.
Upload upload = transferManager.upload(bucket, keyName, new File(filePath));

try {
// Or you can block and wait for the upload to finish
upload.waitForCompletion();
System.out.println("Upload complete.");
} catch (AmazonClientException amazonClientException) {
System.out.println("Unable to upload file, upload was aborted.");
amazonClientException.printStackTrace();
}
}


Which works fine if I don't pass my trustore as arguments to my application.

But, if I initialize my application with my trustore like this:

-Dspring.profiles.active="dev" -Djavax.net.debug=all -Djavax.net.ssl.trustStore=/usr/share/ca-certificates/anevis/java/activemq/client.ts -Djavax.net.ssl.trustStorePassword=changeit


It gives me this error:

com.amazonaws.AmazonClientException: Unable to execute HTTP request: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at com.amazonaws.http.AmazonHttpClient.executeHelper(AmazonHttpClient.java:516)
at com.amazonaws.http.AmazonHttpClient.execute(AmazonHttpClient.java:317)
at com.amazonaws.services.s3.AmazonS3Client.invoke(AmazonS3Client.java:3595)
at com.amazonaws.services.s3.AmazonS3Client.getObjectMetadata(AmazonS3Client.java:999)
at com.amazonaws.services.s3.transfer.TransferManager.doDownload(TransferManager.java:779)
at com.amazonaws.services.s3.transfer.TransferManager.download(TransferManager.java:691)
at com.anevis.documentengine.configuration.jms.AmazonS3.download(AmazonS3.java:57)
at com.anevis.documentengine.configuration.jms.S3UploadTest.testUpload(S3UploadTest.java:25)
at com.anevis.documentengine.configuration.jms.S3UploadTest.main(S3UploadTest.java:9)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:497)
at com.intellij.rt.execution.application.AppMain.main(AppMain.java:144)
Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1949)
at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:302)
at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:296)
at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1509)
at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:216)
at sun.security.ssl.Handshaker.processLoop(Handshaker.java:979)
at sun.security.ssl.Handshaker.process_record(Handshaker.java:914)
at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1062)
at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1375)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1403)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1387)
at org.apache.http.conn.ssl.SSLSocketFactory.connectSocket(SSLSocketFactory.java:535)
at org.apache.http.conn.ssl.SSLSocketFactory.connectSocket(SSLSocketFactory.java:403)
at com.amazonaws.http.conn.ssl.SdkTLSSocketFactory.connectSocket(SdkTLSSocketFactory.java:128)
at org.apache.http.impl.conn.DefaultClientConnectionOperator.openConnection(DefaultClientConnectionOperator.java:177)
at org.apache.http.impl.conn.ManagedClientConnectionImpl.open(ManagedClientConnectionImpl.java:304)
at org.apache.http.impl.client.DefaultRequestDirector.tryConnect(DefaultRequestDirector.java:611)
at org.apache.http.impl.client.DefaultRequestDirector.execute(DefaultRequestDirector.java:446)
at org.apache.http.impl.client.AbstractHttpClient.doExecute(AbstractHttpClient.java:863)
at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:82)
at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:57)
at com.amazonaws.http.AmazonHttpClient.executeOneRequest(AmazonHttpClient.java:749)
at com.amazonaws.http.AmazonHttpClient.executeHelper(AmazonHttpClient.java:505)
... 13 more
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:387)
at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:292)
at sun.security.validator.Validator.validate(Validator.java:260)
at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324)
at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:229)
at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:124)
at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1491)
... 32 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:146)
at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:131)
at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280)
at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:382)
... 38 more


How can I fix this error ?

Answer

Your trust store doesn't have the certificate authority that secures the AWS APIs. You need to create a new trust store that combines client.ts with the ones required for AWS. The easiest way to do this is to merge client.ts with the cacerts keystore from the JRE.

Example:

keytool -importkeystore -srckeystore client.ts -destkeystore combined.ts -srcstorepass changeit -deststorepass changeit
keytool -importkeystore -srckeystore $JAVA_HOME/jre/lib/security/cacerts -destkeystore combined.ts -srcstorepass changeit -deststorepass changeit

Then use combined.ts instead of client.ts.