Hello all,
To provide some context - we've had a recent issue where the datastore/segmentstore of our Author crx-quickstart development environment became corrupted. Using the oak-run checks we confirmed there was no available checkpoint, and we also did not have backups.
As such, we decided to zip the contents of the same environment's Publisher instance, specifically only the datastore and segmentstore directories, and unzipped them on the Author in the expected locations. Every other configuration was left untouched at the filesystem level.
Surprisingly, this worked and AEM started on the expected http port 8080, but not on the configured SSL port 8443. Unfortunately we do not have access to the http port of the client's server and cannot access the UI - but we've sent some test curls and confirmed everything seemed to be working, e.g. the bundles started.
The issue now is with the SSL configuration. Without being able to access the UI, we're trying to upload the key and crt via curl. We've found this endpoint, to which we are sending this curl, which also seems to be working:
curl -X POST -k -u admin:admin \
  http://author-instance:8080/libs/granite/security/post/sslSetup.html \
  -F "keystorePassword=admin" \
  -F "keystorePasswordConfirm=admin" \
  -F "truststorePassword=admin" \
  -F "truststorePasswordConfirm=admin" \
  -F "privatekeyFile=@key.der;type=application/x-x509-ca-cert" \
  -F "certificateFile=@cert.crt;type=application/x-x509-ca-cert" \
  -F "httpsPort=8443"
However, after finally finding the keystore password and overcoming the "Invalid password for existing key store" error, we received this response:
<!DOCTYPE html>
<html lang='en'>
<head>
<title>Error</title>
</head>
<body>
<h1>Error</h1>
<dl>
<dt class='foundation-form-response-status-code'>Status</dt>
<dd>500</dd>
<dt class='foundation-form-response-status-message'>Message</dt>
<dd>com.adobe.granite.crypto.CryptoException: Cannot convert byte data</dd>
<dt class='foundation-form-response-title'>Title</dt>
<dd>Error</dd>
</dl>
</body>
</html>
The error.log shows the following:
*ERROR* [10.27.132.251 [1730053257238] POST /libs/granite/security/post/sslSetup.html HTTP/1.1] com.adobe.granite.security.user.ui.internal.servlets.SSLConfigurationServlet Error while configuring SSL:
java.lang.SecurityException: com.adobe.granite.crypto.CryptoException: Cannot convert byte data
(...stack trace...)
I have a suspicion this may have to do with the fact that we've imported the datastore and segmentstore from the Publisher to the Author, where perhaps the crypto keys may have been pulled alongside it and now something is not matching? However, that would mean there's some sort of other configuration outside of the datastore and segmentstore which we may also have had to pull from the Publisher, or maybe we can just roll back from the Author backup made before pulling the datastore/segmentstore from the Publisher.
I found this article, and this one as well, which mention the "core.adobe.granite.crypto" bundle. Looking at the bundle in the filesystem, catting the "storage" file states "Bundle", which would mean the hmac and master files would be stored on the filesystem - but in that same bundle directory I cannot find any mention of them, nor do I know what to look for exactly. Or even if this is why we're seeing this issue.
Perhaps someone could shine some light on this topic with some ideas. Thank you!
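One concrete way to check the hypothesis raised in the post, as an added example that is not part of the original post: when the Granite Crypto Support bundle's storage type is "Bundle", its key material is the pair of files named `hmac` and `master` in that bundle's data directory, `crx-quickstart/launchpad/felix/bundle<N>/data/`. The script below locates that directory in a crx-quickstart tree purely by looking for those two file names (so it does not depend on knowing the bundle number) and then byte-compares the files of two instances with `cmp`. The `make_fixture` function builds two fake crx-quickstart trees with made-up key bytes so the script runs stand-alone; the `bundle42` directory and the file contents are constructed and not real AEM data.

```shell
#!/bin/sh
# Added example (not from the original post). Locate the Granite Crypto key
# material ("hmac" and "master") of an AEM crx-quickstart tree and compare it
# between two instances, e.g. an Author and the Publisher it was copied from.
# Assumption: the crypto bundle's storage type is "Bundle", so both files live
# in that bundle's data directory under launchpad/felix/bundle<N>/data.

# Print the directory holding both key files for the given crx-quickstart
# path; return 1 if no bundle data directory contains both "hmac" and "master".
crypto_key_dir() {
  felix="$1/launchpad/felix"
  [ -d "$felix" ] || return 1
  for m in "$felix"/bundle*/data/master; do
    [ -f "$m" ] || continue
    d=$(dirname "$m")
    if [ -f "$d/hmac" ]; then
      printf '%s\n' "$d"
      return 0
    fi
  done
  return 1
}

# Compare hmac and master of two instances byte for byte.
# Returns 0 if both files are identical, 1 if either differs,
# 2 if one of the instances has no key material on the filesystem.
compare_crypto_keys() {
  a=$(crypto_key_dir "$1") || { echo "no key material found under $1"; return 2; }
  b=$(crypto_key_dir "$2") || { echo "no key material found under $2"; return 2; }
  status=0
  for f in hmac master; do
    if cmp -s "$a/$f" "$b/$f"; then
      echo "$f: same"
    else
      echo "$f: different ($a/$f vs $b/$f)"
      status=1
    fi
  done
  return $status
}

# Constructed fixture (fake key bytes, fake bundle number) so the script can be
# exercised without a real AEM install. Prints the temporary root directory.
make_fixture() {
  root=$(mktemp -d)
  for inst in author publish; do
    mkdir -p "$root/$inst/crx-quickstart/launchpad/felix/bundle42/data"
  done
  printf 'fake-author-master'  > "$root/author/crx-quickstart/launchpad/felix/bundle42/data/master"
  printf 'fake-author-hmac'    > "$root/author/crx-quickstart/launchpad/felix/bundle42/data/hmac"
  printf 'fake-publish-master' > "$root/publish/crx-quickstart/launchpad/felix/bundle42/data/master"
  printf 'fake-publish-hmac'   > "$root/publish/crx-quickstart/launchpad/felix/bundle42/data/hmac"
  printf '%s\n' "$root"
}

# Usage against real instances (paths are examples):
#   compare_crypto_keys /opt/aem/author/crx-quickstart /opt/aem/publish/crx-quickstart
```

On real instances, pass the two crx-quickstart directories as arguments. A "different" result means the two instances do not share key material; a return code of 2 means the files are not where a "Bundle" storage type would put them, which is worth knowing before assuming the keys were or were not carried over with the repository.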