I have a RESTful netty server that will provide some data to users that request. I would like to secure this server using an SSL Certificate generated from Let's Encrypt.
I currently have this for my ChannelInitializer, where CHAIN_FILE is a file reference to fullchain.pem and PRIVATE_FILE is a file reference to privkey.pem.
ChannelPipeline pipeline = channel.pipeline();
SslContext sslContext = SslContextBuilder.forServer(CHAIN_FILE, PRIVATE_FILE).build();
pipeline.addLast("ssl", sslContext.newHandler(channel.alloc()));
pipeline.addLast(new HttpServerCodec()); // A combination of HttpRequestDecoder and HttpResponseEncoder which enables easier server side HTTP implementation.
pipeline.addLast(new HttpObjectAggregator(Integer.MAX_VALUE)); // Aggregates HttpMessage and HttpContents into a single FullHttpResponse/FullHttpRequest
pipeline.addLast(new HttpServerHandler()); // Handles incoming HttpRequests
Whenever I try to make a request to the server I get an error:
[io.netty.channel.DefaultChannelPipeline] An exceptionCaught() event was fired, and it reached at the tail of the pipeline. It usually means the last handler in the pipeline did not handle the exception.
io.netty.handler.codec.DecoderException: io.netty.handler.ssl.NotSslRecordException: not an SSL/TLS record: 474554202f20485454502f312e310d0a486f73743a206c6f63616c686f73740d0a436f6e6e656374696f6e3a206b6565702d616c6976650d0a43616368652d436f6e74726f6c3a206d61782d6167653d300d0a7365632d63682d75613a2022476f6f676c65204368726f6d65223b763d223839222c20224368726f6d69756d223b763d223839222c20223b4e6f742041204272616e64223b763d223939220d0a7365632d63682d75612d6d6f62696c653a203f300d0a557067726164652d496e7365637572652d52657175657374733a20310d0a557365722d4167656e743a204d6f7a696c6c612f352e30202857696e646f7773204e542031302e303b2057696e36343b2078363429204170706c655765624b69742f3533372e333620284b48544d4c2c206c696b65204765636b6f29204368726f6d652f38392e302e343338392e313134205361666172692f3533372e33360d0a4163636570743a20746578742f68746d6c2c6170706c69636174696f6e2f7868746d6c2b786d6c2c6170706c69636174696f6e2f786d6c3b713d302e392c696d6167652f617669662c696d6167652f776562702c696d6167652f61706e672c2a2f2a3b713d302e382c6170706c69636174696f6e2f7369676e65642d65786368616e67653b763d62333b713d302e390d0a5365632d46657463682d536974653a206e6f6e650d0a5365632d46657463682d4d6f64653a206e617669676174650d0a5365632d46657463682d557365723a203f310d0a5365632d46657463682d446573743a20646f63756d656e740d0a4163636570742d456e636f64696e673a20677a69702c206465666c6174652c2062720d0a4163636570742d4c616e67756167653a20656e2d55532c656e3b713d302e390d0a436f6f6b69653a20696f3d414e444b736c6953336c6374366a4b47414141430d0a0d0a
at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:471) ~[PaperSpigot.jar:git-Paper-449]
at io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:276) ~[PaperSpigot.jar:git-Paper-449]
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:379) ~[PaperSpigot.jar:git-Paper-449]
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:365) ~[PaperSpigot.jar:git-Paper-449]
at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:357) ~[PaperSpigot.jar:git-Paper-449]
at io.netty.channel.DefaultChannelPipeline$HeadContext.channelRead(DefaultChannelPipeline.java:1410) ~[PaperSpigot.jar:git-Paper-449]
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:379) ~[PaperSpigot.jar:git-Paper-449]
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:365) ~[PaperSpigot.jar:git-Paper-449]
at io.netty.channel.DefaultChannelPipeline.fireChannelRead(DefaultChannelPipeline.java:919) ~[PaperSpigot.jar:git-Paper-449]
at io.netty.channel.nio.AbstractNioByteChannel$NioByteUnsafe.read(AbstractNioByteChannel.java:163) ~[PaperSpigot.jar:git-Paper-449]
at io.netty.channel.nio.NioEventLoop.processSelectedKey(NioEventLoop.java:714) ~[PaperSpigot.jar:git-Paper-449]
at io.netty.channel.nio.NioEventLoop.processSelectedKeysOptimized(NioEventLoop.java:650) ~[PaperSpigot.jar:git-Paper-449]
at io.netty.channel.nio.NioEventLoop.processSelectedKeys(NioEventLoop.java:576) ~[PaperSpigot.jar:git-Paper-449]
at io.netty.channel.nio.NioEventLoop.run(NioEventLoop.java:493) ~[PaperSpigot.jar:git-Paper-449]
at io.netty.util.concurrent.SingleThreadEventExecutor$4.run(SingleThreadEventExecutor.java:989) ~[PaperSpigot.jar:git-Paper-449]
at io.netty.util.internal.ThreadExecutorMap$2.run(ThreadExecutorMap.java:74) ~[PaperSpigot.jar:git-Paper-449]
at io.netty.util.concurrent.FastThreadLocalRunnable.run(FastThreadLocalRunnable.java:30) ~[PaperSpigot.jar:git-Paper-449]
at java.lang.Thread.run(Thread.java:834) [?:?]
