nifi-issues mailing list archives

From "Paul Kelly (Jira)" <j...@apache.org>
Subject [jira] [Commented] (NIFI-7730) Jetty server does not start up when a keystore with multiple certificates is used
Date Tue, 01 Sep 2020 20:02:00 GMT

    [ https://issues.apache.org/jira/browse/NIFI-7730?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17188789#comment-17188789 ]

Paul Kelly commented on NIFI-7730:
----------------------------------

We are also seeing this error after upgrading to 1.12.0.  We only have one cert in both the
key store and trust store, but the cert in the key store has multiple Subject Alternative
Names.  We were able to get around it by generating new certs with only one SAN (matching
the CN) specified.

> Jetty server does not start up when a keystore with multiple certificates is used
> ---------------------------------------------------------------------------------
>
>                 Key: NIFI-7730
>                 URL: https://issues.apache.org/jira/browse/NIFI-7730
>             Project: Apache NiFi
>          Issue Type: Bug
>            Reporter: Kotaro Terada
>            Assignee: Kotaro Terada
>            Priority: Blocker
>             Fix For: 1.13.0
>
>          Time Spent: 2h 20m
>  Remaining Estimate: 0h
>
> In the newer Jetty version (which was recently upgraded on the main branch), Jetty's `SslContextFactory()` has been deprecated, and we can use `SslContextFactory.Server()` or `SslContextFactory.Client()` instead. If we use `SslContextFactory()`, Jetty server does not start when we use keystores with multiple certificates, with the following error log.
> In addition to that, we can remove `setEndpointIdentificationAlgorithm(null);` since it will be executed in the constructor of `SslContextFactory.Server()` if we replace with it.
>  (See: [https://github.com/eclipse/jetty.project/blob/jetty-9.4.26.v20200117/jetty-util/src/main/java/org/eclipse/jetty/util/ssl/SslContextFactory.java#L2204])
>  
> {code:java}
> 2020-08-07 19:50:32,299 INFO [main] o.e.jetty.util.ssl.SslContextFactory x509=X509@3aac31b7(nifi-key,h=[****],w=[****]) for SslContextFactory@57def953[provider=null,keyStore=file:///****/keystore.jks,trustStore=file:///****/truststore.jks]
> 2020-08-07 19:50:32,308 WARN [main] org.apache.nifi.web.server.JettyServer Failed to start web server... shutting down.
> java.lang.IllegalStateException: KeyStores with multiple certificates are not supported on the base class org.eclipse.jetty.util.ssl.SslContextFactory. (Use org.eclipse.jetty.util.ssl.SslContextFactory$Server or org.eclipse.jetty.util.ssl.SslContextFactory$Client instead)
>         at org.eclipse.jetty.util.ssl.SslContextFactory.newSniX509ExtendedKeyManager(SslContextFactory.java:1275)
>         at org.eclipse.jetty.util.ssl.SslContextFactory.getKeyManagers(SslContextFactory.java:1256)
>         at org.eclipse.jetty.util.ssl.SslContextFactory.load(SslContextFactory.java:374)
>         at org.eclipse.jetty.util.ssl.SslContextFactory.doStart(SslContextFactory.java:245)
>         at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:72)
>         at org.eclipse.jetty.util.component.ContainerLifeCycle.start(ContainerLifeCycle.java:169)
>         at org.eclipse.jetty.util.component.ContainerLifeCycle.doStart(ContainerLifeCycle.java:117)
>         at org.eclipse.jetty.server.SslConnectionFactory.doStart(SslConnectionFactory.java:92)
>         at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:72)
>         at org.eclipse.jetty.util.component.ContainerLifeCycle.start(ContainerLifeCycle.java:169)
>         at org.eclipse.jetty.util.component.ContainerLifeCycle.doStart(ContainerLifeCycle.java:117)
>         at org.eclipse.jetty.server.AbstractConnector.doStart(AbstractConnector.java:320)
>         at org.eclipse.jetty.server.AbstractNetworkConnector.doStart(AbstractNetworkConnector.java:81)
>         at org.eclipse.jetty.server.ServerConnector.doStart(ServerConnector.java:231)
>         at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:72)
>         at org.eclipse.jetty.server.Server.doStart(Server.java:385)
>         at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:72)
>         at org.apache.nifi.web.server.JettyServer.start(JettyServer.java:1060)
>         at org.apache.nifi.NiFi.<init>(NiFi.java:160)
>         at org.apache.nifi.NiFi.<init>(NiFi.java:72)
>         at org.apache.nifi.NiFi.main(NiFi.java:303)
> 2020-08-07 19:50:32,309 INFO [Thread-1] org.apache.nifi.NiFi Initiating shutdown of Jetty web server...
> {code}



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
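
A pre-flight check for the two conditions reported in this thread (more than one key entry, or one certificate with several SANs), followed by construction of the `SslContextFactory.Server` subclass that the exception message asks for. This is an added example, not NiFi or Jetty project code; the class name `KeystorePreflight`, the `KEYSTORE_PASSWORD` environment variable and the JKS store type are assumptions, and it needs Jetty 9.4 `jetty-util` on the classpath.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import java.util.*;
import org.eclipse.jetty.util.ssl.SslContextFactory;

public class KeystorePreflight { // hypothetical name, not part of NiFi
    // Map each private-key alias to the SAN values ("type:value") of its certificate.
    static Map<String, List<String>> sansByAlias(KeyStore ks) throws Exception {
        Map<String, List<String>> out = new LinkedHashMap<>();
        for (String alias : Collections.list(ks.aliases())) {
            if (!ks.isKeyEntry(alias)) continue; // skip trusted-certificate entries
            List<String> sans = new ArrayList<>();
            if (ks.getCertificate(alias) instanceof X509Certificate) {
                X509Certificate x509 = (X509Certificate) ks.getCertificate(alias);
                Collection<List<?>> names = x509.getSubjectAlternativeNames();
                if (names != null) { // null: certificate has no SAN extension
                    // element 0 is the GeneralName type (2 = dNSName, 7 = iPAddress)
                    for (List<?> n : names) sans.add(n.get(0) + ":" + n.get(1));
                }
            }
            out.put(alias, sans);
        }
        return out;
    }

    // Server-side factory instead of the deprecated base class.
    static SslContextFactory.Server serverFactory(String ksPath, String ksPass) {
        SslContextFactory.Server factory = new SslContextFactory.Server();
        factory.setKeyStorePath(ksPath);
        factory.setKeyStorePassword(ksPass);
        return factory; // no setEndpointIdentificationAlgorithm(null) call needed here
    }

    public static void main(String[] args) throws Exception {
        String pass = System.getenv("KEYSTORE_PASSWORD"); // assumed variable name
        KeyStore ks = KeyStore.getInstance("JKS");         // assumed store type
        try (InputStream in = new FileInputStream(args[0])) {
            ks.load(in, pass.toCharArray());
        }
        Map<String, List<String>> report = sansByAlias(ks);
        report.forEach((alias, sans) -> System.out.println(alias + " -> " + sans));
        boolean multi = report.size() > 1 || report.values().stream().anyMatch(s -> s.size() > 1);
        System.out.println(multi ? "multiple certificates or SANs present" : "single cert, at most one SAN");
        serverFactory(args[0], pass).start(); // loads the keystore; throws if it cannot
    }
}
```

Run it with the keystore path as the only argument before upgrading, so a keystore that matches either reported condition is identified ahead of a failed Jetty start.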
