ActiveMQ SSL error: outbound has closed, ignore outbound alert message: close_notify



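Trying to configure ActiveMQ with SSL in AWS. Receiving this error in the logs. What configuration could be wrong? Docker image: alfresco/alfresco-activemq:5.17.0-jre11-centos7. The connector was changed from tcp to nio+ssl. The amq container is behind a network load balancer using the TLS protocol. Any idea what the problem is?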

WARN | Could not accept connection from tcp://somehost: javax.net.ssl.SSLException: closing inbound before receiving peer's close_notify (closing inbound before receiving peer's close_notify)
javax.net.ssl|DEBUG|FC|ActiveMQ Transport: ssl://somehost|2022-05-23 14:59:57.283 UTC|Alert.java:232|Received alert message (
"Alert": {
"level"      : "warning",
"description": "close_notify"
}
)
javax.net.ssl|DEBUG|01 00|ActiveMQ Task-1|2022-05-23 14:59:57.285 UTC|SSLSocketImpl.java:473|duplex close of SSLSocket
javax.net.ssl|WARNING|01 00|ActiveMQ Task-1|2022-05-23 14:59:57.285 UTC|SSLSocketOutputRecord.java:58|outbound has closed, ignore outbound alert message: close_notify
javax.net.ssl|DEBUG|01 00|ActiveMQ Task-1|2022-05-23 14:59:57.285 UTC|SSLSocketImpl.java:1361|close the underlying socket
javax.net.ssl|DEBUG|01 00|ActiveMQ Task-1|2022-05-23 14:59:57.285 UTC|SSLSocketImpl.java:1380|close the SSL connection (passive)
javax.net.ssl|DEBUG|01 00|ActiveMQ Task-1|2022-05-23 14:59:57.285 UTC|SSLSocketImpl.java:636|close inbound of SSLSocket
javax.net.ssl|WARNING|01 00|ActiveMQ Task-1|2022-05-23 14:59:57.285 UTC|SSLSocketImpl.java:494|SSLSocket duplex close failed (
"throwable" : {
java.net.SocketException: Socket is closed
at java.base/java.net.Socket.shutdownInput(Socket.java:1521)
at java.base/sun.security.ssl.BaseSSLSocketImpl.shutdownInput(BaseSSLSocketImpl.java:216)
at java.base/sun.security.ssl.SSLSocketImpl.shutdownInput(SSLSocketImpl.java:651)
at java.base/sun.security.ssl.SSLSocketImpl.bruteForceCloseInput(SSLSocketImpl.java:606)
at java.base/sun.security.ssl.SSLSocketImpl.duplexCloseOutput(SSLSocketImpl.java:566)
at java.base/sun.security.ssl.SSLSocketImpl.close(SSLSocketImpl.java:479)
at org.apache.activemq.transport.tcp.TcpTransport$1.run(TcpTransport.java:567)
at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)
at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
at java.base/java.lang.Thread.run(Thread.java:834)}

javax.net.ssl|DEBUG|FD|DefaultMessageListenerContainer-32|2022-05-23 14:59:52.290 UTC|SSLExtensions.java:148|Ignore unavailable extension: supported_versions
javax.net.ssl|DEBUG|FD|DefaultMessageListenerContainer-32|2022-05-23 14:59:52.290 UTC|ServerHello.java:962|Negotiated protocol version: TLSv1.2
javax.net.ssl|DEBUG|FD|DefaultMessageListenerContainer-32|2022-05-23 14:59:52.290 UTC|SSLExtensions.java:167|Consumed extension: renegotiation_info
javax.net.ssl|DEBUG|FD|DefaultMessageListenerContainer-32|2022-05-23 14:59:52.290 UTC|SSLExtensions.java:167|Consumed extension: server_name
javax.net.ssl|DEBUG|FD|DefaultMessageListenerContainer-32|2022-05-23 14:59:52.290 UTC|SSLExtensions.java:148|Ignore unavailable extension: max_fragment_length
javax.net.ssl|DEBUG|FD|DefaultMessageListenerContainer-32|2022-05-23 14:59:52.290 UTC|SSLExtensions.java:148|Ignore unavailable extension: status_request
javax.net.ssl|DEBUG|FD|DefaultMessageListenerContainer-32|2022-05-23 14:59:52.290 UTC|SSLExtensions.java:167|Consumed extension: ec_point_formats
javax.net.ssl|DEBUG|FD|DefaultMessageListenerContainer-32|2022-05-23 14:59:52.290 UTC|SSLExtensions.java:148|Ignore unavailable extension: status_request_v2
javax.net.ssl|DEBUG|FD|DefaultMessageListenerContainer-32|2022-05-23 14:59:52.290 UTC|SSLExtensions.java:138|Ignore unsupported extension: supported_versions
javax.net.ssl|DEBUG|FD|DefaultMessageListenerContainer-32|2022-05-23 14:59:52.290 UTC|SSLExtensions.java:138|Ignore unsupported extension: key_share
javax.net.ssl|DEBUG|FD|DefaultMessageListenerContainer-32|2022-05-23 14:59:52.290 UTC|SSLExtensions.java:167|Consumed extension: renegotiation_info
javax.net.ssl|DEBUG|FD|DefaultMessageListenerContainer-32|2022-05-23 14:59:52.290 UTC|SSLExtensions.java:138|Ignore unsupported extension: pre_shared_key
javax.net.ssl|WARNING|FD|DefaultMessageListenerContainer-32|2022-05-23 14:59:52.290 UTC|SSLExtensions.java:190|Ignore impact of unsupported extension: server_name
javax.net.ssl|DEBUG|FD|DefaultMessageListenerContainer-32|2022-05-23 14:59:52.290 UTC|SSLExtensions.java:182|Ignore unavailable extension: max_fragment_length
javax.net.ssl|DEBUG|FD|DefaultMessageListenerContainer-32|2022-05-23 14:59:52.290 UTC|SSLExtensions.java:182|Ignore unavailable extension: status_request
javax.net.ssl|WARNING|FD|DefaultMessageListenerContainer-32|2022-05-23 14:59:52.290 UTC|SSLExtensions.java:190|Ignore impact of unsupported extension: ec_point_formats
javax.net.ssl|DEBUG|FD|DefaultMessageListenerContainer-32|2022-05-23 14:59:52.290 UTC|SSLExtensions.java:182|Ignore unavailable extension: application_layer_protocol_negotiation
javax.net.ssl|DEBUG|FD|DefaultMessageListenerContainer-32|2022-05-23 14:59:52.290 UTC|SSLExtensions.java:182|Ignore unavailable extension: status_request_v2
javax.net.ssl|DEBUG|FD|DefaultMessageListenerContainer-32|2022-05-23 14:59:52.290 UTC|SSLExtensions.java:182|Ignore unavailable extension: extended_master_secret
javax.net.ssl|DEBUG|FD|DefaultMessageListenerContainer-32|2022-05-23 14:59:52.290 UTC|SSLExtensions.java:182|Ignore unavailable extension: supported_versions
javax.net.ssl|DEBUG|FD|DefaultMessageListenerContainer-32|2022-05-23 14:59:52.290 UTC|SSLExtensions.java:182|Ignore unavailable extension: key_share
javax.net.ssl|WARNING|FD|DefaultMessageListenerContainer-32|2022-05-23 14:59:52.290 UTC|SSLExtensions.java:190|Ignore impact of unsupported extension: renegotiation_info
javax.net.ssl|DEBUG|FD|DefaultMessageListenerContainer-32|2022-05-23 14:59:52.290 UTC|SSLExtensions.java:182|Ignore unavailable extension: pre_shared_key
javax.net.ssl|DEBUG|FD|DefaultMessageListenerContainer-32|2022-05-23 14:59:52.292 UTC|CertificateMessage.java:358|Consuming server Certificate handshake message (

After some time, I found a working configuration.

error outbound has closed, ignore outbound alert message: close_notify

This error comes from the target health check.

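The NLB must have a listener with protocol TLS on port 61616. The target group protocol is TLS and the port is 61616. The target group must have a registered target on the instance IP with port 61616. The important part is that the routing port cannot be used as the health check port. It does not work on 61616.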

The health check protocol must be TCP and the port must be 8161. The NLB targets must be registered by IP address, not by instance ID.
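The working configuration above can be checked mechanically against the JSON that `aws elbv2 describe-target-groups` returns. The following is an added example, not part of the original answer; the target group names and the sample document are constructed, and the expected values (TLS on 61616, TCP health check on 8161, IP targets) are taken from the answer.

```python
import json

# Constructed sample shaped like `aws elbv2 describe-target-groups` output.
# Names are made up: the first group health-checks the routing port, the
# second matches the working configuration described in the answer.
SAMPLE = json.loads("""
{"TargetGroups": [
  {"TargetGroupName": "amq-broken", "Protocol": "TLS", "Port": 61616,
   "HealthCheckProtocol": "TLS", "HealthCheckPort": "traffic-port",
   "TargetType": "instance"},
  {"TargetGroupName": "amq-working", "Protocol": "TLS", "Port": 61616,
   "HealthCheckProtocol": "TCP", "HealthCheckPort": "8161",
   "TargetType": "ip"}
]}
""")

BROKER_PORT = 61616   # nio+ssl transport connector port from the answer
CONSOLE_PORT = 8161   # health check port named in the answer


def audit_target_group(tg):
    """Return findings where tg deviates from the answer's working setup."""
    findings = []
    if tg.get("Protocol") != "TLS" or tg.get("Port") != BROKER_PORT:
        findings.append("target group should be TLS on port %d" % BROKER_PORT)
    # "traffic-port" means the health check probes the routing port itself.
    hc_port = tg.get("HealthCheckPort", "traffic-port")
    if hc_port == "traffic-port":
        hc_port = str(tg.get("Port"))
    if hc_port == str(BROKER_PORT):
        findings.append("health check probes the broker port; the answer "
                        "attributes the close_notify warnings to this")
    elif hc_port != str(CONSOLE_PORT):
        findings.append("health check port is %s, expected %d" % (hc_port, CONSOLE_PORT))
    if tg.get("HealthCheckProtocol") != "TCP":
        findings.append("health check protocol should be TCP")
    if tg.get("TargetType") != "ip":
        findings.append("targets should be registered by IP address")
    return findings


def audit(doc):
    return {tg["TargetGroupName"]: audit_target_group(tg)
            for tg in doc.get("TargetGroups", [])}


if __name__ == "__main__":
    for name, findings in audit(SAMPLE).items():
        print(name, "OK" if not findings else findings)
```
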

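We were able to solve this by enabling cross-zone load balancing in AWS. In the context of ActiveMQ on AWS, enabling cross-zone load balancing for the Network Load Balancer may help resolve SSL connection or other network-related issues, because it ensures that traffic is distributed evenly across all available instances regardless of their location. However, note that other factors may be contributing to the issue, and enabling cross-zone load balancing may not always be the solution. It is best to investigate and analyze the problem thoroughly before making any changes to the infrastructure.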
