"unable to find valid certification path to requested target" after adding a new keystore to ActiveMQ
We use ActiveMQ to queue up messages from remote clients.
The clients use the following URL to connect to ActiveMQ on our server;
ssl://www.mydomain.com:61616
This worked fine in the past and was set up by a developer no longer with the company.
Recently we had to update our SSL Cert as the old one had run out. We did this successfully for our http server but have only now realised that a copy of the original keystore still resided in the ActiveMQ config folders.
We have tried to place the new keystore into the ActiveMQ config folders, overwriting the old keystore. However this does not appear to work and all connections are rejected with the following stack trace;
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(Unknown Source)
at java.security.cert.CertPathBuilder.build(Unknown Source)
What are we doing wrong here?
We've listed the contents of both the old and new keystore using the keytool -list command and they appear to be very similar (apart from the dates of course).
Are there additional updates we need to make to the clients calling the above url to accept our new keystore?
Comments (1)
It may be that your truststore is out of synch with your keystore. Here is the general way to set it up from scratch; your config will differ, so adapt as needed:
Generate certs for each of the clients, and register the client certs with the broker truststore.
Export both certs
Import the certs into the producer truststore (new file)
Copy the broker truststore to whichever location you had the old one in, usually {ACTIVEMQ_HOME}/conf. You can generally see this in your broker config:
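The renewal scenario from the question and the export/import steps from the answer, as an added example that is not part of the original answer or of ActiveMQ: it replaces a broker keystore, shows that the client truststore no longer matches, then re-imports the certificate. Self-signed certificates stand in for the real ones, and the file names, the `broker` alias, the password and the `--demo` switch are constructed; with a CA-issued certificate the client truststore needs the issuing CA certificate instead.

```shell
# Added example; file names, the alias and the password are constructed values.
PASS=changeit

# Print the PEM certificate stored under <alias> in <store>.
cert_of() { keytool -exportcert -rfc -alias "$2" -keystore "$1" -storepass "$PASS" 2>/dev/null; }

# True only when the truststore holds the exact certificate the keystore presents.
in_sync() {  # in_sync <keystore> <truststore> <alias>
  a=$(cert_of "$1" "$3") && b=$(cert_of "$2" "$3") && [ -n "$a" ] && [ "$a" = "$b" ]
}

# Create a self-signed key pair (stand-in for the broker's real certificate).
new_keypair() {  # new_keypair <keystore> <alias> <CN>
  keytool -genkeypair -alias "$2" -keyalg RSA -keysize 2048 -validity 365 \
    -dname "CN=$3" -keystore "$1" -storepass "$PASS" -keypass "$PASS" >/dev/null 2>&1
}

# Export the certificate from the keystore and (re)import it into the truststore.
trust() {  # trust <keystore> <truststore> <alias>
  pem=$(mktemp) || return 1
  cert_of "$1" "$3" > "$pem" || { rm -f "$pem"; return 1; }
  keytool -delete -alias "$3" -keystore "$2" -storepass "$PASS" >/dev/null 2>&1 || true
  rc=0
  keytool -importcert -noprompt -alias "$3" -file "$pem" \
    -keystore "$2" -storepass "$PASS" >/dev/null 2>&1 || rc=$?
  rm -f "$pem"; return "$rc"
}

state() { if in_sync "$@"; then printf in-sync; else printf stale; fi; }

# Walk through the renewal: trusted, renewed on the broker only, re-imported.
rotation_states() {
  d=$(mktemp -d) || return 1
  ks=$d/broker.ks ts=$d/client.ts
  new_keypair "$ks" broker www.mydomain.com && trust "$ks" "$ts" broker || return 1
  s1=$(state "$ks" "$ts" broker)
  rm -f "$ks"; new_keypair "$ks" broker www.mydomain.com || return 1  # renewal on the broker only
  s2=$(state "$ks" "$ts" broker)
  trust "$ks" "$ts" broker || return 1                                # export + import steps
  s3=$(state "$ks" "$ts" broker)
  rm -rf "$d"; echo "$s1 $s2 $s3"
}

[ "${1:-}" != "--demo" ] || rotation_states
```

Running `in_sync` against the real broker keystore and a client's truststore (with the real alias and password) tells you whether that client still holds the old certificate.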