PowerFlex 3.x: 프레젠테이션 서버가 Java Exception "KeyStores with multiple certificates are not supported"와 함께 실패함

Summary: 키 저장소에서 가져온 SSL 인증서의 SAN 확장(주체 대체 이름)에 여러 항목이 있는 경우 "여러 인증서가 있는 키 저장소가 지원되지 않습니다"라는 Java 예외가 표시되며 PowerFlex 3.x 프레젠테이션 서버가 실패합니다.

This article applies to This article does not apply to This article is not tied to any specific product. Not all product versions are identified in this article.
Check out other resources

Symptoms

PowerFlex 3.x 프레젠테이션 서버 서비스(mgmt-server)가 응답하지 않고 웹 클라이언트에서 연결할 수 없습니다.

로그에 다음 오류가 표시됩니다.

Caused by: java.lang.IllegalStateException: KeyStores with multiple certificates are not supported on the base class org.eclipse.jetty.util.ssl.SslContextFactory. (Use org.eclipse.jetty.util.ssl.SslContextFactory$Server or org.eclipse.jetty.util.ssl.SslContextFactory$Client instead)

서비스 상태가 java 오류를 보고합니다.

# systemctl status mgmt-server.service
● mgmt-server.service - Scaleio MGMT Server
   Loaded: loaded (/etc/systemd/system/mgmt-server.service; enabled; vendor preset: disabled)
   Active: active (running) since Mon 2022-12-12 04:17:48 EST; 2min 36s ago
 Main PID: 27178 (java)
   CGroup: /system.slice/mgmt-server.service
           └─27178 /bin/java -Xmx4g -Djna.tmpdir=/opt/emc/scaleio/mgmt-server/tmp -Djava.io.tmpdir=/opt/emc/scaleio/mgmt-server/tmp -Dstorage.diskCache.bufferSize=2000 -Dlog4j2.configurationFile=...

Dec 12 04:18:10 presentation startup.sh[27178]: at org.eclipse.jetty.server.AbstractConnector.doStart(AbstractConnector.java:321)
...
Dec 12 04:18:10 presentation startup.sh[27178]: at java.lang.Thread.run(Thread.java:750)

모든 관련 저널 이벤트는 다음과 같습니다.

