Curl ActiveMQ自签名证书导致错误
Disclamier:对不起,这篇文章太长了!我正在尽可能的清晰和准确 我正在尝试为ActiveMQ(Mac OS X 10.9.4和ActiveMQ 5.9.1)设置HTTPS REST端点。通过使用 我能够将消息添加到队列中,并在ActiveMQ Web控制台中查看它(Curl ActiveMQ自签名证书导致错误,curl,https,jetty,activemq,keytool,Curl,Https,Jetty,Activemq,Keytool,Disclamier:对不起,这篇文章太长了!我正在尽可能的清晰和准确 我正在尝试为ActiveMQ(Mac OS X 10.9.4和ActiveMQ 5.9.1)设置HTTPS REST端点。通过使用 我能够将消息添加到队列中,并在ActiveMQ Web控制台中查看它(https://localhost:8162/)通过此命令: curl -k -u admin:admin -d "body=message" https://localhost:8162/api/message/TE
https://localhost:8162/
)通过此命令:
curl -k -u admin:admin -d "body=message" https://localhost:8162/api/message/TEST?type=queue
但是,我希望使用自己的证书,而不是使用ActiveMQ提供的默认证书。另外,我希望能够在不使用-k(即--unsecure)
参数的情况下使用cURL。我执行了以下操作来生成密钥:
# create server (broker) keystore and certificate, create client truststore and import the server certificate to it.
keytool -genkey -alias amq-server -keyalg RSA -keysize 2048 -validity 90 -keystore amq-server.ks -keypass 123456 -storepass 123456 -dname CN=JohnSmith
keytool -export -alias amq-server -keystore amq-server.ks -storepass 123456 -file amq-server_cert
keytool -genkey -alias amq-client -keyalg RSA -keysize 2048 -validity 90 -keystore amq-client.ks -keypass 123456 -storepass 123456 -dname CN=ClientBlack
keytool -import -noprompt -alias amq-client -keystore amq-client.ts -storepass 123456 -keypass 123456 -file amq-server_cert
另外,我修改了conf/jetty.xml
,如下所示:
<bean id="SecureConnector" class="org.eclipse.jetty.server.ssl.SslSelectChannelConnector">
<property name="port" value="8162" />
<property name="keystore" value="file:${activemq.conf}/amq-server.ks" />
<property name="password" value="123456" />
</bean>
当我尝试使用以下任一选项时:
curl --cacert ~/dev/apache-activemq-5.9.1/conf/amq-server.pem -u admin:admin -v -d "body=message7" https://localhost:8162/api/message/TEST?type=queue
OR (just changing pem with p12)
curl --cacert ~/dev/apache-activemq-5.9.1/conf/amq-server.p12:123456 -u admin:admin -v -d "body=message7" https://localhost:8162/api/message/TEST?type=queue
我得到以下错误:
* Adding handle: conn: 0x7f897c80aa00
* Adding handle: send: 0
* Adding handle: recv: 0
* Curl_addHandleToPipeline: length: 1
* - Conn 0 (0x7f897c80aa00) send_pipe: 1, recv_pipe: 0
* About to connect() to localhost port 8162 (#0)
* Trying ::1...
* Connected to localhost (::1) port 8162 (#0)
* SSL certificate problem: Invalid certificate chain
* Closing connection 0
curl: (60) SSL certificate problem: Invalid certificate chain
More details here: http://curl.haxx.se/docs/sslcerts.html
现在,在这一点之后,我尝试了以下方法:
cd /Library/Java/JavaVirtualMachines/jdk1.7.0_45.jdk/Contents/Home/jre/lib/security
sudo keytool -import -trustcacerts -file ~/dev/apache-activemq-5.9.1/conf/amq-server_cert -alias amq-server -keystore ./cacerts -storepass changeit -noprompt
不幸的是,我仍然得到相同的旋度误差。我还发现cURL在Mac OS X Mavericks中的证书存在问题,并在中尝试了解决方法(基本上,将服务器密钥库amq-server.p12添加到Mac OS密钥链登录和系统证书中,还尝试使用--cacert amq server.p12:123456
格式的cURL),但这些也没有解决问题。然后我尝试将以下内容添加到activemq.xml
