[jira] [Closed] (ARTEMIS-3421) update doc for default change in ARTEMIS-3367

Clebert Suconic (Jira) Wed, 18 Aug 2021 12:20:04 -0700


     [ 
https://issues.apache.org/jira/browse/ARTEMIS-3421?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]


Clebert Suconic closed ARTEMIS-3421.
------------------------------------

> update doc for default change in ARTEMIS-3367
> ---------------------------------------------
>
>                 Key: ARTEMIS-3421
>                 URL: https://issues.apache.org/jira/browse/ARTEMIS-3421
>             Project: ActiveMQ Artemis
>          Issue Type: Bug
>          Components: Configuration
>    Affects Versions: 2.18.0
>            Reporter: Stephan Austermühle
>            Priority: Major
>             Fix For: 2.19.0
>
>
> The changes in ARTEMIS-3367 flipped the connector verifyHost default config, 
> but did not update the docs to reflect the new default value.
>  
> =================
> Original Description:
> Brokers throw TLS verification exceptions after upgrading to Artemis v2.18.0
> {code:java}
> 2021-08-18 10:15:41,933 WARN  [org.apache.activemq.artemis.core.server] 
> AMQ224091: Bridge ClusterConnectionBridge@40455191 
> [name=$.artemis.internal.sf.artemis-cluster.12adae96-fe90-11eb-807e-0ad2880c8414,
>  
> queue=QueueImpl[name=$.artemis.internal.sf.artemis-cluster.12adae96-fe90-11eb-807e-0ad2880c8414,
>  postOffice=PostOfficeImpl 
> [server=ActiveMQServerImpl::name=ha-asa-activemq-artemis-primary-0], 
> temp=false]@6ed36dc2 targetConnector=ServerLocatorImpl 
> (identity=(Cluster-connection-bridge::ClusterConnectionBridge@40455191 
> [name=$.artemis.internal.sf.artemis-cluster.12adae96-fe90-11eb-807e-0ad2880c8414,
>  
> queue=QueueImpl[name=$.artemis.internal.sf.artemis-cluster.12adae96-fe90-11eb-807e-0ad2880c8414,
>  postOffice=PostOfficeImpl 
> [server=ActiveMQServerImpl::name=ha-asa-activemq-artemis-primary-0], 
> temp=false]@6ed36dc2 targetConnector=ServerLocatorImpl 
> [initialConnectors=[TransportConfiguration(name=artemis-tls-connector, 
> factory=org-apache-activemq-artemis-core-remoting-impl-netty-NettyConnectorFactory)
>  
> ?trustStorePassword=****&tcpReceiveBufferSize=1048576&port=61617&sslEnabled=true&host=100-65-179-203&trustStorePath=/var/lib/artemis/certs/truststore-jks&useEpoll=true&tcpSendBufferSize=1048576],
>  
> discoveryGroupConfiguration=null]]::ClusterConnectionImpl@1573349881[nodeUUID=12e511ec-fe90-11eb-898f-c26f402d9363,
>  connector=TransportConfiguration(name=artemis-tls-connector, 
> factory=org-apache-activemq-artemis-core-remoting-impl-netty-NettyConnectorFactory)
>  
> ?trustStorePassword=****&tcpReceiveBufferSize=1048576&port=61617&sslEnabled=true&host=100-65-72-25&trustStorePath=/var/lib/artemis/certs/truststore-jks&useEpoll=true&tcpSendBufferSize=1048576,
>  address=, 
> server=ActiveMQServerImpl::name=ha-asa-activemq-artemis-primary-0])) 
> [initialConnectors=[TransportConfiguration(name=artemis-tls-connector, 
> factory=org-apache-activemq-artemis-core-remoting-impl-netty-NettyConnectorFactory)
>  
> ?trustStorePassword=****&tcpReceiveBufferSize=1048576&port=61617&sslEnabled=true&host=100-65-179-203&trustStorePath=/var/lib/artemis/certs/truststore-jks&useEpoll=true&tcpSendBufferSize=1048576],
>  discoveryGroupConfiguration=null]] is unable to connect to destination. 
> Retrying
> 2021-08-18 10:15:42,001 ERROR [org.apache.activemq.artemis.core.client] 
> AMQ214016: Failed to create netty connection: 
> javax.net.ssl.SSLHandshakeException: No subject alternative names matching IP 
> address 100.65.179.203 found
>         at java.base/sun.security.ssl.Alert.createSSLException(Unknown 
> Source) [java.base:]
>         at java.base/sun.security.ssl.TransportContext.fatal(Unknown Source) 
> [java.base:]
>         at java.base/sun.security.ssl.TransportContext.fatal(Unknown Source) 
> [java.base:]
>         at java.base/sun.security.ssl.TransportContext.fatal(Unknown Source) 
> [java.base:]
>         at 
> java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.checkServerCerts(Unknown
>  Source) [java.base:]
>         at 
> java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.onConsumeCertificate(Unknown
>  Source) [java.base:]
>         at 
> java.base/sun.security.ssl.CertificateMessage$T13CertificateConsumer.consume(Unknown
>  Source) [java.base:]
>         at java.base/sun.security.ssl.SSLHandshake.consume(Unknown Source) 
> [java.base:]
>         at java.base/sun.security.ssl.HandshakeContext.dispatch(Unknown 
> Source) [java.base:]
>         at 
> java.base/sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction.run(Unknown
>  Source) [java.base:]
>         at 
> java.base/sun.security.ssl.SSLEngineImpl$DelegatedTask$DelegatedAction.run(Unknown
>  Source) [java.base:]
>         at java.base/java.security.AccessController.doPrivileged(Native 
> Method) [java.base:]
>         at java.base/sun.security.ssl.SSLEngineImpl$DelegatedTask.run(Unknown 
> Source) [java.base:]
>         at 
> io.netty.handler.ssl.SslHandler.runDelegatedTasks(SslHandler.java:1550) 
> [netty-all-4.1.66.Final.jar:4.1.66.Final]
>         at io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1396) 
> [netty-all-4.1.66.Final.jar:4.1.66.Final]
>         at 
> io.netty.handler.ssl.SslHandler.decodeJdkCompatible(SslHandler.java:1237) 
> [netty-all-4.1.66.Final.jar:4.1.66.Final]
>         at io.netty.handler.ssl.SslHandler.decode(SslHandler.java:1286) 
> [netty-all-4.1.66.Final.jar:4.1.66.Final]
>         at 
> io.netty.handler.codec.ByteToMessageDecoder.decodeRemovalReentryProtection(ByteToMessageDecoder.java:507)
>  [netty-all-4.1.66.Final.jar:4.1.66.Final]
>         at 
> io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:446)
>  [netty-all-4.1.66.Final.jar:4.1.66.Final]
>         at 
> io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:276)
>  [netty-all-4.1.66.Final.jar:4.1.66.Final]
>         at 
> io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:379)
>  [netty-all-4.1.66.Final.jar:4.1.66.Final]
>         at 
> io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:365)
>  [netty-all-4.1.66.Final.jar:4.1.66.Final]
>         at 
> io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:357)
>  [netty-all-4.1.66.Final.jar:4.1.66.Final]
>         at 
> io.netty.channel.DefaultChannelPipeline$HeadContext.channelRead(DefaultChannelPipeline.java:1410)
>  [netty-all-4.1.66.Final.jar:4.1.66.Final]
>         at 
> io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:379)
>  [netty-all-4.1.66.Final.jar:4.1.66.Final]
>         at 
> io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:365)
>  [netty-all-4.1.66.Final.jar:4.1.66.Final]
>         at 
> io.netty.channel.DefaultChannelPipeline.fireChannelRead(DefaultChannelPipeline.java:919)
>  [netty-all-4.1.66.Final.jar:4.1.66.Final]
>         at 
> io.netty.channel.epoll.AbstractEpollStreamChannel$EpollStreamUnsafe.epollInReady(AbstractEpollStreamChannel.java:795)
>  [netty-all-4.1.66.Final.jar:4.1.66.Final]
>         at 
> io.netty.channel.epoll.EpollEventLoop.processReady(EpollEventLoop.java:480) 
> [netty-all-4.1.66.Final.jar:4.1.66.Final]
>         at io.netty.channel.epoll.EpollEventLoop.run(EpollEventLoop.java:378) 
> [netty-all-4.1.66.Final.jar:4.1.66.Final]
>         at 
> io.netty.util.concurrent.SingleThreadEventExecutor$4.run(SingleThreadEventExecutor.java:986)
>  [netty-all-4.1.66.Final.jar:4.1.66.Final]
>         at 
> io.netty.util.internal.ThreadExecutorMap$2.run(ThreadExecutorMap.java:74) 
> [netty-all-4.1.66.Final.jar:4.1.66.Final]
>         at 
> org.apache.activemq.artemis.utils.ActiveMQThreadFactory$1.run(ActiveMQThreadFactory.java:118)
>  [artemis-commons-2.18.0.jar:2.18.0]
> Caused by: java.security.cert.CertificateException: No subject alternative 
> names matching IP address 100.65.179.203 found
>         at java.base/sun.security.util.HostnameChecker.matchIP(Unknown 
> Source) [java.base:]
>         at java.base/sun.security.util.HostnameChecker.match(Unknown Source) 
> [java.base:]
>         at 
> java.base/sun.security.ssl.X509TrustManagerImpl.checkIdentity(Unknown Source) 
> [java.base:]
>         at 
> java.base/sun.security.ssl.X509TrustManagerImpl.checkIdentity(Unknown Source) 
> [java.base:]
>         at 
> java.base/sun.security.ssl.X509TrustManagerImpl.checkTrusted(Unknown Source) 
> [java.base:]
>         at 
> java.base/sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(Unknown 
> Source) [java.base:]
>         ... 29 more
> {code}
> Since the instance is running as a Kubernetes Pod that obtains a new IP 
> address on every start, the IP address is not included in the TLS certificate.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

[jira] [Closed] (ARTEMIS-3421) update doc for default change in ARTEMIS-3367

Reply via email to