Uploaded image for project: 'Apache NiFi'
  1. Apache NiFi
  2. NIFI-7730

Jetty server does not start up when a keystore with multiple certificates is used

    XMLWordPrintableJSON

Details

    • Bug
    • Status: Resolved
    • Blocker
    • Resolution: Fixed
    • 1.12.0
    • 1.13.0, 1.12.1
    • None
    • None

    Description

      In the newer Jetty version (which is recently upgraded on the main branch), Jetty's `SslContextFactory()` has been deprecated, and we can use `SslContextFactory.Server()` or `SslContextFactory.Client()` instead. If we use `SslContextFactory()`, Jetty server does not start when we use keystores with multiple certificates, with the following error log.

      In addition to that, we can remove `setEndpointIdentificationAlgorithm(null);` since it will be executed in the constructor of `SslContextFactory.Server()` if we replace with it.
      (See: https://github.com/eclipse/jetty.project/blob/jetty-9.4.26.v20200117/jetty-util/src/main/java/org/eclipse/jetty/util/ssl/SslContextFactory.java#L2204)

       

      2020-08-07 19:50:32,299 INFO [main] o.e.jetty.util.ssl.SslContextFactory x509=X509@3aac31b7(nifi-key,h=[****],w=[****]) for SslContextFactory@57def953[provider=null,keyStore=file:///****/keystore.jks,trustStore=file:///****/truststore.jks]
2020-08-07 19:50:32,308 WARN [main] org.apache.nifi.web.server.JettyServer Failed to start web server... shutting down.
java.lang.IllegalStateException: KeyStores with multiple certificates are not supported on the base class org.eclipse.jetty.util.ssl.SslContextFactory. (Use org.eclipse.jetty.util.ssl.SslContextFactory$Server or org.eclipse.jetty.util.ssl.SslContextFactory$Client instead)
        at org.eclipse.jetty.util.ssl.SslContextFactory.newSniX509ExtendedKeyManager(SslContextFactory.java:1275)
        at org.eclipse.jetty.util.ssl.SslContextFactory.getKeyManagers(SslContextFactory.java:1256)
        at org.eclipse.jetty.util.ssl.SslContextFactory.load(SslContextFactory.java:374)
        at org.eclipse.jetty.util.ssl.SslContextFactory.doStart(SslContextFactory.java:245)
        at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:72)
        at org.eclipse.jetty.util.component.ContainerLifeCycle.start(ContainerLifeCycle.java:169)
        at org.eclipse.jetty.util.component.ContainerLifeCycle.doStart(ContainerLifeCycle.java:117)
        at org.eclipse.jetty.server.SslConnectionFactory.doStart(SslConnectionFactory.java:92)
        at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:72)
        at org.eclipse.jetty.util.component.ContainerLifeCycle.start(ContainerLifeCycle.java:169)
        at org.eclipse.jetty.util.component.ContainerLifeCycle.doStart(ContainerLifeCycle.java:117)
        at org.eclipse.jetty.server.AbstractConnector.doStart(AbstractConnector.java:320)
        at org.eclipse.jetty.server.AbstractNetworkConnector.doStart(AbstractNetworkConnector.java:81)
        at org.eclipse.jetty.server.ServerConnector.doStart(ServerConnector.java:231)
        at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:72)
        at org.eclipse.jetty.server.Server.doStart(Server.java:385)
        at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:72)
        at org.apache.nifi.web.server.JettyServer.start(JettyServer.java:1060)
        at org.apache.nifi.NiFi.<init>(NiFi.java:160)
        at org.apache.nifi.NiFi.<init>(NiFi.java:72)
        at org.apache.nifi.NiFi.main(NiFi.java:303)
2020-08-07 19:50:32,309 INFO [Thread-1] org.apache.nifi.NiFi Initiating shutdown of Jetty web server...

      Attachments

        Issue Links

          is cloned by

          Bug - A problem which impairs or prevents the functions of the product. NIFI-8234 Jetty server does not start up when a keystore with multiple certificates is used on 1.13.0

          • Major - Major loss of function.
          • Resolved
          is duplicated by

          Bug - A problem which impairs or prevents the functions of the product. NIFI-7752 KeyStores with multiple certificates are not supported on the base class org.eclipse.jetty.util.ssl.SslContextFactory

          • Major - Major loss of function.
          • Resolved

          Bug - A problem which impairs or prevents the functions of the product. NIFI-7756 NIFI 1.12.0 doesn't work with wildcard certificates

          • Major - Major loss of function.
          • Resolved
          is related to

          Bug - A problem which impairs or prevents the functions of the product. HBASE-27027 Deprecated jetty SslContextFactory cause HMaster startup failure due to multiple certificates in KeyStores

          • Major - Major loss of function.
          • Resolved
          links to

          Web Link GitHub Pull Request #4471

          Web Link GitHub Pull Request #4498

          Activity

            People

              alopresto Andy LoPresto
              kotarot Kotaro Terada
              Votes:
              5 Vote for this issue
              Watchers:
              10 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved:

                Time Tracking

                  Estimated:
                  Original Estimate - Not Specified
                  Not Specified
                  Remaining:
                  Remaining Estimate - 0h
                  0h
                  Logged:
                  Time Spent - 3h 10m
                  3h 10m