Configuring SSL on Jetty

I'm trying to configure my jetty environment to be able to have a secure connection.

I've run the steps described on the official jetty documentation :https://www.eclipse.org/jetty/documentation/9.4.31.v20200723/jetty-ssl-distribution.html. but with no success..

Steps to recreate:

1. java -jar start.jar --create-startd --add-to-start=ssl
2. java -jar start.jar --add-to-start=ssl,conscrypt
3. java -jar start.jar --add-to-startd=ssl,https
4. update start.d/ssl.ini with the values:

--module=ssl
jetty.ssl.host=0.0.0.0
jetty.ssl.port=8583
jetty.sslContext.keyStorePath=etc/keystore
jetty.sslContext.trustStorePath=etc/keystore
jetty.sslContext.keyStorePassword=OBF:
jetty.sslContext.keyManagerPassword=OBF:
jetty.sslContext.trustStorePassword=OBF:
 #Enable client certificate authentication.
jetty.sslContext.needClientAuth=true

For generating the keystore I followed the steps:

openssl genrsa -des3 -out jetty.key
openssl req -new -x509 -key jetty.key -out jetty.crt
keytool -keystore keystore -import -alias jetty -file jetty.crt -trustcacerts
openssl req -new -key jetty.key -out jetty.csr
openssl pkcs12 -inkey jetty.key -in jetty.crt -export -out jetty.pkcs12
keytool -importkeystore -srckeystore jetty.pkcs12 -srcstoretype PKCS12 -destkeystore keystore

As last step I've obfuscated the password and updated it into start.d/ssl.ini file.

ISSUE

I'm facing with an error which say something like

2020-09-28 13:51:46.896:INFO::main: Logging initialized @523ms to org.eclipse.jetty.util.log.StdErrLog
2020-09-28 13:51:47.387:WARN:oejs.HomeBaseWarning:main: This instance of Jetty is not running from a separate {jetty.base} directory, this is not recommended.  See documentation at http://www.eclipse.org/jetty/documentation/current/startup.html
2020-09-28 13:51:47.414:INFO:oejs.Server:main: jetty-9.4.31.v20200723; built: 2020-07-23T17:57:36.812Z; git: 450ba27947e13e66baa8cd1ce7e85a4461cacc1d; jvm 11.0.8+10-LTS
2020-09-28 13:51:47.460:INFO:oejdp.ScanningAppProvider:main: Deployment monitor [file:///opt/jetty-distribution-9.4.31.v20200723/webapps/] at interval 1
2020-09-28 13:51:47.796:INFO:oejus.SslContextFactory:main: x509=X509@6853425f(jetty,h=[jettyhttp2sample.organicdesign.org],w=[]) for Server@5a9f4771[provider=Conscrypt,keyStore=file:///opt/jetty-distribution-9.4.31.v20200723/etc/keystore,trustStore=file:///opt/jetty-distribution-9.4.31.v20200723/etc/keystore]
2020-09-28 13:51:47.799:INFO:oejus.SslContextFactory:main: Unable to get KeyManagerFactory instance for algorithm [SunX509] on provider [Conscrypt], using default
2020-09-28 13:51:47.882:INFO:oejs.AbstractConnector:main: Started ServerConnector@46c1a1fc{SSL, (ssl, http/1.1)}{localhost:8443}
2020-09-28 13:51:47.886:INFO:oejs.AbstractConnector:main: Started ServerConnector@7b205dbd{HTTP/1.1, (http/1.1)}{0.0.0.0:8080}
2020-09-28 13:51:47.887:INFO:oejs.Server:main: Started @1514ms

Unable to get KeyManagerFactory instance for algorithm [SunX509] on provider [Conscrypt], using default

Any help is appreciated

Thanks.

There's no error being reported here, this is normal fallback operations for alternate providers (conscrypt in your case).

The Conscrypt security provider doesn't support the SunX509 algorithm for KeyManagerFactory, so it falls back to the JVM default implementation.

Also, don't edit files in your jetty-home / jetty-distribution directly, that's a much bigger WARN, use the distribution correctly and separate your jetty-home from your jetty-base per the documentation linked in that WARN message. This ancient technique for managing the configuration of Jetty standalone has been completely removed in Jetty 10 and Jetty 11!