Unable to access http server using SSL


Amit Mhetre

Jul 15, 2015, 6:58:13 AM
to ve...@googlegroups.com
Hello guys,

I tried to start vertx http server with SSL as below,

HttpServer server = vertx.createHttpServer();

server.setSSL(true).setKeyStorePath(PATH_TO_KEYSTORE).setKeyStorePassword("changeit");

server.listen(3500, HOSTNAME);

Server was starting with no errors, but I am not able to access any of the URLs (with https) from it.
It seems that it fails to take the self-signed certificate from the keystore, that's why it won't give me any suggestion in the browser as well.
Can someone please tell me where I am going wrong, or any changes needed in the current logic?

Thanks in advance.

Tim Fox

Jul 15, 2015, 7:01:50 AM
to ve...@googlegroups.com
Hi Amit,

Do you have a reproducer?

Self signed certs should work fine, we use them in the test suite.

https://github.com/eclipse/vert.x/blob/master/src/test/java/io/vertx/test/core/HttpTest.java#L2683
--
You received this message because you are subscribed to the Google Groups "vert.x" group.
To unsubscribe from this group and stop receiving emails from it, send an email to vertx+un...@googlegroups.com.
Visit this group at http://groups.google.com/group/vertx.
To view this discussion on the web, visit https://groups.google.com/d/msgid/vertx/c6368a55-f941-4f0e-bc1a-184d0570cabb%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Amit Mhetre

Jul 15, 2015, 10:39:34 AM
to ve...@googlegroups.com

Below are the steps that I followed to create and add a self-signed certificate to the Java key store.

openssl genrsa -out myKey.pem 2048
openssl req -new -key myKey.pem -out csr.pem
openssl req -x509 -days 365 -key myKey.pem -in csr.pem -out myCertificate.pem
keytool -import -keystore myKeyStore -file myCertificate.pem -alias myCA

My code is,


HttpServer server = vertx.createHttpServer();
RouteMatcher routeMatcher = new RouteMatcher();
routeMatcher.get("/get", new Handler<HttpServerRequest>() {
  @Override
  public void handle(HttpServerRequest e) {
    e.response().end("Hello world !!");
  }
});
server.requestHandler(routeMatcher);
server.setSSL(true).setKeyStorePath("/home/amit/myKeyStore").setKeyStorePassword("changeit");
server.listen(3500, "localhost");



If I fire “https://localhost:3500/get” it gives me response as


This webpage is not available



I am configuring this for first time, so not able to find this issue yet.

I am using vertx 2.1.6, java 1.8.0_45 and ubuntu 14.04 LTS.

Tim Fox

Jul 15, 2015, 10:45:12 AM
to ve...@googlegroups.com
I recommend starting at a working example (e.g. the one in the vertx-examples repo).

Convince yourself that works, then slowly change it, until it doesn't work. That should give you a pointer as to where the problem lies.

Amit Mhetre

Jul 17, 2015, 10:13:07 AM
to ve...@googlegroups.com
Thanks Tim,

I referred to the example provided in vertx-examples; it was very helpful.
What I found is that my certificate has the signature algorithm name SHA1withDSA and your certificate has SHA256withRSA.
So when I change the signature algorithm name to SHA256withRSA it works perfectly.

Once again thanks for your quick and kind support. 

Regards,
Amit Mhetre

Adam Medeiros

Aug 7, 2018, 2:41:31 AM
to vert.x
This is interesting. I too can't get https to work as advertised. Are there examples (or documentation) somewhere that specifies how the pem files for self-signed certificates should be generated to make this work? I generated mine as SHA256 with RSA - however, I used rsa:4096 vs. the widely used rsa:2048. Would love to see the manual on what exactly is needed for generating the self-signed certificate if they won't all work.

I'll try and generate one with rsa:2048 tomorrow to see if that works, but is that true? Only very specifically created pem files work?

Julien Viet

Aug 7, 2018, 3:54:12 AM
to ve...@googlegroups.com
Hi,

we do support PKCS8 format and non encrypted PKCS1 format in PEM files:


HTH

Julien


Adam Medeiros

Aug 8, 2018, 3:11:25 AM
to vert.x
Thanks Julien!

Unfortunately, I'm not able to generate a PKCS8 key and crt that works. The server hangs when I call listen(8443). I added a Proc handler to capture the failure or success of calling listen, but the proc isn't called. Something is hanging and it's not clear what it is.

What is the formula for creating the PKCS8 key and crt files that you have used and that works for you?

Thanks again,

Adam

Julien Viet

Aug 8, 2018, 3:19:44 AM
to ve...@googlegroups.com

Adam Medeiros

Aug 8, 2018, 1:24:40 PM
to vert.x
Thanks again Julien.

Just so I'm clear in my understanding - when I'm trying to do this in ruby within a jar file (java -jar my_jar.jar), and I have the following code:

options = {
      'ssl' => true,
      'useAlpn' => true,
      'pemKeyCertOptions' => {
          'keyPath' =>  'ssl/server-key.pem',
          'certPath' => 'ssl/localhost.crt'
      }
  }

server = $vertx.create_http_server(options)
router = VertxWeb::Router.router($vertx)

done_handler = Proc.new {|c|
  c.response.put_header('content-type', 'application/json').end({msg: 'Received'}.to_json)
}

router.route("/ping").handler(&done_handler)

server.request_handler(&router.method(:accept)).listen(8443)

 

 Where should the pem and crt go exactly when running this as a jar? I currently have them inside resources within an ssl folder (src/main/resources/ssl). I've tried moving that folder around to various places to try to understand where the application is looking when I pass in the path. I've tried adding a forward slash to the paths as well. Since the app hangs when listen is called, and it doesn't throw an error when it can't find the pem and crt, it's causing a lot of guess work to get this to run. I've seen examples where the pem and crt file locations vary. What am I doing wrong? This app listens on port 8080 without ssl options passed in.

  I'm quite sure that most Vertx apps are running in ssl, and of course you have passing tests which proves that this should work for everyone. I think the issue I'm personally having is getting Ruby/Vertx/Jar/SSL pieces all in harmony. Is there a working example somewhere that is as simple as the above code, is written in ruby and is run as a Jar? Or, do you see the obvious mistake I'm making?

  It would be nice if the app didn't hang without raising a helpful error when it can't find the certs/pems. At least then, I'd know what the app is expecting and where it's expecting it.

Anyway, thank you for your prompt replies. SSL is crucial and I appreciate the hand holding as I am getting started.


Adam Medeiros

Aug 9, 2018, 11:33:54 PM
to vert.x
Should I file an issue about .listen(...) not raising an error if the certs can't be found or aren't in the correct location?

Adam Medeiros

Aug 10, 2018, 12:23:39 AM
to vert.x
To reproduce this, all one needs to do is set ssl: true in the options with no cert paths or anything else. 

options = {
  ssl: true
}

server = $vertx.create_http_server(options)

.....
.....
server.listen(<port num>) will hang and never raise an exception. This isn't expected behavior. The server should require everything it needs to start https or raise - right?


Julien Viet

Aug 12, 2018, 4:42:12 AM
to ve...@googlegroups.com
yes it should, can you file an issue with a reproducing test ?


Adam Medeiros

Aug 12, 2018, 11:47:45 PM
to vert.x
Yeah - I'll do that.

I also found this example to not work:


(NoMethodError) undefined method `ssl=' for #<Vertx::HttpServer:0x556e0956>
org.jruby.embed.EvalFailedException: (NoMethodError) undefined method `ssl=' for #<Vertx::HttpServer:0x556e0956>
at org.jruby.embed.internal.EmbedEvalUnitImpl.run(EmbedEvalUnitImpl.java:131)
at org.jruby.embed.ScriptingContainer.runUnit(ScriptingContainer.java:1307)
at org.jruby.embed.ScriptingContainer.runScriptlet(ScriptingContainer.java:1323)
at io.vertx.lang.ruby.ContainerHolder.create(ContainerHolder.java:133)
at io.vertx.lang.ruby.JRubyVerticle.start(JRubyVerticle.java:43)
at io.vertx.core.impl.DeploymentManager.lambda$doDeploy$8(DeploymentManager.java:483)
at io.vertx.core.impl.ContextImpl.lambda$wrapTask$2(ContextImpl.java:339)
at io.netty.util.concurrent.AbstractEventExecutor.safeExecute(AbstractEventExecutor.java:163)
at io.netty.util.concurrent.SingleThreadEventExecutor.runAllTasks(SingleThreadEventExecutor.java:404)
at io.netty.channel.nio.NioEventLoop.run(NioEventLoop.java:463)
at io.netty.util.concurrent.SingleThreadEventExecutor$5.run(SingleThreadEventExecutor.java:886)
at io.netty.util.concurrent.FastThreadLocalRunnable.run(FastThreadLocalRunnable.java:30)
at java.lang.Thread.run(Thread.java:748)
Caused by: org.jruby.exceptions.RaiseException: (NoMethodError) undefined method `ssl=' for #<Vertx::HttpServer:0x556e0956>


I think the example is outdated. So, we'll need to go through and clean up all of these examples as well (unless of course, I'm completely missing something) so that future Vertx discoverers have an easier time of things. If anyone out there is paying attention to this thread in the hopes of also figuring out how to run this in https mode, I still haven't figured it out. I'm still trying every sort of file location combination that I can to get my app to not hang on listen() - so far, nothing works.

Julien Viet

Aug 13, 2018, 4:37:16 AM
to ve...@googlegroups.com
that's the old vert examples of 2.x

look at the repository description : https://github.com/vert-x/vertx-examples


I will "archive" these repositories. (when I updated the description, archive was not yet available).

Julien


Adam Medeiros

Aug 13, 2018, 4:37:57 AM
to vert.x
Here's what I finally had to do. I created an ssl directory in my resources folder that contained a pkcs1 pem and cert file created by following the steps posted here:


I then needed to fetch those files from the resources folder, read the files to string and then base64 those files for the options hash:

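  require 'base64'

  # Locate the key and certificate in the ssl directory of the resources folder
  class_loader = java.lang.Thread.currentThread().getContextClassLoader()

  key_file = class_loader.get_resource 'ssl/server-key-pkcs1.pem'
  crt_file = class_loader.get_resource 'ssl/server-cert.pem'
  # Read the PEM contents into strings
  key = File.read key_file.get_path
  crt = File.read crt_file.get_path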

  options = {
      'ssl' => true,
      'pemKeyCertOptions' => {
          'keyValue'  => Base64.strict_encode64(key),
          'certValue' => Base64.strict_encode64(crt)
      }
  }

  server = $vertx.create_http_server(options)
  router = VertxWeb::Router.router($vertx)

  ...
  ...
  ...

  server.listen(8443)

  This doesn't hang. It currently doesn't work to pass options in with paths to the files if you are running this as a jar application. The documentation, while well-intentioned, isn't up to date on how to configure SSL for a production environment running as a jar. Nor does it raise exceptions properly so that one can diagnose a faulty SSL options hash.

  I hope this helps someone. I'm finally unstuck.
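
A pre-flight check for the two failure causes reported in this thread (a certificate signed with SHA1withDSA, and a PEM key outside the PKCS8 / non-encrypted PKCS1 formats), so a bad pair is reported before listen is called. This is an added example, not code from the thread or from the Vert.x project; the function names are hypothetical, the sample key and certificate are constructed in memory, and treating encrypted PKCS8 as unsupported is an assumption.

```ruby
require 'openssl'

# Classify a PEM private key by its header. The thread names PKCS8 and
# non-encrypted PKCS1 as the supported formats.
def pem_key_format(pem)
  return :encrypted_pkcs1 if pem =~ /BEGIN RSA PRIVATE KEY-----\r?\nProc-Type: 4,ENCRYPTED/
  return :pkcs1           if pem.include?('-----BEGIN RSA PRIVATE KEY-----')
  return :encrypted_pkcs8 if pem.include?('-----BEGIN ENCRYPTED PRIVATE KEY-----')
  return :pkcs8           if pem.include?('-----BEGIN PRIVATE KEY-----')
  :unknown
end

# Matches OpenSSL long names such as "dsaWithSHA1" or "sha1WithRSAEncryption".
def weak_signature?(name)
  !!(name =~ /md5|sha1|\Adsa/i)
end

# Returns a list of problems; an empty list means the pair passed every check.
def check_tls_pair(key_pem, cert_pem)
  format = pem_key_format(key_pem)
  # Assumption: encrypted PKCS8 is rejected too, since no key password
  # option appears in the thread's configuration.
  return ["key format is #{format}"] unless %i[pkcs1 pkcs8].include?(format)
  key  = OpenSSL::PKey.read(key_pem)
  cert = OpenSSL::X509::Certificate.new(cert_pem)
  problems = []
  problems << "weak signature algorithm #{cert.signature_algorithm}" if weak_signature?(cert.signature_algorithm)
  problems << 'certificate does not match the private key' unless cert.check_private_key(key)
  problems << 'certificate is not currently valid' unless (cert.not_before..cert.not_after).cover?(Time.now)
  problems
end

# Constructed sample: an in-memory RSA key and self-signed SHA-256 certificate.
def sample_pair(bits = 2048)
  key  = OpenSSL::PKey::RSA.new(bits)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse('/CN=localhost')
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after  = Time.now + 86_400
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  [key.to_pem, cert.to_pem]
end

key_pem, cert_pem = sample_pair
puts check_tls_pair(key_pem, cert_pem).inspect
```

The encrypted-key case returns before the key is parsed, so the check never waits on a passphrase prompt.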


Adam Medeiros

Aug 13, 2018, 4:42:06 AM
to ve...@googlegroups.com
Thank you, Julien, for pointing me down some paths.

Adam




--
A.R. Medeiros