Mixeway / MixewayOpenVASRestAPI

JAVA Spring-Boot implementation of REST API for OpenVAS Security Vulnerability Scanner. REST API is using gvm-cli in order to communicate with OpenVAS
https://mixeway.io
GNU General Public License v3.0

can't run #7

Open neginsadeghi opened 2 years ago

neginsadeghi commented 2 years ago

I ran setup-certs.sh and created the .jks file on my own, but it just can't be bootstrapped. Please help me so that I can run it.

[screenshot]

I'm using https://github.com/immauss/openvas for hosting OpenVAS, and I'm running the commands in the OpenVAS container that was created by the mentioned repo.

```
root@52fff93ea21f:~# ps -aux
USER       PID %CPU %MEM    VSZ    RSS TTY  STAT START   TIME COMMAND
root         1  0.0  0.0   5612   1680 ?    Ss   Sep28   0:00 /bin/bash /start.sh
root         9  0.1  3.7 217128 151472 ?    Ssl  Sep28  18:14 redis-server 0.0.0.0:6379
postgres    38  0.0  0.3  82420  14316 ?    Ss   Sep28   1:04 /usr/lib/postgresql/12/bin/postgres -D /data/database
postgres    40  0.0  0.3  82656  13656 ?    Ss   Sep28   0:03 postgres: checkpointer
postgres    41  0.0  0.3  82552  14668 ?    Ss   Sep28   0:16 postgres: background writer
postgres    42  0.0  0.1  82420   4540 ?    Ss   Sep28   2:36 postgres: walwriter
postgres    43  0.0  0.2  83096   8316 ?    Ss   Sep28   0:16 postgres: autovacuum launcher
postgres    44  0.0  0.1  67408   4544 ?    Ss   Sep28   0:48 postgres: stats collector
postgres    45  0.0  0.1  82964   5156 ?    Ss   Sep28   0:00 postgres: logical replication launcher
gvm        324  0.0  2.5 255140 104412 ?    S    Sep28   5:50 gvmd: Waiting for incoming connections
gvm        348  0.0  0.0  79748   1916 ?    Ss   Sep28   0:00 gpg-agent --homedir /usr/local/var/lib/gvm/gvmd/gnupg --use-standard-socket --daemon
postgres   354  0.0  0.6  97772  24640 ?    SLs  Sep28   2:27 postgres: gvm gvmd [local] idle
root       493  0.0  0.0  43468   3392 ?    Ss   Sep28   0:02 /usr/lib/postfix/sbin/master
postfix    496  0.0  0.0  43544   3196 ?    S    Sep28   0:00 qmgr -l -t unix -u
root       498  0.0  0.5 269168  21728 ?    Sl   Sep28   6:15 /usr/bin/python3 /usr/local/bin/ospd-openvas --log-file /usr/local/var/log/gvm/ospd-openvas.log --unix-socket /var/run/ospd/ospd.sock --log-level INFO --socket-mode 777
root       501  0.0  0.0 116624   3888 ?    Sl   Sep28   1:18 /usr/bin/python3 /usr/local/bin/ospd-openvas --log-file /usr/local/var/log/gvm/ospd-openvas.log --unix-socket /var/run/ospd/ospd.sock --log-level INFO --socket-mode 777
gvm        511  0.0  1.0 2383168 44052 ?    Sl   Sep28   0:01 gsad --mlisten 127.0.0.1 -m 9390 --verbose --timeout=15 --http-only --no-redirect --port=9392
root       517  0.0  0.0   4076    288 ?    S    Sep28   0:00 tail -F /usr/local/var/log/gvm/gsad.log /usr/local/var/log/gvm/gvmd.log /usr/local/var/log/gvm/openvas.log /usr/local/var/log/gvm/ospd-openvas.log
root    345614  0.0  0.0   5744   3548 pts/0 Ss  10:05   0:00 bash
postfix 357023  0.0  0.1  43816   7788 ?    S    10:39   0:00 pickup -l -t unix -u -c
root    358361  0.0  0.0   9672   3200 pts/0 R+  11:32   0:00 ps -aux
```

```
root@52fff93ea21f:~/pki# pwd
/root/pki
root@52fff93ea21f:~/pki# ls
ca.pem  cert.crt  cert.jks  certificate.p12  private.key
```

siewer commented 2 years ago

Hey, a fast fix is to run the OpenVAS jar with the additional parameter `--server.ssl.key-alias=localhost`.

I will introduce a PR to fix this issue in a few hours.

siewer commented 2 years ago

And btw, enable `--spring.profiles.active=noauth` to bypass mTLS auth (not recommended on a prod instance).

neginsadeghi commented 2 years ago

I added the parameters that you said, but still no luck:

```
root@52fff93ea21f:~# java -jar MixewayOpenVasRestAPI-1.2.0-SNAPSHOT.jar \
    --spring.profiles.active=noauth \
    --server.ssl.key-alias=localhost \
    --server.port=8443 \
    --server.ssl.key-store=pki/certificate.p12 \
    --server.ssl.key-store-password=changeit \
    --server.ssl.trust-store=pki/cert.jks \
    --server.ssl.trust-store-password=changeit \
    --openvasmd.socket=/var/run/ospd/ospd.sock \
    --allowed.users=localhost

  .   ____          _            __ _ _
 /\\ / ___'_ __ _ _(_)_ __  __ _ \ \ \ \
( ( )\___ | '_ | '_| | '_ \/ _` | \ \ \ \
 \\/  ___)| |_)| | | | | || (_| |  ) ) ) )
  '  |____| .__|_| |_|_| |_\__, | / / / /
 =========|_|==============|___/=/_/_/_/
 :: Spring Boot ::        (v2.2.4.RELEASE)

2021-10-10 07:56:33.719  WARN 385236 --- [           main] org.apache.tomcat.util.net.SSLUtilBase   : The JSSE TLS 1.3 implementation does not support authentication after the initial handshake and is therefore incompatible with optional client authentication
2021-10-10 07:56:33.905 ERROR 385236 --- [           main] o.s.boot.SpringApplication               : Application run failed

org.springframework.boot.web.server.WebServerException: Unable to start embedded Tomcat server
        at org.springframework.boot.web.embedded.tomcat.TomcatWebServer.start(TomcatWebServer.java:215) ~[spring-boot-2.2.4.RELEASE.jar!/:2.2.4.RELEASE]
        at org.springframework.boot.web.servlet.context.ServletWebServerApplicationContext.startWebServer(ServletWebServerApplicationContext.java:297) ~[spring-boot-2.2.4.RELEASE.jar!/:2.2.4.RELEASE]
        at org.springframework.boot.web.servlet.context.ServletWebServerApplicationContext.finishRefresh(ServletWebServerApplicationContext.java:163) ~[spring-boot-2.2.4.RELEASE.jar!/:2.2.4.RELEASE]
        at org.springframework.context.support.AbstractApplicationContext.refresh(AbstractApplicationContext.java:553) ~[spring-context-5.2.3.RELEASE.jar!/:5.2.3.RELEASE]
        at org.springframework.boot.web.servlet.context.ServletWebServerApplicationContext.refresh(ServletWebServerApplicationContext.java:141) ~[spring-boot-2.2.4.RELEASE.jar!/:2.2.4.RELEASE]
        at org.springframework.boot.SpringApplication.refresh(SpringApplication.java:747) [spring-boot-2.2.4.RELEASE.jar!/:2.2.4.RELEASE]
        at org.springframework.boot.SpringApplication.refreshContext(SpringApplication.java:397) [spring-boot-2.2.4.RELEASE.jar!/:2.2.4.RELEASE]
        at org.springframework.boot.SpringApplication.run(SpringApplication.java:315) [spring-boot-2.2.4.RELEASE.jar!/:2.2.4.RELEASE]
        at org.springframework.boot.SpringApplication.run(SpringApplication.java:1226) [spring-boot-2.2.4.RELEASE.jar!/:2.2.4.RELEASE]
        at org.springframework.boot.SpringApplication.run(SpringApplication.java:1215) [spring-boot-2.2.4.RELEASE.jar!/:2.2.4.RELEASE]
        at pl.orange.bst.mixer.MixerApplication.main(MixerApplication.java:39) [classes!/:1.2.0-SNAPSHOT]
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[na:1.8.0_302]
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) ~[na:1.8.0_302]
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[na:1.8.0_302]
        at java.lang.reflect.Method.invoke(Method.java:498) ~[na:1.8.0_302]
        at org.springframework.boot.loader.MainMethodRunner.run(MainMethodRunner.java:48) [MixewayOpenVasRestAPI-1.2.0-SNAPSHOT.jar:1.2.0-SNAPSHOT]
        at org.springframework.boot.loader.Launcher.launch(Launcher.java:87) [MixewayOpenVasRestAPI-1.2.0-SNAPSHOT.jar:1.2.0-SNAPSHOT]
        at org.springframework.boot.loader.Launcher.launch(Launcher.java:51) [MixewayOpenVasRestAPI-1.2.0-SNAPSHOT.jar:1.2.0-SNAPSHOT]
        at org.springframework.boot.loader.JarLauncher.main(JarLauncher.java:52) [MixewayOpenVasRestAPI-1.2.0-SNAPSHOT.jar:1.2.0-SNAPSHOT]
Caused by: java.lang.IllegalArgumentException: standardService.connector.startFailed
        at org.apache.catalina.core.StandardService.addConnector(StandardService.java:231) ~[tomcat-embed-core-9.0.30.jar!/:9.0.30]
        at org.springframework.boot.web.embedded.tomcat.TomcatWebServer.addPreviouslyRemovedConnectors(TomcatWebServer.java:278) ~[spring-boot-2.2.4.RELEASE.jar!/:2.2.4.RELEASE]
        at org.springframework.boot.web.embedded.tomcat.TomcatWebServer.start(TomcatWebServer.java:197) ~[spring-boot-2.2.4.RELEASE.jar!/:2.2.4.RELEASE]
        ... 18 common frames omitted
Caused by: org.apache.catalina.LifecycleException: Protocol handler start failed
        at org.apache.catalina.connector.Connector.startInternal(Connector.java:1008) ~[tomcat-embed-core-9.0.30.jar!/:9.0.30]
        at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:183) ~[tomcat-embed-core-9.0.30.jar!/:9.0.30]
        at org.apache.catalina.core.StandardService.addConnector(StandardService.java:227) ~[tomcat-embed-core-9.0.30.jar!/:9.0.30]
        ... 20 common frames omitted
Caused by: java.lang.IllegalArgumentException: the trustAnchors parameter must be non-empty
        at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:99) ~[tomcat-embed-core-9.0.30.jar!/:9.0.30]
        at org.apache.tomcat.util.net.AbstractJsseEndpoint.initialiseSsl(AbstractJsseEndpoint.java:71) ~[tomcat-embed-core-9.0.30.jar!/:9.0.30]
        at org.apache.tomcat.util.net.NioEndpoint.bind(NioEndpoint.java:217) ~[tomcat-embed-core-9.0.30.jar!/:9.0.30]
        at org.apache.tomcat.util.net.AbstractEndpoint.bindWithCleanup(AbstractEndpoint.java:1141) ~[tomcat-embed-core-9.0.30.jar!/:9.0.30]
        at org.apache.tomcat.util.net.AbstractEndpoint.start(AbstractEndpoint.java:1227) ~[tomcat-embed-core-9.0.30.jar!/:9.0.30]
        at org.apache.coyote.AbstractProtocol.start(AbstractProtocol.java:586) ~[tomcat-embed-core-9.0.30.jar!/:9.0.30]
        at org.apache.catalina.connector.Connector.startInternal(Connector.java:1005) ~[tomcat-embed-core-9.0.30.jar!/:9.0.30]
        ... 22 common frames omitted
Caused by: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty
        at java.security.cert.PKIXParameters.setTrustAnchors(PKIXParameters.java:200) ~[na:1.8.0_302]
        at java.security.cert.PKIXParameters.<init>(PKIXParameters.java:157) ~[na:1.8.0_302]
        at java.security.cert.PKIXBuilderParameters.<init>(PKIXBuilderParameters.java:130) ~[na:1.8.0_302]
        at org.apache.tomcat.util.net.SSLUtilBase.getParameters(SSLUtilBase.java:494) ~[tomcat-embed-core-9.0.30.jar!/:9.0.30]
        at org.apache.tomcat.util.net.SSLUtilBase.getTrustManagers(SSLUtilBase.java:425) ~[tomcat-embed-core-9.0.30.jar!/:9.0.30]
        at org.apache.tomcat.util.net.SSLUtilBase.createSSLContext(SSLUtilBase.java:247) ~[tomcat-embed-core-9.0.30.jar!/:9.0.30]
        at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:97) ~[tomcat-embed-core-9.0.30.jar!/:9.0.30]
        ... 28 common frames omitted
```

I'm using this Docker container to bring up OpenVAS: https://github.com/immauss/openvas

Do you suggest any other container?

neginsadeghi commented 2 years ago

Maybe my .jks file is somehow corrupted. Can you update the setup-cert.sh file so that it generates all the required certificate files?

MohsnRaj commented 6 months ago

@neginsadeghi Hello, did you manage to fix this problem?

siewer commented 6 months ago

@neginsadeghi this problem is somehow related to the SSL/TLS configuration.

Can you confirm that:

  1. You have generated a key pair, e.g. with `openssl req -new -newkey rsa:2048 -days 365 -nodes -x509 -keyout private.key -out cert.crt -subj "/CN=localhost" &> /dev/null`
  2. taken that pair and generated a PKCS12, e.g. with `openssl pkcs12 -export -inkey private.key -in cert.crt -out certificate.p12 -name "localhost" -password pass:changeit`
  3. now we have a PKCS12 containing the key pair with alias `localhost`, protected by the password `changeit`, so `--server.ssl.key-alias=localhost --server.ssl.key-store=certificate.p12 --server.ssl.key-store-password=changeit` should be set
  4. generated a JKS or taken the JVM cacerts (e.g. https://stackoverflow.com/questions/11936685/how-to-obtain-the-location-of-cacerts-of-the-default-java-installation) and then passed that cacerts via `--server.ssl.trust-store=cacerts --server.ssl.trust-store-password=changeit`

This way it should be up and running.
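The four steps above, carried through as an added shell example that is not part of the MixewayOpenVASRestAPI project or of this thread. It builds the same `pki/` layout the reporter listed (`private.key`, `cert.crt`, `certificate.p12`, `cert.jks`) and then checks the two things the stack trace turns on: that the PKCS12 really carries the friendlyName handed to `--server.ssl.key-alias`, and that the JKS passed as `--server.ssl.trust-store` holds at least one entry. The innermost cause in the trace is raised from `SSLUtilBase.getTrustManagers` while Tomcat builds `PKIXBuilderParameters` from the trust store's trusted certificates, so a JKS with zero entries produces exactly "the trustAnchors parameter must be non-empty", and the `noauth` profile does not avoid it because the store is still loaded at connector start. Assumptions: `openssl` is on PATH; `keytool` from a JDK is optional (the entry-count check reads the JKS header directly and is this example's own diagnostic, not a keytool feature); the alias `localhost` and password `changeit` are the ones used in the thread; the file name `build-pki.sh` is hypothetical.

```shell
#!/bin/sh
# Added example, not part of MixewayOpenVASRestAPI or of this thread.
# Builds the pki/ layout the thread uses (private.key, cert.crt,
# certificate.p12, cert.jks) and checks the two things the stack trace
# depends on: the PKCS12 really carries the alias given to
# --server.ssl.key-alias, and the JKS trust store is not empty.
# Assumes: openssl on PATH; keytool (from a JDK) optional; alias
# "localhost" and password "changeit" as in the thread.
set -eu

# Steps 1-2: self-signed key pair, then a PKCS12 whose friendlyName is the
# alias. A SAN is added because clients match it, not the CN.
gen_server_identity() {
    dir=$1; cn=$2; pass=$3
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -keyout "$dir/private.key" -out "$dir/cert.crt" -subj "/CN=$cn" \
        -addext "subjectAltName=DNS:$cn,IP:127.0.0.1" >/dev/null 2>&1
    openssl pkcs12 -export -inkey "$dir/private.key" -in "$dir/cert.crt" \
        -out "$dir/certificate.p12" -name "$cn" -passout "pass:$pass"
}

# Returns 0 when the PKCS12 ($1, password $3) has a bag named $2, i.e.
# when --server.ssl.key-alias=$2 will resolve to an entry.
p12_has_alias() {
    openssl pkcs12 -in "$1" -passin "pass:$3" -nokeys -nodes -info 2>&1 \
        | grep -q "friendlyName: $2"
}

# Entry count of a JKS file, read from its header without keytool:
# bytes 0-3 magic 0xFEEDFEED, 4-7 version, 8-11 big-endian entry count.
# Prints the count; returns 1 if the file is not a JKS.
jks_entry_count() {
    magic=$(od -An -tx1 -N4 "$1" | tr -d ' \n')
    [ "$magic" = "feedfeed" ] || { echo "not a JKS file: $1" >&2; return 1; }
    set -- $(od -An -tu1 -j8 -N4 "$1")
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Step 4: a JKS trust store with the server/CA cert ($1) as a trusted
# entry under alias $2, written to $3 with password $4. Needs keytool.
build_truststore() {
    keytool -importcert -noprompt -storetype JKS -alias "$2" -file "$1" \
        -keystore "$3" -storepass "$4" >/dev/null 2>&1
}

# Pre-flight for --server.ssl.trust-store: JSSE builds its PKIX parameters
# from the store's trusted entries, so zero entries is exactly the
# "the trustAnchors parameter must be non-empty" failure in the trace.
check_truststore() {
    n=$(jks_entry_count "$1") || return 1
    if [ "$n" -eq 0 ]; then
        echo "EMPTY trust store $1: connector start would fail with" \
             "'the trustAnchors parameter must be non-empty'" >&2
        return 1
    fi
    echo "trust store $1: $n entries"
}

# Stand-alone run (hypothetical file name): sh build-pki.sh run
if [ "${1:-}" = "run" ]; then
    work=$(mktemp -d)
    gen_server_identity "$work" localhost changeit
    p12_has_alias "$work/certificate.p12" localhost changeit \
        && echo "certificate.p12: alias localhost present"
    if command -v keytool >/dev/null 2>&1; then
        build_truststore "$work/cert.crt" localhost "$work/cert.jks" changeit
        check_truststore "$work/cert.jks"
    fi
    echo "files written to $work"
fi
```

Point `--server.ssl.key-store`, `--server.ssl.key-alias`, `--server.ssl.trust-store` and the two passwords at the files this produces; `check_truststore` on `cert.jks` should report one entry before the jar is started, and reports the empty-store case by name so it can be caught ahead of Tomcat. One caveat worth knowing when the JVM is as old as the 1.8.0_302 in the trace: recent OpenSSL releases write PKCS12 files with PBES2/AES by default, and a JDK that cannot parse that encryption surfaces it as a keystore password error rather than a clear message; `openssl pkcs12 -export -legacy` (OpenSSL 3) writes the older format if that happens.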