PCNS v4.4.1 Unable to replace the Default PowerChute SSL Certificate with an Enterprise CA signed one.

mc1903 · ‎2021-10-05

Hello,

I am struggling to replace the default SSL certificate on a newly deployed PCNS v4.4.1 VMware virtual appliance.

I have followed the Linux/Unix instructions in the appendix of the PowerChute Network Shutdown Security Handbook (990-91316A-001 / Publication Date: February, 2021), but I get the following error in the /opt/APC/PowerChute/group1/error.log when starting the PowerChute service.

FATAL Timer-2 com.apcc.m11.components.webserver.WebServerThread java.lang.IllegalStateException: KeyStores with multiple certificates are not supported on the base class org.eclipse.jetty.util.ssl.SslContextFactory. (Use org.eclipse.jetty.util.ssl.SslContextFactory$Server or org.eclipse.jetty.util.ssl.SslContextFactory$Client instead)
at org.eclipse.jetty.util.ssl.SslContextFactory.newSniX509ExtendedKeyManager(SslContextFactory.java:1283) - Start server exception:

The PCNS 'leaf' Enterprise CA signed certificate has 3 SANS entries - 1 IP address and 2 DNS names (short host name) and the FQDN.

There are 3 certificates in the chain. The leaf certificate above, the Intermediate signing CA and the Root CA. Both these are Windows Server 2019 CA's. I signed the PCNS CSR with the "Webserver Template"

Searching for the error above returns a number of hits relating to jetty versions after 9.4.24 having this exact issue with multiple certificates in the chain and/or SANS entries in the leaf certificate. This version of PCNS is using jetty 9.4.35 (9 files with this version are in /opt/APC/PowerChute/group1/lib), so I think that is the cause of the problem.

I am confused why this was not picked up by your QA/testing, as most modern browsers require a SANS entry of the FQDN in order for the certificate to be validated/accepted. It's been a few years since the Common Name (CN) was accepted.

I don't have support as this is a testing environment, so I cannot open a ticket.

If there is anyone from the PCNS team that could offer some help I would gratefully accept it.

Thanks

M

BillP · ‎2021-10-07

@mc1903

This is known issue with the jetty. See https://opennms.discourse.group/t/jetty-with-ssl-throws-error-with-keystores-with-multiple-certifica...
https://issues.opennms.org/browse/NMS-12847

The solution is to not use SAN, down grade the jetty as you did, or uninstall PCNS 4.4.1 and run PCNS 4.4 available here

https://schneider-electric.box.com/s/9u878j1ln1ftjmolqmsp0hwl2c0t99wr

The issue will be addressed in a future release.

See Answer In Context

mc1903 · ‎2021-10-06

I have managed to get this working by:

1) downgrading the 9 jetty-*-9.4.35.v20201120.jar files in /opt/APC/PowerChute/group1/lib to version 9.4.23.v20191118.jar (downloaded from here https://repo1.maven.org/maven2/org/eclipse/jetty/jetty-distribution/9.4.23.v20191118/)

and

2) creating my CSR with a single SANs entry (I used the FDQN).

Obviously I cannot run this in a production environment.

I opened a support case (84823365) referencing this forum post, asking for a PCNS product manager to take a look and feedback to the development team for consideration of a fix.

M

CSR Text:

-----BEGIN NEW CERTIFICATE REQUEST-----
MIIDNzCCAh8CAQAwgZMxCzAJBgNVBAYTAkdCMRIwEAYDVQQIEwlIYW1wc2hpcmUx
FDASBgNVBAcTC0Jhc2luZ3N0b2tlMRMwEQYDVQQLEwpNb211cyBMYWJzMRkwFwYD
VQQKExBNb211cyBDb25zdWx0aW5nMSowKAYDVQQDEyFtYy1wY25zLXYtMTAxLm1v
bXVzY29uc3VsdGluZy5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB
AQCSGoeVskKABGxZYROqftefyf/ej6om26TnosL6AFSPpUREQQGRUwWEUIGPLzD9
5ICxAMuOXKNUA8uugbzuCYyoTlIHOjtaEvHiizFcF9SEB4LheOrw3tjTQEKCYBYe
En5N8iVer3k2E98cvju6wrbQeDJ2SBORVwtAJjm3tMI2WSgJLXAFjBqEFxqmtGgd
xG/XcNlkmGX5N6YPvErGmXqIDUQxhQeASQoh9W3+JxYYKVbCXMW7FnYgQwU1AVuO
V0bblN3Jcy4bDt5WvSYtll4XbMZJOAS3tHMwEJOFwh7yER/PRSmaeb7XrrUC0MzP
AGpkCAm4kuc+e/PEICvs0CKHAgMBAAGgXjBcBgkqhkiG9w0BCQ4xTzBNMB0GA1Ud
DgQWBBSlV6i3SznST/bkTuL9424GOTBC/jAsBgNVHREEJTAjgiFtYy1wY25zLXYt
MTAxLm1vbXVzY29uc3VsdGluZy5jb20wDQYJKoZIhvcNAQELBQADggEBADpS4l88
6eQTCqdc8vqcomhAAXL8o8aPV/VpZXjNBk2kXqn+B7X60HIRsaklT+M7c7+8dhV1
EMGU4adq203jDM073TBjR/BTFZAIrCfxmzHCALjKaA+4x8sqWI8AEFcBPhGGEvqp
OFVvOqOEwd48xMAeM+8lukR2Ec3+XJic7E+7RCFfVRYC4Lee3FAqLH4apPOfskDA
VnLD19Qti0ZtlkqeRr4rMv7oFWwuWnvA2tUFJLTg51kxA8azLCZM7sy3J6kVw8e/
GOZEnvvDZ89vCCrlPwlhF05k3uzZPxqAlv0G3JIWIQMWLrF0X/a80sn1D4N+OdLc
hPfxwHLZSQ7MNDA=
-----END NEW CERTIFICATE REQUEST-----

BillP · ‎2021-10-07

@mc1903

This is known issue with the jetty. See https://opennms.discourse.group/t/jetty-with-ssl-throws-error-with-keystores-with-multiple-certifica...
https://issues.opennms.org/browse/NMS-12847

The solution is to not use SAN, down grade the jetty as you did, or uninstall PCNS 4.4.1 and run PCNS 4.4 available here

https://schneider-electric.box.com/s/9u878j1ln1ftjmolqmsp0hwl2c0t99wr

The issue will be addressed in a future release.

mc1903 · ‎2021-10-07

Evening @BillP

Thank you. It's good to hear that it will be addressed in a future release.

M

Rudios · ‎2022-04-28

Is there any information when this newer version will be released.

I'm running version 4.4.1 as well and in the process of setting up SSL certificates for the installation.

But since I read just here that there are issues with this version I might wait for the next verison if an updated release is coming up.

PCNS v4.4.1 Unable to replace the Default PowerChute SSL Certificate with an Enterprise CA signed one.

PCNS v4.4.1 Unable to replace the Default PowerChute SSL Certificate with an Enterprise CA signed one.

This is a heading