admin管理员组

文章数量:1125067

I am using JDK 23, Spring Boot 3.4.1 . I create trust materials follow .md and apply Spring Boot's SSLBundle feature ( )

keytool -genkeypair -alias server -keyalg RSA -keysize 4096 -validity 365 -dname "CN=Server,OU=Server,O=Examples,L=,S=CA,C=U" -keypass changeit -keystore server.p12 -storeType PKCS12 -storepass changeit

keytool -genkeypair -alias client -keyalg RSA -keysize 4096 -validity 365 -dname "CN=Client,OU=Server,O=Examples,L=,S=CA,C=U" -keypass changeit -keystore client.p12 -storeType PKCS12 -storepass changeit


keytool -exportcert -alias client -file client.cer -keystore client.p12 -storepass changeit

keytool -exportcert -alias server -file server.cer -keystore server.p12 -storepass changeit


keytool -importcert -keystore client-truststore.p12 -alias server-public -file server.cer -storepass changeit -noprompt

keytool -importcert -keystore server-truststore.p12 -alias client-public -file client.cer -storepass changeit -noprompt

But when I use SSLBundle, I always catch error

javax.ssl|INFO|E4|HttpClient-1-Worker-1|2025-01-09 17:24:11.441 GMT+07:00|AlpnExtension.java:179|No available application protocols
javax.ssl|DEBUG|E4|HttpClient-1-Worker-1|2025-01-09 17:24:11.441 GMT+07:00|SSLExtensions.java:272|Ignore, context unavailable extension: application_layer_protocol_negotiation
javax.ssl|DEBUG|E4|HttpClient-1-Worker-1|2025-01-09 17:24:11.441 GMT+07:00|SessionTicketExtension.java:352|Stateless resumption supported
javax.ssl|DEBUG|E4|HttpClient-1-Worker-1|2025-01-09 17:24:11.442 GMT+07:00|SSLExtensions.java:272|Ignore, context unavailable extension: cookie
javax.ssl|DEBUG|E4|HttpClient-1-Worker-1|2025-01-09 17:24:11.539 GMT+07:00|SSLExtensions.java:272|Ignore, context unavailable extension: renegotiation_info
javax.ssl|DEBUG|E4|HttpClient-1-Worker-1|2025-01-09 17:24:11.540 GMT+07:00|PreSharedKeyExtension.java:659|No session to resume.
javax.ssl|DEBUG|E4|HttpClient-1-Worker-1|2025-01-09 17:24:11.540 GMT+07:00|SSLExtensions.java:272|Ignore, context unavailable extension: pre_shared_key
javax.ssl|DEBUG|E4|HttpClient-1-Worker-1|2025-01-09 17:24:11.544 GMT+07:00|ClientHello.java:638|Produced ClientHello handshake message (
"ClientHello": {
  "client version"      : "TLSv1.2",
  "random"              : "E77AF343A88EC48D9F25215023BB546C7869E14F62486BB251DFBEFCC559C957",
  "session id"          : "711B47572621C39B1CA004852D4B8AEA3842721A552DD9DA68539EA0667DB0E9",
  "cipher suites"       : "[TLS_AES_256_GCM_SHA384(0x1302), TLS_AES_128_GCM_SHA256(0x1301), TLS_CHACHA20_POLY1305_SHA256(0x1303), TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384(0xC02C), TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256(0xC02B), TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256(0xCCA9), TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384(0xC030), TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256(0xCCA8), TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256(0xC02F), TLS_DHE_RSA_WITH_AES_256_GCM_SHA384(0x009F), TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256(0xCCAA), TLS_DHE_DSS_WITH_AES_256_GCM_SHA384(0x00A3), TLS_DHE_RSA_WITH_AES_128_GCM_SHA256(0x009E), TLS_DHE_DSS_WITH_AES_128_GCM_SHA256(0x00A2), TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384(0xC024), TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384(0xC028), TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256(0xC023), TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256(0xC027), TLS_DHE_RSA_WITH_AES_256_CBC_SHA256(0x006B), TLS_DHE_DSS_WITH_AES_256_CBC_SHA256(0x006A), TLS_DHE_RSA_WITH_AES_128_CBC_SHA256(0x0067), TLS_DHE_DSS_WITH_AES_128_CBC_SHA256(0x0040), TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA(0xC00A), TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA(0xC014), TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA(0xC009), TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA(0xC013), TLS_DHE_RSA_WITH_AES_256_CBC_SHA(0x0039), TLS_DHE_DSS_WITH_AES_256_CBC_SHA(0x0038), TLS_DHE_RSA_WITH_AES_128_CBC_SHA(0x0033), TLS_DHE_DSS_WITH_AES_128_CBC_SHA(0x0032), TLS_RSA_WITH_AES_256_GCM_SHA384(0x009D), TLS_RSA_WITH_AES_128_GCM_SHA256(0x009C), TLS_RSA_WITH_AES_256_CBC_SHA256(0x003D), TLS_RSA_WITH_AES_128_CBC_SHA256(0x003C), TLS_RSA_WITH_AES_256_CBC_SHA(0x0035), TLS_RSA_WITH_AES_128_CBC_SHA(0x002F), TLS_EMPTY_RENEGOTIATION_INFO_SCSV(0x00FF)]",
  "compression methods" : "00",
  "extensions"          : [
    "server_name (0)": {
      type=host_name (0), value=Server
    },
    "status_request (5)": {
      "certificate status type": ocsp
      "OCSP status request": {
        "responder_id": <empty>
        "request extensions": {
          <empty>
        }
      }
    },
    "supported_groups (10)": {
      "named groups": [x25519, secp256r1, secp384r1, secp521r1, x448, ffdhe2048, ffdhe3072, ffdhe4096, ffdhe6144, ffdhe8192]
    },
    "ec_point_formats (11)": {
      "formats": [uncompressed]
    },
    "status_request_v2 (17)": {
      "cert status request": {
        "certificate status type": ocsp_multi
        "OCSP status request": {
          "responder_id": <empty>
          "request extensions": {
            <empty>
          }
        }
      }
    },
    "extended_master_secret (23)": {
      <empty>
    },
    "session_ticket (35)": {
      <empty>
    },
    "signature_algorithms (13)": {
      "signature schemes": [ecdsa_secp256r1_sha256, ecdsa_secp384r1_sha384, ecdsa_secp521r1_sha512, ed25519, ed448, rsa_pss_rsae_sha256, rsa_pss_rsae_sha384, rsa_pss_rsae_sha512, rsa_pss_pss_sha256, rsa_pss_pss_sha384, rsa_pss_pss_sha512, rsa_pkcs1_sha256, rsa_pkcs1_sha384, rsa_pkcs1_sha512, dsa_sha256, ecdsa_sha1, rsa_pkcs1_sha1, dsa_sha1]
    },
    "supported_versions (43)": {
      "versions": [TLSv1.3, TLSv1.2]
    },
    "psk_key_exchange_modes (45)": {
      "ke_modes": [psk_dhe_ke]
    },
    "signature_algorithms_cert (50)": {
      "signature schemes": [ecdsa_secp256r1_sha256, ecdsa_secp384r1_sha384, ecdsa_secp521r1_sha512, ed25519, ed448, rsa_pss_rsae_sha256, rsa_pss_rsae_sha384, rsa_pss_rsae_sha512, rsa_pss_pss_sha256, rsa_pss_pss_sha384, rsa_pss_pss_sha512, rsa_pkcs1_sha256, rsa_pkcs1_sha384, rsa_pkcs1_sha512, dsa_sha256, ecdsa_sha1, rsa_pkcs1_sha1, dsa_sha1]
    },
    "key_share (51)": {
      "client_shares": [  
        {
          "named group": x25519
          "key_exchange": {
            0000: F4 CE 71 61 2C DF B8 F3   B7 4B FE DB AD BA 2C 36  ..qa,....K....,6
            0010: 82 D9 C0 24 C8 E1 F1 B0   AB 9B 9E 41 F9 F4 85 78  ...$.......A...x
          }
        },
        {
          "named group": secp256r1
          "key_exchange": {
