[BUG] It is trying to connect to www.example.com in container #48357

@Guillaume-Lebegue

Describe the bug
I made a Quarkus program that uses OpenAIOkHttpClient to call the Azure API.
The program works well when used in dev mode, but when I use it in a container, it seems to try to connect to www.example.com instead of baseurl and throws an error about not finding the certificate.

Exception or Stack Trace

2026-03-10 15:30:24,570 INFO  [app.infrastructure.openai.OpenAiService] (executor-thread-1) Starting client
2026-03-10 15:30:24,570 INFO  [app.infrastructure.openai.OpenAiService] (executor-thread-1) Getting client cred, clientid: ****, clientsecret: ****, tenantid: ****
2026-03-10 15:30:24,571 INFO  [app.infrastructure.openai.OpenAiService] (executor-thread-1) Getting bearer token supplier
2026-03-10 15:30:24,574 INFO  [app.infrastructure.openai.OpenAiService] (executor-thread-1) Getting bearer token credential
2026-03-10 15:30:24,574 INFO  [app.infrastructure.openai.OpenAiService] (executor-thread-1) Starting OpenAI client, apitoken: ****, endpoint: https://****.cognitiveservices.azure.com/
2026-03-10 15:30:24,818 ERROR [com.azure.core.http.netty.NettyAsyncHttpClient] (executor-thread-1) javax.net.ssl.SSLHandshakeException: General OpenSslEngine problem
2026-03-10 15:30:24,818 ERROR [app.application.ContentUnderstandingOutputConsumer] (executor-thread-1) java.io.UncheckedIOException: javax.net.ssl.SSLHandshakeException: General OpenSslEngine problem
2026-03-10 15:30:24,818 WARN  [reactor.netty.http.client.HttpClientConnect] (reactor-http-epoll-3) [dead729e, L:/10.89.0.19:50308 - R:www.example.com/104.18.26.120:443] The connection observed an error: javax.net.ssl.SSLHandshakeException: General OpenSslEngine problem
        at io.netty.handler.ssl.ReferenceCountedOpenSslEngine.handshakeException(ReferenceCountedOpenSslEngine.java:1939)
        at io.netty.handler.ssl.ReferenceCountedOpenSslEngine.wrap(ReferenceCountedOpenSslEngine.java:862)
        at java.base/javax.net.ssl.SSLEngine.wrap(SSLEngine.java:564)
        at io.netty.handler.ssl.SslHandler.wrap(SslHandler.java:1148)
        at io.netty.handler.ssl.SslHandler.wrapNonAppData(SslHandler.java:992)
        at io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1555)
        at io.netty.handler.ssl.SslHandler.decodeNonJdkCompatible(SslHandler.java:1390)
        at io.netty.handler.ssl.SslHandler.decode(SslHandler.java:1430)
        at io.netty.handler.codec.ByteToMessageDecoder.decodeRemovalReentryProtection(ByteToMessageDecoder.java:545)
        at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:484)
        at io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:296)
        at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:444)
        at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:420)
        at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:412)
        at io.netty.channel.DefaultChannelPipeline$HeadContext.channelRead(DefaultChannelPipeline.java:1357)
        at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:440)
        at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:420)
        at io.netty.channel.DefaultChannelPipeline.fireChannelRead(DefaultChannelPipeline.java:868)
        at io.netty.channel.epoll.AbstractEpollStreamChannel$EpollStreamUnsafe.epollInReady(AbstractEpollStreamChannel.java:805)
        at io.netty.channel.epoll.AbstractEpollChannel$AbstractEpollUnsafe$1.run(AbstractEpollChannel.java:425)
        at io.netty.util.concurrent.AbstractEventExecutor.runTask(AbstractEventExecutor.java:173)
        at io.netty.util.concurrent.AbstractEventExecutor.safeExecute(AbstractEventExecutor.java:166)
        at io.netty.util.concurrent.SingleThreadEventExecutor.runAllTasks(SingleThreadEventExecutor.java:472)
        at io.netty.channel.epoll.EpollEventLoop.run(EpollEventLoop.java:405)
        at io.netty.util.concurrent.SingleThreadEventExecutor$4.run(SingleThreadEventExecutor.java:998)
        at io.netty.util.internal.ThreadExecutorMap$2.run(ThreadExecutorMap.java:74)
        at io.netty.util.concurrent.FastThreadLocalRunnable.run(FastThreadLocalRunnable.java:30)
        at java.base/java.lang.Thread.run(Thread.java:1583)
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        at java.base/sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:388)
        at java.base/sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:271)
        at java.base/sun.security.validator.Validator.validate(Validator.java:256)
        at java.base/sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:284)
        at java.base/sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:144)
        at io.netty.handler.ssl.EnhancingX509ExtendedTrustManager.checkServerTrusted(EnhancingX509ExtendedTrustManager.java:69)
        at io.netty.handler.ssl.ReferenceCountedOpenSslClientContext$ExtendedTrustManagerVerifyCallback.verify(ReferenceCountedOpenSslClientContext.java:240)
        at io.netty.handler.ssl.ReferenceCountedOpenSslContext$AbstractCertificateVerifier.verify(ReferenceCountedOpenSslContext.java:846)
        at io.netty.internal.tcnative.CertificateVerifierTask.runTask(CertificateVerifierTask.java:36)
        at io.netty.internal.tcnative.SSLTask.run(SSLTask.java:48)
        at io.netty.internal.tcnative.SSLTask.run(SSLTask.java:42)
        at io.netty.handler.ssl.ReferenceCountedOpenSslEngine.runAndResetNeedTask(ReferenceCountedOpenSslEngine.java:1545)
        at io.netty.handler.ssl.ReferenceCountedOpenSslEngine.access$700(ReferenceCountedOpenSslEngine.java:94)
        at io.netty.handler.ssl.ReferenceCountedOpenSslEngine$TaskDecorator.run(ReferenceCountedOpenSslEngine.java:1517)
        at io.netty.handler.ssl.SslHandler.runDelegatedTasks(SslHandler.java:1695)
        at io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1541)
        ... 22 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        at java.base/sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:148)
        at java.base/sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:129)
        at java.base/java.security.cert.CertPathBuilder.build(CertPathBuilder.java:297)
        at java.base/sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:383)
        ... 37 more

2026-03-10 15:30:24,821 WARN  [reactor.netty.http.client.HttpClientConnect] (reactor-http-epoll-3) [dead729e, L:/10.89.0.19:50308 ! R:www.example.com/104.18.26.120:443] The connection observed an error: io.netty.handler.codec.DecoderException: javax.net.ssl.SSLHandshakeException: General OpenSslEngine problem
        at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:515)
        at io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:296)
        at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:444)
        at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:420)
        at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:412)
        at io.netty.channel.DefaultChannelPipeline$HeadContext.channelRead(DefaultChannelPipeline.java:1357)
        at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:440)
        at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:420)
        at io.netty.channel.DefaultChannelPipeline.fireChannelRead(DefaultChannelPipeline.java:868)
        at io.netty.channel.epoll.AbstractEpollStreamChannel$EpollStreamUnsafe.epollInReady(AbstractEpollStreamChannel.java:805)
        at io.netty.channel.epoll.AbstractEpollChannel$AbstractEpollUnsafe$1.run(AbstractEpollChannel.java:425)
        at io.netty.util.concurrent.AbstractEventExecutor.runTask(AbstractEventExecutor.java:173)
        at io.netty.util.concurrent.AbstractEventExecutor.safeExecute(AbstractEventExecutor.java:166)
        at io.netty.util.concurrent.SingleThreadEventExecutor.runAllTasks(SingleThreadEventExecutor.java:472)
        at io.netty.channel.epoll.EpollEventLoop.run(EpollEventLoop.java:405)
        at io.netty.util.concurrent.SingleThreadEventExecutor$4.run(SingleThreadEventExecutor.java:998)
        at io.netty.util.internal.ThreadExecutorMap$2.run(ThreadExecutorMap.java:74)
        at io.netty.util.concurrent.FastThreadLocalRunnable.run(FastThreadLocalRunnable.java:30)
        at java.base/java.lang.Thread.run(Thread.java:1583)
Caused by: javax.net.ssl.SSLHandshakeException: General OpenSslEngine problem
        at io.netty.handler.ssl.ReferenceCountedOpenSslEngine.handshakeException(ReferenceCountedOpenSslEngine.java:1939)
        at io.netty.handler.ssl.ReferenceCountedOpenSslEngine.wrap(ReferenceCountedOpenSslEngine.java:862)
        at java.base/javax.net.ssl.SSLEngine.wrap(SSLEngine.java:564)
        at io.netty.handler.ssl.SslHandler.wrap(SslHandler.java:1148)
        at io.netty.handler.ssl.SslHandler.wrapNonAppData(SslHandler.java:992)
        at io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1555)
        at io.netty.handler.ssl.SslHandler.decodeNonJdkCompatible(SslHandler.java:1390)
        at io.netty.handler.ssl.SslHandler.decode(SslHandler.java:1430)
        at io.netty.handler.codec.ByteToMessageDecoder.decodeRemovalReentryProtection(ByteToMessageDecoder.java:545)
        at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:484)
        ... 18 more
Caused by: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        at java.base/sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:388)
        at java.base/sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:271)
        at java.base/sun.security.validator.Validator.validate(Validator.java:256)
        at java.base/sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:284)
        at java.base/sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:144)
        at io.netty.handler.ssl.EnhancingX509ExtendedTrustManager.checkServerTrusted(EnhancingX509ExtendedTrustManager.java:69)
        at io.netty.handler.ssl.ReferenceCountedOpenSslClientContext$ExtendedTrustManagerVerifyCallback.verify(ReferenceCountedOpenSslClientContext.java:240)
        at io.netty.handler.ssl.ReferenceCountedOpenSslContext$AbstractCertificateVerifier.verify(ReferenceCountedOpenSslContext.java:846)
        at io.netty.internal.tcnative.CertificateVerifierTask.runTask(CertificateVerifierTask.java:36)
        at io.netty.internal.tcnative.SSLTask.run(SSLTask.java:48)
        at io.netty.internal.tcnative.SSLTask.run(SSLTask.java:42)
        at io.netty.handler.ssl.ReferenceCountedOpenSslEngine.runAndResetNeedTask(ReferenceCountedOpenSslEngine.java:1545)
        at io.netty.handler.ssl.ReferenceCountedOpenSslEngine.access$700(ReferenceCountedOpenSslEngine.java:94)
        at io.netty.handler.ssl.ReferenceCountedOpenSslEngine$TaskDecorator.run(ReferenceCountedOpenSslEngine.java:1517)
        at io.netty.handler.ssl.SslHandler.runDelegatedTasks(SslHandler.java:1695)
        at io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1541)
        ... 22 more
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        at java.base/sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:148)
        at java.base/sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:129)
        at java.base/java.security.cert.CertPathBuilder.build(CertPathBuilder.java:297)
        at java.base/sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:383)
        ... 37 more

To Reproduce
Run the code snippet in a container. I'm using the base registry.access.redhat.com/ubi9/openjdk-21:1.23

Code Snippet

private void startClient() {
    LOGGER.info("Starting client");
    LOGGER.infof("Getting client cred, clientid: %s, clientsecret: %s, tenantid: %s", azureConfig.clientId(), azureConfig.clientSecret(), azureConfig.tenantId());
    final ClientSecretCredential clientCred = new ClientSecretCredentialBuilder()
        .clientId(azureConfig.clientId())
        .clientSecret(azureConfig.clientSecret())
        .tenantId(azureConfig.tenantId())
        .build();
    LOGGER.info("Getting bearer token supplier");
    final Supplier<String> bearerTokenSupplier = AuthenticationUtil.getBearerTokenSupplier(
        clientCred, "https://cognitiveservices.azure.com/.default"
    );
    LOGGER.info("Getting bearer token credential");
    final Credential credential = BearerTokenCredential.create(bearerTokenSupplier);
    LOGGER.infof("Starting OpenAI client, apitoken: %s, endpoint: %s", openAiConfig.apiToken(), openAiConfig.endpoint());
    openAiClient = OpenAIOkHttpClient.builder()
        .apiKey(openAiConfig.apiToken())
        .baseUrl(openAiConfig.endpoint())
        .maxRetries(0)
        .credential(credential)
        .azureServiceVersion(AzureOpenAIServiceVersion.getV2024_10_21())
        .build();
    LOGGER.info("Done.");
}

Expected behavior
The code should not try to call unexpected sites, and even less so, one not in the standard certificate list.

Setup (please complete the following information):

  • OS: registry.access.redhat.com/ubi9/openjdk-21:1.23
  • Library/Libraries: [com.azure:azure-identity (from com.azure:azure-sdk-bom:1.3.4)]
  • Java version: 21
  • App Server/Environment: local podman
  • Frameworks: Quarkus:3.32.1

Additional context
I initially reported this problem in this issue openai-java. They found that:

// This request will never need to go anywhere; it is simply to cause the policy to interact with
// the user's credential
HttpRequest req = new HttpRequest(HttpMethod.GET, "https://www.example.com");
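
The mismatch reported above (configured endpoint under `cognitiveservices.azure.com`, actual TLS peer `www.example.com`) can be checked mechanically from the Reactor Netty log lines. The following is an added example, not code from the issue or from the Azure SDK: the allowlist, the function names and the sample lines are assumptions, with the sample adapted from the log above plus one invented permitted connection.

```python
import re

# Netty prints a channel as "[id, L:/local:port - R:host/ip:port]"; the
# separator becomes "!" once the channel is no longer active. IPv4 only here.
CONN_RE = re.compile(
    r"\[(?P<id>[0-9a-f]+), L:/[\d.]+:\d+ [-!] "
    r"R:(?P<host>[^/\s\]]*)/(?P<ip>[\d.]+):(?P<port>\d+)\]"
)

# Assumed egress policy (not from the issue): the endpoint family the report
# configures, plus the public-cloud Entra ID token host. Adjust per deployment.
ALLOWED = (".cognitiveservices.azure.com", "login.microsoftonline.com")

# Constructed sample: two lines shortened from the report, one stack frame,
# and one invented connection to a permitted host (documentation IP range).
SAMPLE_LOG = [
    "WARN [reactor.netty.http.client.HttpClientConnect] [dead729e, L:/10.89.0.19:50308 - R:www.example.com/104.18.26.120:443] The connection observed an error",
    "        at io.netty.handler.ssl.SslHandler.wrap(SslHandler.java:1148)",
    "WARN [reactor.netty.http.client.HttpClientConnect] [dead729e, L:/10.89.0.19:50308 ! R:www.example.com/104.18.26.120:443] The connection observed an error",
    "DEBUG [reactor.netty.http.client.HttpClientConnect] [a1b2c3d4, L:/10.89.0.19:50310 - R:myres.cognitiveservices.azure.com/203.0.113.10:443] Handler is being applied",
]


def is_allowed(host, allowed=ALLOWED):
    """Exact match, or subdomain match for entries that start with a dot."""
    host = host.lower().rstrip(".")
    return any(
        host.endswith(entry) and len(host) > len(entry) if entry.startswith(".")
        else host == entry
        for entry in allowed
    )


def unexpected_destinations(lines, allowed=ALLOWED):
    """Return sorted (host, ip, port, connections) for peers outside the policy."""
    seen = {}  # (host, ip, port) -> set of channel ids, so repeats count once
    for line in lines:
        m = CONN_RE.search(line)
        if not m:
            continue  # stack frames and unrelated log lines
        host = m["host"] or m["ip"]  # no hostname logged: fall back to the IP
        if is_allowed(host, allowed):
            continue
        seen.setdefault((host, m["ip"], int(m["port"])), set()).add(m["id"])
    return sorted((h, ip, p, len(ids)) for (h, ip, p), ids in seen.items())


if __name__ == "__main__":
    for host, ip, port, n in unexpected_destinations(SAMPLE_LOG):
        print(f"unexpected egress: {host} ({ip}:{port}), {n} connection(s)")
```

Counting by channel id keeps the `-` and `!` lines of the same failed handshake from being reported as two connections.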

Labels: customer-reported, needs-triage, question