FusionAuth

    Docker - Unable to create api key - buffer overflow

    • j.smutek

      Hi,
      I'm using the Docker version of FusionAuth, version 1.47.1.
      I can create/edit users and applications but not API key(s), as it causes an error:

      fusionauth-fusionauth-1  | 2023-10-20 05:22:45.357 AM ERROR io.fusionauth.http.server.HTTPServerThread - An exception was thrown during processing
      fusionauth-fusionauth-1  | java.lang.IllegalStateException: A buffer overflow is not expected during an unwrap operation. This occurs because the preamble or body buffers are too small. Increase their sizes to avoid this issue.
      fusionauth-fusionauth-1  |      at io.fusionauth.http.server.HTTPS11Processor.read(HTTPS11Processor.java:191)
      fusionauth-fusionauth-1  |      at io.fusionauth.http.server.HTTPServerThread.read(HTTPServerThread.java:298)
      fusionauth-fusionauth-1  |      at io.fusionauth.http.server.HTTPServerThread.run(HTTPServerThread.java:169)
      

      At first I used .env file from repo .env, then increased memory for app to

      FUSIONAUTH_APP_MEMORY=1024M
      

      but this didn't help.

      Here is screen of docker stats with running fusionauth:

      CONTAINER ID   NAME                      CPU %     MEM USAGE / LIMIT     MEM %     NET I/O           BLOCK I/O         PIDS
      f8fd1d7a3dda   fusionauth-fusionauth-1   0.18%     907MiB / 3.812GiB     23.23%    6.26MB / 1.45MB   819kB / 1.57MB    121
      8e757ef046f1   fusionauth-search-1       0.39%     830.2MiB / 3.812GiB   21.27%    12.8kB / 9.97kB   2.27MB / 88.8MB   67
      867feb08bc18   fusionauth-db-1           0.19%     42.66MiB / 3.812GiB   1.09%     1.11MB / 6.06MB   7.89MB / 3.51MB   18
      

      Any way to prevent this issue?

      • dan @j.smutek

        @j-smutek Hmm. How are you trying to create an API key? Via the admin UI, kickstart, or the API key API?

        Can you share the details about the API key (obscuring any particulars that are sensitive)?

        --
        FusionAuth - Auth for devs, built by devs.
        https://fusionauth.io

        • j.smutek @dan

          @dan
          Hi, via the admin UI (it's a fresh install, there is no API yet). I don't need to fill in anything, just hit save and it creates the error I pasted above.

          • dan @j.smutek

            @j-smutek Hmmm. I just stood up a docker instance, went through the setup wizard, logged in as the admin user and created an API key on this screen:

            Screenshot 2023-10-24 at 7.46.44 AM.png

            I was unable to recreate.

            Are you using docker from the install guide?

            What operating system are you on?

            Does this error prevent the API key from being created?

            What does your .env file look like?

            --
            FusionAuth - Auth for devs, built by devs.
            https://fusionauth.io

            • j.smutek @dan

              @dan Hi,
              Yes, I'm using Docker from the install guide (the docker compose yml is from the repo).
              Operating system: 22.04.1-Ubuntu, kernel: 6.2.0-1014-azure #14~.
              Yes, it prevents the API key from being created. The .env file, as I said, is based on the one in the repo with minimum changes (***** are not real values):

              POSTGRES_USER=*****
              POSTGRES_PASSWORD=*****
              DATABASE_USERNAME=*****
              DATABASE_PASSWORD=*****
              ES_JAVA_OPTS="-Xms512m -Xmx512m"
              FUSIONAUTH_APP_MEMORY=1024M
              FUSIONAUTH_APP_HTTPS_ENABLED=true
              FUSIONAUTH_APP_HTTPS_PORT=9013
              FUSIONAUTH_APP_HTTPS_CERTIFICATE_FILE=/usr/local/fusionauth/fullchain.crt
              FUSIONAUTH_APP_HTTPS_PRIVATE_KEY_FILE=/usr/local/fusionauth/key.key
              
              • j.smutek @dan

                @dan
                Here is more info that could help.
                Api key creation screen:
                api_key_creation_screen.png
                After clicking on save, end of url changes to "/admin/api-key/add" with ERR_EMPTY_RESPONSE

                Here is the log from the start of FusionAuth to me trying to create an API key:

                fusionauth-fusionauth-1  | ---------------------------------------------------------------------------------------------------------
                fusionauth-fusionauth-1  | --------------------------------- Starting FusionAuth version [1.47.1] ----------------------------------
                fusionauth-fusionauth-1  | ---------------------------------------------------------------------------------------------------------
                fusionauth-fusionauth-1  |
                fusionauth-fusionauth-1  | 2023-10-25 05:54:06.220 AM INFO  io.fusionauth.api.plugin.guice.PluginModule - No plugins found
                fusionauth-fusionauth-1  | 2023-10-25 05:54:06.420 AM INFO  io.fusionauth.api.service.system.NodeService - Node [78094893-7c22-447e-ad2e-8ab48cc5231f] started.
                fusionauth-fusionauth-1  | 2023-10-25 05:54:06.928 AM INFO  io.fusionauth.api.configuration.DefaultFusionAuthConfiguration - Loading FusionAuth configuration file [/usr/local/fusionauth/config/fusionauth.properties]
                fusionauth-fusionauth-1  | 2023-10-25 05:54:06.929 AM INFO  io.fusionauth.api.configuration.DefaultFusionAuthConfiguration - Set property [fusionauth-app.url] set to [http://fusionauth:9011] using configured value.
                fusionauth-fusionauth-1  | 2023-10-25 05:54:06.930 AM INFO  com.inversoft.configuration.BasePropertiesFileInversoftConfiguration -
                fusionauth-fusionauth-1  |   - Overriding default value of property [database.mysql.enforce-utf8mb4] with value [true]
                fusionauth-fusionauth-1  |   - Overriding default value of property [FUSIONAUTH_APP_RUNTIME_MODE] with value [development]
                fusionauth-fusionauth-1  |   - Overriding default value of property [SEARCH_TYPE] with value [elasticsearch]
                fusionauth-fusionauth-1  |
                fusionauth-fusionauth-1  | 2023-10-25 05:54:06.932 AM INFO  com.inversoft.jdbc.hikari.DataSourceProvider - Connecting to PostgreSQL database at [jdbc:postgresql://db:5432/fusionauth]
                fusionauth-fusionauth-1  | 2023-10-25 05:54:06.933 AM WARN  com.zaxxer.hikari.HikariConfig - HikariPool-1 - idleTimeout has been set but has no effect because the pool is operating as a fixed size pool.
                fusionauth-fusionauth-1  | 2023-10-25 05:54:06.935 AM INFO  com.zaxxer.hikari.HikariDataSource - HikariPool-1 - Starting...
                fusionauth-fusionauth-1  | 2023-10-25 05:54:06.955 AM INFO  com.zaxxer.hikari.pool.HikariPool - HikariPool-1 - Added connection org.postgresql.jdbc.PgConnection@243bf087
                fusionauth-fusionauth-1  | 2023-10-25 05:54:06.965 AM INFO  com.zaxxer.hikari.HikariDataSource - HikariPool-1 - Start completed.
                fusionauth-fusionauth-1  | 2023-10-25 05:54:08.234 AM INFO  com.inversoft.scheduler.DefaultScheduler - Starting up scheduler
                fusionauth-fusionauth-1  | 2023-10-25 05:54:08.236 AM INFO  com.inversoft.scheduler.DefaultScheduler - Scheduler is running
                fusionauth-fusionauth-1  | 2023-10-25 05:54:08.370 AM INFO  com.inversoft.search.ElasticRestClientHelper - Connecting to Elasticsearch at [http://search:9200]
                fusionauth-fusionauth-1  | 2023-10-25 05:54:08.385 AM INFO  io.fusionauth.api.service.system.NodeService - Node [78094893-7c22-447e-ad2e-8ab48cc5231f] added with address [http://fusionauth:9011]
                fusionauth-fusionauth-1  | 2023-10-25 05:54:09.159 AM INFO  io.fusionauth.api.service.system.NodeService - Node [78094893-7c22-447e-ad2e-8ab48cc5231f] promoted to master at [2023-10-25T05:54:09.159586852Z], the previous master Node [76a0b959-f6fa-4085-b64f-7df990611db7] has been shutdown or removed
                fusionauth-fusionauth-1  | 2023-10-25 05:54:09.481 AM INFO  io.fusionauth.app.primeframework.FusionHTTPContextAuthSetup - Initializing the FusionAuth HTTP Context.
                fusionauth-fusionauth-1  | 2023-10-25 05:54:09.553 AM INFO  com.inversoft.search.ElasticRestClientHelper - Connecting to Elasticsearch at [http://search:9200]
                fusionauth-fusionauth-1  | 2023-10-25 05:54:09.646 AM INFO  org.primeframework.mvc.PrimeMVCRequestHandler - Initializing Prime
                fusionauth-fusionauth-1  | 2023-10-25 05:54:09.653 AM INFO  org.primeframework.mvc.PrimeMVCRequestHandler - Initializing Prime
                fusionauth-fusionauth-1  | 2023-10-25 05:54:09.653 AM INFO  org.primeframework.mvc.PrimeMVCRequestHandler - Initializing Prime
                fusionauth-fusionauth-1  | 2023-10-25 05:54:09.659 AM INFO  io.fusionauth.http.server.HTTPServer - Starting the HTTP server. Buckle up!
                fusionauth-fusionauth-1  | 2023-10-25 05:54:09.669 AM INFO  io.fusionauth.http.server.HTTPServer - HTTP server listening on port [9011]
                fusionauth-fusionauth-1  | 2023-10-25 05:54:09.670 AM INFO  io.fusionauth.http.server.HTTPServer - HTTP server started successfully
                fusionauth-fusionauth-1  | 2023-10-25 05:54:09.670 AM INFO  io.fusionauth.http.server.HTTPServer - Starting the HTTP server. Buckle up!
                fusionauth-fusionauth-1  | 2023-10-25 05:54:09.671 AM INFO  io.fusionauth.http.server.HTTPServer - HTTP server listening on port [9012]
                fusionauth-fusionauth-1  | 2023-10-25 05:54:09.671 AM INFO  io.fusionauth.http.server.HTTPServer - HTTP server started successfully
                fusionauth-fusionauth-1  | 2023-10-25 05:54:09.671 AM INFO  io.fusionauth.http.server.HTTPServer - Starting the HTTP server. Buckle up!
                fusionauth-fusionauth-1  | 2023-10-25 05:54:09.672 AM INFO  io.fusionauth.http.server.HTTPServer - HTTP server listening on port [9013]
                fusionauth-fusionauth-1  | 2023-10-25 05:54:09.672 AM INFO  io.fusionauth.http.server.HTTPServer - HTTP server started successfully
                fusionauth-fusionauth-1  | 2023-10-25 05:55:15.340 AM INFO  com.inversoft.search.ElasticSearchClient - Determine version of the search engine.
                fusionauth-fusionauth-1  | 2023-10-25 05:55:15.348 AM WARN  org.elasticsearch.client.RestClient - request [GET http://search:9200/] returned 1 warnings: [299 Elasticsearch-7.17.0-bee86328705acaa9a6daede7140defd4d9ec56bd "Elasticsearch built-in security features are not enabled. Without authentication, your cluster could be accessible to anyone. See https://www.elastic.co/guide/en/elasticsearch/reference/7.17/security-minimal-setup.html to enable security."]
                fusionauth-fusionauth-1  | 2023-10-25 05:55:15.350 AM INFO  com.inversoft.search.ElasticSearchClient - Reported version [7.17.0]
                fusionauth-fusionauth-1  | 2023-10-25 05:55:15.353 AM INFO  com.inversoft.search.ElasticSearchClient - Set major version to [7]
                fusionauth-fusionauth-1  | 2023-10-25 05:55:15.419 AM WARN  org.elasticsearch.client.RestClient - request [PUT http://search:9200/fusionauth_user/_doc/91032242-efb0-4a2b-a38a-c8bb7c9d7243] returned 1 warnings: [299 Elasticsearch-7.17.0-bee86328705acaa9a6daede7140defd4d9ec56bd "Elasticsearch built-in security features are not enabled. Without authentication, your cluster could be accessible to anyone. See https://www.elastic.co/guide/en/elasticsearch/reference/7.17/security-minimal-setup.html to enable security."]
                fusionauth-fusionauth-1  | 2023-10-25 05:55:15.917 AM WARN  org.elasticsearch.client.RestClient - request [PUT http://search:9200/fusionauth_user/_doc/91032242-efb0-4a2b-a38a-c8bb7c9d7243] returned 1 warnings: [299 Elasticsearch-7.17.0-bee86328705acaa9a6daede7140defd4d9ec56bd "Elasticsearch built-in security features are not enabled. Without authentication, your cluster could be accessible to anyone. See https://www.elastic.co/guide/en/elasticsearch/reference/7.17/security-minimal-setup.html to enable security."]
                fusionauth-fusionauth-1  | 2023-10-25 05:55:48.832 AM WARN  org.elasticsearch.client.RestClient - request [PUT http://search:9200/fusionauth_user/_doc/91032242-efb0-4a2b-a38a-c8bb7c9d7243] returned 1 warnings: [299 Elasticsearch-7.17.0-bee86328705acaa9a6daede7140defd4d9ec56bd "Elasticsearch built-in security features are not enabled. Without authentication, your cluster could be accessible to anyone. See https://www.elastic.co/guide/en/elasticsearch/reference/7.17/security-minimal-setup.html to enable security."]
                fusionauth-fusionauth-1  | 2023-10-25 05:57:14.945 AM ERROR io.fusionauth.http.server.HTTPServerThread - An exception was thrown during processing
                fusionauth-fusionauth-1  | java.lang.IllegalStateException: A buffer overflow is not expected during an unwrap operation. This occurs because the preamble or body buffers are too small. Increase their sizes to avoid this issue.
                fusionauth-fusionauth-1  |      at io.fusionauth.http.server.HTTPS11Processor.read(HTTPS11Processor.java:191)
                fusionauth-fusionauth-1  |      at io.fusionauth.http.server.HTTPServerThread.read(HTTPServerThread.java:298)
                fusionauth-fusionauth-1  |      at io.fusionauth.http.server.HTTPServerThread.run(HTTPServerThread.java:169)
                fusionauth-fusionauth-1  | 2023-10-25 05:57:45.456 AM ERROR io.fusionauth.http.server.HTTPServerThread - An exception was thrown during processing
                fusionauth-fusionauth-1  | java.lang.IllegalStateException: A buffer overflow is not expected during an unwrap operation. This occurs because the preamble or body buffers are too small. Increase their sizes to avoid this issue.
                fusionauth-fusionauth-1  |      at io.fusionauth.http.server.HTTPS11Processor.read(HTTPS11Processor.java:191)
                fusionauth-fusionauth-1  |      at io.fusionauth.http.server.HTTPServerThread.read(HTTPServerThread.java:298)
                fusionauth-fusionauth-1  |      at io.fusionauth.http.server.HTTPServerThread.run(HTTPServerThread.java:169)
                

                Here are versions of nodejs and docker installed on my azure virtual where fusionauth docker is running:

                nodejs --version
                v20.8.0
                docker --version
                Docker version 24.0.6, build ed223bc
                
                • dan @j.smutek

                  @j-smutek Hmmm. Can you try it without using your SSL certificates and see if the same issue occurs?

                  --
                  FusionAuth - Auth for devs, built by devs.
                  https://fusionauth.io

                  • j.smutek @dan

                    @dan
                    After disabling https, I was unable to log in to the web UI, as I was redirected back to the login screen.

                    Url after redirect: 
                    /oauth2/authorize?client_id=3c219e58-ed0e-4b18-ad48-f4f92793ae32&response_type=code&redirect_uri=%2Fadmin%2Flogin&scope=offline_access&code_challenge=aAjtN7cCeIcKGNy98zdKVJLQGiFAhjE90WA3NeOkvH0&code_challenge_method=S256&state=iCNptKF_HgM7P_H74jFphFI_9pHzJ0gIu77LYPxNr0o
                    

                    with front end error:

                    Authorize.js?version=1.48.1:34 Uncaught ReferenceError: PublicKeyCredential is not defined
                        at new FusionAuth.OAuth2.Authorize (Authorize.js?version=1.48.1:34:43)
                        at authorize?client_id=3c219e58-ed0e-4b18-ad48-f4f92793ae32&response_type=code&redirect_uri=%2Fadmin%2Flogin&scope=offline_access&code_challenge=_Y6KAh3_n1H6hJB0yrTtbmhB-AtWm_0VpQf4xF7tHEE&code_challenge_method=S256&state=iLC0KrVXMrQ9BH63SYOQX7Q7QazQa8CVWiUx-YK8ZH0:78:9
                        at HTMLDocument.value (PrimeDocument.js:377:9)
                    

                    I will try after clean install.

                    • j.smutek @dan

                      @dan
                      After a clean install (removed containers, volumes and images),
                      I can create an API key.
                      Here is the current docker usage. Is it possible that https increases memory requirements?
                      What are the actual system requirements? (512MB stated in the doc is not enough)

                      CONTAINER ID   NAME                      CPU %     MEM USAGE / LIMIT     MEM %     NET I/O           BLOCK I/O         PIDS
                      12f3678eddb5   fusionauth-fusionauth-1   0.17%     944.3MiB / 3.812GiB   24.19%    4.25MB / 1.78MB   63.7MB / 553kB    119
                      63fa5b302d5b   fusionauth-db-1           0.00%     48.48MiB / 3.812GiB   1.24%     1.04MB / 3.92MB   15.5MB / 65.3MB   17
                      6206fdf53f93   fusionauth-search-1       0.94%     839.8MiB / 3.812GiB   21.51%    40.4MB / 254kB    27.3MB / 174MB    72
                      
                      
                      • dan @j.smutek

                        @j-smutek Hmm. 512 MB should be fine for typical usage.

                        Do you have a large number of applications or tenants or webhooks or keys or anything else? Or is this a pretty standard config?

                        I'm glad you were able to get the API key created. That is a weird error I've never seen before.

                        --
                        FusionAuth - Auth for devs, built by devs.
                        https://fusionauth.io

                        • j.smutek @dan

                          @dan Hi,
                          sorry about the late reply.
                          No, I have created 1 application, 1 tenant, 1 user and no webhooks; the rest is default.

                          • dan @j.smutek

                            @j-smutek Thanks for the response.

                            The only thing I can think of that seems different is the certificates, but I can't see how that would affect the creating of an API key.

                            --
                            FusionAuth - Auth for devs, built by devs.
                            https://fusionauth.io

                            • j.smutek @dan

                              @dan Hi,
                              I don't think it's the certificate.
                              When I have time, I'll test it with and without certificates and see how it goes.

                              • J j.smutek has marked this topic as solved on
                              • brian 0 @j.smutek

                                @j-smutek

                                Hi, after a long bit of working on this issue,
                                I am quite certain that it is caused by setting a valid certificate in the configuration.
                                It happens when you configure it (SSL) directly in the fusionauth.properties file. Everything appears to work, then you find out you cannot create or edit tenants, and other areas randomly do not work. I would just get no response in the browser and then this buffer overflow in your logs. I struggled for quite some time with this. Just writing here in case someone else comes to this point: just stop and install a reverse proxy, problem solved.

                                I also honestly think FusionAuth's quick guide should include setup with Caddy and/or nginx with SSL certs. Really, I think it would be best to remove the SSL settings and force users to set up a reverse proxy, as it is simple to do. But I see that you maybe want flexibility here. I have done this now with Caddy and it works flawlessly.

                                Thanks again for a great product though and great community support.
                                FusionAuth is by far the easiest alternative to Identity Server for .NET and probably the easiest auth server I found.

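Added example, not part of any post above and not FusionAuth tooling: a small shell triage that pulls the timestamps of the unwrap overflow errors out of `docker compose` log output and checks whether the `.env` enables FusionAuth's built-in HTTPS, the combination reported in this thread. The function names are hypothetical; the sample log lines and `.env` keys are taken from the posts.

```shell
#!/bin/sh
# Added example: triage for the "unwrap buffer overflow" error in this thread.
# Function names are hypothetical; log text and .env keys come from the posts.

# Print the timestamp of each logged TLS unwrap overflow in LOGFILE ($1).
# Works with or without the "container  | " prefix docker compose adds.
overflow_times() {
    awk '
        { line = $0; sub(/^[^|]*\| ?/, "", line) }
        line ~ /^[0-9-]+ [0-9:.]+ [AP]M ERROR / { ts = substr(line, 1, 26) }
        line ~ /buffer overflow is not expected during an unwrap operation/ {
            print (ts == "" ? "unknown" : ts); ts = ""
        }
    ' "$1"
}

# Print the effective value of KEY ($2) in a .env file ($1): the last
# assignment wins, comment lines are skipped, surrounding quotes are stripped.
env_value() {
    awk -v key="$2" '
        /^[ \t]*#/ { next }
        {
            eq = index($0, "="); if (eq == 0) next
            k = substr($0, 1, eq - 1); gsub(/^[ \t]+|[ \t]+$/, "", k)
            if (k != key) next
            v = substr($0, eq + 1)
            sub(/^[ \t]*["'\'']?/, "", v); sub(/["'\'']?[ \t]*$/, "", v)
            val = v
        }
        END { print val }
    ' "$1"
}

# Compare LOGFILE ($1) with ENVFILE ($2) and print a one-line verdict.
triage() {
    hits=$(overflow_times "$1" | wc -l | tr -d ' ')
    https=$(env_value "$2" FUSIONAUTH_APP_HTTPS_ENABLED)
    cert=$(env_value "$2" FUSIONAUTH_APP_HTTPS_CERTIFICATE_FILE)
    if [ "$hits" -eq 0 ]; then
        echo "CLEAR: no unwrap overflows logged"
    elif [ "$https" = "true" ] && [ -n "$cert" ]; then
        echo "MATCH: $hits unwrap overflow(s), built-in HTTPS on with $cert"
    else
        echo "UNEXPLAINED: $hits unwrap overflow(s), built-in HTTPS not set in $2"
    fi
}

# Sample input excerpted from the log and .env posted in this thread.
tmp=$(mktemp -d); trap 'rm -rf "$tmp"' EXIT
cat > "$tmp/compose.log" <<'EOF'
fusionauth-fusionauth-1  | 2023-10-25 05:57:14.945 AM ERROR io.fusionauth.http.server.HTTPServerThread - An exception was thrown during processing
fusionauth-fusionauth-1  | java.lang.IllegalStateException: A buffer overflow is not expected during an unwrap operation. This occurs because the preamble or body buffers are too small. Increase their sizes to avoid this issue.
fusionauth-fusionauth-1  | 2023-10-25 05:57:45.456 AM ERROR io.fusionauth.http.server.HTTPServerThread - An exception was thrown during processing
fusionauth-fusionauth-1  | java.lang.IllegalStateException: A buffer overflow is not expected during an unwrap operation. This occurs because the preamble or body buffers are too small. Increase their sizes to avoid this issue.
EOF
cat > "$tmp/.env" <<'EOF'
FUSIONAUTH_APP_MEMORY=1024M
FUSIONAUTH_APP_HTTPS_ENABLED=true
FUSIONAUTH_APP_HTTPS_PORT=9013
FUSIONAUTH_APP_HTTPS_CERTIFICATE_FILE=/usr/local/fusionauth/fullchain.crt
EOF
triage "$tmp/compose.log" "$tmp/.env"
```

A MATCH verdict is the situation the last post resolved by terminating TLS at a reverse proxy instead of in FusionAuth.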