Summary
For OpsCenter releases 6.0.0 to 6.0.2, the OpsCenter webserver might not start up correctly when HTTPS is configured with SSL certificates that include a CA chain.
Symptoms
SSL certificates that contain a chain may produce the following error in the opscenterd.log file. The webserver fails to start, although the opscenterd process is still running:
2016-08-10 12:40:32,622 [opscenterd] ERROR: Unable to start up the OpsCenter webserver. (MainThread)
2016-08-10 12:40:32,640 [opscenterd] ERROR: Traceback (most recent call last):
  File "/usr/share/opscenter/jython/Lib/site-packages/opscenterd/OpsCenterdService.py", line 111, in setupWebServer
  File "/usr/share/opscenter/jython/Lib/site-packages/opscenterd/WebServer.py", line 108, in makeWebServer
  File "/usr/share/opscenter/jython/Lib/site-packages/opscenterd/SslUtils.py", line 24, in make_ssl_context_factory
  File "/usr/share/opscenter/lib/py/twisted/internet/legacy_ssl.py", line 1133, in __init__
    self.cacheContext()
  File "/usr/share/opscenter/lib/py/twisted/internet/legacy_ssl.py", line 1142, in cacheContext
    ctx.load_cert_chain(self.certificateFileName, keyfile=self.privateKeyFileName) # Automatically checks against private key
  File "/usr/share/opscenter/lib/jvm/jython-standalone-2.7.0.3.jar/Lib/ssl.py", line 1035, in load_cert_chain
    self._key_managers = _get_openssl_key_manager(certfile, keyfile, password, _key_store=self._key_store)
  File "/usr/share/opscenter/lib/jvm/jython-standalone-2.7.0.3.jar/Lib/ssl.py", line 1035, in load_cert_chain
    self._key_managers = _get_openssl_key_manager(certfile, keyfile, password, _key_store=self._key_store)
  File "/usr/share/opscenter/lib/jvm/jython-standalone-2.7.0.3.jar/Lib/_sslcerts.py", line 136, in _get_openssl_key_manager
    raise SSLError(SSL_ERROR_SSL, "key values mismatch")
SSLError: [Errno 1] key values mismatch
 (MainThread)
2016-08-10 12:40:32,642 [opscenterd] ERROR: There was an error starting the OpsCenterd process: Traceback (most recent call last):
  File "/usr/share/opscenter/jython/Lib/site-packages/opscenterd/OpsCenterdService.py", line 49, in startService
  File "/usr/share/opscenter/jython/Lib/site-packages/opscenterd/OpsCenterdService.py", line 123, in setupWebServer
NameError: global name 'System' is not defined
 (MainThread)
Cause
With OpsCenter 6.0.x, the opscenterd codebase was migrated to Jython. An upstream bug was identified in Jython's handling of SSL certificates, and a patch was issued for it. That patch had not been ported into OpsCenter at the time.
This is outlined in the following internal Jira:
OPSC-9999 - Opscenterd will not start up with HTTPs SSL certificates that use intermediate certificates
Solution
Upgrading to OpsCenter 6.0.3 will ensure the latest patch is included to resolve the issue.
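
A triage helper for the symptom, certificate layout and affected releases described above, as an added example (not DataStax or OpsCenter code). The function names and verdict labels are hypothetical, and the sample log and PEM text are constructed:

```python
import re

# Strings copied from the opscenterd.log excerpt on this page.
WEBSERVER_FAIL = "Unable to start up the OpsCenter webserver"
KEY_MISMATCH = "SSLError: [Errno 1] key values mismatch"
AFFECTED = {(6, 0, 0), (6, 0, 1), (6, 0, 2)}  # releases named in the Summary
PEM_CERT = re.compile(
    r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S)


def count_pem_certs(pem_text):
    """Count certificate blocks in a PEM file; more than one means a chain."""
    return len(PEM_CERT.findall(pem_text))


def diagnose(log_text, pem_text, version):
    """Classify a startup failure (hypothetical helper; the labels are ours).

    known-issue    : affected release, chained certificate file, error logged
    check-key-pair : mismatch logged, but not explained by this page, so
                     verify that the private key belongs to the certificate
    no-match       : the log does not show this failure
    """
    if WEBSERVER_FAIL not in log_text or KEY_MISMATCH not in log_text:
        return "no-match"
    parts = tuple(int(p) for p in re.findall(r"\d+", version)[:3])
    chained = count_pem_certs(pem_text) > 1
    return "known-issue" if parts in AFFECTED and chained else "check-key-pair"


# Constructed sample input: log lines in the page's format and PEM files
# whose bodies are placeholders, not real certificates.
SAMPLE_LOG = (
    "2016-08-10 12:40:32,622 [opscenterd] ERROR: Unable to start up "
    "the OpsCenter webserver. (MainThread)\n"
    "SSLError: [Errno 1] key values mismatch\n")
ONE_CERT = ("-----BEGIN CERTIFICATE-----\nQ09OU1RSVUNURUQ=\n"
            "-----END CERTIFICATE-----\n")
CHAIN = ONE_CERT * 3  # leaf + intermediate + root, all constructed

if __name__ == "__main__":
    for pem, ver in ((CHAIN, "6.0.2"), (ONE_CERT, "6.0.2"), (CHAIN, "6.0.3")):
        print(ver, count_pem_certs(pem), diagnose(SAMPLE_LOG, pem, ver))
```

The `check-key-pair` verdict keeps a real key/certificate mismatch from being attributed to this issue when the file holds a single certificate or the release is outside 6.0.0 to 6.0.2.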