KTOR self-signed certificate causes bad_certificate error

I have a microservice written in KTOR. For local testing, I’m using the ktor-network-tls-certificates-jvm:2.3.10 library to generate a self-signed certificate. If I make HTTPS requests using Insomnia, it works perfectly. However, when hitting it from a local web page, I get the following errors:

WARN  [2024-07-18 18:36:59,318] io.netty.handler.ssl.ApplicationProtocolNegotiationHandler: [id: 0x62661187, L:/127.0.0.1:9443 ! R:/127.0.0.1:64289] TLS handshake failed:
javax.net.ssl.SSLHandshakeException: Received fatal alert: bad_certificate

WARN  [2024-07-18 18:36:59,318] io.netty.handler.ssl.ApplicationProtocolNegotiationHandler: [id: 0x8c47ffb0, L:/127.0.0.1:9443 ! R:/127.0.0.1:64290] TLS handshake failed:
javax.net.ssl.SSLHandshakeException: Received fatal alert: bad_certificate

(I haven’t included the stack traces, but can if you want)

I’m generating the certificate using the following code:

generateCertificate(
    keyStoreFile, // build/keystore.jks
    keyAlias = System.getenv("keyStoreAlias"), // sampleAlias
    keyPassword = System.getenv("keyStorePrivateKeyPassword"), // foobar
    jksPassword = keyStorePassword // 12345
)

Does anyone know what I’m doing wrong, and what exactly the error means? “bad_certificate” is very generic, and doesn’t tell me what’s wrong. :frowning:

But do you trust this certificate on the client side? I never used Insomnia, but if it is a tool for testing, then it is probable the security is disabled by default. Your web application is most probably secure by default, so it won’t accept a self-signed cert until you trust it explicitly or disable the security entirely.

You can use openssl s_client to debug problems with certs.
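The server log says the alert was received, which means the connecting client sent it, so a useful next step is to look at the certificate that client is being shown. The Kotlin program below is an added example, not code from this thread or from Ktor. It uses only JDK APIs and assumes the keystore path, alias and store password given in the comments of the question; `build/ktor-dev-cert.pem` is a hypothetical output path.

```kotlin
import java.io.File
import java.security.KeyStore
import java.security.MessageDigest
import java.security.cert.X509Certificate
import java.security.interfaces.RSAPublicKey
import java.util.Base64

// Summarise the fields a TLS client evaluates before it trusts a server certificate.
fun describe(cert: X509Certificate): String {
    // Each SAN entry is [type, value]; type 2 is a DNS name, type 7 an IP address.
    val sans = cert.subjectAlternativeNames?.joinToString { "${it[0]}=${it[1]}" } ?: "none"
    val rsaBits = (cert.publicKey as? RSAPublicKey)?.modulus?.bitLength()
    val sha256 = MessageDigest.getInstance("SHA-256").digest(cert.encoded)
        .joinToString(":") { "%02X".format(it) }
    val validNow = runCatching { cert.checkValidity() }.isSuccess
    return """
        subject     : ${cert.subjectX500Principal.name}
        issuer      : ${cert.issuerX500Principal.name}
        self-signed : ${cert.subjectX500Principal == cert.issuerX500Principal}
        validity    : ${cert.notBefore} .. ${cert.notAfter} (valid now: $validNow)
        signature   : ${cert.sigAlgName}
        public key  : ${cert.publicKey.algorithm} ${rsaBits ?: "?"} bits
        SANs        : $sans
        SHA-256     : $sha256
    """.trimIndent()
}

// PEM-encode the certificate only (never the private key) so a client can import it.
fun toPem(cert: X509Certificate): String {
    val body = Base64.getMimeEncoder(64, "\n".toByteArray()).encodeToString(cert.encoded)
    return "-----BEGIN CERTIFICATE-----\n$body\n-----END CERTIFICATE-----\n"
}

fun main() {
    // Values taken from the comments in the question (assumptions for this example).
    val keyStoreFile = File("build/keystore.jks")
    val keyStorePassword = "12345".toCharArray()
    val alias = System.getenv("keyStoreAlias") ?: "sampleAlias"

    // KeyStore.getInstance(File, char[]) needs Java 9+ and detects the store type itself.
    val keyStore = KeyStore.getInstance(keyStoreFile, keyStorePassword)
    val cert = keyStore.getCertificate(alias) as? X509Certificate
        ?: error("No X.509 certificate under alias '$alias' in $keyStoreFile")

    println(describe(cert))
    val pemFile = File("build/ktor-dev-cert.pem") // hypothetical output path
    pemFile.writeText(toPem(cert))
    println("Wrote ${pemFile.path}")
}
```

The printed SHA-256 fingerprint can be compared with the certificate the running server presents, for example in the output of `openssl s_client -connect 127.0.0.1:9443 -showcerts`. The exported PEM file is what a local test client would import to trust this certificate explicitly.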

The problem with that theory is that I would expect the error to be on the client side, not the server side. I’m using https from both Insomnia and my web front end, so I think the behaviour should be the same.

Just to make it absolutely clear, the error logs I included above are from my KTOR server, NOT my web application. So requests to my KTOR server from Insomnia will work, but requests to my KTOR server from my web application cause an error in my KTOR server.

(Yes, Insomnia is a REST testing tool.)

Hi, did you find a solution? I have been searching for one for two days. :grimacing:

No, I think I gave up in the end. :stuck_out_tongue: I wonder if it’s related to the error I get when hitting my KTOR server at all? When I start my KTOR server and hit it with HTTPS traffic, I get two stack traces related to the certificate, but only on the first request, never after that. Also HTTPS traffic works, so I don’t really know what to make of it.