java.security.KeyStoreException: Key protection algorithm not found

[kares]

after the switch from OpenSSL to Java SSL provider (in 3.3.5) the plugin has some behavioral differences in terms of the configuration. This one is such difference when updating LS, namely having a configuration such as:

     ssl => true
     ssl_certificate => "multi-cert.pem"
     ssl_key => "private-key.pk8"

where mutli-cert.pem contains multiple certificate entries (not just a single public key certificate for the private key), these are being added into a key store and are assumed to be in proper order - from pub key certificate -> intermediate cert -> server cert and thus fail with :

Caused by: java.security.KeyStoreException: Key protection  algorithm not found: java.security.KeyStoreException: Certificate chain is not valid
        at sun.security.pkcs12.PKCS12KeyStore.setKeyEntry(PKCS12KeyStore.java:707) ~[?:?]
        at sun.security.pkcs12.PKCS12KeyStore.engineSetKeyEntry(PKCS12KeyStore.java:604) ~[?:?]
        at sun.security.util.KeyStoreDelegator.engineSetKeyEntry(KeyStoreDelegator.java:111) ~[?:?]
        at java.security.KeyStore.setKeyEntry(KeyStore.java:1174) ~[?:?]
        at io.netty.handler.ssl.SslContext.buildKeyStore(SslContext.java:1102) ~[netty-all-4.1.49.Final.jar:4.1.49.Final]
        at io.netty.handler.ssl.SslContext.buildKeyManagerFactory(SslContext.java:1274) ~[netty-all-4.1.49.Final.jar:4.1.49.Final]
        at io.netty.handler.ssl.SslContext.buildKeyManagerFactory(SslContext.java:1263) ~[netty-all-4.1.49.Final.jar:4.1.49.Final]
        at io.netty.handler.ssl.JdkSslServerContext.newSSLContext(JdkSslServerContext.java:266) ~[netty-all-4.1.49.Final.jar:4.1.49.Final]
        ... 67 more
Caused by: java.security.KeyStoreException: Certificate chain is not valid
        at sun.security.pkcs12.PKCS12KeyStore.setKeyEntry(PKCS12KeyStore.java:654) ~[?:?]
        at sun.security.pkcs12.PKCS12KeyStore.engineSetKeyEntry(PKCS12KeyStore.java:604) ~[?:?]
        at sun.security.util.KeyStoreDelegator.engineSetKeyEntry(KeyStoreDelegator.java:111) ~[?:?]
        at java.security.KeyStore.setKeyEntry(KeyStore.java:1174) ~[?:?]
        at io.netty.handler.ssl.SslContext.buildKeyStore(SslContext.java:1102) ~[netty-all-4.1.49.Final.jar:4.1.49.Final]
        at io.netty.handler.ssl.SslContext.buildKeyManagerFactory(SslContext.java:1274) ~[netty-all-4.1.49.Final.jar:4.1.49.Final]
        at io.netty.handler.ssl.SslContext.buildKeyManagerFactory(SslContext.java:1263) ~[netty-all-4.1.49.Final.jar:4.1.49.Final]
        at io.netty.handler.ssl.JdkSslServerContext.newSSLContext(JdkSslServerContext.java:266) ~[netty-all-4.1.49.Final.jar:4.1.49.Final]

HINT: this validation does not occur if there's only ONE certificate in the ssl_certificate => ... file.

Previously (plugin versions < 3.3.5), OpenSSL did consider the chain valid using the reverse order (last in the chain being the certificate for the private key).

A resolution of removing the additional certificates usually works, after all the certificate for the private key is set by the user thus no reason not to consider it valid (and a trust-chain of intermediaries should be set using ssl_certificate_authorities => ... option).

NOTE: with plugin version 3.3.5-3.3.6 the error would not get properly unwrapped or logged and one is stuck with a generic error message (javax.net.ssl.SSLException: failed to initialize the server-side SSL context), improved in 3.3.7

Same issue concerns Beats input.

[MorrieAtElastic]

https://github.com/elastic/support-known-issues/issues/542 has been submitted as a Support Known Issue for this problem