Posted to users@activemq.apache.org by bryce <br...@mbsys.us> on 2012/08/16 16:42:03 UTC

Certificate unknown error AFTER failover enabled

It shouldn't matter too much, but here is the way in which I am utilizing
ActiveMQ...

I am using an embedded ActiveMQ broker (via SslBrokerService) in Java code
for our company's software. I connect to the ActiveMQ broker (via
ActiveMQSslConnectionFactory) from two places: inside the Java code and from
Mirth Connect. 

Everything worked fine until I wanted to enable failover support. I first
set the broker failover flag to true. Then I changed the URL for the
connection from ssl://192.168.1.7:61616 to
failover:(ssl://192.168.1.7:61616)?initialReconnectDelay=100.

The failover seems to be working, but I get this error almost every second:
6936 [ActiveMQ Task-1] ERROR org.apache.activemq.broker.TransportConnector -
Could not accept connection : javax.net.ssl.SSLHandshakeException: Received
fatal alert: certificate_unknown

The certificate used in encryption worked fine before using failover.

Any suggestions?



--
View this message in context: http://activemq.2283324.n4.nabble.com/Certificate-unknown-error-AFTER-failover-enabled-tp4655212.html
Sent from the ActiveMQ - User mailing list archive at Nabble.com.

Re: Certificate unknown error AFTER failover enabled

Posted by bryce <br...@mbsys.us>.
I'm sorry.

I just realized Thread.setSslContext is wrong. I meant
SslContext.setCurrentSslContext

Re: Certificate unknown error AFTER failover enabled

Posted by bryce <br...@mbsys.us>.
I created a new JIRA (linking to the old one) here:

https://issues.apache.org/jira/browse/AMQ-3989

Please vote for it so Apache will look at the issue.

Thanks.

Re: Certificate unknown error AFTER failover enabled

Posted by bryce <br...@mbsys.us>.
Yes it is related to that JIRA. The JIRA says that 5.7 fixes this, BUT I
have re-tested my test code with the 5.7 snapshot and setKeyAndTrustManagers
does not work.

I found two workarounds: one using System.setProperty, the other using
Thread.setSslContext. But these are workarounds and I'd rather do things the
appropriate way.

http://activemq.2283324.n4.nabble.com/file/n4655495/ActiveMQFailoverTest.zip
ActiveMQFailoverTest.zip 

The above zip file contains a modified version of what I previously posted
(included is a readme.txt of how to compile and run). This version uses the
5.7 snapshot Jars with the same error coming up as with the 5.5.1 Jars. 

I don't know why the JIRA says this issue is resolved. Maybe for them it
worked. I'll try and add a different JIRA linking to the old JIRA. 

Re: Certificate unknown error AFTER failover enabled

Posted by Gary Tully <ga...@gmail.com>.
I think this is a case of https://issues.apache.org/jira/browse/AMQ-3785

On 22 August 2012 16:12, bryce <br...@mbsys.us> wrote:
> The problem is now solved...
>
> It turns out that ActiveMQSslConnectionFactory.setKeyAndTrustManagers does
> not work (at least in this context).
>
> Replacing that with the following does work:
>
> System.setProperty("javax.net.ssl.keyStore",KEY_STORE_FILE_NAME);
> System.setProperty("javax.net.ssl.keyStorePassword",KEY_STORE_PASSWORD);
> System.setProperty("javax.net.ssl.trustStore",TRUST_STORE_FILE_NAME);
> System.setProperty("javax.net.ssl.trustStorePassword",TRUST_STORE_PASSWORD);
>
> For Mirth (in case anyone out there is using it) I added command line flags
> (-Djavax...) corresponding to the ones above to the vmoptions file.
>
> Just wanted to let everyone know in case they have similar problems.

-- 
http://fusesource.com
http://blog.garytully.com

Re: Certificate unknown error AFTER failover enabled

Posted by bryce <br...@mbsys.us>.
The problem is now solved...

It turns out that ActiveMQSslConnectionFactory.setKeyAndTrustManagers does
not work (at least in this context).

Replacing that with the following does work:

System.setProperty("javax.net.ssl.keyStore",KEY_STORE_FILE_NAME);
System.setProperty("javax.net.ssl.keyStorePassword",KEY_STORE_PASSWORD);
System.setProperty("javax.net.ssl.trustStore",TRUST_STORE_FILE_NAME); 
System.setProperty("javax.net.ssl.trustStorePassword",TRUST_STORE_PASSWORD);

For Mirth (in case anyone out there is using it) I added command line flags
(-Djavax...) corresponding to the ones above to the vmoptions file.

Just wanted to let everyone know in case they have similar problems.
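
As an added example (not code from this thread or from the ActiveMQ project): an embedded SslBrokerService plus a failover client that supplies its key and trust material through SslContext.setCurrentSslContext, the workaround bryce names elsewhere in the thread, instead of the JVM-wide javax.net.ssl.* system properties shown above. The store paths, passwords and the localhost:61616 address are assumed placeholders.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import javax.jms.Connection;
import javax.net.ssl.*;
import org.apache.activemq.ActiveMQSslConnectionFactory;
import org.apache.activemq.broker.SslBrokerService;
import org.apache.activemq.broker.SslContext;

public class FailoverSslExample {
    // Placeholder paths and passwords; substitute your own stores.
    static final String KEY_STORE_FILE_NAME = "broker.ks";
    static final String KEY_STORE_PASSWORD = "changeit";
    static final String TRUST_STORE_FILE_NAME = "broker.ts";
    static final String TRUST_STORE_PASSWORD = "changeit";

    static KeyStore loadStore(String path, String password) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(path)) {
            ks.load(in, password.toCharArray());
        }
        return ks;
    }

    public static void main(String[] args) throws Exception {
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(loadStore(KEY_STORE_FILE_NAME, KEY_STORE_PASSWORD), KEY_STORE_PASSWORD.toCharArray());
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(loadStore(TRUST_STORE_FILE_NAME, TRUST_STORE_PASSWORD));
        KeyManager[] km = kmf.getKeyManagers();
        TrustManager[] tm = tmf.getTrustManagers();

        // Embedded SSL broker; the same stores serve both ends here, as in the thread's test case.
        SslBrokerService broker = new SslBrokerService();
        broker.setPersistent(false);
        broker.setUseJmx(false);
        broker.addSslConnector("ssl://localhost:61616", km, tm, null);
        broker.start();

        // Client side: hand the key/trust material to ActiveMQ's SslContext so the failover
        // transport's reconnect thread finds it, without changing the JVM-wide javax.net.ssl.*
        // properties, which would also alter the trust decisions of every other TLS client in the process.
        SslContext.setCurrentSslContext(new SslContext(km, tm, null));
        ActiveMQSslConnectionFactory factory = new ActiveMQSslConnectionFactory(
            "failover:(ssl://localhost:61616)?initialReconnectDelay=100");
        factory.setKeyAndTrustManagers(km, tm, null); // reported in the thread as not honoured under failover on its own
        Connection connection = factory.createConnection();
        connection.start();
        connection.close();
        broker.stop();
    }
}
```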

Re: Certificate unknown error AFTER failover enabled

Posted by bryce <br...@mbsys.us>.
Sorry, the previous post was truncated by the forum. Here it is again:

1. Create an embedded ActiveMQ TCP broker with failover enabled

2. Connect to the embedded ActiveMQ TCP broker with failover URL

3. Stop connection and embedded ActiveMQ TCP broker

4. Create an embedded ActiveMQ SSL broker with failover enabled

5. Connect to the embedded ActiveMQ SSL broker with failover URL (THIS IS
WHERE THE CERTIFICATE UNKNOWN ERROR OCCURS)

Optionally, a non-failover ActiveMQ SSL broker can be started and connected
to in order to prove that SSL and the certificates work. 

No need to create producers or consumers since the error occurs before
getting that far.

Re: Certificate unknown error AFTER failover enabled

Posted by bryce <br...@mbsys.us>.
Attached is a ZIP file with all necessary code, libraries, and certificates.

The project can be opened in Netbeans. Make sure to change the running
directory to the folder enclosed in the ZIP file. Everything else is
specified as a relative path.

The code is very simple and demonstrates the test case perfectly. The
version of the ActiveMQ Jar is 5.5.1 (5.6 has the same error; I include
5.5.1 because it is what I am currently using and it outputs to the console by
default). Here is the test case that the code demon
http://activemq.2283324.n4.nabble.com/file/n4655312/ActiveMQFailoverTest.zip
ActiveMQFailoverTest.zip 

4. Start an embedded SSL ActiveMQ broker with failover support enabled

5. Connect to embedded SSL ActiveMQ broker using failover URL (THIS IS WHERE
THE CERTIFICATE UNKNOWN ERROR OCCURS)

Optionally, a non-failover ActiveMQ SSL broker can be started and connected
to in order to prove that SSL and the certificates work.

No need to create producers or consumers since the error occurs before
getting that far.

Re: Certificate unknown error AFTER failover enabled

Posted by Timothy Bish <ta...@gmail.com>.
On Fri, 2012-08-17 at 12:22 -0700, bryce wrote: 
> I might try to post some test code later. For now...
> 
> Does failover work with SSL?
> 
> I ask because once I disable SSL it works fine. 
> 

It just works fine with SSL, that's why a test case would be of use
here.


-- 
Tim Bish
Sr Software Engineer | FuseSource Corp
tim.bish@fusesource.com | www.fusesource.com
skype: tabish121 | twitter: @tabish121
blog: http://timbish.blogspot.com/


Re: Certificate unknown error AFTER failover enabled

Posted by bryce <br...@mbsys.us>.
I might try to post some test code later. For now...

Does failover work with SSL?

I ask because once I disable SSL it works fine. 

Re: Certificate unknown error AFTER failover enabled

Posted by Dejan Bosanac <de...@nighttale.net>.
Hi,

can you create a test case that demonstrates it and raise a Jira?

Regards
-- 
Dejan Bosanac
Senior Software Engineer | FuseSource Corp.
dejanb@fusesource.com | fusesource.com
skype: dejan.bosanac | twitter: @dejanb
blog: http://www.nighttale.net
ActiveMQ in Action: http://www.manning.com/snyder/


On Thu, Aug 16, 2012 at 4:42 PM, bryce <br...@mbsys.us> wrote:
> It shouldn't matter too much, but here is the way in which I am utilizing
> ActiveMQ...
>
> I am using an embedded ActiveMQ broker (via SslBrokerService) in Java code
> for our company's software. I connect to the ActiveMQ broker (via
> ActiveMQSslConnectionFactory) from two places: inside the Java code and from
> Mirth Connect.
>
> Everything worked fine until I wanted to enable failover support. I first
> set the broker failover flag to true. Then I changed the URL for the
> connection from ssl://192.168.1.7:61616 to
> failover:(ssl://192.168.1.7:61616)?initialReconnectDelay=100.
>
> The failover seems to be working, but I get this error almost every second:
> 6936 [ActiveMQ Task-1] ERROR org.apache.activemq.broker.TransportConnector -
> Could not accept connection : javax.net.ssl.SSLHandshakeException: Received
> fatal alert: certificate_unknown
>
> The certificate used in encryption worked fine before using failover.
>
> Any suggestions?