After updating from spring-boot version 3.0.8 to 3.1.0 or 3.1.1 the application no longer loads the SSL certificates from the store.
Configuration:
FIPS-compliant config as described in:
https://access.redhat.com/documentation/en-us/openjdk/17/html/configuring_openjdk_17_on_rhel_with_fips/openjdk-default-fips-configuration#key_store
The application is a standalone service with embedded Tomcat.
Configuration file contents:
/path/to/application.properties
...........Clipped for Brevity
security.require-ssl=true
server.ssl.key-store-type=PKCS11
server.ssl.key-store-password=passwd
server.ssl.key-alias=Server-Cert
server.ssl.protocol=TLS
server.ssl.enabled-protocols=TLSv1.2
...........Clipped for Brevity
/etc/alternatives/jre_17/conf/security/java.security
...........Clipped for Brevity
security.provider.12=SunPKCS11 /etc/alternatives/jre_17/conf/security/nss.cfg
...........Clipped for Brevity
/etc/alternatives/jre_17/conf/security/nss.cfg
name = NSSfips
nssLibraryDirectory = /usr/lib64
nssSecmodDirectory = /etc/pki/certs/nss
nssModule = fips
nssDbMode = readOnly
nssUseSecmod = true
This configuration has been working for almost 4 years without issue.
I understand there was an update that added support for SSL bundles; however, it also stated that the current server.ssl support would continue to function.
Is there something I need to change in the configuration now to get it to load the certificates?
Steps taken to correct: I've tried to isolate the loading of the certificates by enabling debug mode and using process trace utilities. However, it seems to skip the configuration altogether and starts the application without a certificate. No errors in the logs.
I was going to post an issue in the GitHub spring-boot repository and it said to try here first.
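A stand-alone check that separates the two possible causes the question leaves open, whether the JDK/NSS FIPS configuration still yields the PKCS11 key store and alias, or whether only Spring Boot stopped binding it. This is an added example, not code from the question or from Spring Boot. It assumes the java.security and nss.cfg shown above are in effect (so the configured provider is named "SunPKCS11-NSSfips"), and it takes the key-store password from the first argument, defaulting to the "passwd" value in application.properties.

```java
import java.security.Key;
import java.security.KeyStore;
import java.security.Provider;
import java.security.Security;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Collections;

// Diagnostic only: opens the PKCS11 key store exactly as the JDK would for
// server.ssl.key-store-type=PKCS11 and verifies the configured alias.
public class Pkcs11KeyStoreCheck {

    // Alias from the application.properties in the question (assumption: unchanged).
    private static final String ALIAS = "Server-Cert";

    public static void main(String[] args) throws Exception {
        char[] password = (args.length > 0 ? args[0] : "passwd").toCharArray();

        // 1. The SunPKCS11 line in java.security must have produced a *configured*
        //    provider. A configured provider is named "SunPKCS11-<name from nss.cfg>";
        //    a bare "SunPKCS11" has no config and offers no services.
        Provider pkcs11 = null;
        for (Provider p : Security.getProviders()) {
            if (p.getName().startsWith("SunPKCS11-")) {
                pkcs11 = p;
                break;
            }
        }
        if (pkcs11 == null) {
            System.err.println("No configured SunPKCS11 provider; check java.security and nss.cfg");
            System.exit(2);
        }
        System.out.println("provider=" + pkcs11.getName() + " (" + pkcs11.getInfo() + ")");

        // 2. A PKCS11 store is not a file: load with a null stream and the token PIN.
        KeyStore ks = KeyStore.getInstance("PKCS11", pkcs11);
        ks.load(null, password);

        // 3. List what the token exposes, then check the configured alias.
        for (String alias : Collections.list(ks.aliases())) {
            System.out.println("alias=" + alias + " keyEntry=" + ks.isKeyEntry(alias));
        }
        if (!ks.containsAlias(ALIAS)) {
            System.err.println("Alias '" + ALIAS + "' not present in the PKCS11 store");
            System.exit(3);
        }
        if (!ks.isKeyEntry(ALIAS)) {
            System.err.println("Alias '" + ALIAS + "' is a certificate-only entry, not a private key");
            System.exit(4);
        }

        // 4. The private key must be retrievable with the same password Boot is given.
        Key key = ks.getKey(ALIAS, password);
        if (key == null) {
            System.err.println("Private key for '" + ALIAS + "' could not be retrieved");
            System.exit(5);
        }
        System.out.println("key algorithm=" + key.getAlgorithm());

        // 5. And the certificate must be valid today, or the handshake will fail anyway.
        Certificate cert = ks.getCertificate(ALIAS);
        if (cert instanceof X509Certificate x509) {
            x509.checkValidity(); // throws if expired or not yet valid
            System.out.println("subject=" + x509.getSubjectX500Principal()
                    + " notAfter=" + x509.getNotAfter());
        }
        System.out.println("OK: PKCS11 store and alias '" + ALIAS + "' usable");
    }
}
```

Run it with the same JDK and the same `java.security` the application uses (for example `java Pkcs11KeyStoreCheck passwd`). If it exits 0 the token, provider and alias are fine and the remaining suspect is how Spring Boot 3.1 binds the `server.ssl.*` properties to the new SSL-bundle code; if it exits non-zero the problem is in the JDK/NSS FIPS setup rather than in Spring Boot, regardless of version.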