[ https://issues.apache.org/jira/browse/ARTEMIS-3421?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17400981#comment-17400981 ]

Robbie Gemmell commented on ARTEMIS-3421:
-----------------------------------------

ARTEMIS-3367 changed the verifyHost setting on connectors to be true by 
default, so the behaviour is expected based on your description and not a bug.

The exception is from Java's SSLEngine and is pointing out that the host being 
connected to isn't advertising a certificate with details matching where the TCP 
connection was made to (seemingly the raw ip of the host). You would need to 
either adjust your broker config so it is connecting to a hostname value the 
existing certificate details do allow matching, or alternatively update the 
certificate so it can match the IP, or if not then you would need to 
explicitly disable hostname verification (<obligatory warning here>) to permit 
the mismatch.

(It appears ARTEMIS-3367 didn't update the documentation of the default 
accordingly, which should certainly be fixed. [~brusdev] ).
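What Java's HostnameChecker enforces in the exception above, as an added Python example (not Artemis or JDK code): the value the connector carries as `host` is compared only against SANs of the same kind, so a raw IP target passes only if the certificate has an iPAddress SAN, a hostname target only if a dNSName SAN matches it, and the subject CN is never consulted. The SAN list and hostnames below are constructed for illustration; the IP is the one from the reported log.

```python
"""Subject Alternative Name matching in the style of Java's HostnameChecker.
Added example, not code from Artemis or the JDK."""
import ipaddress
from typing import List, Optional, Tuple

# Constructed SAN list standing in for the reporter's certificate, which
# (per the issue) carries hostnames but not the pod's changing IP address.
SAMPLE_SANS: List[Tuple[str, str]] = [
    ("DNS", "ha-asa-activemq-artemis-primary-0"),
    ("DNS", "*.artemis.svc.cluster.local"),
]


def _dns_matches(pattern: str, host: str) -> bool:
    """Case-insensitive match; a wildcard is allowed only as the whole
    left-most label and covers exactly one label of the host."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def check_identity(target: str, sans: List[Tuple[str, str]]) -> Optional[str]:
    """Return None when a SAN of the right kind matches `target`; otherwise a
    message mirroring the CertificateException text seen in the issue."""
    try:
        ip = ipaddress.ip_address(target)
    except ValueError:
        ip = None  # not an IP literal: treat the target as a DNS name
    if ip is not None:
        # A raw IP target is matched only against iPAddress SANs.
        for kind, value in sans:
            if kind == "IP" and ipaddress.ip_address(value) == ip:
                return None
        return f"No subject alternative names matching IP address {target} found"
    # A hostname target is matched only against dNSName SANs.
    for kind, value in sans:
        if kind == "DNS" and _dns_matches(value, target):
            return None
    return f"No subject alternative DNS name matching {target} found"
```

The first two remedies from the comment correspond to making `check_identity` pass either by connecting to a DNS name the certificate already lists or by adding an `("IP", ...)` SAN for the address actually dialled.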

 

> Brokers throw TLS errors after upgrading to v2.18.0
> ---------------------------------------------------
>
>                 Key: ARTEMIS-3421
>                 URL: https://issues.apache.org/jira/browse/ARTEMIS-3421
>             Project: ActiveMQ Artemis
>          Issue Type: Bug
>          Components: Broker
>    Affects Versions: 2.18.0
>            Reporter: Stephan Austermühle
>            Priority: Major
>
> Brokers throw TLS verification exceptions after upgrading to Artemis v2.18.0
> {code}
> 2021-08-18 10:15:41,933 WARN  [org.apache.activemq.artemis.core.server] 
> AMQ224091: Bridge ClusterConnectionBridge@40455191 
> [name=$.artemis.internal.sf.artemis-cluster.12adae96-fe90-11eb-807e-0ad2880c8414,
>  
> queue=QueueImpl[name=$.artemis.internal.sf.artemis-cluster.12adae96-fe90-11eb-807e-0ad2880c8414,
>  postOffice=PostOfficeImpl 
> [server=ActiveMQServerImpl::name=ha-asa-activemq-artemis-primary-0], 
> temp=false]@6ed36dc2 targetConnector=ServerLocatorImpl 
> (identity=(Cluster-connection-bridge::ClusterConnectionBridge@40455191 
> [name=$.artemis.internal.sf.artemis-cluster.12adae96-fe90-11eb-807e-0ad2880c8414,
>  
> queue=QueueImpl[name=$.artemis.internal.sf.artemis-cluster.12adae96-fe90-11eb-807e-0ad2880c8414,
>  postOffice=PostOfficeImpl 
> [server=ActiveMQServerImpl::name=ha-asa-activemq-artemis-primary-0], 
> temp=false]@6ed36dc2 targetConnector=ServerLocatorImpl 
> [initialConnectors=[TransportConfiguration(name=artemis-tls-connector, 
> factory=org-apache-activemq-artemis-core-remoting-impl-netty-NettyConnectorFactory)
>  
> ?trustStorePassword=****&tcpReceiveBufferSize=1048576&port=61617&sslEnabled=true&host=100-65-179-203&trustStorePath=/var/lib/artemis/certs/truststore-jks&useEpoll=true&tcpSendBufferSize=1048576],
>  
> discoveryGroupConfiguration=null]]::ClusterConnectionImpl@1573349881[nodeUUID=12e511ec-fe90-11eb-898f-c26f402d9363,
>  connector=TransportConfiguration(name=artemis-tls-connector, 
> factory=org-apache-activemq-artemis-core-remoting-impl-netty-NettyConnectorFactory)
>  
> ?trustStorePassword=****&tcpReceiveBufferSize=1048576&port=61617&sslEnabled=true&host=100-65-72-25&trustStorePath=/var/lib/artemis/certs/truststore-jks&useEpoll=true&tcpSendBufferSize=1048576,
>  address=, 
> server=ActiveMQServerImpl::name=ha-asa-activemq-artemis-primary-0])) 
> [initialConnectors=[TransportConfiguration(name=artemis-tls-connector, 
> factory=org-apache-activemq-artemis-core-remoting-impl-netty-NettyConnectorFactory)
>  
> ?trustStorePassword=****&tcpReceiveBufferSize=1048576&port=61617&sslEnabled=true&host=100-65-179-203&trustStorePath=/var/lib/artemis/certs/truststore-jks&useEpoll=true&tcpSendBufferSize=1048576],
>  discoveryGroupConfiguration=null]] is unable to connect to destination. 
> Retrying
> 2021-08-18 10:15:42,001 ERROR [org.apache.activemq.artemis.core.client] 
> AMQ214016: Failed to create netty connection: 
> javax.net.ssl.SSLHandshakeException: No subject alternative names matching IP 
> address 100.65.179.203 found
>         at java.base/sun.security.ssl.Alert.createSSLException(Unknown 
> Source) [java.base:]
>         at java.base/sun.security.ssl.TransportContext.fatal(Unknown Source) 
> [java.base:]
>         at java.base/sun.security.ssl.TransportContext.fatal(Unknown Source) 
> [java.base:]
>         at java.base/sun.security.ssl.TransportContext.fatal(Unknown Source) 
> [java.base:]
>         at 
> java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.checkServerCerts(Unknown
>  Source) [java.base:]
>         at 
> java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.onConsumeCertificate(Unknown
>  Source) [java.base:]
>         at 
> java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.consume(Unknown
>  Source) [java.base:]
>         at java.base/sun.security.ssl.SSLHandshake.consume(Unknown Source) 
> [java.base:]
>         at java.base/sun.security.ssl.HandshakeContext.dispatch(Unknown 
> Source) [java.base:]
>         at 
> java.base/sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction.run(Unknown
>  Source) [java.base:]
>         at 
> java.base/sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction.run(Unknown
>  Source) [java.base:]
>         at java.base/java.security.AccessController.doPrivileged(Native 
> Method) [java.base:]
>         at java.base/sun.security.ssl.SSLEngineImpl$DelegatedTask.run(Unknown 
> Source) [java.base:]
>         at 
> io.netty.handler.ssl.SslHandler.runDelegatedTasks(SslHandler.java:1550) 
> [netty-all-4.1.66.Final.jar:4.1.66.Final]
>         at io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1396) 
> [netty-all-4.1.66.Final.jar:4.1.66.Final]
>         at 
> io.netty.handler.ssl.SslHandler.decodeJdkCompatible(SslHandler.java:1237) 
> [netty-all-4.1.66.Final.jar:4.1.66.Final]
>         at io.netty.handler.ssl.SslHandler.decode(SslHandler.java:1286) 
> [netty-all-4.1.66.Final.jar:4.1.66.Final]
>         at 
> io.netty.handler.codec.ByteToMessageDecoder.decodeRemovalReentryProtection(ByteToMessageDecoder.java:507)
>  [netty-all-4.1.66.Final.jar:4.1.66.Final]
>         at 
> io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:446)
>  [netty-all-4.1.66.Final.jar:4.1.66.Final]
>         at 
> io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:276)
>  [netty-all-4.1.66.Final.jar:4.1.66.Final]
>         at 
> io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:379)
>  [netty-all-4.1.66.Final.jar:4.1.66.Final]
>         at 
> io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:365)
>  [netty-all-4.1.66.Final.jar:4.1.66.Final]
>         at 
> io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:357)
>  [netty-all-4.1.66.Final.jar:4.1.66.Final]
>         at 
> io.netty.channel.DefaultChannelPipeline$HeadContext.channelRead(DefaultChannelPipeline.java:1410)
>  [netty-all-4.1.66.Final.jar:4.1.66.Final]
>         at 
> io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:379)
>  [netty-all-4.1.66.Final.jar:4.1.66.Final]
>         at 
> io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:365)
>  [netty-all-4.1.66.Final.jar:4.1.66.Final]
>         at 
> io.netty.channel.DefaultChannelPipeline.fireChannelRead(DefaultChannelPipeline.java:919)
>  [netty-all-4.1.66.Final.jar:4.1.66.Final]
>         at 
> io.netty.channel.epoll.AbstractEpollStreamChannel$EpollStreamUnsafe.epollInReady(AbstractEpollStreamChannel.java:795)
>  [netty-all-4.1.66.Final.jar:4.1.66.Final]
>         at 
> io.netty.channel.epoll.EpollEventLoop.processReady(EpollEventLoop.java:480) 
> [netty-all-4.1.66.Final.jar:4.1.66.Final]
>         at io.netty.channel.epoll.EpollEventLoop.run(EpollEventLoop.java:378) 
> [netty-all-4.1.66.Final.jar:4.1.66.Final]
>         at 
> io.netty.util.concurrent.SingleThreadEventExecutor$4.run(SingleThreadEventExecutor.java:986)
>  [netty-all-4.1.66.Final.jar:4.1.66.Final]
>         at 
> io.netty.util.internal.ThreadExecutorMap$2.run(ThreadExecutorMap.java:74) 
> [netty-all-4.1.66.Final.jar:4.1.66.Final]
>         at 
> org.apache.activemq.artemis.utils.ActiveMQThreadFactory$1.run(ActiveMQThreadFactory.java:118)
>  [artemis-commons-2.18.0.jar:2.18.0]
> Caused by: java.security.cert.CertificateException: No subject alternative 
> names matching IP address 100.65.179.203 found
>         at java.base/sun.security.util.HostnameChecker.matchIP(Unknown 
> Source) [java.base:]
>         at java.base/sun.security.util.HostnameChecker.match(Unknown Source) 
> [java.base:]
>         at 
> java.base/sun.security.ssl.X509TrustManagerImpl.checkIdentity(Unknown Source) 
> [java.base:]
>         at 
> java.base/sun.security.ssl.X509TrustManagerImpl.checkIdentity(Unknown Source) 
> [java.base:]
>         at 
> java.base/sun.security.ssl.X509TrustManagerImpl.checkTrusted(Unknown Source) 
> [java.base:]
>         at 
> java.base/sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(Unknown 
> Source) [java.base:]
>         ... 29 more
> {code}
> Since the instance is running as a Kubernetes Pod that obtains a new IP 
> address on every start, the IP address is not included in the TLS certificate.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)