We Keep Coding

Spring config server renew vault token auth

I am using spring config server with 2 backends : git and vault (for secrets), and i have a clients apps that connect to the config server to get distant configuration (git and vault).
I have this configuration:
config server
server:
port: 8888
spring:
profiles:
active: git, vault
cloud:
config:
server:
vault:
host: hostName
kvVersion: 1
order: 1
backend: secret/cad
scheme: https
port: 443
git:
order: 2
uri: git#gitlab.git_repo
ignoreLocalSshSettings: true
force-pull: true
deleteUntrackedBranches: true
privateKey: key
and client side
spring:
application:
name: my_app_name
cloud:
vault:
config:
uri: http://localhost:8888
token: s.token
fail-fast: true
With this way I have to change the token for every client every day (token expire 24h). Is there a way to renew the token with this configuration or there is another way to authenticate to the vault?

spring.cloud.vault:
config.lifecycle:
enabled: true
min-renewal: 10s
expiry-threshold: 1440m
lease-endpoints: Legacy
1440 minutes = 24h
Reference: https://cloud.spring.io/spring-cloud-vault/reference/html/#vault-lease-renewal

Eureka service UP, SBA DOWN

I user SBA as discovery client (spring-boot-admin.version 2.1.5) to Eureka server. I see a registered application UP in Eureka server, but the same is DOWN on SBA.SBA app
These is my application.yml
spring:
application:
name: spring-boot-admin-sample-eureka
profiles:
active:
- secure
server:
port : 8091
tag::configuration-eureka[]
eureka: #<1>
instance:
leaseRenewalIntervalInSeconds: 10
statusPageUrlPath: /actuator/info
health-check-url-path: /actuator/health
metadata-map:
startup: ${random.int} #needed to trigger info and endpoint update after restart
management.context-path: /monitor-client/actuator
client:
registryFetchIntervalSeconds: 5
registerWithEureka: false
serviceUrl:
defaultZone: http://localhost:8761/ServicesRepository/eureka
management:
endpoints:
web:
exposure:
include: "*" #<2>
endpoint:
health:
show-details: ALWAYS
security:
enabled: false
end::configuration-eureka[]
spring:
profiles: insecure
spring:
profiles: secure
security:
user:
name: "user"
password: "password"
eureka:
instance:
metadata-map:
user.name: "user" #These two are needed so that the server
user.password: "password" #can access the protected client endpoints
spring:
boot:
admin:
client:
username: user
password: password
instance:
metadata:
user.name: user
user.password: password
Always show details in Health check section
management:
endpoint:
health:
show-details: "ALWAYS"
endpoints:
web:
exposure:
include: "*"

I can not activate a new user with the url in mail. Page not found

When I register a new user :
- I receive a mail with activation link to activate this new user
- I tested in localhost and it works
- Deploy on production
- I tested and the link in production but it didn't find page
I updated my application-prod.yml application-dev.yml to receive the mails.
I changed my app.yml to remove the port 8080 in production with :
ports:
- 80:8080
My app.yml :
version: '2'
services:
mariage-app:
image: mylogin/mariage
environment:
- _JAVA_OPTIONS=-Xmx512m -Xms256m
- SPRING_PROFILES_ACTIVE=prod,swagger
- SPRING_DATASOURCE_URL=jdbc:mysql://mariage-mysql:3306/mariage?useUnicode=true&characterEncoding=utf8&useSSL=false
- JHIPSTER_SLEEP=10 # gives time for the database to boot before the application
ports:
- 80:8080
mariage-mysql:
extends:
file: mysql.yml
service: mariage-mysql
´´´
My application-prod.yml
´´´
# ===================================================================
# Spring Boot configuration for the "prod" profile.
#
# This configuration overrides the application.yml file.
#
# More information on profiles: https://www.jhipster.tech/profiles/
# More information on configuration properties: https://www.jhipster.tech/common-application-properties/
# ===================================================================
# ===================================================================
# Standard Spring Boot properties.
# Full reference is available at:
# http://docs.spring.io/spring-boot/docs/current/reference/html/common-application-properties.html
# ===================================================================
logging:
level:
ROOT: INFO
ch.ricreate.mariage: INFO
io.github.jhipster: INFO
spring:
devtools:
restart:
enabled: false
livereload:
enabled: false
datasource:
type: com.zaxxer.hikari.HikariDataSource
url: jdbc:mysql://localhost:3306/mariage?useUnicode=true&characterEncoding=utf8&useSSL=false&useLegacyDatetimeCode=false&serverTimezone=UTC
username: username
password: password
hikari:
poolName: Hikari
auto-commit: false
data-source-properties:
cachePrepStmts: true
prepStmtCacheSize: 250
prepStmtCacheSqlLimit: 2048
useServerPrepStmts: true
jpa:
database-platform: org.hibernate.dialect.MySQL5InnoDBDialect
database: MYSQL
show-sql: false
properties:
hibernate.id.new_generator_mappings: true
hibernate.connection.provider_disables_autocommit: true
hibernate.cache.use_second_level_cache: true
hibernate.cache.use_query_cache: false
hibernate.generate_statistics: true
hibernate.cache.region.factory_class: com.hazelcast.hibernate.HazelcastCacheRegionFactory
hibernate.cache.hazelcast.instance_name: mariage
hibernate.cache.use_minimal_puts: true
hibernate.cache.hazelcast.use_lite_member: true
liquibase:
contexts: prod
mail:
host: smtp.mymail.ch
port: 587
username: mymail#mymail.ch
password: password
tls: true
properties.mail.smtp:
auth: true
starttls.enable: true
ssl.trust: smtp.mymail.ch
thymeleaf:
cache: true
# ===================================================================
# To enable TLS in production, generate a certificate using:
# keytool -genkey -alias mariage -storetype PKCS12 -keyalg RSA -keysize 2048 -keystore keystore.p12 -validity 3650
#
# You can also use Let's Encrypt:
# https://maximilian-boehm.com/hp2121/Create-a-Java-Keystore-JKS-from-Let-s-Encrypt-Certificates.htm
#
# Then, modify the server.ssl properties so your "server" configuration looks like:
#
# server:
# port: 443
# ssl:
# key-store: classpath:config/tls/keystore.p12
# key-store-password: password
# key-store-type: PKCS12
# key-alias: mariage
# # The ciphers suite enforce the security by deactivating some old and deprecated SSL cipher, this list was tested against SSL Labs (https://www.ssllabs.com/ssltest/)
# ciphers: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 ,TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 ,TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 ,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,TLS_DHE_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA,TLS_RSA_WITH_CAMELLIA_256_CBC_SHA,TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA,TLS_RSA_WITH_CAMELLIA_128_CBC_SHA
# ===================================================================
server:
port: 8080
compression:
enabled: true
mime-types: text/html,text/xml,text/plain,text/css, application/javascript, application/json
min-response-size: 1024
# ===================================================================
# JHipster specific properties
#
# Full reference is available at: https://www.jhipster.tech/common-application-properties/
# ===================================================================
jhipster:
http:
version: V_1_1 # To use HTTP/2 you will need SSL support (see above the "server.ssl" configuration)
cache: # Used by the CachingHttpHeadersFilter
timeToLiveInDays: 1461
cache: # Cache configuration
hazelcast: # Hazelcast distributed cache
time-to-live-seconds: 3600
backup-count: 1
management-center: # Full reference is available at: http://docs.hazelcast.org/docs/management-center/3.9/manual/html/Deploying_and_Starting.html
enabled: false
update-interval: 3
url:
security:
authentication:
jwt:
# This token must be encoded using Base64 and be at least 256 bits long (you can type `openssl rand -base64 64` on your command line to generate a 512 bits one)
# As this is the PRODUCTION configuration, you MUST change the default key, and store it securely:
# - In the JHipster Registry (which includes a Spring Cloud Config server)
# - In a separate `application-prod.yml` file, in the same folder as your executable WAR file
# - In the `JHIPSTER_SECURITY_AUTHENTICATION_JWT_BASE64_SECRET` environment variable
base64-secret: MY BASE 64 KEY...
# Token is valid 24 hours
token-validity-in-seconds: 86400
token-validity-in-seconds-for-remember-me: 2592000
mail: # specific JHipster mail property, for standard properties see MailProperties
from: mymail#mymail
base-url: http://www.mydomain.ch
metrics:
logs: # Reports metrics in the logs
enabled: false
report-frequency: 60 # in seconds
logging:
logstash: # Forward logs to logstash over a socket, used by LoggingConfiguration
enabled: false
host: localhost
port: 5000
queue-size: 512
# ===================================================================
# Application specific properties
# Add your own application properties here, see the ApplicationProperties class
# to have type-safe configuration, like in the JHipsterProperties above
#
# More documentation is available at:
# https://www.jhipster.tech/common-application-properties/
# ===================================================================
# application:
I have this error messages :
3www.mydomain.ch/:13 GET http://www.mydomain.ch/main.3f34c02a7b8ec7cd9bd5.js net::ERR_ABORTED 404 (Not Found)
(index):1 Refused to apply style from 'http://www.mydomain.ch/styles.676f69d3635eaaafa540.css' because its MIME type ('application/json') is not a supported stylesheet MIME type, and strict MIME checking is enabled.
2www.mydomain.ch/:13 GET http://www.mydomain.ch/polyfills.9d3a8743be9f041e6ba8.js net::ERR_ABORTED 404 (Not Found)

Did you change the template templates/mail/activationEmail.html ?

Can't save data with postgreSQL in prod profile

When i launch my server with prod profile, I can connect with admin admin in my JHipster application, but I can't save any data when I want to create a new object (I have an InternalServerError). However in dev profile with the same database (PostgreSQL) it's working well.
Moreover I don't know how to get logs when using prod profile to understand the problem.
I can add the configuration file for the prod profile
# ===================================================================
# Spring Boot configuration for the "prod" profile.
#
# This configuration overrides the application.yml file.
# ===================================================================
# ===================================================================
# Standard Spring Boot properties.
# Full reference is available at:
# http://docs.spring.io/spring-boot/docs/current/reference/html/common-application-properties.html
# ===================================================================
spring:
devtools:
restart:
enabled: false
livereload:
enabled: false
datasource:
url: jdbc:postgresql://localhost:5432/vraiJhipster
name:
username: vraiJhipster
password:
jpa:
database-platform: com.mycompany.myapp.domain.util.FixedPostgreSQL82Dialect
database: POSTGRESQL
show_sql: false
properties:
hibernate.cache.use_second_level_cache: true
hibernate.cache.use_query_cache: false
hibernate.generate_statistics: false
hibernate.cache.region.factory_class: org.hibernate.cache.ehcache.SingletonEhCacheRegionFactory
data:
elasticsearch:
cluster-name:
cluster-nodes: localhost:9300
mail:
host: localhost
port: 25
username:
password:
thymeleaf:
cache: true
liquibase:
contexts: prod
server:
port: 8080
compression:
enabled: true
mime-types: text/html,text/xml,text/plain,text/css, application/javascript, application/json
min-response-size: 1024
# ===================================================================
# JHipster specific properties
# ===================================================================
jhipster:
http:
cache: # Used by the CachingHttpHeadersFilter
timeToLiveInDays: 1461
cache: # Hibernate 2nd level cache, used by CacheConfiguration
timeToLiveSeconds: 3600
ehcache:
maxBytesLocalHeap: 256M
security:
rememberMe:
# security key (this key should be unique for your application, and kept secret)
key: *****************************************
mail: # specific JHipster mail property, for standard properties see MailProperties
from: vraiJhipster#localhost
metrics: # DropWizard Metrics configuration, used by MetricsConfiguration
jmx.enabled: true
spark:
enabled: false
host: localhost
port: 9999
graphite:
enabled: false
host: localhost
port: 2003
prefix: vraiJhipster
logs: # Reports Dropwizard metrics in the logs
enabled: false
reportFrequency: 60 # in seconds
logging:
logstash: # Forward logs to logstash over a socket, used by LoggingConfiguration
enabled: false
host: localhost
port: 5000
queueSize: 512
swagger: # swagger is disabled. It can be disabled by pasing 'no-swagger' profile at run time as well
enabled: false
Thank you.
If you need something about my configuration you can ask it.

I found the problem it was actually elasticSearch. When I use JHipster in production mode, the default configuration use elasticSearch on port 9300. But I hadn't any elasticSearch running on my computer. So I copy pasted the elasticSearch configuration from dev profile to prod profile.
data:
elasticsearch:
cluster-name:
cluster-nodes:
properties:
path:
logs: target/elasticsearch/log
data: target/elasticsearch/data

Using spring config server with git causing security group issue

I am now trying to set up using spring config server / spring config client and eureka server to do service discovery together. when I was using local file system to save configuration, everything is fine, but as soon as I change to gitHub to save configuration, I can not start spring config client, and I got this error message:
com.netflix.discovery.DiscoveryClient : Can't get a response from http://user:{cipher}AQBdTe9vjgOqANyfi+Ke5HYmhFJnuvsGJ+8FOqLgdMdFInJkVRzy9XngylNp9KlX2lwPI13jT7ceDjBs9w4B6A15akQTHHP1q9rWwMcLtVCCKGFgvXSgQF+WWIItxBmIDGG4bSgDYZ6XQWl66T84PxjTBygErpmAjn+X2BWdtWtVmjXzpMQMaHGpiyLPoGIQYF4j9ZGpl16Jx79+j6et6LStksrT3WxQuanhZwIkqZ827+2mlUB3kd5ocW7R0vC3JMGVZlGNfqYQwJIhSJ19lrq4gxm/zbGroYonW3QSHTiRlhlvOdovEua/0dCl6+s0iEHYZCBllr7jikEWmS5Px7U2TG8/eQkjR8pUbSN6OE+OI2ZZUCNOT+mi75ZeeN1OtdQ=#localhost:8761/eureka/null
Can't contact any eureka nodes - possibly a security group issue?
java.lang.IllegalArgumentException: Illegal character in authority at index 7: http://user:{cipher}AQBdTe9vjgOqANyfi+Ke5HYmhFJnuvsGJ+8FOqLgdMdFInJkVRzy9XngylNp9KlX2lwPI13jT7ceDjBs9w4B6A15akQTHHP1q9rWwMcLtVCCKGFgvXSgQF+WWIItxBmIDGG4bSgDYZ6XQWl66T84PxjTBygErpmAjn+X2BWdtWtVmjXzpMQMaHGpiyLPoGIQYF4j9ZGpl16Jx79+j6et6LStksrT3WxQuanhZwIkqZ827+2mlUB3kd5ocW7R0vC3JMGVZlGNfqYQwJIhSJ19lrq4gxm/zbGroYonW3QSHTiRlhlvOdovEua/0dCl6+s0iEHYZCBllr7jikEWmS5Px7U2TG8/eQkjR8pUbSN6OE+OI2ZZUCNOT+mi75ZeeN1OtdQ=#localhost:8761/eureka/
at java.net.URI.create(URI.java:852)
This is what I have:
In cofig server application.yml:
spring:
application:
name: spirent-config-server
cloud:
config:
server:
git:
uri: https://github.com/spring-cloud-samples/config-repo
#searchPaths: foo,bar*
server:
port: 8888
in config client:
bootstrap.properties:
spring.application.name= foo
spring.profiles.active= development
spring.cloud.config.uri= http://localhost:8888
and application.yml
eureka:
instance:
hostname: ${host.instance.name:frank1}
nonSecurePort: ${host.instance.port:8080}
metadataMap:
instanceId: ${host.instance.instanceid:frank_123}
client:
serviceUrl:
defaultZone: http://localhost:8761/eureka/
server:
port: ${host.instance.port:8080}
Eureka Server:
application.yml
server:
port: 8761
eureka:
client:
registerWithEureka: false
fetchRegistry: false
server:
waitTimeInMsWhenSyncEmpty: 0
bootstrap.yml:
spring:
application:
name: eureka
cloud:
config:
uri: ${CONFIG_SERVER_URL:http://localhost:8888}
From the exception, it seemed it is because discoverClient is not working, anything special for the configuration?
But if I change from gitHub to local file storage for configuration, everything is fine.
Thanks for your suggestion in advance.
Based on the spring cloud document, I am doing like this:
In application.yml of config server:
spring:
application:
name: spirent-config-server
cloud:
config:
server:
git:
uri: https://github.com/spring-cloud-samples/config-repo
#searchPaths: foo,bar*
encrypt:
key: abc
server:
port: 8888
In application.yml of Eureka Server:
server:
port: 8761
eureka:
instance:
hostname: localhost
client:
registerWithEureka: false
fetchRegistry: false
serviceUrl:
defaultZone: http://${eureka.instance.hostname}:${server.port}/eureka/
server:
waitTimeInMsWhenSyncEmpty: 0
encrypt:
key: abc
And in application.yml of config client:
eureka:
instance:
hostname: ${host.instance.name:frank1}
nonSecurePort: ${host.instance.port:8080}
leaseRenewalIntervalInSeconds: 5 #default is 30, recommended to keep default
metadataMap:
#instanceId: ${host.instance.instanceid:frank_123}
instanceId: ${spring.application.name}:${spring.application.instance_id:${random.value}}
client:
serviceUrl:
defaultZone: http://localhost:8761/eureka/
server:
port: ${host.instance.port:8080}
encrypt:
key: abc
But, the problem is after I started Eureka an config server, it is fine, no exception, but after I started config client, I got this same exception:
Can't contact any eureka nodes - possibly a security group issue?
java.lang.IllegalArgumentException: Illegal character in authority at index 7: http://user:{cipher}AQBdTe9vjgOqANyfi+Ke5HYmhFJnuvsGJ+8FOqLgdMdFInJkVRzy9XngylNp9KlX2lwPI13jT7ceDjBs9w4B6A15akQTHHP1q9rWwMcLtVCCKGFgvXSgQF+WWIItxBmIDGG4bSgDYZ6XQWl66T84PxjTBygErpmAjn+X2BWdtWtVmjXzpMQMaHGpiyLPoGIQYF4j9ZGpl16Jx79+j6et6LStksrT3WxQuanhZwIkqZ827+2mlUB3kd5ocW7R0vC3JMGVZlGNfqYQwJIhSJ19lrq4gxm/zbGroYonW3QSHTiRlhlvOdovEua/0dCl6+s0iEHYZCBllr7jikEWmS5Px7U2TG8/eQkjR8pUbSN6OE+OI2ZZUCNOT+mi75ZeeN1OtdQ=#localhost:8761/eureka/
at java.net.URI.create(URI.java:852)
at com.sun.jersey.api.client.Client.resource(Client.java:433)
at com.netflix.discovery.DiscoveryClient.makeRemoteCall(DiscoveryClient.java:1091)
at com.netflix.discovery.DiscoveryClient.makeRemoteCall(DiscoveryClient.java:1060)
at com.netflix.discovery.DiscoveryClient.getAndStoreFullRegistry(DiscoveryClient.java:835)
Can anyone tell me where is my error? This only happened in using GIT as config server data source, but in local file data source, no error happened.
Thanks
These are my steps to try to resolve the key issues, but failed again:
download the "Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files" from Oracle, and follow instructions for installation (essentially replace the 2 policy files in the JRE lib/security directory with the ones that you downloaded).
Now if I run spring encrypt mysecret --key foo, it is successful, this means the JCE is installed correctly;
Creating a Key Store for Testing: using this:
https://github.com/spring-cloud/spring-cloud-config/blob/master/docs/src/main/asciidoc/spring-cloud-config.adoc#creating-a-key-store-for-testing
after updating the application.yml in my config server, the application.yml is this:
spring:
application:
name: spirent-config-server
cloud:
config:
server:
git:
uri: https://github.com/spring-cloud-samples/config-repo
#searchPaths: foo,bar*
encrypt:
keyStore:
location: classpath:/server.jks
password: letmein
alias: abc
secret: changeme
key: abc
server:
port: 8888
adding this to both eureka server and config client application.yml:
encrypt:
key: abc
Run everything:
Result is same nasty error
So what is wrong is my testing? Thanks for your help
It is my fault:
Changing application.yml to this:
spring:
application:
name: configserver
encrypt:
failOnError: false
keyStore:
#location: classpath:keystore.jks
#password: ${KEYSTORE_PASSWORD:foobar} # don't use a default in production
#alias: test
location: classpath:server.jks
password: letmein
alias: mytestkey
secret: changeme
And then using this command to generate the file resolving the issue completely:
keytool -genkeypair -alias mytestkey -keyalg RSA \
-dname "CN=Web Server,OU=Unit,O=Organization,L=City,S=State,C=US" \
-keypass changeme -keystore server.jks -storepass letmein
Thanks