Caused by: io.netty.handler.ssl.NotSslRecordException: not an SSL/TLS record: 474554202f20485454502f312e310d0a486f73743a206c6f63616c686f73740d0a436f6e6e656374696f6e3a206b6565702d616c6976650d0a43616368652d436f6e74726f6c3a206d61782d6167653d300d0a7365632d63682d75613a2022476f6f676c65204368726f6d65223b763d223839222c20224368726f6d69756d223b763d223839222c20223b4e6f742041204272616e64223b763d223939220d0a7365632d63682d75612d6d6f62696c653a203f300d0a557067726164652d496e7365637572652d52657175657374733a20310d0a557365722d4167656e743a204d6f7a696c6c612f352e30202857696e646f7773204e542031302e303b2057696e36343b2078363429204170706c655765624b69742f3533372e333620284b48544d4c2c206c696b65204765636b6f29204368726f6d652f38392e302e343338392e313134205361666172692f3533372e33360d0a4163636570743a20746578742f68746d6c2c6170706c69636174696f6e2f7868746d6c2b786d6c2c6170706c69636174696f6e2f786d6c3b713d302e392c696d6167652f617669662c696d6167652f776562702c696d6167652f61706e672c2a2f2a3b713d302e382c6170706c69636174696f6e2f7369676e65642d65786368616e67653b763d62333b713d302e390d0a5365632d46657463682d536974653a206e6f6e650d0a5365632d46657463682d4d6f64653a206e617669676174650d0a5365632d46657463682d557365723a203f310d0a5365632d46657463682d446573743a20646f63756d656e740d0a4163636570742d456e636f64696e673a20677a69702c206465666c6174652c2062720d0a4163636570742d4c616e67756167653a20656e2d55532c656e3b713d302e390d0a436f6f6b69653a20696f3d414e444b736c6953336c6374366a4b47414141430d0a0d0a
at io.netty.handler.ssl.SslHandler.decodeJdkCompatible(SslHandler.java:1246) ~[PaperSpigot.jar:git-Paper-449]
at io.netty.handler.ssl.SslHandler.decode(SslHandler.java:1314) ~[PaperSpigot.jar:git-Paper-449]
at io.netty.handler.codec.ByteToMessageDecoder.decodeRemovalReentryProtection(ByteToMessageDecoder.java:501) ~[PaperSpigot.jar:git-Paper-449]
at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:440) ~[PaperSpigot.jar:git-Paper-449]
... 17 more
I'm very new at webservers, so I can really only think of two things:
I probably don't need to secure this in the first place, but I would like to understand why this fails as I will most likely run into something similar in the future. Thanks in advance.
