Uploaded image for project: 'FishEye'
  1. FishEye
  2. FE-7318

Fisheye fails to start with wildcard certificate

    XMLWordPrintable

Details

    Description

      Issue Summary

      Fisheye 4.8.4 bundles new Jetty libraries version 9.4.30, and when a wildcard certificate is used the application fails to start.

      Steps to Reproduce

      1. Make sure to be using Fisheye 4.8.4 configured to use a wildcard certificate
      2. Try starting the application

      Expected Results

      Fisheye should be able to read the wildcard certificate.

      Actual Results

      The application will fail to start, and the below exception is thrown in the atlassian-fisheye.log file when the instance is started in debug mode (by adding the --debug flag):

      2020-09-15 09:05:25,293 INFO  [main ] org.eclipse.jetty.server.handler.ContextHandler ContextHandler-doStart - Started c.c.f.w.j.FishEyeWebApplicationContext@3daf7722{Fisheye WebApp,/,file:///opt/atlassian/crucible/fecru-4.8.4/content/,AVAILABLE}{/opt/atlassian/crucible/fecru-4.8.4/content}
2020-09-15 09:05:25,300 INFO  [main ] org.eclipse.jetty.server.AbstractConnector AbstractConnector-doStart - Started LocalConnector@1ae8bcbc{HTTP/1.1, (http/1.1)}
2020-09-15 09:05:25,347 INFO  [main ] org.eclipse.jetty.server.AbstractConnector AbstractConnector-doStart - Started ServerConnector@479ceda0{HTTP/1.1, (http/1.1)}{0.0.0.0:8060}
2020-09-15 09:05:25,349 INFO  [main ] org.eclipse.jetty.util.ssl.SslContextFactory SslContextFactory-load - x509=X509@521a8a9b(fisheye,h=[crucible2.colsa.com, colsa.com],w=[colsa.com]) for SslContextFactory@7a5c6d8[provider=null,keyStore=file:///var/atlassian/application/crucible/crucible_new.jks,trustStore=file:///var/atlassian/application/crucible/crucible_new.jks]
2020-09-15 09:05:25,353 DEBUG [main ] fisheye Run-mainImpl - startup stacktrace
java.lang.IllegalStateException: KeyStores with multiple certificates are not supported on the base class org.eclipse.jetty.util.ssl.SslContextFactory. (Use org.eclipse.jetty.util.ssl.SslContextFactory$Server or org.eclipse.jetty.util.ssl.SslContextFactory$Client instead)
	at org.eclipse.jetty.util.ssl.SslContextFactory.newSniX509ExtendedKeyManager(SslContextFactory.java:1274) [jetty-util-9.4.30.v20200611.jar:9.4.30.v20200611]
	at org.eclipse.jetty.util.ssl.SslContextFactory.getKeyManagers(SslContextFactory.java:1256) [jetty-util-9.4.30.v20200611.jar:9.4.30.v20200611]
	at org.eclipse.jetty.util.ssl.SslContextFactory.load(SslContextFactory.java:374) [jetty-util-9.4.30.v20200611.jar:9.4.30.v20200611]
	at org.eclipse.jetty.util.ssl.SslContextFactory.doStart(SslContextFactory.java:245) [jetty-util-9.4.30.v20200611.jar:9.4.30.v20200611]
	at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:72) [jetty-util-9.4.30.v20200611.jar:9.4.30.v20200611]
	at org.eclipse.jetty.util.component.ContainerLifeCycle.start(ContainerLifeCycle.java:169) [jetty-util-9.4.30.v20200611.jar:9.4.30.v20200611]
	at org.eclipse.jetty.util.component.ContainerLifeCycle.doStart(ContainerLifeCycle.java:117) [jetty-util-9.4.30.v20200611.jar:9.4.30.v20200611]
	at org.eclipse.jetty.server.SslConnectionFactory.doStart(SslConnectionFactory.java:97) [jetty-server-9.4.30.v20200611.jar:9.4.30.v20200611]
	at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:72) [jetty-util-9.4.30.v20200611.jar:9.4.30.v20200611]
	at org.eclipse.jetty.util.component.ContainerLifeCycle.start(ContainerLifeCycle.java:169) [jetty-util-9.4.30.v20200611.jar:9.4.30.v20200611]
	at org.eclipse.jetty.util.component.ContainerLifeCycle.doStart(ContainerLifeCycle.java:117) [jetty-util-9.4.30.v20200611.jar:9.4.30.v20200611]
	at org.eclipse.jetty.server.AbstractConnector.doStart(AbstractConnector.java:321) [jetty-server-9.4.30.v20200611.jar:9.4.30.v20200611]
	at org.eclipse.jetty.server.AbstractNetworkConnector.doStart(AbstractNetworkConnector.java:81) [jetty-server-9.4.30.v20200611.jar:9.4.30.v20200611]
	at org.eclipse.jetty.server.ServerConnector.doStart(ServerConnector.java:234) [jetty-server-9.4.30.v20200611.jar:9.4.30.v20200611]
	at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:72) [jetty-util-9.4.30.v20200611.jar:9.4.30.v20200611]
	at org.eclipse.jetty.server.Server.doStart(Server.java:386) [jetty-server-9.4.30.v20200611.jar:9.4.30.v20200611]
	at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:72) [jetty-util-9.4.30.v20200611.jar:9.4.30.v20200611]
	at com.cenqua.fisheye.web.WebServer.start(WebServer.java:327) [fisheye.jar:?]
	at com.cenqua.fisheye.ctl.Run.mainImpl(Run.java:236) [fisheye.jar:?]
	at com.cenqua.fisheye.ctl.Run.main(Run.java:55) [fisheye.jar:?]
	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) [?:1.8.0_261]
	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) [?:1.8.0_261]
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) [?:1.8.0_261]
	at java.lang.reflect.Method.invoke(Method.java:498) [?:1.8.0_261]
	at com.cenqua.fisheye.FishEyeCtl.mainImpl(FishEyeCtl.java:101) [fisheyeboot.jar:?]
	at com.cenqua.fisheye.FishEyeCtl.main(FishEyeCtl.java:44) [fisheyeboot.jar:?]
2020-09-15 09:05:25,361 ERROR [main ] fisheye Run-logStartupException - Could not start server: KeyStores with multiple certificates are not supported on the base class org.eclipse.jetty.util.ssl.SslContextFactory. (Use org.eclipse.jetty.util.ssl.SslContextFactory$Server or org.eclipse.jetty.util.ssl.SslContextFactory$Client instead)
java.lang.IllegalStateException: KeyStores with multiple certificates are not supported on the base class org.eclipse.jetty.util.ssl.SslContextFactory. (Use org.eclipse.jetty.util.ssl.SslContextFactory$Server or org.eclipse.jetty.util.ssl.SslContextFactory$Client instead)
	at org.eclipse.jetty.util.ssl.SslContextFactory.newSniX509ExtendedKeyManager(SslContextFactory.java:1274) [jetty-util-9.4.30.v20200611.jar:9.4.30.v20200611]
	at org.eclipse.jetty.util.ssl.SslContextFactory.getKeyManagers(SslContextFactory.java:1256) [jetty-util-9.4.30.v20200611.jar:9.4.30.v20200611]
	at org.eclipse.jetty.util.ssl.SslContextFactory.load(SslContextFactory.java:374) [jetty-util-9.4.30.v20200611.jar:9.4.30.v20200611]
	at org.eclipse.jetty.util.ssl.SslContextFactory.doStart(SslContextFactory.java:245) [jetty-util-9.4.30.v20200611.jar:9.4.30.v20200611]
	at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:72) [jetty-util-9.4.30.v20200611.jar:9.4.30.v20200611]
	at org.eclipse.jetty.util.component.ContainerLifeCycle.start(ContainerLifeCycle.java:169) [jetty-util-9.4.30.v20200611.jar:9.4.30.v20200611]
	at org.eclipse.jetty.util.component.ContainerLifeCycle.doStart(ContainerLifeCycle.java:117) [jetty-util-9.4.30.v20200611.jar:9.4.30.v20200611]
	at org.eclipse.jetty.server.SslConnectionFactory.doStart(SslConnectionFactory.java:97) [jetty-server-9.4.30.v20200611.jar:9.4.30.v20200611]
	at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:72) [jetty-util-9.4.30.v20200611.jar:9.4.30.v20200611]
	at org.eclipse.jetty.util.component.ContainerLifeCycle.start(ContainerLifeCycle.java:169) [jetty-util-9.4.30.v20200611.jar:9.4.30.v20200611]
	at org.eclipse.jetty.util.component.ContainerLifeCycle.doStart(ContainerLifeCycle.java:117) [jetty-util-9.4.30.v20200611.jar:9.4.30.v20200611]
	at org.eclipse.jetty.server.AbstractConnector.doStart(AbstractConnector.java:321) [jetty-server-9.4.30.v20200611.jar:9.4.30.v20200611]
	at org.eclipse.jetty.server.AbstractNetworkConnector.doStart(AbstractNetworkConnector.java:81) [jetty-server-9.4.30.v20200611.jar:9.4.30.v20200611]
	at org.eclipse.jetty.server.ServerConnector.doStart(ServerConnector.java:234) [jetty-server-9.4.30.v20200611.jar:9.4.30.v20200611]
	at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:72) [jetty-util-9.4.30.v20200611.jar:9.4.30.v20200611]
	at org.eclipse.jetty.server.Server.doStart(Server.java:386) [jetty-server-9.4.30.v20200611.jar:9.4.30.v20200611]
	at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:72) [jetty-util-9.4.30.v20200611.jar:9.4.30.v20200611]
	at com.cenqua.fisheye.web.WebServer.start(WebServer.java:327) [fisheye.jar:?]
	at com.cenqua.fisheye.ctl.Run.mainImpl(Run.java:236) [fisheye.jar:?]
	at com.cenqua.fisheye.ctl.Run.main(Run.java:55) [fisheye.jar:?]
	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) [?:1.8.0_261]
	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) [?:1.8.0_261]
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) [?:1.8.0_261]
	at java.lang.reflect.Method.invoke(Method.java:498) [?:1.8.0_261]
	at com.cenqua.fisheye.FishEyeCtl.mainImpl(FishEyeCtl.java:101) [fisheyeboot.jar:?]
	at com.cenqua.fisheye.FishEyeCtl.main(FishEyeCtl.java:44) [fisheyeboot.jar:?]
2020-09-15 09:05:25,392 INFO  [Thread-1 ] fisheye ShutdownService-stopImpl - Shutdown requested

      Workaround

      1. Use a Fisheye version up to 4.8.3, which uses the old Jetty libraries 9.4.19 and where the problem does not happen, or
      2. Do not use a wildcard certificate, or
      3. Switch to plain HTTP
      4. Terminate SSL at proxy level instead of directly in Fisheye

      Attachments

        Issue Links

          mentioned in

          Page Loading...

          Activity

            People

              aslaski Adam Slaski
              fkraemer Felipe Kraemer
              Votes:
              17 Vote for this issue
              Watchers:
              30 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved:

                Time Tracking

                  Estimated:
                  Original Estimate - Not Specified
                  Not Specified
                  Remaining:
                  Remaining Estimate - Not Specified
                  Not Specified
                  Logged:
                  Time Spent - 5m
                  5m