
Listeners > Listener not booting when certificate is unreachable #506

Open
hamadodene opened this issue Oct 28, 2024 · 2 comments · May be fixed by #490
hamadodene (Contributor) commented Oct 28, 2024

While attempting to update Carapace to the branch 410-http2-enable-http2-h2, Carapace fails to start due to this error:

SEVERE: No dynamic certificate available for domain cara8testxx.example.it
Oct 28, 2024 9:20:55 AM org.carapaceproxy.core.ListeningChannel bootSslContext
SEVERE: ERROR booting listener
java.io.IOException: keystore password was incorrect
        at java.base/sun.security.pkcs12.PKCS12KeyStore.engineLoad(PKCS12KeyStore.java:2097)
        at java.base/sun.security.util.KeyStoreDelegator.engineLoad(KeyStoreDelegator.java:228)
        at java.base/java.security.KeyStore.load(KeyStore.java:1500)
        at org.carapaceproxy.utils.CertificatesUtils.loadKeyStoreData(CertificatesUtils.java:179)
        at org.carapaceproxy.core.ListeningChannel.bootSslContext(ListeningChannel.java:140)
        at org.carapaceproxy.core.ListeningChannel.map(ListeningChannel.java:106)
        at org.carapaceproxy.core.ListeningChannel.applySslContext(ListeningChannel.java:213)
        at org.carapaceproxy.core.Listeners.lambda$bootListener$1(Listeners.java:199)
        at reactor.netty.http.server.HttpServer.secure(HttpServer.java:807)
        at reactor.netty.http.server.HttpServer.secure(HttpServer.java:776)
        at org.carapaceproxy.core.Listeners.bootListener(Listeners.java:191)
        at org.carapaceproxy.core.Listeners.reloadConfiguration(Listeners.java:165)
        at org.carapaceproxy.core.Listeners.start(Listeners.java:101)
        at org.carapaceproxy.core.HttpProxyServer.start(HttpProxyServer.java:446)
        at org.carapaceproxy.launcher.ServerMain.start(ServerMain.java:181)
        at org.carapaceproxy.launcher.ServerMain.main(ServerMain.java:129)
Caused by: java.security.UnrecoverableKeyException: failed to decrypt safe contents entry: javax.crypto.BadPaddingException: Given final block not properly padded. Such issues can arise if a bad key is used during decryption.
        ... 16 more

The certificate in question, which is being loaded, is actually in an UNREACHABLE state, meaning there is no certificate, or there may not be a certificate available for this domain.

Therefore, we need to ensure that we load ONLY certificates that are in the AVAILABLE state.

hamadodene changed the title "Certificates > Listener not booting when certificate is unreachable" to "Listener> Listener not booting when certificate is unreachable" on Oct 28, 2024
hamadodene linked a pull request on Oct 28, 2024 that will close this issue
NiccoMlt changed the title "Listener> Listener not booting when certificate is unreachable" to "Listeners > Listener not booting when certificate is unreachable" on Oct 28, 2024
hamadodene (Contributor, Author) commented Oct 28, 2024

I get the same error for another certificate, but it is available:

Oct 28, 2024 5:52:18 PM org.carapaceproxy.core.ListeningChannel map
SEVERE: Error booting certificate for SNI hostname cara17test.example.it, on listener NetworkListenerConfiguration[host=0.0.0.0, port=4089, ssl=true, sslCiphers=, defaultCertificate=*, sslProtocols=[TLSv1.3], soBacklog=128, keepAlive=true, keepAliveIdle=300, keepAliveInterval=60, keepAliveCount=8, maxKeepAliveRequests=10, forwardedStrategy=IF_TRUSTED, trustedIps=[127.0.0.1], protocols=[H2], group=DefaultChannelGroup(name: group-0x2, size: 0)]
org.carapaceproxy.server.config.ConfigurationNotValidException: java.io.IOException: keystore password was incorrect
        at org.carapaceproxy.core.ListeningChannel.bootSslContext(ListeningChannel.java:168)
        at org.carapaceproxy.core.ListeningChannel.map(ListeningChannel.java:106)
        at org.carapaceproxy.core.ListeningChannel.applySslContext(ListeningChannel.java:213)
        at org.carapaceproxy.core.Listeners.lambda$bootListener$1(Listeners.java:199)
        at reactor.netty.http.server.HttpServer.secure(HttpServer.java:807)
        at reactor.netty.http.server.HttpServer.secure(HttpServer.java:776)
        at org.carapaceproxy.core.Listeners.bootListener(Listeners.java:191)
        at org.carapaceproxy.core.Listeners.reloadConfiguration(Listeners.java:165)
        at org.carapaceproxy.core.Listeners.start(Listeners.java:101)
        at org.carapaceproxy.core.HttpProxyServer.start(HttpProxyServer.java:446)
        at org.carapaceproxy.launcher.ServerMain.start(ServerMain.java:181)
        at org.carapaceproxy.launcher.ServerMain.main(ServerMain.java:129)
Caused by: java.io.IOException: keystore password was incorrect
        at java.base/sun.security.pkcs12.PKCS12KeyStore.engineLoad(PKCS12KeyStore.java:2097)
        at java.base/sun.security.util.KeyStoreDelegator.engineLoad(KeyStoreDelegator.java:228)
        at java.base/java.security.KeyStore.load(KeyStore.java:1500)
        at org.carapaceproxy.utils.CertificatesUtils.loadKeyStoreData(CertificatesUtils.java:180)
        at org.carapaceproxy.core.ListeningChannel.bootSslContext(ListeningChannel.java:140)
        ... 11 more
Caused by: java.security.UnrecoverableKeyException: failed to decrypt safe contents entry: javax.crypto.BadPaddingException: Given final block not properly padded. Such issues can arise if a bad key is used during decryption.
        ... 16 more

NiccoMlt self-assigned this on Nov 7, 2024
NiccoMlt (Contributor) commented

More errors:

SEVERE: No dynamic certificate available for domain cara8testxx.peach.it
Dec 10, 2024 5:47:45 PM org.carapaceproxy.utils.CertificatesUtils loadKeyStoreData
SEVERE: Load keystore (class class java.security.KeyStore provider SUN version 21, type PKCS12) failed with password ` ... ` (charArray [ ... ])
java.io.IOException: keystore password was incorrect
        at java.base/sun.security.pkcs12.PKCS12KeyStore.engineLoad(PKCS12KeyStore.java:2097)
        at java.base/sun.security.util.KeyStoreDelegator.engineLoad(KeyStoreDelegator.java:228)
        at java.base/java.security.KeyStore.load(KeyStore.java:1500)
        at org.carapaceproxy.utils.CertificatesUtils.loadKeyStoreData(CertificatesUtils.java:184)
        at org.carapaceproxy.core.ListeningChannel.bootSslContext(ListeningChannel.java:139)
        at org.carapaceproxy.core.ListeningChannel.map(ListeningChannel.java:105)
        at org.carapaceproxy.core.ListeningChannel.applySslContext(ListeningChannel.java:212)
        at org.carapaceproxy.core.Listeners.lambda$bootListener$1(Listeners.java:200)
        at reactor.netty.http.server.HttpServer.secure(HttpServer.java:807)
        at reactor.netty.http.server.HttpServer.secure(HttpServer.java:776)
        at org.carapaceproxy.core.Listeners.bootListener(Listeners.java:192)
        at org.carapaceproxy.core.Listeners.reloadConfiguration(Listeners.java:166)
        at org.carapaceproxy.core.Listeners.start(Listeners.java:102)
        at org.carapaceproxy.core.HttpProxyServer.start(HttpProxyServer.java:442)
        at org.carapaceproxy.launcher.ServerMain.start(ServerMain.java:180)
        at org.carapaceproxy.launcher.ServerMain.main(ServerMain.java:129)
Caused by: java.security.UnrecoverableKeyException: failed to decrypt safe contents entry: javax.crypto.BadPaddingException: Given final block not properly padded. Such issues can arise if a bad key is used during decryption.
        ... 16 more
Dec 10, 2024 5:47:45 PM org.carapaceproxy.core.ListeningChannel map
SEVERE: Error booting certificate for SNI hostname cara17test.peach.it, on listener NetworkListenerConfiguration[host=0.0.0.0, port=4089, ssl=true, sslCiphers=, defaultCertificate=*, sslProtocols=[TLSv1.3], soBacklog=128, keepAlive=true, keepAliveIdle=300, keepAliveInterval=60, keepAliveCount=8, maxKeepAliveRequests=10, forwardedStrategy=IF_TRUSTED, trustedIps=[127.0.0.1], protocols=[H2], group=DefaultChannelGroup(name: group-0x2, size: 0)]
org.carapaceproxy.server.config.ConfigurationNotValidException: java.security.KeyStoreException: Uninitialized keystore
        at org.carapaceproxy.core.ListeningChannel.bootSslContext(ListeningChannel.java:167)
        at org.carapaceproxy.core.ListeningChannel.map(ListeningChannel.java:105)
        at org.carapaceproxy.core.ListeningChannel.applySslContext(ListeningChannel.java:212)
        at org.carapaceproxy.core.Listeners.lambda$bootListener$1(Listeners.java:200)
        at reactor.netty.http.server.HttpServer.secure(HttpServer.java:807)
        at reactor.netty.http.server.HttpServer.secure(HttpServer.java:776)
        at org.carapaceproxy.core.Listeners.bootListener(Listeners.java:192)
        at org.carapaceproxy.core.Listeners.reloadConfiguration(Listeners.java:166)
        at org.carapaceproxy.core.Listeners.start(Listeners.java:102)
        at org.carapaceproxy.core.HttpProxyServer.start(HttpProxyServer.java:442)
        at org.carapaceproxy.launcher.ServerMain.start(ServerMain.java:180)
        at org.carapaceproxy.launcher.ServerMain.main(ServerMain.java:129)
Caused by: java.security.KeyStoreException: Uninitialized keystore
        at java.base/java.security.KeyStore.aliases(KeyStore.java:1285)
        at java.base/sun.security.ssl.SunX509KeyManagerImpl.<init>(SunX509KeyManagerImpl.java:135)
        at java.base/sun.security.ssl.KeyManagerFactoryImpl$SunX509.engineInit(KeyManagerFactoryImpl.java:64)
        at java.base/javax.net.ssl.KeyManagerFactory.init(KeyManagerFactory.java:270)
        at io.netty.handler.ssl.OpenSslCachingX509KeyManagerFactory$1.engineInit(OpenSslCachingX509KeyManagerFactory.java:53)
        at java.base/javax.net.ssl.KeyManagerFactory.init(KeyManagerFactory.java:270)
        at org.carapaceproxy.core.ListeningChannel.bootSslContext(ListeningChannel.java:142)
        ... 11 more
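As an added illustration of the fix this thread asks for, and not code from the Carapace project: the snippet below selects only certificates in the AVAILABLE state, loads each PKCS12 blob on its own, and fails closed for that one hostname when KeyStore.load throws, so a wrong password or empty keystore data is never handed on to KeyManagerFactory.init as an uninitialized keystore (the second failure in the Dec 10 log). CertificateState, DynamicCertificate, loadAvailableCertificates and the in-memory sample keystore are assumptions made for the example; none of the proxy's real types are used, and the hostnames are taken from the log lines above only as labels.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.util.ArrayList;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;

public class SniKeyStoreLoading {

    // Hypothetical lifecycle states, modelled on the AVAILABLE/UNREACHABLE wording in the issue.
    enum CertificateState { AVAILABLE, UNREACHABLE, EXPIRED }

    // Hypothetical per-hostname record: state plus the raw PKCS12 bytes (may be empty when unreachable).
    record DynamicCertificate(String hostname, CertificateState state, byte[] keystoreData) {}

    // Load one PKCS12 blob. KeyStore.load throws IOException when the password does not match.
    static KeyStore loadPkcs12(byte[] data, char[] password) throws IOException, GeneralSecurityException {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        ks.load(new ByteArrayInputStream(data), password);
        return ks;
    }

    // Load only AVAILABLE certificates; every other state and every per-host load failure is
    // logged and skipped, so one bad entry cannot abort the whole listener boot and an
    // uninitialized KeyStore is never returned for a hostname.
    static Map<String, KeyStore> loadAvailableCertificates(List<DynamicCertificate> certs,
                                                           char[] password, List<String> log) {
        Map<String, KeyStore> loaded = new LinkedHashMap<>();
        for (DynamicCertificate c : certs) {
            if (c.state() != CertificateState.AVAILABLE) {
                log.add("skip " + c.hostname() + ": state " + c.state());
                continue;
            }
            if (c.keystoreData() == null || c.keystoreData().length == 0) {
                log.add("skip " + c.hostname() + ": no keystore data");
                continue;
            }
            try {
                loaded.put(c.hostname(), loadPkcs12(c.keystoreData(), password));
                log.add("loaded " + c.hostname());
            } catch (IOException | GeneralSecurityException e) {
                // Fail closed for this hostname only; log the exception message, never the password.
                log.add("skip " + c.hostname() + ": " + e.getMessage());
            }
        }
        return loaded;
    }

    // Constructed sample input: an in-memory PKCS12 keystore holding a secret-key entry, which is
    // enough to exercise the password check without building an X.509 chain.
    static byte[] samplePkcs12(char[] password) throws IOException, GeneralSecurityException {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        ks.load(null, null);
        SecretKey key = KeyGenerator.getInstance("AES").generateKey();
        ks.setEntry("sample", new KeyStore.SecretKeyEntry(key), new KeyStore.PasswordProtection(password));
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        ks.store(out, password);
        return out.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        char[] good = "correct-horse".toCharArray();
        char[] wrong = "battery-staple".toCharArray();
        List<DynamicCertificate> certs = List.of(
            new DynamicCertificate("cara17test.example.it", CertificateState.AVAILABLE, samplePkcs12(good)),
            new DynamicCertificate("cara8testxx.example.it", CertificateState.UNREACHABLE, new byte[0]),
            new DynamicCertificate("stale.example.it", CertificateState.AVAILABLE, samplePkcs12(wrong)));
        List<String> log = new ArrayList<>();
        Map<String, KeyStore> loaded = loadAvailableCertificates(certs, good, log);
        log.forEach(System.out::println);
        System.out.println("hostnames the listener can serve: " + loaded.keySet());
    }
}
```

Run it with `java SniKeyStoreLoading.java` on JDK 11 or later; only cara17test.example.it ends up loadable, the UNREACHABLE entry is skipped before any keystore work, and the entry stored under a different password is dropped with the load error instead of propagating. Whether a skipped hostname should additionally fail the whole listener is a deployment choice; what the example avoids is the Dec 10 pattern, where the load error is logged (together with the keystore password, which the SEVERE line there prints) and an uninitialized KeyStore is still passed to the KeyManagerFactory.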
