Opened 4 years ago

Closed 4 years ago

Last modified 4 years ago

#1712 closed enhancement (not a bug)

SSL-Key for Router Console broken by or within the process of updating

Reported by: Little Big T
Owned by:
Priority: minor
Milestone: undecided
Component: apps/console
Version: 0.9.23
Keywords:
Cc:
Parent Tickets:
Sensitive: no

Description (last modified by zzz)

First off: I had some problems during the upgrade with apt-get, I think. The repositories used via i2p failed to get some packages, but the installation reported that everything had been upgraded OK anyway. To be sure I commented out those package sources and ran update again, which did nothing though (identical versions in the repositories, I assume). But as the router console didn't come up (nothing listening on port 7657), I did a remove + clean + install. Still no console, still nothing on that port.

In the wrapper.log I got this:

2015/11/21 14:58:10 | 2015-11-21 14:58:10.025:INFO:oejs.Server:jetty-8.1.17.v20150415
2015/11/21 14:58:11 | 2015-11-21 14:58:11.082:WARN:oejuc.AbstractLifeCycle:FAILED SslContextFactory@60c02319(/var/lib/i2p/i2p-config/keystore/console.ks,/var/lib/i2p/i2p-config/keystore/console.ks): java.io.IOException: Keystore was tampered with, or password was incorrect
2015/11/21 14:58:11 | java.io.IOException: Keystore was tampered with, or password was incorrect
2015/11/21 14:58:11 |   at sun.security.provider.JavaKeyStore.engineLoad(JavaKeyStore.java:772)
2015/11/21 14:58:11 |   at sun.security.provider.JavaKeyStore$JKS.engineLoad(JavaKeyStore.java:55)
2015/11/21 14:58:11 |   at java.security.KeyStore.load(KeyStore.java:1226)
2015/11/21 14:58:11 |   at org.eclipse.jetty.util.security.CertificateUtils.getKeyStore(CertificateUtils.java:55)
2015/11/21 14:58:11 |   at org.eclipse.jetty.util.ssl.SslContextFactory.getKeyStore(SslContextFactory.java:1053)
2015/11/21 14:58:11 |   at org.eclipse.jetty.util.ssl.SslContextFactory.loadKeyStore(SslContextFactory.java:1013)
2015/11/21 14:58:11 |   at org.eclipse.jetty.util.ssl.SslContextFactory.doStart(SslContextFactory.java:264)
2015/11/21 14:58:11 |   at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:64)
2015/11/21 14:58:11 |   at org.eclipse.jetty.server.ssl.SslSelectChannelConnector.doStart(SslSelectChannelConnector.java:612)
2015/11/21 14:58:11 |   at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:64)
2015/11/21 14:58:11 |   at net.i2p.router.web.RouterConsoleRunner.startConsole(RouterConsoleRunner.java:620)
2015/11/21 14:58:11 |   at net.i2p.router.web.RouterConsoleRunner.startup(RouterConsoleRunner.java:214)
2015/11/21 14:58:11 |   at net.i2p.router.startup.RouterAppManager.addAndStart(RouterAppManager.java:55)
2015/11/21 14:58:11 |   at net.i2p.router.startup.LoadClientAppsJob$RunApp.run(LoadClientAppsJob.java:282)
2015/11/21 14:58:11 |   at java.lang.Thread.run(Thread.java:745)
2015/11/21 14:58:11 |   at net.i2p.util.I2PThread.run(I2PThread.java:100)
2015/11/21 14:58:11 | Caused by: 
2015/11/21 14:58:11 | java.security.UnrecoverableKeyException: Password verification failed
2015/11/21 14:58:11 |   at sun.security.provider.JavaKeyStore.engineLoad(JavaKeyStore.java:770)
2015/11/21 14:58:11 |   at sun.security.provider.JavaKeyStore$JKS.engineLoad(JavaKeyStore.java:55)
2015/11/21 14:58:11 |   at java.security.KeyStore.load(KeyStore.java:1226)
2015/11/21 14:58:11 |   at org.eclipse.jetty.util.security.CertificateUtils.getKeyStore(CertificateUtils.java:55)
2015/11/21 14:58:11 |   at org.eclipse.jetty.util.ssl.SslContextFactory.getKeyStore(SslContextFactory.java:1053)
2015/11/21 14:58:11 |   at org.eclipse.jetty.util.ssl.SslContextFactory.loadKeyStore(SslContextFactory.java:1013)
2015/11/21 14:58:11 |   at org.eclipse.jetty.util.ssl.SslContextFactory.doStart(SslContextFactory.java:264)
2015/11/21 14:58:11 |   at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:64)
2015/11/21 14:58:11 |   at org.eclipse.jetty.server.ssl.SslSelectChannelConnector.doStart(SslSelectChannelConnector.java:612)
2015/11/21 14:58:11 |   at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:64)
2015/11/21 14:58:11 |   at net.i2p.router.web.RouterConsoleRunner.startConsole(RouterConsoleRunner.java:620)
2015/11/21 14:58:11 |   at net.i2p.router.web.RouterConsoleRunner.startup(RouterConsoleRunner.java:214)
2015/11/21 14:58:11 |   at net.i2p.router.startup.RouterAppManager.addAndStart(RouterAppManager.java:55)
2015/11/21 14:58:11 |   at net.i2p.router.startup.LoadClientAppsJob$RunApp.run(LoadClientAppsJob.java:282)
2015/11/21 14:58:11 |   at java.lang.Thread.run(Thread.java:745)
2015/11/21 14:58:11 |   at net.i2p.util.I2PThread.run(I2PThread.java:100)

with some more resulting errors then and finally:

2015/11/21 14:58:11 | Caused by: java.security.UnrecoverableKeyException: Password verification failed
2015/11/21 14:58:11 |   at sun.security.provider.JavaKeyStore.engineLoad(JavaKeyStore.java:770)
2015/11/21 14:58:11 |   ... 15 more
2015/11/21 14:58:11 | WARNING: Error starting one or more listeners of the Router Console server.
2015/11/21 14:58:11 | If your console is still accessible at http://127.0.0.1:null/,
2015/11/21 14:58:11 | this may be a problem only with binding to the IPV6 address ::1.
2015/11/21 14:58:11 | If so, you may ignore this error, or remove the
2015/11/21 14:58:11 | "::1," in the "clientApp.0.args" line of the clients.config file.

So the router was actually running (I assume; the whole time it was "down" I only tested by trying to reach the console), just the router console couldn't be started because of some problem with the keystore - either access to it or its content. I removed the "-s" in the options line and restarted, and can now access the console again.

Due to the inaccessible package sources and the remove/clean/install, this is a mess. But it sounds like this shouldn't happen anyway, right?

Also, I want to use SSL as I'm accessing the router over a network and not locally. Until now I had used the automatically generated keys (at least I never created any). How do I create new ones? Or is there anything I could check on the old ones for diagnosis?


Change History (5)

comment:1 Changed 4 years ago by zzz

Component: unspecified → apps/console
Description: modified (diff)

comment:2 Changed 4 years ago by zzz

Status: new → infoneeded_new

The SSL setup is pretty simple. The keystore is at /var/lib/i2p/i2p-config/keystore/console.ks and there are two passwords in /var/lib/i2p/i2p-config/router.config :

routerconsole.keyPassword=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
routerconsole.keystorePassword=changeit

Obviously, if the passwords don't match the keystore, it won't work. Not sure what happened and it doesn't sound like you are quite sure either. You can check the modification time of the keystore, and the presence of the two passwords in router.config, to see what went wrong in the uninstall and reinstall. My guess is that the passwords went away but the keystore wasn't deleted.

To start over, stop i2p, delete the keystore and remove the two password lines from the router.config file, then add the '-s' back to clients.config.
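The checks zzz suggests (are both password lines present, when was the keystore last modified, does the configured password actually open it) as an added shell diagnostic. This is not I2P project code; it assumes the Debian paths and the two property names exactly as quoted above, and that console.ks is a JKS file keytool can open. The password verification step reproduces the same check Jetty fails with "Keystore was tampered with, or password was incorrect" in the log above.

```shell
# Added example, not part of the I2P project: diagnose a console.ks /
# router.config mismatch after a package upgrade or reinstall.
# Assumed defaults are the Debian paths named in this ticket.
CONFIG_DEFAULT=/var/lib/i2p/i2p-config/router.config
KEYSTORE_DEFAULT=/var/lib/i2p/i2p-config/keystore/console.ks

# Print the value of a key=value line from router.config (empty if absent).
config_value() {
    cfg=$1; key=$2
    sed -n "s/^${key}=//p" "$cfg" | head -n 1
}

# Return 0 when both password lines exist and the keystore file is present
# and readable, 1 otherwise. The messages distinguish "passwords removed by
# the reinstall" from "keystore missing" from "password changed by hand".
check_console_ssl() {
    cfg=${1:-$CONFIG_DEFAULT}; ks=${2:-$KEYSTORE_DEFAULT}
    rc=0
    if [ ! -r "$cfg" ]; then
        echo "router.config not readable: $cfg"
        return 1
    fi
    keypw=$(config_value "$cfg" routerconsole.keyPassword)
    storepw=$(config_value "$cfg" routerconsole.keystorePassword)
    [ -n "$keypw" ]   || { echo "missing routerconsole.keyPassword in $cfg"; rc=1; }
    [ -n "$storepw" ] || { echo "missing routerconsole.keystorePassword in $cfg"; rc=1; }
    if [ -f "$ks" ]; then
        # Compare this timestamp with the time of the upgrade/reinstall.
        echo "keystore present:"
        ls -l "$ks"
        [ -r "$ks" ] || { echo "keystore not readable by $(id -un)"; rc=1; }
    else
        echo "keystore missing: $ks (I2P generates a new one on the next start)"
        rc=1
    fi
    # A non-default store password is allowed, but only if the keystore was
    # created with it; editing router.config alone does not re-key the file.
    if [ -n "$storepw" ] && [ "$storepw" != changeit ]; then
        echo "note: keystorePassword is not the JVM default 'changeit'; the keystore must have been created with this value"
    fi
    return $rc
}

# Confirm that the store password in router.config actually opens the
# keystore. Needs keytool from the JRE/JDK; returns 2 if it is not installed.
verify_store_password() {
    cfg=${1:-$CONFIG_DEFAULT}; ks=${2:-$KEYSTORE_DEFAULT}
    command -v keytool >/dev/null 2>&1 || { echo "keytool not found; skipping"; return 2; }
    storepw=$(config_value "$cfg" routerconsole.keystorePassword)
    if keytool -list -keystore "$ks" -storepass "$storepw" >/dev/null 2>&1; then
        echo "keystore password in router.config opens $ks"
    else
        echo "keystore password in router.config does NOT open $ks"
        return 1
    fi
}

# Usage (as the i2p user or root):
#   check_console_ssl && verify_store_password
```

Run it before deleting anything: if `check_console_ssl` reports a missing password line while the keystore is intact and older than the upgrade, that matches zzz's guess that the reinstall dropped the passwords; if both lines are present but `verify_store_password` fails, the store password was changed without re-creating the keystore.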

comment:3 Changed 4 years ago by Little Big T

Status: infoneeded_new → new

There are two passwords in the router.config: keyPassword (a long random string or so), and a keystorePassword, which is set to "changeit". Now seeing this, I immediately remembered having "met" this changeit. And I also remember having done as told and actually changed it. Still unsure what happened here, but I tried changing the keystorePassword back to "changeit". After a restart, SSL was working again.

So for now it feels like one rather shouldn't change "changeit", or what? Interesting at least. I did try to find this information in the documentation but did not succeed. This might just be dumb me again. But it might also be a hint that we should improve the documentation here?

To me it seems a new key was generated during the update and that this key assumed the unchanged pre-set keystorePassword. But why is it called what it is, then? Or did I never restart the router after changing the password, and a restart would have failed as well? Unsure about this. I still don't fully understand the mechanisms involved, I must admit. Change it or not? What's the impact? Why are keys generated for a specific preset password while the password defined isn't used?

comment:4 Changed 4 years ago by Little Big T

Resolution: not a bug
Status: new → closed
Type: defect → enhancement

20:58:52 <@str4d> lbt, re: "changeit", that is the default keystore password in the JVM, and no one ever changes it. I2P assumes it is "changeit"

20:59:27 <@str4d> So yes, if you had restarted at any time, you would have had the same problem

So it's not a bug at all.

comment:5 Changed 4 years ago by zzz

You can change the keystore pw, and we do have it in router.config as an option, as you discovered.

And if you "changed it", then it failed.

Agreed, we have little to no docs on making your own keystore, or adjusting the configs to match.

Anyway, this one was self-inflicted. Glad you figured it out.
