Posted to users@activemq.apache.org by "Charlie P." <cp...@kaya.io> on 2014/04/25 04:36:44 UTC

SSL problems with apollo 1.7, unknown_ca error

Hi all,

I'm trying to install Apollo 1.7 and set SSL with my own server 
certificate (issued by startcom).

Steps performed:

 1. Created JKS
 2. Imported my private key using keytool
 3. Configured apollo.xml to use my new keytool.

Now the web admin HTTPS interface works fine, but it's the SSL connection 
to the MQTT broker that isn't working. I've been testing using 
mosquitto_pub and get this:

mosquitto_pub -h dev.kaya.io -p 61614 -f ~/input  -t chazman --cafile /media/truecrypt1/SSL/kaya-startssl/ca.pem -d
Client mosqpub/10571-brahma sending CONNECT
OpenSSL Error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Error: Protocol error

In my Stacktrace.log I get these errors below. Does anyone have any 
ideas what's wrong?

--- LOGS

==> connection.log <==
2014-04-25 10:35:47,614 connected: local:/127.0.0.1:61614, 
remote:/127.0.0.1:42632

==> apollo.log <==
2014-04-25 10:35:47,972 | INFO  | javax.net.ssl.SSLException: Received 
fatal alert: unknown_ca | 14596bd0785

==> stacktrace.log <==
2014-04-25 10:35:47,973 | INFO  | stackref=14596bd0785
javax.net.ssl.SSLException: Received fatal alert: unknown_ca
     at sun.security.ssl.Alerts.getSSLException(Alerts.java:208)
     at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1630)
     at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1598)
     at sun.security.ssl.SSLEngineImpl.recvAlert(SSLEngineImpl.java:1767)
     at sun.security.ssl.SSLEngineImpl.readRecord(SSLEngineImpl.java:1063)
     at sun.security.ssl.SSLEngineImpl.readNetRecord(SSLEngineImpl.java:887)
     at sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:761)
     at javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:624)
     at org.fusesource.hawtdispatch.transport.SslTransport.secure_read(SslTransport.java:369)
     at org.fusesource.hawtdispatch.transport.SslTransport.handshake(SslTransport.java:434)
     at org.fusesource.hawtdispatch.transport.SslTransport.drainInbound(SslTransport.java:274)
     at org.fusesource.hawtdispatch.transport.TcpTransport$6.run(TcpTransport.java:588)
     at org.fusesource.hawtdispatch.internal.NioDispatchSource$3.run(NioDispatchSource.java:209)
     at org.fusesource.hawtdispatch.internal.SerialDispatchQueue.run(SerialDispatchQueue.java:100)
     at org.fusesource.hawtdispatch.internal.pool.SimpleThread.run(SimpleThread.java:77)

==> connection.log <==
2014-04-25 10:35:47,977 disconnected: local:/127.0.0.1:61614, 
remote:/127.0.0.1:42632




Re: SSL problems with apollo 1.7, unknown_ca error

Posted by "Charlie P." <cp...@kaya.io>.
Problem was resolved by creating a new JKS with the entire certificate chain added. Interestingly, the web admin page worked fine without the chain but the MQTT connector did not.

Can anybody advise how we can get this fix added as a note in the docs?
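The failure mode in this thread, reproduced offline: the client trusts only the root (as mosquitto_pub --cafile does), and the broker presents either the leaf alone (a keystore built without the chain) or the leaf plus its intermediate (the fixed keystore). This is an added example, not part of the original messages or of Apollo; every name, subject and the WORK directory are constructed, and it needs only the openssl CLI.

```shell
#!/bin/sh
# Added example, not from the thread: reproduces the "certificate verify failed" /
# unknown_ca outcome offline with a constructed root -> intermediate -> leaf chain.
# The client trusts only the root (as mosquitto_pub --cafile ca.pem does); the
# server presents either the leaf alone (keystore built without the chain) or
# leaf plus intermediate (keystore built with the full chain). Needs only openssl.
WORK="${WORK:-${TMPDIR:-/tmp}/chain-demo.$$}"

# Build the constructed test PKI in $WORK (subshell: set -e and cd stay local).
make_test_chain() (
    set -e
    mkdir -p "$WORK" && cd "$WORK"
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' >ca.ext
    # Root CA: the only thing the client's --cafile contains.
    openssl req -new -newkey rsa:2048 -nodes -keyout root.key -out root.csr -subj "/CN=Demo Root" 2>/dev/null
    openssl x509 -req -in root.csr -signkey root.key -days 1 -extfile ca.ext -out root.pem 2>/dev/null
    # Intermediate CA: the certificate a leaf-only keystore never sends.
    openssl req -new -newkey rsa:2048 -nodes -keyout int.key -out int.csr -subj "/CN=Demo Intermediate" 2>/dev/null
    openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial -days 1 -extfile ca.ext -out int.pem 2>/dev/null
    # Server (leaf) certificate, issued by the intermediate.
    openssl req -new -newkey rsa:2048 -nodes -keyout leaf.key -out leaf.csr -subj "/CN=broker.example.test" 2>/dev/null
    openssl x509 -req -in leaf.csr -CA int.pem -CAkey int.key -CAcreateserial -days 1 -out leaf.pem 2>/dev/null
    # What a keystore holding the whole chain makes the server present.
    cat leaf.pem int.pem >leaf-and-chain.pem
)

# Client-side view. $1 is the set of certificates the server presented; openssl
# verify treats it as untrusted chain material, trusts only root.pem, and checks
# the leaf. Prints "ok" or "unknown_ca" (the alert the Java side logged).
client_verify() {
    if openssl verify -CAfile "$WORK/root.pem" -untrusted "$1" "$WORK/leaf.pem" >/dev/null 2>&1; then
        echo ok
    else
        echo unknown_ca   # no path from the leaf to a trusted root
    fi
}

# Stand-alone run: sh chain-demo.sh demo
if [ "${1:-}" = "demo" ]; then
    make_test_chain || { echo "openssl setup failed" >&2; exit 1; }
    echo "server presents leaf only:    $(client_verify "$WORK/leaf.pem")"
    echo "server presents leaf + chain: $(client_verify "$WORK/leaf-and-chain.pem")"
    rm -rf "$WORK"
fi
```

The equivalent check on an existing JKS is `keytool -list -v -keystore <store>`: a key entry reporting `Certificate chain length: 1` holds only the leaf, which is exactly the state the broker was in before the chain was imported.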
