ActiveMQ Apollo - Warning: javax.net.ssl.SSLException: Received fatal alert: certificate_unknown
Recorded on: 19 June 2019, 17:32
Apache Apollo has been deprecated; unless you specifically need it, Apache ActiveMQ 5 is recommended instead.
1. After downloading apollo 1.7.1 and creating a broker following the official example, the following warning appeared:
    Creating apollo instance at: testBroker
    Generating ssl keystore...
    Warning:
    JKS 密钥库使用专用格式。建议使用 "keytool -importkeystore -srckeystore keystore -destkeystore keystore -deststoretype pkcs12" 迁移到行业标准格式 PKCS12。
    You can now start the broker by executing:
      "E:\environment\apache\apollo\apache-apollo-1.7.1\testBroker\bin\apollo-broker" run
    Or you can setup the broker as Windows service and run it in the background:
      "E:\environment\apache\apollo\apache-apollo-1.7.1\testBroker\bin\apollo-broker-service" install
      "E:\environment\apache\apollo\apache-apollo-1.7.1\testBroker\bin\apollo-broker-service" start
After starting the broker, the following warning appeared.
WARN | javax.net.ssl.SSLException: Received fatal alert: certificate_unknown
From the content of the warning, one can roughly guess that the JKS keystore needs to be migrated to the newer format.
Locate the keystore generated when the broker was created; it is normally in the folder named etc under the broker directory.
On Windows, open a command prompt, change into the etc directory and enter the following command.
keytool -importkeystore -srckeystore keystore -destkeystore keystore -deststoretype pkcs12
It prompts for the source keystore password.
To find that password, look in the apache-apollo source: in the file BrokerCreate.scala under apollo-broker\src\main\scala\org\apache\activemq\apollo\broker, the keystore is generated as follows:
    // Generate a keystore with a new key
    val ssl = with_ssl && {
      out.println("Generating ssl keystore...")
      val rc = system(etc, Array(
        "keytool", "-genkey",
        "-storetype", "JKS",
        "-storepass", "password",
        "-keystore", "keystore",
        "-keypass", "password",
        "-alias", host,
        "-keyalg", "RSA",
        "-keysize", "4096",
        "-dname", "cn=%s".format(host),
        "-validity", "3650")) == 0
      if (!rc) {
        out.println("WARNING: Could not generate the keystore, make sure the keytool command is in your PATH")
      }
      rc
    }
The password is password. After entering it, the following is shown:
    已成功导入别名 mybroker 的条目。
    已完成导入命令: 1 个条目成功导入, 0 个条目失败或取消
    Warning:
    已将 "keystore" 迁移到 Non JKS/JCEKS。将 JKS 密钥库作为 "keystore.old" 进行了备份。
Run the broker again. The following warnings still appear in its output, but they do not affect basic use.
    WARN | javax.net.ssl.SSLException: Received fatal alert: certificate_unknown
    WARN | javax.net.ssl.SSLException: Received fatal alert: certificate_unknown
    WARN | javax.net.ssl.SSLException: Inbound closed before receiving peer's close_notify: possible truncation attack?
    WARN | javax.net.ssl.SSLException: Inbound closed before receiving peer's close_notify: possible truncation attack?
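Why the warning survives the migration, illustrated with an added example that is not part of the original post or of the Apollo project: certificate_unknown is the alert a TLS client sends back when it cannot validate the certificate the server presented. A certificate produced by keytool -genkey, as in the BrokerCreate.scala snippet above, is self-signed, so no client trusts it until that client's own truststore contains it; the container format of the server's keystore (JKS or PKCS12) plays no part in that check. The Go program below reproduces both situations in memory: it builds a self-signed certificate for the hypothetical host name mybroker (the alias seen in the keytool output above), starts a TLS listener on the loopback interface, and connects once with an empty trust pool and once with a pool that contains the certificate. Go clients report the same verification failure to the server with a bad_certificate alert rather than certificate_unknown, so the server-side message differs from the Java one, but the cause and the remedy (trusting the broker certificate on the client side, or replacing it with one issued by a CA the clients already trust) are the same.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// selfSignedCert builds an in-memory self-signed certificate for host, the
// counterpart of "keytool -genkey -dname cn=<host> -validity 3650" used by the
// broker. A SAN entry is added because Go clients ignore the CN when matching
// the host name. Nothing is written to disk.
func selfSignedCert(host string) (tls.Certificate, *x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(3650 * 24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	parsed, err := x509.ParseCertificate(der)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, parsed, nil
}

// handshake runs one TLS handshake between a loopback server presenting cert
// and a client that trusts only the CAs in roots. A nil roots means the client
// trusts nothing, like a Java client whose truststore lacks the broker cert.
// It returns the error each side observed (nil on success).
func handshake(cert tls.Certificate, roots *x509.CertPool, host string) (clientErr, serverErr error) {
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{cert}})
	if err != nil {
		return err, err
	}
	defer ln.Close()

	srvDone := make(chan error, 1)
	go func() {
		c, err := ln.Accept()
		if err != nil {
			srvDone <- err
			return
		}
		defer c.Close()
		// A client that rejects the certificate answers with a fatal alert,
		// which surfaces here as "remote error: tls: bad certificate".
		srvDone <- c.(*tls.Conn).Handshake()
	}()

	if roots == nil {
		roots = x509.NewCertPool() // empty pool: no authority is trusted
	}
	conn, err := tls.Dial("tcp", ln.Addr().String(), &tls.Config{ServerName: host, RootCAs: roots})
	if err == nil {
		conn.Close() // sends close_notify so the server sees an orderly shutdown
	}
	return err, <-srvDone
}

// isUntrusted reports whether err is the client-side verification failure for
// a certificate chain ending in an authority the client does not trust.
func isUntrusted(err error) bool {
	var unknownCA x509.UnknownAuthorityError
	return errors.As(err, &unknownCA)
}

func main() {
	cert, parsed, err := selfSignedCert("mybroker")
	if err != nil {
		panic(err)
	}
	cErr, sErr := handshake(cert, nil, "mybroker")
	fmt.Printf("untrusted client: client=%v | server=%v\n", cErr, sErr)

	pool := x509.NewCertPool()
	pool.AddCert(parsed) // the client now trusts the broker's own certificate
	cErr, sErr = handshake(cert, pool, "mybroker")
	fmt.Printf("trusting client:  client=%v | server=%v\n", cErr, sErr)
}
```

The first run fails on both sides (the client reports an unknown authority, the server sees the client's alert), the second succeeds with no change to the server at all; the same holds for the Apollo broker, where the fix belongs in the connecting client's truststore rather than in the keystore format. Separately, the snippet above shows that the generated keystore and key both use the literal password "password", so a broker kept in service should have that changed after creation.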