Description
I have a certification authority. Its cert is in `cacert.pem`. That CA signed both my server cert and a client cert. Imagine I store a server key in `server.pem` and a server cert in `server.key`.
I want to run IBM MQ server. So I created a structure according to the documentation. I renamed
- `server.pem` to `pki/keys/server/tls.crt`
- `server.key` to `pki/keys/server/tls.key`
- `cacert.pem` to `pki/trust/0/tls.crt`
When I try to start the server (with the pki dir mounted with `-v ./pki:/etc/mqm/pki`) I get an error:
```
Failed to add certificates to CMS keystore: error running "/opt/mqm/bin/runmqakm -cert -add": /opt/mqm/bin/runmqakm: exit status 26 CTGSK3046W The key file "/tmp/cmsTrust.pem" could not be imported.
```
Am I doing something wrong or is this a bug?
After some investigation, I found out that the following `runmqakm` commands are run from the Go code (in that order):
```
runmqakm -keydb -create -type cms -db /run/runmqserver/tls/key.kdb -pw cQZFzsfl95yk -stash
runmqakm -keydb -create -type p12 -db /run/runmqserver/tls/trust.p12 -pw cQZFzsfl95yk -stash
runmqakm -cert -import -file /run/runmqserver/tls/hotscan.p12 -pw cQZFzsfl95yk -target /run/runmqserver/tls/key.kdb -target_pw cQZFzsfl95yk -target_type cms
runmqakm -cert -list -type cms -db /run/runmqserver/tls/key.kdb -pw cQZFzsfl95yk
runmqakm -cert -add -db /run/runmqserver/tls/trust.p12 -type p12 -pw cQZFzsfl95yk -file /tmp/trust.pem
runmqakm -cert -list -type p12 -db /run/runmqserver/tls/trust.p12 -pw cQZFzsfl95yk
runmqakm -cert -add -db /run/runmqserver/tls/key.kdb -type cms -pw cQZFzsfl95yk -file /tmp/cmsTrust.pem
```
The last one fails with the error message.
Further observations:
- If I provide an independent CA (not the one that issued the server cert), the server starts correctly.
- If I don't provide `cacert.pem` (aka `pki/trust/0/tls.crt`), the server starts, but it doesn't talk TLS.