Skip to content

DSF Fails to Start with Certain ECC Client Certificates #405

New issue
New issue
Closed
#409
#408
Closed
DSF Fails to Start with Certain ECC Client Certificates#405
#409
#408
Assignees
hhund
Labels
bugSomething isn't workingready for releaseIssue is fixed and merged into develop, ready for next release
Milestone
2.0.1
@schwzr

Description

@schwzr
schwzr
opened on Nov 26, 2025

Description

The DSF fails to start with certain ECC Client Certificate, where the keyEncipherment key usage is not set.

Effected DSF Version

  • 2.0.0

Logs

Details 
2025-11-26 16:14:45,549 [main] ERROR org.springframework.web.context.ContextLoader - Context initialization failed
org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'activityDefinitionAuthorizationRule' defined in dev.dsf.fhir.spring.config.AuthorizationConfig: Failed to instantiate [dev.dsf.fhir.authorization.AuthorizationRule]: Factory method 'activityDefinitionAuthorizationRule' threw exception with message: Error creating bean with name 'referenceResolver' defined in dev.dsf.fhir.spring.config.ReferenceConfig: Failed to instantiate [dev.dsf.fhir.service.ReferenceResolver]: Factory method 'referenceResolver' threw exception with message: Error creating bean with name 'clientProvider' defined in dev.dsf.fhir.spring.config.ClientConfig: Failed to instantiate [dev.dsf.fhir.client.ClientProvider]: Factory method 'clientProvider' threw exception with message: java.io.IOException: First certificate from '/run/secrets/app_client_certificate.pem' not a client certificate
	at org.springframework.beans.factory.support.ConstructorResolver.instantiate(ConstructorResolver.java:657)
	at org.springframework.beans.factory.support.ConstructorResolver.instantiateUsingFactoryMethod(ConstructorResolver.java:489)
	at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.instantiateUsingFactoryMethod(AbstractAutowireCapableBeanFactory.java:1375)
	at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBeanInstance(AbstractAutowireCapableBeanFactory.java:1205)
	at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.doCreateBean(AbstractAutowireCapableBeanFactory.java:569)
	at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBean(AbstractAutowireCapableBeanFactory.java:529)
	at org.springframework.beans.factory.support.AbstractBeanFactory.lambda$doGetBean$0(AbstractBeanFactory.java:339)
	at org.springframework.beans.factory.support.DefaultSingletonBeanRegistry.getSingleton(DefaultSingletonBeanRegistry.java:373)
	at org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:337)
	at org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:202)
	at org.springframework.beans.factory.support.DefaultListableBeanFactory.instantiateSingleton(DefaultListableBeanFactory.java:1228)
	at org.springframework.beans.factory.support.DefaultListableBeanFactory.preInstantiateSingleton(DefaultListableBeanFactory.java:1194)
	at org.springframework.beans.factory.support.DefaultListableBeanFactory.preInstantiateSingletons(DefaultListableBeanFactory.java:1130)
	at org.springframework.context.support.AbstractApplicationContext.finishBeanFactoryInitialization(AbstractApplicationContext.java:990)
	at org.springframework.context.support.AbstractApplicationContext.refresh(AbstractApplicationContext.java:627)
	at org.springframework.web.context.ContextLoader.configureAndRefreshWebApplicationContext(ContextLoader.java:394)
	at org.springframework.web.context.ContextLoader.initWebApplicationContext(ContextLoader.java:274)
	at org.springframework.web.context.ContextLoaderListener.contextInitialized(ContextLoaderListener.java:126)
	at org.eclipse.jetty.ee10.servlet.ServletContextHandler.callContextInitialized(ServletContextHandler.java:1614)
	at org.eclipse.jetty.ee10.servlet.ServletContextHandler.contextInitialized(ServletContextHandler.java:501)
	at org.eclipse.jetty.ee10.servlet.ServletHandler.initialize(ServletHandler.java:675)
	at org.eclipse.jetty.ee10.servlet.ServletContextHandler.startContext(ServletContextHandler.java:1348)
