Apache Pekko doesn't support autogenerated TLS certs #12554

Closed
cornim opened this issue Apr 26, 2024 · 1 comment · Fixed by #12563

cornim commented Apr 26, 2024

The Play 3.0 documentation states:

> By default, Play will generate itself a self-signed certificate ...

But after upgrading to Play 3.0 and thereby switching from Akka to Apache Pekko, when I run

```
<my-project-executable> -Dhttp.port=disabled -Dhttps.port=9443 -Dpidfile.path=/dev/null -Dlogger.resource=dev-logback.xml
```

I get the following error message:

```
[error] play.core.server.PekkoHttpServer - Cannot load SSL context
```

Full stack trace below:

```
java.lang.reflect.InvocationTargetException: null
	at java.base/jdk.internal.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
	at java.base/jdk.internal.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.>
	at java.base/jdk.internal.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAcces>
	at java.base/java.lang.reflect.Constructor.newInstanceWithCaller(Constructor.java:499)
	at java.base/java.lang.reflect.Constructor.newInstance(Constructor.java:480)
	at play.core.server.ssl.ServerSSLEngine$.createScalaSSLEngineProvider(ServerSSLEngine.scala:122)
	at play.core.server.ssl.ServerSSLEngine$.createSSLEngineProvider(ServerSSLEngine.scala:39)
	at play.core.server.PekkoHttpServer.sslContext$lzyINIT1(PekkoHttpServer.scala:245)
	at play.core.server.PekkoHttpServer.sslContext(PekkoHttpServer.scala:245)
	at play.core.server.PekkoHttpServer.$init$$$anonfun$5(PekkoHttpServer.scala:260)
Caused by: java.lang.IllegalAccessError: class com.typesafe.sslconfig.ssl.FakeKeyStore (in unnamed module @0xfdc81>
	at com.typesafe.sslconfig.ssl.FakeKeyStore.certificateTooWeak(FakeKeyStore.scala:169)
	at com.typesafe.sslconfig.ssl.FakeKeyStore.shouldGenerate$$anonfun$2$$anonfun$1(FakeKeyStore.scala:152)
	at scala.Option.exists(Option.scala:406)
	at com.typesafe.sslconfig.ssl.FakeKeyStore.shouldGenerate$$anonfun$1(FakeKeyStore.scala:152)
	at scala.collection.IterableOnceOps.exists(IterableOnce.scala:604)
	at scala.collection.IterableOnceOps.exists$(IterableOnce.scala:601)
	at scala.collection.AbstractIterator.exists(Iterator.scala:1300)
	at com.typesafe.sslconfig.ssl.FakeKeyStore.shouldGenerate(FakeKeyStore.scala:152)
	at com.typesafe.sslconfig.ssl.FakeKeyStore.createKeyStore(FakeKeyStore.scala:179)
	at com.typesafe.sslconfig.ssl.FakeKeyStore.keyManagerFactory(FakeKeyStore.scala:218)
[debug] org.apache.pekko.io.TcpListener - Successfully bound to /[0:0:0:0:0:0:0:0]:9443
[info] play.core.server.PekkoHttpServer - Listening for HTTPS on /[0:0:0:0:0:0:0:0]:9443
[warn] play.core.server.ssl.DefaultSSLEngineProvider - Using generated key with self signed certificate for HTTPS.>
Oops, cannot start the server.
java.lang.reflect.InvocationTargetException
	at java.base/jdk.internal.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
	at java.base/jdk.internal.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.>
	at java.base/jdk.internal.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAcces>
	at java.base/java.lang.reflect.Constructor.newInstanceWithCaller(Constructor.java:499)
	at java.base/java.lang.reflect.Constructor.newInstance(Constructor.java:480)
	at play.core.server.ssl.ServerSSLEngine$.createScalaSSLEngineProvider(ServerSSLEngine.scala:122)
	at play.core.server.ssl.ServerSSLEngine$.createSSLEngineProvider(ServerSSLEngine.scala:39)
	at play.core.server.PekkoHttpServer.sslContext$lzyINIT1(PekkoHttpServer.scala:245)
	at play.core.server.PekkoHttpServer.sslContext(PekkoHttpServer.scala:245)
	at play.core.server.PekkoHttpServer.Http1Encrypted$lzyINIT1$$anonfun$2(PekkoHttpServer.scala:607)
	at scala.Option.map(Option.scala:242)
	at play.core.server.PekkoHttpServer.Http1Encrypted$lzyINIT1(PekkoHttpServer.scala:608)
	at play.core.server.PekkoHttpServer.Http1Encrypted(PekkoHttpServer.scala:597)
	at play.core.server.PekkoHttpServer.(PekkoHttpServer.scala:641)
	at play.core.server.PekkoHttpServerProvider.createServer(PekkoHttpServer.scala:742)
	at play.core.server.PekkoHttpServerProvider.createServer(PekkoHttpServer.scala:741)
	at play.core.server.ServerProvider.createServer(ServerProvider.scala:30)
	at play.core.server.ServerProvider.createServer$(ServerProvider.scala:21)
	at play.core.server.PekkoHttpServerProvider.createServer(PekkoHttpServer.scala:740)
	at play.core.server.ProdServerStart$.start(ProdServerStart.scala:58)
	at play.core.server.ProdServerStart$.main(ProdServerStart.scala:28)
	at play.core.server.ProdServerStart.main(ProdServerStart.scala)
Caused by: java.lang.IllegalAccessError: class com.typesafe.sslconfig.ssl.FakeKeyStore (in unnamed module @0xfdc81>
	at com.typesafe.sslconfig.ssl.FakeKeyStore.certificateTooWeak(FakeKeyStore.scala:169)
	at com.typesafe.sslconfig.ssl.FakeKeyStore.shouldGenerate$$anonfun$2$$anonfun$1(FakeKeyStore.scala:152)
	at scala.Option.exists(Option.scala:406)
	at com.typesafe.sslconfig.ssl.FakeKeyStore.shouldGenerate$$anonfun$1(FakeKeyStore.scala:152)
	at scala.collection.IterableOnceOps.exists(IterableOnce.scala:604)
	at scala.collection.IterableOnceOps.exists$(IterableOnce.scala:601)
	at scala.collection.AbstractIterator.exists(Iterator.scala:1300)
	at com.typesafe.sslconfig.ssl.FakeKeyStore.shouldGenerate(FakeKeyStore.scala:152)
	at com.typesafe.sslconfig.ssl.FakeKeyStore.createKeyStore(FakeKeyStore.scala:179)
	at com.typesafe.sslconfig.ssl.FakeKeyStore.keyManagerFactory(FakeKeyStore.scala:218)
	at play.core.server.ssl.DefaultSSLEngineProvider.createSSLContext(DefaultSSLEngineProvider.scala:67)
	at play.core.server.ssl.DefaultSSLEngineProvider.(DefaultSSLEngineProvider.scala:32)
	... 22 more
```

Play Version

3.0.2

API

Scala 3.3.1

Operating System

22.04.1-Ubuntu

JDK

openjdk version "17.0.10" 2024-01-16
OpenJDK Runtime Environment (build 17.0.10+7-Ubuntu-122.04.1)
OpenJDK 64-Bit Server VM (build 17.0.10+7-Ubuntu-122.04.1, mixed mode, sharing)

Expected Behavior

  1. Server should start with autogenerated ssl cert.

Actual Behavior

Server isn't started. (Stack trace see above.)

Reproducible Test Case

Set up an empty Play project in IntelliJ and run

```
sbt -J"-Dhttp.port=disabled" -J"-Dhttps.port=9443" run
```

cornim changed the title from "Apache Pekko doesn't support autogenerates TLS certs" to "Apache Pekko doesn't support autogenerated TLS certs" on Apr 26, 2024
mkurz (Member) commented Apr 27, 2024

This has nothing to do with Pekko nor Akka.
The exception is caused by the upgrade to Java 17. We already mention this in the Play 2.9 release highlights (see "Please be aware that..." in the linked section), which links to the migration guide, which describes the `--add-exports=...` workaround for Java 17 (which does not work for Java 21 unfortunately however...)

In the end this is a lack of documentation, which I am fixing with

In that PR I add the same note linked above on the highlights page to the section you referenced on the Configuring HTTPS page.
Also I enhanced the migration notes to show how to apply the flag in dev mode and when staging/packaging the application for production use.

Using your snippets, you have to use:

```
<my-project-executable> -Dhttp.port=disabled -Dhttps.port=9443 -Dpidfile.path=/dev/null -Dlogger.resource=dev-logback.xml -J--add-exports=java.base/sun.security.x509=ALL-UNNAMED
sbt -J"-Dhttp.port=disabled" -J"-Dhttps.port=9443" -J"--add-exports=java.base/sun.security.x509=ALL-UNNAMED" run
```

Just take a look at my PR to see other approaches.
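
An added example, not part of the thread and not Play or sslconfig code: a small preflight check for the export that the `--add-exports` flag in the comment above grants, so a missing flag is reported before the HTTPS listener is created. The class name `ExportPreflight` and the choice of `X500Name` as the probe class are assumptions made for illustration.

```java
// Added example (not Play or sslconfig code). ExportPreflight is a hypothetical name.
// Run it once without and once with the flag quoted in the thread:
//   java ExportPreflight.java
//   java --add-exports=java.base/sun.security.x509=ALL-UNNAMED ExportPreflight.java
public final class ExportPreflight {
    // Package named in the --add-exports flag from the thread.
    static final String PKG = "sun.security.x509";

    // Asks the module system whether java.base exports PKG to this class's module
    // (the unnamed module when the application is loaded from the classpath).
    static boolean exportedToCaller() {
        Module javaBase = Object.class.getModule();
        Module caller = ExportPreflight.class.getModule();
        return javaBase.isExported(PKG, caller);
    }

    // Tries to use a class from PKG reflectively. Without the export the JVM
    // refuses access; statically compiled callers such as FakeKeyStore hit the
    // same refusal as the IllegalAccessError shown in the stack trace.
    // X500Name is an assumed probe class, chosen only for illustration.
    static String probe() {
        try {
            Class.forName(PKG + ".X500Name")
                 .getConstructor(String.class)
                 .newInstance("CN=localhost");
            return "accessible";
        } catch (ReflectiveOperationException | LinkageError e) {
            return e.getClass().getSimpleName() + ": " + e.getMessage();
        }
    }

    public static void main(String[] args) {
        int feature = Runtime.version().feature();
        boolean exported = exportedToCaller();
        System.out.println("Java feature release: " + feature);
        System.out.println(PKG + " exported to caller: " + exported);
        System.out.println("probe: " + probe());
        if (!exported) {
            // The thread confirms this flag for Java 17 and reports it does not help on Java 21.
            System.err.println("Missing export; on Java 17 start the JVM with "
                + "--add-exports=java.base/" + PKG + "=ALL-UNNAMED");
            System.exit(1);
        }
    }
}
```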
