Disclamier:对不起这篇冗长的帖子!我想尽可能清晰准确。
我正在尝试为ActiveMQ(Mac OS X 10.9.4和ActiveMQ 5.9.1)设置HTTPS REST端点。通过使用,
我能够通过以下命令将消息添加到队列并在ActiveMQ Web控制台(https://localhost:8162/)中查看:
curl -k -u admin:admin -d "body=message" https://localhost:8162/api/message/TEST?type=queue
但是,我想使用自己的证书,而不是使用ActiveMQ提供的默认证书。另外,我希望能够在没有-k (i.e. --insecure)参数的情况下使用cURL。我做了以下生成密钥:
# create server (broker) keystore and certificate, create client truststore and import the server certificate to it.
keytool -genkey -alias amq-server -keyalg RSA -keysize 2048 -validity 90 -keystore amq-server.ks -keypass 123456 -storepass 123456 -dname CN=JohnSmith
keytool -export -alias amq-server -keystore amq-server.ks -storepass 123456 -file amq-server_cert
keytool -genkey -alias amq-client -keyalg RSA -keysize 2048 -validity 90 -keystore amq-client.ks -keypass 123456 -storepass 123456 -dname CN=ClientBlack
keytool -import -noprompt -alias amq-client -keystore amq-client.ts -storepass 123456 -keypass 123456 -file amq-server_cert
另外,我修改了conf/jetty.xml如下:
<bean id="SecureConnector" class="org.eclipse.jetty.server.ssl.SslSelectChannelConnector">
<property name="port" value="8162" />
<property name="keystore" value="file:${activemq.conf}/amq-server.ks" />
<property name="password" value="123456" />
</bean>
最后,我使用以下命令将我的服务器(代理)密钥库转换为PEM格式:
keytool -importkeystore -srckeystore amq-server.ks -destkeystore amq-server.p12 -srcstoretype jks -deststoretype pkcs12 -srcstorepass 123456 -deststorepass 123456
openssl pkcs12 -in amq-server.p12 -out amq-server.pem
当我尝试使用以下任何一种时:
curl --cacert ~/dev/apache-activemq-5.9.1/conf/amq-server.pem -u admin:admin -v -d "body=message7" https://localhost:8162/api/message/TEST?type=queue
OR (just changing pem with p12)
curl --cacert ~/dev/apache-activemq-5.9.1/conf/amq-server.p12:123456 -u admin:admin -v -d "body=message7" https://localhost:8162/api/message/TEST?type=queue
我收到以下错误:
* Adding handle: conn: 0x7f897c80aa00
* Adding handle: send: 0
* Adding handle: recv: 0
* Curl_addHandleToPipeline: length: 1
* - Conn 0 (0x7f897c80aa00) send_pipe: 1, recv_pipe: 0
* About to connect() to localhost port 8162 (#0)
* Trying ::1...
* Connected to localhost (::1) port 8162 (#0)
* SSL certificate problem: Invalid certificate chain
* Closing connection 0
curl: (60) SSL certificate problem: Invalid certificate chain
More details here: http://curl.haxx.se/docs/sslcerts.html
现在,在此之后我尝试了以下内容:
cd /Library/Java/JavaVirtualMachines/jdk1.7.0_45.jdk/Contents/Home/jre/lib/security
sudo keytool -import -trustcacerts -file ~/dev/apache-activemq-5.9.1/conf/amq-server_cert -alias amq-server -keystore ./cacerts -storepass changeit -noprompt
不幸的是,我仍然得到相同的cURL错误。我还发现cURL在Mac OS X Mavericks中存在证书问题,并在SSL Certificates - OS X Mavericks中尝试了补救措施(实质上,将服务器密钥库amq-server.p12添加到Mac OS Keychain登录和系统证书中,并且还尝试过使用--cacert amq-server.p12:123456格式的cURL)这些也没有解决问题。然后我尝试将以下内容添加到activemq.xml:
<transportConnector name="https" uri="https://0.0.0.0:61684"/>
然后,我发现我无法再在浏览器中打开https://localhost:8162/(此网页不可用),而且cURL给我curl: (7) Failed connect to localhost:8162; Connection refused错误。
顺便说一下,在上面说明的每个步骤之后,我用:
停止ActiveMQbin/activemq stop
然后重新开始:
bin/activemq start -Djavax.net.ssl.keyStore=~/dev/apache-activemq-5.9.1/conf/amq-server.ks -Djavax.net.ssl.keyStorePassword=123456 -Djavax.net.ssl.trustStore=~/dev/apache-activemq-5.9.1/conf/amq-server.ts -Djavax.net.ssl.trustStorePassword=123456 -Djavax.net.debug=all
所以,我的问题是:
transportConnector添加到activemq.xml时,为什么会出现“拒绝连接”错误?8162和61684的确切角色是什么?谢谢!
