On Wed, Jun 3, 2009 at 2:44 AM, Gordon Sim <[email protected]> wrote:
> Mark Moseley wrote:
>>
>> This is most likely something stupid on my part but I'd been banging
>> my head against it for a while, so I thought I'd mention it. Might be
>> a bug, but more likely just something weird with my env. I've tried
>> with both the 0.5 C++ tar.gz and the checkout (as of yesterday) of the
>> 0.5 svn source.
>>
>> When using SSL in 0.5 (C++) on Debian Lenny i386, if the environment
>> variable QPID_SSL_CERT_DB is set (even to a correct location), when I
>> start the broker in 'daemon' mode, it fails to load the certificate
>> correctly (hostname obfuscated):
>
> Is the environment variable set to a relative path by any chance? When I do
> that I can see an error in daemon mode that does not occur running in the
> foreground (though in my case it was the inability to find the certificate
> database at all, your error looks like perhaps it may have found the wrong
> one?).
QPID_SSL_CERT_DB was set to an absolute path. The straces I was doing
showed it opening the correct certificate dbs though, with or without
that env var being set, which was why it was so baffling. It'd help if
there was more error output instead of just "Failed to load
certificate", to know if it couldn't find the cert or if it couldn't
open the db files or if it didn't have the right password for the db,
etc. Is it possible that the env var being set meant that it loaded the
sslconnector.so library that's for client connections and because of
that it was expecting the cert to be a client cert instead of a server
cert? I know that in PEM there's that differentiation, i.e. the
expected use, but I'm not sure if PKCS#12 has that.

>> 2009-jun-02 13:28:17 notice Listening on TCP port 5672
>> 2009-jun-02 13:28:17 error Failed to initialise SSL plugin: Failed to
>> load certificate 'bosmsg01.xxxxxx' (qpid/sys/ssl/SslSocket.cpp:177)
>>
>>
>> If, however, I start it in foreground mode even with that env variable
>> set, it loads up the certificate just fine and listens on port 5671.
>> It's the same qpidd.conf file and the only difference in command line
>> options is literally just +/- the "-d". I'm guessing that the
>> QPID_SSL_CERT_DB is confusing qpid into pulling in client code, though
>> I'm not loading sslconnector.so explicitly either on the command line
>> nor in qpidd.conf (below), so I'm not sure why it's loading that
>> anyway.
>
> The cluster module will get loaded by default and this causes all the client
> modules also to be loaded. That shouldn't cause any problems but if you
> don't want that you can set --no-module-dir and then explicitly load only
> the modules you want (e.g. acl, store and ssl). You can also set up a
> different module directory (--module-dir option) and add symbolic links for
> the modules you want to load.

That's good to know. As it is the cluster stuff seems to work just fine
with SSL in the prepackaged C++ 0.5 source.
Incidentally (and not a big deal since it is after all the svn copy),
after building from both the 6/1 and 6/2 svn checkout of the 0.5 C++
code, the first node in the cluster immediately segfaults when a second
node joins. That doesn't happen with the prepackaged 0.5 source. Again,
not a big deal, just thought I'd mention it. I had originally been
trying the SVN checkouts due to the fact that the rhstore checkout will
only build against the 0.5 SVN code. I finally smartened up and just
checked out an older version of rhstore which still compiled against
the prepackaged 0.5 C++ code (if anybody's curious: svn checkout -r 3373
http://anonsvn.jboss.org/repos/rhmessaging/store/trunk/cpp store).

>
>> I had dropped QPID_SSL_CERT_DB into /etc/profile to make it
>> easier to run python scripts using the qpid libraries.
>>
>>
>> Starting in daemon mode without QPID_SSL_CERT_DB set:
>>
>> 2009-jun-02 13:27:48 info Loaded Module:
>> /usr/qpid/qpid/lib/qpid/daemon/ssl.so
>> 2009-jun-02 13:27:48 info SSL connector not enabled, you must set
>> QPID_SSL_CERT_DB to enable it.
>> 2009-jun-02 13:27:48 info Loaded Module:
>> /usr/qpid/0.5/lib/qpid/client/sslconnector.so
>> 2009-jun-02 13:27:48 info Loaded Module:
>> /usr/qpid/0.5/lib/qpid/daemon/cluster.so
>> 2009-jun-02 13:27:48 info Loaded Module:
>> /usr/qpid/0.5/lib/qpid/daemon/acl.so
>> 2009-jun-02 13:27:48 info Loaded Module:
>> /usr/qpid/0.5/lib/qpid/daemon/replicating_listener.so
>> 2009-jun-02 13:27:48 info Loaded Module:
>> /usr/qpid/0.5/lib/qpid/daemon/replication_exchange.so
>> 2009-jun-02 13:27:48 info Loaded Module:
>> /usr/qpid/0.5/lib/qpid/daemon/ssl.so
>> 2009-jun-02 13:27:48 info Management enabled
>> 2009-jun-02 13:27:48 info No message store configured, persistence is
>> disabled.
>> 2009-jun-02 13:27:48 info SASL enabled
>> 2009-jun-02 13:27:48 notice Listening on TCP port 5672
>> 2009-jun-02 13:27:48 notice Listening for SSL connections on TCP port 5671
>> 2009-jun-02 13:27:48 notice Read ACL file "/usr/qpid/qpid/etc/acl.conf"
>> 2009-jun-02 13:27:48 info ACL Plugin loaded
>> 2009-jun-02 13:27:48 info Registered replication exchange
>> 2009-jun-02 13:27:48 notice Broker running
>>
>>
>> Starting in daemon mode with QPID_SSL_CERT_DB set:
>>
>> 2009-jun-02 13:28:17 info Loaded Module:
>> /usr/qpid/qpid/lib/qpid/daemon/ssl.so
>> 2009-jun-02 13:28:17 info Loaded Module:
>> /usr/qpid/0.5/lib/qpid/client/sslconnector.so
>> 2009-jun-02 13:28:17 info Loaded Module:
>> /usr/qpid/0.5/lib/qpid/daemon/cluster.so
>> 2009-jun-02 13:28:17 info Loaded Module:
>> /usr/qpid/0.5/lib/qpid/daemon/acl.so
>> 2009-jun-02 13:28:17 info Loaded Module:
>> /usr/qpid/0.5/lib/qpid/daemon/replicating_listener.so
>> 2009-jun-02 13:28:17 info Loaded Module:
>> /usr/qpid/0.5/lib/qpid/daemon/replication_exchange.so
>> 2009-jun-02 13:28:17 info Loaded Module:
>> /usr/qpid/0.5/lib/qpid/daemon/ssl.so
>> 2009-jun-02 13:28:17 info Management enabled
>> 2009-jun-02 13:28:17 info No message store configured, persistence is
>> disabled.
>> 2009-jun-02 13:28:17 info SASL enabled
>> 2009-jun-02 13:28:17 notice Listening on TCP port 5672
>> 2009-jun-02 13:28:17 error Failed to initialise SSL plugin: Failed to
>> load certificate 'bosmsg01.xxxxxx' (qpid/sys/ssl/SslSocket.cpp:177)
>> 2009-jun-02 13:28:17 notice Read ACL file "/usr/qpid/qpid/etc/acl.conf"
>> 2009-jun-02 13:28:17 info ACL Plugin loaded
>> 2009-jun-02 13:28:17 info Registered replication exchange
>> 2009-jun-02 13:28:17 notice Broker running
>>
>>
>> My qpidd.conf:
>>
>> # Logging
>> log-enable="info+"
>> log-to-file=/var/log/qpid/qpid.log
>>
>> # Do use authentication
>> auth=yes
>>
>> # Dirs
>> data-dir=/var/lib/qpid
>> store-dir=/var/lib/qpid
>> pid-dir=/var/lib/qpid
>>
>> # ACLs
>> acl-file=/usr/qpid/qpid/etc/acl.conf
>>
>> # SSL
>> ssl-port=5671
>> ssl-cert-db=/usr/qpid/qpid/etc/ssl
>> ssl-cert-db-path=/usr/qpid/qpid/etc/ssl
>> ssl-cert-name=bosmsg01.xxxxxx
>> ssl-cert-password-file=/usr/qpid/qpid/etc/.pw
>>
>>
>> BTW, it might be worth adding to the SSL docs that if you're importing
>> PEM certificates that you created with openssl that using certutil to
>> import doesn't seem to pull in the key (just the certificate). If you
>> export the cert+key to PKCS#12 format using "openssl pkcs12 -export
>> -in mycert.pem -inkey mycert.key -out mycert.p12 -name "<hostname>"
>> and then import the outputted PKCS12 using "pk12util -i mycert.p12 -d
>> /path/to/sslstore", it'll get both the cert and key. If you don't put
>> a -name arg in the openssl pkcs12 export, it appears to grab the
>> Organization from the CA cert (at least for me it did) and tack that
>> onto the 'friendly name', so you end up with something like
>> "<hostname> - <organization>" as the nickname of the cert, according
>> to certutil -L. I'm curious though if anybody knows a better way to do
>> the above.
---------------------------------------------------------------------
Apache Qpid - AMQP Messaging Implementation
Project: http://qpid.apache.org
Use/Interact: mailto:[email protected]
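The PEM-to-PKCS#12-to-NSS route described in the quoted message, as an added example that is not part of the thread: it generates a throwaway self-signed pair in place of a real CA-issued one, exports it with an explicit -name so the NSS nickname is predictable, and, where the NSS tools are installed, imports it and checks that both the certificate and its key landed under that nickname. The working directory, the nickname bosmsg01 and the password "demo" are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the thread: take an OpenSSL PEM cert+key into an
# NSS cert db for qpidd via PKCS#12, so the private key is imported too,
# and verify the nickname that ssl-cert-name must reference.
set -eu

# make_nss_db NICK WORKDIR P12PASS
# Everything under WORKDIR is constructed for the demo; the self-signed
# pair stands in for a CA-issued mycert.pem/mycert.key.
make_nss_db() {
  nick="$1"; work="$2"; p12pass="$3"
  mkdir -p "$work/sslstore"
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=$nick" \
    -keyout "$work/mycert.key" -out "$work/mycert.pem" 2>/dev/null
  # An explicit -name sets the PKCS#12 friendlyName, which becomes the NSS
  # nickname; left out, the derived name may not match ssl-cert-name.
  openssl pkcs12 -export -in "$work/mycert.pem" -inkey "$work/mycert.key" \
    -out "$work/mycert.p12" -name "$nick" -passout "pass:$p12pass"
  # NSS tools (libnss3-tools) may be absent; the PKCS#12 step still stands.
  if command -v certutil >/dev/null 2>&1 && command -v pk12util >/dev/null 2>&1; then
    printf '%s\n' "$p12pass" > "$work/.pw"     # db password file, like ssl-cert-password-file
    printf '%s\n' "$p12pass" > "$work/.p12pw"  # password protecting the .p12 itself
    certutil -N -d "$work/sslstore" -f "$work/.pw"
    pk12util -i "$work/mycert.p12" -d "$work/sslstore" -k "$work/.pw" -w "$work/.p12pw"
    # The cert must be listed, and (the point of going via PKCS#12) its key too.
    certutil -L -d "$work/sslstore" | grep -q "^$nick " || return 1
    certutil -K -d "$work/sslstore" -f "$work/.pw" | grep -q "$nick" || return 1
  fi
}

# p12_nickname FILE PASS: print the friendlyName stored in the PKCS#12, so it
# can be compared with ssl-cert-name before the broker is restarted.
p12_nickname() {
  openssl pkcs12 -in "$1" -nokeys -clcerts -passin "pass:$2" 2>/dev/null |
    sed -n 's/^ *friendlyName: *//p' | head -n 1
}
```

After a real import, `certutil -L -d /path/to/sslstore` and `certutil -K -d /path/to/sslstore -f /path/to/.pw` are the two listings worth checking before pointing ssl-cert-name at the nickname.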
