mqtts connection not working with kapua/kura [message #1808150]
Tue, 18 June 2019 08:50
Aistis Kaikaris (Messages: 33, Registered: March 2018)
I have two kura gateways tied to a running instance of kapua, but they cannot connect with the TLS or SSL protocols; only an unsecured mqtt connection works. When trying the secure connection I get:
ERROR o.a.a.broker.TransportConnector - Could not accept connection from null : {}
java.io.IOException: javax.net.ssl.SSLHandshakeException: no cipher suites in common
at org.apache.activemq.transport.nio.NIOSSLTransport.initializeStreams(NIOSSLTransport.java:188)
at org.apache.activemq.transport.mqtt.MQTTNIOSSLTransport.initializeStreams(MQTTNIOSSLTransport.java:52)
at org.apache.activemq.transport.tcp.TcpTransport.connect(TcpTransport.java:543)
at org.apache.activemq.transport.nio.NIOTransport.doStart(NIOTransport.java:174)
at org.apache.activemq.transport.nio.NIOSSLTransport.doStart(NIOSSLTransport.java:462)
at org.apache.activemq.util.ServiceSupport.start(ServiceSupport.java:55)
at org.apache.activemq.transport.TransportFilter.start(TransportFilter.java:64)
at org.apache.activemq.transport.mqtt.MQTTTransportFilter.start(MQTTTransportFilter.java:157)
at org.apache.activemq.transport.mqtt.MQTTInactivityMonitor.start(MQTTInactivityMonitor.java:148)
at org.apache.activemq.transport.TransportFilter.start(TransportFilter.java:64)
at org.apache.activemq.broker.TransportConnection.start(TransportConnection.java:1071)
at org.apache.activemq.broker.TransportConnector$1$1.run(TransportConnector.java:218)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
at java.lang.Thread.run(Thread.java:748)
Caused by: javax.net.ssl.SSLHandshakeException: no cipher suites in common
at sun.security.ssl.Handshaker.checkThrown(Handshaker.java:1521)
at sun.security.ssl.SSLEngineImpl.checkTaskThrown(SSLEngineImpl.java:528)
at sun.security.ssl.SSLEngineImpl.writeAppRecord(SSLEngineImpl.java:1197)
at sun.security.ssl.SSLEngineImpl.wrap(SSLEngineImpl.java:1165)
at javax.net.ssl.SSLEngine.wrap(SSLEngine.java:469)
at org.apache.activemq.transport.nio.NIOOutputStream.write(NIOOutputStream.java:174)
at org.apache.activemq.transport.nio.NIOSSLTransport.doHandshake(NIOSSLTransport.java:444)
at org.apache.activemq.transport.nio.NIOSSLTransport.initializeStreams(NIOSSLTransport.java:156)
... 14 common frames omitted
Caused by: javax.net.ssl.SSLHandshakeException: no cipher suites in common
at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1647)
at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:318)
at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:306)
at sun.security.ssl.ServerHandshaker.chooseCipherSuite(ServerHandshaker.java:1127)
at sun.security.ssl.ServerHandshaker.clientHello(ServerHandshaker.java:814)
at sun.security.ssl.ServerHandshaker.processMessage(ServerHandshaker.java:221)
at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1037)
at sun.security.ssl.Handshaker$1.run(Handshaker.java:970)
at sun.security.ssl.Handshaker$1.run(Handshaker.java:967)
at java.security.AccessController.doPrivileged(Native Method)
at sun.security.ssl.Handshaker$DelegatedTask.run(Handshaker.java:1459)
at org.apache.activemq.transport.nio.NIOSSLTransport.doHandshake(NIOSSLTransport.java:440)
... 15 common frames omitted
1) I deployed kapua as described here:
https://www.eclipse.org/kapua/getting-started.php
2) Did not change any configurations on the kapua/kapua-broker:latest container
3) The container has these ports open:
0.0.0.0:1883->1883/tcp, 0.0.0.0:8883->8883/tcp, 0.0.0.0:61614->61614/tcp, 8778/tcp
4) On the client side (kura gateway) I tried these configs:
BROKER URL
mqtts://someip:8883/
SSL Default Protocol
TLSv1.2, TLSv1.1, TLSv1.0, empty (I think it defaults to SSL)
SSL Default Cipher Suites
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, empty (defaults to jvm provided ones)
5) In the container's "maven/conf/activemq.xml" these lines are commented out for some reason (the file came this way with the docker image):
<sslContext>
<sslContext keyStore="${certificatesHome}/kapua.ks" keyStorePassword="${keystorePassword}"/>
</sslContext>
Any tips how to make this work?
[Updated on: Tue, 18 June 2019 10:52]
Re: mqtts connection not working with kapua/kura [message #1808915 is a reply to message #1808813]
Thu, 04 July 2019 13:10
Aistis Kaikaris (Messages: 33, Registered: March 2018)
Ok, so after a lot of hair pulling I was able to connect one of my kura devices to the secured kapua broker connection on port 8883. There seem to be a few things and issues that are not documented anywhere (at least not to my knowledge):
I deployed the development branch of kapua.
1) In the kapua-broker docker container the script "/var/opt/activemq/run-broker" had "KAPUA_DISABLE_SSL:="true" so the certificate and keystore file generation was disabled by default
2) In the kapua-broker docker container, after changing "KAPUA_DISABLE_SSL:="true"" to "KAPUA_DISABLE_SSL:="false"", the generated "/var/opt/activemq/tls/kapua.jks" keystore file was empty. To solve this I took the commands at the top of the script, gave them proper paths and passwords and executed them.
# 1. Self-signed server certificate; the CN must be the name Kura dials (see step 4 below)
openssl req -x509 -newkey rsa:4096 -keyout /var/opt/activemq/key.pem -out /var/opt/activemq/cert.pem -days 365 -nodes -subj '/O=Eclipse Kapua/C=XX/CN=mydomainname.com'
# 2. Re-encode the key as unencrypted PKCS#8, written next to the other files where step 3 reads it
openssl pkcs8 -topk8 -in /var/opt/activemq/key.pem -out /var/opt/activemq/key.pk8 -nocrypt
# 3. Bundle key and certificate into a PKCS#12 keystore (the .jks name is what activemq.xml points at)
openssl pkcs12 -export -in /var/opt/activemq/cert.pem -inkey /var/opt/activemq/key.pk8 -name kapua -password pass:"MyKeyStorepassword" -out /var/opt/activemq/tls/kapua.jks
I only left the variables that are exported further on and the activemq command.
# Keystore/truststore system properties picked up by the broker JVM
ACTIVEMQ_SSL_OPTS="${ACTIVEMQ_SSL_OPTS} -Djavax.net.ssl.keyStore=/var/opt/activemq/tls/kapua.jks"
ACTIVEMQ_SSL_OPTS="${ACTIVEMQ_SSL_OPTS} -Djavax.net.ssl.keyStorePassword=MyKeyStorepassword"
ACTIVEMQ_SSL_OPTS="${ACTIVEMQ_SSL_OPTS} -Djavax.net.ssl.trustStore=/var/opt/activemq/tls/kapua.jks"
ACTIVEMQ_SSL_OPTS="${ACTIVEMQ_SSL_OPTS} -Djavax.net.ssl.trustStorePassword=MyKeyStorepassword"
export ACTIVEMQ_SSL_OPTS
# Run broker
/opt/activemq/bin/activemq console
3) In the kapua-broker docker container the script "/opt/activemq/conf/activemq.xml" had the ssl context commented out, so I uncommented it and added the proper path and password to the keystore file:
<sslContext>
<sslContext keyStore="/var/opt/activemq/tls/kapua.jks" keyStorePassword="myPassword" trustStore="/var/opt/activemq/tls/kapua.jks" trustStorePassword="myPassword"/>
</sslContext>
Using the same kapua.jks file for both trustStore and keyStore seems to work.
4) Even after copying "/var/opt/activemq/cert.pem" and pasting the contents into the kura device UI panel (Settings -> Server SSL Certificate), it still did not connect. Because Kura's hostname verification cannot be disabled at this time, the "/var/opt/activemq/cert.pem" certificate needs to have a valid domain address (cannot be an IP, but can be a hostname like user-dev.local if the kura instance is not in a docker container). So when creating the certificate, I changed "-subj '/O=Eclipse Kapua/C=XX'" to "-subj '/O=Eclipse Kapua/C=XX/CN=mydomainname.com'".
Not 100% sure about the correctness of these steps, but since there is not a lot of activity here, maybe this could help someone else who's stuck.
[Updated on: Fri, 05 July 2019 07:15]
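The following script is an added example and is not code from this thread or from the Kapua project. It builds the broker keystore the way the second post ends up doing it and then runs the three checks that would have caught the problems in both posts before the broker was started: that the PKCS#12 file actually holds a key and certificate (the empty kapua.jks, which is why the JVM had nothing to sign the handshake with and reported "no cipher suites in common"), that the certificate names the host Kura dials (the hostname-verification failure), and which of the cipher suites listed in the first post an RSA-keyed broker can serve at all (the ECDHE_ECDSA suites need an EC certificate). BROKER_HOST, KS_PASS and the working directory are assumed placeholders, and openssl 1.1.1 or newer is assumed for the -addext and -ext options.

```shell
#!/bin/sh
# Added example (not from the thread or the Kapua project): build and verify a
# broker keystore for the ActiveMQ mqtt+ssl transport. Needs openssl >= 1.1.1.
set -eu

# Assumed placeholders, not values from the thread. BROKER_HOST must be exactly
# the name Kura puts in its mqtts:// URL, or hostname verification will fail.
BROKER_HOST="${BROKER_HOST:-broker.example.internal}"
KS_PASS="${KS_PASS:-change-me}"
WORK="${WORK:-$(mktemp -d)}"

# Step 1: RSA key and self-signed certificate. CN alone satisfied Kura in the
# thread; a DNS SAN is added as well because RFC 6125 verifiers check SAN first.
make_cert() {
  openssl req -x509 -newkey rsa:2048 -sha256 -days 365 -nodes \
    -keyout "$WORK/key.pem" -out "$WORK/cert.pem" \
    -subj "/O=Eclipse Kapua/C=XX/CN=$BROKER_HOST" \
    -addext "subjectAltName=DNS:$BROKER_HOST" 2>/dev/null
}

# Step 2: PKCS#12 keystore. Java reads PKCS#12 directly, so the separate pkcs8
# conversion is not needed; the .jks name only has to match activemq.xml.
make_keystore() {
  openssl pkcs12 -export -name kapua \
    -in "$WORK/cert.pem" -inkey "$WORK/key.pem" \
    -passout "pass:$KS_PASS" -out "$WORK/kapua.jks"
}

# Check A: an empty keystore leaves the server with no key to sign the
# handshake; the JVM reports that as "no cipher suites in common".
keystore_has_key_and_cert() {
  info=$(openssl pkcs12 -in "$WORK/kapua.jks" -passin "pass:$KS_PASS" \
           -nodes -info 2>/dev/null) || return 1
  printf '%s\n' "$info" | grep -q 'BEGIN PRIVATE KEY' || return 1
  printf '%s\n' "$info" | grep -q 'BEGIN CERTIFICATE' || return 1
  return 0
}

# Check B: the dialed name must appear as the subject CN or as a DNS SAN.
cert_names_include() {
  names=$(openssl x509 -in "$WORK/cert.pem" -noout -subject -ext subjectAltName)
  printf '%s\n' "$names" | tr ',' '\n' | grep -q "CN *= *$1 *\$" && return 0
  printf '%s\n' "$names" | tr ',' '\n' | grep -q "DNS:$1 *\$" && return 0
  return 1
}

# Check C: of the suites the client offers, print those this certificate can
# serve. ECDHE_ECDSA suites need an EC key; an RSA key serves only *_RSA_* suites.
negotiable_suites() {
  alg=$(openssl x509 -in "$WORK/cert.pem" -noout -text | sed -n 's/.*Public Key Algorithm: //p')
  for suite in "$@"; do
    case "$alg:$suite" in
      rsaEncryption:TLS_ECDHE_RSA_*|rsaEncryption:TLS_DHE_RSA_*|rsaEncryption:TLS_RSA_*) echo "$suite" ;;
      id-ecPublicKey:TLS_ECDHE_ECDSA_*) echo "$suite" ;;
    esac
  done
}

# The <sslContext> block that replaces the commented-out one in activemq.xml.
activemq_ssl_context() {
  cat <<EOF
<sslContext>
  <sslContext keyStore="$WORK/kapua.jks" keyStorePassword="$KS_PASS"
              trustStore="$WORK/kapua.jks" trustStorePassword="$KS_PASS"/>
</sslContext>
EOF
}

make_cert
make_keystore
keystore_has_key_and_cert || { echo "keystore has no key/cert pair"; exit 1; }
cert_names_include "$BROKER_HOST" || { echo "cert does not name $BROKER_HOST"; exit 1; }
echo "suites an RSA-keyed broker can accept from the Kura list in post 1:"
negotiable_suites TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
activemq_ssl_context
```

Two practical notes. Passing the keystore password as -Djavax.net.ssl.keyStorePassword puts it on the JVM command line, where any local user can read it with ps; the attribute in activemq.xml, with the file's permissions restricted, exposes it less. If the broker's JVM is an older Java 8 and refuses a keystore written by OpenSSL 3, re-run the export with the -legacy option, which selects the older PKCS#12 encryption those JVMs understand.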