RE: Fusion not leaving maintenance mode

@randall

Don't know your OS, but in case your error is related to what I found on a recent Windows/Postgres install:
https://fusionauth.io/community/forum/topic/2219/maintenance-mode-db-creation-fails-without-message-with-postgresql-15-on-windows

On Windows Server 2022, installed postgres 15, then attempted to install FusionAuth app and search (1.40.2). When Maintenance Mode came up, entered postgres user and password, used default fusionauth user and password, and clicked submit. Page came back to Maintenance Mode screen without any error message. Log showed stack trace with

 Cause: org.postgresql.util.PSQLException: ERROR: permission denied for schema public

Looking in postgres list of dbs, saw the fusionauth db had been created with UTF8 for Collate and Ctype params. Looking at the advanced installation instructions, saw manual db setup for Windows required:

CREATE DATABASE fusionauth ENCODING 'UTF-8' LC_CTYPE 'English_United States' LC_COLLATE 'English_United States' TEMPLATE template0;

Was able to use these instructions to create the db and user, then Maintenance Mode was able to complete table creation and setup.
If not possible for Maintenance Mode to detect that the db is on Windows, would be great to have an error message instead of having to interpret the log file trace.

Attempt to install app (result below) and search (not shown) as Windows services:

From cmd run as Administrator:

c:\fusionauth\fusionauth-app\bin>FusionAuthApp.exe /install

Installing service FusionAuthApp...
Service FusionAuthApp has been successfully installed.
Creating EventLog source FusionAuthApp in log Application...

Then nothing happens. After about 10-15 minutes I gave up, ctrl-c out. The app is able to run.

@voidmain Thank you!

Is adding an SSL cert to the keystore as described in https://fusionauth.io/docs/v1/tech/admin-guide/securing "Custom Certificate Authority" functionally equivalent to adding the cert to a standalone keystore, then using that keystore in Tomcat via the server.xml config file? Or is the "Custom Certificate Authority" for a different use?

With the switch from Tomcat to Netty in 1.37, is it possible to add an SSL certificate directly to Netty, as was possible with Tomcat? Perhaps via some configuration file?

Related post:
https://fusionauth.io/community/forum/topic/180/is-it-possible-to-set-up-ssl-for-fusionauth-directly

Received a notification from Google that they're discontinuing Google Sign-In JavaScript Platform Library for web (https://developers.googleblog.com/2021/08/gsi-jsweb-deprecation.html). They provided us "a list of your client ID(s) that use the legacy Google Sign-In web solution" and the only item was the client id we set up for FusionAuth's Google identity provider.

Will this affect the Google identity provider in FusionAuth, and if so, is it on the roadmap to be updated?

Two ideas:

• Does it help to specify the key id when creating your test SymmetricSecurityKey?

var key = new SymmetricSecurityKey(Encoding.ASCII.GetBytes( "My secret from application config" ) ) { KeyId = "Your Key Id" };

• You don't specify which algorithm you're using to sign your tokens. If you're using SymmetricSecurityKey, ensure you're using an symmetric algorithm to sign your tokens.

Thanks. I believe the RSS feed for the release announcements will work for us.

Is there an easy way to be notified when a new version of FusionAuth is released? I'm subscribed to your general email list, but am looking for something simple that just happens for a new version. I see there's an endpoint at https://metrics.fusionauth.io/api/latest-version that I could poll, but wondering if there's a better way, perhaps through GitHub, or if there's a way to only get version update emails from your mailing list.

In case it helps anyone, a version of the ASP.NET Core Identity PasswordHasher HashPasswordV3

package com.mycompany.fusionauth.plugins;

import javax.crypto.SecretKey;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.InvalidKeyException;
import java.security.NoSuchAlgorithmException;
import java.security.spec.InvalidKeySpecException;
import java.security.spec.KeySpec;
import java.util.Base64;
import io.fusionauth.plugin.spi.security.PasswordEncryptor;

/**
* Example password hashing based on Asp.Net Core Identity PasswordHasher HashPasswordV3.
*/
public class ExampleDotNetPBDKF2HMACSHA256PasswordEncryptor implements PasswordEncryptor {

  @Override
  public int defaultFactor() {
    return 10_000;
  }

  @Override
  public String encrypt(String password, String salt, int factor) {
    if (factor <= 0) {
      throw new IllegalArgumentException("Invalid factor value [" + factor + "]");
    }

    SecretKeyFactory keyFactory;
    try {
      keyFactory = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256");
    } catch (NoSuchAlgorithmException e) {
      throw new IllegalStateException("No such algorithm [PBKDF2WithHmacSHA256]");
    }

	int keyLength = 32; // numBytesRequested
	byte[] saltBytes = Base64.getDecoder().decode(salt); // assumes Base64 encoded salt. saltSize: 16 bytes

