Can you try the workaround described in https://github.com/apache/cloudstack/issues/8637?
-Wei

On Wednesday, February 14, 2024, Jorge Luiz Correa <[email protected]> wrote:

> Hello!
>
> I've upgraded from 4.17.2 to 4.19.0. I'm using Ubuntu Server 22.04.3 LTS, Java 11.0.21 (no changes with upgrade). I'm using an LDAP server to authenticate users, with SSL.
>
> After the upgrade users can't authenticate anymore. The errors at the end of this message could be found in management.log. I've read it could be a problem accessing the keystore file.
>
> I've already tried to
> - regenerate the keystore (with default parameters)
> - check the password with keytool, everything is ok (no changes from 4.17.2, it was working)
> - change permissions on cloud.jks
> - put https.keystore.password between '...' in server.properties
>
> I appreciate any help where I can try something to restore the ldap authentication with SSL.
>
> Thank you!
>
> ---- errors in management.log
>
> *2024-02-14 15:43:58,248 DEBUG [o.a.c.l.LdapManagerImpl] (qtp1753127384-22:ctx-cfc59ea9) (logid:c7732509) ldap Exception:javax.naming.CommunicationException: ldapserver.mydomain:636 [Root exception is java.net.SocketException: java.security.NoSuchAlgorithmException: Error constructing implementation (algorithm: Default, provider: SunJSSE, class: sun.security.ssl.SSLContextImpl$DefaultSSLContext)]*
>         at java.naming/com.sun.jndi.ldap.Connection.<init>(Connection.java:252)
>         at java.naming/com.sun.jndi.ldap.LdapClient.<init>(LdapClient.java:137)
>         at java.naming/com.sun.jndi.ldap.LdapClient.getInstance(LdapClient.java:1616)
>         at java.naming/com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2847)
>         at java.naming/com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:348)
>         at java.naming/com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxFromUrl(LdapCtxFactory.java:266)
>         at java.naming/com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:226)
>         at java.naming/com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:284)
>         at java.naming/com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:185)
>         at java.naming/com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:115)
>         at java.naming/javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:730)
>         at java.naming/javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:305)
>         at java.naming/javax.naming.InitialContext.init(InitialContext.java:236)
>         at java.naming/javax.naming.ldap.InitialLdapContext.<init>(InitialLdapContext.java:154)
>         at org.apache.cloudstack.ldap.LdapContextFactory.createInitialDirContext(LdapContextFactory.java:62)
>         at org.apache.cloudstack.ldap.LdapContextFactory.createBindContext(LdapContextFactory.java:51)
>         at org.apache.cloudstack.ldap.LdapContextFactory.createBindContext(LdapContextFactory.java:45)
>         at org.apache.cloudstack.ldap.LdapManagerImpl.getUser(LdapManagerImpl.java:314)
>         at org.apache.cloudstack.ldap.LdapAuthenticator.authenticate(LdapAuthenticator.java:229)
>         at org.apache.cloudstack.ldap.LdapAuthenticator.authenticate(LdapAuthenticator.java:84)
>         at com.cloud.user.AccountManagerImpl.getUserAccount(AccountManagerImpl.java:2656)
>         at com.cloud.user.AccountManagerImpl.authenticateUser(AccountManagerImpl.java:2494)
>         at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>         at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
>         at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>         at java.base/java.lang.reflect.Method.invoke(Method.java:566)
>         at org.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:344)
>         at org.springframework.aop.framework.ReflectiveMethodInvocation.invokeJoinpoint(ReflectiveMethodInvocation.java:198)
>         at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:163)
>         at org.springframework.aop.interceptor.ExposeInvocationInterceptor.invoke(ExposeInvocationInterceptor.java:97)
>         at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:186)
>         at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:215)
>         at com.sun.proxy.$Proxy128.authenticateUser(Unknown Source)
>         at com.cloud.api.ApiServer.loginUser(ApiServer.java:1111)
>         at com.cloud.api.auth.DefaultLoginAPIAuthenticatorCmd.authenticate(DefaultLoginAPIAuthenticatorCmd.java:156)
>         at com.cloud.api.ApiServlet.processRequestInContext(ApiServlet.java:257)
>         at com.cloud.api.ApiServlet$1.run(ApiServlet.java:154)
>         at org.apache.cloudstack.managed.context.impl.DefaultManagedContext$1.call(DefaultManagedContext.java:55)
>         at org.apache.cloudstack.managed.context.impl.DefaultManagedContext.callWithContext(DefaultManagedContext.java:102)
>         at org.apache.cloudstack.managed.context.impl.DefaultManagedContext.runWithContext(DefaultManagedContext.java:52)
>         at com.cloud.api.ApiServlet.processRequest(ApiServlet.java:151)
>         at com.cloud.api.ApiServlet.doPost(ApiServlet.java:110)
>         at javax.servlet.http.HttpServlet.service(HttpServlet.java:665)
>         at javax.servlet.http.HttpServlet.service(HttpServlet.java:750)
>         at javax.servlet.http.HttpServlet.service(HttpServlet.java:665)
>         at javax.servlet.http.HttpServlet.service(HttpServlet.java:750)
>         at org.eclipse.jetty.servlet.ServletHolder$NotAsync.service(ServletHolder.java:1450)
>         at org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:799)
>         at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:554)
>         at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:143)
>         at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:600)
>         at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:127)
>         at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:235)
>         at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:1624)
>         at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:233)
>         at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1440)
>         at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:188)
>         at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:505)
>         at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:1594)
>         at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:186)
>         at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1355)
>         at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:141)
>         at org.eclipse.jetty.server.handler.gzip.GzipHandler.handle(GzipHandler.java:772)
>         at org.eclipse.jetty.server.handler.HandlerCollection.handle(HandlerCollection.java:146)
>         at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:127)
>         at org.eclipse.jetty.server.Server.handle(Server.java:516)
>         at org.eclipse.jetty.server.HttpChannel.lambda$handle$1(HttpChannel.java:487)
>         at org.eclipse.jetty.server.HttpChannel.dispatch(HttpChannel.java:732)
>         at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:479)
>         at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:277)
>         at org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(AbstractConnection.java:311)
>         at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:105)
>         at org.eclipse.jetty.io.ChannelEndPoint$1.run(ChannelEndPoint.java:104)
>         at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:883)
>         at org.eclipse.jetty.util.thread.QueuedThreadPool$Runner.run(QueuedThreadPool.java:1034)
>         at java.base/java.lang.Thread.run(Thread.java:829)
> *Caused by: java.net.SocketException: java.security.NoSuchAlgorithmException: Error constructing implementation (algorithm: Default, provider: SunJSSE, class: sun.security.ssl.SSLContextImpl$DefaultSSLContext)*
>         at java.base/javax.net.ssl.DefaultSSLSocketFactory.throwException(SSLSocketFactory.java:263)
>         at java.base/javax.net.ssl.DefaultSSLSocketFactory.createSocket(SSLSocketFactory.java:277)
>         at java.naming/com.sun.jndi.ldap.Connection.createSocket(Connection.java:321)
>         ... 74 more
> *Caused by: java.security.NoSuchAlgorithmException: Error constructing implementation (algorithm: Default, provider: SunJSSE, class: sun.security.ssl.SSLContextImpl$DefaultSSLContext)*
>         at java.base/java.security.Provider$Service.newInstance(Provider.java:1901)
>         at java.base/sun.security.jca.GetInstance.getInstance(GetInstance.java:236)
>         at java.base/sun.security.jca.GetInstance.getInstance(GetInstance.java:164)
>         ... 82 more
> *Caused by: java.security.KeyStoreException: problem accessing trust store*
>         at java.base/sun.security.ssl.TrustManagerFactoryImpl.engineInit(TrustManagerFactoryImpl.java:73)
>         at java.base/javax.net.ssl.TrustManagerFactory.init(TrustManagerFactory.java:278)
>         at java.base/sun.security.ssl.SSLContextImpl$DefaultManagersHolder.getTrustManagers(SSLContextImpl.java:1036)
>         ... 92 more
> *Caused by: java.io.IOException: keystore password was incorrect*
>         at java.base/sun.security.pkcs12.PKCS12KeyStore.engineLoad(PKCS12KeyStore.java:2092)
>         at java.base/sun.security.util.KeyStoreDelegator.engineLoad(KeyStoreDelegator.java:222)
>         at java.base/java.security.KeyStore.load(KeyStore.java:1479)
>         ... 98 more
> *Caused by: java.security.UnrecoverableKeyException: failed to decrypt safe contents entry: javax.crypto.BadPaddingException: Given final block not properly padded. Such issues can arise if a bad key is used during decryption.*
>         at java.base/sun.security.pkcs12.PKCS12KeyStore.engineLoad(PKCS12KeyStore.java:2092)
>         at java.base/sun.security.util.KeyStoreDelegator.engineLoad(KeyStoreDelegator.java:222)
>         at java.base/java.security.KeyStore.load(KeyStore.java:1479)
>         ... 98 more
> 2024-02-14 15:43:58,254 DEBUG [o.a.c.l.LdapAuthenticator] (qtp1753127384-22:ctx-cfc59ea9) (logid:c7732509) No users matching: No Ldap User found for username: myuser in group: cn=cloudstack-hpc,ou=app,ou=authorization of type: GROUP
>
> --
> Jorge Luiz Corrêa
> Embrapa Agricultura Digital
>
> echo "CkpvcmdlIEx1aXogQ29ycmVhCkFuYWxpc3RhIGRlIFJlZGVzIGUgU2VndXJhbmNhCkVtYnJhcGEgQWdyaWN1bHR1cmEgRGlnaXRhbCAtIE5USQpBdi4gQW5kcmUgVG9zZWxsbywgMjA5IChCYXJhbyBHZXJhbGRvKQpDRVAgMTMwODMtODg2IC0gQ2FtcGluYXMsIFNQClRlbGVmb25lOiAoMTkpIDMyMTEtNTg4Mgpqb3JnZS5sLmNvcnJlYUBlbWJyYXBhLmJyCgo="|base64 -d
>
> --
> __________________________
> Confidentiality note
>
> This message from Empresa Brasileira de Pesquisa Agropecuaria (Embrapa), a government company established under Brazilian law (5.851/72), is directed exclusively to its addressee and may contain confidential data, protected under professional secrecy rules. Its unauthorized use is illegal and may subject the transgressor to the law's penalties. If you are not the addressee, please send it back, elucidating the failure.
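The bottom of the quoted trace pins the failure to one step: SunJSSE builds its default trust managers by calling KeyStore.load on the file named by javax.net.ssl.trustStore with javax.net.ssl.trustStorePassword, and PKCS12KeyStore.engineLoad rejects the password (the file is being parsed as PKCS12 regardless of its .jks name, which is the keytool default since JDK 9). A wrong PKCS12 password surfaces as an IOException whose cause is an UnrecoverableKeyException, which is then wrapped all the way up into the NoSuchAlgorithmException the LDAP connector reports. The class below is an example added to this archive page, not code from the thread or from CloudStack: it performs that single KeyStore.load step in isolation, reading the same javax.net.ssl.* properties the JVM would (or a path and password given as arguments), and classifies the result as unreadable file, wrong password, or a successful load with its aliases. With no store configured it writes a constructed, empty PKCS12 file in a temporary directory and opens it first with a wrong and then with the right password; the file names and passwords in that demo are made up.

```java
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.UnrecoverableKeyException;
import java.util.Collections;

/**
 * Added example: loads a trust store the way SunJSSE's default SSLContext does
 * (KeyStore.load with the configured password) and classifies the outcome.
 * Not part of CloudStack; demo file names and passwords are constructed.
 */
public class TrustStoreCheck {

    enum Outcome { OK, NOT_READABLE, WRONG_PASSWORD, OTHER_ERROR }

    /** One KeyStore.load attempt; a null password skips the integrity check. */
    static Outcome check(Path path, char[] password, String type) {
        if (!Files.isReadable(path)) {
            System.out.println("NOT_READABLE: " + path + " (check existence, owner and mode)");
            return Outcome.NOT_READABLE;
        }
        try (InputStream in = Files.newInputStream(path)) {
            KeyStore ks = KeyStore.getInstance(type);
            ks.load(in, password);
            System.out.println("OK: " + path + " holds " + ks.size() + " entries "
                    + Collections.list(ks.aliases()));
            return Outcome.OK;
        } catch (IOException e) {
            // The JDK signals a wrong PKCS12 password as an IOException whose cause
            // is UnrecoverableKeyException: "keystore password was incorrect" when
            // an encrypted entry fails to decrypt (the chain in the log above), or
            // an integrity-check failure when only the MAC mismatches, which is
            // what an entry-less store produces.
            if (e.getCause() instanceof UnrecoverableKeyException) {
                System.out.println("WRONG_PASSWORD: " + path + ": " + e.getMessage());
                return Outcome.WRONG_PASSWORD;
            }
            System.out.println("OTHER_ERROR: cannot read " + path + ": " + e);
            return Outcome.OTHER_ERROR;
        } catch (GeneralSecurityException e) {
            // KeyStoreException (unknown type), NoSuchAlgorithmException or
            // CertificateException while parsing the contents.
            System.out.println("OTHER_ERROR: cannot parse " + path + ": " + e);
            return Outcome.OTHER_ERROR;
        }
    }

    /** Writes a constructed, empty PKCS12 store protected by the given password. */
    static Path writeDemoStore(char[] password) throws Exception {
        Path tmp = Files.createTempFile("demo-trust", ".p12");
        KeyStore ks = KeyStore.getInstance("PKCS12");
        ks.load(null, null);                      // fresh, empty store
        try (OutputStream out = Files.newOutputStream(tmp)) {
            ks.store(out, password);              // password keys the PKCS12 MAC
        }
        return tmp;
    }

    public static void main(String[] args) throws Exception {
        // The same properties SunJSSE reads when it builds the default trust
        // managers; an unset javax.net.ssl.trustStore means the JDK's own cacerts.
        String store = args.length > 0 ? args[0] : System.getProperty("javax.net.ssl.trustStore");
        String pw = args.length > 1 ? args[1] : System.getProperty("javax.net.ssl.trustStorePassword");
        String type = System.getProperty("javax.net.ssl.trustStoreType", KeyStore.getDefaultType());
        // Like the JVM, treat an absent or empty password as "no password".
        char[] password = (pw == null || pw.isEmpty()) ? null : pw.toCharArray();

        if (store != null) {
            check(Path.of(store), password, type);
            return;
        }
        // No store configured: demonstrate both outcomes on a constructed file.
        Path demo = writeDemoStore("correct-demo-pw".toCharArray());
        try {
            check(demo, "wrong-demo-pw".toCharArray(), "PKCS12");    // opened with the wrong password
            check(demo, "correct-demo-pw".toCharArray(), "PKCS12");  // opened with the right password
        } finally {
            Files.deleteIfExists(demo);
        }
    }
}
```

Run it with the JDK the management server uses, for example `java -Djavax.net.ssl.trustStore=/path/to/truststore -Djavax.net.ssl.trustStorePassword='...' TrustStoreCheck.java` (Java 11 can launch a single source file directly), passing exactly the path and password value the server's configuration hands to the JVM. If the same file and password load cleanly here but the server still logs the chain above, the mismatch is in how the server derives or quotes the password it sets in the system properties rather than in the keystore itself; if it fails here too, the file was written with a different password than the one configured, which keytool's own prompt would also reject.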
