[ 
https://issues.apache.org/jira/browse/NIFI-7730?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17187099#comment-17187099
 ] 

Chad Zobrisky commented on NIFI-7730:
-------------------------------------

I ran into this issue on 1.12 and cannot resolve it. The one installation I've 
made sure has one certificate in both the keystore and truststore and it will 
not start.

 

I've tried both PKCS12 and JKS formats with single certs and NiFi will not 
start with the error above.

> Jetty server does not start up when a keystore with multiple certificates is 
> used
> ---------------------------------------------------------------------------------
>
>                 Key: NIFI-7730
>                 URL: https://issues.apache.org/jira/browse/NIFI-7730
>             Project: Apache NiFi
>          Issue Type: Bug
>            Reporter: Kotaro Terada
>            Assignee: Kotaro Terada
>            Priority: Blocker
>             Fix For: 1.13.0
>
>          Time Spent: 2h 20m
>  Remaining Estimate: 0h
>
> In the newer Jetty version (which was recently upgraded on the main branch), 
> Jetty's `SslContextFactory()` has been deprecated, and we can use 
> `SslContextFactory.Server()` or `SslContextFactory.Client()` instead. If we 
> use `SslContextFactory()`, the Jetty server does not start when we use keystores 
> with multiple certificates, with the following error log.
> In addition to that, we can remove 
> `setEndpointIdentificationAlgorithm(null);` since it will be executed in the 
> constructor of `SslContextFactory.Server()` if we switch to it.
>  (See: 
> [https://github.com/eclipse/jetty.project/blob/jetty-9.4.26.v20200117/jetty-util/src/main/java/org/eclipse/jetty/util/ssl/SslContextFactory.java#L2204])
>  
> {code:java}
> 2020-08-07 19:50:32,299 INFO [main] o.e.jetty.util.ssl.SslContextFactory 
> x509=X509@3aac31b7(nifi-key,h=[****],w=[****]) for 
> SslContextFactory@57def953[provider=null,keyStore=file:///****/keystore.jks,trustStore=file:///****/truststore.jks]
> 2020-08-07 19:50:32,308 WARN [main] org.apache.nifi.web.server.JettyServer 
> Failed to start web server... shutting down.
> java.lang.IllegalStateException: KeyStores with multiple certificates are not 
> supported on the base class org.eclipse.jetty.util.ssl.SslContextFactory. 
> (Use org.eclipse.jetty.util.ssl.SslContextFactory$Server or 
> org.eclipse.jetty.util.ssl.SslContextFactory$Client instead)
>         at 
> org.eclipse.jetty.util.ssl.SslContextFactory.newSniX509ExtendedKeyManager(SslContextFactory.java:1275)
>         at 
> org.eclipse.jetty.util.ssl.SslContextFactory.getKeyManagers(SslContextFactory.java:1256)
>         at 
> org.eclipse.jetty.util.ssl.SslContextFactory.load(SslContextFactory.java:374)
>         at 
> org.eclipse.jetty.util.ssl.SslContextFactory.doStart(SslContextFactory.java:245)
>         at 
> org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:72)
>         at 
> org.eclipse.jetty.util.component.ContainerLifeCycle.start(ContainerLifeCycle.java:169)
>         at 
> org.eclipse.jetty.util.component.ContainerLifeCycle.doStart(ContainerLifeCycle.java:117)
>         at 
> org.eclipse.jetty.server.SslConnectionFactory.doStart(SslConnectionFactory.java:92)
>         at 
> org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:72)
>         at 
> org.eclipse.jetty.util.component.ContainerLifeCycle.start(ContainerLifeCycle.java:169)
>         at 
> org.eclipse.jetty.util.component.ContainerLifeCycle.doStart(ContainerLifeCycle.java:117)
>         at 
> org.eclipse.jetty.server.AbstractConnector.doStart(AbstractConnector.java:320)
>         at 
> org.eclipse.jetty.server.AbstractNetworkConnector.doStart(AbstractNetworkConnector.java:81)
>         at 
> org.eclipse.jetty.server.ServerConnector.doStart(ServerConnector.java:231)
>         at 
> org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:72)
>         at org.eclipse.jetty.server.Server.doStart(Server.java:385)
>         at 
> org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:72)
>         at org.apache.nifi.web.server.JettyServer.start(JettyServer.java:1060)
>         at org.apache.nifi.NiFi.<init>(NiFi.java:160)
>         at org.apache.nifi.NiFi.<init>(NiFi.java:72)
>         at org.apache.nifi.NiFi.main(NiFi.java:303)
> 2020-08-07 19:50:32,309 INFO [Thread-1] org.apache.nifi.NiFi Initiating 
> shutdown of Jetty web server...
> {code}



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
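
The error quoted above concerns keystores with multiple certificates, so it helps to see exactly what a keystore file holds. The following is an added example, not code from NiFi, Jetty or this issue: it uses only JDK classes to list every alias in a JKS or PKCS12 file with its entry type, chain length, subject and subject alternative names. The class name `KeystoreInventory` and its command-line arguments are assumptions for illustration.

```java
import java.io.Console;
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Collection;
import java.util.Collections;
import java.util.List;

// Added example (hypothetical class, not NiFi or Jetty code): inventory of a keystore's entries.
public class KeystoreInventory {
    public static void main(String[] args) throws Exception {
        Console console = System.console();
        if (args.length != 2 || console == null) {
            System.err.println("usage (interactive terminal): KeystoreInventory <path> <JKS|PKCS12>");
            System.exit(2);
        }
        char[] password = console.readPassword("Keystore password: "); // keeps it out of shell history
        KeyStore ks = KeyStore.getInstance(args[1]);
        try (InputStream in = new FileInputStream(args[0])) {
            ks.load(in, password); // throws if the password or the store type is wrong
        }
        int keyEntries = 0, x509Certs = 0;
        for (String alias : Collections.list(ks.aliases())) {
            boolean isKey = ks.isKeyEntry(alias);
            if (isKey) keyEntries++;
            // A key entry carries its whole chain; a trusted entry holds a single certificate.
            Certificate[] chain = isKey ? ks.getCertificateChain(alias)
                    : new Certificate[] {ks.getCertificate(alias)};
            System.out.printf("alias=%s type=%s chainLength=%d%n", alias,
                    isKey ? "keyEntry" : "trustedCertEntry", chain == null ? 0 : chain.length);
            if (chain == null) continue; // e.g. a secret-key entry with no certificates
            for (Certificate c : chain) {
                if (!(c instanceof X509Certificate)) continue;
                X509Certificate x = (X509Certificate) c;
                x509Certs++;
                // getBasicConstraints() returns -1 for a non-CA (end-entity) certificate.
                System.out.printf("  subject=%s ca=%b%n",
                        x.getSubjectX500Principal().getName(), x.getBasicConstraints() >= 0);
                Collection<List<?>> sans = x.getSubjectAlternativeNames();
                if (sans == null) continue; // certificate has no SAN extension
                for (List<?> san : sans) {
                    System.out.printf("    san type=%s (2=dNSName, 7=iPAddress) value=%s%n", san.get(0), san.get(1));
                }
            }
        }
        System.out.printf("aliases=%d keyEntries=%d x509Certificates=%d%n", ks.size(), keyEntries, x509Certs);
    }
}
```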
