Unicon / shibboleth-idp-dockerized

A Shibboleth Identity Provider (IdP) base-image
Apache License 2.0

Exception in thread "main" java.lang.IllegalStateException: no valid keystore #58

Closed renepardon closed 5 years ago

renepardon commented 5 years ago

I've created the IdP metadata/credentials as explained within the README.md of this repository but receive the following error:

shibboleth-idp-local | 2018-12-10 07:38:43.491:INFO:oejsh.ContextHandler:main: Started o.e.j.w.WebAppContext@457e2f02{/idp,[file:///tmp/jetty-0.0.0.0-8443-webapp-_idp-any-5051491019704864767.dir/webinf/, file:///opt/shibboleth-identity-provider-3.3.3/webapp/],AVAILABLE}{/opt/shibboleth-idp/webapp/}
shibboleth-idp-local | 2018-12-10 07:38:43.675:INFO:oejus.SslContextFactory:main: x509=X509@7c1503a3(localhost,h=[localhost],w=[]) for DelegateToApplicationSslContextFactory@586495f1(file:///opt/shibboleth-identity-provider-3.3.3/credentials/idp-backchannel.p12,null)
shibboleth-idp-local | 2018-12-10 07:38:43.774:INFO:oejs.AbstractConnector:main: Started ServerConnector@3e5b30a{SSL,[ssl, http/1.1]}{0.0.0.0:8443}
shibboleth-idp-local | 2018-12-10 07:38:43.777:INFO:oejs.AbstractConnector:main: Started ServerConnector@6fddbf28{HTTP/1.1,[http/1.1]}{0.0.0.0:8080}
shibboleth-idp-local | Exception in thread "main" java.lang.IllegalStateException: no valid keystore
shibboleth-idp-local |     at org.eclipse.jetty.util.security.CertificateUtils.getKeyStore(CertificateUtils.java:48)
shibboleth-idp-local |     at org.eclipse.jetty.util.ssl.SslContextFactory.loadKeyStore(SslContextFactory.java:1037)
shibboleth-idp-local |     at org.eclipse.jetty.util.ssl.SslContextFactory.load(SslContextFactory.java:254)
shibboleth-idp-local |     at org.eclipse.jetty.util.ssl.SslContextFactory.doStart(SslContextFactory.java:221)
shibboleth-idp-local |     at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:68)
shibboleth-idp-local |     at org.eclipse.jetty.util.component.ContainerLifeCycle.start(ContainerLifeCycle.java:131)
shibboleth-idp-local |     at org.eclipse.jetty.util.component.ContainerLifeCycle.doStart(ContainerLifeCycle.java:113)
shibboleth-idp-local |     at org.eclipse.jetty.server.SslConnectionFactory.doStart(SslConnectionFactory.java:72)
shibboleth-idp-local |     at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:68)
shibboleth-idp-local |     at org.eclipse.jetty.util.component.ContainerLifeCycle.start(ContainerLifeCycle.java:131)
shibboleth-idp-local |     at org.eclipse.jetty.util.component.ContainerLifeCycle.doStart(ContainerLifeCycle.java:113)
shibboleth-idp-local |     at org.eclipse.jetty.server.AbstractConnector.doStart(AbstractConnector.java:268)
shibboleth-idp-local |     at org.eclipse.jetty.server.AbstractNetworkConnector.doStart(AbstractNetworkConnector.java:81)
shibboleth-idp-local |     at org.eclipse.jetty.server.ServerConnector.doStart(ServerConnector.java:235)
shibboleth-idp-local |     at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:68)
shibboleth-idp-local |     at org.eclipse.jetty.server.Server.doStart(Server.java:406)
shibboleth-idp-local |     at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:68)
shibboleth-idp-local |     at org.eclipse.jetty.xml.XmlConfiguration$1.run(XmlConfiguration.java:1540)
shibboleth-idp-local |     at java.security.AccessController.doPrivileged(Native Method)
shibboleth-idp-local |     at org.eclipse.jetty.xml.XmlConfiguration.main(XmlConfiguration.java:1462)

An example repository can be found here: https://github.com/renepardon/shibboleth-idp

I used changeme as the password when asked, and localhost for the configuration of the IdP.

So I'm not able to access the IdP through https://localhost/idp/

renepardon commented 5 years ago

When using HTTP it looks like this:

[screenshot 2018-12-10 09 08 36]

jtgasper3 commented 5 years ago

I'd recommend checking out https://github.com/UniconLabs/dockerized-idp-testbed. It has a full working impl.

paulerickson commented 5 years ago

@renepardon: I ran into the same issue, after running

docker run -it -v $(pwd):/ext-mount --rm unicon/shibboleth-idp init-idp.sh
# here I was prompted for two passphrases; I typed "secret" for both

to generate the customized-shibboleth-idp directory, I overlooked these extra steps to set up that SSL keystore (I left the passphrase blank, just tapping enter):

# generate an unencrypted RSA key (-nodes) and a self-signed certificate valid for one year
openssl req -newkey rsa:2048 -nodes -keyout key.pem -x509 -days 365 -out certificate.pem
# inspect the certificate that was just created
openssl x509 -text -noout -in certificate.pem
# bundle key and certificate into the PKCS#12 keystore for the browser-facing connector;
# this is the export password prompt where I just hit enter (blank)
openssl pkcs12 -inkey key.pem -in certificate.pem -export -out idp-browser.p12
sudo mv idp-browser.p12 customized-shibboleth-idp/credentials
# browser keystore password is blank (see export above), backchannel password is the one typed at init-idp.sh
sudo docker run -p 4443:4443 -p 8443:8443 -v $PWD/customized-shibboleth-idp/:/opt/shibboleth-idp/ -e JETTY_BROWSER_SSL_KEYSTORE_PASSWORD= -e JETTY_BACKCHANNEL_SSL_KEYSTORE_PASSWORD=secret unicon/shibboleth-idp

The env vars are not so obvious to me, but note that one is "secret" from the first step, and one is blank from how I made the keystore in the second step. I feel like one is missing, since I thought I was prompted twice in the initial setup… but anyway, from just running that much in an empty directory, I got it to start up without error and I can go to https://localhost:8443/ and look at a Jetty 404 page.

Since it is SSL, you're going to see undecoded binary like that when you try to use HTTP in the browser. If you trip on that a lot, you could map it to the standard HTTPS port 443 instead.
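The "no valid keystore" in the title is Jetty's SslContextFactory failing to open one of the two PKCS#12 files at startup, which only shows up after the container is already running. A pre-flight check that opens each keystore with the exact password that will be passed through JETTY_BROWSER_SSL_KEYSTORE_PASSWORD and JETTY_BACKCHANNEL_SSL_KEYSTORE_PASSWORD catches a wrong or missing password, a missing file, or a file that is not PKCS#12 at all, before docker run. This is an added example, not code from the Unicon image or from this thread; it assumes openssl is on PATH and the credentials directory layout used above (idp-browser.p12 and idp-backchannel.p12 under customized-shibboleth-idp/credentials). The function and file names are my own.

```shell
#!/bin/sh
# Pre-flight keystore check for the Shibboleth IdP container (added example,
# not part of the unicon/shibboleth-idp image). Requires `openssl` on PATH.

# check_keystore FILE PASSWORD
# Returns 0 if FILE is a PKCS#12 keystore whose MAC verifies with PASSWORD,
# 1 otherwise (file missing, wrong password, or not a PKCS#12 file).
check_keystore() {
    f=$1
    pw=$2
    [ -f "$f" ] || return 1
    # -noout: parse the bundle and verify its MAC, write nothing to stdout
    openssl pkcs12 -in "$f" -noout -passin "pass:$pw" >/dev/null 2>&1
}

# make_demo_keystore DIR PASSWORD
# Builds a throwaway self-signed key+cert and packages them as DIR/demo.p12,
# the same openssl steps as above but non-interactive (constructed test data).
make_demo_keystore() {
    d=$1
    pw=$2
    openssl req -newkey rsa:2048 -nodes -keyout "$d/key.pem" -x509 -days 1 \
        -subj "/CN=localhost" -out "$d/cert.pem" >/dev/null 2>&1 || return 1
    openssl pkcs12 -inkey "$d/key.pem" -in "$d/cert.pem" -export \
        -out "$d/demo.p12" -passout "pass:$pw" >/dev/null 2>&1
}

# preflight CREDENTIALS_DIR BROWSER_PASSWORD BACKCHANNEL_PASSWORD
# Checks both keystores Jetty will load, using the same values that go into
# JETTY_BROWSER_SSL_KEYSTORE_PASSWORD / JETTY_BACKCHANNEL_SSL_KEYSTORE_PASSWORD.
# Reports every failing keystore and returns non-zero if any failed.
preflight() {
    cred=$1
    rc=0
    check_keystore "$cred/idp-browser.p12" "$2" || {
        echo "idp-browser.p12: missing, not PKCS#12, or wrong browser password" >&2
        rc=1
    }
    check_keystore "$cred/idp-backchannel.p12" "$3" || {
        echo "idp-backchannel.p12: missing, not PKCS#12, or wrong backchannel password" >&2
        rc=1
    }
    return $rc
}

# Usage, from the directory that holds customized-shibboleth-idp/, with a blank
# browser password and "secret" for the backchannel as in the commands above:
#   preflight customized-shibboleth-idp/credentials "" secret \
#     && sudo docker run -p 4443:4443 -p 8443:8443 \
#          -v "$PWD/customized-shibboleth-idp/:/opt/shibboleth-idp/" \
#          -e JETTY_BROWSER_SSL_KEYSTORE_PASSWORD= \
#          -e JETTY_BACKCHANNEL_SSL_KEYSTORE_PASSWORD=secret unicon/shibboleth-idp
```

Running the check with the same shell variables you then hand to docker run means the two can't drift apart; if the backchannel keystore was made by init-idp.sh with one passphrase and the browser keystore by hand with another, preflight tells you which of the two does not match before Jetty gets the chance to throw.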

renepardon commented 5 years ago

I'll give it a try within the next couple of weeks @paulerickson :)