After Nexus OSS upgrade to 3.26.0.04, Jetty complains about multiple certificates in keystore using class org.eclipse.jetty.util.ssl.SslContextFactory

ronnyforberger · August 11, 2020, 11:14am

Hi,

I upgraded my Nexus OSS Repository Manager to version 3.26.0.04.

Since that, I am getting an error message when starting jetty in Nexus:

2020-08-11 11:04:58,965+0000 ERROR [jetty-main-1] *SYSTEM org.sonatype.nexus.bootstrap.jetty.JettyServer - Failed to start
java.lang.IllegalStateException: KeyStores with multiple certificates are not supported on the base class org.eclipse.jetty.util.ssl.SslContextFactory. (Use org.eclipse.jetty.util.ssl.SslContextFactory$Server
or org.eclipse.jetty.util.ssl.SslContextFactory$Client instead)

My jetty-https.xml looks like the following:


<?xml version="1.0"?>
<!DOCTYPE Configure PUBLIC "-//Jetty//Configure//EN" "http://www.eclipse.org/jetty/configure_9_0.dtd">
<Configure id="Server" class="org.eclipse.jetty.server.Server">

  <!--
  ==== HTTPS ====
  Set the following inside nexus.properties:
  application-port-ssl: the port to listen for https connections
  -->

  <Ref refid="httpConfig">
    <Set name="secureScheme">https</Set>
    <Set name="securePort"><Property name="application-port-ssl" /></Set>
  </Ref>

  <New id="httpsConfig" class="org.eclipse.jetty.server.HttpConfiguration">
    <Arg><Ref refid="httpConfig"/></Arg>
    <Call name="addCustomizer">
      <Arg>
        <New id="secureRequestCustomizer" class="org.eclipse.jetty.server.SecureRequestCustomizer">
          <!-- 7776000 seconds = 90 days -->
          <Set name="stsMaxAge"><Property name="jetty.https.stsMaxAge" default="7776000"/></Set>
          <Set name="stsIncludeSubDomains"><Property name="jetty.https.stsIncludeSubDomains" default="false"/></Set>
          <Set name="sniHostCheck"><Property name="jetty.https.sniHostCheck" default="false"/></Set>
        </New>
      </Arg>
    </Call>
  </New>

  <New id="sslContextFactory" class="org.eclipse.jetty.util.ssl.SslContextFactory$Server">
    <Set name="KeyStorePath"><Property name="ssl.etc"/>/keystore.jks</Set>
    <Set name="KeyStorePassword">REDACTED</Set>
    <Set name="KeyManagerPassword">REDACTED</Set>
    <Set name="TrustStorePath"><Property name="ssl.etc"/>/keystore.jks</Set>
    <Set name="TrustStorePassword">REDACTED</Set>
    <Set name="EndpointIdentificationAlgorithm"></Set>
    <Set name="NeedClientAuth"><Property name="jetty.ssl.needClientAuth" default="false"/></Set>
    <Set name="WantClientAuth"><Property name="jetty.ssl.wantClientAuth" default="false"/></Set>
    <Set name="ExcludeCipherSuites">
      <Array type="String">
        <Item>SSL_RSA_WITH_DES_CBC_SHA</Item>
        <Item>SSL_DHE_RSA_WITH_DES_CBC_SHA</Item>
        <Item>SSL_DHE_DSS_WITH_DES_CBC_SHA</Item>
        <Item>SSL_RSA_EXPORT_WITH_RC4_40_MD5</Item>
        <Item>SSL_RSA_EXPORT_WITH_DES40_CBC_SHA</Item>
        <Item>SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA</Item>
        <Item>SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA</Item>
      </Array>
    </Set>
  </New>

  <Call  name="addConnector">
    <Arg>
      <New id="httpsConnector" class="org.eclipse.jetty.server.ServerConnector">
        <Arg name="server"><Ref refid="Server" /></Arg>
        <Arg name="acceptors" type="int"><Property name="jetty.https.acceptors" default="-1"/></Arg>
        <Arg name="selectors" type="int"><Property name="jetty.https.selectors" default="-1"/></Arg>
        <Arg name="factories">
          <Array type="org.eclipse.jetty.server.ConnectionFactory">
            <Item>
              <New class="org.sonatype.nexus.bootstrap.jetty.InstrumentedConnectionFactory">
                <Arg>
                  <New class="org.eclipse.jetty.server.SslConnectionFactory">
                    <Arg name="next">http/1.1</Arg>
                    <Arg name="sslContextFactory"><Ref refid="sslContextFactory"/></Arg>
                  </New>
                </Arg>
              </New>
            </Item>
            <Item>
              <New class="org.eclipse.jetty.server.HttpConnectionFactory">
                <Arg name="config"><Ref refid="httpsConfig" /></Arg>
              </New>
            </Item>
          </Array>
        </Arg>

        <Set name="host"><Property name="application-host" /></Set>
        <Set name="port"><Property name="application-port-ssl" /></Set>
        <Set name="idleTimeout"><Property name="jetty.https.timeout" default="30000"/></Set>
        <Set name="soLingerTime"><Property name="jetty.https.soLingerTime" default="-1"/></Set>
        <Set name="acceptorPriorityDelta"><Property name="jetty.https.acceptorPriorityDelta" default="0"/></Set>
        <Set name="acceptQueueSize"><Property name="jetty.https.acceptQueueSize" default="0"/></Set>
      </New>
    </Arg>
  </Call>

</Configure>

But jetty is still not starting. I stops with the above error message.

