Hi,
I am facing an SSL connect error.
Check SSL support in Erlang:
1> ssl:versions().
[{ssl_app,"5.3.3"},
{supported,['tlsv1.2','tlsv1.1',tlsv1,sslv3]},
{available,['tlsv1.2','tlsv1.1',tlsv1,sslv3]}]
Check keys and certificates with OpenSSL
Working fine, i.e. all certificates are valid as per the openssl connection.
Check broker is listening
Yes
Attempt SSL connection to broker
CONNECTED(00000003)
depth=1 C = US, ST = California, L = Palo Alto, O = HPE, CN = HPE Certificate Authority
verify return:1
verify return:1
---
Certificate chain
i:/C=US/ST=California/L=Palo Alto/O=HPE/CN=HPE Certificate Authority
1 s:/C=US/ST=California/L=Palo Alto/O=HPE/CN=HPE Certificate Authority
i:/C=US/ST=California/L=Palo Alto/O=HPE/CN=HPE Certificate Authority
---
Server certificate
issuer=/C=US/ST=California/L=Palo Alto/O=HPE/CN=HPE Certificate Authority
---
Acceptable client certificate CA names
/C=US/ST=California/L=Palo Alto/O=HPE/CN=HPE Certificate Authority
Server Temp Key: DH, 1024 bits
---
SSL handshake has read 4086 bytes and written 2839 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1.2
Cipher : DHE-RSA-AES256-SHA256
Session-ID: 3FF49ED03F65C2C41CB15E3EE7648CF59B80455949CB8C8AEC16CA96312CD242
Session-ID-ctx:
Master-Key: DA45A97200097ED97060E52627274CBB5EBA3812F17C6FB8E7BCB67BA9900EDCDC210A113BA1EF9D1AACFB189D1C4F62
Key-Arg : None
Krb5 Principal: None
PSK identity: None
PSK identity hint: None
Start Time: 1453365909
Timeout : 300 (sec)
Verify return code: 0 (ok)
---
closed
---
Certificate chain
i:/C=US/ST=California/L=Palo Alto/O=HPE/CN=HPE Certificate Authority
1 s:/C=US/ST=California/L=Palo Alto/O=HPE/CN=HPE Certificate Authority
i:/C=US/ST=California/L=Palo Alto/O=HPE/CN=HPE Certificate Authority
---
Server certificate
issuer=/C=US/ST=California/L=Palo Alto/O=HPE/CN=HPE Certificate Authority
---
Acceptable client certificate CA names
/C=US/ST=California/L=Palo Alto/O=HPE/CN=HPE Certificate Authority
Server Temp Key: DH, 1024 bits
---
SSL handshake has read 4155 bytes and written 2908 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1.2
Cipher : DHE-RSA-AES256-SHA256
Session-ID: 3FF49ED03F65C2C41CB15E3EE7648CF59B80455949CB8C8AEC16CA96312CD242
Session-ID-ctx:
Master-Key: DA45A97200097ED97060E52627274CBB5EBA3812F17C6FB8E7BCB67BA9900EDCDC210A113BA1EF9D1AACFB189D1C4F62
Key-Arg : None
Krb5 Principal: None
PSK identity: None
PSK identity hint: None
Start Time: 1453365909
Timeout : 300 (sec)
Verify return code: 0 (ok)
---
I get the error log ...
=INFO REPORT==== 21-Jan-2016::06:49:42 ===
=ERROR REPORT==== 21-Jan-2016::06:49:42 ===
SSL: certify: tls_connection.erl:375:Fatal error: certificate unknown
=INFO REPORT==== 21-Jan-2016::06:49:42 ===
=ERROR REPORT==== 21-Jan-2016::06:49:42 ===
SSL: certify: tls_connection.erl:375:Fatal error: certificate unknown
=ERROR REPORT==== 21-Jan-2016::06:49:42 ===
SSL: certify: tls_connection.erl:375:Fatal error: certificate unknown
=INFO REPORT==== 21-Jan-2016::06:49:42 ===
=INFO REPORT==== 21-Jan-2016::06:49:42 ===
=ERROR REPORT==== 21-Jan-2016::06:49:42 ===
SSL: certify: tls_connection.erl:375:Fatal error: certificate unknown
=ERROR REPORT==== 21-Jan-2016::06:49:42 ===
SSL: certify: tls_connection.erl:375:Fatal error: certificate unknown
=INFO REPORT==== 21-Jan-2016::06:49:43 ===
=INFO REPORT==== 21-Jan-2016::06:49:43 ===
=ERROR REPORT==== 21-Jan-2016::06:49:43 ===
SSL: certify: tls_connection.erl:375:Fatal error: certificate unknown
=ERROR REPORT==== 21-Jan-2016::06:49:43 ===
SSL: certify: tls_connection.erl:375:Fatal error: certificate unknown
=ERROR REPORT==== 21-Jan-2016::06:49:45 ===
error on AMQP connection <0.7671.0>: {ssl_upgrade_error,
{tls_alert,"certificate unknown"}} (unknown POSIX error)
=ERROR REPORT==== 21-Jan-2016::06:49:46 ===
error on AMQP connection <0.7676.0>: {ssl_upgrade_error,
{tls_alert,"certificate unknown"}} (unknown POSIX error)
=ERROR REPORT==== 21-Jan-2016::06:49:47 ===
error on AMQP connection <0.7681.0>: {ssl_upgrade_error,
{tls_alert,"certificate unknown"}} (unknown POSIX error)
=ERROR REPORT==== 21-Jan-2016::06:49:47 ===
error on AMQP connection <0.7686.0>: {ssl_upgrade_error,
{tls_alert,"certificate unknown"}} (unknown POSIX error)
=ERROR REPORT==== 21-Jan-2016::06:49:47 ===
error on AMQP connection <0.7691.0>: {ssl_upgrade_error,
{tls_alert,"certificate unknown"}} (unknown POSIX error)
=ERROR REPORT==== 21-Jan-2016::06:49:47 ===
error on AMQP connection <0.7696.0>: {ssl_upgrade_error,
{tls_alert,"certificate unknown"}} (unknown POSIX error)
=INFO REPORT==== 21-Jan-2016::06:49:47 ===
=INFO REPORT==== 21-Jan-2016::06:49:47 ===
=ERROR REPORT==== 21-Jan-2016::06:49:47 ===
error on AMQP connection <0.7701.0>: {ssl_upgrade_error,
{tls_alert,"certificate unknown"}} (unknown POSIX error)
=ERROR REPORT==== 21-Jan-2016::06:49:47 ===
error on AMQP connection <0.7706.0>: {ssl_upgrade_error,
{tls_alert,"certificate unknown"}} (unknown POSIX error)
=ERROR REPORT==== 21-Jan-2016::06:49:48 ===
SSL: certify: tls_connection.erl:375:Fatal error: certificate unknown
=ERROR REPORT==== 21-Jan-2016::06:49:48 ===
SSL: certify: tls_connection.erl:375:Fatal error: certificate unknown
=INFO REPORT==== 21-Jan-2016::06:49:48 ===
=ERROR REPORT==== 21-Jan-2016::06:49:48 ===
error on AMQP connection <0.7711.0>: {ssl_upgrade_error,
{tls_alert,"certificate unknown"}} (unknown POSIX error)
=ERROR REPORT==== 21-Jan-2016::06:49:48 ===
error on AMQP connection <0.7716.0>: {ssl_upgrade_error,
{tls_alert,"certificate unknown"}} (unknown POSIX error)
=ERROR REPORT==== 21-Jan-2016::06:49:48 ===
Other details
[{pid,23835},
{running_applications,
[{rabbitmq_management,"RabbitMQ Management Console","3.1.5"},
{rabbitmq_web_dispatch,"RabbitMQ Web Dispatcher","3.1.5"},
{webmachine,"webmachine","1.10.3-rmq3.1.5-gite9359c7"},
{mochiweb,"MochiMedia Web Server","2.7.0-rmq3.1.5-git680dba8"},
{rabbitmq_management_agent,"RabbitMQ Management Agent","3.1.5"},
{rabbit,"RabbitMQ","3.1.5"},
{ssl,"Erlang/OTP SSL application","5.3.3"},
{public_key,"Public key infrastructure","0.21"},
{crypto,"CRYPTO version 2","3.2"},
{asn1,"The Erlang ASN1 compiler version 2.0.4","2.0.4"},
{os_mon,"CPO CXC 138 46","2.2.14"},
{inets,"INETS CXC 138 49","5.9.8"},
{mnesia,"MNESIA CXC 138 12","4.11"},
{amqp_client,"RabbitMQ AMQP Client","3.1.5"},
{rabbitmq_auth_mechanism_ssl,
"RabbitMQ SSL authentication (SASL EXTERNAL)","3.1.5"},
{xmerl,"XML parser","1.3.6"},
{sasl,"SASL CXC 138 11","2.3.4"},
{stdlib,"ERTS CXC 138 10","1.19.4"},
{kernel,"ERTS CXC 138 10","2.16.4"}]},
{os,{unix,linux}},
{erlang_version,
"Erlang R16B03-1 (erts-5.10.4) [source] [64-bit] [smp:2:2] [async-threads:30] [hipe] [kernel-poll:true]\n"},
Does anyone face this issue?
How can I troubleshoot this issue further?
FYI: rabbit is running on CentOS 6.5 with very restricted access in the data center.
Thanks,
Rafiq