10 Replies Latest reply on Nov 10, 2015 10:14 AM by Tomaz Cerar Branched to a new discussion.

    Problem using SSL in Wildfly

    Stefan Raabe Newbie

      I follow the instruction in the wildfly 8.0.0 Beta1 documentation to insert SSL Certificat, but every time i start the server i got Nullpoint. But that only if i use alias="" in keystore tag.

      On the other side if i leave alias i got ssl_error_no_cypher_overlap if i connect to the https connection.

       

      <security-realm name="testSSLRealm">

                      <server-identities>

                          <ssl>

                              <keystore path="../standalone/configuration/something.keystore" relative-to="jboss.server.config.dir" keystore-password="pwd" alias="tdnght" key-password="pwd" />

                          </ssl>

                      </server-identities>

              <authentication>

       

      and subsystem in the server tag

       

      <https-listener name="https" socket-binding="https" security-realm="testSSLRealm" />

       

      Hopefully some of you have an idea. Thanks in advance.

        • 1. Re: Problem using SSL in Wildfly
          Stefan Raabe Newbie

          That is the error:

           

          ERROR [org.jboss.msc.service.fail] (MSC service thread 1-1) MSC000001: Failed to start service jboss.server.controller.management.security_realm.testSSLRealm.keystore: org.jboss.msc.service.StartException in service jboss.server.controller.management.security_realm.testSSLRealm.keystore: Failed to start service

              at org.jboss.msc.service.ServiceControllerImpl$StartTask.run(ServiceControllerImpl.java:1900) [jboss-msc-1.2.0.Beta2.jar:1.2.0.Beta2]

              at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145) [rt.jar:1.7.0_13]

              at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615) [rt.jar:1.7.0_13]

              at java.lang.Thread.run(Thread.java:722) [rt.jar:1.7.0_13]

          Caused by: java.lang.NullPointerException: invalid null input

              at java.security.KeyStore.setEntry(KeyStore.java:1321) [rt.jar:1.7.0_13]

              at org.jboss.as.domain.management.security.FileKeystore.load(FileKeystore.java:106)

              at org.jboss.as.domain.management.security.FileKeystoreService.start(FileKeystoreService.java:60)

              at org.jboss.msc.service.ServiceControllerImpl$StartTask.startService(ServiceControllerImpl.java:1944) [jboss-msc-1.2.0.Beta2.jar:1.2.0.Beta2]

              at org.jboss.msc.service.ServiceControllerImpl$StartTask.run(ServiceControllerImpl.java:1877) [jboss-msc-1.2.0.Beta2.jar:1.2.0.Beta2]

              ... 3 more

          • 2. Re: Problem using SSL in Wildfly
            Darran Lofthouse Master

            I believe there is a bug here but possibly caused by a bad config.

             

            Could you please list the contents of the keystore, we need to verify that the alias you are specifying is a valid alias - from the stack I am suspecting maybe not, or maybe it is only an alias to a certificate and not the private key.

            • 3. Re: Problem using SSL in Wildfly
              Stefan Raabe Newbie

              Hopefully that helps. The same keystore was still working in tomcat. Thanks.

               

              Keystore type: JKS

              Keystore provider: SUN

               

              Your keystore contains 4 entries

               

              tdnght, Dec 2, 2013, trustedCertEntry,

              Certificate fingerprint (SHA1): AA:D4:3E:7B:37:57:A2:FA:48:39:62:28:0D:C3:BD:81:A7:C5:01:82

              comodosslca, Dec 2, 2013, trustedCertEntry,

              Certificate fingerprint (SHA1): B4:C6:61:80:C5:20:BA:D6:88:47:0E:F8:0B:B2:2B:EB:A8:39:1C:22

              server, Dec 2, 2013, PrivateKeyEntry,

              Certificate fingerprint (SHA1): 23:20:A1:2D:01:87:7E:58:15:C8:C0:C5:C4:CE:E1:E9:2B:E1:F8:BF

              addtrustexternalcaroot, Dec 2, 2013, trustedCertEntry,

              Certificate fingerprint (SHA1): 02:FA:F3:E2:91:43:54:68:60:78:57:69:4D:F5:E4:5B:68:85:18:68

              • 4. Re: Problem using SSL in Wildfly
                François Hertay Newbie

                As pointed by Darran, the alias you are providing is a trusted cert entry not a private key entry.  There is only one private key entry (which is some how logical for this case), you should use the alias 'server'.

                • 5. Re: Problem using SSL in Wildfly
                  Stefan Raabe Newbie

                  I'm not really in that topic. Every time if I'm using an alias="" it shows me on start a null pointer error. That confuse me.

                  Here as follows is the original configuration part from tomcat(that was working for month ;-) ):

                   

                  <Connector port="443" protocol="org.apache.coyote.http11.Http11NioProtocol" maxHttpHeaderSize="8192" maxThreads="150"

                      minSpareThreads="25" enableLookups="false" disableUploadTimeout="true"

                      acceptCount="100" scheme="https" secure="true" SSLEnabled="true" clientAuth="false"

                      keystoreFile="/usr/share/tomcat7/ssl/something.keystore" keyPass="pwd123" />

                   

                  It is yet not really important, but later i would like to use a SSL certificate.

                  • 6. Re: Problem using SSL in Wildfly
                    Darran Lofthouse Master

                    When you set alias="" what you are saying is that the key should be selected using an alias and that alias is a zero length String - I will update WildFly so that the String has a minimum length of 1.

                     

                    For now if there is only a single private key in the store you can completely omit the alias attribute.

                    • 7. Re: Problem using SSL in Wildfly
                      Darran Lofthouse Master

                      After testing this, the error you report does not seem possible when setting the alias to an empty String, instead start up is aborted with a valid error message saying that at least one character is required.

                       

                      The NullPointerException is being caused because the alias you specify is the alias of the certificate and not the private key, for the server side of this connection you need to be pointing to the private key - i.e. that is the key that the server will use for encryption, the certificate is only applicable on the client side to verify that the corresponding private key was used.

                      • 8. Re: Problem using SSL in Wildfly
                        Stefan Raabe Newbie

                        Yes it is still working also with a trusted certificate. Important is the correct order to import everything. Thanks a lot and sorry.

                        • 9. Re: Problem using SSL in Wildfly
                          Francesco Esposito Newbie

                          Hello Stefan,

                          sorry , can you help me ?

                          I'm using WildFly  8.2.1 Final .
                          I have a problem to load protocol="org.apache.coyote.http11.Http11NioProtocol" can you help me ? 

                          Can you explain me how load Http11Protocol and load on standalone.xml?

                          Tnk's

                          Francesco

                          • 10. Re: Problem using SSL in Wildfly
                            Tomaz Cerar Master

                            Francesco Esposito wrote:

                             

                            Hello Stefan,

                            sorry , can you help me ?

                            I'm using WildFly  8.2.1 Final .
                            I have a problem to load protocol="org.apache.coyote.http11.Http11NioProtocol" can you help me ?

                            Can you explain me how load Http11Protocol and load on standalone.xml?

                            Tnk's

                            Francesco

                            Why would you even need that?

                            WildFly 8+ doesn't use jbossweb(fork of tomcat) anymore as web server, but undertow, so any tomcat related properties don't apply anymore.

                            Undertow NIO based server in its core, so you by default get nio impl of the all listeners