streamnative / pulsar-archived

Apache Pulsar - distributed pub-sub messaging system
https://pulsar.apache.org
Apache License 2.0

ISSUE-13070: Pulsar Broker: Enable EC256 Support for WebService #3345

Open sijie opened 3 years ago

sijie commented 3 years ago

Original Issue: apache/pulsar#13070


Is your feature request related to a problem? Please describe.

Let's Encrypt creates default certificates with EC256; unfortunately, when starting the Broker Service, it fails with the information that the version of the certificate is 0.

When deploying RSA4096 Certificates it works flawlessly.

Also, when disabling only the webServicePortTls but leaving brokerServicePortTls enabled, the service is able to start.

I've checked the documentation, where it lists that the key should only be in PKCS8 format, but this is not needed.

Describe the solution you'd like

Broker Service is able to start with EC256 certificates.

Describe alternatives you've considered

As mentioned, with RSA4096 I'm able to start the service.

Additional context

Trying to start with ec256 (not reformatted as pkcs8)

java.security.KeyManagementException: Private key loading error
    at org.apache.pulsar.common.util.SecurityUtility.loadPrivateKeyFromPemStream(SecurityUtility.java:468) ~[org.apache.pulsar-pulsar-common-2.8.1.jar:2.8.1]
    at org.apache.pulsar.common.util.SecurityUtility.loadPrivateKeyFromPemFile(SecurityUtility.java:432) ~[org.apache.pulsar-pulsar-common-2.8.1.jar:2.8.1]
    at org.apache.pulsar.common.util.SecurityUtility.createSslContext(SecurityUtility.java:205) ~[org.apache.pulsar-pulsar-common-2.8.1.jar:2.8.1]
    at org.apache.pulsar.common.util.DefaultSslContextBuilder.update(DefaultSslContextBuilder.java:48) ~[org.apache.pulsar-pulsar-common-2.8.1.jar:2.8.1]
    at org.apache.pulsar.common.util.DefaultSslContextBuilder.update(DefaultSslContextBuilder.java:27) ~[org.apache.pulsar-pulsar-common-2.8.1.jar:2.8.1]
    at org.apache.pulsar.common.util.SslContextAutoRefreshBuilder.get(SslContextAutoRefreshBuilder.java:79) [org.apache.pulsar-pulsar-common-2.8.1.jar:2.8.1]
    at org.apache.pulsar.common.util.SecurityUtility$SslContextFactoryWithAutoRefresh.getSslContext(SecurityUtility.java:557) [org.apache.pulsar-pulsar-common-2.8.1.jar:2.8.1]
    at org.eclipse.jetty.util.ssl.SslContextFactory.newSSLEngine(SslContextFactory.java:1903) [org.eclipse.jetty-jetty-util-9.4.42.v20210604.jar:9.4.42.v20210604]
    at org.eclipse.jetty.server.SslConnectionFactory.doStart(SslConnectionFactory.java:99) [org.eclipse.jetty-jetty-server-9.4.42.v20210604.jar:9.4.42.v20210604]
    at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:73) [org.eclipse.jetty-jetty-util-9.4.42.v20210604.jar:9.4.42.v20210604]
    at org.eclipse.jetty.util.component.ContainerLifeCycle.start(ContainerLifeCycle.java:169) [org.eclipse.jetty-jetty-util-9.4.42.v20210604.jar:9.4.42.v20210604]
    at org.eclipse.jetty.util.component.ContainerLifeCycle.doStart(ContainerLifeCycle.java:117) [org.eclipse.jetty-jetty-util-9.4.42.v20210604.jar:9.4.42.v20210604]
    at org.eclipse.jetty.server.AbstractConnector.doStart(AbstractConnector.java:321) [org.eclipse.jetty-jetty-server-9.4.42.v20210604.jar:9.4.42.v20210604]
    at org.eclipse.jetty.server.AbstractNetworkConnector.doStart(AbstractNetworkConnector.java:81) [org.eclipse.jetty-jetty-server-9.4.42.v20210604.jar:9.4.42.v20210604]
    at org.eclipse.jetty.server.ServerConnector.doStart(ServerConnector.java:234) [org.eclipse.jetty-jetty-server-9.4.42.v20210604.jar:9.4.42.v20210604]
    at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:73) [org.eclipse.jetty-jetty-util-9.4.42.v20210604.jar:9.4.42.v20210604]
    at org.eclipse.jetty.server.Server.doStart(Server.java:401) [org.eclipse.jetty-jetty-server-9.4.42.v20210604.jar:9.4.42.v20210604]
    at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:73) [org.eclipse.jetty-jetty-util-9.4.42.v20210604.jar:9.4.42.v20210604]
    at org.apache.pulsar.broker.web.WebService.start(WebService.java:242) [org.apache.pulsar-pulsar-broker-2.8.1.jar:2.8.1]
    at org.apache.pulsar.broker.PulsarService.start(PulsarService.java:689) [org.apache.pulsar-pulsar-broker-2.8.1.jar:2.8.1]
    at org.apache.pulsar.PulsarBrokerStarter$BrokerStarter.start(PulsarBrokerStarter.java:259) [org.apache.pulsar-pulsar-broker-2.8.1.jar:2.8.1]
    at org.apache.pulsar.PulsarBrokerStarter.main(PulsarBrokerStarter.java:331) [org.apache.pulsar-pulsar-broker-2.8.1.jar:2.8.1]
Caused by: java.security.spec.InvalidKeySpecException: java.security.InvalidKeyException: IOException : version mismatch: (supported: 00, parsed: 01
    at sun.security.rsa.RSAKeyFactory.engineGeneratePrivate(RSAKeyFactory.java:252) ~[?:1.8.0_312]
    at java.security.KeyFactory.generatePrivate(KeyFactory.java:372) ~[?:1.8.0_312]
    at org.apache.pulsar.common.util.SecurityUtility.loadPrivateKeyFromPemStream(SecurityUtility.java:466) ~[org.apache.pulsar-pulsar-common-2.8.1.jar:2.8.1]
    ... 21 more
Caused by: java.security.InvalidKeyException: IOException : version mismatch: (supported: 00, parsed: 01
    at sun.security.pkcs.PKCS8Key.decode(PKCS8Key.java:351) ~[?:1.8.0_312]
    at sun.security.pkcs.PKCS8Key.decode(PKCS8Key.java:356) ~[?:1.8.0_312]
    at sun.security.rsa.RSAPrivateCrtKeyImpl.<init>(RSAPrivateCrtKeyImpl.java:130) ~[?:1.8.0_312]
    at sun.security.rsa.RSAPrivateCrtKeyImpl.newKey(RSAPrivateCrtKeyImpl.java:80) ~[?:1.8.0_312]
    at sun.security.rsa.RSAKeyFactory.generatePrivate(RSAKeyFactory.java:357) ~[?:1.8.0_312]
    at sun.security.rsa.RSAKeyFactory.engineGeneratePrivate(RSAKeyFactory.java:248) ~[?:1.8.0_312]
    at java.security.KeyFactory.generatePrivate(KeyFactory.java:372) ~[?:1.8.0_312]
    at org.apache.pulsar.common.util.SecurityUtility.loadPrivateKeyFromPemStream(SecurityUtility.java:466) ~[org.apache.pulsar-pulsar-common-2.8.1.jar:2.8.1]

Error Reformatted as PKCS8

java.security.KeyManagementException: Private key loading error
    at org.apache.pulsar.common.util.SecurityUtility.loadPrivateKeyFromPemStream(SecurityUtility.java:468) ~[org.apache.pulsar-pulsar-common-2.8.1.jar:2.8.1]
    at org.apache.pulsar.common.util.SecurityUtility.loadPrivateKeyFromPemFile(SecurityUtility.java:432) ~[org.apache.pulsar-pulsar-common-2.8.1.jar:2.8.1]
    at org.apache.pulsar.common.util.SecurityUtility.createSslContext(SecurityUtility.java:205) ~[org.apache.pulsar-pulsar-common-2.8.1.jar:2.8.1]
    at org.apache.pulsar.common.util.DefaultSslContextBuilder.update(DefaultSslContextBuilder.java:48) ~[org.apache.pulsar-pulsar-common-2.8.1.jar:2.8.1]
    at org.apache.pulsar.common.util.DefaultSslContextBuilder.update(DefaultSslContextBuilder.java:27) ~[org.apache.pulsar-pulsar-common-2.8.1.jar:2.8.1]
    at org.apache.pulsar.common.util.SslContextAutoRefreshBuilder.get(SslContextAutoRefreshBuilder.java:79) [org.apache.pulsar-pulsar-common-2.8.1.jar:2.8.1]
    at org.apache.pulsar.common.util.SecurityUtility$SslContextFactoryWithAutoRefresh.getSslContext(SecurityUtility.java:557) [org.apache.pulsar-pulsar-common-2.8.1.jar:2.8.1]
    at org.eclipse.jetty.util.ssl.SslContextFactory.newSSLEngine(SslContextFactory.java:1903) [org.eclipse.jetty-jetty-util-9.4.42.v20210604.jar:9.4.42.v20210604]
    at org.eclipse.jetty.server.SslConnectionFactory.doStart(SslConnectionFactory.java:99) [org.eclipse.jetty-jetty-server-9.4.42.v20210604.jar:9.4.42.v20210604]
    at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:73) [org.eclipse.jetty-jetty-util-9.4.42.v20210604.jar:9.4.42.v20210604]
    at org.eclipse.jetty.util.component.ContainerLifeCycle.start(ContainerLifeCycle.java:169) [org.eclipse.jetty-jetty-util-9.4.42.v20210604.jar:9.4.42.v20210604]
    at org.eclipse.jetty.util.component.ContainerLifeCycle.doStart(ContainerLifeCycle.java:117) [org.eclipse.jetty-jetty-util-9.4.42.v20210604.jar:9.4.42.v20210604]
    at org.eclipse.jetty.server.AbstractConnector.doStart(AbstractConnector.java:321) [org.eclipse.jetty-jetty-server-9.4.42.v20210604.jar:9.4.42.v20210604]
    at org.eclipse.jetty.server.AbstractNetworkConnector.doStart(AbstractNetworkConnector.java:81) [org.eclipse.jetty-jetty-server-9.4.42.v20210604.jar:9.4.42.v20210604]
    at org.eclipse.jetty.server.ServerConnector.doStart(ServerConnector.java:234) [org.eclipse.jetty-jetty-server-9.4.42.v20210604.jar:9.4.42.v20210604]
    at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:73) [org.eclipse.jetty-jetty-util-9.4.42.v20210604.jar:9.4.42.v20210604]
    at org.eclipse.jetty.server.Server.doStart(Server.java:401) [org.eclipse.jetty-jetty-server-9.4.42.v20210604.jar:9.4.42.v20210604]
    at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:73) [org.eclipse.jetty-jetty-util-9.4.42.v20210604.jar:9.4.42.v20210604]
    at org.apache.pulsar.broker.web.WebService.start(WebService.java:242) [org.apache.pulsar-pulsar-broker-2.8.1.jar:2.8.1]
    at org.apache.pulsar.broker.PulsarService.start(PulsarService.java:689) [org.apache.pulsar-pulsar-broker-2.8.1.jar:2.8.1]
    at org.apache.pulsar.PulsarBrokerStarter$BrokerStarter.start(PulsarBrokerStarter.java:259) [org.apache.pulsar-pulsar-broker-2.8.1.jar:2.8.1]
    at org.apache.pulsar.PulsarBrokerStarter.main(PulsarBrokerStarter.java:331) [org.apache.pulsar-pulsar-broker-2.8.1.jar:2.8.1]
Caused by: java.security.spec.InvalidKeySpecException: java.security.InvalidKeyException: Invalid RSA private key
    at sun.security.rsa.RSAKeyFactory.engineGeneratePrivate(RSAKeyFactory.java:252) ~[?:1.8.0_312]
    at java.security.KeyFactory.generatePrivate(KeyFactory.java:372) ~[?:1.8.0_312]
    at org.apache.pulsar.common.util.SecurityUtility.loadPrivateKeyFromPemStream(SecurityUtility.java:466) ~[org.apache.pulsar-pulsar-common-2.8.1.jar:2.8.1]
    ... 21 more
Caused by: java.security.InvalidKeyException: Invalid RSA private key
    at sun.security.rsa.RSAPrivateCrtKeyImpl.parseKeyBits(RSAPrivateCrtKeyImpl.java:285) ~[?:1.8.0_312]
    at sun.security.pkcs.PKCS8Key.decode(PKCS8Key.java:343) ~[?:1.8.0_312]
    at sun.security.pkcs.PKCS8Key.decode(PKCS8Key.java:356) ~[?:1.8.0_312]
    at sun.security.rsa.RSAPrivateCrtKeyImpl.<init>(RSAPrivateCrtKeyImpl.java:130) ~[?:1.8.0_312]
    at sun.security.rsa.RSAPrivateCrtKeyImpl.newKey(RSAPrivateCrtKeyImpl.java:80) ~[?:1.8.0_312]
    at sun.security.rsa.RSAKeyFactory.generatePrivate(RSAKeyFactory.java:357) ~[?:1.8.0_312]
    at sun.security.rsa.RSAKeyFactory.engineGeneratePrivate(RSAKeyFactory.java:248) ~[?:1.8.0_312]
    at java.security.KeyFactory.generatePrivate(KeyFactory.java:372) ~[?:1.8.0_312]
    at org.apache.pulsar.common.util.SecurityUtility.loadPrivateKeyFromPemStream(SecurityUtility.java:466) ~[org.apache.pulsar-pulsar-common-2.8.1.jar:2.8.1]
    ... 21 more
Caused by: java.io.IOException: Version must be 0
    at sun.security.rsa.RSAPrivateCrtKeyImpl.parseKeyBits(RSAPrivateCrtKeyImpl.java:263) ~[?:1.8.0_312]
    at sun.security.pkcs.PKCS8Key.decode(PKCS8Key.java:343) ~[?:1.8.0_312]
    at sun.security.pkcs.PKCS8Key.decode(PKCS8Key.java:356) ~[?:1.8.0_312]
    at sun.security.rsa.RSAPrivateCrtKeyImpl.<init>(RSAPrivateCrtKeyImpl.java:130) ~[?:1.8.0_312]
    at sun.security.rsa.RSAPrivateCrtKeyImpl.newKey(RSAPrivateCrtKeyImpl.java:80) ~[?:1.8.0_312]
    at sun.security.rsa.RSAKeyFactory.generatePrivate(RSAKeyFactory.java:357) ~[?:1.8.0_312]
    at sun.security.rsa.RSAKeyFactory.engineGeneratePrivate(RSAKeyFactory.java:248) ~[?:1.8.0_312]
    at java.security.KeyFactory.generatePrivate(KeyFactory.java:372) ~[?:1.8.0_312]
    at org.apache.pulsar.common.util.SecurityUtility.loadPrivateKeyFromPemStream(SecurityUtility.java:466) ~[org.apache.pulsar-pulsar-common-2.8.1.jar:2.8.1]

Pulsar Broker Throws Error with: Version must be 0
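
Added example, not code from Pulsar or from the issue author: both traces above end in `sun.security.rsa.RSAKeyFactory`, meaning the key bytes were handed to an RSA `KeyFactory`. The sketch below reproduces that mismatch with a freshly generated P-256 key in PKCS#8 form and shows a loader that falls back to the EC factory; the class and method names are hypothetical, and only standard JCA calls are used.

```java
import java.security.GeneralSecurityException;
import java.security.KeyFactory;
import java.security.KeyPairGenerator;
import java.security.PrivateKey;
import java.security.spec.ECGenParameterSpec;
import java.security.spec.InvalidKeySpecException;
import java.security.spec.PKCS8EncodedKeySpec;

// Hypothetical demo class; not part of the Pulsar code base.
public class Pkcs8KeyAlgorithmDemo {

    // Try each key algorithm in turn. A PKCS#8 blob carries its own
    // AlgorithmIdentifier, so exactly one factory should accept it.
    static PrivateKey loadPkcs8(byte[] der) throws GeneralSecurityException {
        PKCS8EncodedKeySpec spec = new PKCS8EncodedKeySpec(der);
        InvalidKeySpecException last = null;
        for (String algorithm : new String[] {"RSA", "EC"}) {
            try {
                return KeyFactory.getInstance(algorithm).generatePrivate(spec);
            } catch (InvalidKeySpecException e) {
                last = e; // wrong factory for this key type, try the next one
            }
        }
        throw last;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample input: a throwaway P-256 ("EC256") key.
        KeyPairGenerator gen = KeyPairGenerator.getInstance("EC");
        gen.initialize(new ECGenParameterSpec("secp256r1"));
        byte[] der = gen.generateKeyPair().getPrivate().getEncoded(); // PKCS#8 DER

        // Same failure class as in the traces: RSA factory given an EC key.
        try {
            KeyFactory.getInstance("RSA").generatePrivate(new PKCS8EncodedKeySpec(der));
            System.out.println("unexpected: RSA factory accepted an EC key");
        } catch (InvalidKeySpecException e) {
            System.out.println("RSA factory rejected EC key: " + e.getMessage());
        }

        // The fallback loader picks the EC factory and succeeds.
        PrivateKey key = loadPkcs8(der);
        System.out.println("Loaded key algorithm: " + key.getAlgorithm());
    }
}
```

The fallback only helps for PKCS#8 input; a SEC1 `EC PRIVATE KEY` file, as in the first trace, still has to be converted to PKCS#8 before `PKCS8EncodedKeySpec` can read it.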

github-actions[bot] commented 2 years ago

The issue had no activity for 30 days, mark with Stale label.