Micronaut-core: HTTPS config for buildSelfSigned logs SSLException from Chrome

Created on 25 Jul 2019 · 3 Comments · Source: micronaut-projects/micronaut-core

Task List

  • [x] Steps to reproduce provided
  • [x] Stacktrace (if present) provided
  • [x] Example that reproduces the problem uploaded to Github
  • [x] Full description of the issue provided (see below)

Steps to Reproduce

  1. Update the Micronaut configuration according to Securing the Server with HTTPS by adding
     micronaut:
         ssl:
             enabled: true
             buildSelfSigned: true
  2. Add a simple controller for /hello
  3. Access https://localhost:8443/hello via Chrome. The page will load (once you accept the certificate)
  4. View logs - the server will show an SSLException

Expected Behaviour

Site is accessible and no errors in the logs

Actual Behaviour

When accessing via Chrome, the logs show:

17:24:05.680 [nioEventLoopGroup-1-7] ERROR i.m.h.s.netty.RoutingInBoundHandler - Micronaut Server Error - No request state present. Cause: javax.net.ssl.SSLException: Received fatal alert: certificate_unknown
io.netty.handler.codec.DecoderException: javax.net.ssl.SSLException: Received fatal alert: certificate_unknown
        at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:472)
        at io.netty.handler.codec.ByteToMessageDecoder.channelInputClosed(ByteToMessageDecoder.java:405)
        at io.netty.handler.codec.ByteToMessageDecoder.channelInputClosed(ByteToMessageDecoder.java:372)
        at io.netty.handler.codec.ByteToMessageDecoder.channelInactive(ByteToMessageDecoder.java:355)
        at io.netty.handler.ssl.SslHandler.channelInactive(SslHandler.java:1050)
        at io.netty.channel.AbstractChannelHandlerContext.invokeChannelInactive(AbstractChannelHandlerContext.java:245)
        at io.netty.channel.AbstractChannelHandlerContext.invokeChannelInactive(AbstractChannelHandlerContext.java:231)
        at io.netty.channel.AbstractChannelHandlerContext.fireChannelInactive(AbstractChannelHandlerContext.java:224)
        at io.netty.channel.DefaultChannelPipeline$HeadContext.channelInactive(DefaultChannelPipeline.java:1429)
        at io.netty.channel.AbstractChannelHandlerContext.invokeChannelInactive(AbstractChannelHandlerContext.java:245)
        at io.netty.channel.AbstractChannelHandlerContext.invokeChannelInactive(AbstractChannelHandlerContext.java:231)
        at io.netty.channel.DefaultChannelPipeline.fireChannelInactive(DefaultChannelPipeline.java:947)
        at io.netty.channel.AbstractChannel$AbstractUnsafe$8.run(AbstractChannel.java:822)
        at io.netty.util.concurrent.AbstractEventExecutor.safeExecute(AbstractEventExecutor.java:163)
        at io.netty.util.concurrent.SingleThreadEventExecutor.runAllTasks(SingleThreadEventExecutor.java:404)
        at io.netty.channel.nio.NioEventLoop.run(NioEventLoop.java:462)
        at io.netty.util.concurrent.SingleThreadEventExecutor$5.run(SingleThreadEventExecutor.java:897)
        at io.netty.util.concurrent.FastThreadLocalRunnable.run(FastThreadLocalRunnable.java:30)
        at java.lang.Thread.run(Thread.java:748)
Caused by: javax.net.ssl.SSLException: Received fatal alert: certificate_unknown
        at sun.security.ssl.Alerts.getSSLException(Alerts.java:208)
        at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1666)
        at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1634)
        at sun.security.ssl.SSLEngineImpl.recvAlert(SSLEngineImpl.java:1800)
        at sun.security.ssl.SSLEngineImpl.readRecord(SSLEngineImpl.java:1083)
        at sun.security.ssl.SSLEngineImpl.readNetRecord(SSLEngineImpl.java:907)
        at sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:781)
        at javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:624)
        at io.netty.handler.ssl.SslHandler$SslEngineType$3.unwrap(SslHandler.java:294)
        at io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1297)
        at io.netty.handler.ssl.SslHandler.decodeJdkCompatible(SslHandler.java:1199)
        at io.netty.handler.ssl.SslHandler.decode(SslHandler.java:1243)
        at io.netty.handler.codec.ByteToMessageDecoder.decodeRemovalReentryProtection(ByteToMessageDecoder.java:502)
        at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:441)

Getting informal: These appear to be intermittent. I haven't been able to prove it, but it appears it's on the first use of a specific nioEventLoopGroup, i.e. nioEventLoopGroup-1-12 will occur twice from one page load (likely once for the load and once for an associated fav.ico call, which is unavailable).

Other methods of accessing the endpoint

When accessing via curl, they do not appear:

curl -v  -k https://localhost:8443/hello
*   Trying ::1...
* TCP_NODELAY set
* Connected to localhost (::1) port 8443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/cert.pem
  CApath: none
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Client hello (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-SHA
* ALPN, server did not agree to a protocol
* Server certificate:
*  subject: CN=example.com
*  start date: Jul 25 21:37:15 2018 GMT
*  expire date: Dec 31 23:59:59 9999 GMT
*  issuer: CN=example.com
*  SSL certificate verify result: self signed certificate (18), continuing anyway.
> GET /hello HTTP/1.1
> Host: localhost:8443
> User-Agent: curl/7.54.0
> Accept: */*
> 
< HTTP/1.1 200 OK
< Date: Thu, 25 Jul 2019 21:37:25 GMT
< content-type: application/json
< content-length: 12
< connection: keep-alive
< 
* Connection #0 to host localhost left intact
Hello World!%            

Likewise, they do not appear when copying the Chrome request as a cURL request and running it via curl, and they do not appear when using Safari.

Environment Information

  • Operating System: MacOS 10.14.5
  • Micronaut Version: 1.1.3 (also seen in a more complex project on 1.1.4)
  • JDK Version: 8u144. Also tested with 11.0.2
  • Chrome Version: Version 75.0.3770.142 (Official Build) (64-bit)

Example Application

All 3 comments

I am facing the same issue.

Any news on this?

I have a similar issue with micronaut 2.3.3. With Chrome I get an HTTP_SSL_PROTOCOL_ERROR and even curl fails consistently...

$ curl  -vvv https://127.0.0.1:8443/ 
*   Trying 127.0.0.1:8443...
* TCP_NODELAY set
* Connected to 127.0.0.1 (127.0.0.1) port 8443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Request CERT (13):
* TLSv1.3 (IN), TLS alert, handshake failure (552):
* error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure
* Closing connection 0
curl: (35) error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure

From the error it either seems that micronaut is trying to use SSLv3, or that the clients & server are unable to negotiate the ssl protocol.
AFAIK I only specify micronaut.ssl.enabled=true and micronaut.ssl.buildSelfSigned=true, so everything else about ssl is default and I'd expect this to "just work".
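As an added example (not code from this issue, from Micronaut or from Netty), the Go program below reproduces the three client behaviours the thread compares against one in-process server holding a self-signed certificate: a client whose trust store does not contain that certificate (Chrome's situation), a client that skips verification (curl -k), and a client that has the specific certificate installed as its trust anchor, which is the usual fix for local development. It also shows what a server that requires a client certificate does to a client that has none, because the CertificateRequest handshake message ("Request CERT (13)" in the last comment's curl trace) is only sent by a server configured to ask for one. The server-side string is the counterpart of Micronaut's ERROR line: "Received fatal alert: certificate_unknown" is the server logging the alert the client sent when it rejected the certificate, which is why it never shows up for curl -k. Go's client sends a bad_certificate alert where Chrome sends certificate_unknown; the alert code depends on the client, the cause is the same. The certificate generation, the loopback server and the case labels are constructed for this example and assume nothing about Micronaut's internals.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"io"
	"math/big"
	"net"
	"time"
)

// SelfSignedCert builds an in-memory self-signed certificate for localhost. It is a
// constructed stand-in for what micronaut.ssl.buildSelfSigned generates, not Micronaut's code.
func SelfSignedCert() (tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "localhost"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		DNSNames:     []string{"localhost"},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, err
	}
	leaf, _ := x509.ParseCertificate(der)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, nil
}

// Outcome is what each side of one handshake attempt observed.
type Outcome struct {
	ClientErr error  // nil when the client was satisfied
	Server    string // "ok" or "handshake error: ..." (the equivalent of Micronaut's ERROR line)
}

// Handshake runs one TLS handshake on a loopback port between an in-process server
// configured with srv and a client configured with cli, and reports both sides' view.
func Handshake(srv, cli *tls.Config) (Outcome, error) {
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return Outcome{}, err
	}
	defer ln.Close()
	serverSaw := make(chan string, 1)
	go func() {
		conn, err := ln.Accept()
		if err != nil {
			serverSaw <- "accept: " + err.Error()
			return
		}
		tconn := tls.Server(conn, srv)
		defer tconn.Close()
		if err := tconn.Handshake(); err != nil {
			serverSaw <- "handshake error: " + err.Error() // the alert the client sent, as the server logs it
			return
		}
		serverSaw <- "ok"
	}()
	var out Outcome
	conn, err := tls.Dial("tcp", ln.Addr().String(), cli)
	if err != nil {
		out.ClientErr = err // the client rejected the server certificate and alerted the server
	} else {
		// A TLS 1.3 client finishes before the server has judged its flight, so read once
		// to surface an alert the server sends afterwards; close_notify reads as io.EOF.
		conn.SetReadDeadline(time.Now().Add(2 * time.Second))
		if _, rerr := conn.Read(make([]byte, 1)); rerr != nil && rerr != io.EOF {
			out.ClientErr = rerr
		}
		conn.Close()
	}
	out.Server = <-serverSaw
	return out, nil
}

// IsUnknownAuthority reports whether a client error is the trust failure a verifying
// client raises for a certificate that does not chain to anything in its trust store.
func IsUnknownAuthority(err error) bool {
	var ua x509.UnknownAuthorityError
	return errors.As(err, &ua)
}

func main() {
	cert, err := SelfSignedCert()
	if err != nil {
		panic(err)
	}
	server := &tls.Config{Certificates: []tls.Certificate{cert}}
	pinned := x509.NewCertPool()
	pinned.AddCert(cert.Leaf) // trust exactly this certificate, the usual local-dev fix
	cases := []struct {
		name string
		srv  *tls.Config
		cli  *tls.Config
	}{
		{"browser-like, cert not trusted", server, &tls.Config{ServerName: "localhost", RootCAs: x509.NewCertPool()}},
		{"curl -k (no verification)", server, &tls.Config{ServerName: "localhost", InsecureSkipVerify: true}},
		{"cert installed as trust anchor", server, &tls.Config{ServerName: "localhost", RootCAs: pinned}},
		{"server requires a client cert", &tls.Config{Certificates: []tls.Certificate{cert}, ClientAuth: tls.RequireAnyClientCert},
			&tls.Config{ServerName: "localhost", InsecureSkipVerify: true}},
	}
	for _, c := range cases {
		o, _ := Handshake(c.srv, c.cli)
		fmt.Printf("%-32s client=%v server=%s\n", c.name, o.ClientErr, o.Server)
	}
}
```

Running it prints one line per case; only the first and last produce a server-side "handshake error", and only in the first is the client error a trust failure, which is the situation behind the SSLException in the report. Installing the generated certificate as a trust anchor (the third case) removes the alert without disabling verification, unlike the curl -k approach.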
