SSL Setup

[Mrm83]

I am having trouble setting up SSL.

Server doesnt seem to start with my jks ssl file.

The following error shows up on server start.
Any ideas what this is? I am using a positiveSSL cert from namecheap.

Code: Select all

java.lang.reflect.InvocationTargetException
   at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
   at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
   at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
   at java.lang.reflect.Method.invoke(Method.java:498)
   at org.eclipse.jetty.start.Main.invokeMain(Main.java:214)
   at org.eclipse.jetty.start.Main.start(Main.java:457)
   at org.eclipse.jetty.start.Main.main(Main.java:75)
   at com.smartfoxserver.v2.http.JettyServer.start(JettyServer.java:35)
   at com.smartfoxserver.v2.SmartFoxServer.start(SmartFoxServer.java:321)
   at com.smartfoxserver.v2.Main.main(Main.java:14)
Caused by: java.security.UnrecoverableKeyException: Cannot recover key
   at sun.security.provider.KeyProtector.recover(KeyProtector.java:328)
   at sun.security.provider.JavaKeyStore.engineGetKey(JavaKeyStore.java:146)
   at sun.security.provider.JavaKeyStore$JKS.engineGetKey(JavaKeyStore.java:56)
   at sun.security.provider.KeyStoreDelegator.engineGetKey(KeyStoreDelegator.java:96)
   at sun.security.provider.JavaKeyStore$DualFormatJKS.engineGetKey(JavaKeyStore.java:70)
   at java.security.KeyStore.getKey(KeyStore.java:1023)
   at sun.security.ssl.SunX509KeyManagerImpl.<init>(SunX509KeyManagerImpl.java:133)
   at sun.security.ssl.KeyManagerFactoryImpl$SunX509.engineInit(KeyManagerFactoryImpl.java:70)
   at javax.net.ssl.KeyManagerFactory.init(KeyManagerFactory.java:256)
   at org.eclipse.jetty.util.ssl.SslContextFactory.getKeyManagers(SslContextFactory.java:1074)
   at org.eclipse.jetty.util.ssl.SslContextFactory.doStart(SslContextFactory.java:378)
   at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:68)
   at org.eclipse.jetty.util.component.ContainerLifeCycle.start(ContainerLifeCycle.java:132)
   at org.eclipse.jetty.util.component.ContainerLifeCycle.doStart(ContainerLifeCycle.java:114)
   at org.eclipse.jetty.server.SslConnectionFactory.doStart(SslConnectionFactory.java:67)
   at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:68)
   at org.eclipse.jetty.util.component.ContainerLifeCycle.start(ContainerLifeCycle.java:132)
   at org.eclipse.jetty.util.component.ContainerLifeCycle.doStart(ContainerLifeCycle.java:114)
   at org.eclipse.jetty.server.AbstractConnector.doStart(AbstractConnector.java:260)
   at org.eclipse.jetty.server.AbstractNetworkConnector.doStart(AbstractNetworkConnector.java:81)
   at org.eclipse.jetty.server.ServerConnector.doStart(ServerConnector.java:235)
   at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:68)
   at org.eclipse.jetty.server.Server.doStart(Server.java:390)
   at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:68)
   at org.eclipse.jetty.xml.XmlConfiguration$1.run(XmlConfiguration.java:1510)
   at java.security.AccessController.doPrivileged(Native Method)
   at org.eclipse.jetty.xml.XmlConfiguration.main(XmlConfiguration.java:1435)
   ... 10 more


[Mrm83]

ok, i managed to fix this error by making a p12 file from the ca-bundle and cert provided, and then converting that to jks.

going to my https://domain:8443 shows the sfs landing page, and https://ip:8443 fails which is expected i guess.

Now my problem is that Unity standalone is unable to connect to the server at all.

ive made sure cfg.Host = "domain.com" and the cfg.Port is 8443 as configured in the ssl.ini file, but OnConnection(BaseEvent evt) returns failure instead of success.

I am suspecting this is an issue with the port? because non ssl uses 9933 and not 8080 as mentioned from the tutorial, so i am guessing i shouldnt be using 8443 for ssl?

[Mrm83]

I tried using port 8443, it doesn't connect at all. error message is "Connection closed by the remote side ==> NotSocket"

So I reverted back to 9933 and tried calling sfs.InitCrypto (); on connection instead of login, but there is no handshake. nothing comes back, no event for SFSEvent.CRYPTO_INIT.

i am stumped and i cant find any post regarding this problem.

UPDATE:
after hours of digging and trial and error, ive decided to look at the advanced connector tutorial instead of using the forums and site documentations..

and then i spotted this:

Code: Select all

         // Enable protocol encryption on non-WebGL builds only (WebGL build uses WSS protocol already)
         if (useEncryption) {
            // Initialize encryption
            // All builds except Windows Store require a coroutine
            #if UNITY_EDITOR || !UNITY_WINRT_8_1
            StartCoroutine(sfs.InitCrypto());
            #else
            sfs.InitCrypto();
            #endif
         } else {
            // Attempt login
            login();
         }


// All builds except Windows Store require a coroutine

problem solved

[Lapo]

UPDATE:
after hours of digging and trial and error, ive decided to look at the advanced connector tutorial instead of using the forums and site documentations..

I am glad you solved it.
For reference here you find all the instructions to setup your SSL certificate and client connection examples for all platforms:
http://docs2x.smartfoxserver.com/Gettin ... yptography

Also in the documentation website there's a search function that should help you find what you need. (At the top of the left hand menu)

Cheers

[Mrm83]

http://docs2x.smartfoxserver.com/Gettin ... yptography

that was the page i followed and the page that gave me all the grief.

1) nowhere on that page did it mentioned a coroutine was needed
2) using those steps to create the JKS file resulted in the Caused by: java.security.UnrecoverableKeyException: Cannot recover key error on sfs start.
3) all examples referenced the port 8443 when it should remain using 9933 (the page was tailored for ws?)

Using the advanced connector source code was much more accurate.

[Lapo]

that was the page i followed and the page that gave me all the grief.

1) nowhere on that page did it mentioned a coroutine was needed
2) using those steps to create the JKS file resulted in the Caused by: java.security.UnrecoverableKeyException: Cannot recover key error on sfs start.
3) all examples referenced the port 8443 when it should remain using 9933 (the page was tailored for ws?)

Using the advanced connector source code was much more accurate.

I think there's a bit of misunderstanding going on.
In October 2018 we have launched release 1.7.9 of the SFS2X C# API which no longer requires the use of coroutines, and with that the documentation and examples have been updated.

I think you're still using the previous batch of API and examples, which has likely led to the confusion.
You can obtain the latest API and examples here: https://www.smartfoxserver.com/download/#p=client

As regards your point #2, those steps are well tested and they work for most cases as far as we know. Unfortunately it is quite hard to cover all possible situations as every certificate provider can deliver different number of files in different file types etc.

Hope it helps