Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Inputs can not read trusted TLS certs from directory #5939

Closed
mpfz0r opened this issue May 14, 2019 · 1 comment · Fixed by #5958

Comments

@mpfz0r
Copy link
Member

commented May 14, 2019

The Input configuration TLS Client Auth Trusted Certs used to support
either a file, or a directory of certificates.

Expected Behavior

Providing a directory should read all the certs within it

Current Behavior

2019-05-14 09:34:15,120 WARN : io.netty.channel.ChannelInitializer - Failed to initialize a channel. Closing: [id: 0x45383efc, L:/172.16.1.1:5044 - R:/172.16.1.2:46930]
java.security.cert.CertificateException: java.io.IOException: Is a directory
	at sun.security.provider.X509Factory.engineGenerateCertificates(X509Factory.java:358) ~[?:1.8.0_191]
	at java.security.cert.CertificateFactory.generateCertificates(CertificateFactory.java:462) ~[?:1.8.0_191]
	at org.graylog2.plugin.inputs.transports.util.KeyUtil.loadCertificates(KeyUtil.java:112) ~[classes/:?]
[...]

Possible Solution

Bring back the code that got dropped in 3.0 with #4397

The former code handled directories:
https://github.com/Graylog2/graylog2-server/blob/2.4/graylog2-server/src/main/java/org/graylog2/plugin/inputs/transports/util/KeyUtil.java#L87

Possible Workaround

cat(1) all the needed certificates into one file (untested)
$ cat *.crt > jumbo.crt

Your Environment

  • Graylog Version: 3.0

@mpfz0r mpfz0r added inputs bug labels May 14, 2019

@mpfz0r

This comment has been minimized.

Copy link
Member Author

commented May 16, 2019

duplicate of #5856

@mpfz0r mpfz0r self-assigned this May 22, 2019

mpfz0r added a commit that referenced this issue May 22, 2019
Fix support for TLS input trusted certs directories
The Input configuration TLS Client Auth Trusted Certs used to support
either a file, or a directory of certificates.
This got broken in 3.0 with PR #4397

- Fix this by extending also handling directories in loadCertificates().
- Delete the old TrustManager based version that is not used anymore.
- Extend the KeyUtilTest and use `Resources.getResource()` instead,
  which does not rely on the resources to exist in the target directory.

Fixes #5939
mpfz0r added a commit that referenced this issue May 22, 2019
Fix support for TLS input trusted certs directories
The Input configuration TLS Client Auth Trusted Certs used to support
either a file, or a directory of certificates.
This got broken in 3.0 with PR #4397

- Fix this by extending loadCertificates() to also handle directories.
- Delete the old TrustManager based version that is not used anymore.
- Extend the KeyUtilTest and use `Resources.getResource()` instead,
  which does not rely on the resources to exist in the target directory.

Fixes #5939

@kmerz kmerz closed this in #5958 Jul 9, 2019

kmerz added a commit that referenced this issue Jul 9, 2019
Fix support for TLS input trusted certs directories (#5958)
The Input configuration TLS Client Auth Trusted Certs used to support
either a file, or a directory of certificates.
This got broken in 3.0 with PR #4397

- Fix this by extending loadCertificates() to also handle directories.
- Delete the old TrustManager based version that is not used anymore.
- Extend the KeyUtilTest and use `Resources.getResource()` instead,
  which does not rely on the resources to exist in the target directory.

Fixes #5939
kmerz added a commit that referenced this issue Jul 9, 2019
Fix support for TLS input trusted certs directories (#5958)
The Input configuration TLS Client Auth Trusted Certs used to support
either a file, or a directory of certificates.
This got broken in 3.0 with PR #4397

- Fix this by extending loadCertificates() to also handle directories.
- Delete the old TrustManager based version that is not used anymore.
- Extend the KeyUtilTest and use `Resources.getResource()` instead,
  which does not rely on the resources to exist in the target directory.

Fixes #5939
mpfz0r added a commit that referenced this issue Jul 9, 2019
Fix support for TLS input trusted certs directories (#5958) (#6102)
The Input configuration TLS Client Auth Trusted Certs used to support
either a file, or a directory of certificates.
This got broken in 3.0 with PR #4397

- Fix this by extending loadCertificates() to also handle directories.
- Delete the old TrustManager based version that is not used anymore.
- Extend the KeyUtilTest and use `Resources.getResource()` instead,
  which does not rely on the resources to exist in the target directory.

Fixes #5939
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
2 participants
You can’t perform that action at this time.