Debugging Jetty https
I am setting up a standalone (not embedded) jetty 9.2.1 with https.

I played a bit with a self-signed certificate on my local box and all went fine.

Now I am setting up a uat server (similar to what I'll get in production), and I'm failing at getting the https running properly. These are my steps:

1) I created a keystore, generated the cert request and submitted to my CA, got the signed certificate and imported both the new and root certificates in the keystore

2) I can verify that the keystore is looking fine by doing:

keytool -list -keystore jetty.jks

I can see all the certificates showing with their alias

3) I placed the keystore in /etc folder and edited the jetty-ssl.xml

<Set name="KeyStorePath"><Property name="jetty.base" default="." />/<Property name="jetty.keystore" default="etc/jetty.jks"/></Set>
<Set name="KeyStorePassword"><Property name="jetty.keystore.password" default="somepassword"/></Set>
<Set name="KeyManagerPassword"><Property name="jetty.keymanager.password" default="somepassword"/></Set>
<Set name="TrustStorePath"><Property name="jetty.base" default="." />/<Property name="jetty.truststore" default="etc/jetty.jks"/></Set>
<Set name="TrustStorePassword"><Property name="jetty.truststore.password" default="somepassword"/></Set>

on startup I can see both the http and https connectors 'up'

10927 [main] INFO  org.eclipse.jetty.server.ServerConnector  - Started ServerConnector@231e04a9{HTTP/1.1}{0.0.0.0:8090}
11285 [main] INFO  org.eclipse.jetty.server.ServerConnector  - Started ServerConnector@4a1f826d{SSL-http/1.1}{0.0.0.0:8443}
11285 [main] INFO  org.eclipse.jetty.server.Server  - Started @12632ms

but https does not respond; indeed, I see from netstat that nothing is listening on port 8443 (while it shows a healthy listener for port 8090).

I tried using the 'sample' keystore shipped with jetty and got it working, which makes me think of some issue with my keystore ... but I see no errors on the console nor in any logs (even when started with -DDEBUG=true), and I can see the keystore's certificates.

I also tried to 'force' which alias to pick with -Djetty.https-cert-alias=capi but no luck.

Any ideas on how to debug this?

Thanks!

Matrona answered 25/3, 2015 at 0:42 Comment(0)
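The question's own checks (keytool -list for the keystore contents, netstat for the 8443 listener) can be scripted so they are repeatable on the uat box. The helper below is an added example, not code from the original post or from Jetty: the keytool output it parses is a constructed sample in the format `keytool -list` prints, and the alias names (capi, rootca) and fingerprints are assumed. The point it adds to the post is the entry type: `keytool -list` labels each alias as PrivateKeyEntry or trustedCertEntry, and an SSL connector can only serve from an alias that holds a private key, so an alias passed via jetty.https-cert-alias must be a PrivateKeyEntry, not the trusted root imported alongside it.

```shell
#!/bin/sh
# Added example (not from the original post). The keytool output below is a
# CONSTRUCTED sample shaped like `keytool -list -keystore jetty.jks`; the
# aliases "capi" and "rootca" and the fingerprints are assumed values.
KEYTOOL_SAMPLE='Keystore type: JKS
Keystore provider: SUN

Your keystore contains 2 entries

capi, Mar 25, 2015, PrivateKeyEntry,
Certificate fingerprint (SHA1): 11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33:44
rootca, Mar 25, 2015, trustedCertEntry,
Certificate fingerprint (SHA1): AA:BB:CC:DD:EE:FF:00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD'

# Print the aliases whose entry type is $2 (PrivateKeyEntry or
# trustedCertEntry) from the keytool -list text passed in $1.
aliases_of_type() {
    printf '%s\n' "$1" | awk -v want="$2" -F', ' 'index($0, want) { print $1 }'
}

# Number of private-key entries; the SSL connector needs at least one.
private_key_count() {
    aliases_of_type "$1" PrivateKeyEntry | awk 'END { print NR }'
}

# Exit 0 if alias $2 holds a private key, 1 otherwise. This is the check to
# run on whatever alias is given to -Djetty.https-cert-alias.
alias_has_private_key() {
    aliases_of_type "$1" PrivateKeyEntry | grep -qx "$2"
}

# Exit 0 if a LISTEN socket exists on TCP port $1, using ss (or netstat).
# Column 4 is the local address in both tools' -ltn output.
port_is_listening() {
    if command -v ss >/dev/null 2>&1; then
        ss -ltn 2>/dev/null | awk -v p=":$1" '$4 ~ p"$" { found=1 } END { exit found ? 0 : 1 }'
    else
        netstat -ltn 2>/dev/null | awk -v p=":$1" '$4 ~ p"$" { found=1 } END { exit found ? 0 : 1 }'
    fi
}

# Once the port answers, show which certificate the server actually presents,
# so the alias Jetty picked can be confirmed against the keystore listing.
tls_probe() {
    openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null \
        | openssl x509 -noout -subject -issuer
}

# Run the keystore checks on the constructed sample.
if [ "$(private_key_count "$KEYTOOL_SAMPLE")" -eq 0 ]; then
    echo "keystore has no PrivateKeyEntry: the connector has nothing to serve"
fi
if alias_has_private_key "$KEYTOOL_SAMPLE" capi; then
    echo "alias capi holds a private key and is usable for the SSL connector"
fi
if ! alias_has_private_key "$KEYTOOL_SAMPLE" rootca; then
    echo "alias rootca is a trusted cert only; not usable as jetty.https-cert-alias"
fi
```

On a real host, replace the sample with `keytool -list -keystore /path/to/jetty.jks` output, call `port_is_listening 8443` after the "Started ServerConnector" log line appears, and only then use `tls_probe localhost 8443`; a connector logged as started but with no LISTEN socket is exactly the symptom in the question, and a keystore whose only entries are trustedCertEntry is one thing this script makes visible that a bare alias listing does not.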
I've added the following properties to enable ssl debugging:

-DDEBUG=true -Dorg.eclipse.jetty.LEVEL=DEBUG -Djavax.net.debug=ssl,handshake,data

That did the trick. ;)

Matrona answered 30/3, 2015 at 11:32 Comment(1)
What kind of output does this give? Similar to SunJSSE output? Thanks - Dubose

What I did was to add the debug property to jetty startup script:

-Djavax.net.debug=all

For some reason, all the debug information was available in my upstart log file under /var/log/upstart/myComponent.log

Practiced answered 16/7, 2015 at 20:7 Comment(0)
For me this works:

-DDEBUG=true -Dorg.mortbay.jetty.LEVEL=DEBUG -Djavax.net.debug=ssl,handshake,data -classpath
Johnathanjohnathon answered 23/9, 2015 at 6:32 Comment(0)