            0000: 04 57 EA 73 91 49 E3 54   40 19 77 63 A0 D9 08 7E  [email protected]....
            0010: E9 88 28 B4 C9 F3 DE 90   71 80 1A 82 7E 49 88 3D  ..(.....q....I.=
            0020: 82 34 62 A4 44 C6 F7 CA   37 7E 7E 84 89 83 DF 1C  .4b.D...7.......
            0030: 05 D8 64 3C 20 C4 FB EA   06 40 BB D9 E7 A8 59 10  ..d< [email protected].
            0040: E6 
          }
        },
      ]
    }
  ]
}
)
javax.ssl|DEBUG|E4|HttpClient-1-Worker-1|2025-01-09 17:24:11.630 GMT+07:00|ServerHello.java:892|Consuming ServerHello handshake message (
"ServerHello": {
  "server version"      : "TLSv1.2",
  "random"              : "385B3637216A5EE39A33137C69C5D3F2037F524AC254CB4CED53FE4B87D3DC3D",
  "session id"          : "711B47572621C39B1CA004852D4B8AEA3842721A552DD9DA68539EA0667DB0E9",
  "cipher suite"        : "TLS_AES_256_GCM_SHA384(0x1302)",
  "compression methods" : "00",
  "extensions"          : [
    "supported_versions (43)": {
      "selected version": [TLSv1.3]
    },
    "key_share (51)": {
      "server_share": {
        "named group": x25519
        "key_exchange": {
          0000: 50 FF BB 0F 35 37 8C 80   8E 3B D4 48 23 4E FD F9  P...57...;.H#N..
          0010: 3C 15 84 15 35 28 D9 39   49 2B FB 87 DD 6F 57 6D  <...5(.9I+...oWm
        }
      },
    }
  ]
}
)
javax.ssl|DEBUG|E4|HttpClient-1-Worker-1|2025-01-09 17:24:11.630 GMT+07:00|SSLExtensions.java:204|Consumed extension: supported_versions
javax.ssl|DEBUG|E4|HttpClient-1-Worker-1|2025-01-09 17:24:11.630 GMT+07:00|ServerHello.java:988|Negotiated protocol version: TLSv1.3
javax.ssl|DEBUG|E4|HttpClient-1-Worker-1|2025-01-09 17:24:11.631 GMT+07:00|SSLExtensions.java:175|Ignore unsupported extension: server_name
javax.ssl|DEBUG|E4|HttpClient-1-Worker-1|2025-01-09 17:24:11.631 GMT+07:00|SSLExtensions.java:175|Ignore unsupported extension: max_fragment_length
javax.ssl|DEBUG|E4|HttpClient-1-Worker-1|2025-01-09 17:24:11.631 GMT+07:00|SSLExtensions.java:175|Ignore unsupported extension: status_request
javax.ssl|DEBUG|E4|HttpClient-1-Worker-1|2025-01-09 17:24:11.631 GMT+07:00|SSLExtensions.java:175|Ignore unsupported extension: ec_point_formats
javax.ssl|DEBUG|E4|HttpClient-1-Worker-1|2025-01-09 17:24:11.631 GMT+07:00|SSLExtensions.java:175|Ignore unsupported extension: application_layer_protocol_negotiation
javax.ssl|DEBUG|E4|HttpClient-1-Worker-1|2025-01-09 17:24:11.631 GMT+07:00|SSLExtensions.java:175|Ignore unsupported extension: status_request_v2
javax.ssl|DEBUG|E4|HttpClient-1-Worker-1|2025-01-09 17:24:11.631 GMT+07:00|SSLExtensions.java:175|Ignore unsupported extension: extended_master_secret
javax.ssl|DEBUG|E4|HttpClient-1-Worker-1|2025-01-09 17:24:11.632 GMT+07:00|SSLExtensions.java:175|Ignore unsupported extension: session_ticket
javax.ssl|DEBUG|E4|HttpClient-1-Worker-1|2025-01-09 17:24:11.632 GMT+07:00|SSLExtensions.java:204|Consumed extension: supported_versions
javax.ssl|DEBUG|E4|HttpClient-1-Worker-1|2025-01-09 17:24:11.633 GMT+07:00|SSLExtensions.java:204|Consumed extension: key_share
javax.ssl|DEBUG|E4|HttpClient-1-Worker-1|2025-01-09 17:24:11.633 GMT+07:00|SSLExtensions.java:175|Ignore unsupported extension: renegotiation_info
javax.ssl|DEBUG|E4|HttpClient-1-Worker-1|2025-01-09 17:24:11.633 GMT+07:00|PreSharedKeyExtension.java:922|Handling pre_shared_key absence.
javax.ssl|DEBUG|E4|HttpClient-1-Worker-1|2025-01-09 17:24:11.633 GMT+07:00|SSLExtensions.java:219|Ignore unavailable extension: server_name
javax.ssl|DEBUG|E4|HttpClient-1-Worker-1|2025-01-09 17:24:11.633 GMT+07:00|SSLExtensions.java:219|Ignore unavailable extension: max_fragment_length
javax.ssl|DEBUG|E4|HttpClient-1-Worker-1|2025-01-09 17:24:11.633 GMT+07:00|SSLExtensions.java:219|Ignore unavailable extension: status_request
javax.ssl|DEBUG|E4|HttpClient-1-Worker-1|2025-01-09 17:24:11.633 GMT+07:00|SSLExtensions.java:219|Ignore unavailable extension: ec_point_formats
javax.ssl|DEBUG|E4|HttpClient-1-Worker-1|2025-01-09 17:24:11.634 GMT+07:00|SSLExtensions.java:219|Ignore unavailable extension: application_layer_protocol_negotiation
javax.ssl|DEBUG|E4|HttpClient-1-Worker-1|2025-01-09 17:24:11.634 GMT+07:00|SSLExtensions.java:219|Ignore unavailable extension: status_request_v2
javax.ssl|DEBUG|E4|HttpClient-1-Worker-1|2025-01-09 17:24:11.634 GMT+07:00|SSLExtensions.java:219|Ignore unavailable extension: extended_master_secret
javax.ssl|DEBUG|E4|HttpClient-1-Worker-1|2025-01-09 17:24:11.634 GMT+07:00|SSLExtensions.java:219|Ignore unavailable extension: session_ticket
javax.ssl|WARNING|E4|HttpClient-1-Worker-1|2025-01-09 17:24:11.634 GMT+07:00|SSLExtensions.java:227|Ignore impact of unsupported extension: supported_versions
javax.ssl|WARNING|E4|HttpClient-1-Worker-1|2025-01-09 17:24:11.634 GMT+07:00|SSLExtensions.java:227|Ignore impact of unsupported extension: key_share
javax.ssl|DEBUG|E4|HttpClient-1-Worker-1|2025-01-09 17:24:11.634 GMT+07:00|SSLExtensions.java:219|Ignore unavailable extension: renegotiation_info
javax.ssl|DEBUG|E4|HttpClient-1-Worker-1|2025-01-09 17:24:11.634 GMT+07:00|SSLExtensions.java:219|Ignore unavailable extension: pre_shared_key
javax.ssl|DEBUG|E4|HttpClient-1-Worker-1|2025-01-09 17:24:11.639 GMT+07:00|SSLCipher.java:1836|KeyLimit read side: algorithm = AES/GCM/NoPadding:KEYUPDATE
countdown value = 137438953472
javax.ssl|DEBUG|E4|HttpClient-1-Worker-1|2025-01-09 17:24:11.639 GMT+07:00|SSLCipher.java:1987|KeyLimit write side: algorithm = AES/GCM/NoPadding:KEYUPDATE
countdown value = 137438953472
javax.ssl|DEBUG|E4|HttpClient-1-Worker-1|2025-01-09 17:24:11.640 GMT+07:00|ChangeCipherSpec.java:244|Consuming ChangeCipherSpec message
javax.ssl|DEBUG|E4|HttpClient-1-Worker-1|2025-01-09 17:24:11.643 GMT+07:00|EncryptedExtensions.java:172|Consuming EncryptedExtensions handshake message (
"EncryptedExtensions": [
  "supported_groups (10)": {
    "named groups": [x25519, secp256r1, secp384r1, secp521r1, x448, ffdhe2048, ffdhe3072, ffdhe4096, ffdhe6144, ffdhe8192]
  }
]
)
javax.ssl|DEBUG|E4|HttpClient-1-Worker-1|2025-01-09 17:24:11.643 GMT+07:00|SSLExtensions.java:185|Ignore unavailable extension: server_name
javax.ssl|DEBUG|E4|HttpClient-1-Worker-1|2025-01-09 17:24:11.643 GMT+07:00|SSLExtensions.java:185|Ignore unavailable extension: max_fragment_length
javax.ssl|DEBUG|E4|HttpClient-1-Worker-1|2025-01-09 17:24:11.643 GMT+07:00|SSLExtensions.java:204|Consumed extension: supported_groups
javax.ssl|DEBUG|E4|HttpClient-1-Worker-1|2025-01-09 17:24:11.643 GMT+07:00|SSLExtensions.java:219|Ignore unavailable extension: server_name
javax.ssl|DEBUG|E4|HttpClient-1-Worker-1|2025-01-09 17:24:11.643 GMT+07:00|SSLExtensions.java:219|Ignore unavailable extension: max_fragment_length
