Fisheye fails to start with wildcard certificate

      Issue Summary

      Fisheye 4.8.4 bundles the newer Jetty 9.4.30 libraries. When Fisheye is configured to use a wildcard certificate, the application fails to start.

      Steps to Reproduce

      1. Run Fisheye 4.8.4 configured to use a wildcard certificate
      2. Try starting the application

      Expected Results

      Fisheye should be able to read the wildcard certificate.

      Actual Results

      The application fails to start, and the following exception is logged in the atlassian-fisheye.log file when the instance is started in debug mode (by adding the --debug flag):

      2020-09-15 09:05:25,293 INFO  [main ] org.eclipse.jetty.server.handler.ContextHandler ContextHandler-doStart - Started c.c.f.w.j.FishEyeWebApplicationContext@3daf7722{Fisheye WebApp,/,file:///opt/atlassian/crucible/fecru-4.8.4/content/,AVAILABLE}{/opt/atlassian/crucible/fecru-4.8.4/content}
      2020-09-15 09:05:25,300 INFO  [main ] org.eclipse.jetty.server.AbstractConnector AbstractConnector-doStart - Started LocalConnector@1ae8bcbc{HTTP/1.1, (http/1.1)}
      2020-09-15 09:05:25,347 INFO  [main ] org.eclipse.jetty.server.AbstractConnector AbstractConnector-doStart - Started ServerConnector@479ceda0{HTTP/1.1, (http/1.1)}{0.0.0.0:8060}
      2020-09-15 09:05:25,349 INFO  [main ] org.eclipse.jetty.util.ssl.SslContextFactory SslContextFactory-load - x509=X509@521a8a9b(fisheye,h=[crucible2.colsa.com, colsa.com],w=[colsa.com]) for SslContextFactory@7a5c6d8[provider=null,keyStore=file:///var/atlassian/application/crucible/crucible_new.jks,trustStore=file:///var/atlassian/application/crucible/crucible_new.jks]
      2020-09-15 09:05:25,353 DEBUG [main ] fisheye Run-mainImpl - startup stacktrace
      java.lang.IllegalStateException: KeyStores with multiple certificates are not supported on the base class org.eclipse.jetty.util.ssl.SslContextFactory. (Use org.eclipse.jetty.util.ssl.SslContextFactory$Server or org.eclipse.jetty.util.ssl.SslContextFactory$Client instead)
      	at org.eclipse.jetty.util.ssl.SslContextFactory.newSniX509ExtendedKeyManager(SslContextFactory.java:1274) [jetty-util-9.4.30.v20200611.jar:9.4.30.v20200611]
      	at org.eclipse.jetty.util.ssl.SslContextFactory.getKeyManagers(SslContextFactory.java:1256) [jetty-util-9.4.30.v20200611.jar:9.4.30.v20200611]
      	at org.eclipse.jetty.util.ssl.SslContextFactory.load(SslContextFactory.java:374) [jetty-util-9.4.30.v20200611.jar:9.4.30.v20200611]
      	at org.eclipse.jetty.util.ssl.SslContextFactory.doStart(SslContextFactory.java:245) [jetty-util-9.4.30.v20200611.jar:9.4.30.v20200611]
      	at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:72) [jetty-util-9.4.30.v20200611.jar:9.4.30.v20200611]
      	at org.eclipse.jetty.util.component.ContainerLifeCycle.start(ContainerLifeCycle.java:169) [jetty-util-9.4.30.v20200611.jar:9.4.30.v20200611]
      	at org.eclipse.jetty.util.component.ContainerLifeCycle.doStart(ContainerLifeCycle.java:117) [jetty-util-9.4.30.v20200611.jar:9.4.30.v20200611]
      	at org.eclipse.jetty.server.SslConnectionFactory.doStart(SslConnectionFactory.java:97) [jetty-server-9.4.30.v20200611.jar:9.4.30.v20200611]
      	at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:72) [jetty-util-9.4.30.v20200611.jar:9.4.30.v20200611]
      	at org.eclipse.jetty.util.component.ContainerLifeCycle.start(ContainerLifeCycle.java:169) [jetty-util-9.4.30.v20200611.jar:9.4.30.v20200611]
      	at org.eclipse.jetty.util.component.ContainerLifeCycle.doStart(ContainerLifeCycle.java:117) [jetty-util-9.4.30.v20200611.jar:9.4.30.v20200611]
      	at org.eclipse.jetty.server.AbstractConnector.doStart(AbstractConnector.java:321) [jetty-server-9.4.30.v20200611.jar:9.4.30.v20200611]
      	at org.eclipse.jetty.server.AbstractNetworkConnector.doStart(AbstractNetworkConnector.java:81) [jetty-server-9.4.30.v20200611.jar:9.4.30.v20200611]
      	at org.eclipse.jetty.server.ServerConnector.doStart(ServerConnector.java:234) [jetty-server-9.4.30.v20200611.jar:9.4.30.v20200611]
      	at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:72) [jetty-util-9.4.30.v20200611.jar:9.4.30.v20200611]
      	at org.eclipse.jetty.server.Server.doStart(Server.java:386) [jetty-server-9.4.30.v20200611.jar:9.4.30.v20200611]
      	at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:72) [jetty-util-9.4.30.v20200611.jar:9.4.30.v20200611]
      	at com.cenqua.fisheye.web.WebServer.start(WebServer.java:327) [fisheye.jar:?]
      	at com.cenqua.fisheye.ctl.Run.mainImpl(Run.java:236) [fisheye.jar:?]
      	at com.cenqua.fisheye.ctl.Run.main(Run.java:55) [fisheye.jar:?]
      	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) [?:1.8.0_261]
      	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) [?:1.8.0_261]
      	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) [?:1.8.0_261]
      	at java.lang.reflect.Method.invoke(Method.java:498) [?:1.8.0_261]
      	at com.cenqua.fisheye.FishEyeCtl.mainImpl(FishEyeCtl.java:101) [fisheyeboot.jar:?]
      	at com.cenqua.fisheye.FishEyeCtl.main(FishEyeCtl.java:44) [fisheyeboot.jar:?]
      2020-09-15 09:05:25,361 ERROR [main ] fisheye Run-logStartupException - Could not start server: KeyStores with multiple certificates are not supported on the base class org.eclipse.jetty.util.ssl.SslContextFactory. (Use org.eclipse.jetty.util.ssl.SslContextFactory$Server or org.eclipse.jetty.util.ssl.SslContextFactory$Client instead)
      java.lang.IllegalStateException: KeyStores with multiple certificates are not supported on the base class org.eclipse.jetty.util.ssl.SslContextFactory. (Use org.eclipse.jetty.util.ssl.SslContextFactory$Server or org.eclipse.jetty.util.ssl.SslContextFactory$Client instead)
      	at org.eclipse.jetty.util.ssl.SslContextFactory.newSniX509ExtendedKeyManager(SslContextFactory.java:1274) [jetty-util-9.4.30.v20200611.jar:9.4.30.v20200611]
      	at org.eclipse.jetty.util.ssl.SslContextFactory.getKeyManagers(SslContextFactory.java:1256) [jetty-util-9.4.30.v20200611.jar:9.4.30.v20200611]
      	at org.eclipse.jetty.util.ssl.SslContextFactory.load(SslContextFactory.java:374) [jetty-util-9.4.30.v20200611.jar:9.4.30.v20200611]
      	at org.eclipse.jetty.util.ssl.SslContextFactory.doStart(SslContextFactory.java:245) [jetty-util-9.4.30.v20200611.jar:9.4.30.v20200611]
      	at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:72) [jetty-util-9.4.30.v20200611.jar:9.4.30.v20200611]
      	at org.eclipse.jetty.util.component.ContainerLifeCycle.start(ContainerLifeCycle.java:169) [jetty-util-9.4.30.v20200611.jar:9.4.30.v20200611]
      	at org.eclipse.jetty.util.component.ContainerLifeCycle.doStart(ContainerLifeCycle.java:117) [jetty-util-9.4.30.v20200611.jar:9.4.30.v20200611]
      	at org.eclipse.jetty.server.SslConnectionFactory.doStart(SslConnectionFactory.java:97) [jetty-server-9.4.30.v20200611.jar:9.4.30.v20200611]
      	at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:72) [jetty-util-9.4.30.v20200611.jar:9.4.30.v20200611]
      	at org.eclipse.jetty.util.component.ContainerLifeCycle.start(ContainerLifeCycle.java:169) [jetty-util-9.4.30.v20200611.jar:9.4.30.v20200611]
      	at org.eclipse.jetty.util.component.ContainerLifeCycle.doStart(ContainerLifeCycle.java:117) [jetty-util-9.4.30.v20200611.jar:9.4.30.v20200611]
      	at org.eclipse.jetty.server.AbstractConnector.doStart(AbstractConnector.java:321) [jetty-server-9.4.30.v20200611.jar:9.4.30.v20200611]
      	at org.eclipse.jetty.server.AbstractNetworkConnector.doStart(AbstractNetworkConnector.java:81) [jetty-server-9.4.30.v20200611.jar:9.4.30.v20200611]
      	at org.eclipse.jetty.server.ServerConnector.doStart(ServerConnector.java:234) [jetty-server-9.4.30.v20200611.jar:9.4.30.v20200611]
      	at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:72) [jetty-util-9.4.30.v20200611.jar:9.4.30.v20200611]
      	at org.eclipse.jetty.server.Server.doStart(Server.java:386) [jetty-server-9.4.30.v20200611.jar:9.4.30.v20200611]
      	at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:72) [jetty-util-9.4.30.v20200611.jar:9.4.30.v20200611]
      	at com.cenqua.fisheye.web.WebServer.start(WebServer.java:327) [fisheye.jar:?]
      	at com.cenqua.fisheye.ctl.Run.mainImpl(Run.java:236) [fisheye.jar:?]
      	at com.cenqua.fisheye.ctl.Run.main(Run.java:55) [fisheye.jar:?]
      	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) [?:1.8.0_261]
      	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) [?:1.8.0_261]
      	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) [?:1.8.0_261]
      	at java.lang.reflect.Method.invoke(Method.java:498) [?:1.8.0_261]
      	at com.cenqua.fisheye.FishEyeCtl.mainImpl(FishEyeCtl.java:101) [fisheyeboot.jar:?]
      	at com.cenqua.fisheye.FishEyeCtl.main(FishEyeCtl.java:44) [fisheyeboot.jar:?]
      2020-09-15 09:05:25,392 INFO  [Thread-1 ] fisheye ShutdownService-stopImpl - Shutdown requested
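
      To confirm that a failed start is this issue rather than another TLS misconfiguration, the log lines above can be checked mechanically. The following Python is an added example, not Atlassian's or Jetty's code; the `triage` function, its report keys and the sample log lines (constructed, with example.test names) are assumptions for illustration.

```python
import re

# Jetty logs each loaded certificate as X509@id(alias,h=[host names],w=[wildcard domains]).
X509_RE = re.compile(
    r"x509=X509@\w+\((?P<alias>[^,]+),h=\[(?P<hosts>[^\]]*)\],w=\[(?P<wilds>[^\]]*)\]\)")
KEYSTORE_RE = re.compile(r"keyStore=(?P<path>[^,\]]+)")
JETTY_RE = re.compile(r"\[jetty-util-(?P<version>\d+(?:\.\d+)+)")
ERROR_TEXT = "KeyStores with multiple certificates are not supported on the base class"

def _split(csv):
    return [item.strip() for item in csv.split(",") if item.strip()]

def triage(lines):
    """Summarise the TLS startup evidence in atlassian-fisheye.log lines."""
    report = {"certs": [], "keystore": None, "jetty": None, "error": False}
    for line in lines:
        cert = X509_RE.search(line)
        if cert:
            report["certs"].append({"alias": cert["alias"],
                                    "hosts": _split(cert["hosts"]),
                                    "wildcards": _split(cert["wilds"])})
            store = KEYSTORE_RE.search(line)
            if store:
                report["keystore"] = store["path"]
        if ERROR_TEXT in line:
            report["error"] = True
        jetty = JETTY_RE.search(line)
        if jetty and report["jetty"] is None:
            report["jetty"] = jetty["version"]
    # This issue's signature: the exception plus a certificate with wildcard names.
    has_wildcard = any(c["wildcards"] for c in report["certs"])
    report["matches_fe_7318"] = report["error"] and has_wildcard
    return report

# Constructed sample lines in the shape of the log above (not real data).
SAMPLE_LOG = [
    "2020-01-01 00:00:00,000 INFO  [main ] org.eclipse.jetty.util.ssl.SslContextFactory "
    "SslContextFactory-load - x509=X509@1a2b3c4d(fisheye,h=[fisheye.example.test, "
    "example.test],w=[example.test]) for SslContextFactory@5e6f7a8[provider=null,"
    "keyStore=file:///srv/fisheye/example.jks,trustStore=file:///srv/fisheye/example.jks]",
    "java.lang.IllegalStateException: KeyStores with multiple certificates are not "
    "supported on the base class org.eclipse.jetty.util.ssl.SslContextFactory.",
    "\tat org.eclipse.jetty.util.ssl.SslContextFactory.load(SslContextFactory.java:374) "
    "[jetty-util-9.4.30.v20200611.jar:9.4.30.v20200611]",
]

if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

      A report with `error` set but no wildcard names points at a different cause, such as a keystore that really holds several key entries.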
      

      Workaround

      1. Use a Fisheye version up to 4.8.3, which uses the old Jetty libraries 9.4.19 and where the problem does not happen, or
      2. Do not use a wildcard certificate, or
      3. Switch to plain HTTP, or
      4. Terminate SSL at proxy level instead of directly in Fisheye

            Marek Parfianowicz added a comment -

            Hello!

            I would like to apologize to everyone watching this bug and waiting for a release. Please let me explain the delay. In the incoming version 4.8.7 we upgraded numerous third party libraries, including an upgrade of the Google Web Toolkit library to the latest version. Unfortunately, this version turned out to be less stable and we're working on a fix. This is the only issue preventing us from releasing 4.8.7. We want to give you a thoroughly tested product of high quality.

            My current estimation is that we will release 4.8.7 till end of June. I am sorry for the inconvenience.

            Kind regards
            Marek Parfianowicz
            Development Team Lead

            mcote added a comment -

            Looking for this fix as well. When will it be released, please?

            Sreenath Hampi added a comment -

            Hi Marek, any update on when the latest version will be released? We are planning to upgrade to the latest version of Fisheye to meet the below mandates:

            1. Move to Oracle 19c. Our company has a mandate to move to Oracle 19c and FE-7318 is blocking us from upgrading to the latest version.
            2. Take benefit of security fixes in the newer releases
            3. Move to a version of Fisheye that is supported by Atlassian

            But due to this defect we are not able to proceed. Any insight will be helpful.

            Marek Parfianowicz added a comment -

            Hi Sreenath, please take my sincere apologies for the delay. I estimate we need 1-2 more weeks to release 4.8.7.

            Sreenath Hampi added a comment - - edited

            Hi Marek, Any update on when the fix to this defect is released. We are blocked in upgrading to latest version  and move to Oracle 19c due to this. Thank you.


            Marek Parfianowicz added a comment -

            In about one month.

            Mark de Bont added a comment -

            Any chance when this can be expected? 4.8.6 was released in feb/2021