# journalctl -u mgmt-server.service -n 30 --no-pager
-- Logs begin at Thu 2022-10-13 15:44:18 EDT, end at Mon 2022-12-12 04:20:01 EST. --
Dec 12 04:17:48 presentation systemd[1]: Started Scaleio MGMT Server.
Dec 12 04:18:10 presentation startup.sh[27178]: Exception in thread "main" java.lang.IllegalStateException: Expected to be healthy after starting. The following services are not running: {STARTING=[DisconnectingEventService [STARTING]], FAILED=[HttpdService [FAILED]]}
Dec 12 04:18:10 presentation startup.sh[27178]: at com.google.common.util.concurrent.ServiceManager$ServiceManagerState.checkHealthy(ServiceManager.java:773)
Dec 12 04:18:10 presentation startup.sh[27178]: at com.google.common.util.concurrent.ServiceManager$ServiceManagerState.awaitHealthy(ServiceManager.java:585)
Dec 12 04:18:10 presentation startup.sh[27178]: at com.google.common.util.concurrent.ServiceManager.awaitHealthy(ServiceManager.java:316)
Dec 12 04:18:10 presentation startup.sh[27178]: at com.emc.vxflexos.webui.backend.Server.start(Server.java:69)
Dec 12 04:18:10 presentation startup.sh[27178]: at com.emc.vxflexos.webui.backend.Server.main(Server.java:147)
Dec 12 04:18:10 presentation startup.sh[27178]: Suppressed: com.google.common.util.concurrent.ServiceManager$FailedService: HttpdService [FAILED]
Dec 12 04:18:10 presentation startup.sh[27178]: Caused by: java.lang.IllegalStateException: KeyStores with multiple certificates are not supported on the base class org.eclipse.jetty.util.ssl.SslContextFactory. (Use org.eclipse.jetty.util.ssl.SslContextFactory$Server or org.eclipse.jetty.util.ssl.SslContextFactory$Client instead)
Dec 12 04:18:10 presentation startup.sh[27178]: at org.eclipse.jetty.util.ssl.SslContextFactory.newSniX509ExtendedKeyManager(SslContextFactory.java:1288)
Dec 12 04:18:10 presentation startup.sh[27178]: at org.eclipse.jetty.util.ssl.SslContextFactory.getKeyManagers(SslContextFactory.java:1270)
Dec 12 04:18:10 presentation startup.sh[27178]: at org.eclipse.jetty.util.ssl.SslContextFactory.load(SslContextFactory.java:372)
Dec 12 04:18:10 presentation startup.sh[27178]: at org.eclipse.jetty.util.ssl.SslContextFactory.doStart(SslContextFactory.java:243)
Dec 12 04:18:10 presentation startup.sh[27178]: at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:73)
Dec 12 04:18:10 presentation startup.sh[27178]: at org.eclipse.jetty.util.component.ContainerLifeCycle.start(ContainerLifeCycle.java:169)
Dec 12 04:18:10 presentation startup.sh[27178]: at org.eclipse.jetty.util.component.ContainerLifeCycle.doStart(ContainerLifeCycle.java:117)
Dec 12 04:18:10 presentation startup.sh[27178]: at org.eclipse.jetty.server.SslConnectionFactory.doStart(SslConnectionFactory.java:97)
Dec 12 04:18:10 presentation startup.sh[27178]: at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:73)
Dec 12 04:18:10 presentation startup.sh[27178]: at org.eclipse.jetty.util.component.ContainerLifeCycle.start(ContainerLifeCycle.java:169)
Dec 12 04:18:10 presentation startup.sh[27178]: at org.eclipse.jetty.util.component.ContainerLifeCycle.doStart(ContainerLifeCycle.java:117)
Dec 12 04:18:10 presentation startup.sh[27178]: at org.eclipse.jetty.server.AbstractConnector.doStart(AbstractConnector.java:321)
Dec 12 04:18:10 presentation startup.sh[27178]: at org.eclipse.jetty.server.AbstractNetworkConnector.doStart(AbstractNetworkConnector.java:81)
Dec 12 04:18:10 presentation startup.sh[27178]: at org.eclipse.jetty.server.ServerConnector.doStart(ServerConnector.java:234)
Dec 12 04:18:10 presentation startup.sh[27178]: at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:73)
Dec 12 04:18:10 presentation startup.sh[27178]: at org.eclipse.jetty.server.Server.doStart(Server.java:401)
Dec 12 04:18:10 presentation startup.sh[27178]: at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:73)
Dec 12 04:18:10 presentation startup.sh[27178]: at com.emc.vxflexos.webui.backend.httpd.HttpdService.startUp(HttpdService.java:31)
Dec 12 04:18:10 presentation startup.sh[27178]: at com.google.common.util.concurrent.AbstractIdleService$DelegateService$1.run(AbstractIdleService.java:62)
Dec 12 04:18:10 presentation startup.sh[27178]: at com.google.common.util.concurrent.Callables$4.run(Callables.java:119)
Dec 12 04:18:10 presentation startup.sh[27178]: at java.lang.Thread.run(Thread.java:750)

Cause

PowerFlex 프레젠테이션 서버 버전 < 3.6.1은 SAN 확장(Subject Alternative Name)에 여러 항목이 있는 SSL 인증서를 지원하지 않습니다.

SSL 인증서와 키 저장소는 다음 명령을 사용하여 확인할 수 있습니다.

# openssl x509 -noout -text -in cert.pem | grep -A1 'Subject Alternative Name'
            X509v3 Subject Alternative Name:
                DNS:example.plex.lab.dell.com, DNS:example.cork.lab
# keytool -list -v -keystore /etc/mgmt-server/.config/keystore.jks | grep -A4 SubjectAlternativeName
SubjectAlternativeName [
  DNSName: example.plex.lab.dell.com
  DNSName: example.cork.lab]

 이 문제는 PowerFlex 릴리스 3.6-500.101에서 보고되었지만 이전 3.x 버전에서도 나타날 수 있습니다.

Resolution

이 문제는 PowerFlex 릴리스 3.6.1(3.6.1000.134)에서 해결되었습니다. 이 버전 이상으로 업그레이드하십시오.

그렇지 않으면 SAN 확장자(주체 대체 이름) 또는 단일 항목과 함께 외부에서 서명된 SSL 인증서를 사용합니다. 이 규칙은 키 저장소에서 가져온 모든 인증서(루트 및 중간 CA 포함)에 적용됩니다.

Affected Products

PowerFlex rack, VxFlex Ready Nodes, PowerFlex custom node, ScaleIO, PowerFlex appliance connectivity, PowerFlex appliance R650, PowerFlex appliance R6525, PowerFlex appliance R660, PowerFlex appliance R6625, Powerflex appliance R750 , PowerFlex appliance R760, PowerFlex appliance R7625, PowerFlex Software, PowerFlex appliance R640, PowerFlex appliance R740XD, PowerFlex appliance R7525, PowerFlex appliance R840 ...
Article Properties
Article Number: 000206321
Article Type: Solution
Last Modified: 11 Apr 2025
Version:  4
Find answers to your questions from other Dell users
Support Services
Check if your device is covered by Support Services.