编辑1:
我发现了bin/activemq console命令,它给了我更多的信息。我也意识到我正在通过-Djavax.net.ssl.trustStore=~/dev/apache-activemq-5.9.1/conf/amq-server.ts参数,即使我没有amq-server.ts。我创建了一个,并将amq-client_cert和amq-server_cert放入其中。另外,我用绝对路径名改变了所有相对路径名。我仍然有问题,但我相信这些都需要修复。此外,这是来自ActiveMQ控制台的相关调试转储(编辑一些不必要的原始字节等):
Using SSLEngineImpl.
Allow unsafe renegotiation: false
Allow legacy hello messages: true
Is initial handshake: true
Is secure renegotiation: false
[Raw read]: length = 5
0000: 16 03 01 00 BF .....
[Raw read]: length = 191
0000: 01 00 00 BB 03 03 53 D2 A5 8D 34 17 06 07 58 85 ......S...4...X.
0010: 4D A5 66 8E E6 42 B4 0A BA 36 B3 71 E5 AD 71 58 M.f..B...6.q..qX
0020: 40 61 69 B5 D0 1D 00 00 5E 00 FF C0 24 C0 23 C0 @ai.....^...$.#.
0030: 0A C0 09 C0 07 C0 08 C0 28 C0 27 C0 14 C0 13 C0 ........(.'.....
0040: 11 C0 12 C0 26 C0 25 C0 2A C0 29 C0 05 C0 04 C0 ....&.%.*.).....
0050: 02 C0 03 C0 0F C0 0E C0 0C C0 0D 00 3D 00 3C 00 ............=.<.
0060: 2F 00 05 00 04 00 35 00 0A 00 67 00 6B 00 33 00 /.....5...g.k.3.
0070: 39 00 16 00 AF 00 AE 00 8D 00 8C 00 8A 00 8B 00 9...............
0080: B1 00 B0 00 2C 00 3B 01 00 00 34 00 00 00 0E 00 ....,.;...4.....
0090: 0C 00 00 09 6C 6F 63 61 6C 68 6F 73 74 00 0A 00 ....localhost...
00A0: 08 00 06 00 17 00 18 00 19 00 0B 00 02 01 00 00 ................
00B0: 0D 00 0C 00 0A 05 01 04 01 02 01 04 03 02 03 ...............
qtp912856016-98, READ: TLSv1 Handshake, length = 191
*** ClientHello, TLSv1.2
RandomCookie: GMT: 1389470861 bytes = { 52, 23, 6, 7, 88, 133, 77, 165, 102, 142, 230, 66, 180, 10, 186, 54, 179, 113, 229, 173, 113, 88, 64, 97, 105, 181, 208, 29 }
Session ID: {}
Cipher Suites: [TLS_EMPTY_RENEGOTIATION_INFO_SCSV, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_RC4_128_SHA, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDH_ECDSA_WITH_RC4_128_SHA, TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_RSA_WITH_AES_256_CBC_SHA, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, TLS_ECDH_RSA_WITH_RC4_128_SHA, TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_RC4_128_SHA, SSL_RSA_WITH_RC4_128_MD5, TLS_RSA_WITH_AES_256_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, TLS_PSK_WITH_AES_256_CBC_SHA384, TLS_PSK_WITH_AES_128_CBC_SHA256, TLS_PSK_WITH_AES_256_CBC_SHA, TLS_PSK_WITH_AES_128_CBC_SHA, TLS_PSK_WITH_RC4_128_SHA, TLS_PSK_WITH_3DES_EDE_CBC_SHA, TLS_PSK_WITH_NULL_SHA384, TLS_PSK_WITH_NULL_SHA256, TLS_PSK_WITH_NULL_SHA, TLS_RSA_WITH_NULL_SHA256]
Compression Methods: { 0 }
Extension server_name, server_name: [host_name: localhost]
Extension elliptic_curves, curve names: {secp256r1, secp384r1, secp521r1}
Extension ec_point_formats, formats: [uncompressed]
Extension signature_algorithms, signature_algorithms: SHA384withRSA, SHA256withRSA, SHA1withRSA, SHA256withECDSA, SHA1withECDSA
***
[read] MD5 and SHA1 hashes: len = 191
0000: 01 00 00 BB 03 03 53 D2 A5 8D 34 17 06 07 58 85 ......S...4...X.
