Mark Moseley wrote:
This is most likely something stupid on my part but I'd been banging
my head against it for a while, so I thought I'd mention it. Might be
a bug, but more likely just something weird with my env. I've tried
with both the 0.5 C++ tar.gz and the checkout (as of yesterday) of the
0.5 svn source.

When using SSL in 0.5 (C++) on Debian Lenny i386, if the environment
variable QPID_SSL_CERT_DB is set (even to a correct location) and I
start the broker in 'daemon' mode, it fails to load the certificate
correctly (hostname obfuscated):

Is the environment variable set to a relative path by any chance? When I do that I can see an error in daemon mode that does not occur running in the foreground (though in my case it was the inability to find the certificate database at all, your error looks like perhaps it may have found the wrong one?).


2009-jun-02 13:28:17 notice Listening on TCP port 5672
2009-jun-02 13:28:17 error Failed to initialise SSL plugin: Failed to load certificate 'bosmsg01.xxxxxx' (qpid/sys/ssl/SslSocket.cpp:177)


If, however, I start it in foreground mode even with that env variable
set, it loads up the certificate just fine and listens on port 5671.
It's the same qpidd.conf file and the only difference in command line
options is literally just +/- the "-d". I'm guessing that
QPID_SSL_CERT_DB is confusing qpid into pulling in client code, though
I'm not loading sslconnector.so explicitly, neither on the command line
nor in qpidd.conf (below), so I'm not sure why it's loading that
anyway.

The cluster module will get loaded by default and this causes all the client modules also to be loaded. That shouldn't cause any problems, but if you don't want that you can set --no-module-dir and then explicitly load only the modules you want (e.g. acl, store and ssl). You can also set up a different module directory (--module-dir option) and add symbolic links for the modules you want to load.

I had dropped QPID_SSL_CERT_DB into /etc/profile to make it
easier to run python scripts using the qpid libraries.


Starting in daemon mode without QPID_SSL_CERT_DB set:

2009-jun-02 13:27:48 info Loaded Module: /usr/qpid/qpid/lib/qpid/daemon/ssl.so
2009-jun-02 13:27:48 info SSL connector not enabled, you must set QPID_SSL_CERT_DB to enable it.
2009-jun-02 13:27:48 info Loaded Module: /usr/qpid/0.5/lib/qpid/client/sslconnector.so
2009-jun-02 13:27:48 info Loaded Module: /usr/qpid/0.5/lib/qpid/daemon/cluster.so
2009-jun-02 13:27:48 info Loaded Module: /usr/qpid/0.5/lib/qpid/daemon/acl.so
2009-jun-02 13:27:48 info Loaded Module: /usr/qpid/0.5/lib/qpid/daemon/replicating_listener.so
2009-jun-02 13:27:48 info Loaded Module: /usr/qpid/0.5/lib/qpid/daemon/replication_exchange.so
2009-jun-02 13:27:48 info Loaded Module: /usr/qpid/0.5/lib/qpid/daemon/ssl.so
2009-jun-02 13:27:48 info Management enabled
2009-jun-02 13:27:48 info No message store configured, persistence is disabled.
2009-jun-02 13:27:48 info SASL enabled
2009-jun-02 13:27:48 notice Listening on TCP port 5672
2009-jun-02 13:27:48 notice Listening for SSL connections on TCP port 5671
2009-jun-02 13:27:48 notice Read ACL file "/usr/qpid/qpid/etc/acl.conf"
2009-jun-02 13:27:48 info ACL Plugin loaded
2009-jun-02 13:27:48 info Registered replication exchange
2009-jun-02 13:27:48 notice Broker running


Starting in daemon mode with QPID_SSL_CERT_DB set:

2009-jun-02 13:28:17 info Loaded Module: /usr/qpid/qpid/lib/qpid/daemon/ssl.so
2009-jun-02 13:28:17 info Loaded Module: /usr/qpid/0.5/lib/qpid/client/sslconnector.so
2009-jun-02 13:28:17 info Loaded Module: /usr/qpid/0.5/lib/qpid/daemon/cluster.so
2009-jun-02 13:28:17 info Loaded Module: /usr/qpid/0.5/lib/qpid/daemon/acl.so
2009-jun-02 13:28:17 info Loaded Module: /usr/qpid/0.5/lib/qpid/daemon/replicating_listener.so
2009-jun-02 13:28:17 info Loaded Module: /usr/qpid/0.5/lib/qpid/daemon/replication_exchange.so
2009-jun-02 13:28:17 info Loaded Module: /usr/qpid/0.5/lib/qpid/daemon/ssl.so
2009-jun-02 13:28:17 info Management enabled
2009-jun-02 13:28:17 info No message store configured, persistence is disabled.
2009-jun-02 13:28:17 info SASL enabled
2009-jun-02 13:28:17 notice Listening on TCP port 5672
2009-jun-02 13:28:17 error Failed to initialise SSL plugin: Failed to load certificate 'bosmsg01.xxxxxx' (qpid/sys/ssl/SslSocket.cpp:177)
2009-jun-02 13:28:17 notice Read ACL file "/usr/qpid/qpid/etc/acl.conf"
2009-jun-02 13:28:17 info ACL Plugin loaded
2009-jun-02 13:28:17 info Registered replication exchange
2009-jun-02 13:28:17 notice Broker running


My qpidd.conf:

# Logging
log-enable="info+"
log-to-file=/var/log/qpid/qpid.log

# Do use authentication
auth=yes

# Dirs
data-dir=/var/lib/qpid
store-dir=/var/lib/qpid
pid-dir=/var/lib/qpid

# ACLs
acl-file=/usr/qpid/qpid/etc/acl.conf

# SSL
ssl-port=5671
ssl-cert-db=/usr/qpid/qpid/etc/ssl
ssl-cert-db-path=/usr/qpid/qpid/etc/ssl
ssl-cert-name=bosmsg01.xxxxxx
ssl-cert-password-file=/usr/qpid/qpid/etc/.pw


BTW, it might be worth adding to the SSL docs that if you're importing
PEM certificates that you created with openssl, using certutil to
import doesn't seem to pull in the key (just the certificate). If you
export the cert+key to PKCS#12 format using

  openssl pkcs12 -export -in mycert.pem -inkey mycert.key -out mycert.p12 -name "<hostname>"

and then import the resulting PKCS#12 file using

  pk12util -i mycert.p12 -d /path/to/sslstore

it'll get both the cert and key. If you don't put a -name arg in the
openssl pkcs12 export, it appears to grab the Organization from the CA
cert (at least for me it did) and tack that onto the 'friendly name',
so you end up with something like "<hostname> - <organization>" as the
nickname of the cert, according to certutil -L. I'm curious though if
anybody knows a better way to do the above.

---------------------------------------------------------------------
Apache Qpid - AMQP Messaging Implementation
Project:      http://qpid.apache.org
Use/Interact: mailto:[email protected]
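
Added example, not code from the original thread or from the Qpid project. It covers the two practical points raised above: the reply asking whether QPID_SSL_CERT_DB is a relative path, and the tip at the end about getting a PEM cert and its key into the NSS database via PKCS#12 under a known nickname. Everything beyond what the thread states is an assumption and labelled as such: that a daemonising broker changes its working directory (the usual reason a relative path works in the foreground but not with -d), that openssl, pk12util and certutil are on PATH, and that the NSS database uses either the legacy cert8.db/key3.db layout or the newer cert9.db/key4.db layout. Function names are mine.

```shell
#!/bin/sh
# Added example (not from the original post or the Qpid project): helpers
# for preparing the NSS certificate database that qpidd's SSL plugin reads
# (ssl-cert-db / QPID_SSL_CERT_DB) and for importing a PEM certificate *and*
# its key into that database under a known nickname.
#
# Assumptions (not stated in the thread): a daemonising broker changes its
# working directory, which is why a relative cert-db path can work in the
# foreground and fail with -d; openssl(1), pk12util(1) and certutil(1) are on
# PATH; the NSS DB is either the legacy dbm layout (cert8.db/key3.db) or the
# sqlite layout (cert9.db/key4.db).

# nss_db_abs_path DIR
#   Print DIR as an absolute path if it contains an NSS database; otherwise
#   print a diagnostic on stderr and return 1. Warns when DIR is relative.
nss_db_abs_path() {
    db_dir=$1
    case $db_dir in
        /*) ;;
        *) echo "warning: '$db_dir' is relative; use an absolute path so the" \
                "broker still finds it after daemonising" >&2 ;;
    esac
    [ -d "$db_dir" ] || { echo "error: '$db_dir' is not a directory" >&2; return 1; }
    db_abs=$(cd "$db_dir" && pwd -P) || return 1
    if [ -f "$db_abs/cert8.db" ] && [ -f "$db_abs/key3.db" ]; then
        :
    elif [ -f "$db_abs/cert9.db" ] && [ -f "$db_abs/key4.db" ]; then
        :
    else
        echo "error: no cert8.db/key3.db or cert9.db/key4.db in '$db_abs'" >&2
        return 1
    fi
    printf '%s\n' "$db_abs"
}

# nss_db_has_key NICK DB_DIR
#   Return 0 only if certutil -L lists NICK with the 'u' trust flag (user
#   cert with private key present). A cert imported without its key, as with
#   a plain certutil import of a PEM file, will not carry it. Nicknames
#   containing spaces are not handled by this simple column match.
nss_db_has_key() {
    certutil -L -d "$2" | awk -v n="$1" '$1 == n && $NF ~ /u/ { ok = 1 } END { exit !ok }'
}

# import_pem_to_nss_db NICK CERT_PEM KEY_PEM DB_DIR PW_FILE
#   Bundle CERT_PEM and KEY_PEM into a PKCS#12 file whose friendly name is
#   NICK, import it into DB_DIR, and confirm that NICK is now listed with a
#   private key. PW_FILE holds the password used for both the PKCS#12 file
#   and the NSS key database (the same file qpidd's ssl-cert-password-file
#   points at, if you want a single secret).
import_pem_to_nss_db() {
    nick=$1 cert_pem=$2 key_pem=$3 pw_file=$5
    db_abs=$(nss_db_abs_path "$4") || return 1
    work=$(mktemp -d) || return 1
    # -name fixes the friendly name, which becomes the NSS nickname. Without
    # it the nickname picks up the organisation from the issuer and no longer
    # matches ssl-cert-name in qpidd.conf.
    if ! openssl pkcs12 -export -in "$cert_pem" -inkey "$key_pem" -name "$nick" \
            -out "$work/bundle.p12" -passout "file:$pw_file"; then
        rm -rf "$work"; return 1
    fi
    # -k: NSS key-DB password file, -w: PKCS#12 file password file.
    if ! pk12util -i "$work/bundle.p12" -d "$db_abs" -k "$pw_file" -w "$pw_file"; then
        rm -rf "$work"; return 1
    fi
    rm -rf "$work"
    nss_db_has_key "$nick" "$db_abs"
}
```

Usage, with the paths from the qpidd.conf above: `import_pem_to_nss_db bosmsg01.xxxxxx mycert.pem mycert.key /usr/qpid/qpid/etc/ssl /usr/qpid/qpid/etc/.pw`, then `nss_db_abs_path "$QPID_SSL_CERT_DB"` before starting the broker with -d to catch a relative or empty database directory while the error is still easy to see on the terminal. The final `nss_db_has_key` check is what distinguishes "certificate imported" from "certificate and key imported", which is the difference between the two log outputs quoted above.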
