sslactivemq-classicalfresco

ActiveMQ SSL error outbound has closed, ignore outbound alert message: close_notify


Trying to configure ActiveMQ with SSL in AWS. Receiving this error in the logs. What configuration could be wrong? Docker Image: alfresco/alfresco-activemq:5.17.0-jre11-centos7. The connector is changed to nio+ssl from tcp. There is a network load balancer with TLS protocol behind amq container. Any ideas what could be wrong?

WARN | Could not accept connection from tcp://somehost: javax.net.ssl.SSLException: closing inbound before receiving peer's close_notify (closing inbound before receiving peer's close_notify)
 javax.net.ssl|DEBUG|FC|ActiveMQ Transport: ssl://somehost|2022-05-23 14:59:57.283 UTC|Alert.java:232|Received alert message (
"Alert": {
  "level"      : "warning",
  "description": "close_notify"
}
)
javax.net.ssl|DEBUG|01 00|ActiveMQ Task-1|2022-05-23 14:59:57.285 UTC|SSLSocketImpl.java:473|duplex close of SSLSocket
javax.net.ssl|WARNING|01 00|ActiveMQ Task-1|2022-05-23 14:59:57.285 UTC|SSLSocketOutputRecord.java:58|outbound has closed, ignore outbound alert message: close_notify
javax.net.ssl|DEBUG|01 00|ActiveMQ Task-1|2022-05-23 14:59:57.285 UTC|SSLSocketImpl.java:1361|close the underlying socket
javax.net.ssl|DEBUG|01 00|ActiveMQ Task-1|2022-05-23 14:59:57.285 UTC|SSLSocketImpl.java:1380|close the SSL connection (passive)
javax.net.ssl|DEBUG|01 00|ActiveMQ Task-1|2022-05-23 14:59:57.285 UTC|SSLSocketImpl.java:636|close inbound of SSLSocket
javax.net.ssl|WARNING|01 00|ActiveMQ Task-1|2022-05-23 14:59:57.285 UTC|SSLSocketImpl.java:494|SSLSocket duplex close failed (
"throwable" : {
  java.net.SocketException: Socket is closed
        at java.base/java.net.Socket.shutdownInput(Socket.java:1521)
        at java.base/sun.security.ssl.BaseSSLSocketImpl.shutdownInput(BaseSSLSocketImpl.java:216)
        at java.base/sun.security.ssl.SSLSocketImpl.shutdownInput(SSLSocketImpl.java:651)
        at java.base/sun.security.ssl.SSLSocketImpl.bruteForceCloseInput(SSLSocketImpl.java:606)
        at java.base/sun.security.ssl.SSLSocketImpl.duplexCloseOutput(SSLSocketImpl.java:566)
        at java.base/sun.security.ssl.SSLSocketImpl.close(SSLSocketImpl.java:479)
        at org.apache.activemq.transport.tcp.TcpTransport$1.run(TcpTransport.java:567)
        at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)
        at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
        at java.base/java.lang.Thread.run(Thread.java:834)}

