Hi,
I upgraded my Nexus OSS Repository Manager to version 3.26.0.04.
Since then, I am getting an error message when starting Jetty in Nexus:
2020-08-11 11:04:58,965+0000 ERROR [jetty-main-1] *SYSTEM org.sonatype.nexus.bootstrap.jetty.JettyServer - Failed to start
java.lang.IllegalStateException: KeyStores with multiple certificates are not supported on the base class org.eclipse.jetty.util.ssl.SslContextFactory. (Use org.eclipse.jetty.util.ssl.SslContextFactory$Server
or org.eclipse.jetty.util.ssl.SslContextFactory$Client instead)
My jetty-https.xml looks like the following:
<?xml version="1.0"?>
<!DOCTYPE Configure PUBLIC "-//Jetty//Configure//EN" "http://www.eclipse.org/jetty/configure_9_0.dtd">
<Configure id="Server" class="org.eclipse.jetty.server.Server">
  <!--
  ==== HTTPS ====
  Set the following inside nexus.properties:
  application-port-ssl: the port to listen for https connections
  -->
  <Ref refid="httpConfig">
    <Set name="secureScheme">https</Set>
    <Set name="securePort"><Property name="application-port-ssl" /></Set>
  </Ref>
  <New id="httpsConfig" class="org.eclipse.jetty.server.HttpConfiguration">
    <Arg><Ref refid="httpConfig"/></Arg>
    <Call name="addCustomizer">
      <Arg>
        <New id="secureRequestCustomizer" class="org.eclipse.jetty.server.SecureRequestCustomizer">
          <!-- 7776000 seconds = 90 days -->
          <Set name="stsMaxAge"><Property name="jetty.https.stsMaxAge" default="7776000"/></Set>
          <Set name="stsIncludeSubDomains"><Property name="jetty.https.stsIncludeSubDomains" default="false"/></Set>
          <Set name="sniHostCheck"><Property name="jetty.https.sniHostCheck" default="false"/></Set>
        </New>
      </Arg>
    </Call>
  </New>
  <New id="sslContextFactory" class="org.eclipse.jetty.util.ssl.SslContextFactory$Server">
    <Set name="KeyStorePath"><Property name="ssl.etc"/>/keystore.jks</Set>
    <Set name="KeyStorePassword">REDACTED</Set>
    <Set name="KeyManagerPassword">REDACTED</Set>
    <Set name="TrustStorePath"><Property name="ssl.etc"/>/keystore.jks</Set>
    <Set name="TrustStorePassword">REDACTED</Set>
    <Set name="EndpointIdentificationAlgorithm"></Set>
    <Set name="NeedClientAuth"><Property name="jetty.ssl.needClientAuth" default="false"/></Set>
    <Set name="WantClientAuth"><Property name="jetty.ssl.wantClientAuth" default="false"/></Set>
    <Set name="ExcludeCipherSuites">
      <Array type="String">
        <Item>SSL_RSA_WITH_DES_CBC_SHA</Item>
        <Item>SSL_DHE_RSA_WITH_DES_CBC_SHA</Item>
        <Item>SSL_DHE_DSS_WITH_DES_CBC_SHA</Item>
        <Item>SSL_RSA_EXPORT_WITH_RC4_40_MD5</Item>
        <Item>SSL_RSA_EXPORT_WITH_DES40_CBC_SHA</Item>
        <Item>SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA</Item>
        <Item>SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA</Item>
      </Array>
    </Set>
  </New>
  <Call name="addConnector">
    <Arg>
      <New id="httpsConnector" class="org.eclipse.jetty.server.ServerConnector">
        <Arg name="server"><Ref refid="Server" /></Arg>
        <Arg name="acceptors" type="int"><Property name="jetty.https.acceptors" default="-1"/></Arg>
        <Arg name="selectors" type="int"><Property name="jetty.https.selectors" default="-1"/></Arg>
        <Arg name="factories">
          <Array type="org.eclipse.jetty.server.ConnectionFactory">
            <Item>
              <New class="org.sonatype.nexus.bootstrap.jetty.InstrumentedConnectionFactory">
                <Arg>
                  <New class="org.eclipse.jetty.server.SslConnectionFactory">
                    <Arg name="next">http/1.1</Arg>
                    <Arg name="sslContextFactory"><Ref refid="sslContextFactory"/></Arg>
                  </New>
                </Arg>
              </New>
            </Item>
            <Item>
              <New class="org.eclipse.jetty.server.HttpConnectionFactory">
                <Arg name="config"><Ref refid="httpsConfig" /></Arg>
              </New>
            </Item>
          </Array>
        </Arg>
        <Set name="host"><Property name="application-host" /></Set>
        <Set name="port"><Property name="application-port-ssl" /></Set>
        <Set name="idleTimeout"><Property name="jetty.https.timeout" default="30000"/></Set>
        <Set name="soLingerTime"><Property name="jetty.https.soLingerTime" default="-1"/></Set>
        <Set name="acceptorPriorityDelta"><Property name="jetty.https.acceptorPriorityDelta" default="0"/></Set>
        <Set name="acceptQueueSize"><Property name="jetty.https.acceptQueueSize" default="0"/></Set>
      </New>
    </Arg>
  </Call>
</Configure>
But Jetty is still not starting. It stops with the above error message.
Any ideas what I could do?
Best regards,
rforberger
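
Added example, not part of the original post and not Nexus or Jetty code: a small Python check that reads a Jetty XML config and reports which SslContextFactory class each factory declares (the error message above rejects the base class), whether the keystore and truststore are the same file, and which passwords are written as literals. The function names and the sample config are constructed for illustration.

```python
import sys
import xml.etree.ElementTree as ET

BASE = "org.eclipse.jetty.util.ssl.SslContextFactory"
NESTED = (BASE + "$Server", BASE + "$Client")

def set_value(el):
    """Flatten a <Set>: literal text, with <Property name="x"/> shown as ${x}."""
    out = el.text or ""
    for child in el:
        if child.tag == "Property":
            out += "${%s}" % child.get("name")
        out += child.tail or ""
    return out.strip()

def audit(xml_text):
    """Return one finding per SslContextFactory declared in a Jetty XML config."""
    findings = []
    for new in ET.fromstring(xml_text.strip()).iter("New"):
        cls = new.get("class", "")
        if cls != BASE and cls not in NESTED:
            continue
        props = {s.get("name"): set_value(s) for s in new.findall("Set")}
        key, trust = props.get("KeyStorePath"), props.get("TrustStorePath")
        findings.append({
            "id": new.get("id"),
            "class": cls,
            "base_class": cls == BASE,  # the class the error message rejects
            "shared_store": bool(key) and key == trust,
            "literal_passwords": sorted(
                n for n, v in props.items() if n.endswith("Password") and v and "${" not in v),
        })
    return findings

# Constructed sample (not from the post): a factory declared on the base class.
SAMPLE_BASE = """<?xml version="1.0"?>
<Configure id="Server" class="org.eclipse.jetty.server.Server">
  <New id="sslContextFactory" class="org.eclipse.jetty.util.ssl.SslContextFactory">
    <Set name="KeyStorePath"><Property name="ssl.etc"/>/keystore.jks</Set>
    <Set name="KeyStorePassword">placeholder</Set>
    <Set name="TrustStorePath"><Property name="ssl.etc"/>/keystore.jks</Set>
  </New>
</Configure>"""

if __name__ == "__main__":
    # Pass config file paths as arguments; with none, the constructed sample is used.
    texts = [open(p, encoding="utf-8").read() for p in sys.argv[1:]] or [SAMPLE_BASE]
    for text in texts:
        for finding in audit(text):
            print(finding)
```

Run against the config file the server actually loads; a finding with `base_class` set to `True` matches the condition named in the exception.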