Jetty with SSL throws error with KeyStores with multiple certificates are not supported

Problem

You have configured Jetty using SSL as described in How to setup SSL with Jetty. On startup, you see the following error message in the log files:

2020-09-21 12:44:39,328 ERROR [Main] o.o.n.j.JettyServer: Error starting Jetty Server
java.lang.IllegalStateException: KeyStores with multiple certificates are not supported on the base class org.eclipse.jetty.util.ssl.SslContextFactory. (Use org.eclipse.jetty.util.ssl.SslContextFactory$Server or org.eclipse.jetty.util.ssl.SslContextFactory$Client instead)

When you check your Java Keystore file, you only see one certificate. This problem also happens if you have one certificate with multiple subject alternative names. You can check this with:

keytool -list -v -keystore /path/to/my/keystore.file

You also get this error message when you have multiple SubjectAlternativeName elements, like here:

SubjectAlternativeName [
  DNSName: my-nms.local
  DNSName: my-name.local
]

Solution

We have addressed this problem in NMS-12847 by fixing the jetty.xml configuration in our example directory. You can apply the following change to the jetty.xml manually by changing the SSL context factory from:

org.eclipse.jetty.util.ssl.SslContextFactory

to

org.eclipse.jetty.util.ssl.SslContextFactory$Server

Detailed information can be found in the patch for the jetty.xml file:



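As an added example (not part of the original post and not OpenNMS code), the following shell check combines the two inspections described above: it parses `keytool -list -v` output for key entries and SAN DNS names, and looks for a jetty.xml that still names the base `SslContextFactory` class. The function names, the `check.sh` script name and the sample keytool output are constructed for illustration.

```shell
#!/bin/sh
# Added example (not OpenNMS code). Sample data below is constructed.

# Print jetty.xml lines that still name the base class, i.e. the class name
# not followed by $Server or $Client. Exit status 0 means at least one hit.
find_base_factory() {
    grep -nE 'org\.eclipse\.jetty\.util\.ssl\.SslContextFactory([^$A-Za-z0-9_.]|$)' "$1"
}

# Read `keytool -list -v` output on stdin and print
# "<private key entries> <SAN DNSName entries>".
keystore_summary() {
    awk '/Entry type: PrivateKeyEntry/ { keys++ }
         /SubjectAlternativeName \[/   { in_san = 1; next }
         in_san && /^[ \t]*\]/         { in_san = 0 }
         in_san && /DNSName:/          { sans++ }
         END { print keys + 0, sans + 0 }'
}

# Succeed when the keystore matches either condition described in the post:
# more than one key entry, or more than one SAN DNS name.
needs_server_factory() {
    set -- $(keystore_summary)
    [ "$1" -gt 1 ] || [ "$2" -gt 1 ]
}

# Constructed keytool output: one key entry, two SAN DNS names.
sample_keytool_output() {
    cat <<'EOF'
Alias name: jetty
Entry type: PrivateKeyEntry
SubjectAlternativeName [
  DNSName: my-nms.local
  DNSName: my-name.local
]
EOF
}

# Usage: check.sh /path/to/jetty.xml /path/to/my/keystore.file
# (keytool prompts for the keystore password.)
if [ "$#" -eq 2 ]; then
    if keytool -list -v -keystore "$2" | needs_server_factory &&
       find_base_factory "$1"; then
        echo "jetty.xml must use SslContextFactory\$Server" >&2
        exit 1
    fi
else
    sample_keytool_output | keystore_summary   # demo on the constructed sample
fi
```

Running the check before an upgrade shows whether the jetty.xml change is needed for a given keystore, without waiting for the startup error.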

I had been having issues upgrading from 26.1, and this was the key. In my install, we are using a DigiCert wildcard cert.


Awesome, this worked perfectly. We use a DigiCert wildcard as well. Thanks!
