activemq-users mailing list archives
From David Laube <d...@stormpath.com>
Subject Activemq 5.8.0 - SSL networkConnector fails with certificate_unknown but HTTPs works?
Date Mon, 03 Feb 2014 20:13:58 GMT
Hi All,

We have run into an interesting issue while attempting to connect two ActiveMQ clusters over
SSL and/or NIO+SSL. We receive "certificate_unknown" exceptions when attempting to use SSL
or NIO+SSL, but not when using HTTPs. Preferably, we would like to use the former. For the
sake of this example, I have only included the config/log results of testing with SSL and
HTTPs. I have reviewed the docs at both http://activemq.apache.org/certificateunknown.html
and http://activemq.apache.org/how-do-i-use-ssl.html, making certain that the certificate
that exists on the public AMQ cluster (Cluster A) has been imported into both the trustStore
AND keyStore on the private AMQ cluster (Cluster B) for good measure. We have also imported
the certificate that exists on the private AMQ cluster (Cluster A) into both the trustStore
AND the keyStore on the public AMQ cluster (Cluster A). I am including two non-working configs
(defining SSL as the protocol for the networkConnector) and one working config which utilizes
HTTPS as the protocol. Any suggestions or insight as to what we may be doing wrong would be
greatly appreciated!

PROBLEM CONFIG #1:

Cluster-A "public broker" at 10.x.x.189 config:

<networkConnector name="staging-amq-broker-public-1" duplex="true" uri="masterslave:(ssl://10.x.x.119:61617,ssl://10.x.x.229:61617)?randomize=false&amp;timeout=15000"
            userName="public.gateway" password="${public.gateway.password}"/>

Cluster-B "private broker" at 10.x.x.119 logs:

2014-01-31 00:21:02,399 | ERROR | Could not accept connection from tcp://10.x.x.189:51015:
javax.net.ssl.SSLHandshakeException: Received fatal alert: certificate_unknown | org.apache.activemq.broker.TransportConnector
| ActiveMQ BrokerService[staging-amq-broker-private-1] Task-17
javax.net.ssl.SSLHandshakeException: Received fatal alert: certificate_unknown
        at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
        at sun.security.ssl.Alerts.getSSLException(Alerts.java:154)
        at sun.security.ssl.SSLSocketImpl.recvAlert(SSLSocketImpl.java:1748)
        at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:991)
        at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1175)
        at sun.security.ssl.SSLSocketImpl.writeRecord(SSLSocketImpl.java:657)
        at sun.security.ssl.AppOutputStream.write(AppOutputStream.java:108)
        at org.apache.activemq.transport.tcp.TcpBufferedOutputStream.flush(TcpBufferedOutputStream.java:115)
        at java.io.DataOutputStream.flush(DataOutputStream.java:123)
        at org.apache.activemq.transport.tcp.TcpTransport.oneway(TcpTransport.java:176)
        at org.apache.activemq.transport.AbstractInactivityMonitor.doOnewaySend(AbstractInactivityMonitor.java:322)
        at org.apache.activemq.transport.AbstractInactivityMonitor.oneway(AbstractInactivityMonitor.java:304)
        at org.apache.activemq.transport.WireFormatNegotiator.sendWireFormat(WireFormatNegotiator.java:168)
        at org.apache.activemq.transport.WireFormatNegotiator.sendWireFormat(WireFormatNegotiator.java:84)
        at org.apache.activemq.transport.WireFormatNegotiator.start(WireFormatNegotiator.java:74)
        at org.apache.activemq.transport.TransportFilter.start(TransportFilter.java:58)
        at org.apache.activemq.broker.TransportConnection.start(TransportConnection.java:988)
        at org.apache.activemq.broker.TransportConnector$1$1.run(TransportConnector.java:215)
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1146)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
        at java.lang.Thread.run(Thread.java:679)

=========================================

PROBLEM CONFIG #2 (using FQDN):

Cluster-A "public broker" at 10.x.x.189 config:

<networkConnector name="staging-amq-broker-public-1" duplex="true" uri="masterslave:(ssl://staging-master-prviate.mydomain.com:61617,ssl://staging-slave-private.mydomain.com:61617)?randomize=false&amp;timeout=15000"
            userName="public.gateway" password="${public.gateway.password}"/>

Cluster-B "private broker" at 10.x.x.119/staging-master-prviate.mydomain.com logs:

2014-02-03 19:33:11,221 | WARN  | Transport Connection to: tcp://10.x.x.189:36648 failed:
javax.net.ssl.SSLException: Connection has been shutdown: javax.net.ssl.SSLHandshakeException:
Received fatal alert: certificate_unknown | org.apache.activemq.broker.TransportConnection.Transport
| ActiveMQ Transport: ssl:///10.x.x.189:36648
2014-02-03 19:33:11,224 | ERROR | Could not accept connection from tcp://10.x.x.189:36648:
javax.net.ssl.SSLHandshakeException: Received fatal alert: certificate_unknown | org.apache.activemq.broker.TransportConnector
| ActiveMQ BrokerService[staging-amq-broker-private-1] Task-5
2014-02-03 19:33:11,378 | WARN  | Transport Connection to: tcp://10.x.x.189:36651 failed:
javax.net.ssl.SSLException: Connection has been shutdown: javax.net.ssl.SSLHandshakeException:
Received fatal alert: certificate_unknown | org.apache.activemq.broker.TransportConnection.Transport
| ActiveMQ Transport: ssl:///10.x.x.189:36651
2014-02-03 19:33:11,379 | ERROR | Could not accept connection from tcp://10.x.x.189:36651:
javax.net.ssl.SSLHandshakeException: Received fatal alert: certificate_unknown | org.apache.activemq.broker.TransportConnector
| ActiveMQ BrokerService[staging-amq-broker-private-1] Task-5
=========================================

WORKING config:

Cluster-A "public broker" at 10.x.x.189 config:

<networkConnector name="staging-amq-broker-public-1" duplex="true" uri="masterslave:(https://staging-master-prviate.mydomain.com:443,https://staging-slave-private.mydomain.com:443)?randomize=false&amp;timeout=15000"
            userName="public.gateway" password="${public.gateway.password}"/>

Cluster-B "private broker" at 10.x.x.119 logs:

2014-02-03 19:28:54,388 | INFO  | Connector vm://staging-amq-broker-private-1 Started | org.apache.activemq.broker.TransportConnector
| qtp472942585-55
2014-02-03 19:28:54,419 | INFO  | Started responder end of duplex bridge staging-amq-broker-public-1@ID:ip-10-x-x-189-52867-1391455827816-0:1
| org.apache.activemq.broker.TransportConnection | qtp472942585-55
2014-02-03 19:28:54,489 | INFO  | Network connection between vm://staging-amq-broker-private-1#0
and org.apache.activemq.transport.http.BlockingQueueTransport@6ff0ccc2(staging-amq-broker-public-1)
has been established. | org.apache.activemq.network.DemandForwardingBridgeSupport | triggerStartAsyncNetworkBridgeCreation:
remoteBroker=org.apache.activemq.transport.http.BlockingQueueTransport@6ff0ccc2, localBroker=
vm://staging-amq-broker-private-1#0
Best regards,
-David Laube
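A triage script for the broker logs quoted above, added here as an example; it is not part of the original post and not ActiveMQ code. In JSSE, "Received fatal alert: certificate_unknown" means the alert was sent by the remote peer, so on the accepting broker (Cluster B) it records that the connecting side (Cluster A, the TLS client) refused the certificate Cluster B presented; a local validation failure would instead surface as a "PKIX path building failed" message. The script parses the `timestamp | LEVEL | message | logger | thread` layout of the quoted lines, collapses the WARN/ERROR pair ActiveMQ writes for the same socket (note port 36648 appears in both a WARN and an ERROR line above), and reports which side rejected whom per remote host. The sample log is constructed from the quoted lines with each event joined onto one line and the masked 10.x.x.189 address kept as-is.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample: the events quoted in the post, each joined onto a single
# line (the mailing-list rendering wraps them). Addresses are the post's masked ones.
SAMPLE_LOG = """\
2014-01-31 00:21:02,399 | ERROR | Could not accept connection from tcp://10.x.x.189:51015: javax.net.ssl.SSLHandshakeException: Received fatal alert: certificate_unknown | org.apache.activemq.broker.TransportConnector | ActiveMQ BrokerService[staging-amq-broker-private-1] Task-17
2014-02-03 19:33:11,221 | WARN  | Transport Connection to: tcp://10.x.x.189:36648 failed: javax.net.ssl.SSLException: Connection has been shutdown: javax.net.ssl.SSLHandshakeException: Received fatal alert: certificate_unknown | org.apache.activemq.broker.TransportConnection.Transport | ActiveMQ Transport: ssl:///10.x.x.189:36648
2014-02-03 19:33:11,224 | ERROR | Could not accept connection from tcp://10.x.x.189:36648: javax.net.ssl.SSLHandshakeException: Received fatal alert: certificate_unknown | org.apache.activemq.broker.TransportConnector | ActiveMQ BrokerService[staging-amq-broker-private-1] Task-5
2014-02-03 19:33:11,378 | WARN  | Transport Connection to: tcp://10.x.x.189:36651 failed: javax.net.ssl.SSLException: Connection has been shutdown: javax.net.ssl.SSLHandshakeException: Received fatal alert: certificate_unknown | org.apache.activemq.broker.TransportConnection.Transport | ActiveMQ Transport: ssl:///10.x.x.189:36651
2014-02-03 19:33:11,379 | ERROR | Could not accept connection from tcp://10.x.x.189:36651: javax.net.ssl.SSLHandshakeException: Received fatal alert: certificate_unknown | org.apache.activemq.broker.TransportConnector | ActiveMQ BrokerService[staging-amq-broker-private-1] Task-5
2014-02-03 19:28:54,419 | INFO  | Started responder end of duplex bridge staging-amq-broker-public-1@ID:ip-10-x-x-189-52867-1391455827816-0:1 | org.apache.activemq.broker.TransportConnection | qtp472942585-55
"""

# TLS alerts that a peer sends when it cannot validate the certificate *we* presented.
PEER_REJECTED_ALERTS = {"certificate_unknown", "unknown_ca", "bad_certificate", "certificate_expired"}

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) \| "
    r"(?P<level>[A-Z]+)\s*\| (?P<msg>.*?) \| (?P<logger>\S+) \| (?P<thread>.*)$"
)
REMOTE_RE = re.compile(r"tcp://(?P<host>[^:/\s]+):(?P<port>\d+)")
RECEIVED_ALERT_RE = re.compile(r"Received fatal alert: (?P<alert>\w+)")
# Wording JSSE uses when *this* JVM fails to build a trust path for the peer's certificate.
LOCAL_REJECT_RE = re.compile(r"PKIX path building failed|unable to find valid certification path")


@dataclass(frozen=True)
class HandshakeFailure:
    timestamp: str
    level: str
    remote_host: str
    remote_port: int
    alert: str
    rejected_by: str  # "remote": peer refused our cert; "local": we refused theirs


def parse_failures(log_text: str) -> List[HandshakeFailure]:
    """Extract one record per log line that describes a failed TLS handshake."""
    failures: List[HandshakeFailure] = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        msg = m.group("msg")
        remote = REMOTE_RE.search(msg)
        if not remote:
            continue
        received = RECEIVED_ALERT_RE.search(msg)
        if received:
            alert = received.group("alert")
            rejected_by = "remote" if alert in PEER_REJECTED_ALERTS else "unknown"
        elif LOCAL_REJECT_RE.search(msg):
            alert, rejected_by = "local_validation_failed", "local"
        else:
            continue
        failures.append(HandshakeFailure(m.group("ts"), m.group("level"), remote.group("host"),
                                         int(remote.group("port")), alert, rejected_by))
    return failures


def summarize(log_text: str) -> Dict[str, dict]:
    """Group failures per remote host, counting each TCP connection once even though
    ActiveMQ logs both a WARN (transport) and an ERROR (connector) line for it."""
    by_host: Dict[str, dict] = {}
    for f in parse_failures(log_text):
        entry = by_host.setdefault(f.remote_host, {"ports": set(), "alerts": Counter(), "rejected_by": set()})
        if f.remote_port in entry["ports"]:
            continue  # second log line for the same socket
        entry["ports"].add(f.remote_port)
        entry["alerts"][f.alert] += 1
        entry["rejected_by"].add(f.rejected_by)
    return {host: {"connections": len(e["ports"]), "alerts": e["alerts"], "rejected_by": e["rejected_by"]}
            for host, e in by_host.items()}


def advice(summary: Dict[str, dict]) -> List[str]:
    """Turn the per-host summary into a statement of which truststore to inspect."""
    out = []
    for host, info in summary.items():
        if "remote" in info["rejected_by"]:
            out.append(f"{host} rejected this broker's certificate on {info['connections']} connection(s): "
                       f"the truststore used by the connecting side ({host}) must contain this broker's "
                       f"certificate or its issuing CA.")
        if "local" in info["rejected_by"]:
            out.append(f"this broker rejected the certificate presented by {host}: "
                       f"check this broker's own truststore.")
    return out


if __name__ == "__main__":
    for line in advice(summarize(SAMPLE_LOG)):
        print(line)
```

Run against a broker's activemq.log, the summary distinguishes "fix the other side's truststore" from "fix this side's truststore" before anyone starts re-importing certificates; for the quoted lines it points at the connecting (Cluster A) side.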