AWS NLB TLS termination -- connection timeout


Liwen Zhao

Jul 20, 2023, 2:35:36 PM
to Pika
Hi,

I have a RabbitMQ cluster running in an AWS EKS cluster, exposed by a Network Load Balancer.

It works with TCP port 5672; all connections are fine.

After I enabled TLS on the NLB:
1. Attached a certificate from ACM to the NLB.
2. The NLB listener changed from TCP 5672 to TLS 5672.
3. TLS should be terminated on the NLB; RabbitMQ didn't change, and nothing changed for the NLB-to-RabbitMQ traffic.
4. The certificate is issued by ACM, so I can't export it.
5. The traffic should look like:
client   ---TLS 5672--->   NLB   ---TCP 5672--->   RabbitMQ

Here's the troubleshooting:
1. All traffic gets terminated at the NLB; RabbitMQ can't get any traffic from outside or from the NLB.
2. Checked the NLB access log: there is no TLS-related info, such as cert_info or tls_cipher_info, so it seems the TLS negotiation failed.
3. Here's the pika code used to connect to the NLB; it gets a timeout in the TLS case:
import pika
credentials = pika.PlainCredentials('xxxx-user', 'xxxxxxx')
# no ssl_options set, so pika speaks plain (cleartext) AMQP on this connection
parameters = pika.ConnectionParameters('rabbitmq.xxxxxxxx', 5672, 'xxxx-vhost', credentials)
connection = pika.BlockingConnection(parameters)

QQ: How can I connect to RabbitMQ in this TLS case?

Regards,
Liwen Zhao

Liwen Zhao

Jul 20, 2023, 8:13:41 PM
to Pika
Hi,

Seems I found a way to make it work:
import pika, ssl
context = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
# check_hostname must be cleared before verify_mode can be changed
context.check_hostname = False
# CERT_NONE disables server certificate verification entirely
context.verify_mode = ssl.CERT_NONE

parameters = pika.ConnectionParameters(
    host="rabbitmq.xxxxxxxxx",
    port=5672,
    heartbeat=150,
    ssl_options=pika.SSLOptions(context),
    virtual_host="xxxxxx-vhost",
    channel_max=10,
    credentials=pika.PlainCredentials('xxxx-user', 'xxxxxxxx'),
    client_properties={'connection_name': 'Pika connection with TLS, channel_max'})
connection = pika.BlockingConnection(parameters)


