

Eclipse Community Forums
mqtts connection not working with kapua/kura [message #1808150] Tue, 18 June 2019 08:50
Aistis K
I have two kura gateways tied to a running instance of kapua, but they cannot connect with TLS or SSL protocols; only the unsecured mqtt connection works. When trying the secure connection I get:

ERROR o.a.a.broker.TransportConnector - Could not accept connection from null : {}
java.io.IOException: javax.net.ssl.SSLHandshakeException: no cipher suites in common
	at org.apache.activemq.transport.nio.NIOSSLTransport.initializeStreams(NIOSSLTransport.java:188)
	at org.apache.activemq.transport.mqtt.MQTTNIOSSLTransport.initializeStreams(MQTTNIOSSLTransport.java:52)
	at org.apache.activemq.transport.tcp.TcpTransport.connect(TcpTransport.java:543)
	at org.apache.activemq.transport.nio.NIOTransport.doStart(NIOTransport.java:174)
	at org.apache.activemq.transport.nio.NIOSSLTransport.doStart(NIOSSLTransport.java:462)
	at org.apache.activemq.util.ServiceSupport.start(ServiceSupport.java:55)
	at org.apache.activemq.transport.TransportFilter.start(TransportFilter.java:64)
	at org.apache.activemq.transport.mqtt.MQTTTransportFilter.start(MQTTTransportFilter.java:157)
	at org.apache.activemq.transport.mqtt.MQTTInactivityMonitor.start(MQTTInactivityMonitor.java:148)
	at org.apache.activemq.transport.TransportFilter.start(TransportFilter.java:64)
	at org.apache.activemq.broker.TransportConnection.start(TransportConnection.java:1071)
	at org.apache.activemq.broker.TransportConnector$1$1.run(TransportConnector.java:218)
	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
	at java.lang.Thread.run(Thread.java:748)
Caused by: javax.net.ssl.SSLHandshakeException: no cipher suites in common
	at sun.security.ssl.Handshaker.checkThrown(Handshaker.java:1521)
	at sun.security.ssl.SSLEngineImpl.checkTaskThrown(SSLEngineImpl.java:528)
	at sun.security.ssl.SSLEngineImpl.writeAppRecord(SSLEngineImpl.java:1197)
	at sun.security.ssl.SSLEngineImpl.wrap(SSLEngineImpl.java:1165)
	at javax.net.ssl.SSLEngine.wrap(SSLEngine.java:469)
	at org.apache.activemq.transport.nio.NIOOutputStream.write(NIOOutputStream.java:174)
	at org.apache.activemq.transport.nio.NIOSSLTransport.doHandshake(NIOSSLTransport.java:444)
	at org.apache.activemq.transport.nio.NIOSSLTransport.initializeStreams(NIOSSLTransport.java:156)
	... 14 common frames omitted
Caused by: javax.net.ssl.SSLHandshakeException: no cipher suites in common
	at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
	at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1647)
	at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:318)
	at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:306)
	at sun.security.ssl.ServerHandshaker.chooseCipherSuite(ServerHandshaker.java:1127)
	at sun.security.ssl.ServerHandshaker.clientHello(ServerHandshaker.java:814)
	at sun.security.ssl.ServerHandshaker.processMessage(ServerHandshaker.java:221)
	at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1037)
	at sun.security.ssl.Handshaker$1.run(Handshaker.java:970)
	at sun.security.ssl.Handshaker$1.run(Handshaker.java:967)
	at java.security.AccessController.doPrivileged(Native Method)
	at sun.security.ssl.Handshaker$DelegatedTask.run(Handshaker.java:1459)
	at org.apache.activemq.transport.nio.NIOSSLTransport.doHandshake(NIOSSLTransport.java:440)
	... 15 common frames omitted


1) I deployed kapua as described here:
https://www.eclipse.org/kapua/getting-started.php
2) Did not change any configurations on the kapua/kapua-broker:latest container
3) The container has these ports open:
0.0.0.0:1883->1883/tcp, 0.0.0.0:8883->8883/tcp, 0.0.0.0:61614->61614/tcp, 8778/tcp
4) On the client side (kura gateway) I tried these configs:
BROKER URL
mqtts://someip:8883/
SSL Default Protocol
TLSv1.2, TLSv1.1, TLSv1.0, empty (I think defaults to SSL)
SSL Default Cipher Suites
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, empty (defaults to jvm provided ones)
5) In the container's "maven/conf/activemq.xml" these lines are commented out for some reason (the file came this way with the docker image):
        <sslContext>
            <sslContext keyStore="${certificatesHome}/kapua.ks" keyStorePassword="${keystorePassword}"/>
        </sslContext>


Any tips how to make this work?

[Updated on: Tue, 18 June 2019 10:52]


Re: mqtts connection not working with kapua/kura [message #1808813 is a reply to message #1808150] Tue, 02 July 2019 08:49
Aistis K
Well, I guess forget the questions above. Did anyone here try out connecting to the kapua broker through the 8883 port? Has anyone done that successfully?

Re: mqtts connection not working with kapua/kura [message #1808915 is a reply to message #1808813] Thu, 04 July 2019 13:10
Aistis K
Ok, so after a lot of hair pulling I was able to connect one of my kura devices to the secured kapua broker connection on port 8883. There seem to be a few things and issues that are not documented anywhere (at least not to my knowledge):

I deployed the development branch of kapua.

1) In the kapua-broker docker container the script "/var/opt/activemq/run-broker" had KAPUA_DISABLE_SSL:="true", so the certificate and keystore file generation was disabled by default.
2) In the kapua-broker docker container, after changing KAPUA_DISABLE_SSL:="true" to KAPUA_DISABLE_SSL:="false", the generated "/var/opt/activemq/tls/kapua.jks" keystore file was empty. To solve this I took the commands at the top of the script, gave them proper paths and passwords and executed them.

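# Self-signed certificate and unencrypted private key for the broker
openssl req -x509 -newkey rsa:4096 -keyout /var/opt/activemq/key.pem -out /var/opt/activemq/cert.pem -days 365 -nodes -subj '/O=Eclipse Kapua/C=XX/CN=mydomainname.com'
# Convert the key to PKCS#8, written to the same path the next command reads
openssl pkcs8 -topk8 -in /var/opt/activemq/key.pem -out /var/opt/activemq/key.pk8 -nocrypt
# Bundle certificate and key into the keystore file under the alias "kapua"
openssl pkcs12 -export -in /var/opt/activemq/cert.pem -inkey /var/opt/activemq/key.pk8 -name kapua -password pass:"MyKeyStorepassword" -out /var/opt/activemq/tls/kapua.jks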


I only left the variables that are exported further on and the activemq command.

ACTIVEMQ_SSL_OPTS="${ACTIVEMQ_SSL_OPTS} -Djavax.net.ssl.keyStore=/var/opt/activemq/tls/kapua.jks"
ACTIVEMQ_SSL_OPTS="${ACTIVEMQ_SSL_OPTS} -Djavax.net.ssl.keyStorePassword=MyKeyStorepassword"
ACTIVEMQ_SSL_OPTS="${ACTIVEMQ_SSL_OPTS} -Djavax.net.ssl.trustStore=/var/opt/activemq/tls/kapua.jks"
ACTIVEMQ_SSL_OPTS="${ACTIVEMQ_SSL_OPTS} -Djavax.net.ssl.trustStorePassword=MyKeyStorepassword"

export ACTIVEMQ_SSL_OPTS

# Run broker
/opt/activemq/bin/activemq console



3) In the kapua-broker docker container the script "/opt/activemq/conf/activemq.xml" had the ssl context commented out, so I uncommented it and added the proper path and password to the keystore file:
	<sslContext>
		<sslContext keyStore="/var/opt/activemq/tls/kapua.jks" keyStorePassword="myPassword" trustStore="/var/opt/activemq/tls/kapua.jks" trustStorePassword="myPassword"/>
	</sslContext>

Using the same kapua.jks file for both trustStore and keyStore seems to work.

4) Even after copying the "/var/opt/activemq/cert.pem" and then pasting the contents to the kura device UI panel (Settings -> Server SSL Certificate), it still did not connect. Because Kura's hostname verification cannot be disabled at this time, the "/var/opt/activemq/cert.pem" certificate needs to have a valid domain address (cannot be an IP, but can be a hostname like user-dev.local if the kura instance is not in a docker container). So when creating the certificate, I changed the "-subj '/O=Eclipse Kapua/C=XX'" to "-subj '/O=Eclipse Kapua/C=XX/CN=mydomainname.com'".

Not 100% sure about the correctness of these steps, but since there is not a lot of activity here, maybe this could help someone else who's stuck.


[Updated on: Fri, 05 July 2019 07:15]
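
Added example, not part of the original posts and not Kapua's own script: a pre-flight check for the two failure points described above, a keystore with no private key (a JSSE server with no key material has no certificate-based suite to select, a common cause of "no cipher suites in common") and a certificate CN that does not match the broker host name. The function names, the host name broker.example.test, the password changeit and the temporary directory are assumptions made for the illustration.

```shell
#!/bin/sh
# make_keystore DIR CN PASS: the three openssl steps from the post, with all
# paths under DIR (rsa:2048 here only to keep the demo fast).
make_keystore() {
  dir=$1 cn=$2 pass=$3
  openssl req -x509 -newkey rsa:2048 -keyout "$dir/key.pem" \
    -out "$dir/cert.pem" -days 365 -nodes \
    -subj "/O=Eclipse Kapua/C=XX/CN=$cn" 2>/dev/null &&
  openssl pkcs8 -topk8 -in "$dir/key.pem" -out "$dir/key.pk8" -nocrypt &&
  openssl pkcs12 -export -in "$dir/cert.pem" -inkey "$dir/key.pk8" \
    -name kapua -password "pass:$pass" -out "$dir/kapua.jks"
}

# keystore_has_key FILE PASS: succeeds only if FILE is non-empty, opens with
# PASS and contains a private key the broker could use in a handshake.
keystore_has_key() {
  [ -s "$1" ] || return 1
  openssl pkcs12 -in "$1" -password "pass:$2" -nocerts -nodes 2>/dev/null |
    grep -q 'PRIVATE KEY'
}

# cert_matches_host CERT HOST: succeeds only if the certificate is valid for
# HOST, the name the client will put in its mqtts:// broker URL.
cert_matches_host() {
  openssl x509 -in "$1" -noout -checkhost "$2" 2>/dev/null |
    grep -q 'does match'
}

# Constructed demo data: one good keystore and one empty file standing in for
# the empty kapua.jks the post describes.
work=$(mktemp -d)
make_keystore "$work" broker.example.test changeit
: > "$work/empty.jks"

keystore_has_key "$work/kapua.jks" changeit &&
  echo "kapua.jks: private key present"
keystore_has_key "$work/empty.jks" changeit ||
  echo "empty.jks: no private key, TLS handshakes will fail"
cert_matches_host "$work/cert.pem" broker.example.test &&
  echo "cert.pem: matches broker.example.test"
cert_matches_host "$work/cert.pem" 192.0.2.10 ||
  echo "cert.pem: does not match 192.0.2.10, hostname verification will reject it"
```

Run the two checks against the real keystore and certificate before restarting the broker, passing the exact host name configured in the gateway's broker URL.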