:
<transportConnector name="https" uri="https://0.0.0.0:61684"/>
再从以下几点开始:
bin/activemq start -Djavax.net.ssl.keyStore=~/dev/apache-activemq-5.9.1/conf/amq-server.ks -Djavax.net.ssl.keyStorePassword=123456 -Djavax.net.ssl.trustStore=~/dev/apache-activemq-5.9.1/conf/amq-server.ts -Djavax.net.ssl.trustStorePassword=123456 -Djavax.net.debug=all
因此,我的问题是:
- 我怎样才能做到这一点
- 当我将
添加到transportConnector
时,为什么会出现“连接被拒绝”错误activemq.xml
- 端口
和8162
的确切作用是什么61684
- 如果这是cURL的问题,那么最简单的方法是什么
bin/activemq console
命令,这给了我更多的信息。我还意识到我正在传递-Djavax.net.ssl.trustStore=~/dev/apache-activemq-5.9.1/conf/amq server.ts
参数,即使我没有amq server.ts
。我创建了一个,并将amq-client\u cert
和amq-server\u cert
放入其中。此外,我将所有相对路径名更改为绝对路径名。我仍然有问题,但我相信这些问题需要解决。此外,这里还有一个来自ActiveMQ控制台的相关调试转储(编辑一些不必要的原始字节等):
使用SSLEngineImpl。
允许不安全的重新协商:false
允许旧版hello消息:true
第一次握手是否正确
是否安全重新谈判:错误
[原始读取]:长度=5
0000:16030100 BF。。。。。
[原始读取]:长度=191
0000:01 00 00 BB 03 53 D2 A5 8D 34 17 06 07 58 85…S…4…X。
0010:4D A5 66 8E E6 42 B4 0A BA 36 B3 71 E5 AD 71 58 M.f..B..6.q..qX
0020:40 61 69 B5 D0 1D 00 5E 00 FF C0 24 C0 23 C0@ai…^…$。
0030:0A C0 09 C0 07 C0 08 C0 28 C0 27 C0 14 C0 13 C0…….(.....)。。。。。
0040:11 C0 12 C0 26 C0 25 C0 2A C0 29 C0 05 C0 04 C0…..&.%.*)。。。。。
0050:02 C0 03 C0 0F C0 0E C0 0C C0 0D 00 3D 00 3C 00………..。最后,我能够解决我的问题。主要的问题是卷曲被打破了。以下是必要的步骤:
生成密钥时,使用localhost
作为公共名称(CN)
“-dname CN=localhost
”
使用wget而不是cURL:
wget--http user=admin--http password=admin--post data=“body=foowget22”https://localhost:8162/api/message/TEST\?type\=队列--ca证书=~/dev/apache-activemq-5.9.1/conf/amq server.pem
此外,您可以使用openssl s_client-connectlocalhost:8162-CAfile~/dev/apache-activemq-5.9.1/conf/amq server.pem进行验证,并查看它是否返回验证返回代码:0(确定)
bin/activemq stop
bin/activemq start -Djavax.net.ssl.keyStore=~/dev/apache-activemq-5.9.1/conf/amq-server.ks -Djavax.net.ssl.keyStorePassword=123456 -Djavax.net.ssl.trustStore=~/dev/apache-activemq-5.9.1/conf/amq-server.ts -Djavax.net.ssl.trustStorePassword=123456 -Djavax.net.debug=all
Using SSLEngineImpl.
Allow unsafe renegotiation: false
Allow legacy hello messages: true
Is initial handshake: true
Is secure renegotiation: false
[Raw read]: length = 5
0000: 16 03 01 00 BF .....
[Raw read]: length = 191
0000: 01 00 00 BB 03 03 53 D2 A5 8D 34 17 06 07 58 85 ......S...4...X.
0010: 4D A5 66 8E E6 42 B4 0A BA 36 B3 71 E5 AD 71 58 M.f..B...6.q..qX
0020: 40 61 69 B5 D0 1D 00 00 5E 00 FF C0 24 C0 23 C0 @ai.....^...$.#.
0030: 0A C0 09 C0 07 C0 08 C0 28 C0 27 C0 14 C0 13 C0 ........(.'.....
0040: 11 C0 12 C0 26 C0 25 C0 2A C0 29 C0 05 C0 04 C0 ....&.%.*.).....
0050: 02 C0 03 C0 0F C0 0E C0 0C C0 0D 00 3D 00 3C 00 ............=.<.
0060: 2F 00 05 00 04 00 35 00 0A 00 67 00 6B 00 33 00 /.....5...g.k.3.
0070: 39 00 16 00 AF 00 AE 00 8D 00 8C 00 8A 00 8B 00 9...............
0080: B1 00 B0 00 2C 00 3B 01 00 00 34 00 00 00 0E 00 ....,.;...4.....
0090: 0C 00 00 09 6C 6F 63 61 6C 68 6F 73 74 00 0A 00 ....localhost...
00A0: 08 00 06 00 17 00 18 00 19 00 0B 00 02 01 00 00 ................