	at org.eclipse.jetty.ee10.webapp.WebAppContext.startWebapp(WebAppContext.java:1429)
	at org.eclipse.jetty.ee10.webapp.WebAppContext.startContext(WebAppContext.java:1387)
	at org.eclipse.jetty.ee10.servlet.ServletContextHandler.lambda$doStart$0(ServletContextHandler.java:1066)
	at org.eclipse.jetty.server.handler.ContextHandler$ScopedContext.call(ContextHandler.java:1636)
	at org.eclipse.jetty.ee10.servlet.ServletContextHandler.doStart(ServletContextHandler.java:1063)
	at org.eclipse.jetty.ee10.webapp.WebAppContext.doStart(WebAppContext.java:520)
	at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:92)
	at org.eclipse.jetty.util.component.ContainerLifeCycle.start(ContainerLifeCycle.java:170)
	at org.eclipse.jetty.server.Server.start(Server.java:689)
	at org.eclipse.jetty.util.component.ContainerLifeCycle.doStart(ContainerLifeCycle.java:121)
	at org.eclipse.jetty.server.Handler$Abstract.doStart(Handler.java:545)
	at org.eclipse.jetty.server.Server.doStart(Server.java:630)
	at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:92)
	at dev.dsf.common.jetty.JettyServer.start(JettyServer.java:374)
	at dev.dsf.fhir.FhirJettyServer.main(FhirJettyServer.java:56)
Caused by: org.springframework.beans.BeanInstantiationException: Failed to instantiate [dev.dsf.fhir.authorization.AuthorizationRule]: Factory method 'activityDefinitionAuthorizationRule' threw exception with message: Error creating bean with name 'referenceResolver' defined in dev.dsf.fhir.spring.config.ReferenceConfig: Failed to instantiate [dev.dsf.fhir.service.ReferenceResolver]: Factory method 'referenceResolver' threw exception with message: Error creating bean with name 'clientProvider' defined in dev.dsf.fhir.spring.config.ClientConfig: Failed to instantiate [dev.dsf.fhir.client.ClientProvider]: Factory method 'clientProvider' threw exception with message: java.io.IOException: First certificate from '/run/secrets/app_client_certificate.pem' not a client certificate
	at org.springframework.beans.factory.support.SimpleInstantiationStrategy.lambda$instantiate$0(SimpleInstantiationStrategy.java:200)
	at org.springframework.beans.factory.support.SimpleInstantiationStrategy.instantiateWithFactoryMethod(SimpleInstantiationStrategy.java:89)
	at org.springframework.beans.factory.support.SimpleInstantiationStrategy.instantiate(SimpleInstantiationStrategy.java:169)
	at org.springframework.beans.factory.support.ConstructorResolver.instantiate(ConstructorResolver.java:653)
	... 36 more
Caused by: org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'referenceResolver' defined in dev.dsf.fhir.spring.config.ReferenceConfig: Failed to instantiate [dev.dsf.fhir.service.ReferenceResolver]: Factory method 'referenceResolver' threw exception with message: Error creating bean with name 'clientProvider' defined in dev.dsf.fhir.spring.config.ClientConfig: Failed to instantiate [dev.dsf.fhir.client.ClientProvider]: Factory method 'clientProvider' threw exception with message: java.io.IOException: First certificate from '/run/secrets/app_client_certificate.pem' not a client certificate
	at org.springframework.beans.factory.support.ConstructorResolver.instantiate(ConstructorResolver.java:657)
	at org.springframework.beans.factory.support.ConstructorResolver.instantiateUsingFactoryMethod(ConstructorResolver.java:489)
	at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.instantiateUsingFactoryMethod(AbstractAutowireCapableBeanFactory.java:1375)
	at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBeanInstance(AbstractAutowireCapableBeanFactory.java:1205)
	at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.doCreateBean(AbstractAutowireCapableBeanFactory.java:569)
	at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBean(AbstractAutowireCapableBeanFactory.java:529)
	at org.springframework.beans.factory.support.AbstractBeanFactory.lambda$doGetBean$0(AbstractBeanFactory.java:339)
