SSL.Keyfile invalid

[Chirico Costal]

Hi,
I'm new to this community and to Rabbitmq. Trying to establish a TLS SSL connection between client and server I always fall into the same error, I leave you a photo attached together with the DockerFile and the rabbitmq.conf, I state that without using ssl but only tcp everything works.

DOCKERFILE

FROM ubuntu as builder

# install git

RUN apt-get update -y && apt-get upgrade -y && apt-get install git -y && apt-get install openssl -y && apt-get install make -y

RUN apt-get install python3 -y && apt-get install python3-pip -y

RUN git clone https://github.com/michaelklishin/tls-gen.git

RUN rm -rf /path/.git

RUN cd tls-gen/basic && make && make verify && make info

FROM rabbitmq:3.8.15-rc.2-management

LABEL description="RabbitMQ image" version="0.0.1"

COPY --from=builder tls-gen tls-gen

RUN cd /etc/rabbitmq && mkdir httpLog

RUN mv tls-gen/basic/testca /etc/rabbitmq/

# RUN openssl rsa -in /etc/rabbitmq/ca/ca_key.pem -out /etc/rabbitmq/ca/key.pem && rm /etc/rabbitmq/ca/ca_key.pem

RUN mv tls-gen/basic/server /etc/rabbitmq/

# RUN openssl rsa -in /etc/rabbitmq/server/server_key.pem -out /etc/rabbitmq/server/key.pem && rm /etc/rabbitmq/server/server_key.pem

RUN mv tls-gen/basic/client /etc/rabbitmq/

# RUN openssl rsa -in /etc/rabbitmq/client/client_key.pem -out /etc/rabbitmq/client/key.pem && rm /etc/rabbitmq/client/client_key.pem

