Dev - Nexus Repo / NEXUS-24867

NXRM may not start if HTTPS connector is configured to use a certificate that requires SNI


    Details

      Notability: 2

      Description

      Problem

      If the keystore referenced by jetty-https.xml contains more than one server certificate for the same host name and no certificate alias is defined inside jetty-https.xml,
      OR the server certificate chosen requires SNI (i.e. it carries multiple domain names or a wildcard domain), then both the default configuration and a configuration carried over from older NXRM versions will cause NXRM to fail to start.

      2020-08-11 14:08:44.995:INFO:oejus.SslContextFactory:jetty-main-1: x509=X509@517dabeb(nexus_jetty,h=[example.com, node1.example.com],w=[]) for SslContextFactory@5467af50[provider=null,keyStore=file:///opt/nexus/nexus-3.26.0-04/nexus-3.26.0-04/etc/ssl/keystore.jks,trustStore=file:///opt/nexus/nexus-3.26.0-04/nexus-3.26.0-04/etc/ssl/keystore.jks]
      
      2020-08-11 14:08:44,997+1000 ERROR [jetty-main-1]  *SYSTEM org.sonatype.nexus.bootstrap.jetty.JettyServer - Failed to start
      java.lang.IllegalStateException: KeyStores with multiple certificates are not supported on the base class org.eclipse.jetty.util.ssl.SslContextFactory. (Use org.eclipse.jetty.util.ssl.SslContextFactory$Server or org.eclipse.jetty.util.ssl.SslContextFactory$Client instead)
      	at org.eclipse.jetty.util.ssl.SslContextFactory.newSniX509ExtendedKeyManager(SslContextFactory.java:1274)
      	at org.eclipse.jetty.util.ssl.SslContextFactory.getKeyManagers(SslContextFactory.java:1256)
      	at org.eclipse.jetty.util.ssl.SslContextFactory.load(SslContextFactory.java:374)
      	at org.eclipse.jetty.util.ssl.SslContextFactory.doStart(SslContextFactory.java:245)
      	at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:72)
      	at org.eclipse.jetty.util.component.ContainerLifeCycle.start(ContainerLifeCycle.java:169)
      	at org.eclipse.jetty.util.component.ContainerLifeCycle.doStart(ContainerLifeCycle.java:117)
      	at org.eclipse.jetty.server.SslConnectionFactory.doStart(SslConnectionFactory.java:97)
      	at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:72)
      	at org.eclipse.jetty.util.component.ContainerLifeCycle.start(ContainerLifeCycle.java:169)
      	at org.eclipse.jetty.util.component.ContainerLifeCycle.doStart(ContainerLifeCycle.java:117)
      	at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:72)
      	at org.eclipse.jetty.util.component.ContainerLifeCycle.start(ContainerLifeCycle.java:169)
      	at org.eclipse.jetty.util.component.ContainerLifeCycle.doStart(ContainerLifeCycle.java:117)
      	at org.eclipse.jetty.server.AbstractConnector.doStart(AbstractConnector.java:321)
      	at org.eclipse.jetty.server.AbstractNetworkConnector.doStart(AbstractNetworkConnector.java:81)
      	at org.eclipse.jetty.server.ServerConnector.doStart(ServerConnector.java:234)
      	at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:72)
      	at org.eclipse.jetty.server.Server.doStart(Server.java:386)
      	at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:72)
      	at org.sonatype.nexus.bootstrap.jetty.JettyServer$JettyMainThread.run(JettyServer.java:274)
      2020-08-11 14:08:45,004+1000 INFO  [FelixStartLevel]  *SYSTEM org.sonatype.nexus.repository.httpbridge.internal.ViewServlet - Destroyed
      2020-08-11 14:08:45,005+1000 INFO  [FelixStartLevel]  *SYSTEM org.sonatype.nexus.repository.httpbridge.internal.ViewServlet - Destroyed
      

      Diagnosis

      NXRM upgraded the version of Eclipse Jetty it uses to 9.4.30.v20200611.
      That upgrade pulled in an upstream Jetty change that causes this problem; related discussion:

      From https://github.com/eclipse/jetty.project/pull/4326#discussion_r352707837 :

      Jetty version 9.4.16.v20190411 is the one that introduced the split for Server vs Client (which fixed client configs impacting server, and server configs impacting client, among which was SNI behaviors and EndpointIdentificationAlgorithm behaviors)

      Server certificates that use SNI will cause a startup failure, unless the default config is changed.

      WORKAROUND

      Change the line below inside ${jetty.etc}/jetty-https.xml (append "$Server" to the class name)

       <New id="sslContextFactory" class="org.eclipse.jetty.util.ssl.SslContextFactory">
      

      to

       <New id="sslContextFactory" class="org.eclipse.jetty.util.ssl.SslContextFactory$Server">
      
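As an added pre-start check (example code, not Sonatype's or Jetty's): given the text of jetty-https.xml and the output of `keytool -list -v` for the keystore, it reports whether the failing combination described above is present and rewrites the bean to the workaround class. It assumes the bean is written as `<New id="sslContextFactory" class="...">` with `id` before `class`, as in the snippet above.

```python
"""Pre-start check for the NEXUS-24867 failure mode (added example, not Sonatype's code).
Inputs are text: jetty-https.xml and `keytool -list -v` output (assumed to carry one
"Entry type:" and optional "DNSName:" lines per alias)."""
import re
import xml.etree.ElementTree as ET

BASE_CLASS = "org.eclipse.jetty.util.ssl.SslContextFactory"
SERVER_CLASS = BASE_CLASS + "$Server"

def ssl_context_factory_class(jetty_https_xml):
    """Class attribute of the <New id="sslContextFactory"> bean in jetty-https.xml."""
    for new in ET.fromstring(jetty_https_xml).iter("New"):
        if new.get("id") == "sslContextFactory":
            return new.get("class", "")
    raise ValueError("no sslContextFactory bean in jetty-https.xml")

def keystore_needs_sni(keytool_listing):
    """True when Jetty routes the keystore through its SNI key manager: several
    private-key entries, or a certificate with several DNS names or a wildcard."""
    key_entries = keytool_listing.count("PrivateKeyEntry")
    dns_names = re.findall(r"DNSName:\s*(\S+)", keytool_listing)
    return key_entries > 1 or len(dns_names) > 1 or any(n.startswith("*.") for n in dns_names)

def will_fail_to_start(jetty_https_xml, keytool_listing):
    """Base-class SslContextFactory plus an SNI keystore is exactly the failing pair."""
    return ssl_context_factory_class(jetty_https_xml) == BASE_CLASS and keystore_needs_sni(keytool_listing)

def apply_workaround(jetty_https_xml):
    """Rewrite only the sslContextFactory bean to SslContextFactory$Server."""
    pattern = r'(id="sslContextFactory"\s+class=")' + re.escape(BASE_CLASS) + r'(")'
    return re.sub(pattern, lambda m: m.group(1) + SERVER_CLASS + m.group(2), jetty_https_xml)

# Constructed samples: a default bean and a listing matching the issue's log (one alias, two DNS names).
SAMPLE_XML = """<?xml version="1.0"?>
<!DOCTYPE Configure PUBLIC "-//Jetty//Configure//EN" "http://www.eclipse.org/jetty/configure_9_3.dtd">
<Configure id="Server" class="org.eclipse.jetty.server.Server">
  <New id="sslContextFactory" class="org.eclipse.jetty.util.ssl.SslContextFactory">
  </New>
</Configure>"""
SAMPLE_KEYTOOL = """Alias name: nexus_jetty
Entry type: PrivateKeyEntry
SubjectAlternativeName [
  DNSName: example.com
  DNSName: node1.example.com
]"""

if __name__ == "__main__":
    if will_fail_to_start(SAMPLE_XML, SAMPLE_KEYTOOL):
        print("NXRM would not start; patched jetty-https.xml:\n" + apply_workaround(SAMPLE_XML))
```

Run it against the real files with `will_fail_to_start(open(path).read(), subprocess.check_output(["keytool", "-list", "-v", "-keystore", ks, "-storepass", pw], text=True))`; a single-hostname certificate in the keystore is reported as safe.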

      People

      Assignee: Unassigned
      Reporter: jsensharma Jay Kumar SenSharma
      Last Updated By: Florian Baumann
      Votes: 5
      Watchers: 13