	at org.springframework.beans.factory.support.DefaultSingletonBeanRegistry.getSingleton(DefaultSingletonBeanRegistry.java:373)
	at org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:337)
	at org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:202)
	at org.springframework.context.annotation.ConfigurationClassEnhancer$BeanMethodInterceptor.resolveBeanReference(ConfigurationClassEnhancer.java:432)
	at org.springframework.context.annotation.ConfigurationClassEnhancer$BeanMethodInterceptor.intercept(ConfigurationClassEnhancer.java:403)
	at dev.dsf.fhir.spring.config.ReferenceConfig$$SpringCGLIB$$0.referenceResolver(<generated>)
	at dev.dsf.fhir.spring.config.AuthorizationConfig.activityDefinitionAuthorizationRule(AuthorizationConfig.java:123)
	at dev.dsf.fhir.spring.config.AuthorizationConfig$$SpringCGLIB$$0.CGLIB$activityDefinitionAuthorizationRule$2(<generated>)
	at dev.dsf.fhir.spring.config.AuthorizationConfig$$SpringCGLIB$$FastClass$$1.invoke(<generated>)
	at org.springframework.cglib.proxy.MethodProxy.invokeSuper(MethodProxy.java:258)
	at org.springframework.context.annotation.ConfigurationClassEnhancer$BeanMethodInterceptor.intercept(ConfigurationClassEnhancer.java:400)
	at dev.dsf.fhir.spring.config.AuthorizationConfig$$SpringCGLIB$$0.activityDefinitionAuthorizationRule(<generated>)
	at java.base/jdk.internal.reflect.DirectMethodHandleAccessor.invoke(DirectMethodHandleAccessor.java:104)
	at java.base/java.lang.reflect.Method.invoke(Method.java:565)
	at org.springframework.beans.factory.support.SimpleInstantiationStrategy.lambda$instantiate$0(SimpleInstantiationStrategy.java:172)
	... 39 more
Caused by: org.springframework.beans.BeanInstantiationException: Failed to instantiate [dev.dsf.fhir.service.ReferenceResolver]: Factory method 'referenceResolver' threw exception with message: Error creating bean with name 'clientProvider' defined in dev.dsf.fhir.spring.config.ClientConfig: Failed to instantiate [dev.dsf.fhir.client.ClientProvider]: Factory method 'clientProvider' threw exception with message: java.io.IOException: First certificate from '/run/secrets/app_client_certificate.pem' not a client certificate
	at org.springframework.beans.factory.support.SimpleInstantiationStrategy.lambda$instantiate$0(SimpleInstantiationStrategy.java:200)
	at org.springframework.beans.factory.support.SimpleInstantiationStrategy.instantiateWithFactoryMethod(SimpleInstantiationStrategy.java:89)
	at org.springframework.beans.factory.support.SimpleInstantiationStrategy.instantiate(SimpleInstantiationStrategy.java:169)
	at org.springframework.beans.factory.support.ConstructorResolver.instantiate(ConstructorResolver.java:653)
	... 60 more
Caused by: org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'clientProvider' defined in dev.dsf.fhir.spring.config.ClientConfig: Failed to instantiate [dev.dsf.fhir.client.ClientProvider]: Factory method 'clientProvider' threw exception with message: java.io.IOException: First certificate from '/run/secrets/app_client_certificate.pem' not a client certificate
	at org.springframework.beans.factory.support.ConstructorResolver.instantiate(ConstructorResolver.java:657)
	at org.springframework.beans.factory.support.ConstructorResolver.instantiateUsingFactoryMethod(ConstructorResolver.java:489)
	at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.instantiateUsingFactoryMethod(AbstractAutowireCapableBeanFactory.java:1375)
	at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBeanInstance(AbstractAutowireCapableBeanFactory.java:1205)
	at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.doCreateBean(AbstractAutowireCapableBeanFactory.java:569)
	at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBean(AbstractAutowireCapableBeanFactory.java:529)
	at org.springframework.beans.factory.support.AbstractBeanFactory.lambda$doGetBean$0(AbstractBeanFactory.java:339)
	at org.springframework.beans.factory.support.DefaultSingletonBeanRegistry.getSingleton(DefaultSingletonBeanRegistry.java:373)
