java ssl spring-boot jce cloudcaptain

Spring Boot app does not start due to SSL error on Boxfuse Dev VM


I have a Spring Boot application with the following SSL configuration:

application.yml

server:
  port: 443
  ssl:
    key-store: classpath:keys/${BOXFUSE_ENV}.p12
    key-store-type: PKCS12
    key-alias: mydomain.com
    key-store-password: ${X_KEYSTORE_PASSWORD}

The correct environment-specific keystores are present in the classpath and accessible after launch, which has been verified by a manual launch from the console with the following PowerShell script:

dev.ps1

$env:BOXFUSE_ENV="dev"
$env:X_KEYSTORE_PASSWORD="correctpassword"

java -jar target\myapp-1.0.0.12314.jar

After a manual start, the application launches successfully at localhost and is available in both production and dev mode with the correct certificates. Now I try to launch it in PowerShell as a Boxfuse app with the following command:

boxfuse run target\myapp-1.0.0.12314.jar -env=dev "-envvars.X_KEYSTORE_PASSWORD=correctpassword"

App fails to start with this stacktrace:

vb-c2b995f3 -> 2016-11-17 15:31:56.659 ERROR 636 --- [           main] o.apache.catalina.core.StandardService   : Failed to start connector [Connector[HTTP/1.1-443]]
vb-c2b995f3 ->
vb-c2b995f3 -> org.apache.catalina.LifecycleException: Failed to start component [Connector[HTTP/1.1-443]]
vb-c2b995f3 ->  at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:158)
vb-c2b995f3 ->  at org.apache.catalina.core.StandardService.addConnector(StandardService.java:225)
vb-c2b995f3 ->  at org.springframework.boot.context.embedded.tomcat.TomcatEmbeddedServletContainer.addPreviouslyRemovedConnectors(TomcatEmbeddedServletContainer.java:234)
...
vb-c2b995f3 -> Caused by: java.lang.IllegalArgumentException: java.io.IOException: DerInputStream.getLength(): lengthTag=109, too big.
vb-c2b995f3 ->  at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:103)
vb-c2b995f3 ->  at org.apache.tomcat.util.net.AbstractJsseEndpoint.initialiseSsl(AbstractJsseEndpoint.java:81)
...
vb-c2b995f3 -> Caused by: java.io.IOException: DerInputStream.getLength(): lengthTag=109, too big.
vb-c2b995f3 ->  at sun.security.util.DerInputStream.getLength(DerInputStream.java:561)
vb-c2b995f3 ->  at sun.security.util.DerValue.init(DerValue.java:365)
vb-c2b995f3 ->  at sun.security.util.DerValue.<init>(DerValue.java:320)
vb-c2b995f3 ->  at sun.security.pkcs12.PKCS12KeyStore.engineLoad(PKCS12KeyStore.java:1914)

What makes such a big difference between the two ways to launch the app? How can I fix it?

UPD: the issue was solved by converting the keystores to JKS format and setting key-store-type to PKCS12.

UPD2: the root cause of the issue is here: https://bz.apache.org/bugzilla/show_bug.cgi?id=60450


Solution

  • The key length could point to JDK unlimited strength crypto which may need to be enabled. See https://cloudcaptain.sh/docs/payloads/springboot#jce
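
An added diagnostic, not part of the original question or answer: it classifies a keystore file by its leading bytes and reproduces the `lengthTag` figure from the trace, which in the JDK 8 DER parser is the low seven bits of a long-form length octet. 109 (0x6D) is what the second byte of the JKS magic number `FE ED FE ED` yields when the file is parsed as PKCS12. The sample headers are constructed and the function names are hypothetical.

```python
import sys

# Magic numbers of the Java-native keystore formats.
MAGICS = {bytes.fromhex("feedfeed"): "JKS", bytes.fromhex("cececece"): "JCEKS"}

# Constructed sample headers (not taken from the page's keystores).
JKS_HEAD = bytes.fromhex("feedfeed00000002")  # magic + format version 2
P12_HEAD = bytes.fromhex("308209f0020103")    # SEQUENCE, 2-octet length, INTEGER 3


def der_length_tag(length_octet):
    """For a long-form DER length octet, return the number of length octets
    that follow (the figure reported as lengthTag); None for short form."""
    if length_octet & 0x80 == 0:
        return None
    return length_octet & 0x7F


def classify(head):
    """Guess the container format from the first bytes of a keystore file."""
    if len(head) < 4:
        return "too short"
    for magic, name in MAGICS.items():
        if head.startswith(magic):
            return name
    if head.startswith(b"-----BEGIN"):
        return "PEM text"
    tag = der_length_tag(head[1])
    if head[0] == 0x30 and (tag is None or tag <= 4):
        return "PKCS12 candidate"  # outer DER/BER SEQUENCE with a sane length
    return "unknown"


def as_pkcs12(head):
    """Describe what a DER parser makes of these bytes when told PKCS12."""
    kind = classify(head)
    if kind == "PKCS12 candidate":
        return f"{kind}: DER header accepted"
    if kind == "too short":
        return kind
    tag = der_length_tag(head[1])
    if tag is not None and tag > 4:
        return f"{kind}: length octet 0x{head[1]:02x} gives lengthTag={tag}, too big"
    return f"{kind}: not a PKCS12 header"


if __name__ == "__main__":
    # With path arguments, inspect those files; otherwise show the samples.
    heads = [open(p, "rb").read(8) for p in sys.argv[1:]] or [JKS_HEAD, P12_HEAD]
    for head in heads:
        print(head.hex(), "->", as_pkcs12(head))
```

Run it against every store the connector may open in the failing environment, not only the `.p12` named in `key-store`, since the check only tells you the format of the file it is given.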