javax.net.ssl|DEBUG|FD|DefaultMessageListenerContainer-32|2022-05-23 14:59:52.290 UTC|SSLExtensions.java:148|Ignore unavailable extension: supported_versions
javax.net.ssl|DEBUG|FD|DefaultMessageListenerContainer-32|2022-05-23 14:59:52.290 UTC|ServerHello.java:962|Negotiated protocol version: TLSv1.2
javax.net.ssl|DEBUG|FD|DefaultMessageListenerContainer-32|2022-05-23 14:59:52.290 UTC|SSLExtensions.java:167|Consumed extension: renegotiation_info
javax.net.ssl|DEBUG|FD|DefaultMessageListenerContainer-32|2022-05-23 14:59:52.290 UTC|SSLExtensions.java:167|Consumed extension: server_name
javax.net.ssl|DEBUG|FD|DefaultMessageListenerContainer-32|2022-05-23 14:59:52.290 UTC|SSLExtensions.java:148|Ignore unavailable extension: max_fragment_length
javax.net.ssl|DEBUG|FD|DefaultMessageListenerContainer-32|2022-05-23 14:59:52.290 UTC|SSLExtensions.java:148|Ignore unavailable extension: status_request
javax.net.ssl|DEBUG|FD|DefaultMessageListenerContainer-32|2022-05-23 14:59:52.290 UTC|SSLExtensions.java:167|Consumed extension: ec_point_formats
javax.net.ssl|DEBUG|FD|DefaultMessageListenerContainer-32|2022-05-23 14:59:52.290 UTC|SSLExtensions.java:148|Ignore unavailable extension: status_request_v2
javax.net.ssl|DEBUG|FD|DefaultMessageListenerContainer-32|2022-05-23 14:59:52.290 UTC|SSLExtensions.java:138|Ignore unsupported extension: supported_versions
javax.net.ssl|DEBUG|FD|DefaultMessageListenerContainer-32|2022-05-23 14:59:52.290 UTC|SSLExtensions.java:138|Ignore unsupported extension: key_share
javax.net.ssl|DEBUG|FD|DefaultMessageListenerContainer-32|2022-05-23 14:59:52.290 UTC|SSLExtensions.java:167|Consumed extension: renegotiation_info
javax.net.ssl|DEBUG|FD|DefaultMessageListenerContainer-32|2022-05-23 14:59:52.290 UTC|SSLExtensions.java:138|Ignore unsupported extension: pre_shared_key
javax.net.ssl|WARNING|FD|DefaultMessageListenerContainer-32|2022-05-23 14:59:52.290 UTC|SSLExtensions.java:190|Ignore impact of unsupported extension: server_name
javax.net.ssl|DEBUG|FD|DefaultMessageListenerContainer-32|2022-05-23 14:59:52.290 UTC|SSLExtensions.java:182|Ignore unavailable extension: max_fragment_length
javax.net.ssl|DEBUG|FD|DefaultMessageListenerContainer-32|2022-05-23 14:59:52.290 UTC|SSLExtensions.java:182|Ignore unavailable extension: status_request
javax.net.ssl|WARNING|FD|DefaultMessageListenerContainer-32|2022-05-23 14:59:52.290 UTC|SSLExtensions.java:190|Ignore impact of unsupported extension: ec_point_formats
javax.net.ssl|DEBUG|FD|DefaultMessageListenerContainer-32|2022-05-23 14:59:52.290 UTC|SSLExtensions.java:182|Ignore unavailable extension: application_layer_protocol_negotiation
javax.net.ssl|DEBUG|FD|DefaultMessageListenerContainer-32|2022-05-23 14:59:52.290 UTC|SSLExtensions.java:182|Ignore unavailable extension: status_request_v2
javax.net.ssl|DEBUG|FD|DefaultMessageListenerContainer-32|2022-05-23 14:59:52.290 UTC|SSLExtensions.java:182|Ignore unavailable extension: extended_master_secret
javax.net.ssl|DEBUG|FD|DefaultMessageListenerContainer-32|2022-05-23 14:59:52.290 UTC|SSLExtensions.java:182|Ignore unavailable extension: supported_versions
javax.net.ssl|DEBUG|FD|DefaultMessageListenerContainer-32|2022-05-23 14:59:52.290 UTC|SSLExtensions.java:182|Ignore unavailable extension: key_share
javax.net.ssl|WARNING|FD|DefaultMessageListenerContainer-32|2022-05-23 14:59:52.290 UTC|SSLExtensions.java:190|Ignore impact of unsupported extension: renegotiation_info
javax.net.ssl|DEBUG|FD|DefaultMessageListenerContainer-32|2022-05-23 14:59:52.290 UTC|SSLExtensions.java:182|Ignore unavailable extension: pre_shared_key
javax.net.ssl|DEBUG|FD|DefaultMessageListenerContainer-32|2022-05-23 14:59:52.292 UTC|CertificateMessage.java:358|Consuming server Certificate handshake message (

Solution

  • After some time I've found a working configuration.

    error outbound has closed, ignore outbound alert message: close_notify
    

    This error was from the target health check.

    The NLB must have a listener with protocol TLS on port 61616. The target group protocol is TLS and the port is 61616. The target group must have a registered target to the instance IP on port 61616. The important thing is that the routing port must not be used as the health check port. It won't work on 61616. The health check protocol must be TCP and the port is 8161.

    The targets for the NLB must be registered by IP address, not by instance ID.