0010: 4D A5 66 8E E6 42 B4 0A BA 36 B3 71 E5 AD 71 58 M.f..B...6.q..qX
0020: 40 61 69 B5 D0 1D 00 00 5E 00 FF C0 24 C0 23 C0 @ai.....^...$.#.
0030: 0A C0 09 C0 07 C0 08 C0 28 C0 27 C0 14 C0 13 C0 ........(.'.....
0040: 11 C0 12 C0 26 C0 25 C0 2A C0 29 C0 05 C0 04 C0 ....&.%.*.).....
0050: 02 C0 03 C0 0F C0 0E C0 0C C0 0D 00 3D 00 3C 00 ............=.<.
0060: 2F 00 05 00 04 00 35 00 0A 00 67 00 6B 00 33 00 /.....5...g.k.3.
0070: 39 00 16 00 AF 00 AE 00 8D 00 8C 00 8A 00 8B 00 9...............
0080: B1 00 B0 00 2C 00 3B 01 00 00 34 00 00 00 0E 00 ....,.;...4.....
0090: 0C 00 00 09 6C 6F 63 61 6C 68 6F 73 74 00 0A 00 ....localhost...
00A0: 08 00 06 00 17 00 18 00 19 00 0B 00 02 01 00 00 ................
00B0: 0D 00 0C 00 0A 05 01 04 01 02 01 04 03 02 03 ...............
%% Initialized: [Session-6, SSL_NULL_WITH_NULL_NULL]
%% Negotiating: [Session-6, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256]
*** ServerHello, TLSv1.2
RandomCookie: GMT: 1389470861 bytes = { 253, 146, 229, 68, 48, 212, 3, 8, 113, 71, 109, 110, 184, 188, 198, 5, 154, 125, 169, 214, 91, 62, 7, 160, 209, 234, 192, 113 }
Session ID: {83, 210, 165, 141, 67, 144, 76, 190, 108, 169, 166, 110, 244, 43, 203, 94, 33, 250, 61, 25, 173, 144, 78, 5, 18, 237, 44, 62, 216, 239, 136, 216}
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
Compression Method: 0
Extension renegotiation_info, renegotiated_connection: <empty>
***
Cipher suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
*** Certificate chain
chain [0] = [
[
Version: V3
Subject: CN=JohnSmith
Signature Algorithm: SHA256withRSA, OID = 1.2.840.113549.1.1.11
Key: Sun RSA public key, 2048 bits
modulus: 23443053568440042246531872968622973697701206618166078931212659460396425391980877938302410947640918723945398633811909745246922517027436466308653487666338280101966482309719126372779122526329803061293848183628816382389433439362099975823230525386905011886252381517523892058843409147388887295981911246906888339817495259393348887347266311244472033630192873726881579789730820158345394536738010457875814538778722469498249439501737234201246276532676924740000249757406932101045895162819707223648268675317346645714862960034871361001771712210647437473089523986958365303768943687792233055665803773956096876559907271222453818932683
public exponent: 65537
Validity: [From: Fri Jul 25 15:14:25 BST 2014,
To: Thu Oct 23 15:14:25 BST 2014]
Issuer: CN=JohnSmith
SerialNumber: [ 4bbf23ad]
Certificate Extensions: 1
[1]: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 11 8B 53 73 97 BE 8B AA 23 06 CD 34 86 F8 14 58 ..Ss....#..4...X
0010: B0 F9 E9 8D ....
