I am working on a project that requires a connection from a .NET Core backend application to ActiveMQ Classic. In order to test the project in a local environment I decided to run my .NET Core project and ActiveMQ Classic in two linked Docker containers.
For ActiveMQ Classic I generated a self-signed certificate with the following commands:
keytool -genkey -v -alias broker -keyalg RSA -keystore broker.keystore -dname "CN=dev.com, OU=Development, O=My Org, L=City, ST=State, C=Country" -storepass xxxxx -keypass xxxxx -ext SAN=dns:localhost,ip:127.0.0.1 -validity 365
keytool -export -alias broker -keystore broker.keystore -file broker.cer
keytool -import -alias broker -keystore client-truststore.ks -file broker.cer -storepass xxxxx
Then I use the certificate in activemq.xml as

<sslContext>
    <sslContext keyStore="file:${activemq.base}/certs/ActiveMq/broker.keystore"
                keyStorePassword="xxxxx"/>
</sslContext>
In the Docker Compose file I have:

activemq:
  image: activemq:5.15.9-alpine
  build:
    context: ../ActiveMq
    dockerfile: ActiveMqDockerfile
  container_name: activemq
  volumes:
    - ../ActiveMq/conf:/opt/activemq/conf
    - ../ActiveMq/data:/opt/activemq/data
    - ../ActiveMq/certs:/opt/activemq/certs
  environment:
    - ACTIVEMQ_SSL_OPTS="-Djavax.net.ssl.keyStore=/opt/activemq/certs/broker.keystore -Djavax.net.ssl.keyStorePassword=xxxxx"
  ports:
    - "61616:61616"
    - "61617:61617"
    - "8161:8161"
    - "5672:5672"
    - "61613:61613"
    - "1883:1883"
    - "61614:61614"
    - "61619:61619"
  networks:
    - my_network
In my .NET Core project, I use the following connection string:
activemq:failover:(ssl://activemq:61617)?nms.AsyncSend=true&transport.startupMaxReconnectAttempts=2&transport.timeout=2000
where activemq is the ActiveMQ Classic service name in the Docker Compose file (I tried host.docker.internal as well). For the .NET Core backend service in the Docker Compose file I have:

depends_on:
  - activemq
However, when I start running the .NET Core backend I get the following error:
2024/03/18 11:17:06.199 +00:00 [Error] Unable to create connection to ActiveMq
System.Security.Authentication.AuthenticationException: The remote certificate is invalid according to the validation procedure.
at Apache.NMS.ActiveMQ.Transport.Failover.FailoverTransport.Oneway(Command command)
at Apache.NMS.ActiveMQ.Transport.TransportFilter.Oneway(Command command)
at Apache.NMS.ActiveMQ.Transport.MutexTransport.Oneway(Command command)
at Apache.NMS.ActiveMQ.Transport.ResponseCorrelator.AsyncRequest(Command command)
at Apache.NMS.ActiveMQ.Transport.ResponseCorrelator.Request(Command command, TimeSpan timeout)
at Apache.NMS.ActiveMQ.Connection.CheckConnected()
at Apache.NMS.ActiveMQ.Connection.Start()
Can anyone please take a look at what could be wrong?
I did some research.
Someone said the domain name does not match that in the certificate. So I tried to regenerate the certificate with CN=host.docker.internal and CN=activemq. Neither works.

Someone said this could be because the self-signed certificate is not trusted, but I don't know how to trust it in Docker. This one sounds more reasonable to me.
I tried to convert broker.cer to broker.crt and copy it to /usr/local/share/ca-certificates. Then I ran update-ca-certificates and confirmed that the content of broker.crt has been merged into /etc/ssl/certs/ca-certificates.crt. The error is not fixed.

It's confirmed that if I run my .NET project locally, outside of Docker, it can connect to the ActiveMQ Classic instance running in Docker with localhost as the domain name.
You may try to completely disable host validation on the client with the ?verifyHostName=false parameter in the URL.
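As an added example that is not part of the question or the answer: the two checks a TLS client applies to the broker certificate (is its issuer a trust anchor, and does its subjectAltName cover the host name being dialled) reproduced with openssl, so each can be tested on its own before touching the containers or disabling validation. It assumes openssl 1.1.1 or newer on PATH and a scratch directory WORKDIR; the certificates it generates are constructed stand-ins for broker.cer, not the question's keystore.

```shell
#!/bin/sh
# Added example (not code from the question or the answer): build a self-signed broker
# certificate with openssl and run the two checks a TLS client applies to it: is its
# issuer in the trust store, and does its SAN match the host name the client dials?
# Assumes openssl >= 1.1.1 on PATH; WORKDIR is scratch space.
set -e
WORKDIR="${WORKDIR:-$(mktemp -d)}"

# gen_cert NAME SAN_LIST: self-signed cert + key as $WORKDIR/NAME.crt and NAME.key
gen_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -keyout "$WORKDIR/$1.key" -out "$WORKDIR/$1.crt" \
    -subj "/CN=dev.com/OU=Development/O=My Org" \
    -addext "subjectAltName=$2" >/dev/null 2>&1
}

# trusted_for NAME HOST: succeeds only if NAME.crt is a trust anchor (here it is its own,
# which is what installing broker.crt into the CA bundle does) AND its SAN covers HOST
trusted_for() {
  openssl verify -CAfile "$WORKDIR/$1.crt" -verify_hostname "$2" \
    "$WORKDIR/$1.crt" >/dev/null 2>&1
}

# trusted_for_ip NAME IP: the same check for an IP literal, matched against IP: SAN entries
trusted_for_ip() {
  openssl verify -CAfile "$WORKDIR/$1.crt" -verify_ip "$2" \
    "$WORKDIR/$1.crt" >/dev/null 2>&1
}

# untrusted_for NAME HOST: the check without NAME.crt in the trust store (system bundle
# only), which must fail even when the SAN matches
untrusted_for() {
  ! openssl verify -verify_hostname "$2" "$WORKDIR/$1.crt" >/dev/null 2>&1
}

# Constructed inputs: the SAN list from the question, and one that also names the compose service
gen_cert question 'DNS:localhost,IP:127.0.0.1'
gen_cert fixed 'DNS:activemq,DNS:localhost,IP:127.0.0.1'

main() {
  trusted_for question localhost && echo "question cert, localhost: accepted (outside Docker)"
  trusted_for question activemq || echo "question cert, activemq: hostname mismatch (in compose)"
  untrusted_for fixed activemq && echo "fixed cert, not in trust store: rejected despite SAN"
  trusted_for fixed activemq && echo "fixed cert, trusted + SAN match: accepted"
  trusted_for_ip fixed 127.0.0.1 && echo "fixed cert, 127.0.0.1: accepted via IP SAN"
}
main
```

Both conditions have to hold for a connection to succeed, so a certificate whose SAN names the service the client dials still needs its trust anchor installed where the client process reads it.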