RUN rabbitmq-plugins enable rabbitmq_auth_mechanism_ssl

ADD rabbitmq.conf /etc/rabbitmq

ADD definitions.json /etc/rabbitmq

EXPOSE 15672 15671 5672 5671


Rabbitmq.conf

log.console = true

log.console.level = info

loopback_users.guest = false

default_pass = guest

default_user = guest

default_vhost = guestVHost

hipe_compile = false

listeners.tcp.default = 5672

listeners.ssl.default = 5671

management.tcp.compress = true

management.http_log_dir = /etc/rabbitmq/httpLog

management.tcp.port = 15672

management.ssl.port = 15671

management.listener.port = 15672

management.listener.ssl = true

management.listener.ssl_opts.cacertfile = /etc/rabbitmq/testca/cacert.pem

management.listener.ssl_opts.certfile = /etc/rabbitmq/server/cert.pem

management.listener.ssl_opts.keyfile = /etc/rabbitmq/server/key.pem

# management.listener.ssl_opts.password = PASSWORD

management.ssl.versions.1 = tlsv1.3

management.ssl.versions.2 = tlsv1.2

management.ssl.versions.3 = tlsv1.1

ssl_options.cacertfile = /etc/rabbitmq/testca/cacert.pem

ssl_options.certfile = /etc/rabbitmq/server/cert.pem

ssl_options.keyfile = /etc/rabbitmq/server/key.pem

# ssl_options.password = PASSWORD

ssl_options.depth = 2

# Usually RabbitMQ nodes do not perform peer verification of HTTP API clients

# but it can be enabled if needed. Clients then will have to be configured with

# a certificate and private key pair.

#

# See https://www.rabbitmq.com/ssl.html#peer-verification for details.

management.ssl.verify = verify_peer

management.ssl.fail_if_no_peer_cert = false

auth_mechanisms.1 = EXTERNAL

auth_mechanisms.1 = AMQPLAIN

auth_mechanisms.1 = PLAIN

ssl_cert_login_from = common_name

management.ssl.honor_cipher_order   = true

management.ssl.honor_ecc_order      = true

management.ssl.client_renegotiation = false

management.ssl.secure_renegotiate   = true

ssl_options.ciphers.1 = TLS_AES_256_GCM_SHA384

ssl_options.ciphers.2 = TLS_CHACHA20_POLY1305_SHA256

ssl_options.ciphers.3 = TLS_AES_128_GCM_SHA256

ssl_options.ciphers.4 = ECDHE-ECDSA-AES256-GCM-SHA384

ssl_options.ciphers.5 = ECDHE-RSA-AES256-GCM-SHA384

ssl_options.ciphers.6 = DHE-RSA-AES256-GCM-SHA384

ssl_options.ciphers.7 = ECDHE-ECDSA-CHACHA20-POLY1305

ssl_options.ciphers.8 = ECDHE-RSA-CHACHA20-POLY1305

ssl_options.ciphers.9 = DHE-RSA-CHACHA20-POLY1305

ssl_options.ciphers.10 = ECDHE-ECDSA-AES128-GCM-SHA256

ssl_options.ciphers.11 = ECDHE-RSA-AES128-GCM-SHA256

ssl_options.ciphers.12 = DHE-RSA-AES128-GCM-SHA256

ssl_options.ciphers.13 = ECDHE-ECDSA-AES256-SHA384

ssl_options.ciphers.14 = ECDHE-RSA-AES256-SHA384

ssl_options.ciphers.15 = DHE-RSA-AES256-SHA256

ssl_options.ciphers.16 = ECDHE-ECDSA-AES128-SHA256

ssl_options.ciphers.17 = ECDHE-RSA-AES128-SHA256

ssl_options.ciphers.18 = DHE-RSA-AES128-SHA256

ssl_options.ciphers.19 = ECDHE-ECDSA-AES256-SHA

ssl_options.ciphers.20 = ECDHE-RSA-AES256-SHA

ssl_options.ciphers.21 = DHE-RSA-AES256-SHA

ssl_options.ciphers.22 = ECDHE-ECDSA-AES128-SHA

ssl_options.ciphers.23 = ECDHE-RSA-AES128-SHA

ssl_options.ciphers.24 = DHE-RSA-AES128-SHA 

ssl_options.ciphers.25 = RSA-PSK-AES256-GCM-SHA384 

ssl_options.ciphers.26 = DHE-PSK-AES256-GCM-SHA384       

ssl_options.ciphers.27 = RSA-PSK-CHACHA20-POLY1305

ssl_options.ciphers.28 = DHE-PSK-CHACHA20-POLY1305       

ssl_options.ciphers.29 = ECDHE-PSK-CHACHA20-POLY1305 

ssl_options.ciphers.30 = AES256-GCM-SHA384               

ssl_options.ciphers.31 = PSK-AES256-GCM-SHA384            

ssl_options.ciphers.32 = PSK-CHACHA20-POLY1305            

ssl_options.ciphers.33 = RSA-PSK-AES128-GCM-SHA256 

ssl_options.ciphers.34 = DHE-PSK-AES128-GCM-SHA256        

ssl_options.ciphers.35 = AES128-GCM-SHA256                

ssl_options.ciphers.36 = PSK-AES128-GCM-SHA256             

ssl_options.ciphers.37 = AES256-SHA256                     

ssl_options.ciphers.38 = AES128-SHA256                   

ssl_options.ciphers.39 = ECDHE-PSK-AES256-CBC-SHA384     

ssl_options.ciphers.40 = ECDHE-PSK-AES256-CBC-SHA

ssl_options.ciphers.41 = SRP-RSA-AES-256-CBC-SHA            

ssl_options.ciphers.42 = SRP-AES-256-CBC-SHA   

ssl_options.ciphers.43 = RSA-PSK-AES256-CBC-SHA384

ssl_options.ciphers.44 = DHE-PSK-AES256-CBC-SHA384         

ssl_options.ciphers.45 = RSA-PSK-AES256-CBC-SHA   

ssl_options.ciphers.46 = DHE-PSK-AES256-CBC-SHA          

ssl_options.ciphers.47 = AES256-SHA                        

ssl_options.ciphers.48 = PSK-AES256-CBC-SHA384              

ssl_options.ciphers.49 = PSK-AES256-CBC-SHA                 

ssl_options.ciphers.50 = ECDHE-PSK-AES128-CBC-SHA256

ssl_options.ciphers.51 = ECDHE-PSK-AES128-CBC-SHA 

ssl_options.ciphers.52 = SRP-RSA-AES-128-CBC-SHA         

ssl_options.ciphers.53 = SRP-AES-128-CBC-SHA 

ssl_options.ciphers.54 = RSA-PSK-AES128-CBC-SHA256 

ssl_options.ciphers.55 = DHE-PSK-AES128-CBC-SHA256       

ssl_options.ciphers.56 = RSA-PSK-AES128-CBC-SHA    

ssl_options.ciphers.57 = DHE-PSK-AES128-CBC-SHA        

ssl_options.ciphers.58 = AES128-SHA                      

ssl_options.ciphers.59 = PSK-AES128-CBC-SHA256            

ssl_options.ciphers.60 = PSK-AES128-CBC-SHA

management.load_definitions = /etc/rabbitmq/definitions.json

[Michal Kuratczyk]

Hi,

Putting secrets inside docker images is not a good idea for security reasons, so first and foremost, I'd advise against it - just mount the secrets as volumes.

