PCNS v4.4.1 Unable to replace the Default PowerChute SSL Certificate with an Enterprise CA signed one.

APC UPS Data Center & Enterprise Solutions Forum

Schneider Electric support forum for our Data Center and Business Power UPS, UPS Accessories, Software, Services, and associated commercial products designed to share knowledge, installation, and configuration.

mc1903 (Crewman)

Posted: ‎2021-10-05 02:12 PM

Hello,

I am struggling to replace the default SSL certificate on a newly deployed PCNS v4.4.1 VMware virtual appliance.

I have followed the Linux/Unix instructions in the appendix of the PowerChute Network Shutdown Security Handbook (990-91316A-001 / Publication Date: February, 2021), but I get the following error in the /opt/APC/PowerChute/group1/error.log when starting the PowerChute service.

FATAL Timer-2 com.apcc.m11.components.webserver.WebServerThread java.lang.IllegalStateException: KeyStores with multiple certificates are not supported on the base class org.eclipse.jetty.util.ssl.SslContextFactory. (Use org.eclipse.jetty.util.ssl.SslContextFactory$Server or org.eclipse.jetty.util.ssl.SslContextFactory$Client instead)
at org.eclipse.jetty.util.ssl.SslContextFactory.newSniX509ExtendedKeyManager(SslContextFactory.java:1283) - Start server exception:

The PCNS 'leaf' Enterprise CA signed certificate has 3 SAN entries - 1 IP address and 2 DNS names (short host name and the FQDN).

There are 3 certificates in the chain: the leaf certificate above, the Intermediate signing CA and the Root CA. Both of these are Windows Server 2019 CAs. I signed the PCNS CSR with the "Webserver Template".

Searching for the error above returns a number of hits relating to jetty versions after 9.4.24 having this exact issue with multiple certificates in the chain and/or SAN entries in the leaf certificate. This version of PCNS is using jetty 9.4.35 (9 files with this version are in /opt/APC/PowerChute/group1/lib), so I think that is the cause of the problem.

I am confused why this was not picked up by your QA/testing, as most modern browsers require a SAN entry of the FQDN in order for the certificate to be validated/accepted. It's been a few years since the Common Name (CN) was accepted.

I don't have support as this is a testing environment, so I cannot open a ticket.

If there is anyone from the PCNS team that could offer some help I would gratefully accept it.

Thanks

M

Accepted Solutions
BillP (Administrator)

Posted: ‎2021-10-07 12:08 PM . Last Modified: ‎2021-10-07 12:09 PM

In response to mc1903

@mc1903

This is a known issue with Jetty. See https://opennms.discourse.group/t/jetty-with-ssl-throws-error-with-keystores-with-multiple-certifica...
https://issues.opennms.org/browse/NMS-12847

The solution is to not use SAN, downgrade Jetty as you did, or uninstall PCNS 4.4.1 and run PCNS 4.4, available here:

https://schneider-electric.box.com/s/9u878j1ln1ftjmolqmsp0hwl2c0t99wr

The issue will be addressed in a future release.

Replies 4
mc1903 (Crewman)

Posted: ‎2021-10-06 06:06 AM . Last Modified: ‎2021-10-06 09:31 AM


I have managed to get this working by:

1) downgrading the 9 jetty-*-9.4.35.v20201120.jar files in /opt/APC/PowerChute/group1/lib to version 9.4.23.v20191118.jar (downloaded from here https://repo1.maven.org/maven2/org/eclipse/jetty/jetty-distribution/9.4.23.v20191118/)

and

2) creating my CSR with a single SAN entry (I used the FQDN).

Obviously I cannot run this in a production environment.

I opened a support case (84823365) referencing this forum post, asking for a PCNS product manager to take a look and feed back to the development team for consideration of a fix.

M

PCNS_Good_Ent_CA_Cert_Chain.PNG

CSR Text:

-----BEGIN NEW CERTIFICATE REQUEST-----
-----END NEW CERTIFICATE REQUEST-----
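
A check for the state the jar-swap workaround above leaves behind, added here as an example and not code from the thread or from Schneider Electric: it inventories the Jetty jars in the PCNS lib directory and reports leftover duplicates, mixed versions and any departure from the shipped 9.4.35. The 9.4.24 boundary is the poster's reading of search results, and the sample jar listings (including module names) are constructed.

```python
import re
from collections import defaultdict
from pathlib import Path

# Jetty jar naming: jetty-<module>-<x.y.z>.v<yyyymmdd>.jar
JAR_RE = re.compile(r"^jetty-([a-z0-9-]+?)-(\d+)\.(\d+)\.(\d+)\.v\d{8}\.jar$")

SHIPPED = (9, 4, 35)          # Jetty version the thread reports in PCNS 4.4.1
LAST_UNAFFECTED = (9, 4, 24)  # thread: error reported for versions after this


def audit_jetty_jars(names):
    """Classify a lib directory listing; returns a dict of findings."""
    by_module = defaultdict(set)
    for name in names:
        m = JAR_RE.match(name)
        if m:  # non-Jetty jars are ignored
            by_module[m.group(1)].add(tuple(int(g) for g in m.group(2, 3, 4)))
    versions = set().union(*by_module.values())
    return {
        "versions": sorted(versions),
        # Same module present twice: an old jar was left beside its replacement.
        "duplicate_modules": sorted(k for k, v in by_module.items() if len(v) > 1),
        # More than one Jetty version on the classpath: incomplete swap.
        "mixed_versions": len(versions) > 1,
        # Any jar differing from the vendor-shipped version: manual modification.
        "modified_from_shipped": any(v != SHIPPED for v in versions),
        # Jars in the range where the multi-certificate keystore error is reported.
        "in_error_range": any(v > LAST_UNAFFECTED for v in versions),
    }


def audit_dir(lib_dir="/opt/APC/PowerChute/group1/lib"):
    """Run the audit against a real lib directory (path taken from the thread)."""
    return audit_jetty_jars(p.name for p in Path(lib_dir).iterdir())


# Constructed sample listings (module names are illustrative, not from the thread).
SHIPPED_LIB = ["jetty-server-9.4.35.v20201120.jar", "jetty-util-9.4.35.v20201120.jar",
               "commons-io-2.8.0.jar"]
PARTIAL_SWAP = ["jetty-server-9.4.23.v20191118.jar", "jetty-server-9.4.35.v20201120.jar",
                "jetty-util-ajax-9.4.23.v20191118.jar"]

if __name__ == "__main__":
    for label, listing in (("shipped", SHIPPED_LIB), ("partial swap", PARTIAL_SWAP)):
        print(label, audit_jetty_jars(listing))
```
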
mc1903 (Crewman)

Posted: ‎2021-10-07 12:59 PM

In response to BillP

Evening @BillP

Thank you. It's good to hear that it will be addressed in a future release.

M

Rudios (Cadet)

Posted: ‎2022-04-28 11:55 PM

In response to BillP

Is there any information on when this newer version will be released?

I'm running version 4.4.1 as well and am in the process of setting up SSL certificates for the installation.

But since I just read here that there are issues with this version, I might wait for the next version if an updated release is coming up.
