Bug 996558 - Https connection hangs after adding https connector
Https connection hangs after adding https connector
Product: JBoss Enterprise Application Platform 6
Classification: JBoss
Component: Web (Show other bugs)
Unspecified Unspecified
unspecified Severity high
: CR2
: EAP 6.2.0
Assigned To: Jean-frederic Clere
Radim Hatlapatka
Russell Dickenson
Depends On:
  Show dependency treegraph
Reported: 2013-08-13 08:43 EDT by Petr Sakař
Modified: 2017-08-07 09:36 EDT (History)
9 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
When adding an HTTPS connector via the management CLI, any attempted connection would hang, despite each command completing successful. The cause of the issue was that the connector was started as soon as it was created, yet its configuration was incomplete, preventing the connector working as expected. A workaround in this instance was to wrap the configuration commands in a `batch`, `end-batch` sequence, so that all configuration statements were completed together. The root cause of this issue has been resolved and access to a HTTP connector is successful, whether or not the configuration statements are completed in sequence or as a management CLI batch.
Story Points: ---
Clone Of:
Last Closed: 2013-12-15 11:17:27 EST
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)
server certificate (1.31 KB, application/octet-stream)
2013-08-13 08:43 EDT, Petr Sakař
no flags Details
war with index.html (1.11 KB, application/zip)
2013-08-13 08:44 EDT, Petr Sakař
no flags Details

  None (edit)
Description Petr Sakař 2013-08-13 08:43:57 EDT
Created attachment 786135 [details]
server certificate

Description of problem:

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
Start AS standalone server
1. Download attached war and keystore to /tmp/
2. Execute CLI command /core-service=management/security-realm=jbossws-cli-tests-https-realm/:add
Result {"outcome" => "success"}
3. Execute CLI command /subsystem=web/connector=jbossws-cli-tests-https-connector/:add(protocol="HTTP/1.1",scheme="https",secure=true, socket-binding=https,enabled=true)
Result {"outcome" => "success"}
4. Execute CLI command /subsystem=web/connector=jbossws-cli-tests-https-connector/ssl=configuration:add(password="changeit",certificate-key-file="/tmp/server.keystore",verify-client=false, key-alias=tomcat, protocol=https)
Result {"outcome" => "success"}
5. Execute CLI command deploy /tmp/test.war
Result {"outcome" => "success","result" => {"step-1" => {"outcome" => "success"},"step-2" => {"outcome" => "success"}}}
6. open in browser https://localhost:8443/test/index.html

Actual results:
page is not loaded, connection hangs

Expected results:
either page is correctly loaded 
operation result is reload required and page should not be available

Additional info:
after reload page is available
Comment 1 Petr Sakař 2013-08-13 08:44:58 EDT
Created attachment 786136 [details]
war with index.html
Comment 2 Aleksandar Kostadinov 2013-09-21 13:17:00 EDT
I'm also experiencing the same behavior when trying to add a native ssl connector. If I add the connector with two separate cli commands, then attempting to open a https URL results in connection hand and eventually timing out in the browser. Server restart fixes the issue.
On the other hand, using the same two commands to within a batch, makes everything work correctly.

The problem is that there is no error message in cli console or server log to indicate any problem. So user wouldn't know what's wrong.

FYI here is how I do that:
1. change native="true" in server config
2. start server
3. generate self-signed certificate with openssl
> openssl req -new -newkey rsa:4096 -days 365 -nodes -x509 -subj "/C=US/ST=Denial/L=Springfield/O=Dis/CN=localhost" -keyout certs/localhost.key -out certs/localhost.cert
4. use the following cli commands:
> /subsystem=web/connector=https:add(enabled="true", enable-lookups="false", secure="true", scheme="https", socket-binding="https", protocol="HTTP/1.1")
> {"outcome" => "success"}
> /subsystem=web/connector=https/configuration=ssl:add(name="native-https", certificate-file="/tmp/certs/localhost.cert", certificate-key-file="/tmp/certs/localhost.key")
> {"outcome" => "success"}
5. try to open https URL

As I already said, if I wrap the cli commands within batch/run-batch, then everything works correctly.
Comment 3 Jean-frederic Clere 2013-10-23 09:41:17 EDT
I think that is unknown bug and no possible to fix it.
The connector starts without ssl and adding ssl doesn't tell to restart the server.
Comment 4 Jean-frederic Clere 2013-10-23 09:42:11 EDT
if you use http:// instead https:// you should get a working connection.
Comment 5 Tomaz Cerar 2013-10-24 17:51:56 EDT
This could be quite easily fixed, by restart-parent service handler on ssl:add() operation.

A workaround would be to add whole ssl connector configuration as part of batch.
Comment 8 John Doyle 2013-10-28 15:26:19 EDT

Do you have a comment on Tomaz's suggestion?  Can we try this for 6.2?
Comment 9 Jean-frederic Clere 2013-10-30 09:06:09 EDT
Tomaz gave me an example I have a patch I need to test...
Comment 10 Jean-frederic Clere 2013-10-30 09:59:50 EDT
Actually when adding ssl there is already a  message:
[standalone@localhost:9999 /] /subsystem=web/connector=https/:add(socket-binding=https,protocol="HTTP/1.1",scheme="https")
{"outcome" => "success"}
[standalone@localhost:9999 /] /subsystem=web/connector=https/ssl=configuration:add
    "outcome" => "success",
    "response-headers" => {
        "operation-requires-reload" => true,
        "process-state" => "reload-required"
Comment 11 Jean-frederic Clere 2013-11-01 10:39:37 EDT
A quick try with "restart-parent service handler on ssl:add() " doesn't seem to work. I think we should move this one to 6.3.
Comment 12 Jean-frederic Clere 2013-11-04 11:37:56 EST
Tomaz helped me today on the topic. It is working I will do the pull request soon.
Comment 13 Jean-frederic Clere 2013-11-04 15:56:03 EST
See https://github.com/jbossas/jboss-eap/pull/662
Comment 16 mark yarborough 2013-11-07 14:08:08 EST
Tried to re-approve for 6.2 based on comments 14, 15 from Brian and John.
Comment 20 Petr Sakař 2013-11-18 02:41:44 EST
Verified for EAP 6.2.0.CR2 preview using procedure described in comment#0

Result of command from step 4 is "Reload-required", page is not available before reload and is available after reload
Comment 21 Aleksandar Kostadinov 2013-11-18 03:06:40 EST
Was not the fix to make the restart automatic on ssl add?
Comment 22 Jean-frederic Clere 2013-11-18 04:06:08 EST
it does you need {allow-resource-service-restart=true }
Comment 23 Jean-frederic Clere 2013-11-22 06:07:10 EST
When adding a connector it is started immediately.
So when a SSL connector in 2 steps (first the connector, then ssl to the connector) the connector was running without ssl.
Note that a message is displayed asking for restart.

the rest is in the BZ...
Comment 24 Aleksandar Kostadinov 2013-11-28 00:42:08 EST
Russel, as far as I see now the change is that reload required is returned as status instead of success. It's not like connector is restarted by default.
Comment 25 Jean-frederic Clere 2013-11-28 03:59:40 EST
The reload required was already returned but the connector wasn't restarted.

Note You need to log in before you can comment on or make changes to this bug.