kumuluz / kumuluzee

Lightweight open-source framework for developing microservices using standard Java EE technologies and migrating Java EE to cloud-native architecture.
https://ee.kumuluz.com
MIT License

Enabling HTTPS causes Jetty in KumuluzEE 3.11 to fail to start #182

Closed danpfe closed 3 years ago

danpfe commented 3 years ago

After upgrading to KumuluzEE 3.11 I am receiving the error SEVERE -- com.kumuluz.ee.jetty.JettyServletServer -- KeyStores with multiple certificates are not supported on the base class org.eclipse.jetty.util.ssl.SslContextFactory. (Use org.eclipse.jetty.util.ssl.SslContextFactory$Server or org.eclipse.jetty.util.ssl.SslContextFactory$Client instead) and from a bit of research this seems to be caused by the upgrade of the Jetty dependencies (in 3.10.0).

My keystore does not contain multiple keypairs, but it does contain a keypair where the primary certificate's intermediate is in the chain. Although incorrect, I removed the intermediate to see if that's the reason for the startup-failure, but I was greeted with the same error message. Then I tried to convert the PKCS12-keystore to a JKS-keystore, just to see if that helps, but the result is still the same.

To clarify, it worked in KumuluzEE 3.9.0, stopped working in 3.10.0 and still doesn't work in 3.11.0.

MBJuric commented 3 years ago

Hi Daniel, thanks for your feedback, we will look at the issue and let you know. BR, Matjaz

urbim commented 3 years ago

Hi @danpfe!

I'm unable to reproduce this, even with multiple keypairs in my keystore. Could you provide a minimum sample of config.yml and keystore (not the production one, of course) with which the error happens?

Judging from the error description, the fix is simple, but I would really like to confirm it beforehand.

danpfe commented 3 years ago

Hi @urbim, sorry for the late answer. Didn't get around to checking until today. Indeed, when it's an absolute minimal sample with a minimal CA created for this purpose, it starts just fine. I'll have to figure out if an extension triggers this or if the certificates have a different make-up that may trigger this. I'll get back to you as soon as I have tested further.

danpfe commented 3 years ago

Hi again @urbim. I uploaded a sample repo to https://github.com/danpfe/kee-bughunt containing a throwaway CA and certificates. From what I could identify relatively quickly after being able to reproduce the issue, it seems that multiple SAN DNS names are what cause this.
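The Jetty error quoted in the report says that the base `SslContextFactory` class refuses a keystore it sees as holding several certificates and points at `SslContextFactory$Server` as the replacement. The following is an added example, not code from KumuluzEE or from the sample repository, of how an embedded Jetty 9.4 HTTPS connector is built on the server-specific `SslContextFactory.Server` class; the keystore path, password and port are placeholders.

```java
import org.eclipse.jetty.server.HttpConfiguration;
import org.eclipse.jetty.server.HttpConnectionFactory;
import org.eclipse.jetty.server.SecureRequestCustomizer;
import org.eclipse.jetty.server.Server;
import org.eclipse.jetty.server.ServerConnector;
import org.eclipse.jetty.server.SslConnectionFactory;
import org.eclipse.jetty.util.ssl.SslContextFactory;

public class HttpsServerExample {

    public static void main(String[] args) throws Exception {
        Server server = new Server();

        // Server-side factory: this is the class the Jetty error message
        // recommends instead of the base SslContextFactory.
        SslContextFactory.Server ssl = new SslContextFactory.Server();
        ssl.setKeyStorePath("keystore.p12");      // placeholder path
        ssl.setKeyStoreType("PKCS12");
        ssl.setKeyStorePassword("changeit");      // placeholder password
        ssl.setKeyManagerPassword("changeit");    // PKCS12 key password equals store password

        // Mark requests on this connector as secure so the servlet API
        // reports https and the correct port.
        HttpConfiguration httpsConfig = new HttpConfiguration();
        httpsConfig.setSecureScheme("https");
        httpsConfig.setSecurePort(8443);
        httpsConfig.addCustomizer(new SecureRequestCustomizer());

        // TLS first, then HTTP/1.1 on top of the decrypted stream.
        ServerConnector https = new ServerConnector(server,
                new SslConnectionFactory(ssl, "http/1.1"),
                new HttpConnectionFactory(httpsConfig));
        https.setPort(8443);

        server.addConnector(https);
        server.start();
        server.join();
    }
}
```

Before blaming the certificate, it is worth confirming what the keystore actually contains: `keytool -list -v -keystore keystore.p12 -storetype PKCS12` prints every alias together with each certificate's Subject Alternative Name extension, which makes it easy to see whether there is one keypair with several DNS names (the situation described in this thread) or genuinely several keypairs.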

urbim commented 3 years ago

Thanks! I will check it out.

urbim commented 3 years ago

Hi!

I fixed the issue in #191. The project you provided now starts without problems. Could you build the branch yourself and check if the issue is solved on the original project too?

danpfe commented 3 years ago

Yes, now it worked. 👍 Now the big question, do you know when this is gonna be released? I've been holding back pushing an update to my application to production for a while now since I couldn't SSL the traffic.

MBJuric commented 3 years ago

Hi Daniel, we will make a new release next week. BR, Matjaz