Authentication is not possible with the Java Client


Patrick

Dec 4, 2019, 1:55:12 PM
to RavenDB - 2nd generation document database
Hey,

I am using the Java Client for the very first time. Currently I have a problem where I am not able to connect to my database from code.


```
KeyStore clientStore = KeyStore.getInstance("PKCS12");
clientStore.load(new FileInputStream("C:\\cert\\.pfx"), "".toCharArray());
DocumentStore store = new DocumentStore(
new String[]{"https://.de"},
""
);

store.setCertificate(clientStore);
store.initialize();
```

I am using the .pfx file that I have imported into my user store in Windows, which I am using to authenticate in the browser. Using the cert I get this error:

```
Caused by: java.lang.IllegalStateException: Unable to configure ssl context: Get Key failed: Given final block not properly padded. Such issues can arise if a bad key is used during decryption.
Caused by: java.security.UnrecoverableKeyException: Get Key failed: Given final block not properly padded. Such issues can arise if a bad key is used during decryption.
Caused by: javax.crypto.BadPaddingException: Given final block not properly padded. Such issues can arise if a bad key is used during decryption.
```

When I use a client certificate generated from the raven server it tells me to use .cer and .key file instead due to a bug. 

```
Caused by: java.lang.IllegalStateException: Unable to find certificate for alias: '1'. If you generated certificate using RavenDB server, then it might be related to: https://github.com/dotnet/corefx/issues/30946. Please try to create Keystore using *.crt and *.key files instead of *.pfx.
```

The issue with that is that Java does not support the format in which the Raven server generates the certificate, I think. I really don't know how to authenticate using those files.

Best Regards
Patrick

Oren Eini (Ayende Rahien)

Dec 4, 2019, 3:33:08 PM
to ravendb
Did you edit the file names?
C:\\cert\\.pfx



--
Oren Eini
CEO   /   Hibernating Rhinos LTD
Skype:  ayenderahien
Support:  sup...@ravendb.net

Oren Eini (Ayende Rahien)

Dec 4, 2019, 3:34:59 PM
to ravendb

Iftah Ben Zaken

Dec 5, 2019, 4:03:11 AM
to RavenDB - 2nd generation document database
Let's try to use the .crt and .key files instead of the provided .pfx to rule out a problem with the pfx file.
You can convert the .crt and .key files to .pem format:

```
cat cert.crt cert.key > cert.pem
```

Then import it like in this answer:

Patrick Spiegel

Dec 5, 2019, 2:48:08 PM
to rav...@googlegroups.com
I had no luck so far setting up authentication for Raven. But the issue in coreFx seems to be fixed. Is there any ETA when there will be a fixed certificate generation?

Patrick

Dec 6, 2019, 1:14:24 PM
to RavenDB - 2nd generation document database
So I have created a cacerts file using the command `keytool -import -alias your-alias -keystore cacerts -file certificate.der`

I have imported the generated file with the code I posted previously. Still no success yet.

chrome_EC8IhDYRcC.png


The certificate has all permissions as you can see (I uploaded the cacerts file)
```
Caused by: net.ravendb.client.exceptions.security.AuthorizationException: Forbidden access to Runtime@https://database.de, GET https://database.de/topology?name=Runtime&first-topology-update
```

I now get a permission denied error. 

Iftah Ben Zaken

Dec 8, 2019, 1:36:06 AM
to RavenDB - 2nd generation document database
Can you paste the full stack trace of the error?
What is the RavenDB server version? Java client version?
I want to try to reproduce it.

Just to be clear, to make sure I understand correctly:
Are you able to authenticate with this certificate using the browser but not able to authenticate using the Java client?

Patrick

Dec 8, 2019, 2:15:29 AM
to RavenDB - 2nd generation document database
> Are you able to authenticate with this certificate using the browser but not able to authenticate using the Java client?

Yes, that is correct. For short term usage I have worked around by moving the application on the server running the application. But I'd like to access the web interface too. 

explorer_vxFOrF0BvS.png

I have tried to use the two .pfx files and I have used the cacerts. All three with different errors.

chrome_3UKeh9VGPy.png

That's the one I am using to authenticate.

mmc_If2xyrvSQs.png

And it is definitely the correct one.


Here is the stacktrace from my first post. 


```
[08:10:04 WARN]: java.lang.IllegalStateException: Unable to configure ssl context: Get Key failed: Given final block not properly padded. Such issues can arise if a bad key is used during decryption.
[08:10:04 WARN]:        at de.soulcraft.shaded.ravendb.http.RequestExecutor.createClient(RequestExecutor.java:1086)
[08:10:04 WARN]:        at de.soulcraft.shaded.ravendb.http.RequestExecutor.lambda$new$0(RequestExecutor.java:178)
[08:10:04 WARN]:        at java.base/java.util.concurrent.ConcurrentHashMap.computeIfAbsent(ConcurrentHashMap.java:1705)
[08:10:04 WARN]:        at de.soulcraft.shaded.ravendb.http.RequestExecutor.<init>(RequestExecutor.java:178)
[08:10:04 WARN]:        at de.soulcraft.shaded.ravendb.http.RequestExecutor.create(RequestExecutor.java:182)
[08:10:04 WARN]:        at de.soulcraft.shaded.ravendb.documents.DocumentStore.getRequestExecutor(DocumentStore.java:183)
[08:10:04 WARN]:        at de.soulcraft.shaded.ravendb.documents.operations.MaintenanceOperationExecutor.getRequestExecutor(MaintenanceOperationExecutor.java:32)
[08:10:04 WARN]:        at de.soulcraft.shaded.ravendb.documents.operations.MaintenanceOperationExecutor.send(MaintenanceOperationExecutor.java:61)
[08:10:04 WARN]:        at de.soulcraft.SoulcraftPlugIn.ensureDatabaseExists(SoulcraftPlugIn.java:139)
[08:10:04 WARN]:        at de.soulcraft.SoulcraftPlugIn.createDocumentStore(SoulcraftPlugIn.java:122)
[08:10:04 WARN]:        at de.soulcraft.SoulcraftPlugIn.onEnable(SoulcraftPlugIn.java:59)
[08:10:04 WARN]:        at org.bukkit.plugin.java.JavaPlugin.setEnabled(JavaPlugin.java:263)
[08:10:04 WARN]:        at org.bukkit.plugin.java.JavaPluginLoader.enablePlugin(JavaPluginLoader.java:338)
[08:10:04 WARN]:        at org.bukkit.plugin.SimplePluginManager.enablePlugin(SimplePluginManager.java:420)
[08:10:04 WARN]:        at org.bukkit.craftbukkit.v1_14_R1.CraftServer.enablePlugin(CraftServer.java:467)
[08:10:04 WARN]:        at org.bukkit.craftbukkit.v1_14_R1.CraftServer.enablePlugins(CraftServer.java:381)
[08:10:04 WARN]:        at net.minecraft.server.v1_14_R1.MinecraftServer.a(MinecraftServer.java:474)
[08:10:04 WARN]:        at net.minecraft.server.v1_14_R1.DedicatedServer.init(DedicatedServer.java:290)
[08:10:04 WARN]:        at net.minecraft.server.v1_14_R1.MinecraftServer.run(MinecraftServer.java:876)
[08:10:04 WARN]:        at java.base/java.lang.Thread.run(Thread.java:835)
[08:10:04 WARN]: Caused by: java.security.UnrecoverableKeyException: Get Key failed: Given final block not properly padded. Such issues can arise if a bad key is used during decryption.
[08:10:04 WARN]:        at java.base/sun.security.pkcs12.PKCS12KeyStore.engineGetKey(PKCS12KeyStore.java:454)
[08:10:04 WARN]:        at java.base/sun.security.util.KeyStoreDelegator.engineGetKey(KeyStoreDelegator.java:90)
[08:10:04 WARN]:        at java.base/java.security.KeyStore.getKey(KeyStore.java:1050)
[08:10:04 WARN]:        at java.base/sun.security.ssl.SunX509KeyManagerImpl.<init>(SunX509KeyManagerImpl.java:145)
[08:10:04 WARN]:        at java.base/sun.security.ssl.KeyManagerFactoryImpl$SunX509.engineInit(KeyManagerFactoryImpl.java:70)
[08:10:04 WARN]:        at java.base/javax.net.ssl.KeyManagerFactory.init(KeyManagerFactory.java:271)
[08:10:04 WARN]:        at org.apache.http.ssl.SSLContextBuilder.loadKeyMaterial(SSLContextBuilder.java:302)
[08:10:04 WARN]:        at org.apache.http.ssl.SSLContextBuilder.loadKeyMaterial(SSLContextBuilder.java:323)
[08:10:04 WARN]:        at de.soulcraft.shaded.ravendb.http.RequestExecutor.createSSLContext(RequestExecutor.java:1099)
[08:10:04 WARN]:        at de.soulcraft.shaded.ravendb.http.RequestExecutor.createClient(RequestExecutor.java:1084)
[08:10:04 WARN]:        ... 19 more
[08:10:04 WARN]: Caused by: javax.crypto.BadPaddingException: Given final block not properly padded. Such issues can arise if a bad key is used during decryption.
[08:10:04 WARN]:        at java.base/com.sun.crypto.provider.CipherCore.unpad(CipherCore.java:975)
[08:10:04 WARN]:        at java.base/com.sun.crypto.provider.CipherCore.fillOutputBuffer(CipherCore.java:1056)
[08:10:04 WARN]:        at java.base/com.sun.crypto.provider.CipherCore.doFinal(CipherCore.java:853)
[08:10:04 WARN]:        at java.base/com.sun.crypto.provider.PKCS12PBECipherCore.implDoFinal(PKCS12PBECipherCore.java:408)
[08:10:04 WARN]:        at java.base/com.sun.crypto.provider.PKCS12PBECipherCore$PBEWithSHA1AndDESede.engineDoFinal(PKCS12PBECipherCore.java:440)
[08:10:04 WARN]:        at java.base/javax.crypto.Cipher.doFinal(Cipher.java:2208)
[08:10:04 WARN]:        at java.base/sun.security.pkcs12.PKCS12KeyStore.lambda$engineGetKey$0(PKCS12KeyStore.java:398)
[08:10:04 WARN]:        at java.base/sun.security.pkcs12.PKCS12KeyStore$RetryWithZero.run(PKCS12KeyStore.java:294)
[08:10:04 WARN]:        at java.base/sun.security.pkcs12.PKCS12KeyStore.engineGetKey(PKCS12KeyStore.java:392)
[08:10:04 WARN]:        ... 28 more
```




Here is the one from my second post (generated by Raven):

```
[08:13:09 WARN]: java.lang.IllegalStateException: Unable to find certificate for alias: '1'. If you generated certificate using RavenDB server, then it might be related to: https://github.com/dotnet/corefx/issues/30946. Please try to create Keystore using *.crt and *.key files instead of *.pfx.
[08:13:09 WARN]:        at de.soulcraft.shaded.ravendb.util.CertificateUtils.extractThumbprintFromCertificate(CertificateUtils.java:27)
[08:13:09 WARN]:        at de.soulcraft.shaded.ravendb.http.RequestExecutor.<init>(RequestExecutor.java:174)
[08:13:09 WARN]:        at de.soulcraft.shaded.ravendb.http.RequestExecutor.create(RequestExecutor.java:182)
[08:13:09 WARN]:        at de.soulcraft.shaded.ravendb.documents.DocumentStore.getRequestExecutor(DocumentStore.java:183)
[08:13:09 WARN]:        at de.soulcraft.shaded.ravendb.documents.operations.MaintenanceOperationExecutor.getRequestExecutor(MaintenanceOperationExecutor.java:32)
[08:13:09 WARN]:        at de.soulcraft.shaded.ravendb.documents.operations.MaintenanceOperationExecutor.send(MaintenanceOperationExecutor.java:61)
[08:13:09 WARN]:        at de.soulcraft.SoulcraftPlugIn.ensureDatabaseExists(SoulcraftPlugIn.java:139)
[08:13:09 WARN]:        at de.soulcraft.SoulcraftPlugIn.createDocumentStore(SoulcraftPlugIn.java:122)
[08:13:09 WARN]:        at de.soulcraft.SoulcraftPlugIn.onEnable(SoulcraftPlugIn.java:59)
[08:13:09 WARN]:        at org.bukkit.plugin.java.JavaPlugin.setEnabled(JavaPlugin.java:263)
[08:13:09 WARN]:        at org.bukkit.plugin.java.JavaPluginLoader.enablePlugin(JavaPluginLoader.java:338)
[08:13:09 WARN]:        at org.bukkit.plugin.SimplePluginManager.enablePlugin(SimplePluginManager.java:420)
[08:13:09 WARN]:        at org.bukkit.craftbukkit.v1_14_R1.CraftServer.enablePlugin(CraftServer.java:467)
[08:13:09 WARN]:        at org.bukkit.craftbukkit.v1_14_R1.CraftServer.enablePlugins(CraftServer.java:381)
[08:13:09 WARN]:        at net.minecraft.server.v1_14_R1.MinecraftServer.a(MinecraftServer.java:474)
[08:13:09 WARN]:        at net.minecraft.server.v1_14_R1.DedicatedServer.init(DedicatedServer.java:290)
[08:13:09 WARN]:        at net.minecraft.server.v1_14_R1.MinecraftServer.run(MinecraftServer.java:876)
[08:13:09 WARN]:        at java.base/java.lang.Thread.run(Thread.java:835)
```

And finally from the combined cacerts file

```
[08:14:46 WARN]: de.soulcraft.shaded.ravendb.exceptions.security.AuthorizationException: Forbidden access to Soulcraft_Runtime@https://database.soulcraft.de:443, GET https://database.soulcraft.de:443/topology?name=Soulcraft_Runtime&first-topology-update
[08:14:46 WARN]:        at de.soulcraft.shaded.ravendb.http.RequestExecutor.handleUnsuccessfulResponse(RequestExecutor.java:836)
[08:14:46 WARN]:        at de.soulcraft.shaded.ravendb.http.RequestExecutor.execute(RequestExecutor.java:646)
[08:14:46 WARN]:        at de.soulcraft.shaded.ravendb.http.RequestExecutor.lambda$updateTopologyAsync$2(RequestExecutor.java:290)
[08:14:46 WARN]:        at java.base/java.util.concurrent.CompletableFuture$AsyncSupply.run(CompletableFuture.java:1771)
[08:14:46 WARN]:        at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)
[08:14:46 WARN]:        at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
[08:14:46 WARN]:        at java.base/java.lang.Thread.run(Thread.java:835)
```

Iftah Ben Zaken

Dec 8, 2019, 3:36:01 AM
to rav...@googlegroups.com
Sorry that I ask again, your answer is not clear to me.
Can you access the RavenDB Studio (the web interface)?

Iftah Ben Zaken
Core Team Developer   /   Hibernating Rhinos LTD
E-mail:    if...@ravendb.net
Support:  sup...@ravendb.net
Skype:  live:iftahbe




Patrick

Dec 8, 2019, 3:41:31 AM
to RavenDB - 2nd generation document database
Yes I can

Iftah Ben Zaken

Dec 8, 2019, 4:10:43 AM
to rav...@googlegroups.com
Ok thanks,

We'll try to reproduce this and see if there is a problem with the Java client.
I'll let you know.

Iftah Ben Zaken
Core Team Developer   /   Hibernating Rhinos LTD
E-mail:    if...@ravendb.net
Support:  sup...@ravendb.net
Skype:  live:iftahbe



Iftah Ben Zaken

Dec 8, 2019, 9:28:28 AM
to rav...@googlegroups.com
We reproduced the problem and we'll try to fix it ASAP.

In the meantime, here's a little workaround:

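```
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.Security;
import java.security.cert.Certificate;
import org.bouncycastle.jce.provider.BouncyCastleProvider;

// Register BouncyCastle and open the .pfx with its PKCS12 implementation
Security.addProvider(new BouncyCastleProvider());
KeyStore keyStore = KeyStore.getInstance("PKCS12", new BouncyCastleProvider().getName());
keyStore.load(new FileInputStream("e:\\cert\\clientCert.pfx"), "p@22w0rd".toCharArray());

// Take the first alias in the file and its certificate
String alias = keyStore.aliases().nextElement();
Certificate cert = keyStore.getCertificate(alias);

// Copy the key and certificate into a fresh in-memory store under a single alias
KeyStore keyStore2 = KeyStore.getInstance("PKCS12", new BouncyCastleProvider().getName());
keyStore2.load(null, null); // initialize the store
keyStore2.setKeyEntry("private-key", keyStore.getKey(alias, null), null, new Certificate[] { cert });
```

Then supply this keyStore2 to the document store of RavenDB:

```
store.setCertificate(keyStore2);
```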

We use BouncyCastle to open the certificate and export just the relevant alias into a new certificate.

Hope this helps,

Iftah Ben Zaken
Core Team Developer   /   Hibernating Rhinos LTD
E-mail:    if...@ravendb.net
Support:  sup...@ravendb.net
Skype:  live:iftahbe
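
A JDK-only diagnostic for the keystores discussed in this thread, added here as an example (it is not part of the original posts or of the RavenDB client): it lists every alias, tells a private-key entry from a trusted certificate (which is all that `keytool -import` of a `.der` file stores), tries candidate key passwords, and re-wraps a recoverable key with its full chain into a new in-memory store. The class name `KeystoreDoctor`, the file argument and the password arguments are assumptions.

```java
import java.io.FileInputStream;
import java.security.Key;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.UnrecoverableKeyException;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Collections;
import java.util.LinkedHashMap;
import java.util.Map;

// Added example: KeystoreDoctor and its arguments are hypothetical names, not RavenDB client API.
// Usage: java KeystoreDoctor <keystore file> <store password> [key password the client will pass]
public class KeystoreDoctor {

    /** Returns the key stored under alias using the first candidate password that opens it, else null. */
    static Key recoverKey(KeyStore ks, String alias, Map<String, char[]> candidates) throws Exception {
        for (Map.Entry<String, char[]> candidate : candidates.entrySet()) {
            try {
                Key key = ks.getKey(alias, candidate.getValue());
                if (key != null) {
                    System.out.printf("  key opens with the %s password%n", candidate.getKey());
                    return key;
                }
            } catch (UnrecoverableKeyException e) {
                // Same exception type as in the first stack trace of the thread.
                System.out.printf("  key does NOT open with the %s password: %s%n",
                        candidate.getKey(), e.getMessage());
            }
        }
        return null;
    }

    /** Copies one private key and its full chain into a new in-memory PKCS12 store. */
    static KeyStore rewrap(KeyStore src, String alias, Key key, char[] newKeyPassword) throws Exception {
        Certificate[] chain = src.getCertificateChain(alias);
        if (chain == null || chain.length == 0) {
            throw new IllegalStateException("no certificate chain stored with alias " + alias);
        }
        KeyStore out = KeyStore.getInstance("PKCS12");
        out.load(null, null); // initialize an empty store
        out.setKeyEntry("client", key, newKeyPassword, chain);
        return out;
    }

    public static void main(String[] args) throws Exception {
        if (args.length < 2) {
            System.err.println("usage: KeystoreDoctor <file> <store password> [client key password]");
            System.exit(2);
        }
        char[] storePassword = args[1].toCharArray();
        char[] clientKeyPassword = args.length > 2 ? args[2].toCharArray() : storePassword;

        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (FileInputStream in = new FileInputStream(args[0])) {
            ks.load(in, storePassword);
        }

        Map<String, char[]> candidates = new LinkedHashMap<>();
        candidates.put("client key", clientKeyPassword);
        candidates.put("store", storePassword);
        candidates.put("empty", new char[0]);

        for (String alias : Collections.list(ks.aliases())) {
            System.out.printf("alias '%s'%n", alias);
            if (ks.isCertificateEntry(alias)) {
                // This is all a keystore built with `keytool -import -file certificate.der` holds.
                System.out.println("  trusted certificate only: no private key, cannot authenticate a client");
                continue;
            }
            Certificate cert = ks.getCertificate(alias);
            if (cert == null) {
                System.out.println("  key entry with no certificate attached to this alias");
                continue;
            }
            System.out.printf("  key entry, certificate: %s%n", cert instanceof X509Certificate
                    ? ((X509Certificate) cert).getSubjectX500Principal().getName() : cert.getType());
            Key key = recoverKey(ks, alias, candidates);
            if (!(key instanceof PrivateKey)) {
                System.out.println("  no usable private key recovered");
                continue;
            }
            KeyStore fixed = rewrap(ks, alias, key, clientKeyPassword);
            boolean ok = fixed.getKey("client", clientKeyPassword) != null;
            System.out.printf("  re-wrapped under alias 'client', opens with client key password: %b%n", ok);
        }
    }
}
```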


Matt Baker

Dec 26, 2019, 10:01:20 AM
to RavenDB - 2nd generation document database
I'm having this issue with the Java Client as well. Client Certificate generated through the RavenDB management web app (the Docker image: ravendb/ravendb:4.2.6-ubuntu.18.04-x64), imported in Java 8 running on tomcat:8.5.38-jre8 with BouncyCastle 1.63.

The workaround above does not work. When keyStore.load is called, I get an exception

```
java.io.IOException: attempt to add existing attribute with different value
  at org.bouncycastle.jcajce.provider.keystore.pkcs12.PKCS12KeyStoreSpi.engineLoad(Unknown Source)
  at java.security.KeyStore.load(KeyStore.java:1445)
```


Where can I track the status of the actual fix for this issue in the Java client? The issue tracker appears to be offline: http://issues.hibernatingrhinos.com/issues/RDBC


Egor Shamanaev

Dec 26, 2019, 10:38:25 AM
to rav...@googlegroups.com
Hi, 

Are you using the same client code as shown in the example above? Can you share the exact code?

The issue tracker will be back online within a few days.


Matt Baker

Dec 26, 2019, 10:47:08 AM
to RavenDB - 2nd generation document database
Yes I'm using exactly the workaround code you provided, but still get the exception:

```
Security.addProvider(new BouncyCastleProvider());
KeyStore keyStore = KeyStore.getInstance("PKCS12", new BouncyCastleProvider().getName());
// KeyStore.load takes an InputStream, not a path string
keyStore.load(new FileInputStream("/usr/secrets/dev.pfx"), "password".toCharArray());

String alias = keyStore.aliases().nextElement();
Certificate cert = keyStore.getCertificate(alias);

KeyStore keyStore2 = KeyStore.getInstance("PKCS12", new BouncyCastleProvider().getName());
keyStore2.load(null, null); // initialize the store
keyStore2.setKeyEntry("private-key", keyStore.getKey(alias, null), null, new Certificate[] { cert });

store.setCertificate(keyStore2);
```

Matt Baker

Dec 26, 2019, 12:46:47 PM
to RavenDB - 2nd generation document database
I also tried creating a new PKCS12 keystore using the .key and .crt provided in the ZIP file from RavenDB, but when I try to use it I get another error:

```
java.lang.IllegalStateException: Unable to configure ssl context: Get Key failed: Given final block not properly padded. Such issues can arise if a bad key is used during decryption.
at net.ravendb.client.http.RequestExecutor.createClient(RequestExecutor.java:1086)
at net.ravendb.client.http.RequestExecutor.lambda$new$0(RequestExecutor.java:178)
at java.util.concurrent.ConcurrentHashMap.computeIfAbsent(ConcurrentHashMap.java:1660)
at net.ravendb.client.http.RequestExecutor.<init>(RequestExecutor.java:178)
at net.ravendb.client.http.RequestExecutor.create(RequestExecutor.java:182)
at net.ravendb.client.documents.DocumentStore.getRequestExecutor(DocumentStore.java:183)
at net.ravendb.client.documents.session.InMemoryDocumentSessionOperations.<init>(InMemoryDocumentSessionOperations.java:331)
at net.ravendb.client.documents.session.DocumentSession.<init>(DocumentSession.java:111)
at net.ravendb.client.documents.DocumentStore.openSession(DocumentStore.java:158)
at net.ravendb.client.documents.DocumentStore.openSession(DocumentStore.java:149)
```


Iftah Ben Zaken

Dec 29, 2019, 5:44:57 AM
to RavenDB - 2nd generation document database
Hi Matt,

Where is your server certificate from? Was it created in our Let's Encrypt setup wizard or generated somewhere else?
If you can send the **client certificate** that fails to sup...@ravendb.net, it will help us reproduce the problem and see why the workaround didn't work for you.

If you cannot, or if you don't want to wait for the investigation of this problem (can take some time) I can offer another workaround:

Bring your own client certificate which works in Java; it doesn't have to be generated by the RavenDB server. It can be **any** client certificate you wish.
Then register it in the RavenDB server as a trusted client certificate:
After it is registered in the server, use it in the client code and it should work.

Thanks,
Iftah Ben Zaken.

Matt Baker

Dec 29, 2019, 9:53:06 AM
to RavenDB - 2nd generation document database
The certificate was created using the bash scripts found in the RavenDB repository: https://github.com/ravendb/ravendb/tree/v4.1/scripts/certificates/bash. Either way, I just gave up trying to get this to work locally and used insecure mode for the docker-compose configuration shared by our development team.

Oren Eini (Ayende Rahien)

Jan 1, 2020, 6:13:19 AM
to ravendb
If you want to get it working, we'll be happy to set up a call to go over this in detail.
