Spring Boot application failed to start with custom URL

Hi

I have configured a custom URL, https://login.icomsec.biz/ and it is able to display the login page.

Unfortunately the Spring Boot application failed to start with this error:

```
Caused by: org.springframework.beans.BeanInstantiationException: Failed to instantiate [org.springframework.security.oauth2.client.registration.InMemoryClientRegistrationRepository]: Factory method 'clientRegistrationRepository' threw exception; nested exception is java.lang.IllegalArgumentException: Unable to resolve Configuration with the provided Issuer of "https://login.icomsec.biz/oauth2/default

Caused by: org.springframework.web.client.ResourceAccessException: I/O error on GET request for "https://login.icomsec.biz/oauth2/default/.well-known/openid-configuration": PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target; nested exception is javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
```

Am I missing any configuration here?

What CA are you using? That PKIX error usually implies something is up with the TLS handshake.

If you haven’t done so already, can you ensure that you have added the cert chain for your site as part of the Custom URL Domain configuration you have in Okta and retest?

I’m using Let’s Encrypt certificate.

You’re right, it is working now after I added the chain certificate. I did not add the chain certificate simply because the field is marked as optional (?).

To conclude this issue, we have to update the certificate, private key and the chain certificate using
/etc/letsencrypt/live/…/cert.pem
/etc/letsencrypt/live/…/privkey.pem
/etc/letsencrypt/live/…/chain.pem

Thank you very much!

Perfect! We’ve seen that the cert chain often needs to be added for certain integrations, namely those that involve a backend server making requests to Okta.
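Why adding the chain certificate cleared the PKIX error, reproduced offline as an added example (not part of the thread, and not Okta or Spring code): a client that trusts only the root cannot build a path to the leaf unless the intermediate is supplied alongside it. The CA names, the host name `login.example.test` and the helper functions are constructed for illustration, and the `openssl` CLI is assumed to be installed.

```shell
#!/usr/bin/env bash
# Added example: constructed root -> intermediate -> leaf PKI in a temp dir.
# File names mirror certbot's cert.pem / chain.pem; all names are made up.

# issue <name> <CN> <extfile> <signing options...>: new key + CSR, then a cert.
issue() {
  name=$1; cn=$2; ext=$3; shift 3
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$cn" \
    -keyout "$name.key" -out "$name.csr" 2>/dev/null &&
  openssl x509 -req -in "$name.csr" -days 2 -extfile "$ext" "$@" \
    -out "$name.pem" 2>/dev/null
}

# build_pki <dir>: root.pem is the only cert the client trusts; chain.pem is
# the intermediate, the piece that was left out of the custom domain config.
build_pki() {
  (
    cd "$1" || exit 1
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
    printf 'basicConstraints=CA:FALSE\n' > leaf.ext
    issue root "Constructed Root CA" ca.ext -signkey root.key &&
    issue chain "Constructed Intermediate CA" ca.ext \
      -CA root.pem -CAkey root.key -CAcreateserial &&
    issue cert "login.example.test" leaf.ext \
      -CA chain.pem -CAkey chain.key -CAcreateserial
  )
}

# verify_leaf <dir> [untrusted-intermediates.pem]
# Validates cert.pem the way a client that trusts only root.pem would. The
# optional file plays the role of the chain the server sends in the handshake.
verify_leaf() {
  if [ -n "${2:-}" ]; then
    openssl verify -CAfile "$1/root.pem" -untrusted "$2" "$1/cert.pem" >/dev/null 2>&1
  else
    openssl verify -CAfile "$1/root.pem" "$1/cert.pem" >/dev/null 2>&1
  fi
}

demo=$(mktemp -d) && build_pki "$demo" || { echo "openssl setup failed" >&2; exit 1; }
verify_leaf "$demo" && echo "leaf only: OK" || echo "leaf only: path building fails"
verify_leaf "$demo" "$demo/chain.pem" && echo "leaf + chain: OK" || echo "leaf + chain: fails"
rm -rf "$demo"
```

Browsers often mask a missing intermediate by using cached or fetched issuer certificates, while a JVM validates only against what the server sends plus its truststore, which matches the login page loading while the backend request failed.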
