Feign call 'SSLException: Unsupported or unrecognized SSL message' issue when calling b/w container apps using eureka

Question

Feign call 'SSLException: Unsupported or unrecognized SSL message' issue when calling b/w container apps using eureka

Chandrashekar, Anil (Cognizant) 40

Hi

I have deployed SpringBoot microservices as azure container apps and registered(binded) them with Eureka(managed Eureka Server for Spring in Azure Container Apps). I'm making inter microservices (making http calls b/w containers)calls using feign client and facing below SSL issue.

Appreciate any inputs to resolve this issue.

GET URL: http://abcservice/config?serviceName=xyzervice&tenantId=tenant1 2025-03-04T18:29:20.5689851Z stdout F 2025-03-04T18:29:20.568Z DEBUG 1 --- [crdservice] [io-8081-exec-10] c.c.t.p.feign.config.CustomFeignLogging  : [RouteConfigServiceClient#getRouteConfig] <--- ERROR SSLException: Unsupported or unrecognized SSL message (83ms) 2025-03-04T18:29:20.5704244Z stdout F 2025-03-04T18:29:20.569Z DEBUG 1 --- [crdservice] [io-8081-exec-10] c.c.t.p.feign.config.CustomFeignLogging  : [RouteConfigServiceClient#getRouteConfig] javax.net.ssl.SSLException: Unsupported or unrecognized SSL message 2025-03-04T18:29:20.5704820Z stdout F 	at java.base/sun.security.ssl.SSLSocketInputRecord.handleUnknownRecord(SSLSocketInputRecord.java:451) 2025-03-04T18:29:20.5704963Z stdout F 	at java.base/sun.security.ssl.SSLSocketInputRecord.decode(SSLSocketInputRecord.java:175) 2025-03-04T18:29:20.5705043Z stdout F 	at java.base/sun.security.ssl.SSLTransport.decode(SSLTransport.java:111) 2025-03-04T18:29:20.5705068Z stdout F 	at java.base/sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1500) 2025-03-04T18:29:20.5705092Z stdout F 	at java.base/sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1415) 2025-03-04T18:29:20.5705116Z stdout F 	at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:450) 2025-03-04T18:29:20.5705137Z stdout F 	at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:421) 2025-03-04T18:29:20.5705158Z stdout F 	at java.base/sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:580)

Pravallika Kothaveeranna Gari 955 Reputation points Microsoft External Staff Moderator

2025-03-19T03:54:19.29+00:00

Chandrashekar, Anil (Cognizant) , It could be due to the fact that you are acccessing HTTP server, not an HTTPS server. Check if are using the correct port number for HTTPS.
Pravallika Kothaveeranna Gari 955 Reputation points Microsoft External Staff Moderator

2025-03-24T03:40:32.5+00:00

Chandrashekar, Anil (Cognizant), Just checking in to see if the provided information helped, Please let us know if you have further queries.
Chandrashekar, Anil (Cognizant) 40 Reputation points

2025-03-24T16:38:03.1133333+00:00
@Pravallika Kothaveeranna Gari Services are running on htttps only.

2 answers

Your answer

Pravallika Kothaveeranna Gari 955 Reputation points Microsoft External Staff Moderator

2025-03-19T03:54:19.29+00:00

Chandrashekar, Anil (Cognizant) , It could be due to the fact that you are acccessing HTTP server, not an HTTPS server. Check if are using the correct port number for HTTPS.
Pravallika Kothaveeranna Gari 955 Reputation points Microsoft External Staff Moderator

2025-03-24T03:40:32.5+00:00

Chandrashekar, Anil (Cognizant), Just checking in to see if the provided information helped, Please let us know if you have further queries.
Chandrashekar, Anil (Cognizant) 40 Reputation points

2025-03-24T16:38:03.1133333+00:00

@Pravallika Kothaveeranna Gari Services are running on htttps only.

Answer 1

Suwarna S Kale 3,391

Hello Chandrashekar, Anil,

Thank you for posting your question in the Microsoft Q&A forum.

When deploying Spring Boot microservices as Azure Container Apps and using Feign clients for inter-microservice communication, encountering SSL-related errors such as javax.net.ssl.SSLException: Unsupported or unrecognized SSL message can be challenging. This error typically occurs when there is a mismatch between the protocol (HTTP or HTTPS) being used by the Feign client and the target service.

The error message indicates that the Feign client is attempting to establish an HTTPS connection, but the target service (abcservice) is likely serving HTTP traffic. This mismatch causes the SSL handshake to fail, resulting in the SSLException. To resolve this issue, you need to ensure that the Feign client and the target service are aligned in terms of the protocol being used (HTTP or HTTPS).

By verifying the service URL, ensuring the correct protocol, and configuring the Feign client appropriately, you can resolve this issue. If the target service uses HTTPS, ensure that SSL certificates are properly configured and trusted by the Feign client.

