AEM Author 6.5 cold standby is unable to sync due to invalid certificate
October 1, 2024
Solved

Hello Team,

We are setting up AEM Author Cold Standby with SSL and attempting to configure the certificates. However, we're encountering the following error:
"File does not contain valid certificates: D:\aem-author-sit2-2024\certificate.crt"
This is the certificate referenced in the chain certificate configuration. We have been unable to find any documentation outlining the required certificate format for AEM.

Could you provide the steps or commands necessary to generate a self-signed certificate with OpenSSL support that AEM Cold Standby will accept?

Error message:

26.09.2024 07:42:48.143 *WARN* [primary-2] org.apache.jackrabbit.oak.segment.standby.server.ExceptionHandler Exception caught on the server
javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
at java.base/sun.security.ssl.SSLSessionImpl.getPeerCertificateChain(SSLSessionImpl.java:611)
at org.apache.jackrabbit.oak.segment.standby.netty.SSLSubjectMatcher.userEventTriggered(SSLSubjectMatcher.java:47) [org.apache.jackrabbit.oak-segment-tar:1.22.20]
at io.netty.channel.AbstractChannelHandlerContext.invokeUserEventTriggered(AbstractChannelHandlerContext.java:400) [org.apache.jackrabbit.oak-segment-tar:1.22.20]
at io.netty.channel.AbstractChannelHandlerContext.invokeUserEventTriggered(AbstractChannelHandlerContext.java:376) [org.apache.jackrabbit.oak-segment-tar:1.22.20]
at io.netty.channel.AbstractChannelHandlerContext.fireUserEventTriggered(AbstractChannelHandlerContext.java:368) [org.apache.jackrabbit.oak-segment-tar:1.22.20]
at io.netty.handler.ssl.SslHandler.setHandshakeSuccess(SslHandler.java:1940) [org.apache.jackrabbit.oak-segment-tar:1.22.20]
at io.netty.handler.ssl.SslHandler.wrapNonAppData(SslHandler.java:999) [org.apache.jackrabbit.oak-segment-tar:1.22.20]
at io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1511) [org.apache.jackrabbit.oak-segment-tar:1.22.20]
at io.netty.handler.ssl.SslHandler.decodeJdkCompatible(SslHandler.java:1338) [org.apache.jackrabbit.oak-segment-tar:1.22.20]
at io.netty.handler.ssl.SslHandler.decode(SslHandler.java:1387) [org.apache.jackrabbit.oak-segment-tar:1.22.20]
at io.netty.handler.codec.ByteToMessageDecoder.decodeRemovalReentryProtection(ByteToMessageDecoder.java:529) [org.apache.jackrabbit.oak-segment-tar:1.22.20]
at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:468) [org.apache.jackrabbit.oak-segment-tar:1.22.20]
at io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:290) [org.apache.jackrabbit.oak-segment-tar:1.22.20]
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:444) [org.apache.jackrabbit.oak-segment-tar:1.22.20]
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:420) [org.apache.jackrabbit.oak-segment-tar:1.22.20]
at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:412) [org.apache.jackrabbit.oak-segment-tar:1.22.20]
at io.netty.channel.DefaultChannelPipeline$HeadContext.channelRead(DefaultChannelPipeline.java:1410) [org.apache.jackrabbit.oak-segment-tar:1.22.20]
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:440) [org.apache.jackrabbit.oak-segment-tar:1.22.20]
at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:420) [org.apache.jackrabbit.oak-segment-tar:1.22.20]
at io.netty.channel.DefaultChannelPipeline.fireChannelRead(DefaultChannelPipeline.java:919) [org.apache.jackrabbit.oak-segment-tar:1.22.20]
at io.netty.channel.nio.AbstractNioByteChannel$NioByteUnsafe.read(AbstractNioByteChannel.java:166) [org.apache.jackrabbit.oak-segment-tar:1.22.20]
at io.netty.channel.nio.NioEventLoop.processSelectedKey(NioEventLoop.java:788) [org.apache.jackrabbit.oak-segment-tar:1.22.20]
at io.netty.channel.nio.NioEventLoop.processSelectedKeysOptimized(NioEventLoop.java:724) [org.apache.jackrabbit.oak-segment-tar:1.22.20]
at io.netty.channel.nio.NioEventLoop.processSelectedKeys(NioEventLoop.java:650) [org.apache.jackrabbit.oak-segment-tar:1.22.20]
at io.netty.channel.nio.NioEventLoop.run(NioEventLoop.java:562) [org.apache.jackrabbit.oak-segment-tar:1.22.20]
at io.netty.util.concurrent.SingleThreadEventExecutor$4.run(SingleThreadEventExecutor.java:997) [org.apache.jackrabbit.oak-segment-tar:1.22.20]
at io.netty.util.internal.ThreadExecutorMap$2.run(ThreadExecutorMap.java:74) [org.apache.jackrabbit.oak-segment-tar:1.22.20]
at java.base/java.lang.Thread.run(Thread.java:834)
26.09.2024 07:42:49.466 *ERROR* [CM Event Dispatcher (Fire ConfigurationEvent: pid=org.apache.jackrabbit.oak.segment.standby.store.StandbyStoreService)] org.apache.jackrabbit.oak.segment.standby.server.StandbyServer Server could not be started.
java.lang.IllegalArgumentException: File does not contain valid certificates: D:\aem-author-sit2-2024\certificate.crt
at io.netty.handler.ssl.SslContextBuilder.keyManager(SslContextBuilder.java:385) [org.apache.jackrabbit.oak-segment-tar:1.22.20]
at io.netty.handler.ssl.SslContextBuilder.forServer(SslContextBuilder.java:120) [org.apache.jackrabbit.oak-segment-tar:1.22.20]
at org.apache.jackrabbit.oak.segment.standby.server.StandbyServer.<init>(StandbyServer.java:221) [org.apache.jackrabbit.oak-segment-tar:1.22.20]
at org.apache.jackrabbit.oak.segment.standby.server.StandbyServer.<init>(StandbyServer.java:60) [org.apache.jackrabbit.oak-segment-tar:1.22.20]
at org.apache.jackrabbit.oak.segment.standby.server.StandbyServer$Builder.build(StandbyServer.java:212) [org.apache.jackrabbit.oak-segment-tar:1.22.20]
at org.apache.jackrabbit.oak.segment.standby.server.StandbyServerSync.start(StandbyServerSync.java:263) [org.apache.jackrabbit.oak-segment-tar:1.22.20]
at org.apache.jackrabbit.oak.segment.standby.store.StandbyStoreService.bootstrapPrimary(StandbyStoreService.java:214) [org.apache.jackrabbit.oak-segment-tar:1.22.20]
at org.apache.jackrabbit.oak.segment.standby.store.StandbyStoreService.activate(StandbyStoreService.java:170) [org.apache.jackrabbit.oak-segment-tar:1.22.20]
at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.base/java.lang.reflect.Method.invoke(Method.java:566)
at org.apache.felix.scr.impl.inject.methods.BaseMethod.invokeMethod(BaseMethod.java:244) [org.apache.felix.scr:2.1.30]
at org.apache.felix.scr.impl.inject.methods.BaseMethod.access$500(BaseMethod.java:41) [org.apache.felix.scr:2.1.30]
at org.apache.felix.scr.impl.inject.methods.BaseMethod$Resolved.invoke(BaseMethod.java:685) [org.apache.felix.scr:2.1.30]
at org.apache.felix.scr.impl.inject.methods.BaseMethod.invoke(BaseMethod.java:529) [org.apache.felix.scr:2.1.30]
at org.apache.felix.scr.impl.inject.methods.ActivateMethod.invoke(ActivateMethod.java:318) [org.apache.felix.scr:2.1.30]
at org.apache.felix.scr.impl.inject.methods.ActivateMethod.invoke(ActivateMethod.java:308) [org.apache.felix.scr:2.1.30]
at org.apache.felix.scr.impl.manager.SingleComponentManager.createImplementationObject(SingleComponentManager.java:354) [org.apache.felix.scr:2.1.30]
at org.apache.felix.scr.impl.manager.SingleComponentManager.createComponent(SingleComponentManager.java:115) [org.apache.felix.scr:2.1.30]
at org.apache.felix.scr.impl.manager.SingleComponentManager.getService(SingleComponentManager.java:1000) [org.apache.felix.scr:2.1.30]
at org.apache.felix.scr.impl.manager.SingleComponentManager.getServiceInternal(SingleComponentManager.java:973) [org.apache.felix.scr:2.1.30]
at org.apache.felix.scr.impl.manager.AbstractComponentManager.activateInternal(AbstractComponentManager.java:785) [org.apache.felix.scr:2.1.30]
at org.apache.felix.scr.impl.manager.SingleComponentManager.reconfigure(SingleComponentManager.java:750) [org.apache.felix.scr:2.1.30]

kautuk_sahni
Community Manager
October 17, 2024

@imran__khan @briankasingli @lukasz-m @jagadeesh_prakash @markusbullaadobe @sherinregi-1 @sarav_prakash Curious to hear your perspectives on this question. Do you all mind sharing your thoughts?

Kautuk Sahni

sarav_prakash
Community Advisor
October 17, 2024

@madalavenkat7, did you check the SSL Wizard? There is good documentation here and here. Most times it's a corrupted certificate that fails. There are different ways to verify a certificate before uploading. Also, in the past, we faced issues generating a cert on a Windows machine vs a Mac machine. Windows handles CRLF differently from Mac machines. The Windows certificate failed but the certificate from the Mac machine worked. Try that out if possible.
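
A structural pre-check for the file named in the "File does not contain valid certificates" error, as an added example that is not part of the original thread or of the AEM/Oak code. The stack trace shows Netty's `SslContextBuilder.keyManager` rejecting the file, and that file-based API reads PEM-encoded X.509 certificates; `diagnose_cert_file`, `to_pem` and the sample bytes are names and data constructed for this illustration.

```python
import base64
import binascii
import re

# PEM armor around one X.509 certificate body.
PEM_CERT = re.compile(
    rb"-----BEGIN CERTIFICATE-----\s+([A-Za-z0-9+/=\s]+?)-----END CERTIFICATE-----"
)

def diagnose_cert_file(data):
    """Return (usable_block_count, findings) for the raw bytes of a chain file."""
    if data[:2] in (b"\xff\xfe", b"\xfe\xff"):
        return 0, ["UTF-16 text: re-save as ASCII/UTF-8"]
    if b"-----BEGIN" not in data:
        if data[:1] == b"\x30":  # DER SEQUENCE tag
            return 0, ["binary DER: convert to PEM"]
        return 0, ["no PEM armor found"]
    findings = []
    if b"\r\n" in data:
        findings.append("CRLF line endings present")  # informational only
    blocks = PEM_CERT.findall(data)
    if not blocks:
        findings.append("no CERTIFICATE block (key, CSR or PKCS#7 file?)")
    usable = 0
    for i, body in enumerate(blocks):
        try:
            der = base64.b64decode(b"".join(body.split()), validate=True)
        except binascii.Error:
            findings.append(f"block {i}: invalid base64")
            continue
        if der[:1] != b"\x30":
            findings.append(f"block {i}: body is not a DER SEQUENCE")
            continue
        usable += 1
    return usable, findings

# Constructed placeholder shaped like a DER SEQUENCE header; NOT a real certificate.
SAMPLE_DER = b"\x30\x82\x01\x00" + bytes(range(256))

def to_pem(der, newline=b"\n"):
    """Wrap DER bytes in CERTIFICATE armor with 64-character lines."""
    b64 = base64.b64encode(der)
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return newline.join(
        [b"-----BEGIN CERTIFICATE-----", *lines, b"-----END CERTIFICATE-----", b""]
    )

if __name__ == "__main__":
    for label, blob in [("pem", to_pem(SAMPLE_DER)), ("der", SAMPLE_DER)]:
        print(label, diagnose_cert_file(blob))
```

Run it on the bytes of the file named in the error, for example `diagnose_cert_file(open(path, "rb").read())`. A file reported as binary DER can be converted with `openssl x509 -inform DER -in certificate.crt -out certificate.pem`.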

madalavenkat7 (Author, Accepted solution)
Level 2
October 18, 2024

Hello @sarav_prakash ,

Thanks for the reply.

The SSL certificates are working fine, as confirmed by the SSL wizard. The primary instance is serving over HTTPS with a valid SSL certificate. The sync process was working fine before SSL was enabled, but the issue occurred after enabling SSL. On the cold standby, no additional configuration is needed (and actually can't be done, since the console isn't available) because all content syncs from the primary.

Level 2
October 18, 2024

Hello @kautuk_sahni ,

My issue remains unresolved, as I mentioned that the sync is still not working with SSL enabled.