Configuring the server certificate on PubSub Broker- Invalid certificate

CloudGod Member Posts: 24 ✭✭

Hi everyone,
I'm having difficulties in configuring the broker's certificate correctly. I want to enable secure web messaging on a Oracle Linux VM that has a public IP.
I installed a fresh Oracel Linux VM, installed Solace and everything is working correctly. As I also have a PubSub+ Cloud account, I tested it by sending some messages withing my VM broker and from my VM Broker to the PubSub+ instance (using the Try Me functionality). All of this worked 100%.
Now, when I wanted to send messages from my PubSub+ Cloud instance, difficulties started to appear.
I can't send non-secure (ws://) web messages from PubSub+ Cloud instance through the Try Me functionality on the Management console, so I need to enable secure web messaging (wss://) on my recently installed VM broker. Good, a bit of a challenge then!
As I had so many issues with browsers not working correctly with self-signed certificates, I went for a DuckDNS subdomain and a Let's Encrypt certificate. After battling it out with the Certbot (Oracle Linux has issues with it), I finally got my certificates (cert.pem, chain.pem, fullchain.pem and privkey.pem).
But I can't, for the love of god, install the certificates on the solace server.
I placed the certificates in the jail/certs directory, went to the cli, and went
enable->configure->SSL>server certificate privkey.pem
and I get an error:
ERROR: The certificate in privkey.pem is invalid.
Command Failed
The certificate is a x509 v3, as per openssl, so I don't understand exactly what is wrong with it.

openssl x509 -in cert.pem -text -noout
Version: 3 (0x2)
Serial Number:
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3
Not Before: Oct 4 15:41:01 2020 GMT
Not After : Jan 2 15:41:01 2021 GMT
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
I also tried:
server-certificate cert.pem
ERROR: Private key not found. Note only RSA certificates and private
keys are supported.
Command Failed
In the cli, this is the result of a dir in the certs directory
solace-event-broker# dir
-rw-r--r-- root root 1927 Oct 04 18:30 cert.pem
-rw-r--r-- root root 1647 Oct 04 18:30 chain.pem
-rw-r--r-- root root 3574 Oct 04 18:30 fullchain.pem
-rw-r--r-- root root 1708 Oct 04 18:30 privkey.pem

Any hints on what may be the problem?




  • swenhelge
    swenhelge Member, Employee Posts: 77 Solace Employee

    I think you need to combine the server cert and private key file (each in PEM format) into one file. That is the file you need to configure for use with the broker ... see here:

  • CloudGod
    CloudGod Member Posts: 24 ✭✭

    @swenhelge said:
    I think you need to combine the server cert and private key file (each in PEM format) into one file. That is the file you need to configure for use with the broker ... see here:

    Thanks. I combined the cert and the private key, and it worked (but not before I converted the private key to a previous version of RSA).
    Anyway, the server certificate is installed, but I can't seem to connect through the secure web message protocol (wss://), in the Try Me functionality, even inside the Linux VM broker.
    Is there any log where I can see what's going on? I'm going to try and look at typical linux networking debugging tools, but if anyone can point me out somewhere to see what's going on, it would be great.

    P.S: although the server certificate is installed properly, the UI Web manager interface doesn't show up as secure.

  • CloudGod
    CloudGod Member Posts: 24 ✭✭

    An update on my side:
    Everything finally works!
    I didn't change much. It started to work once I changed the TLS Port on the web message from the pre-configured 1443 to 443 and then back to 1443. With that, I could establish a connection. I would be nice to understand what happened under the hood.
    I'm going to try and do a clean run, picking up what I've learned in the process, so see if I can do it without any hiccups this time.
    I'll let you know how it turns out.
    Major thanks to @swenhelge

  • marc
    marc Member, Administrator, Moderator, Employee Posts: 878 admin

    After you do a clean run can you let us know if the web manager (PubSub+ Manager) shows up as secure? Note that you'll need to use port 1943 by default in the software broker.

  • CloudGod
    CloudGod Member Posts: 24 ✭✭

    Hi @marc,
    Yes, sure. I'll try and this on Thursday and share the findings