javax.ssl|WARNING|E4|HttpClient-1-Worker-1|2025-01-09 17:24:11.644 GMT+07:00|SSLExtensions.java:227|Ignore impact of unsupported extension: supported_groups
javax.ssl|DEBUG|E4|HttpClient-1-Worker-1|2025-01-09 17:24:11.644 GMT+07:00|SSLExtensions.java:219|Ignore unavailable extension: application_layer_protocol_negotiation
javax.ssl|DEBUG|E4|HttpClient-1-Worker-1|2025-01-09 17:24:11.644 GMT+07:00|CertificateRequest.java:974|Consuming CertificateRequest handshake message (
"CertificateRequest": {
  "certificate_request_context": "",
  "extensions": [
    "signature_algorithms (13)": {
      "signature schemes": [ecdsa_secp256r1_sha256, ecdsa_secp384r1_sha384, ecdsa_secp521r1_sha512, ed25519, ed448, rsa_pss_rsae_sha256, rsa_pss_rsae_sha384, rsa_pss_rsae_sha512, rsa_pss_pss_sha256, rsa_pss_pss_sha384, rsa_pss_pss_sha512, rsa_pkcs1_sha256, rsa_pkcs1_sha384, rsa_pkcs1_sha512, ecdsa_sha1, rsa_pkcs1_sha1]
    },
    "certificate_authorities (47)": {
      "certificate authorities": [
        CN=Client, OU=Server, O=Examples, L=, ST=CA, C=U]
    },
    "signature_algorithms_cert (50)": {
      "signature schemes": [ecdsa_secp256r1_sha256, ecdsa_secp384r1_sha384, ecdsa_secp521r1_sha512, ed25519, ed448, rsa_pss_rsae_sha256, rsa_pss_rsae_sha384, rsa_pss_rsae_sha512, rsa_pss_pss_sha256, rsa_pss_pss_sha384, rsa_pss_pss_sha512, rsa_pkcs1_sha256, rsa_pkcs1_sha384, rsa_pkcs1_sha512, ecdsa_sha1, rsa_pkcs1_sha1]
    }
  ]
}
)
javax.ssl|DEBUG|E4|HttpClient-1-Worker-1|2025-01-09 17:24:11.644 GMT+07:00|SSLExtensions.java:204|Consumed extension: signature_algorithms
javax.ssl|DEBUG|E4|HttpClient-1-Worker-1|2025-01-09 17:24:11.644 GMT+07:00|SSLExtensions.java:204|Consumed extension: certificate_authorities
javax.ssl|DEBUG|E4|HttpClient-1-Worker-1|2025-01-09 17:24:11.645 GMT+07:00|SSLExtensions.java:204|Consumed extension: signature_algorithms_cert
javax.ssl|DEBUG|E4|HttpClient-1-Worker-1|2025-01-09 17:24:11.645 GMT+07:00|SSLExtensions.java:236|Populated with extension: signature_algorithms
javax.ssl|WARNING|E4|HttpClient-1-Worker-1|2025-01-09 17:24:11.645 GMT+07:00|SSLExtensions.java:227|Ignore impact of unsupported extension: certificate_authorities
javax.ssl|DEBUG|E4|HttpClient-1-Worker-1|2025-01-09 17:24:11.645 GMT+07:00|SSLExtensions.java:236|Populated with extension: signature_algorithms_cert
javax.ssl|DEBUG|E4|HttpClient-1-Worker-1|2025-01-09 17:24:11.646 GMT+07:00|CertificateMessage.java:1143|Consuming server Certificate handshake message (
"Certificate": {
  "certificate_request_context": "",
  "certificate_list": [  
  {
    "certificate" : {
      "version"            : "v3",
      "serial number"      : "00:fe:0f:1d:85:55:76:f1:12",
      "signature algorithm": "SHA384withRSA",
      "issuer"             : "CN=Server, OU=Server, O=Examples, L=, ST=CA, C=U",
      "not before"         : "2025-01-09 11:57:07.000 GMT+07:00",
      "not  after"         : "2026-01-09 11:57:07.000 GMT+07:00",
      "subject"            : "CN=Server, OU=Server, O=Examples, L=, ST=CA, C=U",
      "subject public key" : "RSA",
      "extensions"         : [
        {
          ObjectId: 2.5.29.14 Criticality=false
          SubjectKeyIdentifier [
          KeyIdentifier [
          0000: 9D FB 7F 8F 60 53 4C A7   0B 4E E0 A7 A7 D2 97 9A  ....`SL..N......
          0010: 44 AD E6 84                                        D...
          ]
          ]
        }
      ]}
    "extensions": {
      <no extension>
    }
  },
]
}
)
javax.ssl|DEBUG|E4|HttpClient-1-Worker-1|2025-01-09 17:24:11.646 GMT+07:00|SSLExtensions.java:185|Ignore unavailable extension: status_request
javax.ssl|ERROR|E4|HttpClient-1-Worker-1|2025-01-09 17:24:11.652 GMT+07:00|TransportContext.java:375|Fatal (CERTIFICATE_UNKNOWN): PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target (
"throwable" : {
  sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at java.base/sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:388)
    at java.base/sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:271)
    at java.base/sun.security.validator.Validator.validate(Validator.java:256)
    at java.base/sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:284)
    at java.base/sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:144)
    at java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.checkServerCerts(CertificateMessage.java:1304)
    at java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.onConsumeCertificate(CertificateMessage.java:1203)
    at java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.consume(CertificateMessage.java:1146)
    at java.base/sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:393)
    at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:476)
    at java.base/sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction.run(SSLEngineImpl.java:1274)
    at java.base/sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction.run(SSLEngineImpl.java:1260)
    at java.base/java.security.AccessController.doPrivileged(AccessController.java:714)
    at java.base/sun.security.ssl.SSLEngineImpl$DelegatedTask.run(SSLEngineImpl.java:1205)
    at java.base/java.util.ArrayList.forEach(ArrayList.java:1597)
    at java.http/jdk.internal.httpmon.SSLFlowDelegate.lambda$executeTasks$3(SSLFlowDelegate.java:1148)
    at java.http/jdk.internal.http.HttpClientImpl$DelegatingExecutor.execute(HttpClientImpl.java:178)
    at java.http/jdk.internal.httpmon.SSLFlowDelegate.executeTasks(SSLFlowDelegate.java:1143)
    at java.http/jdk.internal.httpmon.SSLFlowDelegate.doHandshake(SSLFlowDelegate.java:1109)
    at java.http/jdk.internal.httpmon.SSLFlowDelegate$Reader.processData(SSLFlowDelegate.java:508)
    at java.http/jdk.internal.httpmon.SSLFlowDelegate$Reader$ReaderDownstreamPusher.run(SSLFlowDelegate.java:283)
    at java.http/jdk.internal.httpmon.SequentialScheduler$LockingRestartableTask.run(SequentialScheduler.java:182)
    at java.http/jdk.internal.httpmon.SequentialScheduler$CompleteRestartableTask.run(SequentialScheduler.java:149)
    at java.http/jdk.internal.httpmon.SequentialScheduler$SchedulableTask.run(SequentialScheduler.java:207)
    at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1144)
    at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:642)
    at java.base/java.lang.Thread.run(Thread.java:1575)
  Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at java.base/sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:148)
    at java.base/sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:129)
    at java.base/java.security.cert.CertPathBuilder.build(CertPathBuilder.java:297)
    at java.base/sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:383)
    ... 26 more}

