JHipster v7.1.0: TLS support in dev not working - app crashes or throws exception
I have created a simple microservice application, one gateway and one service, using JDL, and enabling 'tls' in dev does not work out of the box. Does anyone know how to configure it in dev?
This is the only documentation that I have found about tls in JHipster, and which I have followed:
These are the steps to reproduce the exceptions I got when enabling 'tls' in dev:
Create a folder 'myapp' and move into that folder.
Run: git init
Generate app: jhipster jdl model.jdl
npm install
mvn clean install
Move to the gateway folder (onegateway)
Start registry:
docker-compose -f src/main/docker/jhipster-registry.yml up -d
Start database:
docker-compose -f src/main/docker/postgresql.yml up -d
Start up with both the dev and tls profiles:
./mvnw -Pdev,tls
The app crashes with:
2021-08-11 14:32:29.069 WARN 83643 --- [ restartedMain] onfigReactiveWebServerApplicationContext : Exception encountered during context initialization - cancelling refresh attempt: org.springframework.context.ApplicationContextException: Unable to start reactive web server; nested exception is reactor.core.Exceptions$ReactiveException: javax.net.ssl.SSLException: failed to set cipher suite: [TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_RSA_WITH_AES_256_CBC_SHA256]
2021-08-11 14:32:29.115 ERROR 83643 --- [ restartedMain] o.s.boot.SpringApplication : Application run failed
org.springframework.context.ApplicationContextException: Unable to start reactive web server; nested exception is reactor.core.Exceptions$ReactiveException: javax.net.ssl.SSLException: failed to set cipher suite: [TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_RSA_WITH_AES_256_CBC_SHA256]
at org.springframework.boot.web.reactive.context.ReactiveWebServerApplicationContext.onRefresh(ReactiveWebServerApplicationContext.java:81)
at org.springframework.context.support.AbstractApplicationContext.refresh(AbstractApplicationContext.java:577)
at org.springframework.boot.web.reactive.context.ReactiveWebServerApplicationContext.refresh(ReactiveWebServerApplicationContext.java:63)
at org.springframework.boot.SpringApplication.refresh(SpringApplication.java:771)
at org.springframework.boot.SpringApplication.refresh(SpringApplication.java:763)
at org.springframework.boot.SpringApplication.refreshContext(SpringApplication.java:438)
at org.springframework.boot.SpringApplication.run(SpringApplication.java:339)
at com.carestra.jhipster.gateway.OnegatewayApp.main(OnegatewayApp.java:69)
at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.base/java.lang.reflect.Method.invoke(Method.java:566)
at org.springframework.boot.devtools.restart.RestartLauncher.run(RestartLauncher.java:49)
Caused by: reactor.core.Exceptions$ReactiveException: javax.net.ssl.SSLException: failed to set cipher suite: [TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_RSA_WITH_AES_256_CBC_SHA256]
at reactor.core.Exceptions.propagate(Exceptions.java:392)
at reactor.netty.tcp.SslProvider.<init>(SslProvider.java:361)
at reactor.netty.tcp.SslProvider$Build.build(SslProvider.java:734)
at reactor.netty.http.server.HttpServer.secure(HttpServer.java:721)
at reactor.netty.http.server.HttpServer.secure(HttpServer.java:689)
at org.springframework.boot.web.embedded.netty.SslServerCustomizer.apply(SslServerCustomizer.java:81)
at org.springframework.boot.web.embedded.netty.NettyReactiveWebServerFactory.customizeSslConfiguration(NettyReactiveWebServerFactory.java:182)
at org.springframework.boot.web.embedded.netty.NettyReactiveWebServerFactory.createHttpServer(NettyReactiveWebServerFactory.java:169)
at org.springframework.boot.web.embedded.netty.NettyReactiveWebServerFactory.getWebServer(NettyReactiveWebServerFactory.java:70)
at org.springframework.boot.web.reactive.context.WebServerManager.<init>(WebServerManager.java:49)
at org.springframework.boot.web.reactive.context.ReactiveWebServerApplicationContext.createWebServer(ReactiveWebServerApplicationContext.java:93)
at org.springframework.boot.web.reactive.context.ReactiveWebServerApplicationContext.onRefresh(ReactiveWebServerApplicationContext.java:78)
... 12 common frames omitted
Caused by: javax.net.ssl.SSLException: failed to set cipher suite: [TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_RSA_WITH_AES_256_CBC_SHA256]
at io.netty.handler.ssl.ReferenceCountedOpenSslContext.<init>(ReferenceCountedOpenSslContext.java:295)
at io.netty.handler.ssl.OpenSslContext.<init>(OpenSslContext.java:45)
at io.netty.handler.ssl.OpenSslServerContext.<init>(OpenSslServerContext.java:349)
at io.netty.handler.ssl.OpenSslServerContext.<init>(OpenSslServerContext.java:336)
at io.netty.handler.ssl.SslContext.newServerContextInternal(SslContext.java:473)
at io.netty.handler.ssl.SslContextBuilder.build(SslContextBuilder.java:606)
at reactor.netty.tcp.AbstractProtocolSslContextSpec.sslContext(AbstractProtocolSslContextSpec.java:53)
at reactor.netty.tcp.SslProvider.<init>(SslProvider.java:358)
... 22 common frames omitted
Caused by: java.lang.IllegalArgumentException: unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256(ECDHE-ECDSA-AES128-SHA256)
at io.netty.handler.ssl.CipherSuiteConverter.convertToCipherStrings(CipherSuiteConverter.java:470)
at io.netty.handler.ssl.ReferenceCountedOpenSslContext.<init>(ReferenceCountedOpenSslContext.java:282)
... 29 common frames omitted
########## All ciphers are those generated by JHipster and are also found in https://www.jhipster.tech/production/#security
If I remove the cipher in onegateway/src/main/resources/config/application-tls.yml, the app starts, but I get the following when accessing https://localhost:8080:
----------------------------------------------------------
Application 'onegateway' is running! Access URLs:
Local: https://localhost:8080/
External: https://192.168.50.11:8080/
Profile(s): [dev, api-docs, tls]
----------------------------------------------------------
2021-08-11 14:18:36.554 WARN 83547 --- [ctor-http-nio-2] .s.ApplicationProtocolNegotiationHandler : [id: 0x3b06913a, L:/0:0:0:0:0:0:0:1:8080 - R:/0:0:0:0:0:0:0:1:61605] Failed to select the application-level protocol:
javax.net.ssl.SSLHandshakeException: error:10000416:SSL routines:OPENSSL_internal:SSLV3_ALERT_CERTIFICATE_UNKNOWN
at io.netty.handler.ssl.ReferenceCountedOpenSslEngine.shutdownWithError(ReferenceCountedOpenSslEngine.java:1064)
at io.netty.handler.ssl.ReferenceCountedOpenSslEngine.sslReadErrorResult(ReferenceCountedOpenSslEngine.java:1346)
at io.netty.handler.ssl.ReferenceCountedOpenSslEngine.unwrap(ReferenceCountedOpenSslEngine.java:1295)
at io.netty.handler.ssl.ReferenceCountedOpenSslEngine.unwrap(ReferenceCountedOpenSslEngine.java:1371)
at io.netty.handler.ssl.ReferenceCountedOpenSslEngine.unwrap(ReferenceCountedOpenSslEngine.java:1414)
at io.netty.handler.ssl.SslHandler$SslEngineType$1.unwrap(SslHandler.java:224)
at io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1338)
at io.netty.handler.ssl.SslHandler.decodeNonJdkCompatible(SslHandler.java:1245)
at io.netty.handler.ssl.SslHandler.decode(SslHandler.java:1282)
at io.netty.handler.codec.ByteToMessageDecoder.decodeRemovalReentryProtection(ByteToMessageDecoder.java:507)
at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:446)
at io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:276)
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:379)
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:365)
at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:357)
at io.netty.channel.DefaultChannelPipeline$HeadContext.channelRead(DefaultChannelPipeline.java:1410)
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:379)
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:365)
at io.netty.channel.DefaultChannelPipeline.fireChannelRead(DefaultChannelPipeline.java:919)
at io.netty.channel.nio.AbstractNioByteChannel$NioByteUnsafe.read(AbstractNioByteChannel.java:166)
at io.netty.channel.nio.NioEventLoop.processSelectedKey(NioEventLoop.java:719)
at io.netty.channel.nio.NioEventLoop.processSelectedKeysOptimized(NioEventLoop.java:655)
at io.netty.channel.nio.NioEventLoop.processSelectedKeys(NioEventLoop.java:581)
at io.netty.channel.nio.NioEventLoop.run(NioEventLoop.java:493)
at io.netty.util.concurrent.SingleThreadEventExecutor$4.run(SingleThreadEventExecutor.java:989)
at io.netty.util.internal.ThreadExecutorMap$2.run(ThreadExecutorMap.java:74)
at io.netty.util.concurrent.FastThreadLocalRunnable.run(FastThreadLocalRunnable.java:30)
at java.base/java.lang.Thread.run(Thread.java:829)
2021-08-11 14:18:36.558 WARN 83547 --- [ctor-http-nio-2] .s.ApplicationProtocolNegotiationHandler : [id: 0x3b06913a, L:/0:0:0:0:0:0:0:1:8080 ! R:/0:0:0:0:0:0:0:1:61605] TLS handshake failed:
javax.net.ssl.SSLHandshakeException: error:10000416:SSL routines:OPENSSL_internal:SSLV3_ALERT_CERTIFICATE_UNKNOWN
at io.netty.handler.ssl.ReferenceCountedOpenSslEngine.shutdownWithError(ReferenceCountedOpenSslEngine.java:1064)
at io.netty.handler.ssl.ReferenceCountedOpenSslEngine.sslReadErrorResult(ReferenceCountedOpenSslEngine.java:1346)
at io.netty.handler.ssl.ReferenceCountedOpenSslEngine.unwrap(ReferenceCountedOpenSslEngine.java:1295)
at io.netty.handler.ssl.ReferenceCountedOpenSslEngine.unwrap(ReferenceCountedOpenSslEngine.java:1371)
at io.netty.handler.ssl.ReferenceCountedOpenSslEngine.unwrap(ReferenceCountedOpenSslEngine.java:1414)
at io.netty.handler.ssl.SslHandler$SslEngineType$1.unwrap(SslHandler.java:224)
at io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1338)
at io.netty.handler.ssl.SslHandler.decodeNonJdkCompatible(SslHandler.java:1245)
at io.netty.handler.ssl.SslHandler.decode(SslHandler.java:1282)
at io.netty.handler.codec.ByteToMessageDecoder.decodeRemovalReentryProtection(ByteToMessageDecoder.java:507)
at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:446)
at io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:276)
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:379)
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:365)
at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:357)
at io.netty.channel.DefaultChannelPipeline$HeadContext.channelRead(DefaultChannelPipeline.java:1410)
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:379)
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:365)
at io.netty.channel.DefaultChannelPipeline.fireChannelRead(DefaultChannelPipeline.java:919)
at io.netty.channel.nio.AbstractNioByteChannel$NioByteUnsafe.read(AbstractNioByteChannel.java:166)
at io.netty.channel.nio.NioEventLoop.processSelectedKey(NioEventLoop.java:719)
at io.netty.channel.nio.NioEventLoop.processSelectedKeysOptimized(NioEventLoop.java:655)
at io.netty.channel.nio.NioEventLoop.processSelectedKeys(NioEventLoop.java:581)
at io.netty.channel.nio.NioEventLoop.run(NioEventLoop.java:493)
at io.netty.util.concurrent.SingleThreadEventExecutor$4.run(SingleThreadEventExecutor.java:989)
at io.netty.util.internal.ThreadExecutorMap$2.run(ThreadExecutorMap.java:74)
at io.netty.util.concurrent.FastThreadLocalRunnable.run(FastThreadLocalRunnable.java:30)
at java.base/java.lang.Thread.run(Thread.java:829)
###################
I have also tried reverting all previous changes to application-tls.yml and activating tls for the dev profile in src/main/resources/config/application.yml by uncommenting the property spring.profiles.group.dev.tls and starting the app with
./mvnw -Pdev
I got the same problem with the unsupported cipher suite.
#########################
This is my model.jdl:
application {
config {
applicationType gateway,
baseName onegateway,
packageName com.carestra.jhipster.gateway,
authenticationType jwt,
serviceDiscoveryType eureka,
buildTool maven,
reactive true,
skipClient false,
skipServer false,
skipUserManagement false,
databaseType sql,
prodDatabaseType postgresql,
devDatabaseType postgresql
clientFramework angularX,
testFrameworks [cypress],
enableTranslation true,
nativeLanguage en,
languages [en]
}
entities *
}
application {
config {
applicationType microservice,
baseName onebackend,
packageName com.carestra.jhipster.backend,
authenticationType jwt,
serviceDiscoveryType eureka,
buildTool maven,
reactive false,
skipClient true,
skipUserManagement true,
databaseType sql,
prodDatabaseType postgresql,
devDatabaseType postgresql,
testFrameworks [cypress]
}
entities *
}
entity Activity {
id Long,
title String minlength(4) maxlength(50) required,
startDate Instant required,
endDate Instant required,
}
entity Booking {
id Long,
activityId Long required,
message String minlength(0) maxlength(500),
}
microservice * with onebackend
deployment {
deploymentType docker-compose
appsFolders [onegateway, onebackend]
dockerRepositoryName "carestra"
serviceDiscoveryType eureka
}
and the .yo-rc.json:
{
"generator-jhipster": {
"authenticationType": "jwt",
"clientFramework": "angularX",
"serverPort": "8080",
"serviceDiscoveryType": "eureka",
"skipUserManagement": false,
"withAdminUi": true,
"baseName": "onegateway",
"buildTool": "maven",
"databaseType": "sql",
"devDatabaseType": "postgresql",
"cacheProvider": "no",
"enableHibernateCache": false,
"enableSwaggerCodegen": false,
"enableTranslation": true,
"jhiPrefix": "jhi",
"languages": ["en"],
"messageBroker": false,
"prodDatabaseType": "postgresql",
"searchEngine": false,
"skipClient": false,
"testFrameworks": ["cypress"],
"websocket": false,
"applicationType": "gateway",
"packageName": "com.carestra.jhipster.gateway",
"packageFolder": "com/carestra/jhipster/gateway",
"reactive": true,
"skipServer": false,
"nativeLanguage": "en",
"jhipsterVersion": "7.1.0",
"clientPackageManager": "npm",
"dtoSuffix": "DTO",
"entitySuffix": "",
"clientTheme": "none",
"clientThemeVariant": "",
"applicationIndex": 0,
"applications": {
"onebackend": {
"serverPort": "8081",
"applicationIndex": 1
}
},
"skipCheckLengthOfIdentifier": false,
"skipFakeData": false,
"blueprints": [],
"otherModules": [],
"pages": [],
"creationTimestamp": 1628675597074,
"jwtSecretKey": "NDE5ZTFkOTJiYzQ1ZGI5NmZlMmZjNWQ5NzVjZTkwODJhZWJjMTFlZjQ5NjcwOWU5MWI1NjdiNWI4MjBlNmY5ODFkNThhNzk4NjllNzA2MWM1N2YzOTdhMjdhNTcyY2ZhZDk5ODM1MjU4ODJhM2YxYTMzYTM2ZTNlNWM5N2UxOWU=",
"devServerPort": 4200,
"entities": ["Booking", "Activity"],
"lastLiquibaseTimestamp": 1628675717000
}
}
Environment and Tools
openjdk version "11.0.11" 2021-04-20 OpenJDK Runtime Environment AdoptOpenJDK-11.0.11+9 (build 11.0.11+9) OpenJDK 64-Bit Server VM AdoptOpenJDK-11.0.11+9 (build 11.0.11+9, mixed mode)
git version 2.23.0
node: v14.17.3
npm: 7.20.1
Docker version 20.10.7, build f0df350
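An added Python check (not from the question, the answer or JHipster; the function names and the regex are mine) that maps the IANA suite names from the "failed to set cipher suite" log above to the OpenSSL names netty prints in parentheses, then asks the OpenSSL linked into Python's ssl module whether it can select each one, so the ciphers list in application-tls.yml can be trimmed to what the TLS stack actually supports instead of deleted wholesale. The trace shows netty's native provider (netty-tcnative, built on BoringSSL), so a suite the local OpenSSL accepts can still be rejected by the app, as happened here with ECDHE-ECDSA-AES128-SHA256.

```python
import re
import ssl

# Suites JHipster generated into application-tls.yml, copied from the
# "failed to set cipher suite" message in the log above.
JHIPSTER_CIPHERS = [
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA", "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
    "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256", "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA", "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256", "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
    "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256", "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_DHE_RSA_WITH_AES_128_CBC_SHA", "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
    "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256", "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256",
]

# Only the (EC)DHE + AES families present in that list; anything else
# (CHACHA20, TLS 1.3 names, ...) is rejected rather than guessed at.
_IANA = re.compile(r"TLS_(ECDHE|DHE)_(RSA|ECDSA)_WITH_AES_(128|256)_(GCM|CBC)_(SHA(?:256|384)?)")

def iana_to_openssl(name):
    """IANA name -> OpenSSL name as netty prints it in parentheses,
    e.g. TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 -> ECDHE-ECDSA-AES128-SHA256."""
    m = _IANA.fullmatch(name)
    if m is None:
        raise ValueError(f"unrecognised suite name: {name}")
    kx, auth, bits, mode, mac = m.groups()
    cipher = f"AES{bits}-GCM" if mode == "GCM" else f"AES{bits}"  # CBC is implicit in OpenSSL names
    return f"{kx}-{auth}-{cipher}-{mac}"

def probe_openssl(openssl_names):
    """Return {name: bool}: can the OpenSSL linked into Python's ssl module select
    the suite? set_ciphers() raises SSLError when no cipher matches the string."""
    results = {}
    for name in openssl_names:
        try:
            ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER).set_ciphers(name)
            results[name] = True
        except ssl.SSLError:
            results[name] = False
    return results

def filter_supported(iana_names):
    """IANA names this host's TLS library accepts, in original order; a starting
    point for a trimmed server.ssl.ciphers list in application-tls.yml."""
    mapping = {n: iana_to_openssl(n) for n in iana_names}
    ok = probe_openssl(mapping.values())
    return [n for n, o in mapping.items() if ok[o]]

if __name__ == "__main__":
    for n in JHIPSTER_CIPHERS:
        o = iana_to_openssl(n)
        print("ok " if probe_openssl([o])[o] else "NO ", n, f"({o})")
```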
Solution 1:[1]
I commented on one issue, also. Here's what I did as a workaround:
In package.json
replace
"start-tls": "npm run webapp:dev -- --env.tls",
with
"start-tls": "npm run webapp:dev -- --env tls",
For the dev profile, the options.tls variable is checked to see whether it's set, and if so, an "s" is appended to http. But I don't know my way around webpack and JavaScript stuff at all, so I'm not sure yet what other implications there are.
Sources
This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.
Source: Stack Overflow
Solution | Source
---|---
Solution 1 | Frischling