Any ideas what I could do?

Best regards,
rforberger

mpiggott · August 11, 2020, 1:48pm

As part of the release there was an upgrade to Jetty which is causing this, there is a work around in this ticket - https://issues.sonatype.org/browse/NEXUS-24867

ronnyforberger · August 11, 2020, 2:31pm

Thanks, I have tried to add

 <New id="sslContextFactory" class="org.eclipse.jetty.util.ssl.SslContextFactory$Server">

but it doesn’t work for me. Startup still complains about several certificates in my keystore.
I need several certificates in my keystore.

mpiggott · August 11, 2020, 2:37pm

Did you add change it in both usages of SslContextFactory?

ronnyforberger · August 11, 2020, 2:41pm

I see only one usage of the class

Where do you mean to change both usages of SslContextFactory?

mpiggott · August 11, 2020, 2:59pm

You have a second reference inside of call

ronnyforberger · August 11, 2020, 3:39pm

Well I have one
<New id="sslContextFactory" class="org.eclipse.jetty.util.ssl.SslContextFactory$Server">
and the second one
<New class="org.eclipse.jetty.server.SslConnectionFactory">

But this is not the same class. I only see one class of org.eclipse.jetty.util.ssl.SslContextFactory

mpiggott · August 11, 2020, 4:00pm

Ah apologies, I didn’t look closely enough at the config.

Could you post a full stack trace?

ronnyforberger · August 11, 2020, 4:05pm

Sure.

2020-08-11 15:33:05,856+0000 ERROR [jetty-main-1] *SYSTEM org.eclipse.jetty.util.log.StdErrLog - 2020-08-11 15:33:05.856:INFO:oejs.AbstractConnector:jetty-main-1: Started ServerConnector@6d849944{HTTP/1.1, (http/1.1)}{0.0.0.0:8081}
2020-08-11 15:33:06,101+0000 ERROR [jetty-main-1] *SYSTEM org.eclipse.jetty.util.log.StdErrLog - 2020-08-11 15:33:06.080:INFO:oejus.SslContextFactory:jetty-main-1: x509=X509@22282bf8(1,h=[REDACTED],w=[REDACTED]) for SslContextFactory@3703b507[provider=null,keyStore=file:///nexus-data/etc/ssl/keystore.jks,trustStore=file:///nexus-data/etc/ssl/keystore.jks]
2020-08-11 15:33:06,138+0000 INFO  [elasticsearch[CCC0E1CA-E8EA679A-B5C50AE2-8164818D-115A8581][clusterService#updateTask][T#1]] *SYSTEM org.elasticsearch.cluster.metadata - [CCC0E1CA-E8EA679A-B5C50AE2-8164818D-115A8581] [249b4eac370437567a4ebb3a6b228081f7ecbc11] creating index, cause [api], templates [], shards [1]/[0], mappings [component]
2020-08-11 15:33:06,277+0000 ERROR [jetty-main-1] *SYSTEM org.sonatype.nexus.bootstrap.jetty.JettyServer - Failed to start
java.lang.IllegalStateException: KeyStores with multiple certificates are not supported on the base class org.eclipse.jetty.util.ssl.SslContextFactory. (Use org.eclipse.jetty.util.ssl.SslContextFactory$Server or org.eclipse.jetty.util.ssl.SslContextFactory$Client instead)
        at org.eclipse.jetty.util.ssl.SslContextFactory.newSniX509ExtendedKeyManager(SslContextFactory.java:1274)
        at org.eclipse.jetty.util.ssl.SslContextFactory.getKeyManagers(SslContextFactory.java:1256)
        at org.eclipse.jetty.util.ssl.SslContextFactory.load(SslContextFactory.java:374)
        at org.eclipse.jetty.util.ssl.SslContextFactory.doStart(SslContextFactory.java:245)
        at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:72)
        at org.eclipse.jetty.util.component.ContainerLifeCycle.start(ContainerLifeCycle.java:169)
        at org.eclipse.jetty.util.component.ContainerLifeCycle.doStart(ContainerLifeCycle.java:117)
        at org.eclipse.jetty.server.SslConnectionFactory.doStart(SslConnectionFactory.java:97)
        at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:72)
        at org.eclipse.jetty.util.component.ContainerLifeCycle.start(ContainerLifeCycle.java:169)
        at org.eclipse.jetty.util.component.ContainerLifeCycle.doStart(ContainerLifeCycle.java:117)
        at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:72)
        at org.eclipse.jetty.util.component.ContainerLifeCycle.start(ContainerLifeCycle.java:169)
        at org.eclipse.jetty.util.component.ContainerLifeCycle.doStart(ContainerLifeCycle.java:117)
        at org.eclipse.jetty.server.AbstractConnector.doStart(AbstractConnector.java:321)
        at org.eclipse.jetty.server.AbstractNetworkConnector.doStart(AbstractNetworkConnector.java:81)
        at org.eclipse.jetty.server.ServerConnector.doStart(ServerConnector.java:234)
        at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:72)
        at org.eclipse.jetty.server.Server.doStart(Server.java:386)
        at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:72)
        at org.sonatype.nexus.bootstrap.jetty.JettyServer$JettyMainThread.run(JettyServer.java:274)

plynch · August 11, 2020, 5:36pm

Suggest this convo be taken offline into https://issues.sonatype.org/browse/NEXUS-24871