If your deployment target is Kubernetes, we have an Operator that you can use, which does not require building a custom image for what you want here. Here's an example for setting up TLS: https://github.com/rabbitmq/cluster-operator/tree/main/docs/examples/tls

Now, if you insist on the current approach - the problem is exactly as the error message says - the file cannot be read. That's because it's only readable by root (root:root, permissions 600). It passed this step after I added this to the Dockerfile:

RUN chmod 644 /etc/rabbitmq/server/*

Best,

--
You received this message because you are subscribed to the Google Groups "rabbitmq-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to rabbitmq-user...@googlegroups.com.
To view this discussion on the web, visit https://groups.google.com/d/msgid/rabbitmq-users/61b1cde3-72c0-446c-9967-4a03b5e6fa08n%40googlegroups.com.

--

Michał

RabbitMQ team

[Chirico Costal]

Thanks for the advice to implement the volumes, but for now I would like to make everything work and then make these adjustments, giving the folder chmod permissions the key.pem reading error is gone but the plugin management crashes I think for a few my mistake in the .conf file.

#DOCKERFILE

FROM ubuntu as builder

# install git

RUN apt-get update -y && apt-get upgrade -y && apt-get install git -y && apt-get install openssl -y && apt-get install make -y

RUN apt-get install python3 -y && apt-get install python3-pip -y

RUN git clone https://github.com/michaelklishin/tls-gen.git

RUN rm -rf /path/.git

RUN cd tls-gen/basic && make && make verify && make info

FROM rabbitmq:3.8.15-rc.2-management

LABEL description="RabbitMQ image" version="0.0.1"

COPY --from=builder tls-gen tls-gen

RUN cd /etc/rabbitmq && mkdir httpLog

RUN mv tls-gen/basic/testca /etc/rabbitmq/

# RUN openssl rsa -in /etc/rabbitmq/ca/ca_key.pem -out /etc/rabbitmq/ca/key.pem && rm /etc/rabbitmq/ca/ca_key.pem

RUN mv tls-gen/basic/server /etc/rabbitmq/

# RUN openssl rsa -in /etc/rabbitmq/server/server_key.pem -out /etc/rabbitmq/server/key.pem && rm /etc/rabbitmq/server/server_key.pem

RUN mv tls-gen/basic/client /etc/rabbitmq/

# RUN openssl rsa -in /etc/rabbitmq/client/client_key.pem -out /etc/rabbitmq/client/key.pem && rm /etc/rabbitmq/client/client_key.pem

RUN rabbitmq-plugins enable rabbitmq_auth_mechanism_ssl

ADD rabbitmq.conf /etc/rabbitmq

ADD definitions.json /etc/rabbitmq

RUN chmod 644 /etc/rabbitmq/server/*

EXPOSE 15672 15671 5672 5671

#CONF FILE

# # ssl_options.password = PASSWORD

ssl_options.depth = 2

# # Usually RabbitMQ nodes do not perform peer verification of HTTP API clients

# # but it can be enabled if needed. Clients then will have to be configured with

# # a certificate and private key pair.

# #

# # See https://www.rabbitmq.com/ssl.html#peer-verification for details.

management.ssl.verify = verify_peer

management.ssl.fail_if_no_peer_cert = true

[Chirico Costal]

I don't understand why give me that there are no certificates while I have confirmed and they are in the folder

2021-05-03 06:37:27.504 [error] <0.956.0> Failed to start Ranch listener {acceptor,{0,0,0,0,0,0,0,0},15671} in ranch_ssl:listen([{cacerts,'...'},{key,'...'},{cert,'...'},{port,15671},{versions,['tlsv1.1','tlsv1.2','tlsv1.3']},{client_renegotiation,false},{secure_renegotiate,true},{honor_ecc_order,true},{honor_cipher_order,true},{fail_if_no_peer_cert,true},{verify,verify_peer},{port,15671}]) for reason no_cert (no certificate provided; see cert, certfile, sni_fun or sni_hosts options)

 2021-05-03 06:37:27.504 [info] <0.954.0> supervisor: {<0.954.0>,ranch_listener_sup}, errorContext: start_error, reason: {listen_error,{acceptor,{0,0,0,0,0,0,0,0},15671},no_cert}, offender: [{pid,undefined},{id,ranch_acceptors_sup},{mfargs,{ranch_acceptors_sup,start_link,[{acceptor,{0,0,0,0,0,0,0,0},15671},ranch_ssl]}},{restart_type,permanent},{shutdown,infinity},{child_type,supervisor}]

 2021-05-03 06:37:27.505 [error] <0.954.0> Supervisor {<0.954.0>,ranch_listener_sup} had child ranch_acceptors_sup started with ranch_acceptors_sup:start_link({acceptor,{0,0,0,0,0,0,0,0},15671}, ranch_ssl) at undefined exit with reason {listen_error,{acceptor,{0,0,0,0,0,0,0,0},15671},no_cert} in context start_error

[Michal Kuratczyk]

Your config keys don't seem correct. Check https://www.rabbitmq.com/management.html#single-listener-https

the example is:

management.ssl.cacertfile = /path/to/ca_certificate.pem
management.ssl.certfile   = /path/to/server_certificate.pem
management.ssl.keyfile    = /path/to/server_key.pem

To view this discussion on the web, visit https://groups.google.com/d/msgid/rabbitmq-users/7b04a9fc-d8a9-4932-9085-4932ed29539bn%40googlegroups.com.

