PowerFlex 3.x:簡報伺服器故障並顯示 Java 例外「不支援具有多個憑證的金鑰存放區」

Summary: PowerFlex 3.x 簡報伺服器失敗,如果匯入的金鑰存放區 SSL 憑證在 SAN 延伸 (主體別名) 中有多個項目,則顯示 Java 例外「不支援具有多個憑證的金鑰存放區」。

This article applies to This article does not apply to This article is not tied to any specific product. Not all product versions are identified in this article.
Check out other resources

Symptoms

PowerFlex 3.x 簡報伺服器服務 (mgmt-server) 沒有回應,也無法從 Web 用戶端連線。

在記錄中出現下列錯誤:

Caused by: java.lang.IllegalStateException: KeyStores with multiple certificates are not supported on the base class org.eclipse.jetty.util.ssl.SslContextFactory. (Use org.eclipse.jetty.util.ssl.SslContextFactory$Server or org.eclipse.jetty.util.ssl.SslContextFactory$Client instead)

服務狀態為報告 java 錯誤:

# systemctl status mgmt-server.service
● mgmt-server.service - Scaleio MGMT Server
   Loaded: loaded (/etc/systemd/system/mgmt-server.service; enabled; vendor preset: disabled)
   Active: active (running) since Mon 2022-12-12 04:17:48 EST; 2min 36s ago
 Main PID: 27178 (java)
   CGroup: /system.slice/mgmt-server.service
           └─27178 /bin/java -Xmx4g -Djna.tmpdir=/opt/emc/scaleio/mgmt-server/tmp -Djava.io.tmpdir=/opt/emc/scaleio/mgmt-server/tmp -Dstorage.diskCache.bufferSize=2000 -Dlog4j2.configurationFile=...

Dec 12 04:18:10 presentation startup.sh[27178]: at org.eclipse.jetty.server.AbstractConnector.doStart(AbstractConnector.java:321)
...
Dec 12 04:18:10 presentation startup.sh[27178]: at java.lang.Thread.run(Thread.java:750)

所有相關的日記事件是:

