PCNS v4.4.1 Unable to replace the Default PowerChute SSL Certificate with an Enterprise CA signed one.

mc1903 · ‎2021-10-05

Hello,

I am struggling to replace the default SSL certificate on a newly deployed PCNS v4.4.1 VMware virtual appliance.

I have followed the Linux/Unix instructions in the appendix of the PowerChute Network Shutdown Security Handbook (990-91316A-001 / Publication Date: February, 2021), but I get the following error in the /opt/APC/PowerChute/group1/error.log when starting the PowerChute service.

FATAL Timer-2 com.apcc.m11.components.webserver.WebServerThread java.lang.IllegalStateException: KeyStores with multiple certificates are not supported on the base class org.eclipse.jetty.util.ssl.SslContextFactory. (Use org.eclipse.jetty.util.ssl.SslContextFactory$Server or org.eclipse.jetty.util.ssl.SslContextFactory$Client instead)
at org.eclipse.jetty.util.ssl.SslContextFactory.newSniX509ExtendedKeyManager(SslContextFactory.java:1283) - Start server exception:

The PCNS 'leaf' Enterprise CA signed certificate has 3 SANS entries - 1 IP address and 2 DNS names (short host name) and the FQDN.

There are 3 certificates in the chain. The leaf certificate above, the Intermediate signing CA and the Root CA. Both these are Windows Server 2019 CA's. I signed the PCNS CSR with the "Webserver Template"

Searching for the error above returns a number of hits relating to jetty versions after 9.4.24 having this exact issue with multiple certificates in the chain and/or SANS entries in the leaf certificate. This version of PCNS is using jetty 9.4.35 (9 files with this version are in /opt/APC/PowerChute/group1/lib), so I think that is the cause of the problem.

I am confused why this was not picked up by your QA/testing, as most modern browsers require a SANS entry of the FQDN in order for the certificate to be validated/accepted. It's been a few years since the Common Name (CN) was accepted.

I don't have support as this is a testing environment, so I cannot open a ticket.

If there is anyone from the PCNS team that could offer some help I would gratefully accept it.

Thanks

M

BillP · ‎2021-10-07

@mc1903

This is known issue with the jetty. See https://opennms.discourse.group/t/jetty-with-ssl-throws-error-with-keystores-with-multiple-certifica...
https://issues.opennms.org/browse/NMS-12847

The solution is to not use SAN, down grade the jetty as you did, or uninstall PCNS 4.4.1 and run PCNS 4.4 available here

https://schneider-electric.box.com/s/9u878j1ln1ftjmolqmsp0hwl2c0t99wr

The issue will be addressed in a future release.

See Answer In Context

mc1903 · ‎2021-10-06

I have managed to get this working by:

1) downgrading the 9 jetty-*-9.4.35.v20201120.jar files in /opt/APC/PowerChute/group1/lib to version 9.4.23.v20191118.jar (downloaded from here https://repo1.maven.org/maven2/org/eclipse/jetty/jetty-distribution/9.4.23.v20191118/)

and

2) creating my CSR with a single SANs entry (I used the FDQN).

Obviously I cannot run this in a production environment.

I opened a support case (84823365) referencing this forum post, asking for a PCNS product manager to take a look and feedback to the development team for consideration of a fix.

M

CSR Text:

-----BEGIN NEW CERTIFICATE REQUEST-----
MIIDNzCCAh8CAQAwgZMxCzAJBgNVBAYTAkdCMRIwEAYDVQQIEwlIYW1wc2hpcmUx
FDASBgNVBAcTC0Jhc2luZ3N0b2tlMRMwEQYDVQQLEwpNb211cyBMYWJzMRkwFwYD
VQQKExBNb211cyBDb25zdWx0aW5nMSowKAYDVQQDEyFtYy1wY25zLXYtMTAxLm1v
bXVzY29uc3VsdGluZy5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB
AQCSGoeVskKABGxZYROqftefyf/ej6om26TnosL6AFSPpUREQQGRUwWEUIGPLzD9
5ICxAMuOXKNUA8uugbzuCYyoTlIHOjtaEvHiizFcF9SEB4LheOrw3tjTQEKCYBYe
En5N8iVer3k2E98cvju6wrbQeDJ2SBORVwtAJjm3tMI2WSgJLXAFjBqEFxqmtGgd
xG/XcNlkmGX5N6YPvErGmXqIDUQxhQeASQoh9W3+JxYYKVbCXMW7FnYgQwU1AVuO
V0bblN3Jcy4bDt5WvSYtll4XbMZJOAS3tHMwEJOFwh7yER/PRSmaeb7XrrUC0MzP
AGpkCAm4kuc+e/PEICvs0CKHAgMBAAGgXjBcBgkqhkiG9w0BCQ4xTzBNMB0GA1Ud
DgQWBBSlV6i3SznST/bkTuL9424GOTBC/jAsBgNVHREEJTAjgiFtYy1wY25zLXYt
MTAxLm1vbXVzY29uc3VsdGluZy5jb20wDQYJKoZIhvcNAQELBQADggEBADpS4l88
6eQTCqdc8vqcomhAAXL8o8aPV/VpZXjNBk2kXqn+B7X60HIRsaklT+M7c7+8dhV1
EMGU4adq203jDM073TBjR/BTFZAIrCfxmzHCALjKaA+4x8sqWI8AEFcBPhGGEvqp
OFVvOqOEwd48xMAeM+8lukR2Ec3+XJic7E+7RCFfVRYC4Lee3FAqLH4apPOfskDA
VnLD19Qti0ZtlkqeRr4rMv7oFWwuWnvA2tUFJLTg51kxA8azLCZM7sy3J6kVw8e/
GOZEnvvDZ89vCCrlPwlhF05k3uzZPxqAlv0G3JIWIQMWLrF0X/a80sn1D4N+OdLc
hPfxwHLZSQ7MNDA=
-----END NEW CERTIFICATE REQUEST-----

BillP · ‎2021-10-07

@mc1903

This is known issue with the jetty. See https://opennms.discourse.group/t/jetty-with-ssl-throws-error-with-keystores-with-multiple-certifica...
https://issues.opennms.org/browse/NMS-12847

The solution is to not use SAN, down grade the jetty as you did, or uninstall PCNS 4.4.1 and run PCNS 4.4 available here

https://schneider-electric.box.com/s/9u878j1ln1ftjmolqmsp0hwl2c0t99wr

The issue will be addressed in a future release.

mc1903 · ‎2021-10-07

Evening @BillP

Thank you. It's good to hear that it will be addressed in a future release.

M

Rudios · ‎2022-04-28

Is there any information when this newer version will be released.

I'm running version 4.4.1 as well and in the process of setting up SSL certificates for the installation.

But since I read just here that there are issues with this version I might wait for the next verison if an updated release is coming up.