)

Can Spring Boot's SSLBundle work with certificates without CA (just mutual authenticated, not CA)?

I am using JDK 23, Spring Boot 3.4.1 . I create trust materials follow https://github.com/kirilarsov/mtls/blob/main/README.md and apply Spring Boot's SSLBundle feature (https://spring.io/blog/2023/06/07/securing-spring-boot-applications-with-ssl )

keytool -genkeypair -alias server -keyalg RSA -keysize 4096 -validity 365 -dname "CN=Server,OU=Server,O=Examples,L=,S=CA,C=U" -keypass changeit -keystore server.p12 -storeType PKCS12 -storepass changeit

keytool -genkeypair -alias client -keyalg RSA -keysize 4096 -validity 365 -dname "CN=Client,OU=Server,O=Examples,L=,S=CA,C=U" -keypass changeit -keystore client.p12 -storeType PKCS12 -storepass changeit


keytool -exportcert -alias client -file client.cer -keystore client.p12 -storepass changeit

keytool -exportcert -alias server -file server.cer -keystore server.p12 -storepass changeit


keytool -importcert -keystore client-truststore.p12 -alias server-public -file server.cer -storepass changeit -noprompt

keytool -importcert -keystore server-truststore.p12 -alias client-public -file client.cer -storepass changeit -noprompt

