irods-contrib / metalnx-web

Metalnx Web Application
https://metalnx.github.io/
BSD 3-Clause "New" or "Revised" License

Configuring Metalnx against irods with ssl: [ERROR]: Metalnx was not able to contact iRODS server #41

Closed roadn closed 4 years ago

roadn commented 6 years ago

Hello

I am trying to configure metalnx 1.1.1-3 to connect to an instance of irods 4.1.10 with ssl.

I have created the keystore file on the metalnx server:

    keytool -import -alias irodscertificate -file /etc/pki/tls/certs/irodsCA.pem -keystore irodskeystore

and modified the file /usr/share/tomcat/conf/tomcat.conf

    JAVA_OPTS="-Djavax.net.ssl.trustStore=/etc/pki/tls/certs/irodskeystore -Djavax.net.ssl.trustStorePassword=xxxx"

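When I run : python /opt/emc/setup_metalnx.py I get an error at step Executing config_irods (8/13)

  • Testing iRODS connection... [ERROR]: Metalnx was not able to contact iRODS server. Check your parameters and try again.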

In the rodsLog on the remote irods server I have a SSL_HANDSHAKE_ERROR

    Apr 19 17:20:35 pid:1587 NOTICE: Agent process 19423 exited with status 10240
    Apr 19 17:24:10 pid:1587 NOTICE: Agent process 19576 started for puser=rods and cuser=rods from
    Apr 19 17:24:10 pid:19576 ERROR: [-] iRODS/server/core/src/rodsAgent.cpp:246:main : status [SSL_HANDSHAKE_ERROR] errno [] -- message []
    [-] iRODS/lib/core/src/sockComm.cpp:131:sockAgentStart : status [SSL_HANDSHAKE_ERROR] errno [] -- message [failed to call 'agent start']
    [-] libssl.cpp:841:ssl_agent_start : status [SSL_HANDSHAKE_ERROR] errno [] -- message [error calling SSL_accept | error:14094438:SSL routines:ssl3_read_bytes:tlsv1 alert internal error]

In the tomcat log /usr/share/tomcat/logs/localhost.2018-04-23.log I have a SEVERE error

    SEVERE: Exception sending context initialized event to listener instance of class org.springframework.web.context.ContextLoaderListener
    java.lang.IllegalArgumentException: Illegal base64 character 3c
        at java.util.Base64$Decoder.decode0(Base64.java:714)
        at java.util.Base64$Decoder.decode(Base64.java:526)
        at org.springframework.util.Base64Utils$JdkBase64Delegate.decode(Base64Utils.java:150)
        at org.springframework.util.Base64Utils.decodeFromString(Base64Utils.java:124)
        at com.emc.metalnx.context.EncodedPropertiesConfigurer.decodePassword(EncodedPropertiesConfigurer.java:68)
        at com.emc.metalnx.context.EncodedPropertiesConfigurer.processProperties(EncodedPropertiesConfigurer.java:47)
        at org.springframework.beans.factory.config.PropertyResourceConfigurer.postProcessBeanFactory(PropertyResourceConfigurer.java:86)
        at org.springframework.context.support.PostProcessorRegistrationDelegate.invokeBeanFactoryPostProcessors(PostProcessorRegistrationDelegate.java:265)
        at org.springframework.context.support.PostProcessorRegistrationDelegate.invokeBeanFactoryPostProcessors(PostProcessorRegistrationDelegate.java:162)
        at org.springframework.context.support.AbstractApplicationContext.invokeBeanFactoryPostProcessors(AbstractApplicationContext.java:606)
        at org.springframework.context.support.AbstractApplicationContext.refresh(AbstractApplicationContext.java:462)
        at org.springframework.web.context.ContextLoader.configureAndRefreshWebApplicationContext(ContextLoader.java:403)
        at org.springframework.web.context.ContextLoader.initWebApplicationContext(ContextLoader.java:306)
        at org.springframework.web.context.ContextLoaderListener.contextInitialized(ContextLoaderListener.java:106)
        at org.apache.catalina.core.StandardContext.listenerStart(StandardContext.java:5118)
        at org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5634)
        at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:145)
        at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:899)
        at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:875)
        at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:652)
        at org.apache.catalina.startup.HostConfig.deployDirectory(HostConfig.java:1260)
        at org.apache.catalina.startup.HostConfig$DeployDirectory.run(HostConfig.java:2002)
        at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
        at java.util.concurrent.FutureTask.run(FutureTask.java:266)
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
        at java.lang.Thread.run(Thread.java:748)

Do you know what could be wrong in my configuration ?

Thanks in advance

michael-conway commented 6 years ago

can you rerun with -Djavax.net.debug=all

What JDK is this, I'm curious about the TLSv1 error and wondering if you are using an unsupported ssl protocol?


roadn commented 6 years ago

Hello, the JDK version is as follows

    openjdk version "1.8.0_161"
    OpenJDK Runtime Environment (build 1.8.0_161-b14)
    OpenJDK 64-Bit Server VM (build 25.161-b14, mixed mode)

I added -Djavax.net.debug=all in the JAVA_OPTS in the tomcat.conf and restarted tomcat but I do not see more information in the logs. I attach the logs. localhost.2018-04-23.log catalina.2018-04-23.log

Thank you in advance

roadn commented 6 years ago

Hello, did you have time to review the logs ? Thanks in advance.

michael-conway commented 6 years ago

I found this odd...

    SEVERE: Exception sending context initialized event to listener instance of class org.springframework.web.context.ContextLoaderListener
    java.lang.IllegalArgumentException: Illegal base64 character 3c
        at java.util.Base64$Decoder.decode0(Base64.java:714)

This sounds more like an error in the MetaLnx configuration, I know that in the 1.X versions they utilized environment variables etc, in the 2.x version all that has been consolidated into an etc properties file. This may be a confounding error separate from any SSL configuration issues, it may crop up again after you fix any ssl issues.

As for SSL I think it's a tomcat config issue and probably separate from the base64 encoding issue for the password. For ssl certs, what I typically do is run via Docker and import the cert into the java keystore. I have seen issues before using the Tomcat keystore semantics and typically just go right to the JVM and place the certs there.

Check out the docker packaging we're doing for the updated MetaLnx version...

https://github.com/irods-contrib/metalnx-web/blob/master/packaging/docker/runit.sh

This seems to work quite well for Tomcat, and may be a better way to go, as I expect that MetaLnx will get a Spring Boot startup option soon and no longer require a container!

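The stack trace quoted above shows `EncodedPropertiesConfigurer.decodePassword` Base64-decoding a configured password and failing on character `3c`, which is `<`. As an added example (not Metalnx code and not part of the thread), this Python check flags password properties that a basic Base64 decoder would reject; the key names, the `password` suffix rule and the sample file contents are assumptions.

```python
import string

# Characters accepted by a basic Base64 decoder; '=' is only trailing padding.
B64_ALPHABET = set(string.ascii_letters + string.digits + "+/")


def parse_properties(text):
    """Minimal .properties reader: key=value lines, '#' or '!' comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def base64_problem(value):
    """Return why the value would be rejected, or None if it looks decodable."""
    body = value.rstrip("=")
    for offset, ch in enumerate(body):
        if ch not in B64_ALPHABET:
            # Same hex form as the JVM message: '<' (0x3c) is reported as "3c".
            return "illegal base64 character %x at offset %d" % (ord(ch), offset)
    if len(body) % 4 == 1:
        return "truncated value: last unit has too few bits"
    return None


def check_encoded_passwords(text, suffix="password"):
    """Map each password-like key (assumed naming rule) to its decode problem."""
    problems = {}
    for key, value in parse_properties(text).items():
        reason = base64_problem(value) if key.lower().endswith(suffix) else None
        if reason:
            problems[key] = reason
    return problems


# Constructed sample; the keys and values are hypothetical, not a real Metalnx file.
SAMPLE = """\
# constructed example
db.username=metalnx
db.password=<not-set>
irods.password=c2VjcmV0
jobs.password=c2Vjc
"""

if __name__ == "__main__":
    for key, reason in check_encoded_passwords(SAMPLE).items():
        print(key, "->", reason)  # never print the password values themselves
```
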

trel commented 4 years ago

closing this - SSL works when run with Docker container and certs in the appropriate location.