    KeySpec keySpec = new PBEKeySpec(password.toCharArray(), saltBytes, factor, keyLength * 8);
    SecretKey secret;
    try {
      secret = keyFactory.generateSecret(keySpec); // subkey
    } catch (InvalidKeySpecException e) {
      throw new IllegalArgumentException("Could not generate secret key for algorithm [PBKDF2WithHmacSHA256]");
    }
	
	byte[] outputBytes = new byte[13 + saltBytes.length + secret.getEncoded().length];
	outputBytes[0] = 0x01; // format marker
	WriteNetworkByteOrder(outputBytes, 1, 1);
	WriteNetworkByteOrder(outputBytes, 5, factor);
	WriteNetworkByteOrder(outputBytes, 9, saltBytes.length);
	System.arraycopy(saltBytes, 0, outputBytes, 13, saltBytes.length);
	System.arraycopy(secret.getEncoded(), 0, outputBytes, 13 + saltBytes.length, secret.getEncoded().length);
	
	return new String(Base64.getEncoder().encode(outputBytes));
  }
  
  private static void WriteNetworkByteOrder(byte[] buffer, int offset, int value)
  {
	buffer[offset + 0] = (byte)(value >> 24);
	buffer[offset + 1] = (byte)(value >> 16);
	buffer[offset + 2] = (byte)(value >> 8);
	buffer[offset + 3] = (byte)(value >> 0);
  }
}

package com.mycompany.fusionauth.plugins;

import org.testng.annotations.DataProvider;
import org.testng.annotations.Test;
import static org.testng.Assert.assertEquals;

public class ExampleDotNetPBDKF2HMACSHA256PasswordEncryptorTest {
  @Test(dataProvider = "hashes")
  public void encrypt(String password, String salt, String hash) {
    ExampleDotNetPBDKF2HMACSHA256PasswordEncryptor encryptor = new ExampleDotNetPBDKF2HMACSHA256PasswordEncryptor();
    assertEquals(encryptor.encrypt(password, salt, 10_000), hash);
  }

  @DataProvider(name = "hashes")
  public Object[][] hashes() {
    return new Object[][]{
        {"MyExamplePassword", "CVsv6SwPJr7WDrVvAb+7aw==", "AQAAAAEAACcQAAAAEAlbL+ksDya+1g61bwG/u2ssOcnQU6Q2xo9tmijJv0zM2GsxeOl04NSpXRsAveBBag=="},
    };
  }
}

Thanks for your response. The only thing I did was try to set up as close to a "standard" Windows installation as possible, then changed FusionAuth to Production mode. Will say that the DB (MySQL 8.0.22) is on the same machine as FusionAuth, so the fact that additional resources solved a timing issue wasn't surprising. I'm no MySQL expert, so very well could have been solved by a setup/configuration issue there.

Two updates:

• The workaround to use the explicit IP instead of localhost only works sometimes, indicating that there continues to be some kind of timing/timeout issue in Production mode, but not in Development mode.
• Adding a second processor seems to have actually fixed the issue.

Running on Windows Server 2019 with MySQL 8, FusionAuth v1.21.0. Not sure if this is a bug or just related to my own configuration.
Changed FusionAuth from Development mode to Production mode, and then couldn't connect to the database.
Database connection url property was:

jdbc:mysql://localhost:3306/fusionauth?serverTimezone=UTC&useSSL=false&allowPublicKeyRetrieval=true

After digging a little on the following errors, I worked around the issue by changing the database connection url property to the machine's explicit IP, and was able to connect.

jdbc:mysql://xxx.xxx.xxx.xxx:3306/fusionauth?serverTimezone=UTC&useSSL=false&allowPublicKeyRetrieval=true

For reference:
Tomcat startup showed these errors:

SEVERE: Exception sending context initialized event to listener instance of class [io.fusionauth.app.primeframework.FusionAuthAppPrimeServletContextListener]
org.primeframework.mvc.PrimeException
        at org.primeframework.mvc.guice.GuiceBootstrap.initialize(GuiceBootstrap.java:77)
        at org.primeframework.mvc.servlet.PrimeServletContextListener.contextInitialized(PrimeServletContextListener.java:61)
        at com.inversoft.maintenance.servlet.MaintenanceModePrimeServletContextListener.contextInitialized(MaintenanceModePrimeServletContextListener.java:45)
        at io.fusionauth.app.primeframework.FusionAuthAppPrimeServletContextListener.contextInitialized(FusionAuthAppPrimeServletContextListener.java:26)
        at org.apache.catalina.core.StandardContext.listenerStart(StandardContext.java:4689)
        at org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5155)
        at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:183)
        at org.apache.catalina.core.ContainerBase$StartChild.call(ContainerBase.java:1412)
        at org.apache.catalina.core.ContainerBase$StartChild.call(ContainerBase.java:1402)
        at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264)
        at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1130)
        at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:630)
        at java.base/java.lang.Thread.run(Thread.java:832)

FusionAuth log showed these errors:

2020-11-24 11:11:05.863 AM ERROR com.zaxxer.hikari.pool.HikariPool - HikariPool-1 - Exception during pool initialization.
com.mysql.cj.jdbc.exceptions.CommunicationsException: Communications link failure
The last packet sent successfully to the server was 0 milliseconds ago. The driver has not received any packets from the server.
	at com.mysql.cj.jdbc.exceptions.SQLError.createCommunicationsException(SQLError.java:174)

        ...several hundred lines of stack...

Unable to start the server. Here's why: 
[Error in custom provider, com.zaxxer.hikari.pool.HikariPool$PoolInitializationException: Failed to initialize pool: Communications link failure

The last packet sent successfully to the server was 0 milliseconds ago. The driver has not received any packets from the server.] 
	-> [class com.zaxxer.hikari.pool.HikariPool$PoolInitializationException] Failed to initialize pool: Communications link failure

Thank you.
https://github.com/FusionAuth/fusionauth-issues/issues/971

Ran the install script on Windows Server 2019 to "C:\Program Files". In multiple places in the startup.bat script, the files and directories referenced by "%~dp0" are not quoted, meaning it gets set to "C:\Program". After fixing those, something within the fusionauth-app still appears to have a directory reference issue also.
One workaround is obviously installing to a directory without spaces. Would be nice to have the default install process work to the typical Windows program directories.