ibm-messaging / mq-container

Container images for IBM® MQ
Apache License 2.0

can't start server with an SSL certchain #568

Open ciklysta opened 4 days ago

ciklysta commented 4 days ago

I have a certification authority. Its cert is in cacert.pem. That CA signed both my server cert and a client cert.

Imagine I store a server key in server.pem and a server cert in server.key.

I want to run IBM MQ server. So I created a structure according to the documentation. I renamed

When I try to start the server (with pki dir mounted -v ./pki:/etc/mqm/pki) I get an error

Failed to add certificates to CMS keystore: error running "/opt/mqm/bin/runmqakm -cert -add": /opt/mqm/bin/runmqakm: exit status 26 CTGSK3046W The key file "/tmp/cmsTrust.pem" could not be imported.

Am I doing something wrong or is this a bug?

After some investigation, I found out that the following runmqakm commands are run from the Go code (in that order):

runmqakm -keydb -create  -type cms -db /run/runmqserver/tls/key.kdb -pw cQZFzsfl95yk -stash
runmqakm -keydb -create  -type p12 -db /run/runmqserver/tls/trust.p12 -pw cQZFzsfl95yk -stash
runmqakm -cert -import  -file /run/runmqserver/tls/hotscan.p12 -pw cQZFzsfl95yk -target /run/runmqserver/tls/key.kdb -target_pw cQZFzsfl95yk -target_type cms
runmqakm -cert -list  -type cms -db /run/runmqserver/tls/key.kdb -pw cQZFzsfl95yk
runmqakm -cert -add  -db /run/runmqserver/tls/trust.p12 -type p12 -pw cQZFzsfl95yk -file /tmp/trust.pem
runmqakm -cert -list  -type p12 -db /run/runmqserver/tls/trust.p12 -pw cQZFzsfl95yk
runmqakm -cert -add  -db /run/runmqserver/tls/key.kdb -type cms -pw cQZFzsfl95yk -file /tmp/cmsTrust.pem

The last one fails with the error message.

Further observations:

arthurbarr commented 3 days ago

The runmqserver command creates the cmsTrust.pem file dynamically. I suspect that either:

  1. The PEM file does not contain the full trust chain for the certificate. MQ needs the entire trust chain to be available, in order to validate properly, and won't import a partial chain.
  2. The PEM file is not in a recognized format. It should be able to handle a standard X.509 cert, but it could be there's something unusual about that certificate.
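An added diagnostic, not code from the mq-container project or from either commenter: it walks a PEM bundle and reports whether it holds a complete leaf-to-root chain (each certificate's issuer byte-matching the next certificate's subject, ending in a self-signed root), which is the first thing to check when runmqakm refuses an import. It inspects only the DER structure with the standard library and verifies no signatures; the sample certificates are constructed inside the script and merely stand in for the pki/keys/mycomp/tls.crt and pki/trust/0/tls.crt files named in this issue.

```python
# Added example (not part of ibm-messaging/mq-container): check whether a PEM
# bundle holds a complete, leaf-to-root certificate chain before handing it to
# runmqakm. Only the DER structure is inspected; no signatures are verified.
import base64
import re

PEM_CERT = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def pem_to_der(pem_text):
    """Return the DER bytes of every CERTIFICATE block, in file order."""
    return [base64.b64decode("".join(m.group(1).split()))
            for m in PEM_CERT.finditer(pem_text)]


def _tlv(buf, pos):
    """Decode one DER tag-length-value at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length


def names(der):
    """Return (issuer, subject) as raw DER Name encodings from an X.509 certificate."""
    _, pos, _ = _tlv(der, 0)                # Certificate ::= SEQUENCE
    _, pos, _ = _tlv(der, pos)              # tbsCertificate ::= SEQUENCE
    tag, _, end = _tlv(der, pos)
    if tag == 0xA0:                         # [0] EXPLICIT version is optional
        pos = end
    _, _, pos = _tlv(der, pos)              # serialNumber
    _, _, pos = _tlv(der, pos)              # signature AlgorithmIdentifier
    _, _, end = _tlv(der, pos)              # issuer Name
    issuer, pos = der[pos:end], end
    _, _, pos = _tlv(der, pos)              # validity
    _, _, end = _tlv(der, pos)              # subject Name
    return issuer, der[pos:end]


def chain_status(pem_text):
    """Classify a bundle as empty, broken, leaf-only, partial or complete.

    Certificates are expected leaf first; each issuer must byte-match the next
    subject, and the last certificate must be self-signed (issuer == subject).
    """
    certs = [names(d) for d in pem_to_der(pem_text)]
    if not certs:
        return "empty"
    for (issuer, _), (_, next_subject) in zip(certs, certs[1:]):
        if issuer != next_subject:
            return "broken"
    last_issuer, last_subject = certs[-1]
    if last_issuer == last_subject:
        return "complete"
    return "leaf-only" if len(certs) == 1 else "partial"


# --- constructed test data: structurally valid but unsigned certificates -------
def _der(tag, payload):
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + payload


def _name(cn):
    """Name ::= SEQUENCE { SET { SEQUENCE { OID commonName, UTF8String cn } } }"""
    atv = _der(0x30, _der(0x06, bytes.fromhex("550403")) + _der(0x0C, cn.encode()))
    return _der(0x30, _der(0x31, atv))


def fake_cert(subject_cn, issuer_cn):
    """PEM text of a synthetic certificate (constructed; key and signature are placeholders)."""
    tbs = _der(0x30,
               _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01")
               + _der(0x30, _der(0x06, bytes.fromhex("2A864886F70D01010B")))
               + _name(issuer_cn)
               + _der(0x30, _der(0x17, b"240101000000Z") + _der(0x17, b"250101000000Z"))
               + _name(subject_cn) + _der(0x30, b""))
    cert = _der(0x30, tbs + _der(0x30, b"") + _der(0x03, b"\x00"))
    b64 = base64.b64encode(cert).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


CA_PEM = fake_cert("Test CA", "Test CA")          # stands in for pki/trust/0/tls.crt
SERVER_PEM = fake_cert("mycomp", "Test CA")       # stands in for pki/keys/mycomp/tls.crt

if __name__ == "__main__":
    for label, bundle in [("server only", SERVER_PEM), ("server + CA", SERVER_PEM + CA_PEM),
                          ("CA + server", CA_PEM + SERVER_PEM)]:
        print(f"{label}: {chain_status(bundle)}")
```

On a real deployment, `chain_status(open("pki/keys/mycomp/tls.crt").read())` returning `leaf-only` means the file carries only the server certificate, and `partial` means an intermediate is present but the root is not; both are bundles a strict importer can reject. Order matters for the check as written: the leaf must come first, and a bundle with the CA certificate ahead of the server certificate reports `broken`.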

ciklysta commented 2 days ago

Here are my PEM files:

pki/trust/0/tls.crt (the CA cert):

-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----

pki/keys/mycomp/tls.crt (server's cert - only the cert, without the whole chain):

-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----

pki/keys/mycomp/tls.key (this is generated for testing purposes, no problem in publishing):

-----BEGIN PRIVATE KEY-----
MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQCQI8GLPHNrgWbR
vElbbXM33PZ8h5FJb3BFfIYG6UlFyvOM11O47w6yCMf7AWVDZmSvnwyvMQmKlTTF
E9gjJWAgOsMp9CZjbtVT0mbYOeOWgXaNKhxTeJPk9e3eNyt2S6y+Jb4GWAVvcD49
FzU9Z8yy0nxEKbSpBqNSLPkzbCYyuhGuuWAx9b83L5880rzsEd7KasATm0Q1QdI4
yRdaub9lEgo/pTcJCN7lRgCA07FG6mh6ZQaAI/ApmkCi1zSao6UhOQHK4F1ezkw4
489VG4ZTIZQLBqFD9Tl+QjS01SOh6wvWZb1IdbcFqeMUm4Gi0q8zMfAuZsNYHTDC
0Yj0qnxNAgMBAAECggEAAvrqRoGydTeQs6dr8Nr7dd04r2xyIY2PSbCAaOYr4KiI
jpHpJjqzGBU8ZUErIdCdJlBoh7rA0r+w/p4hauCb8y6j2Fs26/lfqcMA41mXDgaR
N+v19/fXPvWivGRxnpmD8c5/9kudmSc98i9np2RdBBl7/kDKfnAnskxBvsFurL/K
KjnjYOyZknVPyhhTJ7mTOIMrw0igXzvBPH+VgtTL0DG46wDVHZQaXzUIP/XqA+ll
lQ6xdIO10VRVTM1SoLzZO+PsALyx2WvPuThyqSot55GbWFxOEY5qgWO760V9Ec+c
+OY0VvnGmtzaQwvOlkFCsDx2aXbGgbI6rCtDVkBCdQKBgQDB7RVkER88FfCuUlHE
e3OEZse/OoDH18DVy+I7+xAzrSFr7W3YSqZweewAFGYScSI4xJVjXeeyt6tBheXU
YrZPBrDiTkdoUeoa0K6kbmwAATCIGqlklJZ3Sfq/TSc4OR13oDyW1sS3of0biWzv
vbDDhaRlfjaGxlpOYxxkNOZkAwKBgQC+RwPY1XV/VxzjDByZ9zAHPlfyNu2V5bLG
V/bqCCE0n6fb9tJFKRauB7WL2uvUhiolzM75Pxw/hArW2G6+e6m0bdIDx0gsYops
iTzvpnrM1qmlu+hltYNmO2nJGZMG78JIu1Kraq3dc0UIjgC6sTSiqDv9kk1WXRmI
jpMKZAW1bwKBgAcp7/FbZJD+qn52Egk1GkZY2aYpzhoT0U7Ukk3u72FJUwO+qKEl
2NIs3tf96OtjfIUmVfJuxKFogY4RGTVoVB3FPIGPrLmg1QoajWkLnze804MjoQBT
MN/FPtsUSY+dJIaHx9U2p9u0wzniMMEGe+ItLK6HJBKEf0+H/8N/5MbrAoGAHJtW
o7nr8VoqeKQwhKFaMiyYUk0ZySiAiTteXu8b9upt9S8Vi9pSk5WLINyoCgqluYsi
LuzjFVWHv6dIdxDmgb7lDTZfznR+NTUo2SrhWXyIgudOWERC3hLeo6JZrXhMcFzh
X+4o95tF7LRUvby4mh/K7SOaxvo2RYaR6sUA6rcCgYAhaeXtgnr8GY7Vi3PZKj2M
Sj21CFVGYB5tBYvh6pCG+DzKI9VbGx4O+FHUHfRpGAY7JIKZ9BFc/jgoNCjao/39
5sY56oI0VGGjg8/Uu2a/1iTQD3HwrTmyEKULT/ZaXO12DMOrIP80EQF0poUktCxX
mLSc7lYEB4+E/2eahOzYhQ==
-----END PRIVATE KEY-----

and both temp files (/tmp/trust.pem and /tmp/cmsTrust.pem) contain only what's in pki/trust/0/tls.crt. From what you write, I understand that the Go script should join both certs to a certchain. That is not the case.