Posted to users@qpid.apache.org by Graham Leggett <mi...@sharp.fm> on 2013/10/09 15:27:51 UTC
qpid startup: error Failed to initialise SSL plugin: Failed to load certificate 'Server-Cert'
Hi all,
I am trying to configure an SSL enabled version of the qpid-cpp broker, and I am struggling to get it to work. The broker starts and runs as follows:
qpidd 17764 0.3 2.3 239728 11692 ? Ssl 13:15 0:00 /usr/sbin/qpidd --data-dir /var/lib/qpidd --daemon --ssl-cert-db sql:/etc/pki/nssdb --ssl-cert-name Server-Cert --ssl-port 5672 --ssl-require-client-authentication --ssl-sasl-no-dict
The logfile complains as follows:
Oct 9 13:15:29 localhost qpidd[17764]: 2013-10-09 13:15:29 error Failed to initialise SSL plugin: Failed to load certificate 'Server-Cert' (qpid/sys/ssl/SslSocket.cpp:184)
Oct 9 13:15:29 localhost qpidd[17764]: 2013-10-09 13:15:29 notice Broker running
Unfortunately the error "Failed to load certificate 'Server-Cert'" is incomplete as it refuses to reveal why it failed to load the server-cert, leaving me stuck.
The NSS database at sql:/etc/pki/nssdb contains the server certificate, the CA certificate, and the full intermediate chain, and the CA cert is trusted:
-bash-4.1$ certutil -L -d sql:/etc/pki/nssdb
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI
"Server-Cert"                                                u,u,u
[snip]                                                       ,,
[snip]                                                       ,,
CA-Cert                                                      CT,,
Anyone have any ideas?
Regards,
Graham
--
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@qpid.apache.org
For additional commands, e-mail: users-help@qpid.apache.org
Re: qpid startup: error Failed to initialise SSL plugin: Failed to load certificate 'Server-Cert'
Posted by Gordon Sim <gs...@redhat.com>.
On 10/09/2013 02:42 PM, Graham Leggett wrote:
> On 09 Oct 2013, at 3:27 PM, Graham Leggett <mi...@sharp.fm> wrote:
>
>> Oct 9 13:15:29 localhost qpidd[17764]: 2013-10-09 13:15:29 error Failed to initialise SSL plugin: Failed to load certificate 'Server-Cert' (qpid/sys/ssl/SslSocket.cpp:184)
>
>> "Server-Cert" u,u,u
>
> The cause of the problem was found - the nickname in the NSS certificate database had quotes around it.
>
> Is it possible to improve the error message to explicitly say the certificate was not found?
I'm not sure... The NSS function 'PK11_FindCertFromNickname' is called,
which returns the certificate if successful or NULL if 'unsuccessful'.
My assumption was there might be other reasons for not being able to
retrieve it, hence the more ambiguous error message. I'm not sure if
there is some other way of getting more details on why it was
'unsuccessful'.
Re: qpid startup: error Failed to initialise SSL plugin: Failed to load certificate 'Server-Cert'
Posted by Graham Leggett <mi...@sharp.fm>.
On 09 Oct 2013, at 3:27 PM, Graham Leggett <mi...@sharp.fm> wrote:
> Oct 9 13:15:29 localhost qpidd[17764]: 2013-10-09 13:15:29 error Failed to initialise SSL plugin: Failed to load certificate 'Server-Cert' (qpid/sys/ssl/SslSocket.cpp:184)
> "Server-Cert" u,u,u
The cause of the problem was found - the nickname in the NSS certificate database had quotes around it.
Is it possible to improve the error message to explicitly say the certificate was not found?
Regards,
Graham
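
Added example (not part of the original thread, and not qpid or NSS code): a small Python check that parses `certutil -L` output and reports when the name given to --ssl-cert-name has no exact match but differs from a stored nickname only by surrounding quotes, whitespace or case, which is the situation found above. The function names and the embedded listing (reconstructed from the one posted in the thread) are assumptions of this example.

```python
import re

# Trust column as printed by `certutil -L`, e.g. "u,u,u", "CT,,", ",,".
TRUST_RE = re.compile(r"^[A-Za-z]*,[A-Za-z]*,[A-Za-z]*$")

# Constructed sample: the listing from the thread, [snip] rows kept as posted.
SAMPLE = '''\
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI
"Server-Cert"                                                u,u,u
[snip]                                                       ,,
[snip]                                                       ,,
CA-Cert                                                      CT,,
'''

def parse_nicknames(listing):
    """Return [(nickname, trust)] for each certificate row in the listing."""
    entries = []
    for line in listing.splitlines():
        # The trust flags are the last whitespace-separated field; the
        # nickname is everything before it and may itself contain spaces.
        parts = line.rstrip().rsplit(None, 1)
        if len(parts) == 2 and TRUST_RE.match(parts[1]):
            entries.append((parts[0].strip(), parts[1]))
    return entries

def normalise(name):
    """Fold quotes, outer whitespace and case so look-alike names compare equal."""
    return name.strip().strip("\"'").strip().casefold()

def diagnose(listing, wanted):
    """Classify how `wanted` (the --ssl-cert-name value) relates to the database."""
    entries = parse_nicknames(listing)
    for nick, _trust in entries:
        if nick == wanted:            # exact, byte-for-byte match
            return ("ok", nick)
    for nick, _trust in entries:
        if normalise(nick) == normalise(wanted):
            return ("near-miss", nick)  # e.g. quotes stored as part of the nickname
    return ("missing", None)

if __name__ == "__main__":
    status, stored = diagnose(SAMPLE, "Server-Cert")
    print(f"--ssl-cert-name Server-Cert: {status} (stored nickname: {stored!r})")
```
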