]
]
]
Algorithm: [SHA256withRSA]
Signature:
0000: A4 96 FE 04 D2 21 17 6E ED 00 DA AE 05 A0 45 E1 .....!.n......E.
0010: 9B C7 8D DD BA 97 11 CE 5A 02 D1 05 0E 0E 90 6F ........Z......o
0020: 75 26 59 E4 2B A8 8E A4 C1 3B 2C AC 20 1E 5F E9 u&Y.+....;,. ._.
0030: 78 97 58 1B F1 8D B0 41 95 0A C7 69 67 22 76 2C x.X....A...ig"v,
0040: BF 3A B6 5A A1 CC FE 16 1A 18 5A 53 D2 E8 51 7C .:.Z......ZS..Q.
0050: 1A BF 23 0F C1 75 FB F5 01 72 A8 3F 3F D0 86 C6 ..#..u...r.??...
0060: EB C3 AF 70 BB 1D E6 B6 96 44 BD 21 2B E0 9A 83 ...p.....D.!+...
0070: 04 C2 E9 4B D6 84 BC 03 7A BA 12 38 A7 36 82 03 ...K....z..8.6..
0080: C5 C3 77 3B 83 64 19 38 E8 03 26 64 5A AF F3 FB ..w;.d.8..&dZ...
0090: A1 0E 07 24 AC 77 39 31 67 4C 13 CD 19 A5 55 53 ...$.w91gL....US
00A0: BB B9 F8 CA 57 19 E6 B2 3A B1 6A F7 2E 0A 6D 1A ....W...:.j...m.
00B0: 03 96 A0 F1 19 51 45 A1 66 67 DD 5E CC 03 9A C1 .....QE.fg.^....
00C0: 93 A2 6F D0 D1 26 23 DB B8 1B 10 6C 46 D8 20 6C ..o..&#....lF. l
00D0: 34 CE 7C FD 8B 57 37 4C C0 E5 DB 7B 45 27 8A C7 4....W7L....E'..
00E0: 0A 19 60 E0 7F 2F 9F 7A CE E2 C0 99 ED 8E 65 74 ..`../.z......et
00F0: E5 16 63 3C DC EB 6F C2 E0 F9 68 E7 4D 4D 42 9A ..c<..o...h.MMB.
]
***
*** ECDH ServerKeyExchange
Signature Algorithm SHA384withRSA
Server key: Sun EC public key, 256 bits
public x coord: 24723137471290150466369886238486766785229281750738143116146132931059687741723
public y coord: 45716326424554000158606804317014537804446576101681363567734642117747889965832
parameters: secp256r1 [NIST P-256, X9.62 prime256v1] (1.2.840.10045.3.1.7)
*** ServerHelloDone
[write] MD5 and SHA1 hashes: len = 1143
!!!! REDACTED
qtp912856016-98, WRITE: TLSv1.2 Handshake, length = 1143
[Raw write]: length = 1148
!!!! REDACTED
[Raw read]: length = 5
0000: 15 03 03 00 02 .....
[Raw read]: length = 2
0000: 02 2E ..
qtp912856016-98, READ: TLSv1.2 Alert, length = 2
qtp912856016-98, RECV TLSv1.2 ALERT: fatal, certificate_unknown
qtp912856016-98, fatal: engine already closed. Rethrowing javax.net.ssl.SSLException: Received fatal alert: certificate_unknown
qtp912856016-98, fatal: engine already closed. Rethrowing javax.net.ssl.SSLException: Received fatal alert: certificate_unknown
WARN | javax.net.ssl.SSLException: Received fatal alert: certificate_unknown
答案 0 :(得分:1)
最后,我能够解决我的问题。主要问题是cURL被破坏了。以下是必要的步骤:
生成密钥时,使用localhost作为公用名(CN)
&#34; -dname CN=localhost&#34; as it is apparently used too when verifying
the certificate.
使用wget而不是cURL:
wget --http-user=admin --http-password=admin --post-data="body=foowget22" https://localhost:8162/api/message/TEST\?type\=queue --ca-certificate=~/dev/apache-activemq-5.9.1/conf/amq-server.pem
此外,您可以使用openssl s_client -connect localhost:8162 -CAfile ~/dev/apache-activemq-5.9.1/conf/amq-server.pem进行验证,看看它是否返回Verify return code: 0 (ok)