
ActiveMQ Apollo Warning: javax.net.ssl.SSLException: Received fatal alert: certificate_unknown


Apache Apollo is no longer maintained. Unless you specifically need it, Apache ActiveMQ 5 is the recommended broker.

1. Download Apollo 1.7.1 and create a broker as described in the official getting-started example. The following warning appears while the broker is being created:

Creating apollo instance at: testBroker
Generating ssl keystore...

Warning:
JKS keystore uses a proprietary format. It is recommended to use "keytool -importkeystore -srckeystore keystore -destkeystore keystore -deststoretype pkcs12" to migrate to the industry standard format PKCS12.

You can now start the broker by executing:

   "E:\environment\apache\apollo\apache-apollo-1.7.1\testBroker\bin\apollo-broker" run

Or you can setup the broker as Windows service and run it in the background:

   "E:\environment\apache\apollo\apache-apollo-1.7.1\testBroker\bin\apollo-broker-service" install
   "E:\environment\apache\apollo\apache-apollo-1.7.1\testBroker\bin\apollo-broker-service" start

The following warning appears after the broker has been started:

WARN  | javax.net.ssl.SSLException: Received fatal alert: certificate_unknown

From the wording of the two messages it is tempting to assume that they are related and that migrating the JKS keystore to PKCS12 will fix the SSL warning. It does not: the keytool warning concerns only the on-disk format of the keystore, whereas certificate_unknown is a TLS alert sent by a connecting client that could not validate the broker's self-signed certificate. The migration is harmless and worth doing anyway, so the steps are recorded here, but expect the SSL warning to remain afterwards.

Locate the keystore that was generated when the broker was created. It is normally the file named keystore in the etc folder of the broker directory.

On Windows, open a command prompt, change to the etc directory and run the following command:

keytool -importkeystore -srckeystore keystore -destkeystore keystore -deststoretype pkcs12

keytool prompts for the source keystore password.

The password is not documented, but it can be found in the Apache Apollo source code. The keystore is generated in BrokerCreate.scala under apollo-broker/src/main/scala/org/apache/activemq/apollo/broker, as follows:

// Generate a keystore with a new key
val ssl = with_ssl && {
  out.println("Generating ssl keystore...")
  val rc = system(etc, Array(
    "keytool", "-genkey",
    "-storetype", "JKS",
    "-storepass", "password",      // keystore password is hard-coded
    "-keystore", "keystore",
    "-keypass", "password",        // key password is hard-coded as well
    "-alias", host,
    "-keyalg", "RSA",
    "-keysize", "4096",
    "-dname", "cn=%s".format(host), // self-signed certificate, CN = broker host name
    "-validity", "3650"))==0
  if(!rc) {
    out.println("WARNING: Could not generate the keystore, make sure the keytool command is in your PATH")
  }
  rc
}

The password is the literal string password, and it is the same for every broker created this way, for both the keystore and the private key. Anyone who has read Apollo's source knows it, so for anything beyond a local test change it with keytool -storepasswd and keytool -keypasswd, or regenerate the key with your own password. Enter the password and keytool prints the following:

Entries with the alias mybroker were successfully imported.
Completed import command: 1 entry successfully imported, 0 entries failed or cancelled

Warning:
Migrated "keystore" to Non JKS/JCEKS. made a backup of JKS keystore as "keystore.old".

When the broker is started again, the following warnings are still present in its output. That is expected, because the keystore format had nothing to do with them. certificate_unknown is the TLS alert a client sends back when it cannot build a trust chain for the broker's self-signed certificate, typically a Java client whose truststore does not contain that certificate, and the close_notify warning that follows is the same client dropping the connection. The broker itself keeps working, so the warning does not affect basic use, but it will recur for every client that does not trust the certificate. To make it go away, import the broker certificate into each client's truststore, or replace the self-signed certificate with one issued by a CA the clients already trust.

WARN  | javax.net.ssl.SSLException: Received fatal alert: certificate_unknown
WARN  | javax.net.ssl.SSLException: Received fatal alert: certificate_unknown
WARN  | javax.net.ssl.SSLException: Inbound closed before receiving peer's close_notify: possible truncation attack?
WARN  | javax.net.ssl.SSLException: Inbound closed before receiving peer's close_notify: possible truncation attack?
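The whole procedure as one script, added here as an example; it is not code from the post or from Apollo. It recreates the keystore that BrokerCreate.scala generates (same keytool arguments, 2048-bit key instead of 4096 to keep it fast), replaces the hard-coded password while the store is still JKS, runs the post's JKS-to-PKCS12 migration non-interactively, and then exports the broker certificate into a client truststore, which is the step that actually stops a Java client from sending certificate_unknown. The alias mybroker comes from the post's output; the replacement passwords, the truststore file name client-truststore and the exported file broker.pem are assumptions. It needs the JDK keytool on PATH; the keytool arguments are identical on Windows.

```shell
#!/usr/bin/env bash
# Added example, not part of the original post or of Apollo: reproduce the
# 'apollo create' keystore, rotate its default password, migrate it to PKCS12
# and build the client truststore that makes certificate_unknown go away.
set -euo pipefail

HOST="${HOST:-mybroker}"                        # alias and CN used by 'apollo create' (from the post)
DEFAULT_PASS="password"                         # the value hard-coded in BrokerCreate.scala
NEW_PASS="${NEW_PASS:-Apollo-keystore-2024!}"   # assumption: replacement broker keystore password
TRUST_PASS="${TRUST_PASS:-client-trust-2024!}"  # assumption: password for the client truststore
WORK="${WORK:-$(mktemp -d)}"                    # stands in for the broker's etc/ directory

# 1. The keystore 'apollo create' generates: a self-signed RSA key in a JKS store
#    whose store and key passwords are both the literal "password".
gen_apollo_keystore() {
  keytool -genkeypair -storetype JKS \
    -storepass "$DEFAULT_PASS" -keypass "$DEFAULT_PASS" \
    -keystore "$WORK/keystore" -alias "$HOST" \
    -keyalg RSA -keysize 2048 -dname "cn=$HOST" -validity 3650 >/dev/null 2>&1
}

# 2. Rotate the default password first. Done while the store is still JKS, where
#    store and key passwords are changed independently; keeping them equal avoids
#    the per-entry password prompt during the PKCS12 migration.
rotate_password() {
  keytool -storepasswd -keystore "$WORK/keystore" \
    -storepass "$DEFAULT_PASS" -new "$NEW_PASS" >/dev/null 2>&1
  keytool -keypasswd -keystore "$WORK/keystore" -alias "$HOST" \
    -storepass "$NEW_PASS" -keypass "$DEFAULT_PASS" -new "$NEW_PASS" >/dev/null 2>&1
}

# 3. The post's step, non-interactively: migrate JKS -> PKCS12 in place.
#    keytool keeps the old store as keystore.old, as the post's output shows.
migrate_to_pkcs12() {
  keytool -importkeystore -srckeystore "$WORK/keystore" -destkeystore "$WORK/keystore" \
    -deststoretype pkcs12 -srcstorepass "$NEW_PASS" -deststorepass "$NEW_PASS" \
    -noprompt >/dev/null 2>&1
}

# 4. The real fix for certificate_unknown: the client must trust the broker's
#    self-signed certificate. Export it and import it into a truststore the
#    client is then configured to use (e.g. via javax.net.ssl.trustStore).
build_client_truststore() {
  keytool -exportcert -keystore "$WORK/keystore" -storepass "$NEW_PASS" \
    -alias "$HOST" -rfc -file "$WORK/broker.pem" >/dev/null 2>&1
  keytool -importcert -noprompt -keystore "$WORK/client-truststore" -storetype pkcs12 \
    -storepass "$TRUST_PASS" -alias "$HOST" -file "$WORK/broker.pem" >/dev/null 2>&1
}

# Checks a practitioner would run afterwards.
keystore_type()  { keytool -list -keystore "$WORK/keystore" -storepass "$NEW_PASS" | sed -n 's/^Keystore type: //p'; }
opens_with()     { keytool -list -keystore "$WORK/keystore" -storepass "$1" >/dev/null 2>&1; }
truststore_has() { keytool -list -keystore "$WORK/client-truststore" -storepass "$TRUST_PASS" -alias "$1" >/dev/null 2>&1; }

main() {
  gen_apollo_keystore
  rotate_password
  migrate_to_pkcs12
  build_client_truststore
  echo "keystore type   : $(keystore_type)"
  echo "JKS backup      : $([ -f "$WORK/keystore.old" ] && echo present || echo missing)"
  echo "default password: $(opens_with "$DEFAULT_PASS" && echo 'still accepted' || echo rejected)"
  echo "client truststore: $(truststore_has "$HOST" && echo "trusts $HOST" || echo "missing $HOST")"
  echo "files left in $WORK"
}

if command -v keytool >/dev/null 2>&1; then main; else echo "keytool not found on PATH" >&2; fi
```

Point the client at the resulting client-truststore (for a plain Java client, -Djavax.net.ssl.trustStore and -Djavax.net.ssl.trustStorePassword) and the broker log stops showing certificate_unknown for that client; the broker's own apollo.xml keeps referring to the migrated keystore with the new password.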