Curl ActiveMQ self-signed certificate causing an error

Tags: curl, https, jetty, activemq, keytool

Disclaimer: sorry, this post is long! I am trying to be as clear and accurate as possible.

I am trying to set up an HTTPS REST endpoint for ActiveMQ (Mac OS X 10.9.4 and ActiveMQ 5.9.1). With the default configuration:

  • I am able to add messages to the queue and see them in the ActiveMQ web console (https://localhost:8162/) with this command:

    curl -k -u admin:admin -d "body=message" https://localhost:8162/api/message/TEST?type=queue

However, I want to use my own certificate instead of the default one ActiveMQ ships with. I also want to be able to use cURL without the -k (i.e. --insecure) flag. I did the following to generate the keys:

    # create server (broker) keystore and certificate, create client truststore and import the server certificate to it.
    keytool -genkey -alias amq-server -keyalg RSA -keysize 2048 -validity 90 -keystore amq-server.ks -keypass 123456 -storepass 123456 -dname CN=JohnSmith
    keytool -export -alias amq-server -keystore amq-server.ks -storepass 123456 -file amq-server_cert
    keytool -genkey -alias amq-client -keyalg RSA -keysize 2048 -validity 90 -keystore amq-client.ks -keypass 123456 -storepass 123456 -dname CN=ClientBlack
    keytool -import -noprompt -alias amq-client -keystore amq-client.ts -storepass 123456 -keypass 123456 -file amq-server_cert
    
I also modified conf/jetty.xml as follows:

    <bean id="SecureConnector" class="org.eclipse.jetty.server.ssl.SslSelectChannelConnector">
        <property name="port" value="8162" />
        <property name="keystore" value="file:${activemq.conf}/amq-server.ks" />
        <property name="password" value="123456" />
    </bean>
    
When I try either of the following:

    curl --cacert ~/dev/apache-activemq-5.9.1/conf/amq-server.pem -u admin:admin -v -d "body=message7" https://localhost:8162/api/message/TEST?type=queue
       OR (just changing pem with p12)
    curl --cacert ~/dev/apache-activemq-5.9.1/conf/amq-server.p12:123456 -u admin:admin -v -d "body=message7" https://localhost:8162/api/message/TEST?type=queue
    
I get the following error:

    * Adding handle: conn: 0x7f897c80aa00
    * Adding handle: send: 0
    * Adding handle: recv: 0
    * Curl_addHandleToPipeline: length: 1
    * - Conn 0 (0x7f897c80aa00) send_pipe: 1, recv_pipe: 0
    * About to connect() to localhost port 8162 (#0)
    *   Trying ::1...
    * Connected to localhost (::1) port 8162 (#0)
    * SSL certificate problem: Invalid certificate chain
    * Closing connection 0
    curl: (60) SSL certificate problem: Invalid certificate chain
    More details here: http://curl.haxx.se/docs/sslcerts.html
    
After this, I tried the following:

    cd /Library/Java/JavaVirtualMachines/jdk1.7.0_45.jdk/Contents/Home/jre/lib/security
    sudo keytool -import -trustcacerts -file ~/dev/apache-activemq-5.9.1/conf/amq-server_cert -alias amq-server -keystore ./cacerts -storepass changeit -noprompt
    
Unfortunately, I still get the same curl error. I also found that cURL has certificate problems on Mac OS X Mavericks and tried the suggested workaround (basically, adding the server keystore amq-server.p12 to the Mac OS keychain's login and system certificates, and also trying cURL with the --cacert amq-server.p12:123456 form), but these did not solve the problem either. I then tried adding the following to activemq.xml:

    <transportConnector name="https" uri="https://0.0.0.0:61684"/>
    
and starting it with:

    bin/activemq start -Djavax.net.ssl.keyStore=~/dev/apache-activemq-5.9.1/conf/amq-server.ks  -Djavax.net.ssl.keyStorePassword=123456  -Djavax.net.ssl.trustStore=~/dev/apache-activemq-5.9.1/conf/amq-server.ts  -Djavax.net.ssl.trustStorePassword=123456 -Djavax.net.debug=all
    
So my questions are:

  • How can I achieve this?
  • Why do I get a "connection refused" error when I add the transportConnector to activemq.xml?
  • What exactly do ports 8162 and 61684 do?
  • If this is a cURL problem, what is the simplest way around it?

Thanks

Edit 1: I discovered the bin/activemq console command, which gives me more information. I also realised I was passing the -Djavax.net.ssl.trustStore=~/dev/apache-activemq-5.9.1/conf/amq-server.ts parameter even though I did not have an amq-server.ts. I created one and put amq-client_cert and amq-server_cert into it. I also changed all relative path names to absolute ones. I still have problems, but I believe these needed fixing. A relevant debug dump from the ActiveMQ console (with some unnecessary raw bytes etc. redacted) is included below.

Answer (posted by the asker):

Finally, I was able to solve my problem. The main problem was that curl was broken. Here are the necessary steps:

  • When generating the key, use localhost as the common name (CN): -dname CN=localhost

  • Use wget instead of cURL:

    wget --http-user=admin --http-password=admin --post-data="body=foowget22" https://localhost:8162/api/message/TEST\?type\=queue --ca-certificate=~/dev/apache-activemq-5.9.1/conf/amq-server.pem

  • Additionally, you can verify with

    openssl s_client -connect localhost:8162 -CAfile ~/dev/apache-activemq-5.9.1/conf/amq-server.pem

    and check that it returns

    Verify return code: 0 (ok)

Debug dump referred to in Edit 1 (ActiveMQ console output after restarting the broker as follows):

    bin/activemq stop

    bin/activemq start -Djavax.net.ssl.keyStore=~/dev/apache-activemq-5.9.1/conf/amq-server.ks  -Djavax.net.ssl.keyStorePassword=123456  -Djavax.net.ssl.trustStore=~/dev/apache-activemq-5.9.1/conf/amq-server.ts  -Djavax.net.ssl.trustStorePassword=123456 -Djavax.net.debug=all

    Using SSLEngineImpl.
    Allow unsafe renegotiation: false
    Allow legacy hello messages: true
    Is initial handshake: true
    Is secure renegotiation: false
    [Raw read]: length = 5
    0000: 16 03 01 00 BF                                     .....
    [Raw read]: length = 191
    0000: 01 00 00 BB 03 03 53 D2   A5 8D 34 17 06 07 58 85  ......S...4...X.
    0010: 4D A5 66 8E E6 42 B4 0A   BA 36 B3 71 E5 AD 71 58  M.f..B...6.q..qX
    0020: 40 61 69 B5 D0 1D 00 00   5E 00 FF C0 24 C0 23 C0  @ai.....^...$.#.
    0030: 0A C0 09 C0 07 C0 08 C0   28 C0 27 C0 14 C0 13 C0  ........(.'.....
    0040: 11 C0 12 C0 26 C0 25 C0   2A C0 29 C0 05 C0 04 C0  ....&.%.*.).....
    0050: 02 C0 03 C0 0F C0 0E C0   0C C0 0D 00 3D 00 3C 00  ............=.<.
    0060: 2F 00 05 00 04 00 35 00   0A 00 67 00 6B 00 33 00  /.....5...g.k.3.
    0070: 39 00 16 00 AF 00 AE 00   8D 00 8C 00 8A 00 8B 00  9...............
    0080: B1 00 B0 00 2C 00 3B 01   00 00 34 00 00 00 0E 00  ....,.;...4.....
    0090: 0C 00 00 09 6C 6F 63 61   6C 68 6F 73 74 00 0A 00  ....localhost...
    00A0: 08 00 06 00 17 00 18 00   19 00 0B 00 02 01 00 00  ................
    00B0: 0D 00 0C 00 0A 05 01 04   01 02 01 04 03 02 03     ...............
    qtp912856016-98, READ: TLSv1 Handshake, length = 191
    *** ClientHello, TLSv1.2
    RandomCookie:  GMT: 1389470861 bytes = { 52, 23, 6, 7, 88, 133, 77, 165, 102, 142, 230, 66, 180, 10, 186, 54, 179, 113, 229, 173, 113, 88, 64, 97, 105, 181, 208, 29 }
    Session ID:  {}
    Cipher Suites: [TLS_EMPTY_RENEGOTIATION_INFO_SCSV, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_RC4_128_SHA, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDH_ECDSA_WITH_RC4_128_SHA, TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_RSA_WITH_AES_256_CBC_SHA, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, TLS_ECDH_RSA_WITH_RC4_128_SHA, TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_RC4_128_SHA, SSL_RSA_WITH_RC4_128_MD5, TLS_RSA_WITH_AES_256_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, TLS_PSK_WITH_AES_256_CBC_SHA384, TLS_PSK_WITH_AES_128_CBC_SHA256, TLS_PSK_WITH_AES_256_CBC_SHA, TLS_PSK_WITH_AES_128_CBC_SHA, TLS_PSK_WITH_RC4_128_SHA, TLS_PSK_WITH_3DES_EDE_CBC_SHA, TLS_PSK_WITH_NULL_SHA384, TLS_PSK_WITH_NULL_SHA256, TLS_PSK_WITH_NULL_SHA, TLS_RSA_WITH_NULL_SHA256]
    Compression Methods:  { 0 }
    Extension server_name, server_name: [host_name: localhost]
    Extension elliptic_curves, curve names: {secp256r1, secp384r1, secp521r1}
    Extension ec_point_formats, formats: [uncompressed]
    Extension signature_algorithms, signature_algorithms: SHA384withRSA, SHA256withRSA, SHA1withRSA, SHA256withECDSA, SHA1withECDSA
    ***
    [read] MD5 and SHA1 hashes:  len = 191
    0000: 01 00 00 BB 03 03 53 D2   A5 8D 34 17 06 07 58 85  ......S...4...X.
    0010: 4D A5 66 8E E6 42 B4 0A   BA 36 B3 71 E5 AD 71 58  M.f..B...6.q..qX
    0020: 40 61 69 B5 D0 1D 00 00   5E 00 FF C0 24 C0 23 C0  @ai.....^...$.#.
    0030: 0A C0 09 C0 07 C0 08 C0   28 C0 27 C0 14 C0 13 C0  ........(.'.....
    0040: 11 C0 12 C0 26 C0 25 C0   2A C0 29 C0 05 C0 04 C0  ....&.%.*.).....
    0050: 02 C0 03 C0 0F C0 0E C0   0C C0 0D 00 3D 00 3C 00  ............=.<.
    0060: 2F 00 05 00 04 00 35 00   0A 00 67 00 6B 00 33 00  /.....5...g.k.3.
    0070: 39 00 16 00 AF 00 AE 00   8D 00 8C 00 8A 00 8B 00  9...............
    0080: B1 00 B0 00 2C 00 3B 01   00 00 34 00 00 00 0E 00  ....,.;...4.....
    0090: 0C 00 00 09 6C 6F 63 61   6C 68 6F 73 74 00 0A 00  ....localhost...
    00A0: 08 00 06 00 17 00 18 00   19 00 0B 00 02 01 00 00  ................
    00B0: 0D 00 0C 00 0A 05 01 04   01 02 01 04 03 02 03     ...............
    %% Initialized:  [Session-6, SSL_NULL_WITH_NULL_NULL]
    %% Negotiating:  [Session-6, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256]
    *** ServerHello, TLSv1.2
    RandomCookie:  GMT: 1389470861 bytes = { 253, 146, 229, 68, 48, 212, 3, 8, 113, 71, 109, 110, 184, 188, 198, 5, 154, 125, 169, 214, 91, 62, 7, 160, 209, 234, 192, 113 }
    Session ID:  {83, 210, 165, 141, 67, 144, 76, 190, 108, 169, 166, 110, 244, 43, 203, 94, 33, 250, 61, 25, 173, 144, 78, 5, 18, 237, 44, 62, 216, 239, 136, 216}
    Cipher Suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
    Compression Method: 0
    Extension renegotiation_info, renegotiated_connection: <empty>
    ***
    Cipher suite:  TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
    *** Certificate chain
    chain [0] = [
    [
      Version: V3
      Subject: CN=JohnSmith
      Signature Algorithm: SHA256withRSA, OID = 1.2.840.113549.1.1.11
    
      Key:  Sun RSA public key, 2048 bits
      modulus: 23443053568440042246531872968622973697701206618166078931212659460396425391980877938302410947640918723945398633811909745246922517027436466308653487666338280101966482309719126372779122526329803061293848183628816382389433439362099975823230525386905011886252381517523892058843409147388887295981911246906888339817495259393348887347266311244472033630192873726881579789730820158345394536738010457875814538778722469498249439501737234201246276532676924740000249757406932101045895162819707223648268675317346645714862960034871361001771712210647437473089523986958365303768943687792233055665803773956096876559907271222453818932683
      public exponent: 65537
      Validity: [From: Fri Jul 25 15:14:25 BST 2014,
                   To: Thu Oct 23 15:14:25 BST 2014]
      Issuer: CN=JohnSmith
      SerialNumber: [    4bbf23ad]
    
    Certificate Extensions: 1
    [1]: ObjectId: 2.5.29.14 Criticality=false
    SubjectKeyIdentifier [
    KeyIdentifier [
    0000: 11 8B 53 73 97 BE 8B AA   23 06 CD 34 86 F8 14 58  ..Ss....#..4...X
    0010: B0 F9 E9 8D                                        ....
    ]
    ]
    
    ]
      Algorithm: [SHA256withRSA]
      Signature:
    ]
    ***
    *** ECDH ServerKeyExchange
    Signature Algorithm SHA384withRSA
    Server key: Sun EC public key, 256 bits
      public x coord: 24723137471290150466369886238486766785229281750738143116146132931059687741723
      public y coord: 45716326424554000158606804317014537804446576101681363567734642117747889965832
      parameters: secp256r1 [NIST P-256, X9.62 prime256v1] (1.2.840.10045.3.1.7)
    *** ServerHelloDone
    [write] MD5 and SHA1 hashes:  len = 1143
    !!!! REDACTED
    qtp912856016-98, WRITE: TLSv1.2 Handshake, length = 1143
    [Raw write]: length = 1148
    !!!! REDACTED
    [Raw read]: length = 5
    0000: 15 03 03 00 02                                     .....
    [Raw read]: length = 2
    0000: 02 2E                                              ..
    qtp912856016-98, READ: TLSv1.2 Alert, length = 2
    qtp912856016-98, RECV TLSv1.2 ALERT:  fatal, certificate_unknown
    qtp912856016-98, fatal: engine already closed.  Rethrowing javax.net.ssl.SSLException: Received fatal alert: certificate_unknown
    qtp912856016-98, fatal: engine already closed.  Rethrowing javax.net.ssl.SSLException: Received fatal alert: certificate_unknown
     WARN | javax.net.ssl.SSLException: Received fatal alert: certificate_unknown
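The dump above already contains the diagnosis: the client asked for host_name localhost in its SNI extension, the broker presented a self-signed leaf with Subject CN=JohnSmith, and the client answered with a fatal certificate_unknown alert. The following small Python helper is an added example (not from the question, the answer or ActiveMQ) that pulls exactly those fields out of a javax.net.debug=all dump and lists why a verifying client would reject the certificate; it assumes the JSSE line formats shown above and runs on a constructed excerpt of them.

```python
import re

# Constructed excerpt with the same line shapes as the javax.net.debug=all dump above.
SAMPLE_DUMP = """\
Extension server_name, server_name: [host_name: localhost]
%% Negotiating:  [Session-6, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256]
*** Certificate chain
chain [0] = [
  Subject: CN=JohnSmith
  Issuer: CN=JohnSmith
]
qtp912856016-98, RECV TLSv1.2 ALERT:  fatal, certificate_unknown
"""

PATTERNS = {
    "sni": r"host_name: ([^\]\s]+)",            # name the client asked for (SNI)
    "subject": r"^Subject: (.+)$",              # first hit is chain [0], the leaf
    "issuer": r"^Issuer: (.+)$",
    "suite": r"Negotiating:\s+\[[^,]+, (\S+)\]",
    "alert": r"ALERT:\s+fatal, (\S+)",          # the client's verdict
}

def parse_handshake(dump):
    """Return the first match for each field of PATTERNS (None if absent)."""
    info = {key: None for key in PATTERNS}
    for raw in dump.splitlines():
        line = raw.strip()
        for key, pattern in PATTERNS.items():
            m = re.search(pattern, line)
            if m and info[key] is None:
                info[key] = m.group(1).strip()
    return info

def cn_of(dn):
    """Pull the CN out of a distinguished name such as 'CN=JohnSmith'."""
    m = re.search(r"CN=([^,]+)", dn or "")
    return m.group(1).strip() if m else None

def diagnose(dump):
    """List the reasons a verifying client would reject this server certificate."""
    info = parse_handshake(dump)
    leaf_cn = cn_of(info["subject"])
    problems = []
    if info["sni"] and leaf_cn and leaf_cn != info["sni"]:
        problems.append(f"hostname mismatch: client asked for {info['sni']!r}, cert is for {leaf_cn!r}")
    if info["subject"] and info["subject"] == info["issuer"]:
        problems.append("self-signed leaf: the client must trust this exact certificate")
    if info["alert"]:
        problems.append(f"client sent fatal alert {info['alert']}, i.e. it rejected the certificate")
    return problems
```

With the fix from the answer (CN=localhost) the hostname mismatch disappears, but the leaf is still self-signed, so the client must be pointed at that exact certificate (--cacert / --ca-certificate / -CAfile) rather than at a CA bundle.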