forked from apache/cloudstack
Add ECDSA certificate support #304
Open
Description
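Issue type
- Enhancement request
- Feature request
- New feature idea
Component name
Certificate registration
ABLESTACK version
ablestack-diplo
Configuration
N/A
OS / Environment
N/A
Issue description
Registering an ECDSA SSL certificate that nginx proxy manager renews automatically produces the following error: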
2023-07-06 16:29:57,878 ERROR [o.a.c.f.s.k.KeystoreManagerImpl] (API-Job-Executor-2:ctx-866341e0 job-344 ctx-c6bbf5a5) (logid:5ded5b53) Certificate validation failed due to exception for domain: *.ablecloud.io,ablecloud.io
java.security.spec.InvalidKeySpecException: java.security.InvalidKeyException: Invalid RSA private key
at java.base/sun.security.rsa.RSAKeyFactory.engineGeneratePrivate(RSAKeyFactory.java:251)
at java.base/java.security.KeyFactory.generatePrivate(KeyFactory.java:390)
at com.cloud.utils.security.CertificateHelper.buildPrivateKey(CertificateHelper.java:138)
at com.cloud.utils.security.CertificateHelper.buildKeystore(CertificateHelper.java:121)
at com.cloud.utils.security.CertificateHelper.buildAndSaveKeystore(CertificateHelper.java:57)
at org.apache.cloudstack.framework.security.keystore.KeystoreManagerImpl.validateCertificate(KeystoreManagerImpl.java:58)
at com.cloud.server.ManagementServerImpl.uploadCertificate(ManagementServerImpl.java:4404)
at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.base/java.lang.reflect.Method.invoke(Method.java:566)
at org.springframework.aop.support.AopUtils.invokeJoinpointUsingReflection(AopUtils.java:344)
at org.springframework.aop.framework.ReflectiveMethodInvocation.invokeJoinpoint(ReflectiveMethodInvocation.java:198)
at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:163)
at org.springframework.aop.interceptor.ExposeInvocationInterceptor.invoke(ExposeInvocationInterceptor.java:97)
at org.springframework.aop.framework.ReflectiveMethodInvocation.proceed(ReflectiveMethodInvocation.java:186)
at org.springframework.aop.framework.JdkDynamicAopProxy.invoke(JdkDynamicAopProxy.java:215)
at com.sun.proxy.$Proxy216.uploadCertificate(Unknown Source)
at org.apache.cloudstack.api.command.admin.resource.UploadCustomCertificateCmd.execute(UploadCustomCertificateCmd.java:103)
at com.cloud.api.ApiDispatcher.dispatch(ApiDispatcher.java:172)
at com.cloud.api.ApiAsyncJobDispatcher.runJob(ApiAsyncJobDispatcher.java:106)
at org.apache.cloudstack.framework.jobs.impl.AsyncJobManagerImpl$5.runInContext(AsyncJobManagerImpl.java:634)
at org.apache.cloudstack.managed.context.ManagedContextRunnable$1.run(ManagedContextRunnable.java:48)
at org.apache.cloudstack.managed.context.impl.DefaultManagedContext$1.call(DefaultManagedContext.java:55)
at org.apache.cloudstack.managed.context.impl.DefaultManagedContext.callWithContext(DefaultManagedContext.java:102)
at org.apache.cloudstack.managed.context.impl.DefaultManagedContext.runWithContext(DefaultManagedContext.java:52)
at org.apache.cloudstack.managed.context.ManagedContextRunnable.run(ManagedContextRunnable.java:45)
at org.apache.cloudstack.framework.jobs.impl.AsyncJobManagerImpl$5.run(AsyncJobManagerImpl.java:582)
at java.base/java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:515)
at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264)
at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)
at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
at java.base/java.lang.Thread.run(Thread.java:829)
Caused by: java.security.InvalidKeyException: Invalid RSA private key
at java.base/sun.security.rsa.RSAPrivateCrtKeyImpl.parseKeyBits(RSAPrivateCrtKeyImpl.java:291)
at java.base/sun.security.pkcs.PKCS8Key.decode(PKCS8Key.java:342)
at java.base/sun.security.pkcs.PKCS8Key.decode(PKCS8Key.java:355)
... 36 more
Caused by: java.io.IOException: Version must be 0
at java.base/sun.security.rsa.RSAPrivateCrtKeyImpl.parseKeyBits(RSAPrivateCrtKeyImpl.java:269)
at java.base/sun.security.pkcs.PKCS8Key.decode(PKCS8Key.java:342)
at java.base/sun.security.pkcs.PKCS8Key.decode(PKCS8Key.java:355)
... 36 more
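Steps to reproduce
Registering an SSL certificate generated with ECDSA under zone -> ssl certificate produces an error.
Note: the ECDSA certificate can be downloaded by accessing proxy.ablecloud.io
Expected result
Certificate registration succeeds
Actual result
The management server logs "Invalid RSA private key"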
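
Added example, not part of the original issue and not ABLESTACK or CloudStack code: the trace above shows the uploaded key reaching `RSAKeyFactory`, which rejects a PKCS#8-encoded EC key. The Java below reproduces that rejection with a constructed throwaway P-256 key and then loads the same PEM by trying each key factory in turn. The class name `PrivateKeyLoader`, the `load` method and the algorithm list are assumptions made for illustration, and only PKCS#8 `PRIVATE KEY` blocks are handled.

```java
import java.security.GeneralSecurityException;
import java.security.KeyFactory;
import java.security.KeyPairGenerator;
import java.security.PrivateKey;
import java.security.spec.InvalidKeySpecException;
import java.security.spec.PKCS8EncodedKeySpec;
import java.util.Base64;
import java.util.List;

public class PrivateKeyLoader {
    // Key types to try, in order (hypothetical list chosen for this example).
    private static final List<String> ALGORITHMS = List.of("RSA", "EC");

    /** Decodes a PKCS#8 "PRIVATE KEY" PEM block without assuming the key type. */
    static PrivateKey load(String pem) throws GeneralSecurityException {
        String b64 = pem.replaceAll("-----(BEGIN|END) PRIVATE KEY-----", "")
                        .replaceAll("\\s", "");
        byte[] der = Base64.getDecoder().decode(b64);
        InvalidKeySpecException last = null;
        for (String alg : ALGORITHMS) {
            try {
                return KeyFactory.getInstance(alg)
                                 .generatePrivate(new PKCS8EncodedKeySpec(der));
            } catch (InvalidKeySpecException e) {
                last = e; // wrong key type for this factory; try the next one
            }
        }
        throw new InvalidKeySpecException("Unsupported private key algorithm", last);
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample input: a throwaway P-256 key generated in-process.
        KeyPairGenerator gen = KeyPairGenerator.getInstance("EC");
        gen.initialize(256);
        byte[] pkcs8 = gen.generateKeyPair().getPrivate().getEncoded();
        String pem = "-----BEGIN PRIVATE KEY-----\n"
                + Base64.getMimeEncoder(64, "\n".getBytes()).encodeToString(pkcs8)
                + "\n-----END PRIVATE KEY-----\n";

        try { // The RSA-only path seen in the stack trace rejects the EC key.
            KeyFactory.getInstance("RSA").generatePrivate(new PKCS8EncodedKeySpec(pkcs8));
        } catch (InvalidKeySpecException e) {
            System.out.println("RSA-only path fails: " + e.getMessage());
        }
        System.out.println("Algorithm-agnostic loader: " + load(pem).getAlgorithm());
    }
}
```

A key exported in the traditional `EC PRIVATE KEY` (SEC1) PEM form is not PKCS#8 and would need converting before a loader like this could read it.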