Please refer below Microsoft and Spring documentation for further information on above:

https://learn.microsoft.com/en-us/azure/container-apps/ingress-overview

https://docs.spring.io/spring-cloud-openfeign/docs/current/reference/html/

https://docs.spring.io/spring-boot/how-to/webserver.html#howto.webserver.configure-ssl

https://learn.microsoft.com/en-us/azure/app-service/troubleshoot-domain-ssl-certificates

If the above answer helped, please do not forget to "Accept Answer" as this may help other community members to refer the info if facing a similar issue. Your contribution to the Microsoft Q&A community is highly appreciated.

Chandrashekar, Anil (Cognizant) 40 Reputation points

2025-03-06T01:38:42.6733333+00:00

Hi Suwarna,

Thank you for your response.

Both the source and target microservices(containers) are running with same protocol and both the services are registered in eureka. Below env variables are setup at both source and target microservices(containers).

-Deureka.instance.securePortEnabled=true

-Deureka.client.securePortEnabled=true

-Deureka.instance.nonSecurePortEnabled=false

Also, pls note that we are using managed Eureka Server for Spring in Azure Container Apps for service discovery.

In a typical Linux vm, we do install SSL certs and https calls would be taken care of. However, in case of container apps how does the SSL certificate setup/installation/configuration has to happen? This being first time we are moving the microservices to azure container app and non availability of documentation explaining SSL configuration facing difficulties.

Thanks in advance.
Venkatesan S 2,820 Reputation points Microsoft External Staff Moderator

2025-03-17T16:25:18.67+00:00
Hi Chandrashekar, Anil (Cognizant)

Check regarding SSL configuration.

Check the effective URL in Eureka:

Access the Eureka dashboard and check if the registered service URLs are https:// or http://.

If they are registered as http://, Feign will try to connect over HTTPS incorrectly.

Verify Azure Container Apps TLS Configuration:

Azure Container Apps automatically manage TLS termination, meaning:

Traffic coming from the outside is HTTPS.

Internal container-to-container communication within the environment might still use HTTP unless explicitly configured.

Check if inter-container traffic is encrypted: Run the following command:

az containerapp ingress show --name <your-container-app-name> --resource-group <your-rg>

If transport is set to Http, you may need to explicitly configure TLS termination and use HTTPS internally.

Please let us know in the comments sections if the issue is resolved or still persists. We will be glad to assist you with the further resolution.

Please do reconsider to UPVOTE the survey, wherever the information provided helps you, this can be beneficial to other community members.
Arko 4,150 Reputation points Microsoft External Staff Moderator

2025-03-27T07:05:45.2966667+00:00

Hello Anil, hope the above solution provided by Venkatesan S resolved your query.
Arko 4,150 Reputation points Microsoft External Staff Moderator

2025-03-28T09:42:12.4933333+00:00

Hello Anil, following up on this. Hope the above solution provided by Venkatesan S resolved your query.
Chandrashekar, Anil (Cognizant) 40 Reputation points

2025-04-01T19:09:51.95+00:00

We went ahead used http traffic only for inter container communication as based on azure documentation that says, traffic within container environment is encrypted which was what we were looking for our use case. Thank you all for your help.
Arko 4,150 Reputation points Microsoft External Staff Moderator

2025-04-02T07:22:35.5033333+00:00

Hello Chandrashekar, Anil (Cognizant), Thank you for confirming that your issue is resolved now. Based on the entire conversation you had so far with the MS QnA community. I have collated the information into an answer for the community to refer to incase someone is having similar use case as yours. Kindly accept the answer and feel free to add any additional points to the answer for the betterment of the community. Thanks.

Answer 2

The issue was related to a javax.net.ssl.SSLException: Unsupported or unrecognized SSL message during inter-microservice communication using Feign clients in Azure Container Apps. This occurred when attempting HTTPS calls between microservices registered with Eureka.

Root Cause: The error typically arises when there's a protocol mismatch i.e., when one service is expecting an HTTPS request but receives plain HTTP traffic, or vice versa. Despite configuring both source and target services with HTTPS endpoints, the Feign client encountered SSL handshake failures.

After investigation and guidance from the community, it was decided to use HTTP (instead of HTTPS) for communication between microservices inside the same Azure Container Apps environment. This decision was based on Azure documentation which states that internal traffic within Azure Container Apps is automatically encrypted, even when using HTTP. Therefore, as confirmed by the user-

“We went ahead used http traffic only for inter container communication as based on azure documentation that says, traffic within container environment is encrypted which was what we were looking for our use case. Thank you all for your help.”

switching to HTTP resolved the SSLException, and met the OP's security requirements due to the built-in encryption of Azure’s internal container environment. Thank you.

Share via

Feign call 'SSLException: Unsupported or unrecognized SSL message' issue when calling b/w container apps using eureka

2 answers

Your answer