can't start server with an SSL certchain #568

Open
ciklysta opened this issue Jul 3, 2024 · 3 comments
Comments

ciklysta commented Jul 3, 2024

I have a certification authority. Its cert is in cacert.pem. That CA signed both my server cert and a client cert.

Imagine I store a server key in server.pem and a server cert in server.key.

I want to run IBM MQ server. So I created a structure according to the documentation. I renamed

  • server.pem to pki/keys/server/tls.crt
  • server.key to pki/keys/server/tls.key
  • cacert.pem to pki/trust/0/tls.crt

When I try to start the server (with pki dir mounted -v ./pki:/etc/mqm/pki) I get an error

Failed to add certificates to CMS keystore: error running "/opt/mqm/bin/runmqakm -cert -add": /opt/mqm/bin/runmqakm: exit status 26 CTGSK3046W The key file "/tmp/cmsTrust.pem" could not be imported.

Am I doing something wrong or is this a bug?

After some investigation, I found out that the following runmqakm commands are run from the Go code (in that order):

runmqakm -keydb -create  -type cms -db /run/runmqserver/tls/key.kdb -pw cQZFzsfl95yk -stash
runmqakm -keydb -create  -type p12 -db /run/runmqserver/tls/trust.p12 -pw cQZFzsfl95yk -stash
runmqakm -cert -import  -file /run/runmqserver/tls/hotscan.p12 -pw cQZFzsfl95yk -target /run/runmqserver/tls/key.kdb -target_pw cQZFzsfl95yk -target_type cms
runmqakm -cert -list  -type cms -db /run/runmqserver/tls/key.kdb -pw cQZFzsfl95yk
runmqakm -cert -add  -db /run/runmqserver/tls/trust.p12 -type p12 -pw cQZFzsfl95yk -file /tmp/trust.pem
runmqakm -cert -list  -type p12 -db /run/runmqserver/tls/trust.p12 -pw cQZFzsfl95yk
runmqakm -cert -add  -db /run/runmqserver/tls/key.kdb -type cms -pw cQZFzsfl95yk -file /tmp/cmsTrust.pem

The last one fails with the error message.

Further observations:

  • If I provide an independent CA (not the one that issued the server cert), the server starts correctly.
  • If I don't provide cacert.pem aka pki/trust/0/tls.crt the server starts, but it doesn't talk TLS.
@arthurbarr (Member) commented:

The runmqserver command creates the cmsTrust.pem file dynamically. I suspect that either:

  1. The PEM file does not contain the full trust chain for the certificate. MQ needs the entire trust chain to be available, in order to validate properly, and won't import a partial chain.
  2. The PEM file is not in a recognized format. It should be able to handle a standard X.509 cert, but it could be there's something unusual about that certificate.


ciklysta commented Jul 5, 2024

Here are my pem files:

pki/trust/0/tls.crt (the CA cert):

-----BEGIN CERTIFICATE----- [certificate body omitted] -----END CERTIFICATE-----

pki/keys/mycomp/tls.crt (server's cert - only the cert, without the whole chain):

-----BEGIN CERTIFICATE----- [certificate body omitted] -----END CERTIFICATE-----

pki/keys/mycomp/tls.key (this is generated for testing purposes, no problem in publishing):

-----BEGIN PRIVATE KEY----- [key body omitted] -----END PRIVATE KEY-----

and both temp files (/tmp/trust.pem and /tmp/cmsTrust.pem) contain only what's in pki/trust/0/tls.crt. From what you write, I understand that the Go script should join both certs to a certchain. That is not the case.

@arthurbarr (Member) commented:

You need to have the full trust chain in each place. i.e. the CA cert needs to be in the pki/keys/mycomp/ directory. When that gets imported, the CA will become trusted. The trust directories are for trusted CAs which you don't have a private key for.
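The following is an added example, not code from this thread or from the mq-container project, that shows the difference between the two layouts discussed above: a pki/keys/.../tls.crt holding only the server certificate (what the reporter mounted) versus one holding the server certificate followed by its issuing CA (what the maintainer asks for). ChainComplete parses a PEM bundle, treats the first certificate as the server cert, and verifies it using only the other certificates in the same file, with an empty root pool so the system trust store is not consulted. NewTestCAAndServerCert and the hostname mq.example.test are constructed test material; the helper names are this example's own assumptions, not anything runmqserver exposes.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// parsePEMCerts returns every CERTIFICATE block in data, in file order.
func parsePEMCerts(data []byte) ([]*x509.Certificate, error) {
	var certs []*x509.Certificate
	for b, rest := pem.Decode(data); b != nil; b, rest = pem.Decode(rest) {
		if b.Type != "CERTIFICATE" {
			continue
		}
		c, err := x509.ParseCertificate(b.Bytes)
		if err != nil {
			return nil, err
		}
		certs = append(certs, c)
	}
	if len(certs) == 0 {
		return nil, errors.New("no CERTIFICATE blocks found")
	}
	return certs, nil
}

// ChainComplete reports whether the first cert in bundle (the server cert)
// verifies using only the other certs in the same bundle, i.e. whether the
// file carries its own chain up to a self-signed root. A leaf-only file
// returns (false, nil). The empty, non-nil Roots pool keeps Verify from
// falling back to the system trust store.
func ChainComplete(bundle []byte) (bool, error) {
	certs, err := parsePEMCerts(bundle)
	if err != nil {
		return false, err
	}
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	for _, c := range certs[1:] {
		if c.IsCA && c.CheckSignatureFrom(c) == nil { // self-signed CA = root
			roots.AddCert(c)
		} else {
			inters.AddCert(c)
		}
	}
	_, err = certs[0].Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters})
	return err == nil, nil
}

// ConcatPEM joins PEM files: server cert first, then its CA(s) up to the root.
func ConcatPEM(parts ...[]byte) []byte { return bytes.Join(parts, nil) }

// NewTestCAAndServerCert builds a throwaway self-signed CA and a server cert
// issued by it. Constructed test material, not the issue's real PKI; it
// panics on error because it exists only to feed the checks above.
func NewTestCAAndServerCert() (caPEM, serverPEM []byte) {
	check := func(err error) {
		if err != nil {
			panic(err)
		}
	}
	now := time.Now()
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Test CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	caDER, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	check(err)
	caCert, err := x509.ParseCertificate(caDER)
	check(err)
	srvKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	srvTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "mq.example.test"},
		DNSNames:    []string{"mq.example.test"}, // assumed test hostname
		NotBefore:   now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	srvDER, err := x509.CreateCertificate(rand.Reader, srvTmpl, caCert, &srvKey.PublicKey, caKey)
	check(err)
	toPEM := func(der []byte) []byte {
		return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
	}
	return toPEM(caDER), toPEM(srvDER)
}

func main() {
	caPEM, srvPEM := NewTestCAAndServerCert()
	leafOnly, _ := ChainComplete(srvPEM)                    // reporter's layout: cert alone
	withChain, _ := ChainComplete(ConcatPEM(srvPEM, caPEM)) // server cert + CA in one file
	fmt.Printf("leaf only: %v, leaf+CA: %v\n", leafOnly, withChain)
}
```

Run against real files, ChainComplete(os.ReadFile("pki/keys/server/tls.crt")) returning false is the condition the maintainer describes: the keys directory holds the server certificate without its issuer, so the keystore import sees a partial chain. Order matters; with the CA placed first the CA would be treated as the leaf and the check fails as well, so concatenate the server certificate first and the issuing CA after it.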