But when I use SSLBundle, I always catch error

javax.net.ssl|INFO|E4|HttpClient-1-Worker-1|2025-01-09 17:24:11.441 GMT+07:00|AlpnExtension.java:179|No available application protocols
javax.net.ssl|DEBUG|E4|HttpClient-1-Worker-1|2025-01-09 17:24:11.441 GMT+07:00|SSLExtensions.java:272|Ignore, context unavailable extension: application_layer_protocol_negotiation
javax.net.ssl|DEBUG|E4|HttpClient-1-Worker-1|2025-01-09 17:24:11.441 GMT+07:00|SessionTicketExtension.java:352|Stateless resumption supported
javax.net.ssl|DEBUG|E4|HttpClient-1-Worker-1|2025-01-09 17:24:11.442 GMT+07:00|SSLExtensions.java:272|Ignore, context unavailable extension: cookie
javax.net.ssl|DEBUG|E4|HttpClient-1-Worker-1|2025-01-09 17:24:11.539 GMT+07:00|SSLExtensions.java:272|Ignore, context unavailable extension: renegotiation_info
javax.net.ssl|DEBUG|E4|HttpClient-1-Worker-1|2025-01-09 17:24:11.540 GMT+07:00|PreSharedKeyExtension.java:659|No session to resume.
javax.net.ssl|DEBUG|E4|HttpClient-1-Worker-1|2025-01-09 17:24:11.540 GMT+07:00|SSLExtensions.java:272|Ignore, context unavailable extension: pre_shared_key
javax.net.ssl|DEBUG|E4|HttpClient-1-Worker-1|2025-01-09 17:24:11.544 GMT+07:00|ClientHello.java:638|Produced ClientHello handshake message (
"ClientHello": {
  "client version"      : "TLSv1.2",
  "random"              : "E77AF343A88EC48D9F25215023BB546C7869E14F62486BB251DFBEFCC559C957",
  "session id"          : "711B47572621C39B1CA004852D4B8AEA3842721A552DD9DA68539EA0667DB0E9",
  "cipher suites"       : "[TLS_AES_256_GCM_SHA384(0x1302), TLS_AES_128_GCM_SHA256(0x1301), TLS_CHACHA20_POLY1305_SHA256(0x1303), TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384(0xC02C), TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256(0xC02B), TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256(0xCCA9), TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384(0xC030), TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256(0xCCA8), TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256(0xC02F), TLS_DHE_RSA_WITH_AES_256_GCM_SHA384(0x009F), TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256(0xCCAA), TLS_DHE_DSS_WITH_AES_256_GCM_SHA384(0x00A3), TLS_DHE_RSA_WITH_AES_128_GCM_SHA256(0x009E), TLS_DHE_DSS_WITH_AES_128_GCM_SHA256(0x00A2), TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384(0xC024), TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384(0xC028), TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256(0xC023), TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256(0xC027), TLS_DHE_RSA_WITH_AES_256_CBC_SHA256(0x006B), TLS_DHE_DSS_WITH_AES_256_CBC_SHA256(0x006A), TLS_DHE_RSA_WITH_AES_128_CBC_SHA256(0x0067), TLS_DHE_DSS_WITH_AES_128_CBC_SHA256(0x0040), TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA(0xC00A), TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA(0xC014), TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA(0xC009), TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA(0xC013), TLS_DHE_RSA_WITH_AES_256_CBC_SHA(0x0039), TLS_DHE_DSS_WITH_AES_256_CBC_SHA(0x0038), TLS_DHE_RSA_WITH_AES_128_CBC_SHA(0x0033), TLS_DHE_DSS_WITH_AES_128_CBC_SHA(0x0032), TLS_RSA_WITH_AES_256_GCM_SHA384(0x009D), TLS_RSA_WITH_AES_128_GCM_SHA256(0x009C), TLS_RSA_WITH_AES_256_CBC_SHA256(0x003D), TLS_RSA_WITH_AES_128_CBC_SHA256(0x003C), TLS_RSA_WITH_AES_256_CBC_SHA(0x0035), TLS_RSA_WITH_AES_128_CBC_SHA(0x002F), TLS_EMPTY_RENEGOTIATION_INFO_SCSV(0x00FF)]",
  "compression methods" : "00",
  "extensions"          : [
    "server_name (0)": {
      type=host_name (0), value=Server
    },
    "status_request (5)": {
      "certificate status type": ocsp
      "OCSP status request": {
        "responder_id": <empty>
        "request extensions": {
          <empty>
        }
      }
    },
    "supported_groups (10)": {
      "named groups": [x25519, secp256r1, secp384r1, secp521r1, x448, ffdhe2048, ffdhe3072, ffdhe4096, ffdhe6144, ffdhe8192]
    },
    "ec_point_formats (11)": {
      "formats": [uncompressed]
    },
    "status_request_v2 (17)": {
      "cert status request": {
        "certificate status type": ocsp_multi
        "OCSP status request": {
          "responder_id": <empty>
          "request extensions": {
            <empty>
          }
        }
      }
    },
    "extended_master_secret (23)": {
      <empty>
    },
    "session_ticket (35)": {
      <empty>
    },
    "signature_algorithms (13)": {
      "signature schemes": [ecdsa_secp256r1_sha256, ecdsa_secp384r1_sha384, ecdsa_secp521r1_sha512, ed25519, ed448, rsa_pss_rsae_sha256, rsa_pss_rsae_sha384, rsa_pss_rsae_sha512, rsa_pss_pss_sha256, rsa_pss_pss_sha384, rsa_pss_pss_sha512, rsa_pkcs1_sha256, rsa_pkcs1_sha384, rsa_pkcs1_sha512, dsa_sha256, ecdsa_sha1, rsa_pkcs1_sha1, dsa_sha1]
    },
    "supported_versions (43)": {
      "versions": [TLSv1.3, TLSv1.2]
    },
    "psk_key_exchange_modes (45)": {
      "ke_modes": [psk_dhe_ke]
    },
    "signature_algorithms_cert (50)": {
      "signature schemes": [ecdsa_secp256r1_sha256, ecdsa_secp384r1_sha384, ecdsa_secp521r1_sha512, ed25519, ed448, rsa_pss_rsae_sha256, rsa_pss_rsae_sha384, rsa_pss_rsae_sha512, rsa_pss_pss_sha256, rsa_pss_pss_sha384, rsa_pss_pss_sha512, rsa_pkcs1_sha256, rsa_pkcs1_sha384, rsa_pkcs1_sha512, dsa_sha256, ecdsa_sha1, rsa_pkcs1_sha1, dsa_sha1]
    },
    "key_share (51)": {
      "client_shares": [  
        {
          "named group": x25519
          "key_exchange": {
            0000: F4 CE 71 61 2C DF B8 F3   B7 4B FE DB AD BA 2C 36  ..qa,....K....,6
            0010: 82 D9 C0 24 C8 E1 F1 B0   AB 9B 9E 41 F9 F4 85 78  ...$.......A...x
          }
        },
        {
          "named group": secp256r1
          "key_exchange": {
            0000: 04 57 EA 73 91 49 E3 54   40 19 77 63 A0 D9 08 7E  [email protected]....
            0010: E9 88 28 B4 C9 F3 DE 90   71 80 1A 82 7E 49 88 3D  ..(.....q....I.=
            0020: 82 34 62 A4 44 C6 F7 CA   37 7E 7E 84 89 83 DF 1C  .4b.D...7.......
            0030: 05 D8 64 3C 20 C4 FB EA   06 40 BB D9 E7 A8 59 10  ..d< [email protected].
            0040: E6 
          }
        },
      ]
    }
  ]
}
)
javax.net.ssl|DEBUG|E4|HttpClient-1-Worker-1|2025-01-09 17:24:11.630 GMT+07:00|ServerHello.java:892|Consuming ServerHello handshake message (
"ServerHello": {
  "server version"      : "TLSv1.2",
  "random"              : "385B3637216A5EE39A33137C69C5D3F2037F524AC254CB4CED53FE4B87D3DC3D",
  "session id"          : "711B47572621C39B1CA004852D4B8AEA3842721A552DD9DA68539EA0667DB0E9",
  "cipher suite"        : "TLS_AES_256_GCM_SHA384(0x1302)",
  "compression methods" : "00",
  "extensions"          : [
    "supported_versions (43)": {
      "selected version": [TLSv1.3]
    },
    "key_share (51)": {
      "server_share": {
        "named group": x25519
        "key_exchange": {
          0000: 50 FF BB 0F 35 37 8C 80   8E 3B D4 48 23 4E FD F9  P...57...;.H#N..
          0010: 3C 15 84 15 35 28 D9 39   49 2B FB 87 DD 6F 57 6D  <...5(.9I+...oWm
        }
      },
    }
  ]
}
)
javax.net.ssl|DEBUG|E4|HttpClient-1-Worker-1|2025-01-09 17:24:11.630 GMT+07:00|SSLExtensions.java:204|Consumed extension: supported_versions
javax.net.ssl|DEBUG|E4|HttpClient-1-Worker-1|2025-01-09 17:24:11.630 GMT+07:00|ServerHello.java:988|Negotiated protocol version: TLSv1.3
javax.net.ssl|DEBUG|E4|HttpClient-1-Worker-1|2025-01-09 17:24:11.631 GMT+07:00|SSLExtensions.java:175|Ignore unsupported extension: server_name
javax.net.ssl|DEBUG|E4|HttpClient-1-Worker-1|2025-01-09 17:24:11.631 GMT+07:00|SSLExtensions.java:175|Ignore unsupported extension: max_fragment_length
javax.net.ssl|DEBUG|E4|HttpClient-1-Worker-1|2025-01-09 17:24:11.631 GMT+07:00|SSLExtensions.java:175|Ignore unsupported extension: status_request
javax.net.ssl|DEBUG|E4|HttpClient-1-Worker-1|2025-01-09 17:24:11.631 GMT+07:00|SSLExtensions.java:175|Ignore unsupported extension: ec_point_formats
javax.net.ssl|DEBUG|E4|HttpClient-1-Worker-1|2025-01-09 17:24:11.631 GMT+07:00|SSLExtensions.java:175|Ignore unsupported extension: application_layer_protocol_negotiation
javax.net.ssl|DEBUG|E4|HttpClient-1-Worker-1|2025-01-09 17:24:11.631 GMT+07:00|SSLExtensions.java:175|Ignore unsupported extension: status_request_v2
javax.net.ssl|DEBUG|E4|HttpClient-1-Worker-1|2025-01-09 17:24:11.631 GMT+07:00|SSLExtensions.java:175|Ignore unsupported extension: extended_master_secret
javax.net.ssl|DEBUG|E4|HttpClient-1-Worker-1|2025-01-09 17:24:11.632 GMT+07:00|SSLExtensions.java:175|Ignore unsupported extension: session_ticket
javax.net.ssl|DEBUG|E4|HttpClient-1-Worker-1|2025-01-09 17:24:11.632 GMT+07:00|SSLExtensions.java:204|Consumed extension: supported_versions
javax.net.ssl|DEBUG|E4|HttpClient-1-Worker-1|2025-01-09 17:24:11.633 GMT+07:00|SSLExtensions.java:204|Consumed extension: key_share
javax.net.ssl|DEBUG|E4|HttpClient-1-Worker-1|2025-01-09 17:24:11.633 GMT+07:00|SSLExtensions.java:175|Ignore unsupported extension: renegotiation_info
javax.net.ssl|DEBUG|E4|HttpClient-1-Worker-1|2025-01-09 17:24:11.633 GMT+07:00|PreSharedKeyExtension.java:922|Handling pre_shared_key absence.
javax.net.ssl|DEBUG|E4|HttpClient-1-Worker-1|2025-01-09 17:24:11.633 GMT+07:00|SSLExtensions.java:219|Ignore unavailable extension: server_name
javax.net.ssl|DEBUG|E4|HttpClient-1-Worker-1|2025-01-09 17:24:11.633 GMT+07:00|SSLExtensions.java:219|Ignore unavailable extension: max_fragment_length
javax.net.ssl|DEBUG|E4|HttpClient-1-Worker-1|2025-01-09 17:24:11.633 GMT+07:00|SSLExtensions.java:219|Ignore unavailable extension: status_request
javax.net.ssl|DEBUG|E4|HttpClient-1-Worker-1|2025-01-09 17:24:11.633 GMT+07:00|SSLExtensions.java:219|Ignore unavailable extension: ec_point_formats
javax.net.ssl|DEBUG|E4|HttpClient-1-Worker-1|2025-01-09 17:24:11.634 GMT+07:00|SSLExtensions.java:219|Ignore unavailable extension: application_layer_protocol_negotiation
javax.net.ssl|DEBUG|E4|HttpClient-1-Worker-1|2025-01-09 17:24:11.634 GMT+07:00|SSLExtensions.java:219|Ignore unavailable extension: status_request_v2
javax.net.ssl|DEBUG|E4|HttpClient-1-Worker-1|2025-01-09 17:24:11.634 GMT+07:00|SSLExtensions.java:219|Ignore unavailable extension: extended_master_secret
javax.net.ssl|DEBUG|E4|HttpClient-1-Worker-1|2025-01-09 17:24:11.634 GMT+07:00|SSLExtensions.java:219|Ignore unavailable extension: session_ticket
javax.net.ssl|WARNING|E4|HttpClient-1-Worker-1|2025-01-09 17:24:11.634 GMT+07:00|SSLExtensions.java:227|Ignore impact of unsupported extension: supported_versions
javax.net.ssl|WARNING|E4|HttpClient-1-Worker-1|2025-01-09 17:24:11.634 GMT+07:00|SSLExtensions.java:227|Ignore impact of unsupported extension: key_share
javax.net.ssl|DEBUG|E4|HttpClient-1-Worker-1|2025-01-09 17:24:11.634 GMT+07:00|SSLExtensions.java:219|Ignore unavailable extension: renegotiation_info
javax.net.ssl|DEBUG|E4|HttpClient-1-Worker-1|2025-01-09 17:24:11.634 GMT+07:00|SSLExtensions.java:219|Ignore unavailable extension: pre_shared_key
javax.net.ssl|DEBUG|E4|HttpClient-1-Worker-1|2025-01-09 17:24:11.639 GMT+07:00|SSLCipher.java:1836|KeyLimit read side: algorithm = AES/GCM/NoPadding:KEYUPDATE
countdown value = 137438953472
javax.net.ssl|DEBUG|E4|HttpClient-1-Worker-1|2025-01-09 17:24:11.639 GMT+07:00|SSLCipher.java:1987|KeyLimit write side: algorithm = AES/GCM/NoPadding:KEYUPDATE
countdown value = 137438953472
javax.net.ssl|DEBUG|E4|HttpClient-1-Worker-1|2025-01-09 17:24:11.640 GMT+07:00|ChangeCipherSpec.java:244|Consuming ChangeCipherSpec message
javax.net.ssl|DEBUG|E4|HttpClient-1-Worker-1|2025-01-09 17:24:11.643 GMT+07:00|EncryptedExtensions.java:172|Consuming EncryptedExtensions handshake message (
"EncryptedExtensions": [
  "supported_groups (10)": {
    "named groups": [x25519, secp256r1, secp384r1, secp521r1, x448, ffdhe2048, ffdhe3072, ffdhe4096, ffdhe6144, ffdhe8192]
  }
]
)
javax.net.ssl|DEBUG|E4|HttpClient-1-Worker-1|2025-01-09 17:24:11.643 GMT+07:00|SSLExtensions.java:185|Ignore unavailable extension: server_name
javax.net.ssl|DEBUG|E4|HttpClient-1-Worker-1|2025-01-09 17:24:11.643 GMT+07:00|SSLExtensions.java:185|Ignore unavailable extension: max_fragment_length
javax.net.ssl|DEBUG|E4|HttpClient-1-Worker-1|2025-01-09 17:24:11.643 GMT+07:00|SSLExtensions.java:204|Consumed extension: supported_groups
javax.net.ssl|DEBUG|E4|HttpClient-1-Worker-1|2025-01-09 17:24:11.643 GMT+07:00|SSLExtensions.java:219|Ignore unavailable extension: server_name
javax.net.ssl|DEBUG|E4|HttpClient-1-Worker-1|2025-01-09 17:24:11.643 GMT+07:00|SSLExtensions.java:219|Ignore unavailable extension: max_fragment_length
javax.net.ssl|WARNING|E4|HttpClient-1-Worker-1|2025-01-09 17:24:11.644 GMT+07:00|SSLExtensions.java:227|Ignore impact of unsupported extension: supported_groups
javax.net.ssl|DEBUG|E4|HttpClient-1-Worker-1|2025-01-09 17:24:11.644 GMT+07:00|SSLExtensions.java:219|Ignore unavailable extension: application_layer_protocol_negotiation
javax.net.ssl|DEBUG|E4|HttpClient-1-Worker-1|2025-01-09 17:24:11.644 GMT+07:00|CertificateRequest.java:974|Consuming CertificateRequest handshake message (
"CertificateRequest": {
  "certificate_request_context": "",
  "extensions": [
    "signature_algorithms (13)": {
      "signature schemes": [ecdsa_secp256r1_sha256, ecdsa_secp384r1_sha384, ecdsa_secp521r1_sha512, ed25519, ed448, rsa_pss_rsae_sha256, rsa_pss_rsae_sha384, rsa_pss_rsae_sha512, rsa_pss_pss_sha256, rsa_pss_pss_sha384, rsa_pss_pss_sha512, rsa_pkcs1_sha256, rsa_pkcs1_sha384, rsa_pkcs1_sha512, ecdsa_sha1, rsa_pkcs1_sha1]
    },
    "certificate_authorities (47)": {
      "certificate authorities": [
        CN=Client, OU=Server, O=Examples, L=, ST=CA, C=U]
    },
    "signature_algorithms_cert (50)": {
      "signature schemes": [ecdsa_secp256r1_sha256, ecdsa_secp384r1_sha384, ecdsa_secp521r1_sha512, ed25519, ed448, rsa_pss_rsae_sha256, rsa_pss_rsae_sha384, rsa_pss_rsae_sha512, rsa_pss_pss_sha256, rsa_pss_pss_sha384, rsa_pss_pss_sha512, rsa_pkcs1_sha256, rsa_pkcs1_sha384, rsa_pkcs1_sha512, ecdsa_sha1, rsa_pkcs1_sha1]
    }
  ]
}
)
javax.net.ssl|DEBUG|E4|HttpClient-1-Worker-1|2025-01-09 17:24:11.644 GMT+07:00|SSLExtensions.java:204|Consumed extension: signature_algorithms
javax.net.ssl|DEBUG|E4|HttpClient-1-Worker-1|2025-01-09 17:24:11.644 GMT+07:00|SSLExtensions.java:204|Consumed extension: certificate_authorities
javax.net.ssl|DEBUG|E4|HttpClient-1-Worker-1|2025-01-09 17:24:11.645 GMT+07:00|SSLExtensions.java:204|Consumed extension: signature_algorithms_cert
javax.net.ssl|DEBUG|E4|HttpClient-1-Worker-1|2025-01-09 17:24:11.645 GMT+07:00|SSLExtensions.java:236|Populated with extension: signature_algorithms
javax.net.ssl|WARNING|E4|HttpClient-1-Worker-1|2025-01-09 17:24:11.645 GMT+07:00|SSLExtensions.java:227|Ignore impact of unsupported extension: certificate_authorities
javax.net.ssl|DEBUG|E4|HttpClient-1-Worker-1|2025-01-09 17:24:11.645 GMT+07:00|SSLExtensions.java:236|Populated with extension: signature_algorithms_cert
javax.net.ssl|DEBUG|E4|HttpClient-1-Worker-1|2025-01-09 17:24:11.646 GMT+07:00|CertificateMessage.java:1143|Consuming server Certificate handshake message (
"Certificate": {
  "certificate_request_context": "",
  "certificate_list": [  
  {
    "certificate" : {
      "version"            : "v3",
      "serial number"      : "00:fe:0f:1d:85:55:76:f1:12",
      "signature algorithm": "SHA384withRSA",
      "issuer"             : "CN=Server, OU=Server, O=Examples, L=, ST=CA, C=U",
      "not before"         : "2025-01-09 11:57:07.000 GMT+07:00",
      "not  after"         : "2026-01-09 11:57:07.000 GMT+07:00",
      "subject"            : "CN=Server, OU=Server, O=Examples, L=, ST=CA, C=U",
      "subject public key" : "RSA",
      "extensions"         : [
        {
          ObjectId: 2.5.29.14 Criticality=false
          SubjectKeyIdentifier [
          KeyIdentifier [
          0000: 9D FB 7F 8F 60 53 4C A7   0B 4E E0 A7 A7 D2 97 9A  ....`SL..N......
          0010: 44 AD E6 84                                        D...
          ]
          ]
        }
      ]}
    "extensions": {
      <no extension>
    }
  },
]
}
)
javax.net.ssl|DEBUG|E4|HttpClient-1-Worker-1|2025-01-09 17:24:11.646 GMT+07:00|SSLExtensions.java:185|Ignore unavailable extension: status_request
javax.net.ssl|ERROR|E4|HttpClient-1-Worker-1|2025-01-09 17:24:11.652 GMT+07:00|TransportContext.java:375|Fatal (CERTIFICATE_UNKNOWN): PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target (
"throwable" : {
  sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at java.base/sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:388)
    at java.base/sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:271)
    at java.base/sun.security.validator.Validator.validate(Validator.java:256)
    at java.base/sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:284)
    at java.base/sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:144)
    at java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.checkServerCerts(CertificateMessage.java:1304)
    at java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.onConsumeCertificate(CertificateMessage.java:1203)
    at java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.consume(CertificateMessage.java:1146)
    at java.base/sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:393)
    at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:476)
    at java.base/sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction.run(SSLEngineImpl.java:1274)
    at java.base/sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction.run(SSLEngineImpl.java:1260)
    at java.base/java.security.AccessController.doPrivileged(AccessController.java:714)
    at java.base/sun.security.ssl.SSLEngineImpl$DelegatedTask.run(SSLEngineImpl.java:1205)
    at java.base/java.util.ArrayList.forEach(ArrayList.java:1597)
    at java.net.http/jdk.internal.net.http.common.SSLFlowDelegate.lambda$executeTasks$3(SSLFlowDelegate.java:1148)
    at java.net.http/jdk.internal.net.http.HttpClientImpl$DelegatingExecutor.execute(HttpClientImpl.java:178)
    at java.net.http/jdk.internal.net.http.common.SSLFlowDelegate.executeTasks(SSLFlowDelegate.java:1143)
    at java.net.http/jdk.internal.net.http.common.SSLFlowDelegate.doHandshake(SSLFlowDelegate.java:1109)
    at java.net.http/jdk.internal.net.http.common.SSLFlowDelegate$Reader.processData(SSLFlowDelegate.java:508)
    at java.net.http/jdk.internal.net.http.common.SSLFlowDelegate$Reader$ReaderDownstreamPusher.run(SSLFlowDelegate.java:283)
    at java.net.http/jdk.internal.net.http.common.SequentialScheduler$LockingRestartableTask.run(SequentialScheduler.java:182)
    at java.net.http/jdk.internal.net.http.common.SequentialScheduler$CompleteRestartableTask.run(SequentialScheduler.java:149)
    at java.net.http/jdk.internal.net.http.common.SequentialScheduler$SchedulableTask.run(SequentialScheduler.java:207)
    at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1144)
    at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:642)
    at java.base/java.lang.Thread.run(Thread.java:1575)
  Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    at java.base/sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:148)
    at java.base/sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:129)
    at java.base/java.security.cert.CertPathBuilder.build(CertPathBuilder.java:297)
    at java.base/sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:383)
    ... 26 more}

