ActiveMQ Apollo - Warning: javax.net.ssl.SSLException: Received fatal alert: certificate_unknown

 

Recorded: 17:32, June 19, 2019

Apache Apollo has been deprecated; unless you have a specific need for it, Apache ActiveMQ 5 is recommended instead.

 

1. After downloading Apollo 1.7.1 and creating a broker by following the official example, the following warning appeared:

Creating apollo instance at: testBroker
Generating ssl keystore...

Warning:
JKS 密钥库使用专用格式。建议使用 "keytool -importkeystore -srckeystore keystore -destkeystore keystore -deststoretype pkcs12" 迁移到行业 标准格式 PKCS12。

You can now start the broker by executing:

   "E:\environment\apache\apollo\apache-apollo-1.7.1\testBroker\bin\apollo-broker" run

Or you can setup the broker as Windows service and run it in the background:

   "E:\environment\apache\apollo\apache-apollo-1.7.1\testBroker\bin\apollo-broker-service" install
   "E:\environment\apache\apollo\apache-apollo-1.7.1\testBroker\bin\apollo-broker-service" start

 

After starting the broker, the following warning appears.

WARN  | javax.net.ssl.SSLException: Received fatal alert: certificate_unknown

 

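Judging from the warning text, the likely guess is that the JKS keystore needs to be migrated to the newer format.

Locate the keystore that was generated when the broker was created; it is normally in the folder named etc under the broker directory.

On Windows, open a Command Prompt, change to the etc directory, and enter the following command.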

keytool -importkeystore -srckeystore keystore -destkeystore keystore -deststoretype pkcs12

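You are prompted for the source keystore password.

To find the password, look in the apache-apollo source code: the file BrokerCreate.scala in the directory apollo-broker\src\main\scala\org\apache\activemq\apollo\broker contains the code that generates the keystore, shown below: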

// Generate a keystore with a new key
      val ssl = with_ssl && {
        out.println("Generating ssl keystore...")
        val rc = system(etc, Array(
          "keytool", "-genkey",
          "-storetype", "JKS",
          "-storepass", "password",
          "-keystore", "keystore",
          "-keypass", "password",
          "-alias", host,
          "-keyalg", "RSA",
          "-keysize", "4096",
          "-dname", "cn=%s".format(host),
          "-validity", "3650"))==0
        if(!rc) {
          out.println("WARNING: Could not generate the keystore, make sure the keytool command is in your PATH")
        }
        rc
      }

The password is password. After entering it, the following is displayed:

已成功导入别名 mybroker 的条目。
已完成导入命令: 1 个条目成功导入, 0 个条目失败或取消

Warning:
已将 "keystore" 迁移到 Non JKS/JCEKS。将 JKS 密钥库作为 "keystore.old" 进行了备份。

 

Run the broker again; the output still contains the following warnings, but they do not affect basic use.

WARN  | javax.net.ssl.SSLException: Received fatal alert: certificate_unknown
WARN  | javax.net.ssl.SSLException: Received fatal alert: certificate_unknown
WARN  | javax.net.ssl.SSLException: Inbound closed before receiving peer's close_notify: possible truncation attack?
WARN  | javax.net.ssl.SSLException: Inbound closed before receiving peer's close_notify: possible truncation attack?
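
JSSE logs "Received fatal alert" when the remote peer sent that alert, so the warnings above can be sorted by which side raised them. The following is an added example, not part of the original post or the Apollo project, that does this for the four WARN lines shown on this page; the function names and the alert table are this example's own.

```python
import re
from collections import Counter

# TLS alert descriptions that concern certificate validation (RFC 5246, section 7.2).
CERT_ALERTS = {
    "bad_certificate": 42, "unsupported_certificate": 43,
    "certificate_revoked": 44, "certificate_expired": 45,
    "certificate_unknown": 46, "unknown_ca": 48,
}

# JSSE message when the remote peer sent a fatal alert to this endpoint.
RECEIVED = re.compile(r"SSLException: Received fatal alert: (\w+)")
# JSSE message when the transport closed without a TLS close_notify.
TRUNCATED = re.compile(r"SSLException: Inbound closed before receiving peer's close_notify")

# The four WARN lines this page shows after the PKCS12 migration.
SAMPLE_LOG = """\
WARN  | javax.net.ssl.SSLException: Received fatal alert: certificate_unknown
WARN  | javax.net.ssl.SSLException: Received fatal alert: certificate_unknown
WARN  | javax.net.ssl.SSLException: Inbound closed before receiving peer's close_notify: possible truncation attack?
WARN  | javax.net.ssl.SSLException: Inbound closed before receiving peer's close_notify: possible truncation attack?
"""

def classify(line):
    """Return (kind, alert_name) for a TLS warning line, or None for any other line."""
    m = RECEIVED.search(line)
    if m:
        alert = m.group(1)
        # A certificate-related alert from the peer means the peer did not
        # accept the certificate this endpoint presented.
        kind = "peer_rejected_certificate" if alert in CERT_ALERTS else "peer_alert"
        return kind, alert
    if TRUNCATED.search(line):
        return "peer_closed_without_close_notify", None
    return None

def triage(log_text):
    """Count TLS warnings in a broker log, grouped by (kind, alert_name)."""
    counts = Counter()
    for line in log_text.splitlines():
        result = classify(line)
        if result is not None:
            counts[result] += 1
    return counts

if __name__ == "__main__":
    for (kind, alert), n in triage(SAMPLE_LOG).items():
        code = f" (alert {alert}, code {CERT_ALERTS.get(alert, 'n/a')})" if alert else ""
        print(f"{n} x {kind}{code}")
```

Both categories describe what the remote side did, which is consistent with the warnings persisting after the keystore format change.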
posted @ 2019-06-19 18:08  Kuningasic