[ https://issues.apache.org/jira/browse/KUDU-1876?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Todd Lipcon updated KUDU-1876:
------------------------------
    Labels: newbie  (was: )

> Poor error messages and behavior when webserver TLS is misconfigured
> --------------------------------------------------------------------
>
>                 Key: KUDU-1876
>                 URL: https://issues.apache.org/jira/browse/KUDU-1876
>             Project: Kudu
>          Issue Type: Bug
>          Components: security, supportability
>    Affects Versions: 1.3.0
>            Reporter: Adar Dembo
>              Labels: newbie
>
> I was playing around with Cloudera Manager's upcoming webserver TLS support and found a couple cases where misconfigurations led to confusing error messages and other weird behavior. I focused on *webserver_private_key_file*, *webserver_certificate_file*, and *webserver_private_key_password_cmd*.
>
> *webserver_private_key_file* is unset, but *webserver_certificate_file* and *webserver_private_key_password_cmd* are set: the server crashes (good) but with a fairly inscrutable error message:
> {noformat}
> I0213 18:49:50.606950 2265 webserver.cc:144] Webserver: Enabling HTTPS support
> I0213 18:49:50.607322 2265 webserver.cc:293] Webserver: set_ssl_option: cannot open /etc/adar_kudu_tls/cert.pem: error:0906D06C:PEM routines:PEM_read_bio:no start line
> W0213 18:49:50.607375 2265 net_util.cc:293] Failed to bind to 0.0.0.0:8051. Trying to use lsof to find any processes listening on the same port:
> I0213 18:49:50.607393 2265 net_util.cc:296] $ export PATH=$PATH:/usr/sbin ; lsof -n -i 'TCP:8051' -sTCP:LISTEN ; for pid in $(lsof -F p -n -i 'TCP:8051' -sTCP:LISTEN | grep p | cut -f 2 -dp) ; do while [ $pid -gt 1 ] ; do ps h -fp $pid ; stat=($(</proc/$pid/stat)) ; pid=${stat[3]} ; done ; done
> W0213 18:49:50.632638 2265 net_util.cc:303]
> F0213 18:49:50.632704 2265 master_main.cc:71] Check failed: _s.ok() Bad status: Network error: Webserver: Could not start on address 0.0.0.0:8051
> {noformat}
>
> *webserver_private_key_file*, *webserver_certificate_file*, and *webserver_private_key_password_cmd* are all set, but the password command script yields the wrong password: the server crashes (good) but the error message is inscrutable:
> {noformat}
> I0213 18:35:34.581714 32633 webserver.cc:293] Webserver: set_ssl_option: cannot open /etc/adar_kudu_tls/cert.pem: error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt
> W0213 18:35:34.581794 32633 net_util.cc:293] Failed to bind to 0.0.0.0:8051. Trying to use lsof to find any processes listening on the same port:
> I0213 18:35:34.581811 32633 net_util.cc:296] $ export PATH=$PATH:/usr/sbin ; lsof -n -i 'TCP:8051' -sTCP:LISTEN ; for pid in $(lsof -F p -n -i 'TCP:8051' -sTCP:LISTEN | grep p | cut -f 2 -dp) ; do while [ $pid -gt 1 ] ; do ps h -fp $pid ; stat=($(</proc/$pid/stat)) ; pid=${stat[3]} ; done ; done
> W0213 18:35:34.605216 32633 net_util.cc:303]
> F0213 18:35:34.605254 32633 master_main.cc:71] Check failed: _s.ok() Bad status: Network error: Webserver: Could not start on address 0.0.0.0:8051
> {noformat}
>
> *webserver_private_key_file* and *webserver_private_key_password_cmd* are set, but *webserver_certificate_file* is not: the server starts up (probably bad?) and any attempt to access the webui on the https port yields a "This site can’t provide a secure connection" message in the browser with ERR_SSL_PROTOCOL_ERROR as the error code. I only tested with Chromium.

--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
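As an added illustration (example code written for this page, not Kudu's own), the three misconfigurations above can be caught by a preflight check that validates the flag combination first and only then hands the files to OpenSSL, translating its terse reason strings into actionable messages. Python's stdlib `ssl` module is used because it surfaces the same OpenSSL errors seen in the logs; the function names, and the assumption that the password command prints the passphrase on stdout, are mine.

```python
import os
import ssl
import subprocess

# Hypothetical preflight for the three Kudu webserver TLS flags discussed in the issue.
# Each function returns a list of human-readable problems; an empty list means "usable".
def flag_problems(key_file, cert_file, password_cmd):
    """Catch inconsistent flag combinations before OpenSSL ever sees a file."""
    problems = []
    if cert_file and not key_file:
        problems.append("--webserver_certificate_file is set but --webserver_private_key_file is unset")
    if key_file and not cert_file:
        problems.append("--webserver_private_key_file is set but --webserver_certificate_file is unset; "
                        "HTTPS would start without a certificate (browsers see ERR_SSL_PROTOCOL_ERROR)")
    if password_cmd and not key_file:
        problems.append("--webserver_private_key_password_cmd is set but --webserver_private_key_file is unset")
    for flag, path in (("--webserver_private_key_file", key_file),
                       ("--webserver_certificate_file", cert_file)):
        if not path:
            continue
        if not os.path.isfile(path):
            problems.append(f"{flag}: {path} does not exist or is not a regular file")
        else:
            with open(path, "rb") as f:
                if b"-----BEGIN" not in f.read():
                    problems.append(f"{flag}: {path} is not PEM-encoded (OpenSSL reports 'no start line')")
    return problems

def explain_ssl_error(err):
    """Map OpenSSL's terse reason strings (as seen in the issue's logs) to actionable text."""
    msg = str(err)
    if "no start line" in msg:
        return "file is empty or not PEM-encoded"
    if "bad decrypt" in msg:
        return "the password produced by --webserver_private_key_password_cmd does not decrypt the key"
    if "key values mismatch" in msg:
        return "the private key does not belong to the certificate"
    return msg

def check_webserver_tls(key_file=None, cert_file=None, password_cmd=None):
    problems = flag_problems(key_file, cert_file, password_cmd)
    if problems or not key_file:
        return problems  # misconfigured, or HTTPS simply disabled
    password = None
    if password_cmd:
        # Assumption: the command prints the key passphrase as a single line on stdout.
        password = subprocess.run(password_cmd, shell=True, capture_output=True,
                                  text=True, check=True).stdout.strip()
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    try:
        ctx.load_cert_chain(cert_file, key_file, password=password)
    except ssl.SSLError as e:
        return [f"loading {cert_file} / {key_file} failed: {explain_ssl_error(e)}"]
    return []
```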