I've followed this guide to enable https on aem (https://docs.adobe.com/docs/en/aem/6-1/deploy/configuring/config-ssl.html).
All good. After testing it I decide to change the https port. And I just can't, the value changes in crx but it doesn't get applied. No matter what value I use or how many times I restart aem. I don't see any errors in the log.
I suspect this has little to do with https itself and that it's a bundle caching thing. Any suggestions on where to look?
Same thing happens if I change the alias of key in the keystore.
However if I change the keystore path (org.apache.felix.https.keystore) it is picked up immediately.
ideally you shouldn't even need a restart. the updated config should be picked up. you should see logs about jetty service restarting and then listening to the configured port. Is the server still listening to requests at the old port ?
That is correct, it doesn't change.
Honestly I don't care much about the port, it was meant as a simple test.
However I do care about the key alias. And most importantly, after a lot of testing it seems to me that aem completely ignores the supplied key alias and just picks one from the keystore. The only "solution" I've found to this is to delete the key that is currently being picked so that it will pick another. I believe this is usually not a problem, because keystores tend to be local and have a single key, but since I'm integrating with an HSM it has many keys which I obviously can't arbitrarily delete.
I believe this to be a very serious bug. Is this the proper channel to report it?
Note: parameters as the keystore path & keystore password do work as expected and are reloaded immediately after being modified.
That is strange. I've played with this 2 months back on 6.1 with no issues. Can you check if there is a random node created under this path /system/sling/installer/jcr/pauseInstallation? If this path is clean, can you try configuring ssl from the console "Apache Felix Jetty Based Http Service"
Thanks a lot for your suggestion. I tried it and here are my findings:
- Nothing under /system/sling/installer/jcr/pauseInstallation
- Changing using it through the OSGI console as suggested did work for the port and it changed and worked even without a restart.
- As I've read elsewhere changing the values through the OSGI console destroyed my properties structure and generated a single entry (/apps/system/config.author/org.apache.felix.http.config) with content like:
# Configuration created by Apache Sling JCR Installer
Not a problem in this case, but something to be mindful about.
- And most importantly it generated a key for "org.apache.felix.https.keystore.key.password", BUT not for "org.apache.felix.https.keystore.key". To me this suggests that AEM is simply iterating the keystore for a key that it can access and once it founds one it just uses it. The alias (as specified in https://docs.adobe.com/docs/en/aem/6-1/deploy/configuring/config-ssl.html & felix documentation) is simply ignored. My testing matches this assumption. Can anyone at adobe confirm this?
Just finished some extra testing.
My conclusion is that the HTTPS configuration works as long as there's only one key in the keystore. Just adding an extra keys breaks it.
BTW this is AEM 6.1
THis is good information - can you post the steps that you did so community can try and reproduce.
Yes, it's actually very simple.
First configure HTTPS following this: https://docs.adobe.com/docs/en/aem/6-1/deploy/configuring/config-ssl.html
After it works just add an extra key to the keystore, for example:
$ keytool -genkeypair -keyalg RSA -validity 3650 -alias test111.com -keystore ssl/aem.keystore -keypass 111111 -storepass 123456 -dname "CN=test111.com, OU=Group Name, O=Company Name,L=City Name, S=State, C=AU"
Then it doesn't work anymore.
I am checking into this. Its either a product bug or a doc bug. If only 1 key is suppose to be used - then the docs should state that. Thank you for your feedback.
As per my understanding currently only one key is supported. You can have https enable on multiple ports using different keystore as in Apache Felix Jetty Based Http Service you can provide path for only 1 keystore.
Also see How to enable https in aem for more info.