--

Michał

RabbitMQ team

[Chirico Costal]

I just updated the conf file to this:

log.console = true

log.console.level = info

loopback_users.guest = false

default_pass = guest

default_user = guest

default_vhost = guestVHost

hipe_compile = false

listeners.tcp.default = 5672

listeners.ssl.default = 5671

management.tcp.compress = true

management.http_log_dir = etc/rabbitmq/httpLog

management.ssl.port = 15672

management.listener.ssl = true

management.ssl.cacertfile = /etc/rabbitmq/cacert.pem

management.ssl.certfile = /etc/rabbitmq/cert.pem

management.ssl.keyfile = /etc/rabbitmq/key.pem

management.ssl.password = bunnies

management.ssl.versions.1 = tlsv1.3

management.ssl.versions.2 = tlsv1.2

management.ssl.versions.3 = tlsv1.1

management.ssl.depth = 2

# # Usually RabbitMQ nodes do not perform peer verification of HTTP API clients

# # but it can be enabled if needed. Clients then will have to be configured with

# # a certificate and private key pair.

# #

# # See https://www.rabbitmq.com/ssl.html#peer-verification for details.

management.ssl.verify = verify_peer

management.ssl.fail_if_no_peer_cert = true

auth_mechanisms.1 = EXTERNAL

auth_mechanisms.1 = AMQPLAIN

auth_mechanisms.1 = PLAIN

ssl_cert_login_from = common_name

management.ssl.honor_cipher_order   = true

management.ssl.honor_ecc_order      = true

management.ssl.client_renegotiation = false

management.ssl.secure_renegotiate   = true

management.ssl.ciphers.1 = TLS_AES_256_GCM_SHA384

management.ssl.ciphers.2 = TLS_CHACHA20_POLY1305_SHA256

management.ssl.ciphers.3 = TLS_AES_128_GCM_SHA256

management.ssl.ciphers.4 = ECDHE-ECDSA-AES256-GCM-SHA384

management.ssl.ciphers.5 = ECDHE-RSA-AES256-GCM-SHA384

management.ssl.ciphers.6 = DHE-RSA-AES256-GCM-SHA384

management.ssl.ciphers.7 = ECDHE-ECDSA-CHACHA20-POLY1305

management.ssl.ciphers.8 = ECDHE-RSA-CHACHA20-POLY1305

management.ssl.ciphers.9 = DHE-RSA-CHACHA20-POLY1305

management.ssl.ciphers.10 = ECDHE-ECDSA-AES128-GCM-SHA256

management.ssl.ciphers.11 = ECDHE-RSA-AES128-GCM-SHA256

management.ssl.ciphers.12 = DHE-RSA-AES128-GCM-SHA256

management.ssl.ciphers.13 = ECDHE-ECDSA-AES256-SHA384

management.ssl.ciphers.14 = ECDHE-RSA-AES256-SHA384

management.ssl.ciphers.15 = DHE-RSA-AES256-SHA256

management.ssl.ciphers.16 = ECDHE-ECDSA-AES128-SHA256

management.ssl.ciphers.17 = ECDHE-RSA-AES128-SHA256

management.ssl.ciphers.18 = DHE-RSA-AES128-SHA256

management.ssl.ciphers.19 = ECDHE-ECDSA-AES256-SHA

management.ssl.ciphers.20 = ECDHE-RSA-AES256-SHA

management.ssl.ciphers.21 = DHE-RSA-AES256-SHA

management.ssl.ciphers.22 = ECDHE-ECDSA-AES128-SHA

management.ssl.ciphers.23 = ECDHE-RSA-AES128-SHA

management.ssl.ciphers.24 = DHE-RSA-AES128-SHA 

management.ssl.ciphers.25 = RSA-PSK-AES256-GCM-SHA384 

management.ssl.ciphers.26 = DHE-PSK-AES256-GCM-SHA384       

management.ssl.ciphers.27 = RSA-PSK-CHACHA20-POLY1305

management.ssl.ciphers.28 = DHE-PSK-CHACHA20-POLY1305       

management.ssl.ciphers.29 = ECDHE-PSK-CHACHA20-POLY1305 

management.ssl.ciphers.30 = AES256-GCM-SHA384               

management.ssl.ciphers.31 = PSK-AES256-GCM-SHA384            

management.ssl.ciphers.32 = PSK-CHACHA20-POLY1305            

management.ssl.ciphers.33 = RSA-PSK-AES128-GCM-SHA256 

