Uploaded image for project: 'Dev - Nexus Repo'
  1. Dev - Nexus Repo
  2. NEXUS-24867

NXRM may not start if HTTPS connector is configured to use a certificate that requires SNI

    XMLWordPrintable

Details

    • 2

    Description

      Problem

      If the keystore referenced by jetty-https.xml contains more than one server certificate for the same host name and no certificate alias is defined inside jetty-https.xml
      OR the server certificate chosen requires SNI (i.e. has multiple domain names or employs domain wildcards), then default configuration and the configuration re-used from older NXRM versions will cause NXRM to not start.

      2020-08-11 14:08:44.995:INFO:oejus.SslContextFactory:jetty-main-1: x509=X509@517dabeb(nexus_jetty,h=[example.com, node1.example.com],w=[]) for SslContextFactory@5467af50[provider=null,keyStore=file:///opt/nexus/nexus-3.26.0-04/nexus-3.26.0-04/etc/ssl/keystore.jks,trustStore=file:///opt/nexus/nexus-3.26.0-04/nexus-3.26.0-04/etc/ssl/keystore.jks]

2020-08-11 14:08:44,997+1000 ERROR [jetty-main-1]  *SYSTEM org.sonatype.nexus.bootstrap.jetty.JettyServer - Failed to start
java.lang.IllegalStateException: KeyStores with multiple certificates are not supported on the base class org.eclipse.jetty.util.ssl.SslContextFactory. (Use org.eclipse.jetty.util.ssl.SslContextFactory$Server or org.eclipse.jetty.util.ssl.SslContextFactory$Client instead)
	at org.eclipse.jetty.util.ssl.SslContextFactory.newSniX509ExtendedKeyManager(SslContextFactory.java:1274)
	at org.eclipse.jetty.util.ssl.SslContextFactory.getKeyManagers(SslContextFactory.java:1256)
	at org.eclipse.jetty.util.ssl.SslContextFactory.load(SslContextFactory.java:374)
	at org.eclipse.jetty.util.ssl.SslContextFactory.doStart(SslContextFactory.java:245)
	at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:72)
	at org.eclipse.jetty.util.component.ContainerLifeCycle.start(ContainerLifeCycle.java:169)
	at org.eclipse.jetty.util.component.ContainerLifeCycle.doStart(ContainerLifeCycle.java:117)
	at org.eclipse.jetty.server.SslConnectionFactory.doStart(SslConnectionFactory.java:97)
	at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:72)
	at org.eclipse.jetty.util.component.ContainerLifeCycle.start(ContainerLifeCycle.java:169)
	at org.eclipse.jetty.util.component.ContainerLifeCycle.doStart(ContainerLifeCycle.java:117)
	at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:72)
	at org.eclipse.jetty.util.component.ContainerLifeCycle.start(ContainerLifeCycle.java:169)
	at org.eclipse.jetty.util.component.ContainerLifeCycle.doStart(ContainerLifeCycle.java:117)
	at org.eclipse.jetty.server.AbstractConnector.doStart(AbstractConnector.java:321)
	at org.eclipse.jetty.server.AbstractNetworkConnector.doStart(AbstractNetworkConnector.java:81)
	at org.eclipse.jetty.server.ServerConnector.doStart(ServerConnector.java:234)
	at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:72)
	at org.eclipse.jetty.server.Server.doStart(Server.java:386)
	at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:72)
	at org.sonatype.nexus.bootstrap.jetty.JettyServer$JettyMainThread.run(JettyServer.java:274)
2020-08-11 14:08:45,004+1000 INFO  [FelixStartLevel]  *SYSTEM org.sonatype.nexus.repository.httpbridge.internal.ViewServlet - Destroyed
2020-08-11 14:08:45,005+1000 INFO  [FelixStartLevel]  *SYSTEM org.sonatype.nexus.repository.httpbridge.internal.ViewServlet - Destroyed

      Diagnosis

      NXRM upgraded the version of Eclipse Jetty it uses to version 9.4.30.v20200611.
      The upgrade included an external change which causes this problem - related:

      From https://github.com/eclipse/jetty.project/pull/4326#discussion_r352707837 :

      Jetty version 9.4.16.v20190411 is the one that introduced the split for Server vs Client (which fixed client configs impacting server, and server configs impacting client, among which was SNI behaviors and EndpointIdentificationAlgorithm behaviors)

      Server certificates that use SNI will cause a startup failure, unless the default config is changed.

      WORKAROUND

      Change below line inside of ${jetty.etc}/jetty-https.xml (add "$Server")

       <New id="sslContextFactory" class="org.eclipse.jetty.util.ssl.SslContextFactory">

      to

       <New id="sslContextFactory" class="org.eclipse.jetty.util.ssl.SslContextFactory$Server">

      Attachments

        Issue Links

          is caused by

          Improvement - An improvement or enhancement to an existing feature or task. NEXUS-24327 Upgrade Jetty to 9.4.30.v20200611

          • Major - Major loss of function.
          • Closed
          mentioned in

          Page Loading...

          Activity

            People

              Unassigned Unassigned
              jsensharma Jay Kumar SenSharma
              Michael Prescott Michael Prescott
              Votes:
              5 Vote for this issue
              Watchers:
              13 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved:

                tigCommentSecurity.panel-title