Edit:
Concision's suggestion was correct. My client was not requesting via HTTPS. The request is now accepted and returns results correctly, but the connection is still not secure due to a new error saying:
[04:43:38 WARN]: [io.netty.channel.DefaultChannelPipeline] An exceptionCaught() event was fired, and it reached at the tail of the pipeline. It usually means the last handler in the pipeline did not handle the exception.
io.netty.handler.codec.DecoderException: javax.net.ssl.SSLHandshakeException: Received fatal alert: certificate_unknown
at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:471) ~[PaperSpigot.jar:git-Paper-449]
at io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:276) ~[PaperSpigot.jar:git-Paper-449]
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:379) ~[PaperSpigot.jar:git-Paper-449]
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:365) ~[PaperSpigot.jar:git-Paper-449]
at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:357) ~[PaperSpigot.jar:git-Paper-449]
at io.netty.channel.DefaultChannelPipeline$HeadContext.channelRead(DefaultChannelPipeline.java:1410) ~[PaperSpigot.jar:git-Paper-449]
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:379) ~[PaperSpigot.jar:git-Paper-449]
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:365) ~[PaperSpigot.jar:git-Paper-449]
at io.netty.channel.DefaultChannelPipeline.fireChannelRead(DefaultChannelPipeline.java:919) ~[PaperSpigot.jar:git-Paper-449]
at io.netty.channel.epoll.AbstractEpollStreamChannel$EpollStreamUnsafe.epollInReady(AbstractEpollStreamChannel.java:792) ~[PaperSpigot.jar:git-Paper-449]
at io.netty.channel.epoll.EpollEventLoop.processReady(EpollEventLoop.java:475) ~[PaperSpigot.jar:git-Paper-449]
at io.netty.channel.epoll.EpollEventLoop.run(EpollEventLoop.java:378) ~[PaperSpigot.jar:git-Paper-449]
at io.netty.util.concurrent.SingleThreadEventExecutor$4.run(SingleThreadEventExecutor.java:989) ~[PaperSpigot.jar:git-Paper-449]
at io.netty.util.internal.ThreadExecutorMap$2.run(ThreadExecutorMap.java:74) ~[PaperSpigot.jar:git-Paper-449]
at io.netty.util.concurrent.FastThreadLocalRunnable.run(FastThreadLocalRunnable.java:30) ~[PaperSpigot.jar:git-Paper-449]
at java.lang.Thread.run(Thread.java:834) [?:?]
Caused by: javax.net.ssl.SSLHandshakeException: Received fatal alert: certificate_unknown
at sun.security.ssl.Alert.createSSLException(Alert.java:131) ~[?:?]
at sun.security.ssl.Alert.createSSLException(Alert.java:117) ~[?:?]
at sun.security.ssl.TransportContext.fatal(TransportContext.java:337) ~[?:?]
at sun.security.ssl.Alert$AlertConsumer.consume(Alert.java:293) ~[?:?]
at sun.security.ssl.TransportContext.dispatch(TransportContext.java:186) ~[?:?]
at sun.security.ssl.SSLTransport.decode(SSLTransport.java:171) ~[?:?]
at sun.security.ssl.SSLEngineImpl.decode(SSLEngineImpl.java:681) ~[?:?]
at sun.security.ssl.SSLEngineImpl.readRecord(SSLEngineImpl.java:636) ~[?:?]
at sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:454) ~[?:?]
at sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:433) ~[?:?]
at javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:637) ~[?:?]
at io.netty.handler.ssl.SslHandler$SslEngineType$3.unwrap(SslHandler.java:282) ~[PaperSpigot.jar:git-Paper-449]
at io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1372) ~[PaperSpigot.jar:git-Paper-449]
at io.netty.handler.ssl.SslHandler.decodeJdkCompatible(SslHandler.java:1267) ~[PaperSpigot.jar:git-Paper-449]
at io.netty.handler.ssl.SslHandler.decode(SslHandler.java:1314) ~[PaperSpigot.jar:git-Paper-449]
at io.netty.handler.codec.ByteToMessageDecoder.decodeRemovalReentryProtection(ByteToMessageDecoder.java:501) ~[PaperSpigot.jar:git-Paper-449]
at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:440) ~[PaperSpigot.jar:git-Paper-449]
... 15 more
Which leads me to believe that the arguments that I am passing to SslContextBuilder#forServer() are completely wrong. I am currently just passing the raw cert.pem and privkey.pem files that letsencrypt generated for me.
Made a few silly mistakes:
For one, my server was still pointing to port 80 (HTTP) instead of 443 (HTTPS). Also, I passing fullchain.pem instead of cert.pem as the first argument of the #forServer method.
As concision stated, the first error was due to my client trying to make a request through HTTP instead of HTTPS