Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

java.security.KeyStoreException: Key protection algorithm not found #406

Open
kares opened this issue Feb 1, 2021 · 0 comments
Open

java.security.KeyStoreException: Key protection algorithm not found #406

kares opened this issue Feb 1, 2021 · 0 comments

Comments

@kares
Copy link
Contributor

kares commented Feb 1, 2021

after the switch from OpenSSL to Java SSL provider (in 6.0.11) the plugin has some behavioral differences in terms of the configuration. This one is such difference when updating LS, namely having a configuration such as:

     ssl => true
     ssl_certificate => "multi-cert.pem"
     ssl_key => "private-key.pk8"

where mutli-cert.pem contains multiple certificate entries (not just a single public key certificate for the private key), these are being added into a key store and are assumed to be in proper order - from pub key certificate -> intermediate cert -> server cert and thus fail with :

Caused by: java.security.KeyStoreException: Key protection  algorithm not found: java.security.KeyStoreException: Certificate chain is not valid
        at sun.security.pkcs12.PKCS12KeyStore.setKeyEntry(PKCS12KeyStore.java:707) ~[?:?]
        at sun.security.pkcs12.PKCS12KeyStore.engineSetKeyEntry(PKCS12KeyStore.java:604) ~[?:?]
        at sun.security.util.KeyStoreDelegator.engineSetKeyEntry(KeyStoreDelegator.java:111) ~[?:?]
        at java.security.KeyStore.setKeyEntry(KeyStore.java:1174) ~[?:?]
        at io.netty.handler.ssl.SslContext.buildKeyStore(SslContext.java:1102) ~[netty-all-4.1.49.Final.jar:4.1.49.Final]
        at io.netty.handler.ssl.SslContext.buildKeyManagerFactory(SslContext.java:1274) ~[netty-all-4.1.49.Final.jar:4.1.49.Final]
        at io.netty.handler.ssl.SslContext.buildKeyManagerFactory(SslContext.java:1263) ~[netty-all-4.1.49.Final.jar:4.1.49.Final]
        at io.netty.handler.ssl.JdkSslServerContext.newSSLContext(JdkSslServerContext.java:266) ~[netty-all-4.1.49.Final.jar:4.1.49.Final]
        ... 67 more
Caused by: java.security.KeyStoreException: Certificate chain is not valid
        at sun.security.pkcs12.PKCS12KeyStore.setKeyEntry(PKCS12KeyStore.java:654) ~[?:?]
        at sun.security.pkcs12.PKCS12KeyStore.engineSetKeyEntry(PKCS12KeyStore.java:604) ~[?:?]
        at sun.security.util.KeyStoreDelegator.engineSetKeyEntry(KeyStoreDelegator.java:111) ~[?:?]
        at java.security.KeyStore.setKeyEntry(KeyStore.java:1174) ~[?:?]
        at io.netty.handler.ssl.SslContext.buildKeyStore(SslContext.java:1102) ~[netty-all-4.1.49.Final.jar:4.1.49.Final]
        at io.netty.handler.ssl.SslContext.buildKeyManagerFactory(SslContext.java:1274) ~[netty-all-4.1.49.Final.jar:4.1.49.Final]
        at io.netty.handler.ssl.SslContext.buildKeyManagerFactory(SslContext.java:1263) ~[netty-all-4.1.49.Final.jar:4.1.49.Final]
        at io.netty.handler.ssl.JdkSslServerContext.newSSLContext(JdkSslServerContext.java:266) ~[netty-all-4.1.49.Final.jar:4.1.49.Final]

HINT: this validation does not occur if there's only ONE certificate in the ssl_certificate => ... file.

Previously (plugin versions < 6.0.11), OpenSSL did consider the chain valid using the reverse order (last in the chain being the certificate for the private key).

A resolution of removing the additional certificates usually works, after all the certificate for the private key is set by the user thus no reason not to consider it valid (and a trust-chain of intermediaries should be set using ssl_certificate_authorities => ... option).

NOTE: with plugin version 6.0.11-6.0.13 the error would not get properly unwrapped or logged and one is stuck with a generic error message (javax.net.ssl.SSLException: failed to initialize the server-side SSL context), improved in 6.0.14

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

1 participant