Open ciklysta opened 4 days ago
The runmqserver command creates the cmsTrust.pem file dynamically. I suspect that either:
Here are my pem files:
pki/trust/0/tls.crt (the CA cert):
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
pki/keys/mycomp/tls.crt (server's cert - only the cert, without the whole chain):
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
pki/keys/mycomp/tls.key (this is generated for testing purposes, no problem in publishing):
-----BEGIN PRIVATE KEY-----
MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQCQI8GLPHNrgWbR
vElbbXM33PZ8h5FJb3BFfIYG6UlFyvOM11O47w6yCMf7AWVDZmSvnwyvMQmKlTTF
E9gjJWAgOsMp9CZjbtVT0mbYOeOWgXaNKhxTeJPk9e3eNyt2S6y+Jb4GWAVvcD49
FzU9Z8yy0nxEKbSpBqNSLPkzbCYyuhGuuWAx9b83L5880rzsEd7KasATm0Q1QdI4
yRdaub9lEgo/pTcJCN7lRgCA07FG6mh6ZQaAI/ApmkCi1zSao6UhOQHK4F1ezkw4
489VG4ZTIZQLBqFD9Tl+QjS01SOh6wvWZb1IdbcFqeMUm4Gi0q8zMfAuZsNYHTDC
0Yj0qnxNAgMBAAECggEAAvrqRoGydTeQs6dr8Nr7dd04r2xyIY2PSbCAaOYr4KiI
jpHpJjqzGBU8ZUErIdCdJlBoh7rA0r+w/p4hauCb8y6j2Fs26/lfqcMA41mXDgaR
N+v19/fXPvWivGRxnpmD8c5/9kudmSc98i9np2RdBBl7/kDKfnAnskxBvsFurL/K
KjnjYOyZknVPyhhTJ7mTOIMrw0igXzvBPH+VgtTL0DG46wDVHZQaXzUIP/XqA+ll
lQ6xdIO10VRVTM1SoLzZO+PsALyx2WvPuThyqSot55GbWFxOEY5qgWO760V9Ec+c
+OY0VvnGmtzaQwvOlkFCsDx2aXbGgbI6rCtDVkBCdQKBgQDB7RVkER88FfCuUlHE
e3OEZse/OoDH18DVy+I7+xAzrSFr7W3YSqZweewAFGYScSI4xJVjXeeyt6tBheXU
YrZPBrDiTkdoUeoa0K6kbmwAATCIGqlklJZ3Sfq/TSc4OR13oDyW1sS3of0biWzv
vbDDhaRlfjaGxlpOYxxkNOZkAwKBgQC+RwPY1XV/VxzjDByZ9zAHPlfyNu2V5bLG
V/bqCCE0n6fb9tJFKRauB7WL2uvUhiolzM75Pxw/hArW2G6+e6m0bdIDx0gsYops
iTzvpnrM1qmlu+hltYNmO2nJGZMG78JIu1Kraq3dc0UIjgC6sTSiqDv9kk1WXRmI
jpMKZAW1bwKBgAcp7/FbZJD+qn52Egk1GkZY2aYpzhoT0U7Ukk3u72FJUwO+qKEl
2NIs3tf96OtjfIUmVfJuxKFogY4RGTVoVB3FPIGPrLmg1QoajWkLnze804MjoQBT
MN/FPtsUSY+dJIaHx9U2p9u0wzniMMEGe+ItLK6HJBKEf0+H/8N/5MbrAoGAHJtW
o7nr8VoqeKQwhKFaMiyYUk0ZySiAiTteXu8b9upt9S8Vi9pSk5WLINyoCgqluYsi
LuzjFVWHv6dIdxDmgb7lDTZfznR+NTUo2SrhWXyIgudOWERC3hLeo6JZrXhMcFzh
X+4o95tF7LRUvby4mh/K7SOaxvo2RYaR6sUA6rcCgYAhaeXtgnr8GY7Vi3PZKj2M
Sj21CFVGYB5tBYvh6pCG+DzKI9VbGx4O+FHUHfRpGAY7JIKZ9BFc/jgoNCjao/39
5sY56oI0VGGjg8/Uu2a/1iTQD3HwrTmyEKULT/ZaXO12DMOrIP80EQF0poUktCxX
mLSc7lYEB4+E/2eahOzYhQ==
-----END PRIVATE KEY-----
and both tempfiles (/tmp/trust.pem and /tmp/cmsTrust.pem) contain only what's in pki/trust/0/tls.crt. From what you write, I understand that the go script should join both certs to a certchain. That is not the case.
I have a certification authority. Its cert is in cacert.pem. That CA signed both my server cert and a client cert. Imagine I store a server key in server.pem and a server cert in server.key. I want to run IBM MQ server. So I created a structure according to the documentation. I renamed
server.pem to pki/keys/server/tls.crt
server.key to pki/keys/server/tls.key
cacert.pem to pki/trust/0/tls.crt
When I try to start the server (with pki dir mounted -v ./pki:/etc/mqm/pki) I get an error
Am I doing something wrong or is this a bug?
After some investigation, I found out that the following runmqakm commands are run from the go code (in that order):
The last one fails with the error message.
Further observations:
cacert.pem aka pki/trust/0/tls.crt
the server starts, but it doesn't talk TLS.
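An added sanity checker for the pki/ layout described in this issue, written for this page and not taken from the issue or from the mq-container project. It assumes only the layout quoted above (pki/keys/NAME/tls.crt and tls.key for the server, pki/trust/N/tls.crt for the CA) and checks, with the standard library only, that every file carries the PEM block types its name promises and that each body decodes to DER; the server.pem/server.key mix-up the post mentions (key in tls.crt, certificate in tls.key) is exactly what it reports. It does not verify signatures or build a chain; the DER bodies in the demo are constructed placeholders, not real certificates.

```python
"""Check an IBM MQ container style pki/ tree before mounting it at /etc/mqm/pki.

Assumed layout (as quoted in the issue, not verified against the project docs here):
  pki/keys/<name>/tls.crt   server certificate chain, CERTIFICATE blocks only
  pki/keys/<name>/tls.key   server private key, exactly one private key block
  pki/trust/<n>/tls.crt     CA certificate(s) to trust
Only PEM labels and DER framing are checked; run `openssl verify` for signatures.
"""
import base64
import re
import tempfile
from pathlib import Path

PEM_RE = re.compile(r"-----BEGIN ([A-Z ]+)-----(.*?)-----END \1-----", re.S)
CERT_LABELS = {"CERTIFICATE"}
KEY_LABELS = {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY"}


def pem_labels(text):
    """Return the labels of all PEM blocks in text, in order.

    Each body must be valid base64 whose first DER byte is 0x30 (SEQUENCE);
    a truncated or hand-edited block raises ValueError.
    """
    labels = []
    for m in PEM_RE.finditer(text):
        label = m.group(1)
        der = base64.b64decode(re.sub(r"\s+", "", m.group(2)), validate=True)
        if not der or der[0] != 0x30:
            raise ValueError(f"{label} block does not decode to a DER SEQUENCE")
        labels.append(label)
    return labels


def _labels_or_problem(path, problems):
    """Read one PEM file; record a problem and return None if it is unreadable or malformed."""
    try:
        return pem_labels(path.read_text())
    except (OSError, ValueError) as exc:
        problems.append(f"{path}: {exc}")
        return None


def check_pki_dir(pki):
    """Return a list of problem strings for the tree (an empty list means it looks sane)."""
    pki = Path(pki)
    problems = []

    trust_files = sorted((pki / "trust").glob("*/tls.crt"))
    if not trust_files:
        problems.append("no pki/trust/<n>/tls.crt found: nothing to trust")
    for crt in trust_files:
        labels = _labels_or_problem(crt, problems)
        if labels is not None and (not labels or set(labels) - CERT_LABELS):
            problems.append(f"{crt.relative_to(pki)}: must hold only CERTIFICATE blocks, got {labels}")

    key_dirs = sorted(d for d in (pki / "keys").glob("*") if d.is_dir())
    if not key_dirs:
        problems.append("no pki/keys/<name> directory found")
    for d in key_dirs:
        rel = d.relative_to(pki)
        crt_labels = _labels_or_problem(d / "tls.crt", problems)
        key_labels = _labels_or_problem(d / "tls.key", problems)
        if crt_labels is not None and (not crt_labels or set(crt_labels) - CERT_LABELS):
            problems.append(f"{rel}/tls.crt: must hold only CERTIFICATE blocks, got {crt_labels}")
        if key_labels is not None and (len(key_labels) != 1 or key_labels[0] not in KEY_LABELS):
            problems.append(f"{rel}/tls.key: must hold exactly one private key block, got {key_labels}")
    return problems


# Constructed stand-in for a DER body (SEQUENCE { INTEGER 1 }); not a real certificate or key.
DUMMY_DER = bytes([0x30, 0x03, 0x02, 0x01, 0x01])


def _pem(label, der):
    return f"-----BEGIN {label}-----\n{base64.b64encode(der).decode()}\n-----END {label}-----\n"


def write_demo_tree(root, swapped=False):
    """Write a constructed pki/ tree; swapped=True puts the key in tls.crt and the cert in tls.key."""
    root = Path(root)
    cert, key = _pem("CERTIFICATE", DUMMY_DER), _pem("PRIVATE KEY", DUMMY_DER)
    (root / "trust" / "0").mkdir(parents=True)
    (root / "keys" / "server").mkdir(parents=True)
    (root / "trust" / "0" / "tls.crt").write_text(cert)
    (root / "keys" / "server" / "tls.crt").write_text(key if swapped else cert)
    (root / "keys" / "server" / "tls.key").write_text(cert if swapped else key)
    return root


def demo():
    """Return (problems in a correct tree, problems in a tree with cert and key swapped)."""
    with tempfile.TemporaryDirectory() as tmp:
        good = write_demo_tree(Path(tmp) / "good")
        bad = write_demo_tree(Path(tmp) / "bad", swapped=True)
        return check_pki_dir(good), check_pki_dir(bad)


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:  # e.g. python check_pki.py ./pki
        print("\n".join(check_pki_dir(sys.argv[1])) or "OK")
    else:
        good, bad = demo()
        print("correct tree:", good or "OK")
        print("swapped tree:", *bad, sep="\n  ")
```

Run it against the directory you mount (`python check_pki.py ./pki`) before starting the container; a trust file that lists anything other than CERTIFICATE blocks, or a tls.key holding a certificate, is reported with the offending labels so the file that was renamed wrongly is obvious.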