Mark Moseley wrote:
> On Wed, Jun 3, 2009 at 2:44 AM, Gordon Sim <[email protected]> wrote:
>> Mark Moseley wrote:
>>> This is most likely something stupid on my part but I'd been banging
>>> my head against it for a while, so I thought I'd mention it. Might be
>>> a bug, but more likely just something weird with my env. I've tried
>>> with both the 0.5 C++ tar.gz and the checkout (as of yesterday) of the
>>> 0.5 svn source.
>>>
>>> When using SSL in 0.5 (C++) on Debian Lenny i386, if the environment
>>> variable QPID_SSL_CERT_DB is set (even to a correct location), when I
>>> start the broker in 'daemon' mode, it fails to load the certificate
>>> correctly (hostname obfuscated):
>>
>> Is the environment variable set to a relative path by any chance? When I do
>> that I can see an error in daemon mode that does not occur running in the
>> foreground (though in my case it was the inability to find the certificate
>> database at all, your error looks like perhaps it may have found the wrong
>> one?).
>
> QPID_SSL_CERT_DB was set to an absolute path. The straces I was doing
> showed it opening the correct certificate dbs though, with or without
> that env var being set, which was why it was so baffling. It'd help if
> there was more error output instead of just "Failed to load
> certificate", to know if it couldn't find the cert or if it couldn't
> open the db files or if it didn't have the right password for the db,
> etc.

I don't think it's an issue with the password, or you would, I believe, get
"Failed to retrieve private key from certificate". The error you are
seeing is a result of the PK11_FindCertFromNickname() NSS call returning
null.
The only way I can trigger that is to use a value for ssl-cert-name that
doesn't exist in the certificate database. However in your case it
sounds like you have verified that the same database and nickname are
being used in both the failing and successful cases, so I'm a little
baffled at present.
---------------------------------------------------------------------
Apache Qpid - AMQP Messaging Implementation
Project: http://qpid.apache.org
Use/Interact: mailto:[email protected]
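
An added example, not part of the original thread and not Qpid code: a pre-flight check that reads a `certutil -L -d <dbdir>` listing and reports which of the two broker messages quoted above a given ssl-cert-name would lead to. The sample listing and nicknames are constructed; treating a missing `u` trust flag as "no private key in the database", and mapping that to the second broker message, are assumptions.

```python
import re

# One row of `certutil -L -d <dbdir>`: nickname, then three comma-separated
# trust-flag fields (SSL, S/MIME, object signing).
ROW = re.compile(r"^(?P<nick>.*\S)\s+(?P<trust>[A-Za-z]*,[A-Za-z]*,[A-Za-z]*)\s*$")

def parse_listing(text):
    """Map nickname -> trust string; the two header lines do not match ROW."""
    certs = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            certs[m.group("nick")] = m.group("trust")
    return certs

def diagnose(listing, cert_name):
    """Predict which broker error, if any, this ssl-cert-name leads to."""
    certs = parse_listing(listing)
    if cert_name not in certs:
        # Case where PK11_FindCertFromNickname() returns null: no such nickname.
        near = [n for n in certs if n.strip().lower() == cert_name.strip().lower()]
        hint = f" (close match: {near[0]!r})" if near else ""
        return "Failed to load certificate: nickname not in database" + hint
    if "u" not in certs[cert_name]:
        # Assumption: no 'u' flag means the database holds no matching private key.
        return "Failed to retrieve private key from certificate"
    return "ok"

# Constructed sample listing (not output from the poster's system).
SAMPLE = """\
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

broker.example.com                                           u,u,u
Example Root CA                                              CT,,
"""

if __name__ == "__main__":
    for name in ("broker.example.com", "Broker.example.com", "Example Root CA"):
        print(f"{name!r}: {diagnose(SAMPLE, name)}")
```

Running the check as the same user and with the same QPID_SSL_CERT_DB value the daemon sees keeps the listing comparable to what the broker opens.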