Schneider Electric support forum for our Data Center and Business Power UPS, UPS Accessories, Software, Services, and associated commercial products designed to share knowledge, installation, and configuration.
Posted: 2021-10-05 02:12 PM
Hello,
I am struggling to replace the default SSL certificate on a newly deployed PCNS v4.4.1 VMware virtual appliance.
I have followed the Linux/Unix instructions in the appendix of the PowerChute Network Shutdown Security Handbook (990-91316A-001 / Publication Date: February, 2021), but I get the following error in the /opt/APC/PowerChute/group1/error.log when starting the PowerChute service.
FATAL Timer-2 com.apcc.m11.components.webserver.WebServerThread java.lang.IllegalStateException: KeyStores with multiple certificates are not supported on the base class org.eclipse.jetty.util.ssl.SslContextFactory. (Use org.eclipse.jetty.util.ssl.SslContextFactory$Server or org.eclipse.jetty.util.ssl.SslContextFactory$Client instead)
at org.eclipse.jetty.util.ssl.SslContextFactory.newSniX509ExtendedKeyManager(SslContextFactory.java:1283) - Start server exception:
The PCNS 'leaf' Enterprise CA signed certificate has 3 SAN entries: 1 IP address and 2 DNS names (the short host name and the FQDN).
There are 3 certificates in the chain: the leaf certificate above, the Intermediate signing CA and the Root CA. Both of these are Windows Server 2019 CAs. I signed the PCNS CSR with the "Webserver Template".
Searching for the error above returns a number of hits relating to Jetty versions after 9.4.24 having this exact issue with multiple certificates in the chain and/or SAN entries in the leaf certificate. This version of PCNS is using Jetty 9.4.35 (9 files with this version are in /opt/APC/PowerChute/group1/lib), so I think that is the cause of the problem.
I am confused why this was not picked up by your QA/testing, as most modern browsers require a SAN entry of the FQDN in order for the certificate to be validated/accepted. It's been a few years since the Common Name (CN) alone was accepted.
I don't have support as this is a testing environment, so I cannot open a ticket.
If there is anyone from the PCNS team that could offer some help I would gratefully accept it.
Thanks
M
Posted: 2021-10-07 12:08 PM . Last Modified: 2021-10-07 12:09 PM
This is a known issue with Jetty. See https://opennms.discourse.group/t/jetty-with-ssl-throws-error-with-keystores-with-multiple-certifica...
https://issues.opennms.org/browse/NMS-12847
The solution is to not use SAN, downgrade Jetty as you did, or uninstall PCNS 4.4.1 and run PCNS 4.4, available here:
https://schneider-electric.box.com/s/9u878j1ln1ftjmolqmsp0hwl2c0t99wr
The issue will be addressed in a future release.
Posted: 2021-10-06 06:06 AM . Last Modified: 2021-10-06 09:31 AM
I have managed to get this working by:
1) downgrading the 9 jetty-*-9.4.35.v20201120.jar files in /opt/APC/PowerChute/group1/lib to version 9.4.23.v20191118 (downloaded from here: https://repo1.maven.org/maven2/org/eclipse/jetty/jetty-distribution/9.4.23.v20191118/)
and
2) creating my CSR with a single SAN entry (I used the FQDN).
Obviously I cannot run this in a production environment.
I opened a support case (84823365) referencing this forum post, asking for a PCNS product manager to take a look and feedback to the development team for consideration of a fix.
M
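The two-step workaround above (check which Jetty jars are in the lib directory, then issue a CSR with exactly one SAN) is easy to get wrong by hand, so here is an added pre-flight script that is not from the forum thread or from Schneider Electric. It assumes openssl 1.1.1 or later on the PATH, a PowerChute lib directory laid out as described in the thread (jetty-*-9.4.NN.vYYYYMMDD.jar), and a PEM leaf certificate and chain file; the function names and the example host name pcns.example.test are my own.

```bash
#!/bin/sh
# Added example: pre-flight checks for the PowerChute / Jetty SAN issue described
# in the thread. Not PowerChute's own tooling; assumes openssl >= 1.1.1.

# Count Jetty jars in a lib directory whose 9.4.x patch level is above 24, the
# point after which the thread reports the SslContextFactory error appearing.
jetty_newer_than_9_4_24() {
  dir="$1"
  count=0
  for jar in "$dir"/jetty-*-9.4.*.jar; do
    [ -e "$jar" ] || continue
    patch=$(basename "$jar" | sed -n 's/.*-9\.4\.\([0-9]*\)\..*/\1/p')
    if [ -n "$patch" ] && [ "$patch" -gt 24 ]; then
      count=$((count + 1))
    fi
  done
  echo "$count"
}

# Number of subjectAltName entries (DNS + IP) in a PEM certificate or CSR.
# "$2" selects the openssl subcommand: x509 for a certificate, req for a CSR.
san_count() {
  openssl "${2:-x509}" -in "$1" -noout -text 2>/dev/null \
    | grep -A1 'Subject Alternative Name' | tail -n 1 \
    | tr ',' '\n' | grep -c -E 'DNS:|IP Address:' || true
}

# Number of certificates in a PEM bundle (leaf + intermediates + root).
chain_length() {
  grep -c 'BEGIN CERTIFICATE' "$1" || true
}

# Step 2 of the workaround: a fresh key and CSR carrying exactly one SAN, the FQDN.
make_single_san_csr() {
  fqdn="$1"; keyout="$2"; csrout="$3"
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=$fqdn" -addext "subjectAltName=DNS:$fqdn" \
    -keyout "$keyout" -out "$csrout" 2>/dev/null
}

# Summarise whether the combination the thread describes (new Jetty + multi-SAN
# leaf + multi-cert chain) is present. Prints one line per finding; returns 0
# when nothing looks risky, 1 otherwise.
preflight() {
  libdir="$1"; leaf="$2"; chain="$3"
  risky=0
  jars=$(jetty_newer_than_9_4_24 "$libdir")
  sans=$(san_count "$leaf" x509)
  certs=$(chain_length "$chain")
  echo "jetty jars newer than 9.4.24: $jars"
  echo "SAN entries in leaf:          $sans"
  echo "certificates in chain:        $certs"
  if [ "$jars" -gt 0 ] && { [ "$sans" -gt 1 ] || [ "$certs" -gt 1 ]; }; then
    echo "WARNING: matches the failing combination; expect the SslContextFactory error"
    risky=1
  fi
  return $risky
}
# Usage: preflight /opt/APC/PowerChute/group1/lib leaf.pem chain.pem
```

Run `preflight` before restarting the PowerChute service; the warning line reproduces the same condition the error.log message reports, but without having to restart the service to find out. `make_single_san_csr` produces the CSR for the single-SAN path; the resulting request can still be signed by the enterprise CA's web server template as before.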
Posted: 2022-04-28 11:55 PM
Is there any information on when this newer version will be released?
I'm running version 4.4.1 as well and am in the process of setting up SSL certificates for the installation.
But since I read here that there are issues with this version, I might wait for the next version if an updated release is coming up.