Daily Log for #alfresco IRC Channel

Alfresco discussion and collaboration. Stick around a few hours after asking a question.

Official support for Enterprise subscribers: support.alfresco.com.

Joining the Channel:

Join in the conversation by getting an IRC client and connecting to #alfresco at Freenode. Or you can use the IRC web chat.

More information about the channel is in the wiki.

Getting Help

More help is available in this list of resources.

Daily Log for #alfresco

2019-07-26 19:05:17 GMT <alfresco-discord> <jpotts> Has anyone had trouble getting 6.1 to authenticate against LDAP using LDAPS on port 636? 5.2 works great. 6.1 with the same LDAP config gets a handshake exception.

2019-07-26 19:05:22 GMT <alfresco-discord> <jpotts> org.alfresco.repo.security.authentication.AuthenticationException: 06260033 Failed to communicate with ldaps://ldap-sn.foo.bar.baz:636. Reason javax.naming.CommunicationException, simple bind failed: ldap-sn.foo.bar.baz:636, javax.net.ssl.SSLHandshakeException, Remote host terminated the handshake, java.io.EOFException, SSL peer shut down incorrectly

2019-07-26 19:06:04 GMT <alfresco-discord> <jpotts> I've imported the LDAP server's certificates into a JKS file and pointed to that from LDAP config. I've also imported those certs into OpenJDK 11.0.1 cacerts just in case.

2019-07-26 19:07:29 GMT <alfresco-discord> <jpotts> No other Alfresco 5.2 servers are having this problem and this exact machine was working fine prior to the upgrade to 6.1, so the only diff is the Alfresco version and the JDK version.

2019-07-26 20:12:13 GMT <alfresco-discord> <dgradecak> @jpotts on 6.0.x I had no issue with ldaps, unfortunately don't know yet for 6.1

2019-07-26 20:13:00 GMT <alfresco-discord> <dgradecak> certs are valid?

2019-07-26 20:14:13 GMT <alfresco-discord> <jpotts> yes

2019-07-26 20:14:16 GMT <alfresco-discord> <dgradecak> self signed?

2019-07-26 20:14:18 GMT <alfresco-discord> <jpotts> no

2019-07-26 20:14:28 GMT <alfresco-discord> <jpotts> I don't actually think this is a cert issue

2019-07-26 20:14:42 GMT <alfresco-discord> <jpotts> I am thinking it is an OpenJDK 11.0.1 issue

2019-07-26 20:15:03 GMT <alfresco-discord> <dgradecak> ah could be who knows indeed

2019-07-26 20:15:39 GMT <alfresco-discord> <dgradecak> I hope you do not need a specific module for that 😉 I went crazy with xml stuff lately

2019-07-26 20:15:53 GMT <alfresco-discord> <dgradecak> and openjdk 11

2019-07-26 20:16:47 GMT <alfresco-discord> <dgradecak> I know you did check, but I think people had such issues because they added the certs in the wrong "JAVA_HOME"

2019-07-26 20:20:54 GMT <alfresco-discord> <dgradecak> something similar on jenkins ... https://issues.jenkins-ci.org/browse/JENKINS-58603

2019-07-26 20:22:43 GMT <alfresco-discord> <dgradecak> would like to hear how you solved it, as I will have a 6.1 with jdk 11 install next week 😦

2019-07-26 20:44:04 GMT <alfresco-discord> <jpotts> That's definitely a good thought, but I've added the certs to cacerts in $JAVA_HOME/lib/security where JAVA_HOME is the JDK 11.0.1 home

2019-07-26 20:45:23 GMT <alfresco-discord> <jpotts> That TLS workaround in that Jenkins issue looks very promising. I'm going to try it and report back

2019-07-26 20:48:45 GMT <AFaust> jpotts: Just recently done an upgrade to 6.1 with LDAPS using just the custom keystore/truststore config properties of the ldap subsystem, and worked like a charm. Using Alfresco Docker images with OpenJDK 11

2019-07-26 20:50:13 GMT <AFaust> I really hate when people mess with the cacerts truststore of the Java install. That's typically a sign of badly designed software (lack of truststore config options), lack of documentation or lack of RTFM

2019-07-26 21:02:37 GMT <alfresco-discord> <jpotts> The workaround documented in the Jenkins issue that @dgradecak found is the solution

2019-07-26 21:03:15 GMT <alfresco-discord> <jpotts> You must add JAVA_OPTS="$JAVA_OPTS -Djdk.tls.client.protocols=TLSv1.1,TLSv1 -Dhttps.protocols=TLSv1.1,TLSv1" to catalina.sh (or similar)

2019-07-26 21:03:36 GMT <alfresco-discord> <jpotts> Or JDK 11.0.1 will get a handshake exception when talking to LDAP over SSL

2019-07-26 21:04:52 GMT <alfresco-discord> <jpotts> This is manually-installed enterprise with OpenJDK 11.0.1 reference build from https://jdk.java.net/archive/

2019-07-26 21:04:53 GMT <alfbot> Title:Archived OpenJDK GA Releases (at jdk.java.net)

2019-07-26 21:06:02 GMT <alfresco-discord> <jpotts> I did not see this referenced anywhere in the docs, so I chalk this up as another case of Alfresco saying, "If you aren't going to use Kubernetes you are on your own"

2019-07-26 21:42:43 GMT <AFaust> No surprise there. Have to keep that in mind for my custom Docker images - only use the default images for really "standard"-focused customers.

End of Daily Log

The other logs are at http://esplins.org/hash_alfresco