Unfortunately, since the client did not like my server cert, it was throwing errors and the MQXR logs rolled. All I saw was:
2/16/24 21:16:32.384 AMQCO1010E: An SSL Exception occurred when a client at '/10.192.4.7' attempted to connect to channel 'MQTTSChannel': javax.net.ssl.SSLException: Received fatal alert: certificate_unknown.
2/16/24 21:16:32.384 AMQXR0021W: Client '' at network address '10.192.4.7' disconnected abnormally with exception 'Received fatal alert: certificate_unknown'.
------------------------------
Earle Ake
------------------------------
Original Message:
Sent: Wed February 28, 2024 04:33 AM
From: SAVITHA JOSHI
Subject: Display SSL server certificate information for MQTT channel
For MQTT channels, the key repository has to be specified in the mqxr_win/mqxr_unix properties file. REFRESH SECURITY TYPE(SSL) may not be applicable to MQTT channels. Ideally, a restart of the MQTT channels should have picked up the new certificate. If the problem is still there, check if there are any errors logged in the mqxr error logs.
------------------------------
SAVITHA JOSHI
Original Message:
Sent: Tue February 27, 2024 09:01 AM
From: Earle Ake
Subject: Display SSL server certificate information for MQTT channel
We recently had an issue where an SSL certificate was updated for the MQTT channel. I did the 'REFRESH SECURITY TYPE(SSL)' then stopped and started the MQTTS channel. We had some servers where the new cert was in the TrustStore but the old one was still being used. Seems like a race condition between the refresh and the stop/start.
What method can I use to hit the MQTTS channel and display the certificate information so I can verify the change took hold? Can openssl be used to query the certificate information?
------------------------------
Earle Ake
------------------------------
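As an added example (not part of the thread, and not IBM's tooling): one way to use openssl to read the certificate an MQTTS listener actually presents and confirm it matches the certificate file that should be live after the change. The host name, port 8883 and PEM file name are assumptions to be replaced with your own values; the function names are made up for this example.

```shell
#!/usr/bin/env bash
# Added example: compare the certificate an MQTTS listener presents with the
# certificate file expected to be live after a key-repository change.
# HOST, PORT and the PEM path are operator-supplied placeholders.

# Reduce "sha256 Fingerprint=AB:CD:..." (label case varies by OpenSSL
# version) to bare lowercase hex so two fingerprints compare reliably.
normalize_fp() {
  printf '%s' "$1" | sed -e 's/^.*=//' | tr -d ':[:space:]' | tr 'A-F' 'a-f'
}

# Succeeds (exit 0) only when both fingerprints are non-empty and equal.
same_fp() {
  local a b
  a=$(normalize_fp "$1"); b=$(normalize_fp "$2")
  [ -n "$a" ] && [ "$a" = "$b" ]
}

# Fetch the leaf certificate sent during the TLS handshake. s_client prints
# it even when the local trust store cannot validate it.
served_cert() {
  openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null |
    openssl x509 -outform PEM
}

check_channel() {   # usage: check_channel HOST PORT EXPECTED.pem
  local pem live want
  pem=$(served_cert "$1" "$2") || { echo "no certificate received" >&2; return 2; }
  # Show what is actually being served.
  printf '%s\n' "$pem" | openssl x509 -noout -subject -issuer -serial -dates
  live=$(printf '%s\n' "$pem" | openssl x509 -noout -fingerprint -sha256)
  want=$(openssl x509 -in "$3" -noout -fingerprint -sha256) || return 2
  if same_fp "$live" "$want"; then
    echo "MATCH: listener is serving the expected certificate"
  else
    echo "MISMATCH: listener is serving a different certificate" >&2
    return 1
  fi
}

# Runs only when invoked with three arguments, e.g. (placeholder values):
#   ./check_mqtts_cert.sh mqtt.example.internal 8883 new-server-cert.pem
if [ "$#" -eq 3 ]; then check_channel "$@"; fi
```

Because the TLS handshake completes before any MQTT packet is exchanged, no MQTT client is needed for this check; running it before and after the channel restart shows whether the served certificate actually changed.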