Posted to issues@nifi.apache.org by "Adam Turley (Jira)" <ji...@apache.org> on 2021/02/17 22:04:00 UTC

[jira] [Updated] (NIFI-8234) Jetty server does not start up when a keystore with multiple certificates is used on 1.13.0

     [ https://issues.apache.org/jira/browse/NIFI-8234?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Adam Turley updated NIFI-8234:
------------------------------
        Fix Version/s:     (was: 1.12.1)
                           (was: 1.13.0)
    Affects Version/s: 1.13.0
          Description: 
Seeing the following error in NiFi 1.13.0.
{code:java}
2021-02-17 21:52:35,705 WARN [main] org.apache.nifi.web.server.JettyServer Failed to start web server... shutting down.
java.lang.IllegalStateException: KeyStores with multiple certificates are not supported on the base class org.eclipse.jetty.util.ssl.SslContextFactory. (Use org.eclipse.jetty.util.ssl.SslContextFactory$Server or org.eclipse.jetty.util.ssl.SslContextFactory$Client instead)
        at org.eclipse.jetty.util.ssl.SslContextFactory.newSniX509ExtendedKeyManager(SslContextFactory.java:1275)
        at org.eclipse.jetty.util.ssl.SslContextFactory.getKeyManagers(SslContextFactory.java:1256)
        at org.eclipse.jetty.util.ssl.SslContextFactory.load(SslContextFactory.java:374)
        at org.eclipse.jetty.util.ssl.SslContextFactory.doStart(SslContextFactory.java:245)
        at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:72)
        at org.eclipse.jetty.util.component.ContainerLifeCycle.start(ContainerLifeCycle.java:169)
        at org.eclipse.jetty.util.component.ContainerLifeCycle.doStart(ContainerLifeCycle.java:117)
        at org.eclipse.jetty.server.SslConnectionFactory.doStart(SslConnectionFactory.java:92)
        at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:72)
        at org.eclipse.jetty.util.component.ContainerLifeCycle.start(ContainerLifeCycle.java:169)
        at org.eclipse.jetty.util.component.ContainerLifeCycle.doStart(ContainerLifeCycle.java:117)
        at org.eclipse.jetty.server.AbstractConnector.doStart(AbstractConnector.java:320)
        at org.eclipse.jetty.server.AbstractNetworkConnector.doStart(AbstractNetworkConnector.java:81)
        at org.eclipse.jetty.server.ServerConnector.doStart(ServerConnector.java:231)
        at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:72)
        at org.eclipse.jetty.server.Server.doStart(Server.java:385)
        at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:72)
        at org.apache.nifi.web.server.JettyServer.start(JettyServer.java:1058)
        at org.apache.nifi.NiFi.<init>(NiFi.java:158)
        at org.apache.nifi.NiFi.<init>(NiFi.java:72)
        at org.apache.nifi.NiFi.main(NiFi.java:301)

{code}

  was:
In the newer Jetty version (which was recently upgraded on the main branch), Jetty's `SslContextFactory()` has been deprecated, and we can use `SslContextFactory.Server()` or `SslContextFactory.Client()` instead. If we use `SslContextFactory()`, the Jetty server does not start when we use keystores with multiple certificates, failing with the following error log.

In addition to that, we can remove `setEndpointIdentificationAlgorithm(null);` since it will be executed in the constructor of `SslContextFactory.Server()` once we switch to it.
 (See: [https://github.com/eclipse/jetty.project/blob/jetty-9.4.26.v20200117/jetty-util/src/main/java/org/eclipse/jetty/util/ssl/SslContextFactory.java#L2204])

 
{code:java}
2020-08-07 19:50:32,299 INFO [main] o.e.jetty.util.ssl.SslContextFactory x509=X509@3aac31b7(nifi-key,h=[****],w=[****]) for SslContextFactory@57def953[provider=null,keyStore=file:///****/keystore.jks,trustStore=file:///****/truststore.jks]
2020-08-07 19:50:32,308 WARN [main] org.apache.nifi.web.server.JettyServer Failed to start web server... shutting down.
java.lang.IllegalStateException: KeyStores with multiple certificates are not supported on the base class org.eclipse.jetty.util.ssl.SslContextFactory. (Use org.eclipse.jetty.util.ssl.SslContextFactory$Server or org.eclipse.jetty.util.ssl.SslContextFactory$Client instead)
        at org.eclipse.jetty.util.ssl.SslContextFactory.newSniX509ExtendedKeyManager(SslContextFactory.java:1275)
        at org.eclipse.jetty.util.ssl.SslContextFactory.getKeyManagers(SslContextFactory.java:1256)
        at org.eclipse.jetty.util.ssl.SslContextFactory.load(SslContextFactory.java:374)
        at org.eclipse.jetty.util.ssl.SslContextFactory.doStart(SslContextFactory.java:245)
        at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:72)
        at org.eclipse.jetty.util.component.ContainerLifeCycle.start(ContainerLifeCycle.java:169)
        at org.eclipse.jetty.util.component.ContainerLifeCycle.doStart(ContainerLifeCycle.java:117)
        at org.eclipse.jetty.server.SslConnectionFactory.doStart(SslConnectionFactory.java:92)
        at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:72)
        at org.eclipse.jetty.util.component.ContainerLifeCycle.start(ContainerLifeCycle.java:169)
        at org.eclipse.jetty.util.component.ContainerLifeCycle.doStart(ContainerLifeCycle.java:117)
        at org.eclipse.jetty.server.AbstractConnector.doStart(AbstractConnector.java:320)
        at org.eclipse.jetty.server.AbstractNetworkConnector.doStart(AbstractNetworkConnector.java:81)
        at org.eclipse.jetty.server.ServerConnector.doStart(ServerConnector.java:231)
        at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:72)
        at org.eclipse.jetty.server.Server.doStart(Server.java:385)
        at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:72)
        at org.apache.nifi.web.server.JettyServer.start(JettyServer.java:1060)
        at org.apache.nifi.NiFi.<init>(NiFi.java:160)
        at org.apache.nifi.NiFi.<init>(NiFi.java:72)
        at org.apache.nifi.NiFi.main(NiFi.java:303)
2020-08-07 19:50:32,309 INFO [Thread-1] org.apache.nifi.NiFi Initiating shutdown of Jetty web server...
{code}

          Environment: Redhat Linux 7.9

> Jetty server does not start up when a keystore with multiple certificates is used on 1.13.0
> -------------------------------------------------------------------------------------------
>
>                 Key: NIFI-8234
>                 URL: https://issues.apache.org/jira/browse/NIFI-8234
>             Project: Apache NiFi
>          Issue Type: Bug
>    Affects Versions: 1.12.0, 1.13.0
>         Environment: Redhat Linux 7.9
>            Reporter: Adam Turley
>            Assignee: Andy LoPresto
>            Priority: Blocker



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
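
Added example, not part of the Jira message and not NiFi's own code: a preflight that inventories the certificate entries in a keystore and then starts Jetty's `SslContextFactory.Server`, the class the exception message says to use, so the failure shows up before the web server is restarted. The class name `KeystorePreflight`, the helper names and the command-line arguments are assumptions; it needs Jetty 9.4 `jetty-util` on the classpath and assumes the key password equals the keystore password.

```java
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.util.Collections;
import java.util.Map;
import java.util.TreeMap;
import org.eclipse.jetty.util.ssl.SslContextFactory;

// Hypothetical helper class; usage: java KeystorePreflight <path> <JKS|PKCS12> <password> [alias]
public class KeystorePreflight {

    // Maps each alias that carries a certificate to true if it also holds a private key.
    // This is an inventory only; it does not reproduce Jetty's own certificate selection.
    static Map<String, Boolean> certificateAliases(KeyStore ks) throws Exception {
        Map<String, Boolean> out = new TreeMap<>();
        for (String alias : Collections.list(ks.aliases())) {
            if (ks.getCertificate(alias) != null) {
                out.put(alias, ks.isKeyEntry(alias));
            }
        }
        return out;
    }

    // Builds the server-side factory instead of the deprecated base class.
    // Per the issue text, its constructor already clears the endpoint
    // identification algorithm, so no explicit call is made here.
    static SslContextFactory.Server serverFactory(String path, String type, String pw, String alias) {
        SslContextFactory.Server factory = new SslContextFactory.Server();
        factory.setKeyStorePath(path);
        factory.setKeyStoreType(type);
        factory.setKeyStorePassword(pw);
        if (alias != null) {
            factory.setCertAlias(alias); // optionally select one entry by alias
        }
        return factory;
    }

    public static void main(String[] args) throws Exception {
        String path = args[0], type = args[1], pw = args[2];
        KeyStore ks = KeyStore.getInstance(type);
        try (InputStream in = Files.newInputStream(Paths.get(path))) {
            ks.load(in, pw.toCharArray());
        }
        System.out.println("alias -> has private key: " + certificateAliases(ks));
        SslContextFactory.Server factory = serverFactory(path, type, pw, args.length > 3 ? args[3] : null);
        factory.start(); // throws here if the keystore cannot be loaded or used
        System.out.println("SSLContext ready, protocol: " + factory.getSslContext().getProtocol());
        factory.stop();
    }
}
```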