00B0: 0D 00 0C 00 0A 05 01 04 01 02 01 04 03 02 03 ...............
qtp912856016-98, READ: TLSv1 Handshake, length = 191
*** ClientHello, TLSv1.2
RandomCookie: GMT: 1389470861 bytes = { 52, 23, 6, 7, 88, 133, 77, 165, 102, 142, 230, 66, 180, 10, 186, 54, 179, 113, 229, 173, 113, 88, 64, 97, 105, 181, 208, 29 }
Session ID: {}
Cipher Suites: [TLS_EMPTY_RENEGOTIATION_INFO_SCSV, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_RC4_128_SHA, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDH_ECDSA_WITH_RC4_128_SHA, TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_RSA_WITH_AES_256_CBC_SHA, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, TLS_ECDH_RSA_WITH_RC4_128_SHA, TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_RC4_128_SHA, SSL_RSA_WITH_RC4_128_MD5, TLS_RSA_WITH_AES_256_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, TLS_PSK_WITH_AES_256_CBC_SHA384, TLS_PSK_WITH_AES_128_CBC_SHA256, TLS_PSK_WITH_AES_256_CBC_SHA, TLS_PSK_WITH_AES_128_CBC_SHA, TLS_PSK_WITH_RC4_128_SHA, TLS_PSK_WITH_3DES_EDE_CBC_SHA, TLS_PSK_WITH_NULL_SHA384, TLS_PSK_WITH_NULL_SHA256, TLS_PSK_WITH_NULL_SHA, TLS_RSA_WITH_NULL_SHA256]
Compression Methods: { 0 }
Extension server_name, server_name: [host_name: localhost]
Extension elliptic_curves, curve names: {secp256r1, secp384r1, secp521r1}
Extension ec_point_formats, formats: [uncompressed]
Extension signature_algorithms, signature_algorithms: SHA384withRSA, SHA256withRSA, SHA1withRSA, SHA256withECDSA, SHA1withECDSA
***
[read] MD5 and SHA1 hashes: len = 191
0000: 01 00 00 BB 03 03 53 D2 A5 8D 34 17 06 07 58 85 ......S...4...X.
0010: 4D A5 66 8E E6 42 B4 0A BA 36 B3 71 E5 AD 71 58 M.f..B...6.q..qX
0020: 40 61 69 B5 D0 1D 00 00 5E 00 FF C0 24 C0 23 C0 @ai.....^...$.#.
0030: 0A C0 09 C0 07 C0 08 C0 28 C0 27 C0 14 C0 13 C0 ........(.'.....
0040: 11 C0 12 C0 26 C0 25 C0 2A C0 29 C0 05 C0 04 C0 ....&.%.*.).....
0050: 02 C0 03 C0 0F C0 0E C0 0C C0 0D 00 3D 00 3C 00 ............=.<.
0060: 2F 00 05 00 04 00 35 00 0A 00 67 00 6B 00 33 00 /.....5...g.k.3.
0070: 39 00 16 00 AF 00 AE 00 8D 00 8C 00 8A 00 8B 00 9...............
0080: B1 00 B0 00 2C 00 3B 01 00 00 34 00 00 00 0E 00 ....,.;...4.....
0090: 0C 00 00 09 6C 6F 63 61 6C 68 6F 73 74 00 0A 00 ....localhost...
00A0: 08 00 06 00 17 00 18 00 19 00 0B 00 02 01 00 00 ................
00B0: 0D 00 0C 00 0A 05 01 04 01 02 01 04 03 02 03 ...............
%% Initialized: [Session-6, SSL_NULL_WITH_NULL_NULL]
%% Negotiating: [Session-6, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256]
*** ServerHello, TLSv1.2
RandomCookie: GMT: 1389470861 bytes = { 253, 146, 229, 68, 48, 212, 3, 8, 113, 71, 109, 110, 184, 188, 198, 5, 154, 125, 169, 214, 91, 62, 7, 160, 209, 234, 192, 113 }
Session ID: {83, 210, 165, 141, 67, 144, 76, 190, 108, 169, 166, 110, 244, 43, 203, 94, 33, 250, 61, 25, 173, 144, 78, 5, 18, 237, 44, 62, 216, 239, 136, 216}
Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
Compression Method: 0
Extension renegotiation_info, renegotiated_connection: <empty>
***
Cipher suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
*** Certificate chain
chain [0] = [
[
Version: V3
Subject: CN=JohnSmith
Signature Algorithm: SHA256withRSA, OID = 1.2.840.113549.1.1.11
Key: Sun RSA public key, 2048 bits
modulus: 23443053568440042246531872968622973697701206618166078931212659460396425391980877938302410947640918723945398633811909745246922517027436466308653487666338280101966482309719126372779122526329803061293848183628816382389433439362099975823230525386905011886252381517523892058843409147388887295981911246906888339817495259393348887347266311244472033630192873726881579789730820158345394536738010457875814538778722469498249439501737234201246276532676924740000249757406932101045895162819707223648268675317346645714862960034871361001771712210647437473089523986958365303768943687792233055665803773956096876559907271222453818932683
public exponent: 65537
Validity: [From: Fri Jul 25 15:14:25 BST 2014,
To: Thu Oct 23 15:14:25 BST 2014]
Issuer: CN=JohnSmith
SerialNumber: [ 4bbf23ad]
Certificate Extensions: 1
[1]: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 11 8B 53 73 97 BE 8B AA 23 06 CD 34 86 F8 14 58 ..Ss....#..4...X
0010: B0 F9 E9 8D ....
