An exception is thrown for "java.lang.IllegalStateException: Provided private key and latest private key fingerprints mismatch"
Symptoms

During startup, Artifactory fails to start and an error is thrown:

java.lang.IllegalStateException: Provided private key and latest private key fingerprints mismatch.

Cause

Artifactory validates and compares the fingerprints of the access keys that reside in Artifactory's database and on the local file system. If the keys do not match, the exception above is thrown along with the mismatching fingerprint IDs.

Scenarios:

A. During an attempted upgrade/installation of an Artifactory HA cluster node.

B. When setting up your circle of trust, something has gone wrong and the different participating Artifactory installations do not share the same private key and root certificate. This causes cross-site authentication to fail since keys between the different sites cannot be validated.

Resolution

Follow the steps below to make sure that all instances in your circle of trust have the same private key and root certificate:

Warning: Key rotation will invalidate any issued access tokens

The procedure below will create new key pairs, which in turn will invalidate any existing Access Tokens.

  1. Copy the private key and root certificate files from the first Artifactory instance to a location on your file system that is accessible by all other instances/nodes that are in your circle of trust.

  2. Before bootstrapping, for each of the other instances/nodes:
    1. Delete the existing private key and root certificate files (private.key and root.cert) from the $ARTIFACTORY_HOME/access/etc folder.
    2. Create the $ARTIFACTORY_HOME/access/etc/access.bootstrap.config with the following contents:

      key=/path/to/private.key
      crt=/path/to/root.crt
    3. Add the following JVM property to $ARTIFACTORY_HOME/bin/artifactory.default (or $ARTIFACTORY_HOME/etc/default for service installations):

      -Djfrog.access.force.replace.existing.root.keys=true
    4. Start up the new instance and verify that the artifactory.log file shows the following entry: 

      *******************************************************************
      *** Forcing replacement of the root private key and certificate ***
      *******************************************************************
    5. Delete the JVM property you added to $ARTIFACTORY_HOME/bin/artifactory.default (or $ARTIFACTORY_HOME/etc/default for service installations) in step 3.
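
The checks below are an added example, not part of the JFrog documentation: read-only shell functions for one node, one to run before startup and one after the JVM property has been deleted again. The function names and the idea of passing the first instance's key and certificate as reference files are assumptions; files are compared byte-for-byte with cmp, which is not Artifactory's own fingerprint calculation.

```shell
#!/bin/sh
# Added example: read-only checks around the key-replacement procedure.
# All paths are arguments; nothing is modified and no key material is printed.
PROP='-Djfrog.access.force.replace.existing.root.keys=true'
BANNER='Forcing replacement of the root private key and certificate'

fail() { echo "FAIL: $*" >&2; }

# Value of "key=" or "crt=" in access.bootstrap.config ($1=file, $2=name).
bootstrap_value() { sed -n "s/^$2=//p" "$1" | head -n 1; }

# True if the property appears on a non-comment line of the defaults file.
property_set() { grep -v '^[[:space:]]*#' "$1" | grep -qF -e "$PROP"; }

# Run before starting the node.
# $1=ARTIFACTORY_HOME  $2=first instance's private key  $3=its root certificate
# $4=defaults file (bin/artifactory.default or etc/default)
pre_start_check() {
    etc="$1/access/etc"
    for old in private.key root.cert; do
        [ ! -e "$etc/$old" ] || { fail "$etc/$old still present"; return 1; }
    done
    cfg="$etc/access.bootstrap.config"
    [ -f "$cfg" ] || { fail "$cfg missing"; return 1; }
    key=$(bootstrap_value "$cfg" key); crt=$(bootstrap_value "$cfg" crt)
    [ -n "$key" ] && [ -n "$crt" ] || { fail "key= or crt= missing in $cfg"; return 1; }
    cmp -s "$key" "$2" || { fail "key= file differs from first instance"; return 1; }
    cmp -s "$crt" "$3" || { fail "crt= file differs from first instance"; return 1; }
    property_set "$4" || { fail "force-replace property not set in $4"; return 1; }
}

# Run after the node has started and the property has been deleted again.
# $1=artifactory.log  $2=defaults file
post_start_check() {
    [ -f "$2" ] || { fail "$2 missing"; return 1; }
    grep -qF -e "$BANNER" "$1" || { fail "replacement banner not in $1"; return 1; }
    if property_set "$2"; then fail "force-replace property still in $2"; return 1; fi
    return 0
}
```

Call pre_start_check with the node's $ARTIFACTORY_HOME and the first instance's files, then post_start_check with the node's artifactory.log; each returns non-zero and names the failed step on stderr.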
