This is most likely something stupid on my part but I'd been banging my head against it for a while, so I thought I'd mention it. Might be a bug, but more likely just something weird with my env. I've tried with both the 0.5 C++ tar.gz and the checkout (as of yesterday) of the 0.5 svn source.
When using SSL in 0.5 (C++) on Debian Lenny i386, if the environment variable QPID_SSL_CERT_DB is set (even to a correct location), when I start the broker in 'daemon' mode, it fails to load the certificate correctly (hostname obfuscated):

2009-jun-02 13:28:17 notice Listening on TCP port 5672
2009-jun-02 13:28:17 error Failed to initialise SSL plugin: Failed to load certificate 'bosmsg01.xxxxxx' (qpid/sys/ssl/SslSocket.cpp:177)

If, however, I start it in foreground mode, even with that env variable set, it loads the certificate just fine and listens on port 5671. It's the same qpidd.conf file, and the only difference in command line options is literally just +/- the "-d".

I'm guessing that QPID_SSL_CERT_DB is confusing qpid into pulling in client code, though I'm not loading sslconnector.so explicitly, either on the command line or in qpidd.conf (below), so I'm not sure why it's loading that anyway. I had dropped QPID_SSL_CERT_DB into /etc/profile to make it easier to run python scripts using the qpid libraries.

Starting in daemon mode without QPID_SSL_CERT_DB set:

2009-jun-02 13:27:48 info Loaded Module: /usr/qpid/qpid/lib/qpid/daemon/ssl.so
2009-jun-02 13:27:48 info SSL connector not enabled, you must set QPID_SSL_CERT_DB to enable it.
2009-jun-02 13:27:48 info Loaded Module: /usr/qpid/0.5/lib/qpid/client/sslconnector.so
2009-jun-02 13:27:48 info Loaded Module: /usr/qpid/0.5/lib/qpid/daemon/cluster.so
2009-jun-02 13:27:48 info Loaded Module: /usr/qpid/0.5/lib/qpid/daemon/acl.so
2009-jun-02 13:27:48 info Loaded Module: /usr/qpid/0.5/lib/qpid/daemon/replicating_listener.so
2009-jun-02 13:27:48 info Loaded Module: /usr/qpid/0.5/lib/qpid/daemon/replication_exchange.so
2009-jun-02 13:27:48 info Loaded Module: /usr/qpid/0.5/lib/qpid/daemon/ssl.so
2009-jun-02 13:27:48 info Management enabled
2009-jun-02 13:27:48 info No message store configured, persistence is disabled.
2009-jun-02 13:27:48 info SASL enabled
2009-jun-02 13:27:48 notice Listening on TCP port 5672
2009-jun-02 13:27:48 notice Listening for SSL connections on TCP port 5671
2009-jun-02 13:27:48 notice Read ACL file "/usr/qpid/qpid/etc/acl.conf"
2009-jun-02 13:27:48 info ACL Plugin loaded
2009-jun-02 13:27:48 info Registered replication exchange
2009-jun-02 13:27:48 notice Broker running

Starting in daemon mode with QPID_SSL_CERT_DB set:

2009-jun-02 13:28:17 info Loaded Module: /usr/qpid/qpid/lib/qpid/daemon/ssl.so
2009-jun-02 13:28:17 info Loaded Module: /usr/qpid/0.5/lib/qpid/client/sslconnector.so
2009-jun-02 13:28:17 info Loaded Module: /usr/qpid/0.5/lib/qpid/daemon/cluster.so
2009-jun-02 13:28:17 info Loaded Module: /usr/qpid/0.5/lib/qpid/daemon/acl.so
2009-jun-02 13:28:17 info Loaded Module: /usr/qpid/0.5/lib/qpid/daemon/replicating_listener.so
2009-jun-02 13:28:17 info Loaded Module: /usr/qpid/0.5/lib/qpid/daemon/replication_exchange.so
2009-jun-02 13:28:17 info Loaded Module: /usr/qpid/0.5/lib/qpid/daemon/ssl.so
2009-jun-02 13:28:17 info Management enabled
2009-jun-02 13:28:17 info No message store configured, persistence is disabled.
2009-jun-02 13:28:17 info SASL enabled
2009-jun-02 13:28:17 notice Listening on TCP port 5672
2009-jun-02 13:28:17 error Failed to initialise SSL plugin: Failed to load certificate 'bosmsg01.xxxxxx' (qpid/sys/ssl/SslSocket.cpp:177)
2009-jun-02 13:28:17 notice Read ACL file "/usr/qpid/qpid/etc/acl.conf"
2009-jun-02 13:28:17 info ACL Plugin loaded
2009-jun-02 13:28:17 info Registered replication exchange
2009-jun-02 13:28:17 notice Broker running

My qpidd.conf:

# Logging
log-enable="info+"
log-to-file=/var/log/qpid/qpid.log
# Do use authentication
auth=yes
# Dirs
data-dir=/var/lib/qpid
store-dir=/var/lib/qpid
pid-dir=/var/lib/qpid
# ACLs
acl-file=/usr/qpid/qpid/etc/acl.conf
# SSL
ssl-port=5671
ssl-cert-db=/usr/qpid/qpid/etc/ssl
ssl-cert-db-path=/usr/qpid/qpid/etc/ssl
ssl-cert-name=bosmsg01.xxxxxx
ssl-cert-password-file=/usr/qpid/qpid/etc/.pw

BTW, it might be worth adding to the SSL docs that if you're importing PEM certificates that you created with openssl, using certutil to import doesn't seem to pull in the key (just the certificate). If you export the cert+key to PKCS#12 format using

  openssl pkcs12 -export -in mycert.pem -inkey mycert.key -out mycert.p12 -name "<hostname>"

and then import the resulting PKCS#12 file using

  pk12util -i mycert.p12 -d /path/to/sslstore

it'll get both the cert and key. If you don't put a -name arg in the openssl pkcs12 export, it appears to grab the Organization from the CA cert (at least for me it did) and tack that onto the 'friendly name', so you end up with something like "<hostname> - <organization>" as the nickname of the cert, according to certutil -L. I'm curious though if anybody knows a better way to do the above.

---------------------------------------------------------------------
Apache Qpid - AMQP Messaging Implementation
Project:      http://qpid.apache.org
Use/Interact: mailto:[email protected]
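The PEM -> PKCS#12 -> NSS import procedure described in the post above, as an added example that is not part of the original message or of the Qpid project. It assumes a constructed hostname/nickname (bosmsg01.example), a scratch directory from mktemp, and a demo password (changeit); the openssl steps run anywhere openssl is installed, and the NSS import step runs only where certutil and pk12util (NSS tools) are present, otherwise it returns 2 and skips.

```shell
#!/bin/sh
# Added example (not from the original post or the Qpid project): turn an
# openssl-generated key + certificate into a PKCS#12 bundle with an explicit
# -name, verify the friendly name, then import it into an NSS cert DB so both
# the certificate and the private key land in the store qpidd reads.
# Hostname, directories and password below are constructed for the demo.
set -eu

NICK=${NICK:-bosmsg01.example}          # assumed hostname / cert nickname
WORK=${WORK:-$(mktemp -d)}               # scratch dir for key, cert, p12, NSS DB
P12_PASS=${P12_PASS:-changeit}           # demo password; never ship this

# 1. Self-signed key + cert, standing in for the CA-issued pair in the post.
#    O= is set so the "<hostname> - <organization>" friendly-name behaviour
#    is visible if you drop -name from step 2.
make_pem_pair() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=$NICK/O=Example Org" \
        -keyout "$WORK/mycert.key" -out "$WORK/mycert.pem" >/dev/null 2>&1
}

# 2. Export cert + key to PKCS#12. -name pins the friendly name (and so the
#    NSS nickname). The 3DES/SHA1 PBE flags keep the bundle readable by older
#    pk12util builds that cannot parse OpenSSL 3's AES/PBKDF2 defaults.
make_p12() {
    openssl pkcs12 -export -in "$WORK/mycert.pem" -inkey "$WORK/mycert.key" \
        -out "$WORK/mycert.p12" -name "$NICK" \
        -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES -macalg sha1 \
        -passout "pass:$P12_PASS"
}

# 3. Read the friendlyName back out of the bundle with openssl alone, so the
#    nickname can be checked before touching the NSS DB.
p12_friendly_name() {
    openssl pkcs12 -in "$WORK/mycert.p12" -nokeys -passin "pass:$P12_PASS" \
        2>/dev/null | sed -n 's/^ *friendlyName: *//p' | head -n 1
}

# 4. Import into a fresh NSS DB. pk12util pulls in both cert and key, whereas
#    certutil -A alone would only import the certificate.
#    Returns 2 when the NSS tools are not installed.
import_into_nss() {
    command -v certutil >/dev/null 2>&1 && command -v pk12util >/dev/null 2>&1 || return 2
    mkdir -p "$WORK/sslstore"
    printf '%s\n' "$P12_PASS" > "$WORK/.pw"
    chmod 600 "$WORK/.pw"
    certutil -N -d "$WORK/sslstore" -f "$WORK/.pw"
    pk12util -i "$WORK/mycert.p12" -d "$WORK/sslstore" -w "$WORK/.pw" -k "$WORK/.pw"
    # The nickname listed here is what ssl-cert-name in qpidd.conf must match.
    certutil -L -d "$WORK/sslstore" | grep -F "$NICK"
}

if [ "${1:-}" = run ]; then
    make_pem_pair && make_p12
    echo "friendlyName in p12: $(p12_friendly_name)"
    import_into_nss || echo "NSS tools not installed; skipped import (rc=$?)"
fi
```

Run it as `sh make_nss_store.sh run`. The pieces map onto the qpidd.conf in the post: the sslstore directory is what ssl-cert-db points at, the nickname printed by certutil -L is the value for ssl-cert-name, and the .pw file is the ssl-cert-password-file. Checking the friendlyName with openssl before importing catches the "<hostname> - <organization>" nickname surprise early, and keeping -name equal to the CN avoids a mismatch between the nickname and what the broker is configured to load.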
