[ https://issues.apache.org/jira/browse/NIFI-7730?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17188830#comment-17188830 ]
Andy LoPresto commented on NIFI-7730:
-------------------------------------
[~pkelly.nifi] [~czobrisky] Thanks for the additional info. I have verified
that the fix I posted in PR 4498 addresses this issue as well:
{code}
2020-09-01 14:49:28,475 INFO [main] o.e.jetty.server.handler.ContextHandler Started o.e.j.w.WebAppContext@376a0d86{nifi-error,/,file:///Users/alopresto/Workspace/nifi/nifi-assembly/target/nifi-1.13.0-SNAPSHOT-bin/nifi-1.13.0-SNAPSHOT/work/jetty/nifi-web-error-1.13.0-SNAPSHOT.war/webapp/,AVAILABLE}{./work/nar/framework/nifi-framework-nar-1.13.0-SNAPSHOT.nar-unpacked/NAR-INF/bundled-dependencies/nifi-web-error-1.13.0-SNAPSHOT.war}
2020-09-01 14:49:28,496 INFO [main] o.e.jetty.util.ssl.SslContextFactory x509=X509@4a9d0c6f(nifi-key,h=[multiple_san.nifi, other_san.nifi, third_san.nifi, fourth_san.nifi],w=[]) for Server@62509b77[provider=null,keyStore=file:///Users/alopresto/Workspace/nifi/nifi-assembly/target/nifi-1.13.0-SNAPSHOT-bin/nifi-1.13.0-SNAPSHOT/conf/keystore.jks,trustStore=file:///Users/alopresto/Workspace/nifi/nifi-assembly/target/nifi-1.13.0-SNAPSHOT-bin/nifi-1.13.0-SNAPSHOT/conf/truststore.jks]
2020-09-01 14:49:28,521 INFO [main] o.eclipse.jetty.server.AbstractConnector Started ServerConnector@35dab4eb{SSL,[ssl, http/1.1]}{multiple_san.nifi:9443}
2020-09-01 14:49:28,521 INFO [main] org.eclipse.jetty.server.Server Started @21295ms
2020-09-01 14:49:28,545 INFO [main] org.apache.nifi.nar.NarAutoLoader Starting NAR Auto-Loader for directory ./extensions ...
2020-09-01 14:49:28,546 INFO [main] org.apache.nifi.nar.NarAutoLoader NAR Auto-Loader started
2020-09-01 14:49:28,546 INFO [main] org.apache.nifi.web.server.JettyServer NiFi has started. The UI is available at the following URLs:
2020-09-01 14:49:28,546 INFO [main] org.apache.nifi.web.server.JettyServer https://multiple_san.nifi:9443/nifi
2020-09-01 14:49:28,547 INFO [main] org.apache.nifi.BootstrapListener Successfully initiated communication with Bootstrap
2020-09-01 14:49:28,548 INFO [main] org.apache.nifi.NiFi Controller initialization took 15489116842 nanoseconds (15 seconds).
{code}
With a keystore containing a single private key entry that does have multiple
SAN entries:
{code}
✘ ..13.0-SNAPSHOT NIFI-7730 keytool -list -v -keystore conf/keystore.jks    14:50:15
Enter keystore password:
Keystore type: jks
Keystore provider: SUN
Your keystore contains 1 entry
Alias name: nifi-key
Creation date: Sep 1, 2020
Entry type: PrivateKeyEntry
Certificate chain length: 2
Certificate[1]:
Owner: CN=multiple_san.nifi, OU=NIFI
Issuer: CN=localhost, OU=NIFI
Serial number: 1744ba3313f00000000
Valid from: Tue Sep 01 14:47:00 PDT 2020 until: Mon Dec 05 13:47:00 PST 2022
Certificate fingerprints:
MD5: 30:8D:B5:9A:B1:15:F0:7C:31:14:32:68:AB:FA:E2:DA
SHA1: 16:75:B5:ED:E5:92:61:34:92:40:B8:9E:9F:FA:3B:5A:0D:50:21:1D
SHA256: B4:DD:EF:1D:12:FB:EA:D2:34:BE:2C:5D:90:E5:C1:B3:34:F3:7B:CF:F9:67:5F:42:FB:FB:AC:E7:75:8F:3E:6E
Signature algorithm name: SHA256withRSA
Subject Public Key Algorithm: 2048-bit RSA key
Version: 3
Extensions:
...
#5: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
DNSName: multiple_san.nifi
DNSName: other_san.nifi
DNSName: third_san.nifi
DNSName: fourth_san.nifi
]
{code}
> Jetty server does not start up when a keystore with multiple certificates is
> used
> ---------------------------------------------------------------------------------
>
> Key: NIFI-7730
> URL: https://issues.apache.org/jira/browse/NIFI-7730
> Project: Apache NiFi
> Issue Type: Bug
> Reporter: Kotaro Terada
> Assignee: Kotaro Terada
> Priority: Blocker
> Fix For: 1.13.0
>
> Time Spent: 2h 40m
> Remaining Estimate: 0h
>
> In the newer Jetty version (which is recently upgraded on the main branch),
> Jetty's `SslContextFactory()` has been deprecated, and we can use
> `SslContextFactory.Server()` or `SslContextFactory.Client()` instead. If we
> use `SslContextFactory()`, Jetty server does not start when we use keystores
> with multiple certificates, with the following error log.
> In addition to that, we can remove
> `setEndpointIdentificationAlgorithm(null);`, since it will be executed in the
> constructor of `SslContextFactory.Server()` if we replace it with that.
> (See:
> [https://github.com/eclipse/jetty.project/blob/jetty-9.4.26.v20200117/jetty-util/src/main/java/org/eclipse/jetty/util/ssl/SslContextFactory.java#L2204])
>
> {code:java}
> 2020-08-07 19:50:32,299 INFO [main] o.e.jetty.util.ssl.SslContextFactory x509=X509@3aac31b7(nifi-key,h=[****],w=[****]) for SslContextFactory@57def953[provider=null,keyStore=file:///****/keystore.jks,trustStore=file:///****/truststore.jks]
> 2020-08-07 19:50:32,308 WARN [main] org.apache.nifi.web.server.JettyServer Failed to start web server... shutting down.
> java.lang.IllegalStateException: KeyStores with multiple certificates are not supported on the base class org.eclipse.jetty.util.ssl.SslContextFactory. (Use org.eclipse.jetty.util.ssl.SslContextFactory$Server or org.eclipse.jetty.util.ssl.SslContextFactory$Client instead)
> at org.eclipse.jetty.util.ssl.SslContextFactory.newSniX509ExtendedKeyManager(SslContextFactory.java:1275)
> at org.eclipse.jetty.util.ssl.SslContextFactory.getKeyManagers(SslContextFactory.java:1256)
> at org.eclipse.jetty.util.ssl.SslContextFactory.load(SslContextFactory.java:374)
> at org.eclipse.jetty.util.ssl.SslContextFactory.doStart(SslContextFactory.java:245)
> at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:72)
> at org.eclipse.jetty.util.component.ContainerLifeCycle.start(ContainerLifeCycle.java:169)
> at org.eclipse.jetty.util.component.ContainerLifeCycle.doStart(ContainerLifeCycle.java:117)
> at org.eclipse.jetty.server.SslConnectionFactory.doStart(SslConnectionFactory.java:92)
> at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:72)
> at org.eclipse.jetty.util.component.ContainerLifeCycle.start(ContainerLifeCycle.java:169)
> at org.eclipse.jetty.util.component.ContainerLifeCycle.doStart(ContainerLifeCycle.java:117)
> at org.eclipse.jetty.server.AbstractConnector.doStart(AbstractConnector.java:320)
> at org.eclipse.jetty.server.AbstractNetworkConnector.doStart(AbstractNetworkConnector.java:81)
> at org.eclipse.jetty.server.ServerConnector.doStart(ServerConnector.java:231)
> at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:72)
> at org.eclipse.jetty.server.Server.doStart(Server.java:385)
> at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:72)
> at org.apache.nifi.web.server.JettyServer.start(JettyServer.java:1060)
> at org.apache.nifi.NiFi.<init>(NiFi.java:160)
> at org.apache.nifi.NiFi.<init>(NiFi.java:72)
> at org.apache.nifi.NiFi.main(NiFi.java:303)
> 2020-08-07 19:50:32,309 INFO [Thread-1] org.apache.nifi.NiFi Initiating shutdown of Jetty web server...
> {code}
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
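The issue description above contrasts the deprecated Jetty `SslContextFactory()` base class with `SslContextFactory.Server()`, and the comment verifies the fix against a keystore whose single key entry carries several SAN hostnames. The following Java is an added illustration written for this page; it is not NiFi's `JettyServer` code nor Jetty's own, and the class name, the `legacyFactory`/`serverFactory`/`buildServer`/`keyEntrySummary` method names, the keystore paths, the `changeit` password, the host and port, and the mutual-TLS setting are all assumptions chosen for the example. It also adds a pre-flight check that reports the same private-key-entry and SAN facts that `keytool -list -v` shows in the comment, so an operator can see before startup whether a keystore has the shape the base class rejects.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Collections;
import java.util.List;

import org.eclipse.jetty.http.HttpVersion;
import org.eclipse.jetty.server.HttpConfiguration;
import org.eclipse.jetty.server.HttpConnectionFactory;
import org.eclipse.jetty.server.SecureRequestCustomizer;
import org.eclipse.jetty.server.Server;
import org.eclipse.jetty.server.ServerConnector;
import org.eclipse.jetty.server.SslConnectionFactory;
import org.eclipse.jetty.util.ssl.SslContextFactory;

/** Illustrative example; class and method names are this example's own, not NiFi's or Jetty's. */
public class MultiCertJettyExample {

    /**
     * The broken pattern from the issue: the deprecated base class. Its key manager
     * rejects keystores with more than one certificate host, so start() fails with
     * the IllegalStateException quoted in the issue description.
     */
    @SuppressWarnings("deprecation")
    static SslContextFactory legacyFactory(String ksPath, String ksPass) {
        SslContextFactory ssl = new SslContextFactory();
        ssl.setKeyStorePath(ksPath);
        ssl.setKeyStorePassword(ksPass);
        // Needed by hand on the base class; SslContextFactory.Server() does this in its constructor.
        ssl.setEndpointIdentificationAlgorithm(null);
        return ssl;
    }

    /**
     * The fixed pattern: the server-side subclass installs an SNI-capable key manager,
     * so several certificates, or one certificate with several SAN hostnames, are
     * accepted and the matching entry is selected per handshake.
     */
    static SslContextFactory.Server serverFactory(String ksPath, String ksPass,
                                                  String tsPath, String tsPass) {
        SslContextFactory.Server ssl = new SslContextFactory.Server();
        ssl.setKeyStorePath(ksPath);
        ssl.setKeyStorePassword(ksPass);
        ssl.setTrustStorePath(tsPath);
        ssl.setTrustStorePassword(tsPass);
        ssl.setNeedClientAuth(true);                     // assumption: mutual TLS for the example
        ssl.setIncludeProtocols("TLSv1.2", "TLSv1.3");   // assumption: modern protocols only
        return ssl;
    }

    /** Wires either factory into one HTTPS connector; accepts the base type so both can be compared. */
    static Server buildServer(SslContextFactory ssl, String host, int port) {
        Server server = new Server();
        HttpConfiguration httpsConfig = new HttpConfiguration();
        httpsConfig.addCustomizer(new SecureRequestCustomizer()); // exposes TLS details to request handling
        ServerConnector connector = new ServerConnector(server,
                new SslConnectionFactory(ssl, HttpVersion.HTTP_1_1.asString()),
                new HttpConnectionFactory(httpsConfig));
        connector.setHost(host);
        connector.setPort(port);
        server.addConnector(connector);
        return server;
    }

    /**
     * Pre-flight check: one line per private-key entry with its subject and dNSName SANs,
     * the facts `keytool -list -v` prints. More than one entry, or a single entry with
     * several SAN hosts, is the keystore shape the base class refuses to load.
     */
    static List<String> keyEntrySummary(String ksPath, char[] ksPass) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(ksPath)) {
            ks.load(in, ksPass);
        }
        List<String> summary = new ArrayList<>();
        for (String alias : Collections.list(ks.aliases())) {
            if (!ks.isKeyEntry(alias)) continue;
            X509Certificate cert = (X509Certificate) ks.getCertificate(alias);
            Collection<List<?>> sans = cert.getSubjectAlternativeNames();
            List<String> hosts = new ArrayList<>();
            if (sans != null) {
                for (List<?> san : sans) {
                    if (Integer.valueOf(2).equals(san.get(0))) hosts.add(String.valueOf(san.get(1))); // 2 = dNSName
                }
            }
            summary.add(alias + " " + cert.getSubjectX500Principal().getName() + " SAN=" + hosts);
        }
        return summary;
    }

    public static void main(String[] args) throws Exception {
        String ks = "conf/keystore.jks", ts = "conf/truststore.jks"; // placeholder paths
        String pass = "changeit";                                      // placeholder password
        for (String line : keyEntrySummary(ks, pass.toCharArray())) {
            System.out.println(line);
        }
        Server server = buildServer(serverFactory(ks, pass, ts, pass), "multiple_san.nifi", 9443);
        server.start();   // with legacyFactory(ks, pass) and a multi-host keystore, start() throws instead
        server.join();
    }
}
```

Run against a Jetty 9.4.26 classpath with the placeholder paths replaced. The point of `buildServer` accepting the base `SslContextFactory` type is that swapping `serverFactory(...)` for `legacyFactory(...)` reproduces the startup failure from the issue with the same keystore, while `keyEntrySummary` shows why: the base class has no SNI key manager, so it cannot choose between hostnames, and the `Server` subclass both supplies that key manager and clears the endpoint identification algorithm in its constructor, which is what makes the explicit `setEndpointIdentificationAlgorithm(null)` call removable.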