)

Can Spring Boot's SSLBundle work with certificates without CA (just mutual authenticated, not CA)?

Share Improve this question asked 2 days ago Vy DoVy Do 52.3k69 gold badges250 silver badges376 bronze badges 0
Add a comment  | 

2 Answers 2

Reset to default 2

It is possible to have mutual tls without ca I think you are in the right direction, but missing some key parts in the command which is resulting you in having this issue.

I have the following commands which should do the trick for you.

Create the server identity

keytool -v -genkeypair -dname "CN=Server,OU=Server,O=Examples,L=,S=CA,C=U" -keystore server-identity.p12 -storepass secret -keypass secret -keyalg RSA -keysize 2048 -alias server -validity 3650 -deststoretype pkcs12 -ext KeyUsage=digitalSignature,dataEncipherment,keyEncipherment,keyAgreement -ext ExtendedKeyUsage=serverAuth,clientAuth -ext SubjectAlternativeName:c=DNS:localhost,IP:127.0.0.1

Create the client identity

keytool -v -genkeypair -dname "CN=Client,OU=Server,O=Examples,L=,S=CA,C=U" -keystore client-identity.p12 -storepass secret -keypass secret -keyalg RSA -keysize 2048 -alias client -validity 3650 -deststoretype pkcs12 -ext KeyUsage=digitalSignature,dataEncipherment,keyEncipherment,keyAgreement -ext ExtendedKeyUsage=serverAuth,clientAuth

Export certificate of the server

keytool -v -exportcert -file server.cer -alias server -keystore server-identity.p12 -storepass secret -rfc

Export certificate of the client

keytool -v -exportcert -file client.cer -alias client -keystore client-identity.p12 -storepass secret -rfc

Create the server truststore with the certificate of the client

keytool -v -importcert -file client.cer -alias client -keystore server-truststore.p12 -storepass secret -noprompt

Create the client truststore with the certificate of the server

keytool -v -importcert -file server.cer -alias server -keystore client-truststore.p12 -storepass secret -noprompt

I think the main difference in the commands which I have used is the extension part, which is -ext KeyUsage=digitalSignature,dataEncipherment,keyEncipherment,keyAgreement -ext ExtendedKeyUsage=serverAuth,clientAuth other than that it looks quite similar.

Can you retry with the above steps and share your results?

Also here you can find some more information about these steps and a working example which I have built myself: https://github.com/Hakky54/mutual-tls-ssl

The short answer is yes. It is possible, you just need to add a way for the client to know that it can trust your certificate (or bypass checks).

You can either:

  • create a CA and add it to the root certificates list of the client then sign your certificate with it
  • add the self-signed certificate to the client directly in some kind of authorized list
  • tell the client to ignore the validation

Details on how to do it will depend on the client. It seems that your client is a java client so here is an example for a RestClient

本文标签: