[configure] "Java Pod PKIX SSL Handshake Failure to External HTTPS Endpoint — Custom JKS TrustStore Missing the Server's Issuer CA"

[jing2uo]

新增一篇 ACP KB 文章，归入 configure 区域。

✅ 自动化验证通过 — 可自动合并 — 0 / 0 条验证步骤在真实 Kubernetes 集群上按文章命令跑通（2026-04-25T01:21:16Z）。

configure 区域建议 reviewer

按 kb/OWNERS.md + kb/KB_REVIEWERS.md 该区域的活跃人自动挑选，@ 错了请无视。

@changluyi @zhangzujian @oilbeater

没有 GitHub handle 的贡献者（本区域相关请人工 ping）：

• cong <q1875486458@gmail.com>
• MeoK <zhouxuan0922@outlook.com>

Summary by CodeRabbit

Release Notes

• Documentation
  • Added troubleshooting guide for Java PKIX SSL Handshake failures when connecting to external HTTPS endpoints. Includes step-by-step diagnostic workflow and resolution procedures for resolving certificate trust store issues.

[coderabbitai]

Walkthrough

A new troubleshooting documentation page for Java PKIX SSL handshake exceptions was added. The guide covers diagnosing and resolving certificate chain validation failures when connecting to external HTTPS endpoints using custom JKS trust stores, including certificate extraction, import procedures, and verification steps.

Changes

Cohort / File(s)	Summary
Java SSL Troubleshooting Guide docs/en/solutions/Java_Pod_PKIX_SSL_Handshake_Failure_to_External_HTTPS_Endpoint_Custom_JKS_TrustStore_Missing_the_Servers_Issuer_CA.md	New comprehensive troubleshooting documentation for Java PKIX SSL handshake failures, including step-by-step workflow for identifying missing CA issuers, extracting certificates, updating JKS keystores, and verification procedures.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes

Poem

🐰 A truststore was missing its CA friend,
So I hopped through openssl from start to end,
With keytool in paw, certificates in sight,
The handshake now succeeds—all is right! 🔐

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately and specifically describes the main change: a new troubleshooting guide for Java Pod PKIX SSL handshake failures due to missing issuer CA certificates in a custom JKS truststore.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch kb/2026-02/java-pod-pkix-ssl-handshake-failure-to-e

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 2

🧹 Nitpick comments (1)

docs/en/solutions/Java_Pod_PKIX_SSL_Handshake_Failure_to_External_HTTPS_Endpoint_Custom_JKS_TrustStore_Missing_the_Servers_Issuer_CA.md (1)

13-18: Add language specifiers to fenced code blocks for better rendering.

The error message code blocks should specify a language for proper syntax highlighting, even if it's just text or log.

📝 Proposed fix

-```
+```text
 javax.net.ssl.SSLHandshakeException:

-```
+```text
 org.springframework.web.client.ResourceAccessException:

Also applies to: 22-26

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In
`@docs/en/solutions/Java_Pod_PKIX_SSL_Handshake_Failure_to_External_HTTPS_Endpoint_Custom_JKS_TrustStore_Missing_the_Servers_Issuer_CA.md`
around lines 13 - 18, Update the fenced code blocks that show the SSL errors to
include a language specifier (e.g., text or log) so they render correctly;
specifically modify the blocks containing "javax.net.ssl.SSLHandshakeException:"
and "org.springframework.web.client.ResourceAccessException:" (and the other
similar blocks around lines referenced, e.g., the blocks at 22-26) to use
```text (or ```log) instead of plain ``` to ensure proper highlighting.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In
`@docs/en/solutions/Java_Pod_PKIX_SSL_Handshake_Failure_to_External_HTTPS_Endpoint_Custom_JKS_TrustStore_Missing_the_Servers_Issuer_CA.md`:
- Line 159: The inline command "{\"data\":{\"$KS_KEY\":\"$(base64 -w0
/tmp/truststore.jks)\"}}\" uses the GNU-only base64 -w0 flag which breaks on
macOS; update the snippet to use a portable encoding such as
"{\"data\":{\"$KS_KEY\":\"$(base64 /tmp/truststore.jks | tr -d '\\n')\"}}\" or
document both variants (Linux: base64 -w0 /tmp/truststore.jks, macOS: base64
/tmp/truststore.jks | tr -d '\\n') so the string construction around $KS_KEY
works cross-platform.
- Line 57: The yq example uses env(MOUNT) but MOUNT is never defined; either
remove that broken kubectl + yq line (since alternatives exist on lines 58-60)
or add a step that defines MOUNT before using it (e.g., export MOUNT with the
mountPath value to be matched) and update the kubectl -o=yaml | yq
'.spec.containers[].volumeMounts[] | select(.mountPath as $p | env(MOUNT) |
contains($p))' invocation to reference that defined MOUNT; ensure the doc shows
the export/definition of MOUNT or replaces the expression with a concrete
literal so the example runs as-is.

---

Nitpick comments:
In
`@docs/en/solutions/Java_Pod_PKIX_SSL_Handshake_Failure_to_External_HTTPS_Endpoint_Custom_JKS_TrustStore_Missing_the_Servers_Issuer_CA.md`:
- Around line 13-18: Update the fenced code blocks that show the SSL errors to
include a language specifier (e.g., text or log) so they render correctly;
specifically modify the blocks containing "javax.net.ssl.SSLHandshakeException:"
and "org.springframework.web.client.ResourceAccessException:" (and the other
similar blocks around lines referenced, e.g., the blocks at 22-26) to use
```text (or ```log) instead of plain ``` to ensure proper highlighting.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: b81c518f-28c8-47b9-9939-19017101c53a

📥 Commits

Reviewing files that changed from the base of the PR and between 5c78e3d and f577652.

📒 Files selected for processing (1)

• docs/en/solutions/Java_Pod_PKIX_SSL_Handshake_Failure_to_External_HTTPS_Endpoint_Custom_JKS_TrustStore_Missing_the_Servers_Issuer_CA.md

[coderabbitai]

⚠️ Potential issue | 🟡 Minor

Fix the yq command or clarify the MOUNT variable requirement.

The command references env(MOUNT) but the MOUNT environment variable is never defined in the preceding steps. This command will fail as written.

🔧 Proposed fix

Either remove this broken command example since lines 58-60 already provide working alternatives, or show how to set MOUNT first:

+# Set MOUNT to the truststore path from the previous grep output
+MOUNT=/path/to/truststore  # Replace with actual path from JAVA_TOOL_OPTIONS
 kubectl -n "$NS" get pod "$POD" -o=yaml | yq '.spec.containers[].volumeMounts[] | select(.mountPath as $p | env(MOUNT) | contains($p))'

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In
`@docs/en/solutions/Java_Pod_PKIX_SSL_Handshake_Failure_to_External_HTTPS_Endpoint_Custom_JKS_TrustStore_Missing_the_Servers_Issuer_CA.md`
at line 57, The yq example uses env(MOUNT) but MOUNT is never defined; either
remove that broken kubectl + yq line (since alternatives exist on lines 58-60)
or add a step that defines MOUNT before using it (e.g., export MOUNT with the
mountPath value to be matched) and update the kubectl -o=yaml | yq
'.spec.containers[].volumeMounts[] | select(.mountPath as $p | env(MOUNT) |
contains($p))' invocation to reference that defined MOUNT; ensure the doc shows
the export/definition of MOUNT or replaces the expression with a concrete
literal so the example runs as-is.

[coderabbitai]

⚠️ Potential issue | 🟡 Minor

The base64 -w0 flag is not portable to macOS.

The -w0 flag works on Linux (GNU coreutils) but is not supported on macOS/BSD base64. Users running these commands from macOS will encounter an error.

🔧 Proposed portable fix

-  "{\"data\":{\"$KS_KEY\":\"$(base64 -w0 /tmp/truststore.jks)\"}}"
+  "{\"data\":{\"$KS_KEY\":\"$(base64 < /tmp/truststore.jks | tr -d '\n')\"}}"

Or add a note mentioning the Linux-specific flag and provide a macOS alternative.

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	"{\"data\":{\"$KS_KEY\":\"$(base64 -w0 /tmp/truststore.jks)\"}}"
	"{\"data\":{\"$KS_KEY\":\"$(base64 < /tmp/truststore.jks | tr -d '\n')\"}}"

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In
`@docs/en/solutions/Java_Pod_PKIX_SSL_Handshake_Failure_to_External_HTTPS_Endpoint_Custom_JKS_TrustStore_Missing_the_Servers_Issuer_CA.md`
at line 159, The inline command "{\"data\":{\"$KS_KEY\":\"$(base64 -w0
/tmp/truststore.jks)\"}}\" uses the GNU-only base64 -w0 flag which breaks on
macOS; update the snippet to use a portable encoding such as
"{\"data\":{\"$KS_KEY\":\"$(base64 /tmp/truststore.jks | tr -d '\\n')\"}}\" or
document both variants (Linux: base64 -w0 /tmp/truststore.jks, macOS: base64
/tmp/truststore.jks | tr -d '\\n') so the string construction around $KS_KEY
works cross-platform.