rabbitmq tls error


fei yu

Jan 24, 2021, 10:26:27 PM
to rabbitmq-users
Hello, 

RabbitMQ 3.8.9
Erlang 23.2.1
CentOS 8
OpenSSL 1.1.1g FIPS 21 Apr 2020

When I configured TLS for RabbitMQ, I used tls-gen to generate a certificate, and used the openssl service and client to test at the same time. It was correct, but when I tested 5671 with openssl, it prompted:


openssl s_client -connect localhost:5671 -cert client_certificate.pem -key client_key.pem -CAfile ca_certificate.pem -state -nbio
Enter pass phrase for client_key.pem:
CONNECTED(00000003)
Turned on non blocking io
SSL_connect:before SSL initialization
SSL_connect:SSLv3/TLS write client hello
SSL_connect:error in SSLv3/TLS write client hello
write R BLOCK
SSL_connect:error in SSLv3/TLS write client hello
read:errno=104
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 176 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : 0000
    Session-ID: 
    Session-ID-ctx: 
    Master-Key: 
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1611305704
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
---

Also, nothing is printed in the RabbitMQ log.
I set the certificate directory and the entire RabbitMQ directory to 777 permissions.

 rabbitmqctl status 
Status of node rabbit@localhost ...
Runtime
OS PID: 37436
OS: Linux
Uptime (seconds): 1545
Is under maintenance?: false
RabbitMQ version: 3.8.9
Node name: rabbit@localhost
Erlang configuration: Erlang/OTP 23 [erts-11.1.5] [source] [64-bit] [smp:1:1] [ds:1:1:10] [async-threads:64] [hipe]
Erlang processes: 461 used, 1048576 limit
Scheduler run queue: 1
Cluster heartbeat timeout (net_ticktime): 60
Plugins
Enabled plugin file: /etc/rabbitmq/enabled_plugins
Enabled plugins:
* rabbitmq_management
* amqp_client
* rabbitmq_web_dispatch
* cowboy
* cowlib
* rabbitmq_management_agent
Data directory
Node data directory: /var/lib/rabbitmq/mnesia/rabbit@localhost
Raft data directory: /var/lib/rabbitmq/mnesia/rabbit@localhost/quorum/rabbit@localhost
Config files
* /etc/rabbitmq/rabbitmq.conf
Log file(s)
/var/log/rabbitmq/rab...@localhost.log
* /var/log/rabbitmq/rabbit@localhost_upgrade.log
Alarms
(none)
Memory
Total memory used: 0.113 gb
Calculation strategy: rss
Memory high watermark setting: 0.4 of available memory, computed to: 1.5558 gb
other_proc: 0.0372 gb (32.88 %)
code: 0.0325 gb (28.77 %)
other_system: 0.0124 gb (10.99 %)
reserved_unallocated: 0.0111 gb (9.85 %)
allocated_unused: 0.0079 gb (6.98 %)
plugins: 0.0063 gb (5.59 %)
other_ets: 0.0032 gb (2.86 %)
atom: 0.0014 gb (1.26 %)
mgmt_db: 0.0005 gb (0.42 %)
binary: 0.0002 gb (0.19 %)
mnesia: 0.0001 gb (0.07 %)
metrics: 0.0001 gb (0.05 %)
connection_other: 0.0 gb (0.04 %)
msg_index: 0.0 gb (0.03 %)
quorum_ets: 0.0 gb (0.01 %)
connection_channels: 0.0 gb (0.0 %)
connection_readers: 0.0 gb (0.0 %)
connection_writers: 0.0 gb (0.0 %)
queue_procs: 0.0 gb (0.0 %)
queue_slave_procs: 0.0 gb (0.0 %)
quorum_queue_procs: 0.0 gb (0.0 %)
File Descriptors
Total: 2, limit: 32671
Sockets: 0, limit: 29401
Free Disk Space
Low free disk space watermark: 0.05 gb
Free disk space: 37.6658 gb
Totals
Connection count: 0
Queue count: 0
Virtual host count: 1
Listeners
Interface: [::], port: 15672, protocol: http, purpose: HTTP API
Interface: [::], port: 25672, protocol: clustering, purpose: inter-node and CLI tool communication
Interface: [::], port: 5672, protocol: amqp, purpose: AMQP 0-9-1 and AMQP 1.0
Interface: [::], port: 5671, protocol: amqp/ssl, purpose: AMQP 0-9-1 and AMQP 1.0 over TLS

 rabbitmqctl eval 'ssl:versions().'
[{ssl_app,"10.2"},
{supported,['tlsv1.3','tlsv1.2']},
{supported_dtls,['dtlsv1.2']},
{available,['tlsv1.3','tlsv1.2','tlsv1.1',tlsv1]},
{available_dtls,['dtlsv1.2',dtlsv1]},
{implemented,['tlsv1.3','tlsv1.2','tlsv1.1',tlsv1]},
{implemented_dtls,['dtlsv1.2',dtlsv1]}]

I need your help
rabbit@localhost.log
rabbitmq.conf

Wesley Peng

Jan 25, 2021, 3:07:48 AM
to rabbitm...@googlegroups.com
RMQ 3.8.9 doesn't support SSLv3 yet.

fei yu

Jan 25, 2021, 5:26:54 AM
to rabbitmq-users
Thank you for your answer.
My question: is there no upgrade to RabbitMQ? Which version should I upgrade to?

Michal Kuratczyk

Jan 25, 2021, 5:53:52 AM
to rabbitm...@googlegroups.com
You'll see TLS 1.3 added in 3.8.10: https://github.com/rabbitmq/rabbitmq-server/releases/tag/v3.8.10
but please use 3.8.11 (latest).

--
You received this message because you are subscribed to the Google Groups "rabbitmq-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to rabbitmq-user...@googlegroups.com.
To view this discussion on the web, visit https://groups.google.com/d/msgid/rabbitmq-users/11680abc-acff-4cbf-acb7-cf889beb3406n%40googlegroups.com.


--
Michał
RabbitMQ team

fei yu

Jan 25, 2021, 6:05:46 AM
to rabbitmq-users
Okay, let me try. Is my error a TLS 1.3 problem? This error has tormented me for a long time. I started preparing to install 3.8.10, but I saw someone on the forum report that 3.8.10 was not able to use TLS, so I returned to 3.8.9 and installed this version.

fei yu

Jan 25, 2021, 11:14:02 AM
to rabbitmq-users

Hello, I upgraded to 3.8.11, then Erlang 23.2.1. It still doesn't work, and there is not a line of information recorded in the log, as if RabbitMQ is not accessed at all.

[root@localhost ~]# openssl s_client -connect localhost:5671 -cert /root/tls-gen/basic/result/client_certificate.pem -key  /root/tls-gen/basic/result/client_key.pem -CAfile  /root/tls-gen/basic/result/ca_certificate.pem  -state -nbio
Enter pass phrase for /root/tls-gen/basic/result/client_key.pem:
CONNECTED(00000003)
Turned on non blocking io
SSL_connect:before SSL initialization
SSL_connect:SSLv3/TLS write client hello
SSL_connect:error in SSLv3/TLS write client hello
write R BLOCK
SSL_connect:error in SSLv3/TLS write client hello
read:errno=104
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 289 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---

Luke Bakken

Jan 25, 2021, 11:17:22 AM
to rabbitmq-users
Hello,

It's clearly shown in the output that openssl is trying to use SSLv3, which is disabled by default. Please consult the output of openssl s_client -help to see options for specifying other TLS versions.

Thanks,
Luke

fei yu

Jan 25, 2021, 11:26:18 AM
to rabbitmq-users
I specified tls1_2, but it doesn’t seem to work. Did I set it wrong?

openssl s_client -connect localhost:5671 -cert /root/tls-gen/basic/result/client_certificate.pem -key  /root/tls-gen/basic/result/client_key.pem -CAfile  /root/tls-gen/basic/result/ca_certificate.pem  -state -nbio -tls1_2
Enter pass phrase for /root/tls-gen/basic/result/client_key.pem:
CONNECTED(00000003)
Turned on non blocking io
SSL_connect:before SSL initialization
SSL_connect:SSLv3/TLS write client hello
SSL_connect:error in SSLv3/TLS write client hello
write R BLOCK
SSL_connect:error in SSLv3/TLS write client hello
read:errno=104
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 192 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : 0000
    Session-ID: 
    Session-ID-ctx: 
    Master-Key: 
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1611591773
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
---

Luke Bakken

Jan 25, 2021, 11:30:06 AM
to rabbitmq-users
Hello,

At this point you need to confirm that the rabbitmq user can actually read all certificate files as well as all intermediate directories.

Please run these commands as the root user. Capture the command as well as its output:

ls -la /etc/rabbitmq/ssl
ls -la /etc/rabbitmq
ls -la /etc
ls -la /

Thank you,
Luke

fei yu

Jan 25, 2021, 11:35:05 AM
to rabbitmq-users
[root@localhost ~]# ls -la /etc/rabbitmq/ssl
total 12
drwxrwxrwx 2 root rabbitmq   84 Jan 24 12:06 .
drwxr-sr-x 3 root rabbitmq   61 Jan 21 15:45 ..
-rwxrwxrwx 1 root rabbitmq 1212 Jan 25 16:48 ca_certificate.pem
-rwxrwxrwx 1 root rabbitmq 1302 Jan 25 16:48 server_certificate.pem
-rwxrwxrwx 1 root rabbitmq 1874 Jan 25 16:48 server_key.pem
[root@localhost ~]# ls -la /etc/rabbitmq
total 20
drwxr-sr-x   3 root rabbitmq   61 Jan 21 15:45 .
drwxr-xr-x. 85 root root     8192 Jan 25 17:15 ..
-rwxrwxrwx   1 root rabbitmq   23 Jan 24 11:33 enabled_plugins
-rwxrwxrwx   1 root rabbitmq  432 Jan 25 09:18 rabbitmq.conf
drwxrwxrwx   2 root rabbitmq   84 Jan 24 12:06 ssl
[root@localhost ~]# ls -la /etc
total 1168
drwxr-xr-x. 85 root  root       8192 Jan 25 17:15 .
dr-xr-xr-x. 17 root  root        244 Jan 20 22:39 ..
-rw-r--r--.  1 root  root         44 Sep 27  2019 adjtime
-rw-r--r--   1 root  root       1529 May 15  2020 aliases
drwxr-xr-x.  2 root  root        255 Jan 24 11:49 alternatives
-rw-r--r--.  1 root  root        541 Nov  8  2019 anacrontab
drwxr-x---.  4 root  root        100 Apr 24  2020 audit
drwxr-xr-x.  3 root  root        228 Jan 20 22:42 authselect
drwxr-xr-x.  2 root  root         73 Jan 20 22:43 bash_completion.d
-rw-r--r--   1 root  root       3019 May 15  2020 bashrc
-rw-r--r--.  1 root  root        429 Nov  8  2019 bindresvport.blacklist
drwxr-xr-x.  2 root  root          6 Dec 18 00:30 binfmt.d
-rw-r--r--   1 root  root         30 Nov 10 16:49 centos-release
-rw-r--r--   1 root  root         42 Nov 10 16:49 centos-release-upstream
drwxr-xr-x.  2 root  root          6 Apr 27  2020 chkconfig.d
-rw-r--r--.  1 root  root       1085 May 10  2019 chrony.conf
-rw-r-----   1 root  chrony      540 May 10  2019 chrony.keys
drwxr-xr-x.  2 root  root         26 Sep 17 19:31 cifs-utils
drwxr-xr-x   4 root  root         59 Jan 20 22:43 cloud
drwxr-xr-x.  2 root  root         21 Nov  8  2019 cron.d
drwxr-xr-x.  2 root  root         23 May 16  2020 cron.daily
-rw-r--r--.  1 root  root          0 Nov  8  2019 cron.deny
drwxr-xr-x.  2 root  root         22 Jan 20 22:40 cron.hourly
drwxr-xr-x.  2 root  root          6 May 11  2019 cron.monthly
-rw-r--r--.  1 root  root        451 May 11  2019 crontab
drwxr-xr-x.  2 root  root          6 May 11  2019 cron.weekly
drwxr-xr-x.  6 root  root         81 Jan 20 22:40 crypto-policies
-rw-------.  1 root  root          0 Sep 27  2019 crypttab
-rw-r--r--   1 root  root       1629 May 15  2020 csh.cshrc
-rw-r--r--   1 root  root       1078 May 15  2020 csh.login
drwxr-xr-x.  4 root  root         78 Aug  4 21:54 dbus-1
drwxr-xr-x.  3 root  root         16 Sep 27  2019 dconf
drwxr-xr-x.  2 root  root         33 Jan 20 22:40 default
drwxr-xr-x.  2 root  root         23 Jan 20 22:40 depmod.d
drwxr-x---.  3 root  root         45 Jun  2  2020 dhcp
-rw-r--r--.  1 root  root       4536 Apr 27  2020 DIR_COLORS
-rw-r--r--.  1 root  root       5214 Apr 27  2020 DIR_COLORS.256color
-rw-r--r--.  1 root  root       4618 Apr 27  2020 DIR_COLORS.lightbgcolor
drwxr-xr-x.  8 root  root        128 Jan 20 22:39 dnf
-rw-r--r--.  1 root  root        117 Aug 11 23:13 dracut.conf
drwxr-xr-x.  2 root  root         36 Jan 20 22:40 dracut.conf.d
-rw-r--r--.  1 root  root          0 May 15  2020 environment
-rw-r--r--.  1 root  root       1362 Sep 10  2018 ethertypes
-rw-r--r--.  1 root  root          0 Sep 10  2018 exports
-rw-r--r--.  1 root  root         66 Sep 10  2018 filesystems
drwxr-x---.  7 root  root        133 Jan 20 22:40 firewalld
-rw-r--r--.  1 root  root        579 Sep 27  2019 fstab
-rw-r--r--.  1 root  root         38 May 11  2019 fuse.conf
-rw-r--r--   1 root  root         29 Jan 20 22:43 gai.conf
drwxr-xr-x.  2 root  root         25 Jul 20  2020 gcrypt
drwxr-xr-x.  2 root  root          6 May 15  2020 gnupg
-rw-r--r--.  1 root  root         94 May 11  2019 GREP_COLORS
drwxr-xr-x.  4 root  root         40 Sep 27  2019 groff
-rw-r--r--   1 root  root        542 Jan 24 12:26 group
-rw-r--r--.  1 root  root        529 Jan 24 11:26 group-
lrwxrwxrwx.  1 root  root         22 Sep  8 21:00 grub2.cfg -> ../boot/grub2/grub.cfg
drwx------.  2 root  root        288 Jan 20 22:41 grub.d
----------   1 root  root        425 Jan 24 12:26 gshadow
----------.  1 root  root        415 Jan 24 11:26 gshadow-
drwxr-xr-x.  3 root  root         20 Aug 11 21:57 gss
-rw-r--r--.  1 root  root          9 Sep 10  2018 host.conf
-rw-r--r--   1 root  root         10 Jan 24 11:01 hostname
-rw-r--r--.  1 root  root        158 Sep 10  2018 hosts
-rw-r--r--.  1 root  root       4849 Jul 20  2020 idmapd.conf
lrwxrwxrwx   1 root  root         11 Apr 27  2020 init.d -> rc.d/init.d
-rw-r--r--   1 root  root        490 Dec 18 00:30 inittab
-rw-r--r--.  1 root  root        942 Sep 10  2018 inputrc
drwxr-xr-x.  2 root  root        159 Jul 21  2020 iproute2
-rw-r--r--.  1 root  root         23 Nov 10 16:49 issue
-rw-r--r--.  1 root  root         22 Nov 10 16:49 issue.net
drwxr-xr-x   4 root  root         33 Jan 20 22:40 kdump
-rw-r--r--   1 root  root       8484 Jan 20 22:40 kdump.conf
drwxr-xr-x.  4 root  root         41 Dec 18 00:30 kernel
-rw-r--r--   1 root  root        812 Aug 11 21:52 krb5.conf
drwxr-xr-x.  2 root  root         55 Aug 11 21:57 krb5.conf.d
-rw-r--r--   1 root  root      22527 Jan 25 16:42 ld.so.cache
-rw-r--r--.  1 root  root         28 Jul 20  2020 ld.so.conf
drwxr-xr-x.  2 root  root        171 Jan 20 22:40 ld.so.conf.d
-rw-r-----.  1 root  root        191 Nov  4  2019 libaudit.conf
drwxr-xr-x.  2 root  root         35 Apr  7  2020 libnl
drwxr-xr-x.  6 root  root         70 Aug 24 19:47 libreport
drwxr-xr-x   2 root  root         62 Jan 20 22:39 libssh
-rw-r--r--.  1 root  root       2391 Jul 23  2015 libuser.conf
-rw-r--r--.  1 root  root         17 Jan 24 11:01 locale.conf
lrwxrwxrwx   1 root  root         35 Jan 24 12:06 localtime -> ../usr/share/zoneinfo/Europe/Berlin
-rw-r--r--   1 root  root       2512 Aug 12 23:09 login.defs
-rw-r--r--.  1 root  root        438 Feb 19  2018 logrotate.conf
drwxr-xr-x.  2 root  root        164 Jan 24 12:26 logrotate.d
drwxr-xr-x.  6 root  root        100 Jan 20 22:40 lvm
-r--r--r--   1 root  root         33 Jan 20 22:43 machine-id
-rw-r--r--.  1 root  root        111 Jul 21  2020 magic
-rw-r--r--   1 root  root       5122 Jan  4 17:25 makedumpfile.conf.sample
-rw-r--r--.  1 root  root       5165 May 11  2019 man_db.conf
drwxr-xr-x.  3 root  root         32 Jan  4 17:24 microcode_ctl
-rw-r--r--   1 root  root       1108 Jul 17  2020 mke2fs.conf
drwxr-xr-x.  2 root  root         54 Jan 20 22:40 modprobe.d
drwxr-xr-x.  2 root  root          6 Dec 18 00:30 modules-load.d
-rw-r--r--.  1 root  root          0 Sep 10  2018 motd
lrwxrwxrwx.  1 root  root         19 Sep 27  2019 mtab -> ../proc/self/mounts
-rw-r--r--.  1 root  root        767 Nov  8  2019 netconfig
drwxr-xr-x.  7 root  root        134 Jan 20 22:40 NetworkManager
-rw-r--r--.  1 root  root         58 Sep 10  2018 networks
drwx------.  3 root  root         66 Jan 20 22:41 nftables
lrwxrwxrwx   1 root  root         29 Jan 20 22:42 nsswitch.conf -> /etc/authselect/nsswitch.conf
-rw-r--r--.  1 root  root       1498 May 13  2019 nsswitch.conf.bak
-rw-r--r--   1 root  root       2197 Jul 20  2020 nsswitch.conf.rpmnew
drwxr-xr-x   2 root  root          6 Nov  3 17:34 oddjob
-rw-r--r--   1 root  root       4922 Nov  3 17:34 oddjobd.conf
drwxr-xr-x   2 root  root         70 Jan 20 22:40 oddjobd.conf.d
drwxr-xr-x.  3 root  root         36 Jul 20  2020 openldap
drwxr-xr-x.  2 root  root          6 Nov  3 16:22 opt
lrwxrwxrwx   1 root  root         21 Nov 10 16:49 os-release -> ../usr/lib/os-release
drwxr-xr-x.  2 root  root       4096 Jan 20 22:42 pam.d
-rw-r--r--   1 root  root       1298 Jan 24 12:26 passwd
-rw-r--r--.  1 root  root       1231 Jan 24 11:26 passwd-
drwxr-xr-x.  3 root  root         21 Jul  1  2019 pkcs11
drwxr-xr-x.  7 root  root         75 Nov  3 16:22 pki
drwxr-xr-x.  2 root  root         28 Oct  6 16:53 plymouth
drwxr-xr-x.  5 root  root         52 Nov  3 16:22 pm
drwxr-xr-x.  5 root  root         72 Apr  9  2020 polkit-1
drwxr-xr-x.  2 root  root          6 May 11  2019 popt.d
drwxr-xr-x.  2 root  root         24 Jan 20 22:40 prelink.conf.d
-rw-r--r--.  1 root  root        233 Sep 10  2018 printcap
-rw-r--r--   1 root  root       2123 May 15  2020 profile
drwxr-xr-x.  2 root  root       4096 Jan 25 16:42 profile.d
-rw-r--r--.  1 root  root       6568 Sep 10  2018 protocols
-rw-------.  1 root  root          0 Sep 27  2019 .pwd.lock
drwxr-sr-x   3 root  rabbitmq     61 Jan 21 15:45 rabbitmq
lrwxrwxrwx   1 root  root         10 Apr 27  2020 rc0.d -> rc.d/rc0.d
lrwxrwxrwx   1 root  root         10 Apr 27  2020 rc1.d -> rc.d/rc1.d
lrwxrwxrwx   1 root  root         10 Apr 27  2020 rc2.d -> rc.d/rc2.d
lrwxrwxrwx   1 root  root         10 Apr 27  2020 rc3.d -> rc.d/rc3.d
lrwxrwxrwx   1 root  root         10 Apr 27  2020 rc4.d -> rc.d/rc4.d
lrwxrwxrwx   1 root  root         10 Apr 27  2020 rc5.d -> rc.d/rc5.d
lrwxrwxrwx   1 root  root         10 Apr 27  2020 rc6.d -> rc.d/rc6.d
drwxr-xr-x. 10 root  root        127 Aug  4 23:42 rc.d
lrwxrwxrwx   1 root  root         13 Dec 18 00:30 rc.local -> rc.d/rc.local
lrwxrwxrwx   1 root  root         14 Nov 10 16:49 redhat-release -> centos-release
-rw-r-----   1 redis root      62184 Jan 24 12:28 redis.conf
-rw-r-----   1 redis root       9746 May  7  2020 redis-sentinel.conf
-rw-r--r--   1 root  root         82 Jan 25 17:15 resolv.conf
drwxr-xr-x.  3 root  root         24 Sep 27  2019 rhsm
-rw-r--r--.  1 root  root       1634 Aug  1  2018 rpc
drwxr-xr-x.  2 root  root         25 Jul 21  2020 rpm
-rw-r--r--   1 root  root       3186 Jul 21  2020 rsyslog.conf
drwxr-xr-x.  2 root  root         31 Jan 20 22:43 rsyslog.d
drwxr-xr-x.  2 root  root         35 Sep 17 19:31 rwtab.d
drwxr-xr-x.  2 root  root          6 May 16  2020 sasl2
drwxr-xr-x.  7 root  root       4096 Jan 20 22:40 security
drwxr-xr-x.  3 root  root         57 Jul 21  2020 selinux
-rw-r--r--   1 root  root     692252 May 15  2020 services
-rw-r--r--.  1 root  root        216 Apr 24  2020 sestatus.conf
----------   1 root  root        726 Jan 24 12:26 shadow
----------.  1 root  root        705 Jan 24 11:26 shadow-
-rw-r--r--.  1 root  root         44 Sep 10  2018 shells
drwxr-xr-x.  2 root  root         62 Jan 20 22:39 skel
drwxr-xr-x.  3 root  root       4096 Jan 20 22:43 ssh
drwxr-xr-x.  2 root  root         19 Jan 20 22:40 ssl
drwx------.  4 sssd  sssd         31 Sep 17 19:31 sssd
-rw-r--r--.  1 root  root          0 Sep 10  2018 subgid
-rw-r--r--.  1 root  root          0 Sep 10  2018 subuid
-rw-r-----.  1 root  root       1786 May 18  2020 sudo.conf
-r--r-----.  1 root  root       4328 May 18  2020 sudoers
drwxr-x---.  2 root  root          6 May 18  2020 sudoers.d
-rw-r-----.  1 root  root       3181 May 18  2020 sudo-ldap.conf
drwxr-xr-x.  6 root  root       4096 Jan 20 22:40 sysconfig
-rw-r--r--.  1 root  root        449 Dec 18 00:30 sysctl.conf
drwxr-xr-x.  2 root  root         28 Dec 18 00:30 sysctl.d
drwxr-xr-x.  4 root  root        150 Jan 20 22:40 systemd
lrwxrwxrwx   1 root  root         14 Nov 10 16:49 system-release -> centos-release
-rw-r--r--.  1 root  root         23 Nov 10 16:49 system-release-cpe
-rw-------.  1 tss   tss        7046 Dec 13  2019 tcsd.conf
drwxr-xr-x.  2 root  root          6 May 11  2019 terminfo
drwxr-xr-x.  2 root  root          6 Dec 18 00:30 tmpfiles.d
drwxr-xr-x.  3 root  root        136 Jan 20 22:40 tuned
drwxr-xr-x.  4 root  root         68 Jan 24 11:01 udev
drwxr-xr-x.  2 root  root         45 Jan 20 22:40 unbound
-rw-r--r--   1 root  root        208 Jan 20 22:39 .updated
-rw-r--r--.  1 root  root         28 Sep 27  2019 vconsole.conf
-rw-r--r--.  1 root  root       1204 Jun 18  2020 virc
drwxr-xr-x.  4 root  root        208 Jan 20 22:41 vmware-tools
-rw-r--r--.  1 root  root       4925 Apr 27  2020 wgetrc
drwxr-xr-x.  6 root  root         70 Nov  3 16:22 X11
-rw-r--r--.  1 root  root        642 Dec  9  2016 xattr.conf
drwxr-xr-x.  4 root  root         38 Nov  3 16:22 xdg
drwxr-xr-x.  2 root  root          6 Nov  3 16:22 xinetd.d
drwxr-xr-x.  2 root  root         57 Jan 20 22:40 yum
lrwxrwxrwx   1 root  root         12 Aug  4 20:51 yum.conf -> dnf/dnf.conf
drwxr-xr-x.  2 root  root       4096 Jan 24 11:14 yum.repos.d
[root@localhost ~]# ls -la /
total 20
dr-xr-xr-x.  17 root root  244 Jan 20 22:39 .
dr-xr-xr-x.  17 root root  244 Jan 20 22:39 ..
-rw-r--r--    1 root root    0 Jan 20 22:38 .autorelabel
lrwxrwxrwx    1 root root    7 Nov  3 16:22 bin -> usr/bin
dr-xr-xr-x.   5 root root 4096 Jan 20 22:42 boot
drwxr-xr-x   19 root root 3000 Jan 25 17:15 dev
drwxr-xr-x.  85 root root 8192 Jan 25 17:15 etc
drwxr-xr-x.   2 root root    6 Nov  3 16:22 home
lrwxrwxrwx    1 root root    7 Nov  3 16:22 lib -> usr/lib
lrwxrwxrwx    1 root root    9 Nov  3 16:22 lib64 -> usr/lib64
drwxr-xr-x.   2 root root    6 Nov  3 16:22 media
drwxr-xr-x.   2 root root    6 Nov  3 16:22 mnt
drwxr-xr-x.   2 root root    6 Nov  3 16:22 opt
dr-xr-xr-x  211 root root    0 Jan 25 17:15 proc
dr-xr-x---.   4 root root  232 Jan 25 16:39 root
drwxr-xr-x   26 root root  740 Jan 25 17:16 run
lrwxrwxrwx    1 root root    8 Nov  3 16:22 sbin -> usr/sbin
drwxr-xr-x.   2 root root    6 Nov  3 16:22 srv
dr-xr-xr-x   13 root root    0 Jan 25 17:15 sys
drwxrwxrwt.  13 root root 4096 Jan 25 17:16 tmp
drwxr-xr-x.  12 root root  144 Jan 20 22:39 usr
drwxr-xr-x.  20 root root  278 Jan 24 11:01 var

fei yu

Jan 25, 2021, 11:40:52 AM
to rabbitmq-users
After I installed it, I set the permissions of the entire /etc/rabbitmq directory and its files to 777. I installed my version with yum install rabbitmq-server-3.8.9-1.el8.noarch.rpm, and then updated with yum update rabbitmq-server-3.8.11-1.el8.noarch.rpm.

Luke Bakken

Jan 25, 2021, 11:45:06 AM
to rabbitmq-users
Hi,

Thanks. The permissions look correct.

I assume that you're using CentOS 8. Is that correct? How did you acquire or install this version? I would like to test using the same operating system and assume I can use this - https://app.vagrantup.com/generic/boxes/centos8

Did you generate the certificates on this CentOS server or a different machine?

Could you please restart the RabbitMQ service one more time and re-run the test. At this point I don't know what is going on.

Thanks,
Luke

fei yu

Jan 25, 2021, 12:08:34 PM
to rabbitmq-users
Yes, my system is CentOS 8, which is the system I chose when I purchased the server.
I generated the certificate on this server, using git clone https://github.com/michaelklishin/tls-gen tls-gen.
I used the openssl service on 8443 from the example. That test has no problem; it can send and receive messages. However, RabbitMQ on 5671 cannot be used.
I hope you can help me solve this problem, because I have been working on it for 3 weeks and it still cannot be solved.
Thank you very much.

I just restarted the server; there seems to be an error in the log:
2021-01-25 18:00:44.559 [info] <0.273.0> Running boot step recovery defined by app rabbit
2021-01-25 18:00:44.560 [error] <0.273.0> Discarding message {'$gen_cast',{force_event_refresh,#Ref<0.3555549143.3609198593.144859>}} from <0.273.0> to <0.1872.0> in an old incarnation (1611591359) of this node (1611594038)

2021-01-25 18:00:44.561 [info] <0.490.0> Making sure data directory'/var/lib/rabbitmq/mnesia/rabbit@localhost/msg_stores/vhosts/628WB79CIFDYO9LJI6DKMI09L' for vhost'/' exists
2021-01-25 18:00:44.563 [error] emulator Discarding message {'$gen_cast',{force_event_refresh,#Ref<0.3555549143.3609198593.144859>}} from <0.273.0> to <0.1872.0> in an old incarnation (1611591359) of this node (1611594038)

2021-01-25 18:00:44.568 [info] <0.490.0> Starting message stores for vhost'/'

Luke Bakken

Jan 25, 2021, 12:14:17 PM
to rabbitmq-users
Hello,

Please share the exact commands you used to install Erlang and RabbitMQ. The reason I ask is that it will assist me in setting up a similar environment.

You can disregard those log messages.

Thanks,
Luke

fei yu

Jan 25, 2021, 12:26:45 PM
to rabbitmq-users

1. Add rabbitmq_erlang.repo content in /etc/yum.repos.d
[rabbitmq_erlang]
name=rabbitmq_erlang
repo_gpgcheck=1
gpgcheck=1
enabled=1
# PackageCloud's repository key and RabbitMQ package signing key
sslverify=1
sslcacert=/etc/pki/tls/certs/ca-bundle.crt
metadata_expire=300
 
[rabbitmq_erlang-source]
name=rabbitmq_erlang-source
repo_gpgcheck=1
gpgcheck=0
enabled=1
# PackageCloud's repository key and RabbitMQ package signing key
sslverify=1
sslcacert=/etc/pki/tls/certs/ca-bundle.crt
metadata_expire=300

yum install erlang

3. Manually download rabbitmq-server-3.8.9-1.el8.noarch.rpm
4. yum install rabbitmq-server-3.8.9-1.el8.noarch.rpm
6. yum install -y python36
7. cd tls-gen/basic
make PASSWORD=bunnies
make verify
make info
8. Manually download rabbitmq-server-3.8.11-1.el8.noarch.rpm
9. yum update rabbitmq-server-3.8.11-1.el8.noarch.rpm
10. rabbitmq.conf

listeners.tcp.listeners = 5772
listeners.ssl.default = 5671

ssl_options.cacertfile = /etc/rabbitmq/ssl/ca_certificate.pem
ssl_options.certfile = /etc/rabbitmq/ssl/server_certificate.pem
ssl_options.keyfile = /etc/rabbitmq/ssl/server_key.pem

management.tcp.port = 15672
ssl_options.verify = verify_peer
ssl_options.fail_if_no_peer_cert = false

# Logging
log.connection.level = info
log.channel.level = error

fei yu

Jan 25, 2021, 12:33:28 PM
to rabbitmq-users
[root@localhost ~]# openssl version -a
OpenSSL 1.1.1g FIPS  21 Apr 2020
built on: Thu Dec 17 22:42:55 2020 UTC
platform: linux-x86_64
options:  bn(64,64) md2(char) rc4(16x,int) des(int) idea(int) blowfish(ptr) 
compiler: gcc -fPIC -pthread -m64 -Wa,--noexecstack -Wall -O3 -O2 -g -pipe -Wall -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -Wp,-D_GLIBCXX_ASSERTIONS -fexceptions -fstack-protector-strong -grecord-gcc-switches -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 -m64 -mtune=generic -fasynchronous-unwind-tables -fstack-clash-protection -fcf-protection -Wa,--noexecstack -Wa,--generate-missing-build-notes=yes -specs=/usr/lib/rpm/redhat/redhat-hardened-ld -DOPENSSL_USE_NODELETE -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_ASM -DRC4_ASM -DMD5_ASM -DAESNI_ASM -DVPAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DX25519_ASM -DPOLY1305_ASM -DZLIB -DNDEBUG -DPURIFY -DDEVRANDOM="\"/dev/urandom\"" -DSYSTEM_CIPHERS_FILE="/etc/crypto-policies/back-ends/openssl.config"
OPENSSLDIR: "/etc/pki/tls"
ENGINESDIR: "/usr/lib64/engines-1.1"
Seeding source: os-specific
engines:  rdrand dynamic 

Luke Bakken

Jan 25, 2021, 12:51:26 PM
to rabbitm...@googlegroups.com
Hello,

Thank you for the complete set of information. I have set up RabbitMQ
3.8.11 and can't reproduce your issue. TLS works correctly.

The attached file shows a complete transcript of how I installed
Erlang and RabbitMQ on CentOS 8. Compare it with your procedure.

Thanks,
Luke
transcript.txt
Vagrantfile

fei yu

Jan 25, 2021, 1:04:53 PM
to rabbitmq-users
Okay, I will configure it in your way right away, hoping for good results.
How do I use Vagrant? Do I need to configure it too? Or just use the default CentOS 8?

Luke Bakken

Jan 25, 2021, 1:06:50 PM
to rabbitmq-users
Hello,

You should be able to start with your existing CentOS 8 installation method. I don't know how you're starting.

One step that did not get captured in the output is that I ran "yum upgrade" after bringing the VM up the first time. I then rebooted, and started with the commands in the transcript.txt file.

Thanks,
Luke

fei yu

Jan 25, 2021, 1:10:56 PM
to rabbitmq-users
Okay, then I will reset the CentOS 8 system. Let's start.

fei yu

Jan 25, 2021, 2:19:38 PM
to rabbitmq-users
Hello there.
I set it up your way and it can be accessed through openssl, but I found a problem. When no password is set during "make", access works. But after setting the password, e.g.
"Make PASSWORD=Tijj21024102! DAYS_OF_VALIDITY = 36500 CN = 127.0.0.1", the error I reported at the start appears. I also tried just removing the password, such as "make DAYS_OF_VALIDITY = 36500 CN = 127.0.0.1", and this is also normal. What is the problem?

fei yu

Jan 25, 2021, 3:13:25 PM
to rabbitmq-users
I saw that I need to configure a password, "ssl_options.password", but now I have encountered a new problem. I copied the Java client example:
  KeyManagerFactory kmf = KeyManagerFactory.getInstance("SunX509");
       kmf.init(ks, passphrase);
The variable "passphrase" is undefined.
Then I was also prompted with
"No subject alternative names matching IP address 212.227.215.222 found".
What parameters should I specify when running "make" for this?
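
The cause reported in the post above (a passphrase-protected server key with no ssl_options.password in rabbitmq.conf) can be checked before restarting the broker. The script below is an added example, not part of the thread or of RabbitMQ; the function names and status words are assumptions, and the sample key body is a constructed placeholder.

```shell
#!/bin/sh
# Added example (not from the thread): pre-flight check for a passphrase-
# protected TLS key that rabbitmq.conf gives no ssl_options.password for.
# In this thread that combination showed up as a reset during the handshake.

# conf_get FILE KEY: print the last value assigned to KEY ("key = value" lines).
conf_get() {
    awk -v key="$2" '
        /^[ \t]*#/ { next }                      # skip comment lines
        {
            eq = index($0, "=")
            if (eq == 0) next
            k = substr($0, 1, eq - 1)
            v = substr($0, eq + 1)               # value may itself contain "="
            gsub(/^[ \t]+|[ \t]+$/, "", k)
            gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key) val = v
        }
        END { if (val != "") print val }
    ' "$1"
}

# key_is_encrypted FILE: succeed if the PEM is passphrase-protected, either
# PKCS#8 ("ENCRYPTED PRIVATE KEY") or traditional ("Proc-Type: 4,ENCRYPTED").
key_is_encrypted() {
    grep -Eq -e '^-----BEGIN ENCRYPTED PRIVATE KEY-----' \
             -e '^Proc-Type: 4,ENCRYPTED' "$1"
}

# key_mode_status FILE: print world-writable, world-readable or restricted.
key_mode_status() {
    if [ -n "$(find -L "$1" -prune -perm -002)" ]; then echo world-writable
    elif [ -n "$(find -L "$1" -prune -perm -004)" ]; then echo world-readable
    else echo restricted
    fi
}

# check_tls_key CONF: print one status word; return 0 only when the key named
# by ssl_options.keyfile can be loaded with what the config file provides.
check_tls_key() {
    keyfile=$(conf_get "$1" ssl_options.keyfile)
    password=$(conf_get "$1" ssl_options.password)
    if [ -z "$keyfile" ]; then echo no-keyfile; return 1; fi
    if [ ! -r "$keyfile" ]; then echo key-unreadable; return 1; fi
    if key_is_encrypted "$keyfile"; then
        if [ -z "$password" ]; then echo encrypted-key-no-password; return 1; fi
        echo encrypted-key-password-set
    else
        echo plain-key
    fi
    return 0
}

# Demo on constructed sample files (placeholder key body, not a real key).
demo() {
    dir=$(mktemp -d) || return 1
    printf '%s\n' '-----BEGIN ENCRYPTED PRIVATE KEY-----' \
        'CONSTRUCTEDPLACEHOLDER' \
        '-----END ENCRYPTED PRIVATE KEY-----' > "$dir/server_key.pem"
    chmod 777 "$dir/server_key.pem"   # same mode as in the thread's ls output
    printf '%s\n' 'listeners.ssl.default = 5671' \
        "ssl_options.keyfile = $dir/server_key.pem" > "$dir/rabbitmq.conf"
    echo "before: $(check_tls_key "$dir/rabbitmq.conf")," \
         "key mode $(key_mode_status "$dir/server_key.pem")"
    echo 'ssl_options.password = constructed-passphrase' >> "$dir/rabbitmq.conf"
    chmod 640 "$dir/server_key.pem"
    echo "after:  $(check_tls_key "$dir/rabbitmq.conf")," \
         "key mode $(key_mode_status "$dir/server_key.pem")"
    rm -rf "$dir"
}
demo
```

Once ssl_options.password is present, rabbitmq.conf itself holds a secret, so it needs the same restrictive ownership and mode as the key file.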

Luke Bakken

Jan 25, 2021, 3:15:37 PM
to rabbitmq-users
Hello,

Because this is a new problem, please start a new discussion. Also, please keep in mind this isn't a Java support channel.

You should share all of the code you are trying to use in your new discussion. Two lines are insufficient.

Thanks,
Luke

fei yu

Jan 25, 2021, 4:18:56 PM
to rabbitmq-users
Okay, for the Java client, I copied the example and commented out factory.enableHostnameVerification() so it won’t prompt this error.
Everything looks fine now.
Thank you very much for solving this long-term trouble that has bothered me.
Thank you very much.