	at org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:337)
	at org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:202)
	at org.springframework.context.annotation.ConfigurationClassEnhancer$BeanMethodInterceptor.resolveBeanReference(ConfigurationClassEnhancer.java:432)
	at org.springframework.context.annotation.ConfigurationClassEnhancer$BeanMethodInterceptor.intercept(ConfigurationClassEnhancer.java:403)
	at dev.dsf.fhir.spring.config.ClientConfig$$SpringCGLIB$$0.clientProvider(<generated>)
	at dev.dsf.fhir.spring.config.ReferenceConfig.referenceResolver(ReferenceConfig.java:54)
	at dev.dsf.fhir.spring.config.ReferenceConfig$$SpringCGLIB$$0.CGLIB$referenceResolver$1(<generated>)
	at dev.dsf.fhir.spring.config.ReferenceConfig$$SpringCGLIB$$FastClass$$1.invoke(<generated>)
	at org.springframework.cglib.proxy.MethodProxy.invokeSuper(MethodProxy.java:258)
	at org.springframework.context.annotation.ConfigurationClassEnhancer$BeanMethodInterceptor.intercept(ConfigurationClassEnhancer.java:400)
	at dev.dsf.fhir.spring.config.ReferenceConfig$$SpringCGLIB$$0.referenceResolver(<generated>)
	at java.base/jdk.internal.reflect.DirectMethodHandleAccessor.invoke(DirectMethodHandleAccessor.java:104)
	at java.base/java.lang.reflect.Method.invoke(Method.java:565)
	at org.springframework.beans.factory.support.SimpleInstantiationStrategy.lambda$instantiate$0(SimpleInstantiationStrategy.java:172)
	... 63 more
Caused by: org.springframework.beans.BeanInstantiationException: Failed to instantiate [dev.dsf.fhir.client.ClientProvider]: Factory method 'clientProvider' threw exception with message: java.io.IOException: First certificate from '/run/secrets/app_client_certificate.pem' not a client certificate
	at org.springframework.beans.factory.support.SimpleInstantiationStrategy.lambda$instantiate$0(SimpleInstantiationStrategy.java:200)
	at org.springframework.beans.factory.support.SimpleInstantiationStrategy.instantiateWithFactoryMethod(SimpleInstantiationStrategy.java:89)
	at org.springframework.beans.factory.support.SimpleInstantiationStrategy.instantiate(SimpleInstantiationStrategy.java:169)
	at org.springframework.beans.factory.support.ConstructorResolver.instantiate(ConstructorResolver.java:653)
	... 84 more
Caused by: java.lang.RuntimeException: java.io.IOException: First certificate from '/run/secrets/app_client_certificate.pem' not a client certificate
	at dev.dsf.fhir.spring.config.ClientConfig.clientProvider(ClientConfig.java:92)
	at dev.dsf.fhir.spring.config.ClientConfig$$SpringCGLIB$$0.CGLIB$clientProvider$1(<generated>)
	at dev.dsf.fhir.spring.config.ClientConfig$$SpringCGLIB$$FastClass$$1.invoke(<generated>)
	at org.springframework.cglib.proxy.MethodProxy.invokeSuper(MethodProxy.java:258)
	at org.springframework.context.annotation.ConfigurationClassEnhancer$BeanMethodInterceptor.intercept(ConfigurationClassEnhancer.java:400)
	at dev.dsf.fhir.spring.config.ClientConfig$$SpringCGLIB$$0.clientProvider(<generated>)
	at java.base/jdk.internal.reflect.DirectMethodHandleAccessor.invoke(DirectMethodHandleAccessor.java:104)
	at java.base/java.lang.reflect.Method.invoke(Method.java:565)
	at org.springframework.beans.factory.support.SimpleInstantiationStrategy.lambda$instantiate$0(SimpleInstantiationStrategy.java:172)
	... 87 more
Caused by: java.io.IOException: First certificate from '/run/secrets/app_client_certificate.pem' not a client certificate
	at dev.dsf.fhir.spring.config.ClientConfig.createKeyStore(ClientConfig.java:117)
	at dev.dsf.fhir.spring.config.ClientConfig.clientProvider(ClientConfig.java:79)
	... 95 more

To Reproduce

  • Start a DSF FHIR Server with an ECC Client Certicate where the keyEncipherment key usage is not set
  • Startup will fail

Metadata

Metadata

Assignees

Labels

bugSomething isn't workingready for releaseIssue is fixed and merged into develop, ready for next release

Type

No type

Projects

No projects

Milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions