AWS NLB TLS termination -- connection timeout


Liwen Zhao

Jul 20, 2023, 2:35:36 PM
to Pika
Hi,

I have a RabbitMQ cluster running on an AWS EKS cluster, exposed by a Network Load Balancer.

It works with TCP port 5672; all connections are fine.

After I enabled TLS on the NLB:
1. Attached a certificate from ACM to the NLB.
2. Changed the NLB listener from TCP 5672 to TLS 5672.
3. TLS should be terminated at the NLB; RabbitMQ didn't change, and nothing changed in the NLB-to-RabbitMQ traffic.
4. The certificate is issued by ACM, so I can't export it.
5. The traffic should look like:
client   ---TLS 5672--->   NLB   ---TCP 5672--->   RabbitMQ

Here's the troubleshooting:
1. All traffic gets terminated at the NLB; RabbitMQ can't get any traffic from outside or from the NLB.
2. Checked the NLB access log: there is no TLS-related info, such as cert_info or tls_cypher_info, so it seems the TLS negotiation failed.
3. Here's the pika code used to connect to the NLB; it times out in the TLS case:
import pika
credentials = pika.PlainCredentials('xxxx-user', 'xxxxxxx')
# No ssl_options: pika opens a plain TCP connection and sends cleartext AMQP
# to a listener that now expects a TLS handshake first
parameters = pika.ConnectionParameters('rabbitmq.xxxxxxxx', 5672, 'xxxx-vhost', credentials)
connection = pika.BlockingConnection(parameters)

QQ: How can I connect to RabbitMQ in this TLS case?

Regards,
Liwen Zhao

Liwen Zhao

Jul 20, 2023, 8:13:41 PM
to Pika
Hi,

It seems I found a way to make it work:
import pika, ssl

# Client-side TLS context for the NLB listener
context = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
context.check_hostname = False
# verify_mode takes an ssl.VerifyMode value, not a bool; CERT_NONE disables
# verification of the certificate the NLB presents
context.verify_mode = ssl.CERT_NONE

parameters = pika.ConnectionParameters(
    host="rabbitmq.xxxxxxxxx",
    port=5672,  # the NLB's TLS listener is on 5672 in this setup
    heartbeat=150,
    ssl_options=pika.SSLOptions(context),  # tells pika to wrap the socket in TLS
    virtual_host="xxxxxx-vhost",
    channel_max=10,
    credentials=pika.PlainCredentials('xxxx-user', 'xxxxxxxx'),
    client_properties={'connection_name': 'Pika connection with TLS, channel_max'})
connection = pika.BlockingConnection(parameters)



Manoj

Jan 16, 2025, 4:43:46 PM
to Pika
Hi Liwen and Pika - 

I'm in the same scenario as you are.
Our RabbitMQ is hosted on EKS on AWS. They recently enabled SSL on the Rabbit connection at the NLB level on port 5671;
our team's apps reside in a different AWS account on a different EKS. How can I connect to this new SSL-enabled Rabbit host
from my apps?


The flow is as below:

Client --TLS 5671--- NLB (SSL enabled 5671) ---TCP 5672--- RabbitMQ

How can I get this working? I'm getting the below error:
_do_ssl_handshake self._sock.do_handshake() File "/usr/local/lib/python3.9/ssl.py", line 1343, in do_handshake self._sslobj.do_handshake() ssl.SSLEOFError: EOF occurred in violation of protocol (_ssl.c:1147)

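The working configuration above turns certificate and hostname verification off. As an added example (not code from either poster), here is a client setup that keeps verification on against the NLB's ACM certificate, plus a pre-flight probe that sorts the failures seen in this thread (timeout, SSLEOFError, certificate errors) by the layer that failed. Host, vhost and credential values are placeholders.

```python
import socket
import ssl

def make_client_tls_context(cafile=None):
    """Verifying client context. ACM public certs chain to Amazon Trust Services
    roots, present in current OS trust stores; pass cafile only for a private CA."""
    ctx = ssl.create_default_context(cafile=cafile)  # CERT_REQUIRED + hostname check
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx

def classify_tls_failure(exc):
    """Map the errors seen in this thread to the layer that failed."""
    if isinstance(exc, ssl.SSLCertVerificationError):
        return "cert-verify"    # chain/hostname mismatch: fix CA or SNI, don't disable checks
    if isinstance(exc, ssl.SSLEOFError):
        return "handshake-eof"  # peer hung up mid-handshake: listener not TLS or no healthy target
    if isinstance(exc, ssl.SSLError):
        return "tls-error"
    if isinstance(exc, (socket.timeout, TimeoutError)):
        return "timeout"        # silence: wrong port/security group, or plaintext AMQP to a TLS listener
    return "other"

def probe_tls_endpoint(host, port, ctx, timeout=5.0):
    """Handshake with the NLB only (no AMQP) and report what it presented."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                subject = tls.getpeercert().get("subject", ())
                return {"ok": True, "version": tls.version(),
                        "subject": dict(rdn[0] for rdn in subject)}
    except OSError as exc:  # ssl.SSLError and socket.timeout are OSError subclasses
        return {"ok": False, "category": classify_tls_failure(exc), "detail": str(exc)}

def pika_parameters(host, port, vhost, user, password, ctx):
    """Pika parameters that verify the NLB certificate instead of turning checks off."""
    import pika  # local import so the probe works on hosts without pika installed
    return pika.ConnectionParameters(
        host=host, port=port, virtual_host=vhost, heartbeat=150,
        credentials=pika.PlainCredentials(user, password),
        ssl_options=pika.SSLOptions(ctx, server_hostname=host))

def demo_classifications():
    """Constructed exceptions matching the two errors reported in the thread."""
    return {"liwen_plain_tcp": classify_tls_failure(socket.timeout("timed out")),
            "manoj_eof": classify_tls_failure(
                ssl.SSLEOFError("EOF occurred in violation of protocol (_ssl.c:1147)"))}
```

Run `probe_tls_endpoint("rabbitmq.example", 5671, make_client_tls_context())` before touching pika: an `ok` result means the NLB listener and certificate are fine and any remaining problem is on the AMQP side.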