
"unable to find valid certification path to requested target" after adding new Keystore to ActiveMQ

Developer https://www.devze.com 2023-03-21 15:09 Source: web
We use ActiveMQ to queue up messages from remote clients.

The clients use the following URL to connect to ActiveMQ on our server:

ssl://www.mydomain.com:61616

This worked fine in the past and was set up by a developer no longer with the company.

Recently we had to update our SSL cert as the old one had run out. We did this successfully for our HTTP server but have only now realised that a copy of the original keystore still resided in the ActiveMQ config folders.

We have tried to place the new keystore into the ActiveMQ config folders, overwriting the old keystore. However, this does not appear to work, and all connections are rejected with the following stack trace:

Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(Unknown Source)
at java.security.cert.CertPathBuilder.build(Unknown Source)

What are we doing wrong here? We've listed the contents of both the old and new keystore using the keytool -list command and they appear to be very similar (apart from the dates, of course). Are there additional updates we need to make to the clients calling the above URL to accept our new keystore?


It may be that your truststore is out of sync with your keystore. Here is the general way to set it up from scratch; your config will differ, so adapt as needed:

Generate certs for each of the clients, and register the client certs with the broker truststore.

> keytool -genkey -alias producer -keyalg RSA -keystore myproducer.ks
> keytool -genkey -alias consumer -keyalg RSA -keystore myconsumer.ks

Export both certs

> keytool -export -alias producer -keystore myproducer.ks -file producer_cert
> keytool -export -alias consumer -keystore myconsumer.ks -file consumer_cert

Import the certs into the producer truststore (new file)

> keytool -import -alias producer -keystore mybroker.ts -file producer_cert
> keytool -import -alias consumer -keystore mybroker.ts -file consumer_cert

Copy the broker truststore to whichever location you had the old one in, usually {ACTIVEMQ_HOME}/conf. You can generally see this in your broker config:

<broker ...>
  <sslContext>
    <sslContext keyStore="file:${activemq.base}/conf/mybroker.ks"
        keyStorePassword="test123"
        trustStore="file:${activemq.base}/conf/mybroker.ts"
        trustStorePassword="test123"/>
  </sslContext>
</broker>
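The stack trace in the question is raised on the client side: the JSSE client builds a certification path from the certificate the broker presents to an anchor in the client's truststore, and with a renewed broker certificate that anchor is missing until the new certificate (or its issuing CA) is imported there. The program below is an added example, not code from the original question or answer, that runs exactly that trust decision offline so the two cases can be compared without touching the broker. It assumes the new broker certificate has been exported from the renewed keystore with `keytool -exportcert -alias broker -keystore mybroker.ks -file broker_cert` (the alias `broker`, and the client truststore name `client.ts` used below, are assumptions; the page does not name them) and that only the certificate, never `mybroker.ks` itself, leaves the server, since the keystore holds the broker's private key.

```java
// TrustCheck.java: added example, not part of the original question or answer.
// Runs the client-side trust decision offline: does this truststore accept this broker cert?
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

public class TrustCheck {

    /** Builds the PKIX trust manager a JSSE client would derive from this truststore. */
    static X509TrustManager trustManagerFor(String trustStorePath, char[] password) throws Exception {
        // KeyStore.getDefaultType() is JKS on older JDKs and PKCS12 on newer ones;
        // both read the files keytool produces.
        KeyStore ts = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(trustStorePath)) {
            ts.load(in, password);
        }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ts);
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                return (X509TrustManager) tm;
            }
        }
        throw new IllegalStateException("no X509TrustManager for " + trustStorePath);
    }

    /** Reads the certificate written by `keytool -exportcert` (DER, or PEM when -rfc was used). */
    static X509Certificate loadCert(String path) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        try (InputStream in = new FileInputStream(path)) {
            return (X509Certificate) cf.generateCertificate(in);
        }
    }

    /**
     * The same check the client performs during the TLS handshake. Returns false when
     * the truststore holds no anchor for the presented chain, which surfaces as the
     * SunCertPathBuilderException "unable to find valid certification path" seen above.
     */
    static boolean brokerIsTrusted(String trustStorePath, char[] password, String brokerCertPath) throws Exception {
        X509TrustManager tm = trustManagerFor(trustStorePath, password);
        X509Certificate broker = loadCert(brokerCertPath);
        try {
            // Hostname verification is deliberately out of scope here; only the trust anchor is tested.
            tm.checkServerTrusted(new X509Certificate[] { broker }, broker.getPublicKey().getAlgorithm());
            return true;
        } catch (CertificateException e) {
            System.err.println("rejected: " + e.getMessage());
            for (Throwable c = e.getCause(); c != null; c = c.getCause()) {
                System.err.println("  caused by: " + c);
            }
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 3) {
            System.err.println("usage: java TrustCheck <client truststore> <truststore password> <broker cert file>");
            System.exit(2);
        }
        X509Certificate broker = loadCert(args[2]);
        System.out.println("broker cert: " + broker.getSubjectX500Principal()
                + ", valid until " + broker.getNotAfter());
        boolean ok = brokerIsTrusted(args[0], args[1].toCharArray(), args[2]);
        System.out.println(ok ? "truststore accepts the broker certificate"
                              : "truststore does NOT trust the broker certificate; import the new cert");
        System.exit(ok ? 0 : 1);
    }
}
```

Run it once against a copy of a client's current truststore (`java TrustCheck client.ts <password> broker_cert`) and it prints the rejection with the SunCertPathBuilderException as the cause; after `keytool -importcert -alias broker -keystore client.ts -file broker_cert` the same run reports the certificate as trusted. The client then has to actually use that truststore, either through the JVM properties `-Djavax.net.ssl.trustStore=client.ts -Djavax.net.ssl.trustStorePassword=...` or through `ActiveMQSslConnectionFactory.setTrustStore("file:client.ts")` and `setTrustStorePassword(...)`. The client keystores and broker truststore from the answer above only come into play if the broker's ssl transportConnector requests client certificates (`transport.needClientAuth=true`); for plain server authentication, the client truststore is the only thing that needs updating when the broker certificate is renewed.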
