
PCNS v4.4.1 Unable to replace the Default PowerChute SSL Certificate with an Enterprise CA signed one.


Solved
mc1903
Crewman

Hello,

 

I am struggling to replace the default SSL certificate on a newly deployed PCNS v4.4.1 VMware virtual appliance.

 

I have followed the Linux/Unix instructions in the appendix of the PowerChute Network Shutdown Security Handbook (990-91316A-001 / Publication Date: February, 2021), but I get the following error in the /opt/APC/PowerChute/group1/error.log when starting the PowerChute service.

 

 

FATAL Timer-2 com.apcc.m11.components.webserver.WebServerThread java.lang.IllegalStateException: KeyStores with multiple certificates are not supported on the base class org.eclipse.jetty.util.ssl.SslContextFactory. (Use org.eclipse.jetty.util.ssl.SslContextFactory$Server or org.eclipse.jetty.util.ssl.SslContextFactory$Client instead)
at org.eclipse.jetty.util.ssl.SslContextFactory.newSniX509ExtendedKeyManager(SslContextFactory.java:1283) - Start server exception:

 

 

The PCNS 'leaf' Enterprise CA signed certificate has 3 SAN entries - 1 IP address and 2 DNS names (the short host name and the FQDN).

There are 3 certificates in the chain. The leaf certificate above, the Intermediate signing CA and the Root CA. Both of these are Windows Server 2019 CAs. I signed the PCNS CSR with the "Webserver Template".

 

Searching for the error above returns a number of hits relating to jetty versions after 9.4.24 having this exact issue with multiple certificates in the chain and/or SAN entries in the leaf certificate. This version of PCNS is using jetty 9.4.35 (9 files with this version are in /opt/APC/PowerChute/group1/lib), so I think that is the cause of the problem.

I am confused why this was not picked up by your QA/testing, as most modern browsers require a SAN entry of the FQDN in order for the certificate to be validated/accepted. It's been a few years since the Common Name (CN) was accepted.

 

I don't have support as this is a testing environment, so I cannot open a ticket.

 

If there is anyone from the PCNS team that could offer some help I would gratefully accept it.

 

Thanks

M

 


Accepted Solutions
BillP
Administrator

@mc1903 

 

This is a known issue with the jetty. See https://opennms.discourse.group/t/jetty-with-ssl-throws-error-with-keystores-with-multiple-certifica...
https://issues.opennms.org/browse/NMS-12847

 

The solution is to not use SAN, downgrade the jetty as you did, or uninstall PCNS 4.4.1 and run PCNS 4.4 available here

https://schneider-electric.box.com/s/9u878j1ln1ftjmolqmsp0hwl2c0t99wr

 

The issue will be addressed in a future release.

mc1903
Crewman

I have managed to get this working by:

 

1) downgrading the 9 jetty-*-9.4.35.v20201120.jar files in /opt/APC/PowerChute/group1/lib to version 9.4.23.v20191118.jar (downloaded from here https://repo1.maven.org/maven2/org/eclipse/jetty/jetty-distribution/9.4.23.v20191118/)

 

and

 

2) creating my CSR with a single SAN entry (I used the FQDN).

 

Obviously I cannot run this in a production environment.

 

I opened a support case (84823365) referencing this forum post, asking for a PCNS product manager to take a look and feedback to the development team for consideration of a fix.

 

M

 


 

 

CSR Text:

 


 

 

mc1903
Crewman

Evening @BillP 

 

Thank you. It's good to hear that it will be addressed in a future release.

 

M

Rudios
Cadet

Is there any information when this newer version will be released?

I'm running version 4.4.1 as well and in the process of setting up SSL certificates for the installation.

But since I read just here that there are issues with this version I might wait for the next version if an updated release is coming up.
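
A pre-deployment check for the keystore properties this thread ties to the Jetty 9.4.35 start-up error (multiple certificates and/or SAN entries on the leaf), as an added example that is not part of any post and is not PowerChute or Jetty code. The class name KeystoreSummary is hypothetical, the keystore path is supplied by the reader, and which of the reported properties actually triggers the error is as the thread describes, not verified here.

```java
import java.io.Console;
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Collections;
import java.util.List;

// Added example, not PowerChute or Jetty code. Usage: java KeystoreSummary <keystore-path>
public class KeystoreSummary {
    // dNSName values (GeneralName type 2) from a certificate's subjectAltName extension.
    static List<String> dnsNames(X509Certificate cert) throws Exception {
        List<String> names = new ArrayList<>();
        Collection<List<?>> sans = cert.getSubjectAlternativeNames(); // null if no SAN extension
        if (sans != null) {
            for (List<?> san : sans) {
                if ((Integer) san.get(0) == 2) names.add((String) san.get(1));
            }
        }
        return names;
    }

    public static void main(String[] args) throws Exception {
        Console console = System.console(); // prompt so the password stays out of argv
        if (console == null) throw new IllegalStateException("run from an interactive terminal");
        char[] password = console.readPassword("Keystore password: ");
        // Default store type of the running JRE (JKS or PKCS12, depending on the Java version).
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (FileInputStream in = new FileInputStream(args[0])) {
            ks.load(in, password);
        }
        int keyEntries = 0, maxDnsNames = 0;
        for (String alias : Collections.list(ks.aliases())) {
            Certificate[] chain = ks.getCertificateChain(alias); // null unless the entry has a chain
            if (chain == null || chain.length == 0 || !(chain[0] instanceof X509Certificate)) {
                System.out.println(alias + ": no private key with an X.509 chain");
                continue;
            }
            keyEntries++;
            List<String> dns = dnsNames((X509Certificate) chain[0]);
            maxDnsNames = Math.max(maxDnsNames, dns.size());
            System.out.println(alias + ": key entry, chain length " + chain.length + ", DNS SANs " + dns);
        }
        // Totals to compare against the thread's description (multiple certificates / SAN entries).
        System.out.println("entries=" + ks.size() + " keyEntries=" + keyEntries
                + " maxDnsSans=" + maxDnsNames);
    }
}
```

Run it with the same JRE that PowerChute uses so the keystore type and providers match what the service will load.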
