Posted to api@directory.apache.org by Michael Barkdoll <ma...@gmail.com> on 2019/04/26 00:39:41 UTC

NPE in ERR_04122_SSL_CONTEXT_INIT_FAILURE Failed to initialize the SSL context

Hopefully, I'm now posting this issue to the correct mailing list.  I
previously sent this information to the dev@directory.apache.org list
without a better understanding of the mailing list structure.

I'm getting a Null Pointer Exception (NPE) in my Apache Guacamole Docker
Container upon ldap authentication attempt maybe in 1 in 20 attempts, the
project's PR [1] which I've built using github repo [2] which git clones
the latest directory ldap api from their github repo [3].  Mina should be
version 2.1.2, since the pom.xml [4] references 2.0.0.AM3-SNAPSHOT from the
local m2 repo.  Here is what I see in the logs for the NPE:

ERR_04122_SSL_CONTEXT_INIT_FAILURE Failed to initialize the SSL context

java.lang.NullPointerException: null
    at org.apache.directory.ldap.client.api.LdapNetworkConnection.connect(LdapNetworkConnection.java:689)

You can see complete output of the error log at:
[5] [6] [7]

Please let me know, if I can provide additional information, thank you for
your help.

[1] https://github.com/apache/guacamole-client/pull/345
[2] https://github.com/michaelbarkdoll/guacamole-client/tree/jira/234
[3] https://github.com/apache/directory-ldap-api
[4] https://github.com/michaelbarkdoll/guacamole-client/blob/jira/234/extensions/guacamole-auth-ldap/pom.xml

Error logs:
[5] https://github.com/apache/guacamole-client/files/3115534/error2.txt
[6] https://github.com/apache/guacamole-client/files/3115581/error3.txt
[7] https://github.com/apache/guacamole-client/files/3115614/error4.txt

Michael Barkdoll

Re: NPE in ERR_04122_SSL_CONTEXT_INIT_FAILURE Failed to initialize the SSL context

Posted by Emmanuel Lecharny <el...@apache.org>.
On Fri, Apr 26, 2019 at 17:07, Michael Barkdoll <ma...@gmail.com> wrote:

> The ldap server is active directory 2016.
>
> The code that is using the directory ldap api is from a tomcat .WAR (apache
> guacamole) [1].  I forked [1] and customized the jira/234 PR to support
> ldap and nginx websocket load balancing in this repo [2] according to
> apache guacamole's documentation.   I'm using docker swarm to set up an
> overlay network between an nginx reverse proxy to two separate apache
> guacamole tomcat servlets.  The nginx reverse proxy nginx.conf file is
> provided here [3].
>
> You're correct that userX log entries are successful ldap login attempts
> that I do to the tomcat .WAR and then I immediately logout and back in
> another time until the error occurs.  What would be causing the handshake
> to not end?



Let’s assume it’s a handshake error: can you run the test adding
-Djavax.net.debug=all? (warning: verbosity expected...)

-- 
Regards,
Cordialement,
Emmanuel Lécharny
www.iktek.com

Re: NPE in ERR_04122_SSL_CONTEXT_INIT_FAILURE Failed to initialize the SSL context

Posted by Michael Barkdoll <ma...@gmail.com>.
Well, I'm not convinced it is fixed now :(  I hardcoded the /etc/hosts file
on all my docker containers and swarm nodes for the ad.uni.edu to an ip
address that is known to be working for ldap ssl.  The NPE took more login
attempts to come up, but it still arrived.  At least I'm not seeing
additional errors in the logs about no route to host though...  Sorry, I
had deleted some of my PR comments about the issue, since I thought it was
just an error on my end.  But now I'm not certain what the cause might be at
this point.

/etc/nsswitch.conf has files as the source of truth before dns, so I don't
think the handshake issue is routing based anymore.  I've also run the
script against the server quite extensively and I'm not seeing any failed
connections now...  I think it must be something to do with this NPE.

Michael Barkdoll


On Fri, Apr 26, 2019 at 11:50 AM Emmanuel Lecharny <el...@apache.org>
wrote:

> Good to see you have found the root cause of your issue. May I ask you to
> fill a JIRA for the NPE so that we don’t forget to fix it?
>
> Many thanks!

Re: NPE in ERR_04122_SSL_CONTEXT_INIT_FAILURE Failed to initialize the SSL context

Posted by Emmanuel Lecharny <el...@apache.org>.
Good to see you have found the root cause of your issue. May I ask you to
fill a JIRA for the NPE so that we don’t forget to fix it?

Many thanks!

-- 
Regards,
Cordialement,
Emmanuel Lécharny
www.iktek.com

Re: NPE in ERR_04122_SSL_CONTEXT_INIT_FAILURE Failed to initialize the SSL context

Posted by Michael Barkdoll <ma...@gmail.com>.
I tried removing the valid=10s from the docker swarm dns resolver to see if
it makes a difference, but I still received an error [1] after several
successful ldap logins.  I noticed this error states:

org.apache.mina.core.RuntimeIoException: Failed to get the session.
Caused by: java.net.NoRouteToHostException: No route to host

So, I made a bash script to check if there were any routing issues.

```
# Probe the LDAPS port once per second and print nc's exit status (0 = reachable)
while true; do
    nc -w 3 -z -v ad.uni.edu 636; echo $?
    sleep 1
done
```
Output:
Warning: inverse host lookup failed for 10.10.0.19: Unknown host
ad.uni.edu [10.10.0.19] 636 (?) : No route to host

I think one of the servers in the DNS entry is bad! I had hard coded Apache
Guacamole to only connect to a good one, but I think the Apache Ldap is
doing a bind with the DNS entry provided by the ldap-user-base-dn:
dc=ad,dc=uni,dc=edu in apache guacamole.  I'm going to email our windows
folks and see if they can get that server out of the DNS entry since I
think it is the cause.

[1] https://gist.github.com/michaelbarkdoll/bc8ae3b13b1a20dd4ac259d6c20c011c

Michael Barkdoll
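
The diagnosis in the post above (one address behind the ad.uni.edu DNS entry not accepting connections on 636) can be checked per address instead of per name, and a reachable port can be told apart from a TLS handshake that does not finish. This is an added example, not part of the original post; the function names are hypothetical, and it assumes glibc `getent ahostsv4`, `nc`, coreutils `timeout` and `openssl` are installed.

```shell
#!/bin/sh
# Added example: probe each IPv4 address behind one DNS name separately,
# so a single bad server in a round-robin entry shows up by address.

# resolve_addrs HOST -> one unique IPv4 address per line
resolve_addrs() {
    getent ahostsv4 "$1" | awk '{ print $1 }' | sort -u
}

# probe_tcp ADDR PORT -> exit 0 if the port accepts a connection within 3 s
probe_tcp() {
    nc -w 3 -z "$1" "$2" >/dev/null 2>&1
}

# probe_tls ADDR PORT HOST -> exit 0 if a TLS handshake completes within 5 s
# (the certificate is not validated here; only handshake completion is tested)
probe_tls() {
    timeout 5 openssl s_client -connect "$1:$2" -servername "$3" \
        </dev/null >/dev/null 2>&1
}

# classify ADDR PORT HOST -> prints "unreachable", "tls-failed" or "ok"
classify() {
    if ! probe_tcp "$1" "$2"; then
        echo unreachable
    elif ! probe_tls "$1" "$2" "$3"; then
        echo tls-failed
    else
        echo ok
    fi
}

# check_host HOST PORT -> prints one "STATE ADDR" line per address and
# returns 1 if any address is not "ok"
check_host() {
    ch_host=$1; ch_port=$2; ch_rc=0
    for ch_addr in $(resolve_addrs "$ch_host"); do
        ch_state=$(classify "$ch_addr" "$ch_port" "$ch_host")
        echo "$ch_state $ch_addr"
        [ "$ch_state" = ok ] || ch_rc=1
    done
    return "$ch_rc"
}

# Run only when called with arguments, e.g.: sh check_ldaps.sh ad.uni.edu 636
if [ "$#" -ge 2 ]; then
    check_host "$1" "$2"
fi
```

An address reported as `unreachable` matches the "No route to host" case in the post; `tls-failed` means the port is open but the handshake did not complete within the timeout.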



Re: NPE in ERR_04122_SSL_CONTEXT_INIT_FAILURE Failed to initialize the SSL context

Posted by Michael Barkdoll <ma...@gmail.com>.
The ldap server is active directory 2016.

The code that is using the directory ldap api is from a tomcat .WAR (apache
guacamole) [1].  I forked [1] and customized the jira/234 PR to support
ldap and nginx websocket load balancing in this repo [2] according to
apache guacamole's documentation.   I'm using docker swarm to set up an
overlay network between an nginx reverse proxy to two separate apache
guacamole tomcat servlets.  The nginx reverse proxy nginx.conf file is
provided here [3].

You're correct that userX log entries are successful ldap login attempts
that I do to the tomcat .WAR and then I immediately logout and back in
another time until the error occurs.  What would be causing the handshake
to not end?

[1] https://github.com/apache/guacamole-client
[2] https://github.com/michaelbarkdoll/guacamole-client/tree/jira/234
[3] https://gist.github.com/michaelbarkdoll/d78614635fa0432ab08100d05f1a4919

Michael Barkdoll




Re: NPE in ERR_04122_SSL_CONTEXT_INIT_FAILURE Failed to initialize the SSL context

Posted by Stefan Seelmann <ma...@stefan-seelmann.de>.
On 4/26/19 7:09 AM, Emmanuel Lecharny wrote:
>> ERR_04122_SSL_CONTEXT_INIT_FAILURE Failed to initialize the SSL context
>>
>> java.lang.NullPointerException: null
>> at org.apache.directory.ldap.client.api.LdapNetworkConnection.connect(LdapNetworkConnection.java:689)
> 
> 
> It seems, from the code, that the connection times out. The NPE is
> unfortunate -and we will fix it- but it’s just masking the real cause: the
> handshake never ends.
> 
> What is the scenario you are running?

Especially, which LDAP server do you use?

In error3.txt and error4.txt I see multiple log messages "User "userX"
successfully authenticated". Does that mean in those cases the
connection to LDAP worked and it only fails randomly? It seems there are
multiple threads involved, so maybe it's a concurrency issue...





Re: NPE in ERR_04122_SSL_CONTEXT_INIT_FAILURE Failed to initialize the SSL context

Posted by Emmanuel Lecharny <el...@apache.org>.
Hi!

On Fri, Apr 26, 2019 at 02:40, Michael Barkdoll <ma...@gmail.com> wrote:

> Hopefully, I'm now posting this issue to the correct mailing list.  I
> previously sent this information to the dev@directory.apache.org list
> without a better understanding of the mailing list structure.
>
> I'm getting a Null Pointer Exception (NPE) in my Apache Guacamole Docker
> Container upon ldap authentication attempt maybe in 1 in 20 attempts, the
> project's PR [1] which I've built using github repo [2] which git clones
> the latest directory ldap api from their github repo [3].  Mina should be
> version 2.1.2, since the pom.xml [4] references 2.0.0.AM3-SNAPSHOT from the
> local m2 repo.  Here is what I see in the logs for the NPE:
>
> ERR_04122_SSL_CONTEXT_INIT_FAILURE Failed to initialize the SSL context
>
> java.lang.NullPointerException: null
> at org.apache.directory.ldap.client.api.LdapNetworkConnection.connect(LdapNetworkConnection.java:689)


It seems, from the code, that the connection times out. The NPE is
unfortunate -and we will fix it- but it’s just masking the real cause: the
handshake never ends.

What is the scenario you are running?



-- 
Regards,
Cordialement,
Emmanuel Lécharny
www.iktek.com