]
]
]
Algorithm: [SHA256withRSA]
Signature:
0000: A4 96 FE 04 D2 21 17 6E ED 00 DA AE 05 A0 45 E1 .....!.n......E.
0010: 9B C7 8D DD BA 97 11 CE 5A 02 D1 05 0E 0E 90 6F ........Z......o
0020: 75 26 59 E4 2B A8 8E A4 C1 3B 2C AC 20 1E 5F E9 u&Y.+....;,. ._.
0030: 78 97 58 1B F1 8D B0 41 95 0A C7 69 67 22 76 2C x.X....A...ig"v,
0040: BF 3A B6 5A A1 CC FE 16 1A 18 5A 53 D2 E8 51 7C .:.Z......ZS..Q.
0050: 1A BF 23 0F C1 75 FB F5 01 72 A8 3F 3F D0 86 C6 ..#..u...r.??...
0060: EB C3 AF 70 BB 1D E6 B6 96 44 BD 21 2B E0 9A 83 ...p.....D.!+...
0070: 04 C2 E9 4B D6 84 BC 03 7A BA 12 38 A7 36 82 03 ...K....z..8.6..
0080: C5 C3 77 3B 83 64 19 38 E8 03 26 64 5A AF F3 FB ..w;.d.8..&dZ...
0090: A1 0E 07 24 AC 77 39 31 67 4C 13 CD 19 A5 55 53 ...$.w91gL....US
00A0: BB B9 F8 CA 57 19 E6 B2 3A B1 6A F7 2E 0A 6D 1A ....W...:.j...m.
00B0: 03 96 A0 F1 19 51 45 A1 66 67 DD 5E CC 03 9A C1 .....QE.fg.^....
00C0: 93 A2 6F D0 D1 26 23 DB B8 1B 10 6C 46 D8 20 6C ..o..&#....lF. l
00D0: 34 CE 7C FD 8B 57 37 4C C0 E5 DB 7B 45 27 8A C7 4....W7L....E'..
00E0: 0A 19 60 E0 7F 2F 9F 7A CE E2 C0 99 ED 8E 65 74 ..`../.z......et
00F0: E5 16 63 3C DC EB 6F C2 E0 F9 68 E7 4D 4D 42 9A ..c<..o...h.MMB.
]
***
*** ECDH ServerKeyExchange
Signature Algorithm SHA384withRSA
Server key: Sun EC public key, 256 bits
public x coord: 24723137471290150466369886238486766785229281750738143116146132931059687741723
public y coord: 45716326424554000158606804317014537804446576101681363567734642117747889965832
parameters: secp256r1 [NIST P-256, X9.62 prime256v1] (1.2.840.10045.3.1.7)
*** ServerHelloDone
[write] MD5 and SHA1 hashes: len = 1143
!!!! REDACTED
qtp912856016-98, WRITE: TLSv1.2 Handshake, length = 1143
[Raw write]: length = 1148
!!!! REDACTED
[Raw read]: length = 5
0000: 15 03 03 00 02 .....
[Raw read]: length = 2
0000: 02 2E ..
qtp912856016-98, READ: TLSv1.2 Alert, length = 2
qtp912856016-98, RECV TLSv1.2 ALERT: fatal, certificate_unknown
qtp912856016-98, fatal: engine already closed. Rethrowing javax.net.ssl.SSLException: Received fatal alert: certificate_unknown
qtp912856016-98, fatal: engine already closed. Rethrowing javax.net.ssl.SSLException: Received fatal alert: certificate_unknown
WARN | javax.net.ssl.SSLException: Received fatal alert: certificate_unknown