
cant't run #7

Open
neginsadeghi opened this issue Oct 9, 2021 · 6 comments
Labels: bug (Something isn't working)

Comments

@neginsadeghi

I ran setup-certs.sh and created the .jks file on my own, but it just can't be bootstrapped. Please help me so that I can run it.


I'm using https://github.com/immauss/openvas to host OpenVAS, and I'm running the commands inside the OpenVAS container created by that repo.

root@52fff93ea21f:~# ps -aux
USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
root 1 0.0 0.0 5612 1680 ? Ss Sep28 0:00 /bin/bash /start.sh
root 9 0.1 3.7 217128 151472 ? Ssl Sep28 18:14 redis-server 0.0.0.0:6379
postgres 38 0.0 0.3 82420 14316 ? Ss Sep28 1:04 /usr/lib/postgresql/12/bin/postgres -D /data/database
postgres 40 0.0 0.3 82656 13656 ? Ss Sep28 0:03 postgres: checkpointer
postgres 41 0.0 0.3 82552 14668 ? Ss Sep28 0:16 postgres: background writer
postgres 42 0.0 0.1 82420 4540 ? Ss Sep28 2:36 postgres: walwriter
postgres 43 0.0 0.2 83096 8316 ? Ss Sep28 0:16 postgres: autovacuum launcher
postgres 44 0.0 0.1 67408 4544 ? Ss Sep28 0:48 postgres: stats collector
postgres 45 0.0 0.1 82964 5156 ? Ss Sep28 0:00 postgres: logical replication launcher
gvm 324 0.0 2.5 255140 104412 ? S Sep28 5:50 gvmd: Waiting for incoming connections
gvm 348 0.0 0.0 79748 1916 ? Ss Sep28 0:00 gpg-agent --homedir /usr/local/var/lib/gvm/gvmd/gnupg --use-standard-socket --daemon
postgres 354 0.0 0.6 97772 24640 ? SLs Sep28 2:27 postgres: gvm gvmd [local] idle
root 493 0.0 0.0 43468 3392 ? Ss Sep28 0:02 /usr/lib/postfix/sbin/master
postfix 496 0.0 0.0 43544 3196 ? S Sep28 0:00 qmgr -l -t unix -u
root 498 0.0 0.5 269168 21728 ? Sl Sep28 6:15 /usr/bin/python3 /usr/local/bin/ospd-openvas --log-file /usr/local/var/log/gvm/ospd-openvas.log --unix-socket /var/run/ospd/ospd.sock --log-level INFO --socket-mode 777
root 501 0.0 0.0 116624 3888 ? Sl Sep28 1:18 /usr/bin/python3 /usr/local/bin/ospd-openvas --log-file /usr/local/var/log/gvm/ospd-openvas.log --unix-socket /var/run/ospd/ospd.sock --log-level INFO --socket-mode 777
gvm 511 0.0 1.0 2383168 44052 ? Sl Sep28 0:01 gsad --mlisten 127.0.0.1 -m 9390 --verbose --timeout=15 --http-only --no-redirect --port=9392
root 517 0.0 0.0 4076 288 ? S Sep28 0:00 tail -F /usr/local/var/log/gvm/gsad.log /usr/local/var/log/gvm/gvmd.log /usr/local/var/log/gvm/openvas.log /usr/local/var/log/gvm/ospd-openvas.log
root 345614 0.0 0.0 5744 3548 pts/0 Ss 10:05 0:00 bash
postfix 357023 0.0 0.1 43816 7788 ? S 10:39 0:00 pickup -l -t unix -u -c
root 358361 0.0 0.0 9672 3200 pts/0 R+ 11:32 0:00 ps -aux

root@52fff93ea21f:/pki# pwd
/root/pki
root@52fff93ea21f:/pki# ls
ca.pem cert.crt cert.jks certificate.p12 private.key

@siewer
Contributor

siewer commented Oct 9, 2021

Hey, a fast fix is to run the OpenVAS jar with the additional parameter --server.ssl.key-alias=localhost

I will open a PR to fix this issue in a few hours.

@siewer siewer self-assigned this Oct 9, 2021
@siewer siewer added the bug Something isn't working label Oct 9, 2021
@siewer
Contributor

siewer commented Oct 9, 2021

And btw, enable --spring.profiles.active=noauth to bypass mTLS auth (not recommended on a prod instance).

@neginsadeghi
Author

neginsadeghi commented Oct 10, 2021

I added the parameters you suggested, but still no luck:

root@52fff93ea21f:~# java -jar MixewayOpenVasRestAPI-1.2.0-SNAPSHOT.jar \
    --spring.profiles.active=noauth \
    --server.ssl.key-alias=localhost \
    --server.port=8443 \
    --server.ssl.key-store=pki/certificate.p12 \
    --server.ssl.key-store-password=changeit \
    --server.ssl.trust-store=pki/cert.jks \
    --server.ssl.trust-store-password=changeit \
    --openvasmd.socket=/var/run/ospd/ospd.sock \
    --allowed.users=localhost

  .   ____          _            __ _ _
 /\\ / ___'_ __ _ _(_)_ __  __ _ \ \ \ \
( ( )\___ | '_ | '_| | '_ \/ _` | \ \ \ \
 \\/  ___)| |_)| | | | | || (_| |  ) ) ) )
  '  |____| .__|_| |_|_| |_\__, | / / / /
 =========|_|==============|___/=/_/_/_/
 :: Spring Boot ::        (v2.2.4.RELEASE)

2021-10-10 07:56:33.719  WARN 385236 --- [           main] org.apache.tomcat.util.net.SSLUtilBase   : The JSSE TLS 1.3 implementation does not support authentication after the initial handshake and is therefore incompatible with optional client authentication
2021-10-10 07:56:33.905 ERROR 385236 --- [           main] o.s.boot.SpringApplication               : Application run failed

org.springframework.boot.web.server.WebServerException: Unable to start embedded Tomcat server
        at org.springframework.boot.web.embedded.tomcat.TomcatWebServer.start(TomcatWebServer.java:215) ~[spring-boot-2.2.4.RELEASE.jar!/:2.2.4.RELEASE]
        at org.springframework.boot.web.servlet.context.ServletWebServerApplicationContext.startWebServer(ServletWebServerApplicationContext.java:297) ~[spring-boot-2.2.4.RELEASE.jar!/:2.2.4.RELEASE]
        at org.springframework.boot.web.servlet.context.ServletWebServerApplicationContext.finishRefresh(ServletWebServerApplicationContext.java:163) ~[spring-boot-2.2.4.RELEASE.jar!/:2.2.4.RELEASE]
        at org.springframework.context.support.AbstractApplicationContext.refresh(AbstractApplicationContext.java:553) ~[spring-context-5.2.3.RELEASE.jar!/:5.2.3.RELEASE]
        at org.springframework.boot.web.servlet.context.ServletWebServerApplicationContext.refresh(ServletWebServerApplicationContext.java:141) ~[spring-boot-2.2.4.RELEASE.jar!/:2.2.4.RELEASE]
        at org.springframework.boot.SpringApplication.refresh(SpringApplication.java:747) [spring-boot-2.2.4.RELEASE.jar!/:2.2.4.RELEASE]
        at org.springframework.boot.SpringApplication.refreshContext(SpringApplication.java:397) [spring-boot-2.2.4.RELEASE.jar!/:2.2.4.RELEASE]
        at org.springframework.boot.SpringApplication.run(SpringApplication.java:315) [spring-boot-2.2.4.RELEASE.jar!/:2.2.4.RELEASE]
        at org.springframework.boot.SpringApplication.run(SpringApplication.java:1226) [spring-boot-2.2.4.RELEASE.jar!/:2.2.4.RELEASE]
        at org.springframework.boot.SpringApplication.run(SpringApplication.java:1215) [spring-boot-2.2.4.RELEASE.jar!/:2.2.4.RELEASE]
        at pl.orange.bst.mixer.MixerApplication.main(MixerApplication.java:39) [classes!/:1.2.0-SNAPSHOT]
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[na:1.8.0_302]
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) ~[na:1.8.0_302]
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[na:1.8.0_302]
        at java.lang.reflect.Method.invoke(Method.java:498) ~[na:1.8.0_302]
        at org.springframework.boot.loader.MainMethodRunner.run(MainMethodRunner.java:48) [MixewayOpenVasRestAPI-1.2.0-SNAPSHOT.jar:1.2.0-SNAPSHOT]
        at org.springframework.boot.loader.Launcher.launch(Launcher.java:87) [MixewayOpenVasRestAPI-1.2.0-SNAPSHOT.jar:1.2.0-SNAPSHOT]
        at org.springframework.boot.loader.Launcher.launch(Launcher.java:51) [MixewayOpenVasRestAPI-1.2.0-SNAPSHOT.jar:1.2.0-SNAPSHOT]
        at org.springframework.boot.loader.JarLauncher.main(JarLauncher.java:52) [MixewayOpenVasRestAPI-1.2.0-SNAPSHOT.jar:1.2.0-SNAPSHOT]
Caused by: java.lang.IllegalArgumentException: standardService.connector.startFailed
        at org.apache.catalina.core.StandardService.addConnector(StandardService.java:231) ~[tomcat-embed-core-9.0.30.jar!/:9.0.30]
        at org.springframework.boot.web.embedded.tomcat.TomcatWebServer.addPreviouslyRemovedConnectors(TomcatWebServer.java:278) ~[spring-boot-2.2.4.RELEASE.jar!/:2.2.4.RELEASE]
        at org.springframework.boot.web.embedded.tomcat.TomcatWebServer.start(TomcatWebServer.java:197) ~[spring-boot-2.2.4.RELEASE.jar!/:2.2.4.RELEASE]
        ... 18 common frames omitted
Caused by: org.apache.catalina.LifecycleException: Protocol handler start failed
        at org.apache.catalina.connector.Connector.startInternal(Connector.java:1008) ~[tomcat-embed-core-9.0.30.jar!/:9.0.30]
        at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:183) ~[tomcat-embed-core-9.0.30.jar!/:9.0.30]
        at org.apache.catalina.core.StandardService.addConnector(StandardService.java:227) ~[tomcat-embed-core-9.0.30.jar!/:9.0.30]
        ... 20 common frames omitted
Caused by: java.lang.IllegalArgumentException: the trustAnchors parameter must be non-empty
        at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:99) ~[tomcat-embed-core-9.0.30.jar!/:9.0.30]
        at org.apache.tomcat.util.net.AbstractJsseEndpoint.initialiseSsl(AbstractJsseEndpoint.java:71) ~[tomcat-embed-core-9.0.30.jar!/:9.0.30]
        at org.apache.tomcat.util.net.NioEndpoint.bind(NioEndpoint.java:217) ~[tomcat-embed-core-9.0.30.jar!/:9.0.30]
        at org.apache.tomcat.util.net.AbstractEndpoint.bindWithCleanup(AbstractEndpoint.java:1141) ~[tomcat-embed-core-9.0.30.jar!/:9.0.30]
        at org.apache.tomcat.util.net.AbstractEndpoint.start(AbstractEndpoint.java:1227) ~[tomcat-embed-core-9.0.30.jar!/:9.0.30]
        at org.apache.coyote.AbstractProtocol.start(AbstractProtocol.java:586) ~[tomcat-embed-core-9.0.30.jar!/:9.0.30]
        at org.apache.catalina.connector.Connector.startInternal(Connector.java:1005) ~[tomcat-embed-core-9.0.30.jar!/:9.0.30]
        ... 22 common frames omitted
Caused by: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty
        at java.security.cert.PKIXParameters.setTrustAnchors(PKIXParameters.java:200) ~[na:1.8.0_302]
        at java.security.cert.PKIXParameters.<init>(PKIXParameters.java:157) ~[na:1.8.0_302]
        at java.security.cert.PKIXBuilderParameters.<init>(PKIXBuilderParameters.java:130) ~[na:1.8.0_302]
        at org.apache.tomcat.util.net.SSLUtilBase.getParameters(SSLUtilBase.java:494) ~[tomcat-embed-core-9.0.30.jar!/:9.0.30]
        at org.apache.tomcat.util.net.SSLUtilBase.getTrustManagers(SSLUtilBase.java:425) ~[tomcat-embed-core-9.0.30.jar!/:9.0.30]
        at org.apache.tomcat.util.net.SSLUtilBase.createSSLContext(SSLUtilBase.java:247) ~[tomcat-embed-core-9.0.30.jar!/:9.0.30]
        at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:97) ~[tomcat-embed-core-9.0.30.jar!/:9.0.30]
        ... 28 common frames omitted

I'm using this Docker container to bring up OpenVAS:
https://github.com/immauss/openvas

Do you suggest any other container?

@neginsadeghi
Author

Maybe my .jks file is somehow corrupted. Can you update the setup-cert.sh file so that it generates all the required certificate files?

@MohsnRaj

MohsnRaj commented Mar 8, 2024

@neginsadeghi Hello, did you manage to fix this problem?

@siewer
Contributor

siewer commented Mar 8, 2024

@neginsadeghi
This problem is somehow related to the SSL/TLS configuration.

Can you confirm that:

  1. You have generated a key pair, e.g. with openssl req -new -newkey rsa:2048 -days 365 -nodes -x509 -keyout private.key -out cert.crt -subj "/CN=localhost" &> /dev/null
  2. taken that pair and generated a PKCS12, e.g. with openssl pkcs12 -export -inkey private.key -in cert.crt -out certificate.p12 -name "localhost" -password pass:changeit
  3. now we have a PKCS12 containing the key pair with alias localhost, protected by the password changeit, so --server.ssl.key-alias=localhost --server.ssl.key-store=certificate.p12 --server.ssl.key-store-password=changeit should be set
  4. generated a JKS or taken the JVM cacerts (e.g. https://stackoverflow.com/questions/11936685/how-to-obtain-the-location-of-cacerts-of-the-default-java-installation) and then passed this cacerts to --server.ssl.trust-store=cacerts --server.ssl.trust-store-password=changeit

This way it should be up and running.
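The four steps above produce the server key pair and its PKCS12 key store, but the exception in the trace, "the trustAnchors parameter must be non-empty" thrown from PKIXParameters.<init>, comes from the trust store, not the key store: the PKIXParameters(KeyStore) constructor that Tomcat's SSLUtilBase.getParameters calls turns only certificate entries (trustedCertEntry) into trust anchors, so a cert.jks that holds the server's key pair but no trusted certificate, or that is empty, fails in exactly this way. The Python script below is an added example, not part of this issue or of the Mixeway project: it builds two small JKS files in memory (one with a trusted certificate, one holding only a key entry), verifies the JKS integrity digest, and counts entries the way the PKIX trust manager would. The certificate payloads are constructed placeholder bytes rather than real DER, and the build_jks/inspect_jks/trust_anchor_count names are the example's own.

```python
"""Count the trust anchors a JKS trust store gives Tomcat's PKIX trust manager.

Added example (not project code). It implements the Sun JavaKeyStore on-disk
format: magic 0xFEEDFEED, version 2, entries tagged 1 (PrivateKeyEntry) or
2 (trustedCertEntry), and a trailing SHA-1 integrity digest keyed with the
store password. Certificate payloads here are constructed placeholder bytes;
the entry *type*, not the certificate content, decides whether
PKIXParameters(KeyStore) yields a trust anchor.
"""
import hashlib
import struct

JKS_MAGIC = 0xFEEDFEED
JKS_VERSION = 2
TAG_PRIVATE_KEY = 1   # PrivateKeyEntry: ignored by PKIXParameters(KeyStore)
TAG_TRUSTED_CERT = 2  # trustedCertEntry: becomes a TrustAnchor
INTEGRITY_SUFFIX = b"Mighty Aphrodite"  # fixed string in the JKS digest


def _utf(s):
    """DataOutputStream.writeUTF(): 2-byte big-endian length + UTF-8 bytes."""
    b = s.encode("utf-8")
    return struct.pack(">H", len(b)) + b


def _digest(password, body):
    """SHA-1(password as UTF-16BE || 'Mighty Aphrodite' || store body)."""
    h = hashlib.sha1()
    h.update(password.encode("utf-16-be"))
    h.update(INTEGRITY_SUFFIX)
    h.update(body)
    return h.digest()


def build_jks(entries, password):
    """Build a JKS from (tag, alias, payload) tuples.

    TAG_TRUSTED_CERT payload: certificate DER bytes.
    TAG_PRIVATE_KEY payload: (protected_key_bytes, [cert DER, ...]).
    """
    out = struct.pack(">III", JKS_MAGIC, JKS_VERSION, len(entries))
    for tag, alias, payload in entries:
        out += struct.pack(">I", tag) + _utf(alias.lower()) + struct.pack(">Q", 0)
        if tag == TAG_TRUSTED_CERT:
            out += _utf("X.509") + struct.pack(">I", len(payload)) + payload
        else:
            key, chain = payload
            out += struct.pack(">I", len(key)) + key + struct.pack(">I", len(chain))
            for der in chain:
                out += _utf("X.509") + struct.pack(">I", len(der)) + der
    return out + _digest(password, out)


def integrity_ok(data, password):
    """True if the trailing 20-byte digest matches the supplied store password."""
    return _digest(password, data[:-20]) == data[-20:]


def inspect_jks(data, password):
    """Verify the digest and return aliases grouped by entry type."""
    if not integrity_ok(data, password):
        raise ValueError("JKS integrity check failed: wrong password or corrupt file")
    body = data[:-20]
    pos = 0

    def take(fmt):
        nonlocal pos
        vals = struct.unpack_from(fmt, body, pos)
        pos += struct.calcsize(fmt)
        return vals

    def take_utf():
        nonlocal pos
        (n,) = take(">H")
        s = body[pos:pos + n].decode("utf-8")
        pos += n
        return s

    magic, version, count = take(">III")
    if magic != JKS_MAGIC or version not in (1, 2):
        raise ValueError("not a JKS keystore (magic=0x%08x version=%d)" % (magic, version))
    found = {"trustedCertEntry": [], "PrivateKeyEntry": []}
    for _ in range(count):
        (tag,) = take(">I")
        alias = take_utf()
        take(">Q")  # creation timestamp, not needed here
        if tag == TAG_TRUSTED_CERT:
            if version == 2:
                take_utf()  # certificate type, e.g. "X.509"
            (n,) = take(">I")
            pos += n  # skip certificate bytes
            found["trustedCertEntry"].append(alias)
        elif tag == TAG_PRIVATE_KEY:
            (n,) = take(">I")
            pos += n  # skip the password-protected key blob
            (chain_len,) = take(">I")
            for _ in range(chain_len):
                if version == 2:
                    take_utf()
                (n,) = take(">I")
                pos += n
            found["PrivateKeyEntry"].append(alias)
        else:
            raise ValueError("unknown JKS entry tag %d" % tag)
    return found


def trust_anchor_count(data, password):
    """Trust anchors PKIXParameters(KeyStore) derives: certificate entries only."""
    return len(inspect_jks(data, password)["trustedCertEntry"])


# Constructed inputs: placeholder blobs stand in for DER certificates.
FAKE_CA_DER = b"\x30\x03\x02\x01\x01"
GOOD_TRUSTSTORE = build_jks([(TAG_TRUSTED_CERT, "ca", FAKE_CA_DER)], "changeit")
# A store that holds only the server key pair (what a keytool -importkeystore
# conversion of certificate.p12 produces) gives Tomcat zero trust anchors.
KEY_ONLY_STORE = build_jks(
    [(TAG_PRIVATE_KEY, "localhost", (b"\x00" * 16, [FAKE_CA_DER]))], "changeit")

if __name__ == "__main__":
    for name, store in (("good", GOOD_TRUSTSTORE), ("key-only", KEY_ONLY_STORE)):
        n = trust_anchor_count(store, "changeit")
        print(name, inspect_jks(store, "changeit"), "->",
              "OK" if n else "Tomcat would fail: trustAnchors must be non-empty")
```

Run it against a real file with inspect_jks(open("pki/cert.jks", "rb").read(), "changeit"). The equivalent check with the JDK tools is keytool -list -keystore pki/cert.jks -storepass changeit, which must show at least one entry of type trustedCertEntry; if it shows only a PrivateKeyEntry, keytool -importcert -noprompt -alias ca -file pki/ca.pem -keystore pki/cert.jks -storepass changeit adds the CA from the issue's pki directory as a trust anchor. Pointing --server.ssl.trust-store at the JVM cacerts also makes Tomcat start, but every public CA then becomes a trust anchor, so any client certificate issued by a public CA would pass the TLS-layer check once client authentication is re-enabled.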
