SecurityRiskAdvisors / VECTR

VECTR is a tool that facilitates tracking of your red and blue team testing activities to measure detection and prevention capabilities across different attack scenarios

8.0.2 Unable to serve HTTPS connection with custom cert/key: Permission denied #152

Closed tbennett6421 closed 2 years ago

tbennett6421 commented 2 years ago

Describe the bug

On upgrade to 8.0.2, custom TLS certs do not appear to be working; confirmed working with the last 7.x branch. Followed all instructions for upgrading at this link https://docs.vectr.io/upgrading/non-root-migration/

We are using our own pki internally. Firefox reports SSL_ERROR_RX_RECORD_TOO_LONG; and doesn't show a certificate being presented from the server.

To Reproduce

openssl req -x509 -newkey rsa:4096 -keyout ssl.key -out ssl.crt -days 365
cp ssl.crt /opt/vectr/user/certs/
cp ssl.key /opt/vectr/user/certs/
cd /opt/vectr/
sudo docker-compose -f docker-compose.yml up

Expected behavior

docker-compose brings the solution up, and the site is accessible via HTTPS.


Additional context

vectr-tomcat_1         | run-parts: executing /opt/vectr/release/scripts/docker-entrypoint.d/1_configure
vectr-tomcat_1         | run-parts: executing /opt/vectr/release/scripts/docker-entrypoint.d/2_build_certs
vectr-tomcat_1         | cp: cannot open '/opt/vectr/user/certs/ssl.crt' for reading: Permission denied
vectr-tomcat_1         | run-parts: /opt/vectr/release/scripts/docker-entrypoint.d/2_build_certs exited with return code 1
vectr-tomcat_1         | run-parts: executing /opt/vectr/release/scripts/docker-entrypoint.d/3_auth_setup
vectr-tomcat_1         | 25-Oct-2021 21:50:50.742 WARNING [main] org.apache.tomcat.util.net.openssl.OpenSSLContext.init Error initializing SSL context
vectr-tomcat_1         |    java.io.FileNotFoundException: Configured file [/usr/local/tomcat/conf/ssl.crt] does not exist
vectr-tomcat_1         |        at org.apache.tomcat.util.net.SSLHostConfig.adjustRelativePath(SSLHostConfig.java:879)
vectr-tomcat_1         |        at org.apache.tomcat.util.net.openssl.OpenSSLContext.addCertificate(OpenSSLContext.java:380)
vectr-tomcat_1         |        at org.apache.tomcat.util.net.openssl.OpenSSLContext.init(OpenSSLContext.java:250)
vectr-tomcat_1         |        at org.apache.tomcat.util.net.SSLUtilBase.createSSLContext(SSLUtilBase.java:246)
vectr-tomcat_1         |        at org.apache.tomcat.util.net.AprEndpoint.createSSLContext(AprEndpoint.java:397)
vectr-tomcat_1         |        at org.apache.tomcat.util.net.AprEndpoint.bind(AprEndpoint.java:363)
vectr-tomcat_1         |        at org.apache.tomcat.util.net.AbstractEndpoint.bindWithCleanup(AbstractEndpoint.java:1141)
vectr-tomcat_1         |        at org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:1154)
vectr-tomcat_1         |        at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:581)
vectr-tomcat_1         |        at org.apache.coyote.http11.AbstractHttp11Protocol.init(AbstractHttp11Protocol.java:74)
vectr-tomcat_1         |        at org.apache.catalina.connector.Connector.initInternal(Connector.java:1039)
vectr-tomcat_1         |        at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
vectr-tomcat_1         |        at org.apache.catalina.core.StandardService.initInternal(StandardService.java:533)
vectr-tomcat_1         |        at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
vectr-tomcat_1         |        at org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:1057)
vectr-tomcat_1         |        at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:136)
vectr-tomcat_1         |        at org.apache.catalina.startup.Catalina.load(Catalina.java:690)
vectr-tomcat_1         |        at org.apache.catalina.startup.Catalina.load(Catalina.java:712)
vectr-tomcat_1         |        at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
vectr-tomcat_1         |        at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
vectr-tomcat_1         |        at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
vectr-tomcat_1         |        at java.base/java.lang.reflect.Method.invoke(Method.java:566)
vectr-tomcat_1         |        at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:302)
vectr-tomcat_1         |        at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:472)
vectr-tomcat_1         | 25-Oct-2021 21:51:18.509 INFO [https-openssl-apr-8443-exec-2] org.apache.coyote.http11.Http11Processor.service Error parsing HTTP request header
vectr-tomcat_1         |  Note: further occurrences of HTTP request parsing errors will be logged at DEBUG level.
vectr-tomcat_1         |    java.lang.IllegalArgumentException: Invalid character found in method name [0x160x030x010x000x8d0x010x000x000x890x030x03h0xc40xaa0xf1d0xf70x0900x180x8e0xc40xad<0xb90xa00x080xffB0x0a0xe00x0c0xba0xcc]0xe7"0x9f0xe00xdc3Yn0x000x000x160xc0+0xc0/0xc0,0xc000xc00x130xc00x140x000x9c0x000x9d0x00/0x0050x000xff0x010x000x00J0x000x000x000x170x000x150x000x000x12vectr.redacted.com0x000x0a0x000x060x000x040x000x170x000x180x000x0b0x000x020x010x000x000x100x000x0b0x000x090x08http/1.10x000x0d0x000x0c0x000x0a0x040x030x040x010x050x030x050x010x06...]. HTTP method names must be tokens
vectr-tomcat_1         |        at org.apache.coyote.http11.Http11InputBuffer.parseRequestLine(Http11InputBuffer.java:418)
vectr-tomcat_1         |        at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:260)
vectr-tomcat_1         |        at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:65)
vectr-tomcat_1         |        at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:868)
vectr-tomcat_1         |        at org.apache.tomcat.util.net.AprEndpoint$SocketWithOptionsProcessor.run(AprEndpoint.java:1967)
vectr-tomcat_1         |        at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)
vectr-tomcat_1         |        at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
vectr-tomcat_1         |        at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
vectr-tomcat_1         |        at java.base/java.lang.Thread.run(Thread.java:834)
vectr-tomcat_1         | 25-Oct-2021 21:51:18.511 INFO [https-openssl-apr-8443-exec-1] org.apache.coyote.http11.Http11Processor.service Error parsing HTTP request header
vectr-tomcat_1         |  Note: further occurrences of HTTP request parsing errors will be logged at DEBUG level.
vectr-tomcat_1         |    java.lang.IllegalArgumentException: Invalid character found in method name [0x160x030x010x000x8d0x010x000x000x890x030x030xe30x910x0b0xa10xa6l0xd60xa50xa4H%?0x920xbd0xcd0x91-+h30xab0x8c0xd340xc2Dag0x90}0xc9n0x000x000x160xc0+0xc0/0xc0,0xc000xc00x130xc00x140x000x9c0x000x9d0x00/0x0050x000xff0x010x000x00J0x000x000x000x170x000x150x000x000x12vectr.redacted.com0x000x0a0x000x060x000x040x000x170x000x180x000x0b0x000x020x010x000x000x100x000x0b0x000x090x08http/1.10x000x0d0x000x0c0x000x0a0x040x030x040x010x050x030x050x010x06...]. HTTP method names must be tokens
vectr-tomcat_1         |        at org.apache.coyote.http11.Http11InputBuffer.parseRequestLine(Http11InputBuffer.java:418)
vectr-tomcat_1         |        at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:260)
vectr-tomcat_1         |        at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:65)
vectr-tomcat_1         |        at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:868)
vectr-tomcat_1         |        at org.apache.tomcat.util.net.AprEndpoint$SocketWithOptionsProcessor.run(AprEndpoint.java:1967)
vectr-tomcat_1         |        at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)
vectr-tomcat_1         |        at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
vectr-tomcat_1         |        at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
vectr-tomcat_1         |        at java.base/java.lang.Thread.run(Thread.java:834)
vectr-tomcat_1         | 25-Oct-2021 21:51:18.511 INFO [https-openssl-apr-8443-exec-3] org.apache.coyote.http11.Http11Processor.service Error parsing HTTP request header
vectr-tomcat_1         |  Note: further occurrences of HTTP request parsing errors will be logged at DEBUG level.
vectr-tomcat_1         |    java.lang.IllegalArgumentException: Invalid character found in method name [0x160x030x010x020x000x010x000x010xfc0x030x030xcavM0xb90xde(0xa30xc20x7f^0x02)N0x92C`0x030x1f0x970x87`0xd7o0xc0oj0x87K0xf10xe9U0xb3]. HTTP method names must be tokens
vectr-tomcat_1         |        at org.apache.coyote.http11.Http11InputBuffer.parseRequestLine(Http11InputBuffer.java:418)
vectr-tomcat_1         |        at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:260)
vectr-tomcat_1         |        at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:65)
vectr-tomcat_1         |        at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:868)
vectr-tomcat_1         |        at org.apache.tomcat.util.net.AprEndpoint$SocketWithOptionsProcessor.run(AprEndpoint.java:1967)
vectr-tomcat_1         |        at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)
vectr-tomcat_1         |        at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
vectr-tomcat_1         |        at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
vectr-tomcat_1         |        at java.base/java.lang.Thread.run(Thread.java:834)
vectr-tomcat_1         | 25-Oct-2021 21:51:18.511 INFO [https-openssl-apr-8443-exec-4] org.apache.coyote.http11.Http11Processor.service Error parsing HTTP request header
vectr-tomcat_1         |  Note: further occurrences of HTTP request parsing errors will be logged at DEBUG level.
vectr-tomcat_1         |    java.lang.IllegalArgumentException: Invalid character found in method name [0x160x030x010x000x9b0x010x000x000x970x030x030x180x1a00xc90xa60xa4^0xcb0x090xbf0x0b0x1e0xac0xf2N0x140xdf30xb30x02Ay0xfe0xbc0xd1#0xf60xd7<6>/0x000x000x1c0xc0+0xc0/0xc0,0xc000xc00x0a0xc00x090xc00x130xc00x140x000x9c0x000x9d0x00/0x0050x000x0a0x000xff0x010x000x00R0x000x000x000x170x000x150x000x000x12vectr.redacted.com0x000x0a0x000x080x000x060x000x170x000x180x000x190x000x0b0x000x020x010x000x000x100x000x0b0x000x090x08http/1.10x000x0d0x000x120x000x100x040x030x050x030x060x030x040x010x050x010x060x010x020x030x02...]. HTTP method names must be tokens
vectr-tomcat_1         |        at org.apache.coyote.http11.Http11InputBuffer.parseRequestLine(Http11InputBuffer.java:418)
vectr-tomcat_1         |        at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:260)
vectr-tomcat_1         |        at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:65)
vectr-tomcat_1         |        at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:868)
vectr-tomcat_1         |        at org.apache.tomcat.util.net.AprEndpoint$SocketWithOptionsProcessor.run(AprEndpoint.java:1967)
vectr-tomcat_1         |        at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)
vectr-tomcat_1         |        at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
vectr-tomcat_1         |        at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
vectr-tomcat_1         |        at java.base/java.lang.Thread.run(Thread.java:834)

Full docker output is available at the following gist https://gist.github.com/tbennett6421/100741de30c440c054e57969f959b1f9#file-vectr-8x-docker-log
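The bracketed bytes in the "Invalid character found in method name" lines above are the start of a TLS ClientHello: 0x16 is a handshake record, 0x03 0x01 the record-layer version, and the 0x01 after the two-byte length is the ClientHello handshake type. Because 2_build_certs failed and the SSL context never initialized, the 8443 connector handed the raw handshake to Tomcat's HTTP parser and answered in plaintext, which is exactly what Firefox reports as SSL_ERROR_RX_RECORD_TOO_LONG. The decoder below is an added example, not part of this issue or of VECTR; the sample dump is constructed from the first rejected request logged above, and the record-type and handshake-type tables are the standard TLS values.

```python
import re
from typing import Any, Dict

# Sample input constructed from the Tomcat log lines quoted in the report:
# the start of the bracketed "method name" for the first rejected request.
# Tomcat prints non-printable bytes as 0xNN and printable ones as themselves.
SAMPLE_DUMP = "0x160x030x010x000x8d0x010x000x000x890x030x03h0xc40xaa0xf1d0xf70x0900x180x8e"

# One token per byte: either "0x" plus two hex digits, or a single literal character.
_TOKEN = re.compile(r"0x[0-9a-f]{2}|.", re.DOTALL)

RECORD_TYPES = {
    0x14: "change_cipher_spec",
    0x15: "alert",
    0x16: "handshake",
    0x17: "application_data",
}
HANDSHAKE_TYPES = {1: "client_hello", 2: "server_hello"}


def tomcat_dump_to_bytes(dump: str) -> bytes:
    """Turn Tomcat's mixed 0xNN/literal dump back into the raw bytes it received."""
    out = bytearray()
    for tok in _TOKEN.findall(dump):
        if len(tok) == 4 and tok.startswith("0x"):
            out.append(int(tok[2:], 16))
        else:
            out.extend(tok.encode("latin-1", "replace"))
    return bytes(out)


def classify_tls_record(data: bytes) -> Dict[str, Any]:
    """Parse a TLS record header (type, version, length) and, for a handshake
    record, the handshake header and the client_version field of a ClientHello."""
    info: Dict[str, Any] = {"is_tls": False}
    if len(data) < 5 or data[0] not in RECORD_TYPES or data[1] != 3:
        return info  # not a TLS record; real HTTP starts with an ASCII method token
    info.update(
        is_tls=True,
        record_type=RECORD_TYPES[data[0]],
        record_version=(data[1], data[2]),
        record_length=int.from_bytes(data[3:5], "big"),
    )
    if data[0] == 0x16 and len(data) >= 11:
        info["handshake_type"] = HANDSHAKE_TYPES.get(data[5], f"unknown({data[5]})")
        info["handshake_length"] = int.from_bytes(data[6:9], "big")
        # A record holding one handshake message is the 4-byte handshake header plus its body.
        info["lengths_consistent"] = info["record_length"] == info["handshake_length"] + 4
        info["client_version"] = (data[9], data[10])
    return info


def diagnose(dump: str) -> str:
    """Map a Tomcat 'Invalid character found in method name [...]' dump to a verdict."""
    info = classify_tls_record(tomcat_dump_to_bytes(dump))
    if info.get("handshake_type") == "client_hello":
        # A ClientHello reached a connector that is parsing plain HTTP: TLS never came up.
        return "tls_client_hello_on_plaintext_listener"
    if info["is_tls"]:
        return "tls_record_on_plaintext_listener"
    return "not_tls"


if __name__ == "__main__":
    print(classify_tls_record(tomcat_dump_to_bytes(SAMPLE_DUMP)))
    print(diagnose(SAMPLE_DUMP))
```

Run it against any of the dumps in the log and the verdict is the same: clients are speaking TLS 1.2/1.3 (client_version 3.3 in the hello) to a port that is serving HTTP, so the browser error is a symptom of the failed cert copy, not of the certificate itself.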

SRAPSpencer commented 2 years ago

Thanks for the detailed bug report. We'll look into this when able and report back.

Paul

carlvonderheid commented 2 years ago

Can you verify that in your docker-compose.yml, the "user" directory is a bind-mount and not a named volume? It should look like this:

      - ./user:/opt/vectr/user
      #- vectr-user:/opt/vectr/user
tbennett6421 commented 2 years ago

  vectr-tomcat:
    image: securityriskadvisors/vectr_tomcat:8.0.2
    networks:
      vectr_bridge:
        aliases:
          - ${VECTR_HOSTNAME}
    volumes:
      #- ./resources:/opt/vectr/resources
      - vectr-resources:/opt/vectr/resources
      - ./user:/opt/vectr/user
      #- vectr-user:/opt/vectr/user
      #- ./logs:/usr/local/tomcat/logs
      - vectr-logs:/usr/local/tomcat/logs
      - builder-runtimes:/opt/vectr/rta

carlvonderheid commented 2 years ago

Does the user vectr on the host have a uid/gid of 10001/10001?

tbennett6421 commented 2 years ago

uid=1001(vectr) gid=1001(vectr) groups=1001(vectr),999(docker)

carlvonderheid commented 2 years ago

Can you try to make the gid for vectr 10001?

https://docs.vectr.io/upgrading/non-root-migration/#1-configure-permissions-for-vectr-directories

carlvonderheid commented 2 years ago

There's a writeup of what's going on in the FAQ if you want to know what's going on under the hood:

https://docs.vectr.io/upgrading/non-root-migration/faq/
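The failure chain in this thread is purely a uid/gid mismatch across a bind mount: the files under ./user are owned by the host's vectr user (1001), the container's entrypoint runs as the non-root VECTR user and applies ordinary owner/group/other mode bits, so a 0600 key owned by 1001 is unreadable to 10001. The pre-flight check below is an added example, not from this thread or from VECTR. It assumes the container user is 10001:10001 (the value carlvonderheid asks about) and the compose layout shown above (./user bind-mounted to /opt/vectr/user, certs in ./user/certs); run it on the host before docker-compose up.

```python
import os
import stat
from typing import List

# Assumptions, not taken from the thread: the non-root VECTR containers run as 10001:10001
# and the custom cert/key are read from <user_dir>/certs/ssl.crt and ssl.key, where
# <user_dir> is the host side of the ./user:/opt/vectr/user bind mount.
CONTAINER_UID = 10001
CONTAINER_GID = 10001
CERT_FILES = ("ssl.crt", "ssl.key")


def _mode_class(st_uid: int, st_gid: int, uid: int, gid: int) -> str:
    """Which set of mode bits the kernel applies for uid/gid: owner, group or other."""
    if st_uid == uid:
        return "usr"
    if st_gid == gid:
        return "grp"
    return "oth"


def readable_by(st_uid: int, st_gid: int, st_mode: int, uid: int, gid: int) -> bool:
    """Plain POSIX read check from the viewpoint of uid/gid. Ignores root,
    supplementary groups, ACLs and mount options (assumption: adequate pre-flight)."""
    bits = {"usr": stat.S_IRUSR, "grp": stat.S_IRGRP, "oth": stat.S_IROTH}
    return bool(st_mode & bits[_mode_class(st_uid, st_gid, uid, gid)])


def searchable_by(st_uid: int, st_gid: int, st_mode: int, uid: int, gid: int) -> bool:
    """Same check for the execute (search) bit, which every directory on the path needs."""
    bits = {"usr": stat.S_IXUSR, "grp": stat.S_IXGRP, "oth": stat.S_IXOTH}
    return bool(st_mode & bits[_mode_class(st_uid, st_gid, uid, gid)])


def _describe(path: str, st: os.stat_result, uid: int, gid: int, what: str) -> str:
    return (f"{path}: {what} by {uid}:{gid} "
            f"(owner {st.st_uid}:{st.st_gid}, mode {stat.S_IMODE(st.st_mode):04o})")


def check_cert_access(user_dir: str, uid: int = CONTAINER_UID, gid: int = CONTAINER_GID) -> List[str]:
    """List everything that would make the entrypoint's cert copy fail when it runs
    as uid:gid inside the container. An empty list means the copy should succeed."""
    problems: List[str] = []
    certs_dir = os.path.join(user_dir, "certs")
    for d in (user_dir, certs_dir):  # both directories must be searchable
        try:
            st = os.stat(d)
        except FileNotFoundError:
            problems.append(f"{d}: missing")
            return problems
        if not searchable_by(st.st_uid, st.st_gid, st.st_mode, uid, gid):
            problems.append(_describe(d, st, uid, gid, "not searchable"))
    for name in CERT_FILES:  # both files must be readable
        path = os.path.join(certs_dir, name)
        try:
            st = os.stat(path)
        except FileNotFoundError:
            problems.append(f"{path}: missing")
            continue
        if not readable_by(st.st_uid, st.st_gid, st.st_mode, uid, gid):
            problems.append(_describe(path, st, uid, gid, "not readable"))
    return problems


def suggested_fix(user_dir: str, uid: int = CONTAINER_UID, gid: int = CONTAINER_GID) -> str:
    """One remedy: hand the bind-mounted tree to the container's uid/gid. The thread's
    own fix (re-numbering the host vectr user to 10001:10001) is the same thing seen
    from the other side. Either keeps the key at 0600; do not make it world-readable."""
    return f"chown -R {uid}:{gid} {user_dir}"


if __name__ == "__main__":
    import sys
    user_dir = sys.argv[1] if len(sys.argv) > 1 else "/opt/vectr/user"
    for line in check_cert_access(user_dir) or ["ok: certs readable by the container user"]:
        print(line)
```

The check deliberately reports a 0600 private key owned by the wrong uid as a problem rather than suggesting chmod 644: the secure state is a key readable only by the service's uid, so the ownership (or, as in this thread, the host user's uid/gid) is what has to change.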

tbennett6421 commented 2 years ago

uid=10001(vectr) gid=10001(vectr) groups=10001(vectr),999(docker)

That appears to have fixed it. Thank you greatly.