management.ssl.ciphers.34 = DHE-PSK-AES128-GCM-SHA256        

management.ssl.ciphers.35 = AES128-GCM-SHA256                

management.ssl.ciphers.36 = PSK-AES128-GCM-SHA256             

management.ssl.ciphers.37 = AES256-SHA256                     

management.ssl.ciphers.38 = AES128-SHA256                   

management.ssl.ciphers.39 = ECDHE-PSK-AES256-CBC-SHA384     

management.ssl.ciphers.40 = ECDHE-PSK-AES256-CBC-SHA

management.ssl.ciphers.41 = SRP-RSA-AES-256-CBC-SHA            

management.ssl.ciphers.42 = SRP-AES-256-CBC-SHA   

management.ssl.ciphers.43 = RSA-PSK-AES256-CBC-SHA384

management.ssl.ciphers.44 = DHE-PSK-AES256-CBC-SHA384         

management.ssl.ciphers.45 = RSA-PSK-AES256-CBC-SHA   

management.ssl.ciphers.46 = DHE-PSK-AES256-CBC-SHA          

management.ssl.ciphers.47 = AES256-SHA                        

management.ssl.ciphers.48 = PSK-AES256-CBC-SHA384              

management.ssl.ciphers.49 = PSK-AES256-CBC-SHA                 

management.ssl.ciphers.50 = ECDHE-PSK-AES128-CBC-SHA256

management.ssl.ciphers.51 = ECDHE-PSK-AES128-CBC-SHA 

management.ssl.ciphers.52 = SRP-RSA-AES-128-CBC-SHA         

management.ssl.ciphers.53 = SRP-AES-128-CBC-SHA 

management.ssl.ciphers.54 = RSA-PSK-AES128-CBC-SHA256 

management.ssl.ciphers.55 = DHE-PSK-AES128-CBC-SHA256       

management.ssl.ciphers.56 = RSA-PSK-AES128-CBC-SHA    

management.ssl.ciphers.57 = DHE-PSK-AES128-CBC-SHA        

management.ssl.ciphers.58 = AES128-SHA                      

management.ssl.ciphers.59 = PSK-AES128-CBC-SHA256            

management.ssl.ciphers.60 = PSK-AES128-CBC-SHA

management.load_definitions = /etc/rabbitmq/definitions.json

And the result is this, I don't understand that warning, in what sense "Only two listeners at a time are supported. Ignoring the legacy listener", in the legacy listeners tcp and ssl are not declared, because it ignores them, in fact the error is " incompatible_listeners "

2021-05-03 15:57:10.299 [warning] <0.849.0> Management plugin: TCP, TLS and a legacy (management.listener.*) listener are all configured. Only two listeners at a time are supported. Ignoring the legacy listener

2021-05-03 15:57:10.328 [info] <0.849.0> Management plugin: HTTP (non-TLS) listener started on port 15672

Logger - error: {removed_failing_handler,rabbit_log}

2021-05-03 15:57:10.356 [error] <0.841.0> ** Generic server rabbit_web_dispatch_registry terminating

** Last message in was {add,rabbitmq_management_tls,[{cowboy_opts,[{sendfile,false}]},{port,15672},{ssl,true},{ssl_opts,[{depth,2},{client_renegotiation,false},{secure_renegotiate,true},{honor_ecc_order,true},{honor_cipher_order,true},{fail_if_no_peer_cert,true},{verify,verify_peer},{password,"bunnies"},{cacertfile,"/etc/rabbitmq/cacert.pem"},{keyfile,"/etc/rabbitmq/key.pem"},{certfile,"/etc/rabbitmq/cert.pem"},{port,15672},{versions,['tlsv1.1','tlsv1.2','tlsv1.3']},{ciphers,["TLS_AES_256_GCM_SHA384","TLS_CHACHA20_POLY1305_SHA256","TLS_AES_128_GCM_SHA256","ECDHE-ECDSA-AES256-GCM-SHA384","ECDHE-RSA-AES256-GCM-SHA384","DHE-RSA-AES256-GCM-SHA384","ECDHE-ECDSA-CHACHA20-POLY1305","ECDHE-RSA-CHACHA20-POLY1305","DHE-RSA-CHACHA20-POLY1305","ECDHE-ECDSA-AES128-GCM-SHA256","EC...",...]}]}],...}

