Logstash 1.5.4 : No password supplied for PKCS#12 KeyStore

meghnatolani · April 11, 2018, 7:32pm

Hi,

I am using logstash version 1.5.4 I am getting the bellow error -

WARNING: Default JAVA_OPTS will be overridden by the JAVA_OPTS defined in the environment. Environment JAVA_OPTS are -Djava.io.tmpdir=/var/lib/logstash 
OpenSSL::X509::StoreError: setting default path failed: **No password supplied for PKCS#12 KeyStore**. 
set_default_paths at org/jruby/ext/openssl/X509Store.java:185 
(root) at /opt/logstash/vendor/jruby/lib/ruby/shared/jopenssl/load.rb:22 
require at org/jruby/RubyKernel.java:1072 
(root) at /opt/logstash/vendor/jruby/lib/ruby/shared/openssl.rb:1 
require at org/jruby/RubyKernel.java:1072 
(root) at /opt/logstash/vendor/jruby/lib/ruby/shared/openssl.rb:1 
require at org/jruby/RubyKernel.java:1072 
(root) at /opt/logstash/vendor/bundle/jruby/1.9/gems/logstash-core-1.5.4-java/lib/logstash/patches/stronger_openssl_defaults.rb:1 
require at org/jruby/RubyKernel.java:1072 
(root) at /opt/logstash/vendor/bundle/jruby/1.9/gems/logstash-core-1.5.4-java/lib/logstash/patches/stronger_openssl_defaults.rb:2 
require at org/jruby/RubyKernel.java:1072 
(root) at /opt/logstash/vendor/bundle/jruby/1.9/gems/logstash-core-1.5.4-java/lib/logstash/patches.rb:1 
require at org/jruby/RubyKernel.java:1072 
(root) at /opt/logstash/lib/bootstrap/environment.rb:48

Can anyone help please?

yaauie · April 12, 2018, 3:59am

My searches seem to indicate that others had this trouble running old versions of Logstash with a Java JDK that was newer than the Java available when that old version of Logstash was built:

what version of Java are you running?
```
java -version
```
what is your JAVA_HOME?
```
echo $JAVA_HOME
```

meghnatolani · April 12, 2018, 5:31pm

java -version

    openjdk version "1.8.0_161"
    OpenJDK Runtime Environment (build 1.8.0_161-b14)
    OpenJDK 64-Bit Server VM (build 25.161-b14, mixed mode)

no output when running echo $JAVA_HOME. $JAVA_HOME is not set.

yaauie · April 12, 2018, 11:08pm

Logstash 1.x is relatively out-of-date, and it runs on a version of JRuby that reached end-of-life on 2016-11-21 with dependencies that are similarly end-of-life or may have diverged in the years since its release; I'd recommend using a newer Logstash if you're able -- the current release is 6.x, and includes significant new features and improvements.

I did a little sleuthing, and it looks like older versions of JRuby made an assumption in their OpenSSL implementation that caused the above error; it appears as though KeyStore#getDefaultType was not a reliable way to get the Java Key Store it needed, and well-behaved JVMs could reasonably set a different value as the default. My guess here is that either your JVM is configured with a different default, or the OpenJDK variant is.

To get the fix, you will need to install at least version 0.9.14 of the jruby-openssl gem to override the implementation that shipped with jruby (it appears as though jruby-openssl-0.9.21 is the most recent version that is backwards-compatible with JRuby 1.7.x).

You may be able to install the one gem by adding it to the runtime dependencies in the logstash-core.gemspec file in the block that selects for java:

    # pin jruby-openssl implementation to most recent compatible version
    gem.add_runtime_dependency "jruby-openssl", "~> 0.9.21"

And then run the vendored bundle executable to tell it to resolve dependencies:

cd $logstash_home
bin/bundle install

system · May 10, 2018, 11:08pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.