Details
- Bug
- Resolution: Fixed
- Blocker
- 3.26.0
- 2
Description
Problem
If the keystore referenced by jetty-https.xml contains more than one server certificate for the same host name and no certificate alias is defined inside jetty-https.xml,
OR the server certificate chosen requires SNI (i.e. it covers multiple domain names or employs domain wildcards), then the default configuration, and any configuration re-used from older NXRM versions, causes NXRM to fail to start:
2020-08-11 14:08:44.995:INFO:oejus.SslContextFactory:jetty-main-1: x509=X509@517dabeb(nexus_jetty,h=[example.com, node1.example.com],w=[]) for SslContextFactory@5467af50[provider=null,keyStore=file:///opt/nexus/nexus-3.26.0-04/nexus-3.26.0-04/etc/ssl/keystore.jks,trustStore=file:///opt/nexus/nexus-3.26.0-04/nexus-3.26.0-04/etc/ssl/keystore.jks]
2020-08-11 14:08:44,997+1000 ERROR [jetty-main-1] *SYSTEM org.sonatype.nexus.bootstrap.jetty.JettyServer - Failed to start
java.lang.IllegalStateException: KeyStores with multiple certificates are not supported on the base class org.eclipse.jetty.util.ssl.SslContextFactory. (Use org.eclipse.jetty.util.ssl.SslContextFactory$Server or org.eclipse.jetty.util.ssl.SslContextFactory$Client instead)
    at org.eclipse.jetty.util.ssl.SslContextFactory.newSniX509ExtendedKeyManager(SslContextFactory.java:1274)
    at org.eclipse.jetty.util.ssl.SslContextFactory.getKeyManagers(SslContextFactory.java:1256)
    at org.eclipse.jetty.util.ssl.SslContextFactory.load(SslContextFactory.java:374)
    at org.eclipse.jetty.util.ssl.SslContextFactory.doStart(SslContextFactory.java:245)
    at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:72)
    at org.eclipse.jetty.util.component.ContainerLifeCycle.start(ContainerLifeCycle.java:169)
    at org.eclipse.jetty.util.component.ContainerLifeCycle.doStart(ContainerLifeCycle.java:117)
    at org.eclipse.jetty.server.SslConnectionFactory.doStart(SslConnectionFactory.java:97)
    at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:72)
    at org.eclipse.jetty.util.component.ContainerLifeCycle.start(ContainerLifeCycle.java:169)
    at org.eclipse.jetty.util.component.ContainerLifeCycle.doStart(ContainerLifeCycle.java:117)
    at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:72)
    at org.eclipse.jetty.util.component.ContainerLifeCycle.start(ContainerLifeCycle.java:169)
    at org.eclipse.jetty.util.component.ContainerLifeCycle.doStart(ContainerLifeCycle.java:117)
    at org.eclipse.jetty.server.AbstractConnector.doStart(AbstractConnector.java:321)
    at org.eclipse.jetty.server.AbstractNetworkConnector.doStart(AbstractNetworkConnector.java:81)
    at org.eclipse.jetty.server.ServerConnector.doStart(ServerConnector.java:234)
    at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:72)
    at org.eclipse.jetty.server.Server.doStart(Server.java:386)
    at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:72)
    at org.sonatype.nexus.bootstrap.jetty.JettyServer$JettyMainThread.run(JettyServer.java:274)
2020-08-11 14:08:45,004+1000 INFO [FelixStartLevel] *SYSTEM org.sonatype.nexus.repository.httpbridge.internal.ViewServlet - Destroyed
2020-08-11 14:08:45,005+1000 INFO [FelixStartLevel] *SYSTEM org.sonatype.nexus.repository.httpbridge.internal.ViewServlet - Destroyed
Diagnosis
NXRM upgraded the version of Eclipse Jetty it uses to 9.4.30.v20200611.
The upgrade picked up an upstream Jetty change that causes this problem; related:
- https://github.com/eclipse/jetty.project/issues/4425
- https://github.com/eclipse/jetty.project/issues/4385
- https://github.com/eclipse/jetty.project/pull/4326
- https://github.com/eclipse/jetty.project/issues/3464 (original code change)
- https://github.com/eclipse/jetty.project/commit/6fb243ff6c96714d997e71064c3e7b99d114d633
From https://github.com/eclipse/jetty.project/pull/4326#discussion_r352707837:
Jetty version 9.4.16.v20190411 is the one that introduced the split for Server vs Client (which fixed client configs impacting server, and server configs impacting client, among which was SNI behaviors and EndpointIdentificationAlgorithm behaviors)
Server certificates that use SNI will cause a startup failure, unless the default config is changed.
WORKAROUND
Change the line below inside ${jetty.etc}/jetty-https.xml (append "$Server" to the class name):
<New id="sslContextFactory" class="org.eclipse.jetty.util.ssl.SslContextFactory">
to
<New id="sslContextFactory" class="org.eclipse.jetty.util.ssl.SslContextFactory$Server">
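As an added example (not part of this issue and not Sonatype's or Jetty's code), the following Python script performs the pre-upgrade check a practitioner would want before moving an old jetty-https.xml onto NXRM 3.26.0: it reports whether the sslContextFactory bean still uses the base class that Jetty 9.4.30 rejects for multi-certificate or SNI keystores, reports whether a certificate alias is pinned, and applies the workaround above by rewriting only the class attribute. The sample XML is constructed to resemble a pre-upgrade file; the `CertAlias` property name is assumed from Jetty's `SslContextFactory.setCertAlias` setter, and the regex assumes the attributes appear in the `id="..." class="..."` order shown in this issue.

```python
import re
import xml.etree.ElementTree as ET

BASE_CLASS = "org.eclipse.jetty.util.ssl.SslContextFactory"
SERVER_CLASS = BASE_CLASS + "$Server"

# Constructed sample resembling a jetty-https.xml carried over from an older
# NXRM version (hypothetical content, not copied from an NXRM install).
SAMPLE_JETTY_HTTPS_XML = """<?xml version="1.0"?>
<Configure id="Server" class="org.eclipse.jetty.server.Server">
  <New id="sslContextFactory" class="org.eclipse.jetty.util.ssl.SslContextFactory">
    <Set name="KeyStorePath"><Property name="ssl.etc"/>/keystore.jks</Set>
    <Set name="KeyStorePassword">changeit</Set>
  </New>
</Configure>
"""


def find_ssl_context_factory(xml_text):
    """Return the <New id="sslContextFactory"> element, or None if absent."""
    root = ET.fromstring(xml_text)
    for elem in root.iter("New"):
        if elem.get("id") == "sslContextFactory":
            return elem
    return None


def check_ssl_context_factory(xml_text):
    """Return a list of findings (strings) about the SslContextFactory bean.

    An empty list means Jetty 9.4.30 will accept the bean whatever the
    keystore contains; a non-empty list names what to fix or confirm.
    """
    findings = []
    elem = find_ssl_context_factory(xml_text)
    if elem is None:
        return ['no <New id="sslContextFactory"> element found']

    # Finding 1: the base class throws IllegalStateException at startup when
    # the keystore holds several certificates or an SNI certificate.
    if elem.get("class", "") == BASE_CLASS:
        findings.append(
            "class is the base SslContextFactory; Jetty 9.4.30 refuses to "
            "start it with a multi-certificate or SNI keystore, "
            "use SslContextFactory$Server"
        )

    # Finding 2: Jetty XML sets bean properties via <Set name="...">. Without
    # CertAlias (assumed property name, from setCertAlias) Jetty has to pick
    # the entry itself when the keystore has more than one certificate.
    set_names = {s.get("name", "").lower() for s in elem.iter("Set")}
    if "certalias" not in set_names:
        findings.append(
            "no CertAlias set; with several certificates in the keystore "
            "Jetty must choose the entry by SNI"
        )
    return findings


# Matches only the class attribute of the sslContextFactory bean so the rest
# of the file (comments, whitespace, other beans) is preserved byte-for-byte.
_CLASS_ATTR = re.compile(
    r'(<New\s+id="sslContextFactory"\s+class=")' + re.escape(BASE_CLASS) + r'(")'
)


def apply_workaround(xml_text):
    """Rewrite the bean's class to SslContextFactory$Server (the workaround)."""
    return _CLASS_ATTR.sub(lambda m: m.group(1) + SERVER_CLASS + m.group(2), xml_text)


if __name__ == "__main__":
    for finding in check_ssl_context_factory(SAMPLE_JETTY_HTTPS_XML):
        print("before:", finding)
    fixed = apply_workaround(SAMPLE_JETTY_HTTPS_XML)
    for finding in check_ssl_context_factory(fixed):
        print("after: ", finding)
```

Run it against a real file by reading ${jetty.etc}/jetty-https.xml into `xml_text`; the CertAlias finding is informational when the keystore holds a single entry, while the base-class finding is the one that reproduces the IllegalStateException in the log above.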
Attachments
Issue Links
- is caused by: NEXUS-24327 Upgrade Jetty to 9.4.30.v20200611 (Closed)
- mentioned in