** When Server state == undefined

** Reason for termination ==

** {{incompatible_listeners,{"RabbitMQ Management",[{cowboy_opts,[{sendfile,false}]},{port,15672},{ssl,true},{ssl_opts,[{depth,2},{client_renegotiation,false},{secure_renegotiate,true},{honor_ecc_order,true},{honor_cipher_order,true},{fail_if_no_peer_cert,true},{verify,verify_peer},{password,"bunnies"},{cacertfile,"/etc/rabbitmq/cacert.pem"},{keyfile,"/etc/rabbitmq/key.pem"},{certfile,"/etc/rabbitmq/cert.pem"},{port,15672},{versions,['tlsv1.1','tlsv1.2','tlsv1.3']},{ciphers,["TLS_AES_256_GCM_SHA384","TLS_CHACHA20_POLY1305_SHA256","TLS_AES_128_GCM_SHA256","ECDHE-ECDSA-AES256-GCM-SHA384","ECDHE-RSA-AES256-GCM-SHA384","DHE-RSA-AES256-GCM-SHA384","ECDHE-ECDSA-CHACHA20-POLY1305","ECDHE-RSA-CHACHA20-POLY1305","DHE-RSA-CHACHA20-POLY1305","ECDHE-ECDSA-AES128-GCM-SHA256","ECDHE-RSA-AES128-GCM-SHA256","DHE-RSA-AES128-GCM-SHA256","ECDHE-ECDSA-AES256-SHA384","ECDHE-RSA-AES256-SHA384","DHE-RSA-AES256-SHA256","ECDHE-ECDSA-AES128-SHA256","ECDHE-RSA-AES128-SHA256","DHE-RSA-AES128-SHA256","ECDHE-ECDSA-A...",...]}]}]},...},...}

[Chirico Costal]

Sorry there was an error in the line management.ssl.port = 15672 (15672)

By solving and commenting out all the ciphers part, the server starts up but this is what it prints

2021-05-03 16:27:38.703 [info] <0.1196.0> started TCP listener on [::]:5672

2021-05-03 16:27:38.706 [error] <0.1200.0> Failed to start Ranch listener {acceptor,{0,0,0,0,0,0,0,0},5671} in ranch_ssl:listen([{cacerts,'...'},{key,'...'},{cert,'...'},{ip,{0,0,0,0,0,0,0,0}},{port,5671},inet6,{backlog,128},{nodelay,true},{linger,{true,0}},{exit_on_close,false},{versions,['tlsv1.3','tlsv1.2','tlsv1.1',tlsv1]}]) for reason no_cert (no certificate provided; see cert, certfile, sni_fun or sni_hosts options)

2021-05-03 16:27:38.707 [info] <0.1198.0> supervisor: {<0.1198.0>,ranch_listener_sup}, errorContext: start_error, reason: {listen_error,{acceptor,{0,0,0,0,0,0,0,0},5671},no_cert}, offender: [{pid,undefined},{id,ranch_acceptors_sup},{mfargs,{ranch_acceptors_sup,start_link,[{acceptor,{0,0,0,0,0,0,0,0},5671},ranch_ssl]}},{restart_type,permanent},{shutdown,infinity},{child_type,supervisor}]

2021-05-03 16:27:38.707 [error] <0.1198.0> Supervisor {<0.1198.0>,ranch_listener_sup} had child ranch_acceptors_sup started with ranch_acceptors_sup:start_link({acceptor,{0,0,0,0,0,0,0,0},5671}, ranch_ssl) at undefined exit with reason {listen_error,{acceptor,{0,0,0,0,0,0,0,0},5671},no_cert} in context start_error

2021-05-03 16:27:38.707 [info] <0.1197.0> supervisor: {<0.1197.0>,tcp_listener_sup}, errorContext: start_error, reason: {shutdown,{failed_to_start_child,ranch_acceptors_sup,{listen_error,{acceptor,{0,0,0,0,0,0,0,0},5671},no_cert}}}, offender: [{pid,undefined},{id,{ranch_listener_sup,{acceptor,{0,0,0,0,0,0,0,0},5671}}},{mfargs,{ranch_listener_sup,start_link,[{acceptor,{0,0,0,0,0,0,0,0},5671},ranch_ssl,#{connection_type => supervisor,handshake_timeout => 5000,max_connections => infinity,num_acceptors => 10,socket_opts => [{ip,{0,0,0,0,0,0,0,0}},{port,5671},inet6,{backlog,128},{nodelay,true},{linger,{true,0}},{exit_on_close,false},{versions,['tlsv1.3','tlsv1.2','tlsv1.1',tlsv1]}]},rabbit_connection_sup,[]]}},{restart_type,permanent},{shutdown,infinity},{child_type,supervisor}]

2021-05-03 16:27:38.707 [error] <0.1197.0> Supervisor {<0.1197.0>,tcp_listener_sup} had child {ranch_listener_sup,{acceptor,{0,0,0,0,0,0,0,0},5671}} started with ranch_listener_sup:start_link({acceptor,{0,0,0,0,0,0,0,0},5671}, ranch_ssl, #{connection_type => supervisor,handshake_timeout => 5000,max_connections => infinity,num_acceptors => ...,...}, rabbit_connection_sup, []) at undefined exit with reason {shutdown,{failed_to_start_child,ranch_acceptors_sup,{listen_error,{acceptor,{0,0,0,0,0,0,0,0},5671},no_cert}}} in context start_error

