user928112

Reputation: 582

Can't connect to broker over SSL

I have an ActiveMQ instance running on localhost that's trying to connect to another instance running on AWS (Amazon MQ). The broker running on AWS requires the broker-to-broker connection to be made over SSL.

In my localhost broker's activemq.xml, I added the following to create a connection with the broker running on AWS (just one way for now):

<networkConnectors>
    <networkConnector name="local-to-aws" userName="myCommonUser" duplex="true" uri="static:(ssl://###.mq.ca-central-1.amazonaws.com:61617)"/>
</networkConnectors>

If I try starting my localhost broker with that, I get the following error in my activemq.log file:

2021-01-29 20:19:32,638 | WARN  | Could not start network bridge between: vm://localhost and:
    ssl://###.mq.ca-central-1.amazonaws.com:61617 due to: java.security.NoSuchAlgorithmException: 
    Error constructing implementation (algorithm: Default, provider: SunJSSE, class: 
    sun.security.ssl.SSLContextImpl$DefaultSSLContext) | 
    org.apache.activemq.network.DiscoveryNetworkConnector | Simple Discovery Agent-2

So to try and fix that, I added the following in the localhost broker's activemq.xml config:

<sslContext>
    <sslContext keyStore="file:${activemq.base}/conf/broker.ks"
                keyStorePassword="###"
                trustStore="file:${activemq.base}/conf/client.ts"
                trustStorePassword="###"/>
</sslContext>

The broker.ks and client.ts were generated using the following commands:

Using keytool, create a certificate for the broker:
    keytool -genkey -alias broker -keyalg RSA -keystore broker.ks

Export the broker's certificate so it can be shared with clients:
    keytool -export -alias broker -keystore broker.ks -file broker_cert

Create a certificate/keystore for the client:
    keytool -genkey -alias client -keyalg RSA -keystore client.ks

Create a truststore for the client, and import the broker's certificate. This establishes that the client "trusts" the broker:
    keytool -import -alias broker -keystore client.ts -file broker_cert

And that's all I did to enable SSL on my localhost broker, and I'm not sure if there's anything else I need to do besides adding that <sslContext> element to my config.

When I try starting the localhost broker after having made that change, I now get a different error in activemq.log:

2021-01-29 20:07:03,686 | INFO  | Error with pending remote brokerInfo on: 
   ssl://###.mq.ca-central-1.amazonaws.com/##.###.#.106:61617 (Connection or inbound has closed) |
   org.apache.activemq.network.DemandForwardingBridgeSupport | ActiveMQ Transport: ssl://###.mq.ca-
   central-1.amazonaws.com/##.###.#.106:61617

2021-01-29 20:07:03,687 | WARN  | Could not start network bridge between: vm://localhost and: 
   ssl://###.mq.ca-central-1.amazonaws.com:61617 due to: sun.security.validator.ValidatorException: 
   PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find 
   valid certification path to requested target | org.apache.activemq.network.DiscoveryNetworkConnector | 
   Simple Discovery Agent-3

And this is where I'm stumped.

Does anyone know what I'm doing wrong? I don't see anything SSL related in the AWS broker's config, and I'm assuming that's because AWS has intentionally hid that from me to prevent me from changing any of the SSL settings for that broker.

Do I need to somehow get a hold of the SSL cert used by the AWS broker and add that to my localhost broker? I have no clue what to do next.

Update: I used Portecle to download the SSL certs from the AWS broker and added them to client.ts.

Upvotes: 0

Views: 4709

Answers (1)

Khanna111

Reputation: 3913

It seems that on the validation side (the localhost), the TLS certificate of the remote AWS broker needs to be validated. For that to happen, the validation side needs to be set up with a trusted keystore (aka truststore) that holds that certificate hierarchy (or the root CA, depending on the certificate chain returned from the remote AWS broker) from the root CA down to the server certificate.

Please upload to a trusted store the Starfield CA certificate and that resolves the issue as per your comment.

This link has details on achieving that.

Upvotes: 1
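A way to reproduce the PKIX check outside the broker, as an added example that is not part of the question, the answer or ActiveMQ: it loads the same truststore the <sslContext> element points at, opens a TLS connection to the remote broker, and on a handshake failure prints the chain the server presented so you can see which issuing CA is missing from the truststore. The class name BrokerTlsCheck and the command-line arguments (host, port, truststore path, password) are placeholders; validation is still done by the JDK's real trust manager, the wrapper only records the chain.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import javax.net.ssl.*;

public class BrokerTlsCheck {
    // Records the chain the broker presents, then hands it to the real (validating) trust manager.
    static final class RecordingTrustManager implements X509TrustManager {
        private final X509TrustManager delegate;
        X509Certificate[] lastChain = new X509Certificate[0];
        RecordingTrustManager(X509TrustManager delegate) { this.delegate = delegate; }
        public void checkClientTrusted(X509Certificate[] chain, String auth) throws CertificateException {
            delegate.checkClientTrusted(chain, auth);
        }
        public void checkServerTrusted(X509Certificate[] chain, String auth) throws CertificateException {
            lastChain = chain;                    // captured before validation so a failure can be explained
            delegate.checkServerTrusted(chain, auth);
        }
        public X509Certificate[] getAcceptedIssuers() { return delegate.getAcceptedIssuers(); }
    }

    // Loads the truststore (e.g. conf/client.ts) the way a trustStore="..." setting would be loaded.
    static X509TrustManager trustManagerFrom(String trustStore, char[] password) throws Exception {
        KeyStore ts = KeyStore.getInstance(KeyStore.getDefaultType());
        try (FileInputStream in = new FileInputStream(trustStore)) { ts.load(in, password); }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ts);
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) return (X509TrustManager) tm;
        }
        throw new IllegalStateException("no X509TrustManager built from " + trustStore);
    }
    // Usage (placeholder arguments): java BrokerTlsCheck <broker-host> 61617 conf/client.ts <password>
    public static void main(String[] args) throws Exception {
        RecordingTrustManager rtm = new RecordingTrustManager(trustManagerFrom(args[2], args[3].toCharArray()));
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { rtm }, null);
        try (SSLSocket s = (SSLSocket) ctx.getSocketFactory().createSocket(args[0], Integer.parseInt(args[1]))) {
            s.startHandshake();                   // this is where "PKIX path building" succeeds or fails
            System.out.println("OK: server chain validated against " + args[2]);
        } catch (SSLHandshakeException e) {
            System.out.println("FAILED: " + e.getMessage());
            for (X509Certificate c : rtm.lastChain)
                System.out.println("  subject=" + c.getSubjectX500Principal() + "\n  issuer =" + c.getIssuerX500Principal());
            System.out.println("Import the CA that issued the last certificate above into the truststore (keytool -import).");
        }
    }
}
```

The issuer printed for the last certificate in the chain is the CA (for Amazon MQ, the Starfield CA named in the answer) whose certificate must be in client.ts; once it is imported, the same run prints OK and the network bridge will pass the same check.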