Posted to issues@nifi.apache.org by "Paul Kelly (Jira)" <ji...@apache.org> on 2020/09/01 20:02:00 UTC

[jira] [Commented] (NIFI-7730) Jetty server does not start up when a keystore with multiple certificates is used

    [ https://issues.apache.org/jira/browse/NIFI-7730?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17188789#comment-17188789 ] 

Paul Kelly commented on NIFI-7730:
----------------------------------

We are also seeing this error after upgrading to 1.12.0.  We only have one cert in both the key store and trust store, but the cert in the key store has multiple Subject Alternative Names.  We were able to get around it by generating new certs with only one SAN (matching the CN) specified.

> Jetty server does not start up when a keystore with multiple certificates is used
> ---------------------------------------------------------------------------------
>
>                 Key: NIFI-7730
>                 URL: https://issues.apache.org/jira/browse/NIFI-7730
>             Project: Apache NiFi
>          Issue Type: Bug
>            Reporter: Kotaro Terada
>            Assignee: Kotaro Terada
>            Priority: Blocker
>             Fix For: 1.13.0
>
>          Time Spent: 2h 20m
>  Remaining Estimate: 0h
>
> In the newer Jetty version (which was recently upgraded on the main branch), Jetty's `SslContextFactory()` has been deprecated, and we can use `SslContextFactory.Server()` or `SslContextFactory.Client()` instead. If we use `SslContextFactory()`, the Jetty server does not start when we use keystores with multiple certificates, and fails with the following error log.
> In addition to that, we can remove `setEndpointIdentificationAlgorithm(null);` since it will be executed in the constructor of `SslContextFactory.Server()` if we switch to it.
>  (See: [https://github.com/eclipse/jetty.project/blob/jetty-9.4.26.v20200117/jetty-util/src/main/java/org/eclipse/jetty/util/ssl/SslContextFactory.java#L2204])
>  
> {code:java}
> 2020-08-07 19:50:32,299 INFO [main] o.e.jetty.util.ssl.SslContextFactory x509=X509@3aac31b7(nifi-key,h=[****],w=[****]) for SslContextFactory@57def953[provider=null,keyStore=file:///****/keystore.jks,trustStore=file:///****/truststore.jks]
> 2020-08-07 19:50:32,308 WARN [main] org.apache.nifi.web.server.JettyServer Failed to start web server... shutting down.
> java.lang.IllegalStateException: KeyStores with multiple certificates are not supported on the base class org.eclipse.jetty.util.ssl.SslContextFactory. (Use org.eclipse.jetty.util.ssl.SslContextFactory$Server or org.eclipse.jetty.util.ssl.SslContextFactory$Client instead)
>         at org.eclipse.jetty.util.ssl.SslContextFactory.newSniX509ExtendedKeyManager(SslContextFactory.java:1275)
>         at org.eclipse.jetty.util.ssl.SslContextFactory.getKeyManagers(SslContextFactory.java:1256)
>         at org.eclipse.jetty.util.ssl.SslContextFactory.load(SslContextFactory.java:374)
>         at org.eclipse.jetty.util.ssl.SslContextFactory.doStart(SslContextFactory.java:245)
>         at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:72)
>         at org.eclipse.jetty.util.component.ContainerLifeCycle.start(ContainerLifeCycle.java:169)
>         at org.eclipse.jetty.util.component.ContainerLifeCycle.doStart(ContainerLifeCycle.java:117)
>         at org.eclipse.jetty.server.SslConnectionFactory.doStart(SslConnectionFactory.java:92)
>         at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:72)
>         at org.eclipse.jetty.util.component.ContainerLifeCycle.start(ContainerLifeCycle.java:169)
>         at org.eclipse.jetty.util.component.ContainerLifeCycle.doStart(ContainerLifeCycle.java:117)
>         at org.eclipse.jetty.server.AbstractConnector.doStart(AbstractConnector.java:320)
>         at org.eclipse.jetty.server.AbstractNetworkConnector.doStart(AbstractNetworkConnector.java:81)
>         at org.eclipse.jetty.server.ServerConnector.doStart(ServerConnector.java:231)
>         at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:72)
>         at org.eclipse.jetty.server.Server.doStart(Server.java:385)
>         at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:72)
>         at org.apache.nifi.web.server.JettyServer.start(JettyServer.java:1060)
>         at org.apache.nifi.NiFi.<init>(NiFi.java:160)
>         at org.apache.nifi.NiFi.<init>(NiFi.java:72)
>         at org.apache.nifi.NiFi.main(NiFi.java:303)
> 2020-08-07 19:50:32,309 INFO [Thread-1] org.apache.nifi.NiFi Initiating shutdown of Jetty web server...
> {code}



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
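
The replacement described in the issue, shown as an added example (not NiFi's code and not part of the original message): a Jetty 9.4 TLS connector built on `SslContextFactory.Server` rather than the deprecated base class. The class name, environment variable names, file paths and port are hypothetical.

```java
import org.eclipse.jetty.server.HttpConfiguration;
import org.eclipse.jetty.server.HttpConnectionFactory;
import org.eclipse.jetty.server.SecureRequestCustomizer;
import org.eclipse.jetty.server.Server;
import org.eclipse.jetty.server.ServerConnector;
import org.eclipse.jetty.server.SslConnectionFactory;
import org.eclipse.jetty.util.ssl.SslContextFactory;

public class TlsConnectorExample {

    // Before: `new SslContextFactory()` (deprecated base class). With the keystore from
    // the report it throws the IllegalStateException shown in the log above.
    // After: the Server subclass, which the exception message itself recommends.
    static SslContextFactory.Server newServerFactory(String keyStorePath, String keyStorePass,
                                                     String trustStorePath, String trustStorePass) {
        SslContextFactory.Server factory = new SslContextFactory.Server();
        factory.setKeyStorePath(keyStorePath);
        factory.setKeyStoreType("JKS");
        factory.setKeyStorePassword(keyStorePass);
        factory.setKeyManagerPassword(keyStorePass); // assumes key and store share a password
        factory.setTrustStorePath(trustStorePath);
        factory.setTrustStoreType("JKS");
        factory.setTrustStorePassword(trustStorePass);
        // No setEndpointIdentificationAlgorithm(null) call here: per the issue, the
        // Server constructor already does this.
        return factory;
    }

    public static void main(String[] args) throws Exception {
        // Hypothetical paths and variable names; secrets come from the environment.
        SslContextFactory.Server ssl = newServerFactory(
                "conf/keystore.jks", System.getenv("KEYSTORE_PASSWD"),
                "conf/truststore.jks", System.getenv("TRUSTSTORE_PASSWD"));

        Server server = new Server();
        HttpConfiguration httpsConfig = new HttpConfiguration();
        httpsConfig.setSecureScheme("https");
        httpsConfig.addCustomizer(new SecureRequestCustomizer());

        ServerConnector connector = new ServerConnector(server,
                new SslConnectionFactory(ssl, "http/1.1"),
                new HttpConnectionFactory(httpsConfig));
        connector.setPort(8443);
        server.addConnector(connector);

        server.start(); // the step that fails in the reported stack trace
        server.join();
    }
}
```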