[
https://issues.apache.org/jira/browse/NIFI-7730?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17188789#comment-17188789
]
Paul Kelly commented on NIFI-7730:
----------------------------------
We are also seeing this error after upgrading to 1.12.0. We only have one cert
in both the key store and trust store, but the cert in the key store has
multiple Subject Alternative Names. We were able to get around it by
generating new certs with only one SAN (matching the CN) specified.
> Jetty server does not start up when a keystore with multiple certificates is
> used
> ---------------------------------------------------------------------------------
>
> Key: NIFI-7730
> URL: https://issues.apache.org/jira/browse/NIFI-7730
> Project: Apache NiFi
> Issue Type: Bug
> Reporter: Kotaro Terada
> Assignee: Kotaro Terada
> Priority: Blocker
> Fix For: 1.13.0
>
> Time Spent: 2h 20m
> Remaining Estimate: 0h
>
> In the newer Jetty version (which was recently upgraded on the main branch),
> Jetty's `SslContextFactory()` has been deprecated, and we can use
> `SslContextFactory.Server()` or `SslContextFactory.Client()` instead. If we
> use `SslContextFactory()`, Jetty server does not start when we use keystores
> with multiple certificates, with the following error log.
> In addition to that, we can remove
> `setEndpointIdentificationAlgorithm(null);` since it will be executed in the
> constructor of `SslContextFactory.Server()` if we replace with it.
> (See:
> [https://github.com/eclipse/jetty.project/blob/jetty-9.4.26.v20200117/jetty-util/src/main/java/org/eclipse/jetty/util/ssl/SslContextFactory.java#L2204])
>
> {code:java}
> 2020-08-07 19:50:32,299 INFO [main] o.e.jetty.util.ssl.SslContextFactory x509=X509@3aac31b7(nifi-key,h=[****],w=[****]) for SslContextFactory@57def953[provider=null,keyStore=file:///****/keystore.jks,trustStore=file:///****/truststore.jks]
> 2020-08-07 19:50:32,308 WARN [main] org.apache.nifi.web.server.JettyServer Failed to start web server... shutting down.
> java.lang.IllegalStateException: KeyStores with multiple certificates are not supported on the base class org.eclipse.jetty.util.ssl.SslContextFactory. (Use org.eclipse.jetty.util.ssl.SslContextFactory$Server or org.eclipse.jetty.util.ssl.SslContextFactory$Client instead)
>     at org.eclipse.jetty.util.ssl.SslContextFactory.newSniX509ExtendedKeyManager(SslContextFactory.java:1275)
>     at org.eclipse.jetty.util.ssl.SslContextFactory.getKeyManagers(SslContextFactory.java:1256)
>     at org.eclipse.jetty.util.ssl.SslContextFactory.load(SslContextFactory.java:374)
>     at org.eclipse.jetty.util.ssl.SslContextFactory.doStart(SslContextFactory.java:245)
>     at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:72)
>     at org.eclipse.jetty.util.component.ContainerLifeCycle.start(ContainerLifeCycle.java:169)
>     at org.eclipse.jetty.util.component.ContainerLifeCycle.doStart(ContainerLifeCycle.java:117)
>     at org.eclipse.jetty.server.SslConnectionFactory.doStart(SslConnectionFactory.java:92)
>     at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:72)
>     at org.eclipse.jetty.util.component.ContainerLifeCycle.start(ContainerLifeCycle.java:169)
>     at org.eclipse.jetty.util.component.ContainerLifeCycle.doStart(ContainerLifeCycle.java:117)
>     at org.eclipse.jetty.server.AbstractConnector.doStart(AbstractConnector.java:320)
>     at org.eclipse.jetty.server.AbstractNetworkConnector.doStart(AbstractNetworkConnector.java:81)
>     at org.eclipse.jetty.server.ServerConnector.doStart(ServerConnector.java:231)
>     at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:72)
>     at org.eclipse.jetty.server.Server.doStart(Server.java:385)
>     at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:72)
>     at org.apache.nifi.web.server.JettyServer.start(JettyServer.java:1060)
>     at org.apache.nifi.NiFi.<init>(NiFi.java:160)
>     at org.apache.nifi.NiFi.<init>(NiFi.java:72)
>     at org.apache.nifi.NiFi.main(NiFi.java:303)
> 2020-08-07 19:50:32,309 INFO [Thread-1] org.apache.nifi.NiFi Initiating shutdown of Jetty web server...
> {code}
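
A pre-upgrade check for the two keystore shapes reported in this thread (more than one certificate entry, and a single certificate carrying several SANs), added here as an example and not taken from the NiFi or Jetty code. The class name `KeystoreSanAudit` and the `KEYSTORE_PASSWORD` environment variable are assumptions; only JDK `java.security` APIs are used.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Collections;
import java.util.List;

// Added example: flags the keystore shapes reported in this thread.
public class KeystoreSanAudit {

    // Collect dNSName (type 2) and iPAddress (type 7) SAN entries, per RFC 5280.
    static List<String> sanNames(X509Certificate cert) throws Exception {
        List<String> names = new ArrayList<>();
        Collection<List<?>> sans = cert.getSubjectAlternativeNames(); // null if no SAN extension
        if (sans == null) return names;
        for (List<?> san : sans) {
            int type = (Integer) san.get(0);
            if (type == 2 || type == 7) names.add(String.valueOf(san.get(1)));
        }
        return names;
    }

    public static void main(String[] args) throws Exception {
        // Password comes from the environment (assumed variable name), not from argv.
        String password = System.getenv("KEYSTORE_PASSWORD");
        if (args.length != 2 || password == null) {
            System.err.println("usage: java KeystoreSanAudit <JKS|PKCS12> <keystore path>");
            System.exit(2);
        }
        KeyStore ks = KeyStore.getInstance(args[0]);
        try (FileInputStream in = new FileInputStream(args[1])) {
            ks.load(in, password.toCharArray());
        }
        int keyEntries = 0;
        boolean multiSan = false;
        for (String alias : Collections.list(ks.aliases())) {
            Certificate cert = ks.getCertificate(alias);
            if (!ks.isKeyEntry(alias) || !(cert instanceof X509Certificate)) continue;
            keyEntries++;
            X509Certificate x509 = (X509Certificate) cert;
            List<String> names = sanNames(x509);
            multiSan |= names.size() > 1;
            System.out.printf("%s: subject=%s SANs=%s%n", alias, x509.getSubjectX500Principal().getName(), names);
        }
        System.out.printf("key entries=%d, entry with multiple SANs=%b%n", keyEntries, multiSan);
        // Exit 1 when either shape reported in the thread is present.
        System.exit(keyEntries > 1 || multiSan ? 1 : 0);
    }
}
```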