# journalctl -u mgmt-server.service -n 30 --no-pager
-- Logs begin at Thu 2022-10-13 15:44:18 EDT, end at Mon 2022-12-12 04:20:01 EST. --
Dec 12 04:17:48 presentation systemd[1]: Started Scaleio MGMT Server.
Dec 12 04:18:10 presentation startup.sh[27178]: Exception in thread "main" java.lang.IllegalStateException: Expected to be healthy after starting. The following services are not running: {STARTING=[DisconnectingEventService [STARTING]], FAILED=[HttpdService [FAILED]]}
Dec 12 04:18:10 presentation startup.sh[27178]: at com.google.common.util.concurrent.ServiceManager$ServiceManagerState.checkHealthy(ServiceManager.java:773)
Dec 12 04:18:10 presentation startup.sh[27178]: at com.google.common.util.concurrent.ServiceManager$ServiceManagerState.awaitHealthy(ServiceManager.java:585)
Dec 12 04:18:10 presentation startup.sh[27178]: at com.google.common.util.concurrent.ServiceManager.awaitHealthy(ServiceManager.java:316)
Dec 12 04:18:10 presentation startup.sh[27178]: at com.emc.vxflexos.webui.backend.Server.start(Server.java:69)
Dec 12 04:18:10 presentation startup.sh[27178]: at com.emc.vxflexos.webui.backend.Server.main(Server.java:147)
Dec 12 04:18:10 presentation startup.sh[27178]: Suppressed: com.google.common.util.concurrent.ServiceManager$FailedService: HttpdService [FAILED]
Dec 12 04:18:10 presentation startup.sh[27178]: Caused by: java.lang.IllegalStateException: KeyStores with multiple certificates are not supported on the base class org.eclipse.jetty.util.ssl.SslContextFactory. (Use org.eclipse.jetty.util.ssl.SslContextFactory$Server or org.eclipse.jetty.util.ssl.SslContextFactory$Client instead)
Dec 12 04:18:10 presentation startup.sh[27178]: at org.eclipse.jetty.util.ssl.SslContextFactory.newSniX509ExtendedKeyManager(SslContextFactory.java:1288)
Dec 12 04:18:10 presentation startup.sh[27178]: at org.eclipse.jetty.util.ssl.SslContextFactory.getKeyManagers(SslContextFactory.java:1270)
Dec 12 04:18:10 presentation startup.sh[27178]: at org.eclipse.jetty.util.ssl.SslContextFactory.load(SslContextFactory.java:372)
Dec 12 04:18:10 presentation startup.sh[27178]: at org.eclipse.jetty.util.ssl.SslContextFactory.doStart(SslContextFactory.java:243)
Dec 12 04:18:10 presentation startup.sh[27178]: at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:73)
Dec 12 04:18:10 presentation startup.sh[27178]: at org.eclipse.jetty.util.component.ContainerLifeCycle.start(ContainerLifeCycle.java:169)
Dec 12 04:18:10 presentation startup.sh[27178]: at org.eclipse.jetty.util.component.ContainerLifeCycle.doStart(ContainerLifeCycle.java:117)
Dec 12 04:18:10 presentation startup.sh[27178]: at org.eclipse.jetty.server.SslConnectionFactory.doStart(SslConnectionFactory.java:97)
Dec 12 04:18:10 presentation startup.sh[27178]: at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:73)
Dec 12 04:18:10 presentation startup.sh[27178]: at org.eclipse.jetty.util.component.ContainerLifeCycle.start(ContainerLifeCycle.java:169)
Dec 12 04:18:10 presentation startup.sh[27178]: at org.eclipse.jetty.util.component.ContainerLifeCycle.doStart(ContainerLifeCycle.java:117)
Dec 12 04:18:10 presentation startup.sh[27178]: at org.eclipse.jetty.server.AbstractConnector.doStart(AbstractConnector.java:321)
Dec 12 04:18:10 presentation startup.sh[27178]: at org.eclipse.jetty.server.AbstractNetworkConnector.doStart(AbstractNetworkConnector.java:81)
Dec 12 04:18:10 presentation startup.sh[27178]: at org.eclipse.jetty.server.ServerConnector.doStart(ServerConnector.java:234)
Dec 12 04:18:10 presentation startup.sh[27178]: at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:73)
Dec 12 04:18:10 presentation startup.sh[27178]: at org.eclipse.jetty.server.Server.doStart(Server.java:401)
Dec 12 04:18:10 presentation startup.sh[27178]: at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:73)
Dec 12 04:18:10 presentation startup.sh[27178]: at com.emc.vxflexos.webui.backend.httpd.HttpdService.startUp(HttpdService.java:31)
Dec 12 04:18:10 presentation startup.sh[27178]: at com.google.common.util.concurrent.AbstractIdleService$DelegateService$1.run(AbstractIdleService.java:62)
Dec 12 04:18:10 presentation startup.sh[27178]: at com.google.common.util.concurrent.Callables$4.run(Callables.java:119)
Dec 12 04:18:10 presentation startup.sh[27178]: at java.lang.Thread.run(Thread.java:750)

Cause

PowerFlex 簡報伺服器版本 < 3.6.1 不支援在 SAN 延伸 (主體別名) 中具有多個項目的 SSL 憑證。

可以使用下列命令檢查 SSL 憑證和金鑰存放區:

# openssl x509 -noout -text -in cert.pem | grep -A1 'Subject Alternative Name'
            X509v3 Subject Alternative Name:
                DNS:example.plex.lab.dell.com, DNS:example.cork.lab
# keytool -list -v -keystore /etc/mgmt-server/.config/keystore.jks | grep -A4 SubjectAlternativeName
SubjectAlternativeName [
  DNSName: example.plex.lab.dell.com
  DNSName: example.cork.lab]

 此問題已於 PowerFlex 版本 3.6-500.101 回報,但可能會在更早的 3.x 版本上出現。

Resolution

此問題已在 PowerFlex 版本 3.6.1 (3.6.1000.134) 中修正。升級到此版本或更高版本。

否則,請使用不含 SAN 延伸模組 (主體別名) 或單一項目的外部簽署 SSL 憑證。此規則適用於金鑰庫中任何導入的證書(包括根和中間 CA)。

Affected Products

PowerFlex rack, VxFlex Ready Nodes, PowerFlex custom node, ScaleIO, PowerFlex appliance connectivity, PowerFlex appliance R650, PowerFlex appliance R6525, PowerFlex appliance R660, PowerFlex appliance R6625, Powerflex appliance R750 , PowerFlex appliance R760, PowerFlex appliance R7625, PowerFlex Software, PowerFlex appliance R640, PowerFlex appliance R740XD, PowerFlex appliance R7525, PowerFlex appliance R840 ...
Article Properties
Article Number: 000206321
Article Type: Solution
Last Modified: 11 Apr 2025
Version:  4
Find answers to your questions from other Dell users
Support Services
Check if your device is covered by Support Services.