diennea / carapaceproxy

A Distributed Java Reverse Proxy
Apache License 2.0

Listeners > Listener not booting when certificate is unreachable #506

Open hamadodene opened 2 weeks ago

hamadodene commented 2 weeks ago

While attempting to update Carapace with the branch 410-http2-enable-http2-h2, Carapace fails to start due to this error:

SEVERE: No dynamic certificate available for domain cara8testxx.example.it
Oct 28, 2024 9:20:55 AM org.carapaceproxy.core.ListeningChannel bootSslContext
SEVERE: ERROR booting listener
java.io.IOException: keystore password was incorrect
        at java.base/sun.security.pkcs12.PKCS12KeyStore.engineLoad(PKCS12KeyStore.java:2097)
        at java.base/sun.security.util.KeyStoreDelegator.engineLoad(KeyStoreDelegator.java:228)
        at java.base/java.security.KeyStore.load(KeyStore.java:1500)
        at org.carapaceproxy.utils.CertificatesUtils.loadKeyStoreData(CertificatesUtils.java:179)
        at org.carapaceproxy.core.ListeningChannel.bootSslContext(ListeningChannel.java:140)
        at org.carapaceproxy.core.ListeningChannel.map(ListeningChannel.java:106)
        at org.carapaceproxy.core.ListeningChannel.applySslContext(ListeningChannel.java:213)
        at org.carapaceproxy.core.Listeners.lambda$bootListener$1(Listeners.java:199)
        at reactor.netty.http.server.HttpServer.secure(HttpServer.java:807)
        at reactor.netty.http.server.HttpServer.secure(HttpServer.java:776)
        at org.carapaceproxy.core.Listeners.bootListener(Listeners.java:191)
        at org.carapaceproxy.core.Listeners.reloadConfiguration(Listeners.java:165)
        at org.carapaceproxy.core.Listeners.start(Listeners.java:101)
        at org.carapaceproxy.core.HttpProxyServer.start(HttpProxyServer.java:446)
        at org.carapaceproxy.launcher.ServerMain.start(ServerMain.java:181)
        at org.carapaceproxy.launcher.ServerMain.main(ServerMain.java:129)
Caused by: java.security.UnrecoverableKeyException: failed to decrypt safe contents entry: javax.crypto.BadPaddingException: Given final block not properly padded. Such issues can arise if a bad key is used during decryption.
        ... 16 more

The certificate in question, which is being loaded, is actually in an UNREACHABLE state, meaning there is no certificate, or there may not be a certificate available for this domain.

Therefore, we need to ensure that we load ONLY certificates that are in the AVAILABLE state.

hamadodene commented 2 weeks ago

I get the same error for another certificate, but it's available:

Oct 28, 2024 5:52:18 PM org.carapaceproxy.core.ListeningChannel map
SEVERE: Error booting certificate for SNI hostname cara17test.example.it, on listener NetworkListenerConfiguration[host=0.0.0.0, port=4089, ssl=true, sslCiphers=, defaultCertificate=*, sslProtocols=[TLSv1.3], soBacklog=128, keepAlive=true, keepAliveIdle=300, keepAliveInterval=60, keepAliveCount=8, maxKeepAliveRequests=10, forwardedStrategy=IF_TRUSTED, trustedIps=[127.0.0.1], protocols=[H2], group=DefaultChannelGroup(name: group-0x2, size: 0)]
org.carapaceproxy.server.config.ConfigurationNotValidException: java.io.IOException: keystore password was incorrect
        at org.carapaceproxy.core.ListeningChannel.bootSslContext(ListeningChannel.java:168)
        at org.carapaceproxy.core.ListeningChannel.map(ListeningChannel.java:106)
        at org.carapaceproxy.core.ListeningChannel.applySslContext(ListeningChannel.java:213)
        at org.carapaceproxy.core.Listeners.lambda$bootListener$1(Listeners.java:199)
        at reactor.netty.http.server.HttpServer.secure(HttpServer.java:807)
        at reactor.netty.http.server.HttpServer.secure(HttpServer.java:776)
        at org.carapaceproxy.core.Listeners.bootListener(Listeners.java:191)
        at org.carapaceproxy.core.Listeners.reloadConfiguration(Listeners.java:165)
        at org.carapaceproxy.core.Listeners.start(Listeners.java:101)
        at org.carapaceproxy.core.HttpProxyServer.start(HttpProxyServer.java:446)
        at org.carapaceproxy.launcher.ServerMain.start(ServerMain.java:181)
        at org.carapaceproxy.launcher.ServerMain.main(ServerMain.java:129)
Caused by: java.io.IOException: keystore password was incorrect
        at java.base/sun.security.pkcs12.PKCS12KeyStore.engineLoad(PKCS12KeyStore.java:2097)
        at java.base/sun.security.util.KeyStoreDelegator.engineLoad(KeyStoreDelegator.java:228)
        at java.base/java.security.KeyStore.load(KeyStore.java:1500)
        at org.carapaceproxy.utils.CertificatesUtils.loadKeyStoreData(CertificatesUtils.java:180)
        at org.carapaceproxy.core.ListeningChannel.bootSslContext(ListeningChannel.java:140)
        ... 11 more
Caused by: java.security.UnrecoverableKeyException: failed to decrypt safe contents entry: javax.crypto.BadPaddingException: Given final block not properly padded. Such issues can arise if a bad key is used during decryption.
        ... 16 more
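A defensive version of the per-SNI certificate loading step, added here as an illustration and not taken from Carapace's own code: records are filtered on their state before any keystore is opened (the UNREACHABLE case in the first comment), and a keystore that still fails to load is reported and skipped instead of aborting the whole listener (the AVAILABLE-but-failing case in the second comment). `CertState`, `CertRecord`, `SniCertificateLoader` and the constructed records in `main` are assumed names and sample data, not the project's API.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.util.*;
import java.util.logging.Logger;

public class SniCertificateLoader {
    private static final Logger LOG = Logger.getLogger(SniCertificateLoader.class.getName());

    // Hypothetical certificate lifecycle states; only AVAILABLE carries usable key material.
    enum CertState { WAITING, UNREACHABLE, AVAILABLE, EXPIRED }

    // Hypothetical record of what the dynamic-certificate store holds for one domain.
    record CertRecord(String domain, CertState state, byte[] pkcs12, char[] password) {}

    /** Opens one PKCS12 keystore per domain, skipping entries that are not AVAILABLE or that fail to load. */
    static Map<String, KeyStore> loadSniKeyStores(Collection<CertRecord> records) {
        Map<String, KeyStore> loaded = new LinkedHashMap<>();
        for (CertRecord rec : records) {
            if (rec.state() != CertState.AVAILABLE || rec.pkcs12() == null) {
                // An UNREACHABLE or WAITING entry has no certificate yet: there is nothing to open.
                LOG.warning("Skipping SNI hostname " + rec.domain() + ": certificate state is " + rec.state());
                continue;
            }
            try {
                KeyStore ks = KeyStore.getInstance("PKCS12");
                ks.load(new ByteArrayInputStream(rec.pkcs12()), rec.password());
                if (!hasPrivateKeyEntry(ks)) {
                    LOG.warning("Skipping SNI hostname " + rec.domain() + ": keystore holds no private key entry");
                    continue;
                }
                loaded.put(rec.domain(), ks);
            } catch (IOException | GeneralSecurityException e) {
                // A wrong password surfaces here as IOException("keystore password was incorrect").
                // One bad entry must not prevent the listener from booting: report it and move on.
                LOG.severe("Cannot load certificate for " + rec.domain() + ": " + e.getMessage());
            }
        }
        return loaded;
    }

    private static boolean hasPrivateKeyEntry(KeyStore ks) throws GeneralSecurityException {
        for (Enumeration<String> aliases = ks.aliases(); aliases.hasMoreElements(); ) {
            if (ks.isKeyEntry(aliases.nextElement())) return true;
        }
        return false;
    }

    public static void main(String[] args) {
        // Constructed sample input: one domain with no certificate yet, one with garbage bytes.
        List<CertRecord> records = List.of(
                new CertRecord("example-unreachable.test", CertState.UNREACHABLE, null, null),
                new CertRecord("example-broken.test", CertState.AVAILABLE, new byte[] {1, 2, 3}, "x".toCharArray()));
        System.out.println("Loaded keystores: " + loadSniKeyStores(records).keySet()); // prints an empty set
    }
}
```

The listener then builds its SNI mapping only from the returned map, so a missing or unreadable certificate degrades that one hostname rather than the whole port.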