From: David Laube
To: "users@activemq.apache.org"
Subject: networkConnector over SSL results in certificate exception - AMQ 5.9.0
Date: Mon, 17 Feb 2014 12:00:43 -0800
Message-Id: <45435BDF-DF02-412A-8D97-D443DDF36B59@stormpath.com>

Hi All,

We're experiencing some issues trying to get two brokers running on a single host (for simplicity) talking to each other using a networkConnector over SSL.
I suspect I'm missing something somewhere, I just haven't found it yet ;) I've packaged two ActiveMQ 5.9.0 installations into a single project available at https://github.com/dlaube/amq-example along with a script (see below) to generate broker and client keyStores and trustStores according to http://activemq.apache.org/how-do-i-use-ssl.html

The script to generate the broker/client trustStore and keyStores is amq-example/apache-activemq-5.9.0-b/conf/gen-certs.sh

Broker-a = (directory apache-activemq-5.9.0) Default 5.9.0 config with sslContext and a single networkConnector which connects to Broker-b using the SSL protocol/transport via the following;

Broker-b = (directory apache-activemq-5.9.0-b) An ActiveMQ 5.9.0 config with sslContext and a single transportConnector using the following;

Broker-a logs:
2014-02-17 11:16:20,357 | WARN | Could not start network bridge between: vm://broker-a?async=false&network=true and: ssl://localhost:61626 due to: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: signature check failed | org.apache.activemq.network.DiscoveryNetworkConnector | ActiveMQ Task-7

Broker-b logs:
2014-02-17 11:15:20,302 | ERROR | Could not accept connection from tcp://127.0.0.1:50663: javax.net.ssl.SSLHandshakeException: Received fatal alert: certificate_unknown | org.apache.activemq.broker.TransportConnector | ActiveMQ BrokerService[broker-b] Task-9

I have followed http://activemq.apache.org/certificateunknown.html in that the client ts has been copied to broker-a. I have also tried setting the following properties inside the ACTIVEMQ_OPTS variable within bin/activemq;

javax.net.ssl.keyStore=/path/to/client.ks
javax.net.ssl.keyStorePassword=password
javax.net.ssl.trustStore=/path/to/client.ts

Does anyone see any problems with my config or keyStore/trustStore setup?
Any insight would be greatly appreciated. Thanks in advance!

Best regards,
-David Laube
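
Added example (not part of the original post or of the amq-example project): a shell check for one known way to reach the "signature check failed" error in the broker-a log, a trust store entry that has the same subject as the presented certificate but comes from an earlier key pair. It works on PEM files, which keytool -exportcert -rfc writes from a key store or trust store; the file names and subjects below are constructed, and the post does not establish that this condition is the cause here.

```shell
#!/bin/sh
# Added example: file names and subjects are constructed for this demo.

# Print the SHA-256 fingerprint of a PEM certificate.
fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# Create a self-signed certificate: $1 = key file, $2 = cert file, $3 = subject.
make_self_signed() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "$3" -keyout "$1" -out "$2" >/dev/null 2>&1
}

# Does the presented certificate validate against the trusted one?
verifies() {  # $1 = presented cert (PEM), $2 = trusted cert (PEM)
  if openssl verify -CAfile "$2" "$1" >/dev/null 2>&1; then echo ok; else echo fail; fi
}

# Classify how a presented certificate relates to one trust store entry.
#   match            same certificate, so the peer can validate it
#   stale-same-name  same subject, different key pair (regenerated certificate)
#   unrelated        different subject, the entry is for something else
classify() {  # $1 = presented cert (PEM), $2 = trusted cert (PEM)
  if [ "$(fingerprint "$1")" = "$(fingerprint "$2")" ]; then
    echo match
  elif [ "$(openssl x509 -in "$1" -noout -subject)" = \
         "$(openssl x509 -in "$2" -noout -subject)" ]; then
    echo stale-same-name
  else
    echo unrelated
  fi
}

# Constructed scenario: the trust store holds v1, the broker now presents v2.
demo() {
  d=$(mktemp -d)
  make_self_signed "$d/k1" "$d/broker_v1.pem" "/CN=localhost/O=demo"
  make_self_signed "$d/k2" "$d/broker_v2.pem" "/CN=localhost/O=demo"
  echo "v1 vs trusted v1: $(classify "$d/broker_v1.pem" "$d/broker_v1.pem")," \
       "verify $(verifies "$d/broker_v1.pem" "$d/broker_v1.pem")"
  echo "v2 vs trusted v1: $(classify "$d/broker_v2.pem" "$d/broker_v1.pem")," \
       "verify $(verifies "$d/broker_v2.pem" "$d/broker_v1.pem")"
  rm -rf "$d"
}
demo
```

A stale-same-name result means the trust store was exported before the key pair was last regenerated and needs to be re-exported from the current key store.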