2021-05-03 16:27:38.708 [info] <0.1200.0> [{initial_call,{supervisor,ranch_acceptors_sup,['Argument__1']}},{pid,<0.1200.0>},{registered_name,[]},{error_info,{exit,{listen_error,{acceptor,{0,0,0,0,0,0,0,0},5671},no_cert},[{ranch_acceptors_sup,listen_error,5,[{file,"src/ranch_acceptors_sup.erl"},{line,66}]},{supervisor,init,1,[{file,"supervisor.erl"},{line,301}]},{gen_server,init_it,2,[{file,"gen_server.erl"},{line,417}]},{gen_server,init_it,6,[{file,"gen_server.erl"},{line,385}]},{proc_lib,init_p_do_apply,3,[{file,"proc_lib.erl"},{line,226}]}]}},{ancestors,[<0.1198.0>,<0.1197.0>,rabbit_sup,<0.273.0>]},{message_queue_len,1},{messages,[{'EXIT',<0.1198.0>,{shutdown,{failed_to_start_child,ranch_acceptors_sup,{listen_error,{acceptor,{0,0,0,0,0,0,0,0},5671},no_cert}}}}]},{links,[]},{dictionary,[{logger,error_logger}]},{trap_exit,true},{status,running},{heap_size,610},{stack_size,28},{reductions,460}], []

2021-05-03 16:27:38.708 [error] <0.1200.0> CRASH REPORT Process <0.1200.0> with 0 neighbours exited with reason: {listen_error,{acceptor,{0,0,0,0,0,0,0,0},5671},no_cert} in ranch_acceptors_sup:listen_error/5 line 66

