PowerFlex 3.x: Presentation Server fails with Java Exception "KeyStores with multiple certificates are not supported"

Summary: PowerFlex 3.x Presentation Server fails with Java Exception "KeyStores with multiple certificates are not supported" if imported SSL certificates in keystore have multiple entries in SAN extension (Subject Alternative Name). ...

This article applies to This article does not apply to This article is not tied to any specific product. Not all product versions are identified in this article.
Check out other resources

Symptoms

PowerFlex 3.x Presentation server service (mgmt-server) is not responding and not reachable from the web client.

The following error is seen in logs:

Caused by: java.lang.IllegalStateException: KeyStores with multiple certificates are not supported on the base class org.eclipse.jetty.util.ssl.SslContextFactory. (Use org.eclipse.jetty.util.ssl.SslContextFactory$Server or org.eclipse.jetty.util.ssl.SslContextFactory$Client instead)

Service status is reporting java errors:

# systemctl status mgmt-server.service
● mgmt-server.service - Scaleio MGMT Server
   Loaded: loaded (/etc/systemd/system/mgmt-server.service; enabled; vendor preset: disabled)
   Active: active (running) since Mon 2022-12-12 04:17:48 EST; 2min 36s ago
 Main PID: 27178 (java)
   CGroup: /system.slice/mgmt-server.service
           └─27178 /bin/java -Xmx4g -Djna.tmpdir=/opt/emc/scaleio/mgmt-server/tmp -Djava.io.tmpdir=/opt/emc/scaleio/mgmt-server/tmp -Dstorage.diskCache.bufferSize=2000 -Dlog4j2.configurationFile=...

Dec 12 04:18:10 presentation startup.sh[27178]: at org.eclipse.jetty.server.AbstractConnector.doStart(AbstractConnector.java:321)
...
Dec 12 04:18:10 presentation startup.sh[27178]: at java.lang.Thread.run(Thread.java:750)

All related journal events are:

# journalctl -u mgmt-server.service -n 30 --no-pager
-- Logs begin at Thu 2022-10-13 15:44:18 EDT, end at Mon 2022-12-12 04:20:01 EST. --
Dec 12 04:17:48 presentation systemd[1]: Started Scaleio MGMT Server.
Dec 12 04:18:10 presentation startup.sh[27178]: Exception in thread "main" java.lang.IllegalStateException: Expected to be healthy after starting. The following services are not running: {STARTING=[DisconnectingEventService [STARTING]], FAILED=[HttpdService [FAILED]]}
Dec 12 04:18:10 presentation startup.sh[27178]: at com.google.common.util.concurrent.ServiceManager$ServiceManagerState.checkHealthy(ServiceManager.java:773)
Dec 12 04:18:10 presentation startup.sh[27178]: at com.google.common.util.concurrent.ServiceManager$ServiceManagerState.awaitHealthy(ServiceManager.java:585)
Dec 12 04:18:10 presentation startup.sh[27178]: at com.google.common.util.concurrent.ServiceManager.awaitHealthy(ServiceManager.java:316)
Dec 12 04:18:10 presentation startup.sh[27178]: at com.emc.vxflexos.webui.backend.Server.start(Server.java:69)
Dec 12 04:18:10 presentation startup.sh[27178]: at com.emc.vxflexos.webui.backend.Server.main(Server.java:147)
Dec 12 04:18:10 presentation startup.sh[27178]: Suppressed: com.google.common.util.concurrent.ServiceManager$FailedService: HttpdService [FAILED]
Dec 12 04:18:10 presentation startup.sh[27178]: Caused by: java.lang.IllegalStateException: KeyStores with multiple certificates are not supported on the base class org.eclipse.jetty.util.ssl.SslContextFactory. (Use org.eclipse.jetty.util.ssl.SslContextFactory$Server or org.eclipse.jetty.util.ssl.SslContextFactory$Client instead)
Dec 12 04:18:10 presentation startup.sh[27178]: at org.eclipse.jetty.util.ssl.SslContextFactory.newSniX509ExtendedKeyManager(SslContextFactory.java:1288)
Dec 12 04:18:10 presentation startup.sh[27178]: at org.eclipse.jetty.util.ssl.SslContextFactory.getKeyManagers(SslContextFactory.java:1270)
Dec 12 04:18:10 presentation startup.sh[27178]: at org.eclipse.jetty.util.ssl.SslContextFactory.load(SslContextFactory.java:372)
Dec 12 04:18:10 presentation startup.sh[27178]: at org.eclipse.jetty.util.ssl.SslContextFactory.doStart(SslContextFactory.java:243)
Dec 12 04:18:10 presentation startup.sh[27178]: at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:73)
Dec 12 04:18:10 presentation startup.sh[27178]: at org.eclipse.jetty.util.component.ContainerLifeCycle.start(ContainerLifeCycle.java:169)
Dec 12 04:18:10 presentation startup.sh[27178]: at org.eclipse.jetty.util.component.ContainerLifeCycle.doStart(ContainerLifeCycle.java:117)
Dec 12 04:18:10 presentation startup.sh[27178]: at org.eclipse.jetty.server.SslConnectionFactory.doStart(SslConnectionFactory.java:97)
Dec 12 04:18:10 presentation startup.sh[27178]: at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:73)
Dec 12 04:18:10 presentation startup.sh[27178]: at org.eclipse.jetty.util.component.ContainerLifeCycle.start(ContainerLifeCycle.java:169)
Dec 12 04:18:10 presentation startup.sh[27178]: at org.eclipse.jetty.util.component.ContainerLifeCycle.doStart(ContainerLifeCycle.java:117)
Dec 12 04:18:10 presentation startup.sh[27178]: at org.eclipse.jetty.server.AbstractConnector.doStart(AbstractConnector.java:321)
Dec 12 04:18:10 presentation startup.sh[27178]: at org.eclipse.jetty.server.AbstractNetworkConnector.doStart(AbstractNetworkConnector.java:81)
Dec 12 04:18:10 presentation startup.sh[27178]: at org.eclipse.jetty.server.ServerConnector.doStart(ServerConnector.java:234)
Dec 12 04:18:10 presentation startup.sh[27178]: at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:73)
Dec 12 04:18:10 presentation startup.sh[27178]: at org.eclipse.jetty.server.Server.doStart(Server.java:401)
Dec 12 04:18:10 presentation startup.sh[27178]: at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:73)
Dec 12 04:18:10 presentation startup.sh[27178]: at com.emc.vxflexos.webui.backend.httpd.HttpdService.startUp(HttpdService.java:31)
Dec 12 04:18:10 presentation startup.sh[27178]: at com.google.common.util.concurrent.AbstractIdleService$DelegateService$1.run(AbstractIdleService.java:62)
Dec 12 04:18:10 presentation startup.sh[27178]: at com.google.common.util.concurrent.Callables$4.run(Callables.java:119)
Dec 12 04:18:10 presentation startup.sh[27178]: at java.lang.Thread.run(Thread.java:750)

Cause

PowerFlex Presentation server version < 3.6.1 does not support SSL certificates with multiple entries in SAN extension (Subject Alternative Name).

SSL certificates and keystore can checked with the following commands:

# openssl x509 -noout -text -in cert.pem | grep -A1 'Subject Alternative Name'
            X509v3 Subject Alternative Name:
                DNS:example.plex.lab.dell.com, DNS:example.cork.lab
# keytool -list -v -keystore /etc/mgmt-server/.config/keystore.jks | grep -A4 SubjectAlternativeName
SubjectAlternativeName [
  DNSName: example.plex.lab.dell.com
  DNSName: example.cork.lab]

 This issue has been reported on PowerFlex release 3.6-500.101, but could be seen on earlier 3.x versions.

Resolution

The issue has been fixed in PowerFlex release 3.6.1 (3.6.1000.134). Upgrade to this version or higher.

Otherwise, use externally signed SSL certificate without SAN extension (Subject Alternative Name) or with a single entry. This rule applies to any imported certificates in the keystore (including root and intermediate CAs).

Affected Products

PowerFlex rack, VxFlex Ready Nodes, PowerFlex custom node, ScaleIO, PowerFlex appliance connectivity, PowerFlex appliance R650, PowerFlex appliance R6525, PowerFlex appliance R660, PowerFlex appliance R6625, Powerflex appliance R750 , PowerFlex appliance R760, PowerFlex appliance R7625, PowerFlex Software, PowerFlex appliance R640, PowerFlex appliance R740XD, PowerFlex appliance R7525, PowerFlex appliance R840 ...
Article Properties
Article Number: 000206321
Article Type: Solution
Last Modified: 11 Apr 2025
Version:  4
Find answers to your questions from other Dell users
Support Services
Check if your device is covered by Support Services.