Hi All,

We have run into an interesting issue while attempting to connect two ActiveMQ 
clusters over SSL and/or NIO+SSL. We receive "certificate_unknown" exceptions 
when attempting to use SSL or NIO+SSL, but not when using HTTPS. Preferably, we 
would like to use the former. For the sake of this example, I have only 
included the config/log results of testing with SSL and HTTPS. I have reviewed 
the docs at both http://activemq.apache.org/certificateunknown.html and 
http://activemq.apache.org/how-do-i-use-ssl.html, making certain that the 
certificate that exists on the public AMQ cluster (Cluster A) has been imported 
into both the trustStore AND keyStore on the private AMQ cluster (Cluster B) 
for good measure. We have also imported the certificate that exists on the 
private AMQ cluster (Cluster B) into both the trustStore AND the keyStore on 
the public AMQ cluster (Cluster A). I am including two non-working configs 
(defining SSL as the protocol for the networkConnector) and one working config 
which utilizes HTTPS as the protocol. Any suggestions or insight as to what we 
may be doing wrong would be greatly appreciated!

PROBLEM CONFIG #1:

Cluster-A "public broker" at 10.x.x.189 config:

<networkConnector name="staging-amq-broker-public-1" duplex="true"
    uri="masterslave:(ssl://10.x.x.119:61617,ssl://10.x.x.229:61617)?randomize=false&amp;timeout=15000"
    userName="public.gateway" password="${public.gateway.password}"/>

Cluster-B "private broker" at 10.x.x.119 logs:

2014-01-31 00:21:02,399 | ERROR | Could not accept connection from tcp://10.x.x.189:51015: javax.net.ssl.SSLHandshakeException: Received fatal alert: certificate_unknown | org.apache.activemq.broker.TransportConnector | ActiveMQ BrokerService[staging-amq-broker-private-1] Task-17
javax.net.ssl.SSLHandshakeException: Received fatal alert: certificate_unknown
        at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
        at sun.security.ssl.Alerts.getSSLException(Alerts.java:154)
        at sun.security.ssl.SSLSocketImpl.recvAlert(SSLSocketImpl.java:1748)
        at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:991)
        at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1175)
        at sun.security.ssl.SSLSocketImpl.writeRecord(SSLSocketImpl.java:657)
        at sun.security.ssl.AppOutputStream.write(AppOutputStream.java:108)
        at org.apache.activemq.transport.tcp.TcpBufferedOutputStream.flush(TcpBufferedOutputStream.java:115)
        at java.io.DataOutputStream.flush(DataOutputStream.java:123)
        at org.apache.activemq.transport.tcp.TcpTransport.oneway(TcpTransport.java:176)
        at org.apache.activemq.transport.AbstractInactivityMonitor.doOnewaySend(AbstractInactivityMonitor.java:322)
        at org.apache.activemq.transport.AbstractInactivityMonitor.oneway(AbstractInactivityMonitor.java:304)
        at org.apache.activemq.transport.WireFormatNegotiator.sendWireFormat(WireFormatNegotiator.java:168)
        at org.apache.activemq.transport.WireFormatNegotiator.sendWireFormat(WireFormatNegotiator.java:84)
        at org.apache.activemq.transport.WireFormatNegotiator.start(WireFormatNegotiator.java:74)
        at org.apache.activemq.transport.TransportFilter.start(TransportFilter.java:58)
        at org.apache.activemq.broker.TransportConnection.start(TransportConnection.java:988)
        at org.apache.activemq.broker.TransportConnector$1$1.run(TransportConnector.java:215)
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1146)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
        at java.lang.Thread.run(Thread.java:679)

=========================================

PROBLEM CONFIG #2 (using FQDN):

Cluster-A "public broker" at 10.x.x.189 config:

<networkConnector name="staging-amq-broker-public-1" duplex="true"
    uri="masterslave:(ssl://staging-master-prviate.mydomain.com:61617,ssl://staging-slave-private.mydomain.com:61617)?randomize=false&amp;timeout=15000"
    userName="public.gateway" password="${public.gateway.password}"/>

Cluster-B "private broker" at 10.x.x.119/staging-master-prviate.mydomain.com 
logs:

2014-02-03 19:33:11,221 | WARN  | Transport Connection to: tcp://10.x.x.189:36648 failed: javax.net.ssl.SSLException: Connection has been shutdown: javax.net.ssl.SSLHandshakeException: Received fatal alert: certificate_unknown | org.apache.activemq.broker.TransportConnection.Transport | ActiveMQ Transport: ssl:///10.x.x.189:36648
2014-02-03 19:33:11,224 | ERROR | Could not accept connection from tcp://10.x.x.189:36648: javax.net.ssl.SSLHandshakeException: Received fatal alert: certificate_unknown | org.apache.activemq.broker.TransportConnector | ActiveMQ BrokerService[staging-amq-broker-private-1] Task-5
2014-02-03 19:33:11,378 | WARN  | Transport Connection to: tcp://10.x.x.189:36651 failed: javax.net.ssl.SSLException: Connection has been shutdown: javax.net.ssl.SSLHandshakeException: Received fatal alert: certificate_unknown | org.apache.activemq.broker.TransportConnection.Transport | ActiveMQ Transport: ssl:///10.x.x.189:36651
2014-02-03 19:33:11,379 | ERROR | Could not accept connection from tcp://10.x.x.189:36651: javax.net.ssl.SSLHandshakeException: Received fatal alert: certificate_unknown | org.apache.activemq.broker.TransportConnector | ActiveMQ BrokerService[staging-amq-broker-private-1] Task-5

=========================================

WORKING config:

Cluster-A "public broker" at 10.x.x.189 config:

<networkConnector name="staging-amq-broker-public-1" duplex="true"
    uri="masterslave:(https://staging-master-prviate.mydomain.com:443,https://staging-slave-private.mydomain.com:443)?randomize=false&amp;timeout=15000"
    userName="public.gateway" password="${public.gateway.password}"/>

Cluster-B "private broker" at 10.x.x.119 logs:

2014-02-03 19:28:54,388 | INFO  | Connector vm://staging-amq-broker-private-1 Started | org.apache.activemq.broker.TransportConnector | qtp472942585-55
2014-02-03 19:28:54,419 | INFO  | Started responder end of duplex bridge staging-amq-broker-public-1@ID:ip-10-x-x-189-52867-1391455827816-0:1 | org.apache.activemq.broker.TransportConnection | qtp472942585-55
2014-02-03 19:28:54,489 | INFO  | Network connection between vm://staging-amq-broker-private-1#0 and org.apache.activemq.transport.http.BlockingQueueTransport@6ff0ccc2(staging-amq-broker-public-1) has been established. | org.apache.activemq.network.DemandForwardingBridgeSupport | triggerStartAsyncNetworkBridgeCreation: remoteBroker=org.apache.activemq.transport.http.BlockingQueueTransport@6ff0ccc2, localBroker= vm://staging-amq-broker-private-1#0

Best regards,
-David Laube
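The logs above contain one detail worth reading carefully before touching any more key stores: the private broker (the side accepting the connection) logs "Received fatal alert: certificate_unknown". In JSSE that phrase means the alert arrived from the peer, so it is the connecting broker at 10.x.x.189 whose trust manager threw a CertificateException for the certificate the private broker presented; a failure in the logging JVM's own trust store would instead show up as a local "PKIX path building failed" exception. The script below is an added example (not code from the post or from ActiveMQ): it classifies broker log lines by which side rejected the certificate, and it carries a small live probe that validates a broker's chain against a CA bundle the way a connecting JVM would. The log lines are constructed in the shape of the post's output, and the host name, port and CA path used by the probe are placeholders.

```python
"""Triage JSSE handshake failures in ActiveMQ broker logs.

Added example, not part of the original post or of ActiveMQ. The sample
log lines are constructed to match the shape of the post's Cluster-B log.
"""
import re
import socket
import ssl
from dataclasses import dataclass
from typing import List, Optional

# JSSE wording identifies WHICH side rejected a certificate:
#   "Received fatal alert: <name>"  -> the alert was sent BY the peer: the
#        peer's trust store rejected the certificate this JVM presented.
#   "PKIX path building failed" / "unable to find valid certification path"
#        -> this JVM's own trust store rejected the peer's certificate.
RECEIVED_ALERT = re.compile(r"Received fatal alert: (\w+)")
LOCAL_REJECT = re.compile(
    r"PKIX path building failed|unable to find valid certification path")
PEER = re.compile(r"tcp://([\w.]+):(\d+)")  # the post masks octets as 'x'


@dataclass
class Finding:
    peer: str         # remote address as logged
    alert: str        # TLS alert name, or "local" for a local PKIX failure
    rejected_by: str  # "peer" or "local"
    fix_on: str       # whose trust store is missing the certificate


def triage(line: str) -> Optional[Finding]:
    """Classify one broker log line; None if it is not a handshake failure."""
    peer_m = PEER.search(line)
    peer = peer_m.group(1) if peer_m else "unknown"
    alert_m = RECEIVED_ALERT.search(line)
    if alert_m:
        # The peer sent the alert, so the peer could not validate the chain
        # THIS broker presented: the missing trust anchor is on the peer.
        return Finding(peer=peer, alert=alert_m.group(1),
                       rejected_by="peer", fix_on=peer)
    if LOCAL_REJECT.search(line):
        return Finding(peer=peer, alert="local",
                       rejected_by="local", fix_on="this broker")
    return None


def triage_all(lines: List[str]) -> List[Finding]:
    return [f for f in map(triage, lines) if f is not None]


def probe(host: str, port: int, cafile: str, timeout: float = 5.0) -> str:
    """Repeat the check a connecting JVM performs: does the server's chain
    validate against `cafile` (a PEM bundle)?  Returns "trusted: ...",
    "untrusted: <reason>" or "error: <reason>".  Hostname matching is
    disabled so the result isolates chain trust from name mismatch."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = False
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return "trusted: " + str(tls.version())
    except ssl.SSLCertVerificationError as e:
        return "untrusted: " + str(e.verify_message)
    except (ssl.SSLError, OSError) as e:
        return "error: " + str(e)


# Constructed sample log (unmasked addresses are placeholders, not real hosts).
SAMPLE_LOG = [
    "2014-01-31 00:21:02,399 | ERROR | Could not accept connection from "
    "tcp://10.0.0.189:51015: javax.net.ssl.SSLHandshakeException: Received "
    "fatal alert: certificate_unknown | org.apache.activemq.broker."
    "TransportConnector | ActiveMQ BrokerService[private-1] Task-17",
    "2014-01-31 00:21:05,000 | WARN  | Transport Connection to: "
    "tcp://10.0.0.229:61617 failed: javax.net.ssl.SSLHandshakeException: "
    "sun.security.validator.ValidatorException: PKIX path building failed: "
    "unable to find valid certification path to requested target | ...",
    "2014-01-31 00:21:06,000 | INFO  | Connector vm://private-1 Started | ...",
]

if __name__ == "__main__":
    for f in triage_all(SAMPLE_LOG):
        print(f"{f.peer}: {f.alert} rejected by {f.rejected_by}; "
              f"add the missing CA/cert to the trust store on {f.fix_on}")
    # Live check against a real broker (placeholder host, port and CA path):
    # print(probe("private-broker.example", 61617, "/etc/pki/amq-ca.pem"))
```

Run against the post's own lines, every entry resolves to "rejected by peer, fix on 10.x.x.189", so the place to look is the trust store that the public broker's `ssl://` network connector actually consults (the JVM's `javax.net.ssl.trustStore` system properties or the broker's `<sslContext>` element, depending on how the broker is configured), rather than the private broker's stores. Problem config #2 using FQDNs fails identically to the IP form, which is consistent with a chain-trust problem rather than a name mismatch; `probe` with the CA bundle that the public broker is supposed to be using should reproduce the "untrusted" result before any fix and "trusted" after it.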