Listeners > Listener not booting when certificate is unreachable #506

hamadodene opened this issue Oct 28, 2024 · 1 comment
hamadodene commented Oct 28, 2024

While attempting to update Carapace with the branch 410-http2-enable-http2-h2, Carapace fails to start due to this error:

SEVERE: No dynamic certificate available for domain cara8testxx.example.it
Oct 28, 2024 9:20:55 AM org.carapaceproxy.core.ListeningChannel bootSslContext
SEVERE: ERROR booting listener
java.io.IOException: keystore password was incorrect
        at java.base/sun.security.pkcs12.PKCS12KeyStore.engineLoad(PKCS12KeyStore.java:2097)
        at java.base/sun.security.util.KeyStoreDelegator.engineLoad(KeyStoreDelegator.java:228)
        at java.base/java.security.KeyStore.load(KeyStore.java:1500)
        at org.carapaceproxy.utils.CertificatesUtils.loadKeyStoreData(CertificatesUtils.java:179)
        at org.carapaceproxy.core.ListeningChannel.bootSslContext(ListeningChannel.java:140)
        at org.carapaceproxy.core.ListeningChannel.map(ListeningChannel.java:106)
        at org.carapaceproxy.core.ListeningChannel.applySslContext(ListeningChannel.java:213)
        at org.carapaceproxy.core.Listeners.lambda$bootListener$1(Listeners.java:199)
        at reactor.netty.http.server.HttpServer.secure(HttpServer.java:807)
        at reactor.netty.http.server.HttpServer.secure(HttpServer.java:776)
        at org.carapaceproxy.core.Listeners.bootListener(Listeners.java:191)
        at org.carapaceproxy.core.Listeners.reloadConfiguration(Listeners.java:165)
        at org.carapaceproxy.core.Listeners.start(Listeners.java:101)
        at org.carapaceproxy.core.HttpProxyServer.start(HttpProxyServer.java:446)
        at org.carapaceproxy.launcher.ServerMain.start(ServerMain.java:181)
        at org.carapaceproxy.launcher.ServerMain.main(ServerMain.java:129)
Caused by: java.security.UnrecoverableKeyException: failed to decrypt safe contents entry: javax.crypto.BadPaddingException: Given final block not properly padded. Such issues can arise if a bad key is used during decryption.
        ... 16 more

The certificate in question, which is being loaded, is actually in an UNREACHABLE state, meaning there is no certificate, or there may not be a certificate available for this domain.

Therefore, we need to ensure that we load ONLY certificates that are in the AVAILABLE state.

hamadodene changed the title from "Certificates > Listener not booting when certificate is unreachable" to "Listener> Listener not booting when certificate is unreachable" on Oct 28, 2024
NiccoMlt changed the title from "Listener> Listener not booting when certificate is unreachable" to "Listeners > Listener not booting when certificate is unreachable" on Oct 28, 2024
hamadodene commented Oct 28, 2024

I get the same error for another certificate, but it's available:

Oct 28, 2024 5:52:18 PM org.carapaceproxy.core.ListeningChannel map
SEVERE: Error booting certificate for SNI hostname cara17test.example.it, on listener NetworkListenerConfiguration[host=0.0.0.0, port=4089, ssl=true, sslCiphers=, defaultCertificate=*, sslProtocols=[TLSv1.3], soBacklog=128, keepAlive=true, keepAliveIdle=300, keepAliveInterval=60, keepAliveCount=8, maxKeepAliveRequests=10, forwardedStrategy=IF_TRUSTED, trustedIps=[127.0.0.1], protocols=[H2], group=DefaultChannelGroup(name: group-0x2, size: 0)]
org.carapaceproxy.server.config.ConfigurationNotValidException: java.io.IOException: keystore password was incorrect
        at org.carapaceproxy.core.ListeningChannel.bootSslContext(ListeningChannel.java:168)
        at org.carapaceproxy.core.ListeningChannel.map(ListeningChannel.java:106)
        at org.carapaceproxy.core.ListeningChannel.applySslContext(ListeningChannel.java:213)
        at org.carapaceproxy.core.Listeners.lambda$bootListener$1(Listeners.java:199)
        at reactor.netty.http.server.HttpServer.secure(HttpServer.java:807)
        at reactor.netty.http.server.HttpServer.secure(HttpServer.java:776)
        at org.carapaceproxy.core.Listeners.bootListener(Listeners.java:191)
        at org.carapaceproxy.core.Listeners.reloadConfiguration(Listeners.java:165)
        at org.carapaceproxy.core.Listeners.start(Listeners.java:101)
        at org.carapaceproxy.core.HttpProxyServer.start(HttpProxyServer.java:446)
        at org.carapaceproxy.launcher.ServerMain.start(ServerMain.java:181)
        at org.carapaceproxy.launcher.ServerMain.main(ServerMain.java:129)
Caused by: java.io.IOException: keystore password was incorrect
        at java.base/sun.security.pkcs12.PKCS12KeyStore.engineLoad(PKCS12KeyStore.java:2097)
        at java.base/sun.security.util.KeyStoreDelegator.engineLoad(KeyStoreDelegator.java:228)
        at java.base/java.security.KeyStore.load(KeyStore.java:1500)
        at org.carapaceproxy.utils.CertificatesUtils.loadKeyStoreData(CertificatesUtils.java:180)
        at org.carapaceproxy.core.ListeningChannel.bootSslContext(ListeningChannel.java:140)
        ... 11 more
Caused by: java.security.UnrecoverableKeyException: failed to decrypt safe contents entry: javax.crypto.BadPaddingException: Given final block not properly padded. Such issues can arise if a bad key is used during decryption.
        ... 16 more

@NiccoMlt NiccoMlt self-assigned this Nov 7, 2024
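The two traces above show the same failure mode: `KeyStore.load` throws `IOException: keystore password was incorrect` when the bytes handed to it are not a keystore decryptable with the supplied password, and because that exception propagates out of `bootSslContext`, a single bad entry stops the whole listener. The following is an added example, not Carapace's own code, of the filtering the issue asks for (load only certificates in the AVAILABLE state) combined with per-certificate isolation, so that even an AVAILABLE entry with unusable keystore data, as in the second comment, is logged and skipped instead of preventing the listener from booting. `CertificateState`, `DynamicCertificate`, `SafeSslContextLoader` and `loadAvailable` are hypothetical names chosen for this example; only the state names AVAILABLE and UNREACHABLE come from the issue.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.logging.Level;
import java.util.logging.Logger;

// Hypothetical state model: only the two state names mentioned in the issue.
enum CertificateState { AVAILABLE, UNREACHABLE }

// Hypothetical view of a dynamic certificate: domain, state, PKCS#12 bytes and the store password.
record DynamicCertificate(String domain, CertificateState state, byte[] keystoreData, char[] password) {}

public class SafeSslContextLoader {
    private static final Logger LOG = Logger.getLogger(SafeSslContextLoader.class.getName());

    /**
     * Loads the PKCS#12 keystore of every AVAILABLE certificate. Non-AVAILABLE entries are
     * skipped up front; an entry whose keystore cannot be opened is logged and skipped, so a
     * single bad SNI host never aborts the listener boot.
     */
    public static Map<String, KeyStore> loadAvailable(List<DynamicCertificate> certs) {
        Map<String, KeyStore> loaded = new LinkedHashMap<>();
        for (DynamicCertificate cert : certs) {
            if (cert.state() != CertificateState.AVAILABLE) {
                LOG.log(Level.INFO, "Skipping certificate for {0}: state is {1}",
                        new Object[]{cert.domain(), cert.state()});
                continue;
            }
            if (cert.keystoreData() == null || cert.keystoreData().length == 0) {
                LOG.log(Level.WARNING, "Certificate for {0} is AVAILABLE but has no keystore data", cert.domain());
                continue;
            }
            try {
                KeyStore ks = KeyStore.getInstance("PKCS12");
                ks.load(new ByteArrayInputStream(cert.keystoreData()), cert.password());
                loaded.put(cert.domain(), ks);
            } catch (IOException | GeneralSecurityException e) {
                // "keystore password was incorrect" arrives here as an IOException; confine it to this host.
                LOG.log(Level.SEVERE, "Cannot load keystore for " + cert.domain()
                        + "; listener continues without this SNI host", e);
            }
        }
        return loaded;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample data: an empty PKCS#12 store protected with the password "secret".
        KeyStore empty = KeyStore.getInstance("PKCS12");
        empty.load(null, null);
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        empty.store(out, "secret".toCharArray());
        byte[] validStore = out.toByteArray();

        List<DynamicCertificate> certs = List.of(
            // UNREACHABLE: no real certificate, garbage bytes; filtered out before any load attempt.
            new DynamicCertificate("unreachable.example", CertificateState.UNREACHABLE,
                    new byte[]{1, 2, 3}, "x".toCharArray()),
            // AVAILABLE but the stored password does not match: load fails, entry is skipped, boot continues.
            new DynamicCertificate("bad-password.example", CertificateState.AVAILABLE,
                    validStore, "wrong".toCharArray()),
            // AVAILABLE and loadable: the only entry that ends up in the result.
            new DynamicCertificate("good.example", CertificateState.AVAILABLE,
                    validStore, "secret".toCharArray())
        );

        Map<String, KeyStore> loaded = loadAvailable(certs);
        System.out.println("Loaded SNI hosts: " + loaded.keySet());
    }
}
```

Skipping a host rather than failing the listener is a deliberate availability trade-off: the listener comes up, but requests for the skipped SNI name will be served with the listener's default certificate, so the SEVERE log line for that host is the signal operators should alert on rather than treat as noise.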