daniwb opened a new issue #13070:
URL: https://github.com/apache/pulsar/issues/13070


   **Is your feature request related to a problem? Please describe.**
   Let's Encrypt creates default Certificates with EC256. Unfortunately, when 
starting the Broker Service, it fails with the information that the Version of 
the Certificate is 0.
   
   When deploying RSA4096 Certificates it works flawlessly.
   
   Also, when disabling only the webServicePortTls but leaving 
brokerServicePortTls enabled, the Service is able to start. 
   
   I've checked the Documentation, where it lists that the key should only be in 
PKCS8 format, but this is not needed.
   
   **Describe the solution you'd like**
   Broker Service is able to start with EC256 Certificates.
   
   **Describe alternatives you've considered**
   As mentioned with RSA4096 I'm able to start the Service.
   
   **Additional context**
   
   Trying to start with ec256 (not reformatted as pkcs8)
   java.security.KeyManagementException: Private key loading error
        at 
org.apache.pulsar.common.util.SecurityUtility.loadPrivateKeyFromPemStream(SecurityUtility.java:468)
 ~[org.apache.pulsar-pulsar-common-2.8.1.jar:2.8.1]
        at 
org.apache.pulsar.common.util.SecurityUtility.loadPrivateKeyFromPemFile(SecurityUtility.java:432)
 ~[org.apache.pulsar-pulsar-common-2.8.1.jar:2.8.1]
        at 
org.apache.pulsar.common.util.SecurityUtility.createSslContext(SecurityUtility.java:205)
 ~[org.apache.pulsar-pulsar-common-2.8.1.jar:2.8.1]
        at 
org.apache.pulsar.common.util.DefaultSslContextBuilder.update(DefaultSslContextBuilder.java:48)
 ~[org.apache.pulsar-pulsar-common-2.8.1.jar:2.8.1]
        at 
org.apache.pulsar.common.util.DefaultSslContextBuilder.update(DefaultSslContextBuilder.java:27)
 ~[org.apache.pulsar-pulsar-common-2.8.1.jar:2.8.1]
        at 
org.apache.pulsar.common.util.SslContextAutoRefreshBuilder.get(SslContextAutoRefreshBuilder.java:79)
 [org.apache.pulsar-pulsar-common-2.8.1.jar:2.8.1]
        at 
org.apache.pulsar.common.util.SecurityUtility$SslContextFactoryWithAutoRefresh.getSslContext(SecurityUtility.java:557)
 [org.apache.pulsar-pulsar-common-2.8.1.jar:2.8.1]
        at 
org.eclipse.jetty.util.ssl.SslContextFactory.newSSLEngine(SslContextFactory.java:1903)
 [org.eclipse.jetty-jetty-util-9.4.42.v20210604.jar:9.4.42.v20210604]
        at 
org.eclipse.jetty.server.SslConnectionFactory.doStart(SslConnectionFactory.java:99)
 [org.eclipse.jetty-jetty-server-9.4.42.v20210604.jar:9.4.42.v20210604]
        at 
org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:73)
 [org.eclipse.jetty-jetty-util-9.4.42.v20210604.jar:9.4.42.v20210604]
        at 
org.eclipse.jetty.util.component.ContainerLifeCycle.start(ContainerLifeCycle.java:169)
 [org.eclipse.jetty-jetty-util-9.4.42.v20210604.jar:9.4.42.v20210604]
        at 
org.eclipse.jetty.util.component.ContainerLifeCycle.doStart(ContainerLifeCycle.java:117)
 [org.eclipse.jetty-jetty-util-9.4.42.v20210604.jar:9.4.42.v20210604]
        at 
org.eclipse.jetty.server.AbstractConnector.doStart(AbstractConnector.java:321) 
[org.eclipse.jetty-jetty-server-9.4.42.v20210604.jar:9.4.42.v20210604]
        at 
org.eclipse.jetty.server.AbstractNetworkConnector.doStart(AbstractNetworkConnector.java:81)
 [org.eclipse.jetty-jetty-server-9.4.42.v20210604.jar:9.4.42.v20210604]
        at 
org.eclipse.jetty.server.ServerConnector.doStart(ServerConnector.java:234) 
[org.eclipse.jetty-jetty-server-9.4.42.v20210604.jar:9.4.42.v20210604]
        at 
org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:73)
 [org.eclipse.jetty-jetty-util-9.4.42.v20210604.jar:9.4.42.v20210604]
        at org.eclipse.jetty.server.Server.doStart(Server.java:401) 
[org.eclipse.jetty-jetty-server-9.4.42.v20210604.jar:9.4.42.v20210604]
        at 
org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:73)
 [org.eclipse.jetty-jetty-util-9.4.42.v20210604.jar:9.4.42.v20210604]
        at org.apache.pulsar.broker.web.WebService.start(WebService.java:242) 
[org.apache.pulsar-pulsar-broker-2.8.1.jar:2.8.1]
        at org.apache.pulsar.broker.PulsarService.start(PulsarService.java:689) 
[org.apache.pulsar-pulsar-broker-2.8.1.jar:2.8.1]
        at 
org.apache.pulsar.PulsarBrokerStarter$BrokerStarter.start(PulsarBrokerStarter.java:259)
 [org.apache.pulsar-pulsar-broker-2.8.1.jar:2.8.1]
        at 
org.apache.pulsar.PulsarBrokerStarter.main(PulsarBrokerStarter.java:331) 
[org.apache.pulsar-pulsar-broker-2.8.1.jar:2.8.1]
   Caused by: java.security.spec.InvalidKeySpecException: 
java.security.InvalidKeyException: IOException : version mismatch: (supported:  
   00, parsed:     01
        at 
sun.security.rsa.RSAKeyFactory.engineGeneratePrivate(RSAKeyFactory.java:252) 
~[?:1.8.0_312]
        at java.security.KeyFactory.generatePrivate(KeyFactory.java:372) 
~[?:1.8.0_312]
        at 
org.apache.pulsar.common.util.SecurityUtility.loadPrivateKeyFromPemStream(SecurityUtility.java:466)
 ~[org.apache.pulsar-pulsar-common-2.8.1.jar:2.8.1]
        ... 21 more
   Caused by: java.security.InvalidKeyException: IOException : version 
mismatch: (supported:     00, parsed:     01
        at sun.security.pkcs.PKCS8Key.decode(PKCS8Key.java:351) ~[?:1.8.0_312]
        at sun.security.pkcs.PKCS8Key.decode(PKCS8Key.java:356) ~[?:1.8.0_312]
        at 
sun.security.rsa.RSAPrivateCrtKeyImpl.<init>(RSAPrivateCrtKeyImpl.java:130) 
~[?:1.8.0_312]
        at 
sun.security.rsa.RSAPrivateCrtKeyImpl.newKey(RSAPrivateCrtKeyImpl.java:80) 
~[?:1.8.0_312]
        at 
sun.security.rsa.RSAKeyFactory.generatePrivate(RSAKeyFactory.java:357) 
~[?:1.8.0_312]
        at 
sun.security.rsa.RSAKeyFactory.engineGeneratePrivate(RSAKeyFactory.java:248) 
~[?:1.8.0_312]
        at java.security.KeyFactory.generatePrivate(KeyFactory.java:372) 
~[?:1.8.0_312]
        at 
org.apache.pulsar.common.util.SecurityUtility.loadPrivateKeyFromPemStream(SecurityUtility.java:466)
 ~[org.apache.pulsar-pulsar-common-2.8.1.jar:2.8.1]
   
   
   Error Reformatted as PKCS8
   java.security.KeyManagementException: Private key loading error
        at 
org.apache.pulsar.common.util.SecurityUtility.loadPrivateKeyFromPemStream(SecurityUtility.java:468)
 ~[org.apache.pulsar-pulsar-common-2.8.1.jar:2.8.1]
        at 
org.apache.pulsar.common.util.SecurityUtility.loadPrivateKeyFromPemFile(SecurityUtility.java:432)
 ~[org.apache.pulsar-pulsar-common-2.8.1.jar:2.8.1]
        at 
org.apache.pulsar.common.util.SecurityUtility.createSslContext(SecurityUtility.java:205)
 ~[org.apache.pulsar-pulsar-common-2.8.1.jar:2.8.1]
        at 
org.apache.pulsar.common.util.DefaultSslContextBuilder.update(DefaultSslContextBuilder.java:48)
 ~[org.apache.pulsar-pulsar-common-2.8.1.jar:2.8.1]
        at 
org.apache.pulsar.common.util.DefaultSslContextBuilder.update(DefaultSslContextBuilder.java:27)
 ~[org.apache.pulsar-pulsar-common-2.8.1.jar:2.8.1]
        at 
org.apache.pulsar.common.util.SslContextAutoRefreshBuilder.get(SslContextAutoRefreshBuilder.java:79)
 [org.apache.pulsar-pulsar-common-2.8.1.jar:2.8.1]
        at 
org.apache.pulsar.common.util.SecurityUtility$SslContextFactoryWithAutoRefresh.getSslContext(SecurityUtility.java:557)
 [org.apache.pulsar-pulsar-common-2.8.1.jar:2.8.1]
        at 
org.eclipse.jetty.util.ssl.SslContextFactory.newSSLEngine(SslContextFactory.java:1903)
 [org.eclipse.jetty-jetty-util-9.4.42.v20210604.jar:9.4.42.v20210604]
        at 
org.eclipse.jetty.server.SslConnectionFactory.doStart(SslConnectionFactory.java:99)
 [org.eclipse.jetty-jetty-server-9.4.42.v20210604.jar:9.4.42.v20210604]
        at 
org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:73)
 [org.eclipse.jetty-jetty-util-9.4.42.v20210604.jar:9.4.42.v20210604]
        at 
org.eclipse.jetty.util.component.ContainerLifeCycle.start(ContainerLifeCycle.java:169)
 [org.eclipse.jetty-jetty-util-9.4.42.v20210604.jar:9.4.42.v20210604]
        at 
org.eclipse.jetty.util.component.ContainerLifeCycle.doStart(ContainerLifeCycle.java:117)
 [org.eclipse.jetty-jetty-util-9.4.42.v20210604.jar:9.4.42.v20210604]
        at 
org.eclipse.jetty.server.AbstractConnector.doStart(AbstractConnector.java:321) 
[org.eclipse.jetty-jetty-server-9.4.42.v20210604.jar:9.4.42.v20210604]
        at 
org.eclipse.jetty.server.AbstractNetworkConnector.doStart(AbstractNetworkConnector.java:81)
 [org.eclipse.jetty-jetty-server-9.4.42.v20210604.jar:9.4.42.v20210604]
        at 
org.eclipse.jetty.server.ServerConnector.doStart(ServerConnector.java:234) 
[org.eclipse.jetty-jetty-server-9.4.42.v20210604.jar:9.4.42.v20210604]
        at 
org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:73)
 [org.eclipse.jetty-jetty-util-9.4.42.v20210604.jar:9.4.42.v20210604]
        at org.eclipse.jetty.server.Server.doStart(Server.java:401) 
[org.eclipse.jetty-jetty-server-9.4.42.v20210604.jar:9.4.42.v20210604]
        at 
org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:73)
 [org.eclipse.jetty-jetty-util-9.4.42.v20210604.jar:9.4.42.v20210604]
        at org.apache.pulsar.broker.web.WebService.start(WebService.java:242) 
[org.apache.pulsar-pulsar-broker-2.8.1.jar:2.8.1]
        at org.apache.pulsar.broker.PulsarService.start(PulsarService.java:689) 
[org.apache.pulsar-pulsar-broker-2.8.1.jar:2.8.1]
        at 
org.apache.pulsar.PulsarBrokerStarter$BrokerStarter.start(PulsarBrokerStarter.java:259)
 [org.apache.pulsar-pulsar-broker-2.8.1.jar:2.8.1]
        at 
org.apache.pulsar.PulsarBrokerStarter.main(PulsarBrokerStarter.java:331) 
[org.apache.pulsar-pulsar-broker-2.8.1.jar:2.8.1]
   Caused by: java.security.spec.InvalidKeySpecException: 
java.security.InvalidKeyException: Invalid RSA private key
        at 
sun.security.rsa.RSAKeyFactory.engineGeneratePrivate(RSAKeyFactory.java:252) 
~[?:1.8.0_312]
        at java.security.KeyFactory.generatePrivate(KeyFactory.java:372) 
~[?:1.8.0_312]
        at 
org.apache.pulsar.common.util.SecurityUtility.loadPrivateKeyFromPemStream(SecurityUtility.java:466)
 ~[org.apache.pulsar-pulsar-common-2.8.1.jar:2.8.1]
        ... 21 more
   Caused by: java.security.InvalidKeyException: Invalid RSA private key
        at 
sun.security.rsa.RSAPrivateCrtKeyImpl.parseKeyBits(RSAPrivateCrtKeyImpl.java:285)
 ~[?:1.8.0_312]
        at sun.security.pkcs.PKCS8Key.decode(PKCS8Key.java:343) ~[?:1.8.0_312]
        at sun.security.pkcs.PKCS8Key.decode(PKCS8Key.java:356) ~[?:1.8.0_312]
        at 
sun.security.rsa.RSAPrivateCrtKeyImpl.<init>(RSAPrivateCrtKeyImpl.java:130) 
~[?:1.8.0_312]
        at 
sun.security.rsa.RSAPrivateCrtKeyImpl.newKey(RSAPrivateCrtKeyImpl.java:80) 
~[?:1.8.0_312]
        at 
sun.security.rsa.RSAKeyFactory.generatePrivate(RSAKeyFactory.java:357) 
~[?:1.8.0_312]
        at 
sun.security.rsa.RSAKeyFactory.engineGeneratePrivate(RSAKeyFactory.java:248) 
~[?:1.8.0_312]
        at java.security.KeyFactory.generatePrivate(KeyFactory.java:372) 
~[?:1.8.0_312]
        at 
org.apache.pulsar.common.util.SecurityUtility.loadPrivateKeyFromPemStream(SecurityUtility.java:466)
 ~[org.apache.pulsar-pulsar-common-2.8.1.jar:2.8.1]
        ... 21 more
   Caused by: java.io.IOException: Version must be 0
        at 
sun.security.rsa.RSAPrivateCrtKeyImpl.parseKeyBits(RSAPrivateCrtKeyImpl.java:263)
 ~[?:1.8.0_312]
        at sun.security.pkcs.PKCS8Key.decode(PKCS8Key.java:343) ~[?:1.8.0_312]
        at sun.security.pkcs.PKCS8Key.decode(PKCS8Key.java:356) ~[?:1.8.0_312]
        at 
sun.security.rsa.RSAPrivateCrtKeyImpl.<init>(RSAPrivateCrtKeyImpl.java:130) 
~[?:1.8.0_312]
        at 
sun.security.rsa.RSAPrivateCrtKeyImpl.newKey(RSAPrivateCrtKeyImpl.java:80) 
~[?:1.8.0_312]
        at 
sun.security.rsa.RSAKeyFactory.generatePrivate(RSAKeyFactory.java:357) 
~[?:1.8.0_312]
        at 
sun.security.rsa.RSAKeyFactory.engineGeneratePrivate(RSAKeyFactory.java:248) 
~[?:1.8.0_312]
        at java.security.KeyFactory.generatePrivate(KeyFactory.java:372) 
~[?:1.8.0_312]
        at 
org.apache.pulsar.common.util.SecurityUtility.loadPrivateKeyFromPemStream(SecurityUtility.java:466)
 ~[org.apache.pulsar-pulsar-common-2.8.1.jar:2.8.1]
   
   
   
   
   Pulsar Broker Throws Error with: Version must be 0
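
Both traces above pass through `sun.security.rsa.RSAKeyFactory`, so the EC key is being decoded as RSA. The following is an added example, not code from the issue or from Pulsar, showing an RSA-only PKCS#8 load failing on a P-256 key and a loader that falls back to the EC `KeyFactory`; the class `Pkcs8KeyLoaderExample`, the method names and the in-memory test key are assumptions of this example.

```java
import java.security.KeyFactory;
import java.security.KeyPairGenerator;
import java.security.PrivateKey;
import java.security.spec.InvalidKeySpecException;
import java.security.spec.PKCS8EncodedKeySpec;
import java.util.Base64;

public class Pkcs8KeyLoaderExample {               // hypothetical name
    // Key algorithms to try, in order (an assumption of this example).
    private static final String[] ALGORITHMS = {"RSA", "EC"};

    /** Strip the PEM armor lines and decode the base64 body to DER. */
    static byte[] pemToDer(String pem) {
        String body = pem.replaceAll("-----(BEGIN|END) [A-Z ]+-----", "")
                         .replaceAll("\\s", "");
        return Base64.getDecoder().decode(body);
    }

    /** Load an unencrypted PKCS#8 key without assuming it is RSA. */
    static PrivateKey loadPkcs8(String pem) throws Exception {
        if (!pem.contains("-----BEGIN PRIVATE KEY-----")) {
            // "BEGIN EC PRIVATE KEY" (SEC1) or "BEGIN RSA PRIVATE KEY" (PKCS#1)
            // is a different structure; PKCS8EncodedKeySpec cannot decode it.
            throw new IllegalArgumentException("expected an unencrypted PKCS#8 PEM");
        }
        PKCS8EncodedKeySpec spec = new PKCS8EncodedKeySpec(pemToDer(pem));
        InvalidKeySpecException last = null;
        for (String alg : ALGORITHMS) {
            try {
                return KeyFactory.getInstance(alg).generatePrivate(spec);
            } catch (InvalidKeySpecException e) {
                last = e;                          // wrong algorithm, try the next
            }
        }
        throw last;
    }

    public static void main(String[] args) throws Exception {
        // Constructed test input: a throwaway P-256 key, PKCS#8-encoded in memory.
        KeyPairGenerator gen = KeyPairGenerator.getInstance("EC");
        gen.initialize(256);
        byte[] der = gen.generateKeyPair().getPrivate().getEncoded();
        String pem = "-----BEGIN PRIVATE KEY-----\n"
                + Base64.getMimeEncoder(64, new byte[] {'\n'}).encodeToString(der)
                + "\n-----END PRIVATE KEY-----\n";
        try {                                      // the RSA-only path seen in the traces
            KeyFactory.getInstance("RSA").generatePrivate(new PKCS8EncodedKeySpec(der));
        } catch (InvalidKeySpecException e) {
            System.out.println("RSA-only load rejected the EC key: " + e.getMessage());
        }
        System.out.println("Fallback loader algorithm: " + loadPkcs8(pem).getAlgorithm());
    }
}
```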


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
