Bug#1055348: jetty9: Update from DLA 3641 breaks puppetdb ("Exception in thread "main" java.lang.IllegalStateException: KeyStores with multiple certificates are not supported on the base class org.eclipse.jetty.util.ssl.SslContextFactory")

Adam D. Barratt adam at adam-barratt.org.uk
Sun Nov 5 20:35:20 GMT 2023


On Sun, 2023-11-05 at 19:18 +0100, Markus Koschany wrote:
> On Sunday, 05.11.2023 at 16:33 +0000, Adam D. Barratt wrote:
> > [...]
> > Do you have an idea how simple rebuilding the bullseye package on
> > buster would be? I'm happy to try that in general, but I've not really
> > looked at the Java ecosystem in Debian much.
> 
> Sorry, I missed those new or updated dependencies. That complicates
> the matter a little. We also have to deal with clojure here, a LISP
> dialect of the Java language with a different build system
> (leiningen), but if all dependencies were in place a rebuild would be
> pretty simple. As a last resort I could bundle all those dependencies
> together with trapperkeeper-* the Java way TM but I hope we can avoid
> that.
> 
> The most ideal solution is a patch for the current version in Buster.
> I have uploaded a new revision to people.debian.org with minimal
> changes here:
> 
> https://people.debian.org/~apo/lts/buster/trapperkeeper-webserver-jetty9-clojure/
> 
> dget -x https://people.debian.org/~apo/lts/buster/trapperkeeper-webserver-jetty9-clojure/trapperkeeper-webserver-jetty9-clojure_1.7.0-2+deb10u1.1.dsc
> 
> should work as expected. I'm attaching the debdiff as well.
> 
> My solution is to replace the old SslContextFactory class with the
> new inner SslContextFactory.Server class but I don't know if this
> change has the desired effect because I couldn't test it.

Thanks for the patch.

Unfortunately it didn't work as-is:

Nov  5 18:39:14 handel/handel java[2393]: Exception in thread "main" java.lang.AssertionError: Assert failed: (keyword? kw)
Nov  5 18:39:14 handel/handel java[2393]: 	at puppetlabs.kitchensink.core$without_ns.invokeStatic(core.clj:613)
Nov  5 18:39:14 handel/handel java[2393]: 	at puppetlabs.kitchensink.core$without_ns.invoke(core.clj:613)
Nov  5 18:39:14 handel/handel java[2393]: 	at puppetlabs.trapperkeeper.core$main.invokeStatic(core.clj:175)
Nov  5 18:39:14 handel/handel java[2393]: 	at puppetlabs.trapperkeeper.core$main.doInvoke(core.clj:159)
Nov  5 18:39:14 handel/handel java[2393]: 	at clojure.lang.RestFn.applyTo(RestFn.java:137)
Nov  5 18:39:14 handel/handel java[2393]: 	at clojure.core$apply.invokeStatic(core.clj:665)
Nov  5 18:39:14 handel/handel java[2393]: 	at clojure.core$apply.invoke(core.clj:660)
Nov  5 18:39:14 handel/handel java[2393]: 	at puppetlabs.puppetdb.cli.services$provide_services.invokeStatic(services.clj:570)
Nov  5 18:39:14 handel/handel java[2393]: 	at puppetlabs.puppetdb.cli.services$provide_services.invoke(services.clj:558)
Nov  5 18:39:14 handel/handel java[2393]: 	at puppetlabs.puppetdb.cli.services$cli$fn__41585.invoke(services.clj:578)
...

After a bit of searching, I happened across a discussion of a similar
change in a different product that mentioned the
SslContextFactory$Server syntax, so gave that a try. The resulting
package is now installed on handel.d.o and seems to work - at least,
it's been running for 45 minutes now (whereas the broken versions
lasted less than 5 minutes) and at least one client has successfully
made a "puppet agent" run in the meantime.

I've attached a debdiff of the package we're now running, with the
revised patch.

Regards,

Adam
-------------- next part --------------
A non-text attachment was scrubbed...
Name: debian_1055348.diff
Type: text/x-patch
Size: 5073 bytes
Desc: not available
URL: <http://alioth-lists.debian.net/pipermail/pkg-java-maintainers/attachments/20231105/8827e23d/attachment.bin>