CONFIG FILE

log.console = true

log.console.level = info

loopback_users.guest = false

default_pass = guest

default_user = guest

default_vhost = guestVHost

listeners.tcp.default = 5672

listeners.ssl.default = 5671

management.tcp.compress = true

management.http_log_dir = etc/rabbitmq/httpLog

management.ssl.port = 15671

management.listener.ssl = true

management.ssl.cacertfile = /etc/rabbitmq/cacert.pem

management.ssl.certfile = /etc/rabbitmq/cert.pem

management.ssl.keyfile = /etc/rabbitmq/key.pem

management.ssl.password = bunnies

management.ssl.versions.1 = tlsv1.3

management.ssl.versions.2 = tlsv1.2

management.ssl.versions.3 = tlsv1.1

management.ssl.depth = 2

# # Usually RabbitMQ nodes do not perform peer verification of HTTP API clients

# # but it can be enabled if needed. Clients then will have to be configured with

# # a certificate and private key pair.

# #

# # See https://www.rabbitmq.com/ssl.html#peer-verification for details.

management.ssl.verify = verify_peer

management.ssl.fail_if_no_peer_cert = true

auth_mechanisms.1 = EXTERNAL

auth_mechanisms.1 = AMQPLAIN

auth_mechanisms.1 = PLAIN

ssl_cert_login_from = common_name

# management.ssl.honor_cipher_order   = true

# management.ssl.honor_ecc_order      = true

management.ssl.client_renegotiation = false

management.ssl.secure_renegotiate   = true

# management.ssl.ciphers.1 = TLS_AES_256_GCM_SHA384

# management.ssl.ciphers.2 = TLS_CHACHA20_POLY1305_SHA256

# management.ssl.ciphers.3 = TLS_AES_128_GCM_SHA256

# management.ssl.ciphers.4 = ECDHE-ECDSA-AES256-GCM-SHA384

# management.ssl.ciphers.5 = ECDHE-RSA-AES256-GCM-SHA384

# management.ssl.ciphers.6 = DHE-RSA-AES256-GCM-SHA384

# management.ssl.ciphers.7 = ECDHE-ECDSA-CHACHA20-POLY1305

# management.ssl.ciphers.8 = ECDHE-RSA-CHACHA20-POLY1305

# management.ssl.ciphers.9 = DHE-RSA-CHACHA20-POLY1305

# management.ssl.ciphers.10 = ECDHE-ECDSA-AES128-GCM-SHA256

# management.ssl.ciphers.11 = ECDHE-RSA-AES128-GCM-SHA256

# management.ssl.ciphers.12 = DHE-RSA-AES128-GCM-SHA256

# management.ssl.ciphers.13 = ECDHE-ECDSA-AES256-SHA384

# management.ssl.ciphers.14 = ECDHE-RSA-AES256-SHA384

# management.ssl.ciphers.15 = DHE-RSA-AES256-SHA256

# management.ssl.ciphers.16 = ECDHE-ECDSA-AES128-SHA256

# management.ssl.ciphers.17 = ECDHE-RSA-AES128-SHA256

# management.ssl.ciphers.18 = DHE-RSA-AES128-SHA256

# management.ssl.ciphers.19 = ECDHE-ECDSA-AES256-SHA

# management.ssl.ciphers.20 = ECDHE-RSA-AES256-SHA

# management.ssl.ciphers.21 = DHE-RSA-AES256-SHA

# management.ssl.ciphers.22 = ECDHE-ECDSA-AES128-SHA

# management.ssl.ciphers.23 = ECDHE-RSA-AES128-SHA

# management.ssl.ciphers.24 = DHE-RSA-AES128-SHA 

# management.ssl.ciphers.25 = RSA-PSK-AES256-GCM-SHA384 

# management.ssl.ciphers.26 = DHE-PSK-AES256-GCM-SHA384       

# management.ssl.ciphers.27 = RSA-PSK-CHACHA20-POLY1305

# management.ssl.ciphers.28 = DHE-PSK-CHACHA20-POLY1305       

# management.ssl.ciphers.29 = ECDHE-PSK-CHACHA20-POLY1305 

# management.ssl.ciphers.30 = AES256-GCM-SHA384               

# management.ssl.ciphers.31 = PSK-AES256-GCM-SHA384            

# management.ssl.ciphers.32 = PSK-CHACHA20-POLY1305            

# management.ssl.ciphers.33 = RSA-PSK-AES128-GCM-SHA256 

# management.ssl.ciphers.34 = DHE-PSK-AES128-GCM-SHA256        

# management.ssl.ciphers.35 = AES128-GCM-SHA256                

# management.ssl.ciphers.36 = PSK-AES128-GCM-SHA256             

# management.ssl.ciphers.37 = AES256-SHA256                     

# management.ssl.ciphers.38 = AES128-SHA256                   

# management.ssl.ciphers.39 = ECDHE-PSK-AES256-CBC-SHA384     

# management.ssl.ciphers.40 = ECDHE-PSK-AES256-CBC-SHA

# management.ssl.ciphers.41 = SRP-RSA-AES-256-CBC-SHA            

# management.ssl.ciphers.42 = SRP-AES-256-CBC-SHA   

# management.ssl.ciphers.43 = RSA-PSK-AES256-CBC-SHA384

# management.ssl.ciphers.44 = DHE-PSK-AES256-CBC-SHA384         

# management.ssl.ciphers.45 = RSA-PSK-AES256-CBC-SHA   

# management.ssl.ciphers.46 = DHE-PSK-AES256-CBC-SHA          

# management.ssl.ciphers.47 = AES256-SHA                        

# management.ssl.ciphers.48 = PSK-AES256-CBC-SHA384              

# management.ssl.ciphers.49 = PSK-AES256-CBC-SHA                 

# management.ssl.ciphers.50 = ECDHE-PSK-AES128-CBC-SHA256

# management.ssl.ciphers.51 = ECDHE-PSK-AES128-CBC-SHA 

# management.ssl.ciphers.52 = SRP-RSA-AES-128-CBC-SHA         

# management.ssl.ciphers.53 = SRP-AES-128-CBC-SHA 

# management.ssl.ciphers.54 = RSA-PSK-AES128-CBC-SHA256 

# management.ssl.ciphers.55 = DHE-PSK-AES128-CBC-SHA256       

# management.ssl.ciphers.56 = RSA-PSK-AES128-CBC-SHA    

# management.ssl.ciphers.57 = DHE-PSK-AES128-CBC-SHA        

# management.ssl.ciphers.58 = AES128-SHA                      

# management.ssl.ciphers.59 = PSK-AES128-CBC-SHA256            

# management.ssl.ciphers.60 = PSK-AES128-CBC-SHA

management.load_definitions = /etc/rabbitmq/definitions.json

[Michal Kuratczyk]

You have successfully configured TLS for the Management API/UI (HTTP endpoint). However, by setting listeners.ssl.default=5671 you told RabbitMQ that it should enable AMQP over TLS, but you haven't provided any configuration for this listener. 

Please read https://www.rabbitmq.com/ssl.html#enabling-tls

On a more general note - the way to approach a situation like that is to start with a simple working configuration and then see what more you need (if anything) and what breaks your setup.

You can deploy RabbitMQ with TLS using the Operator in a matter of minutes. You can use other options as well (eg. a helm chart). Either way, you can easily see how RabbitMQ with TLS is configured correctly.

Instead, you keep trying to do it in a less secure and more complex way for no apparent reason.

Best,

To view this discussion on the web, visit https://groups.google.com/d/msgid/rabbitmq-users/2e584eb8-3f7c-44f5-af31-8a18de636684n%40googlegroups.com.

--

Michał

RabbitMQ team