SSL connection error.. {tls_alert,"certificate unknown"}


Rafiq Ahmed

Jan 21, 2016, 3:57:29 AM
to rabbitmq-discuss
Hi,
I am facing an SSL connect error.

I have followed all the steps given in https://www.rabbitmq.com/troubleshooting-ssl.html

Check SSL support in Erlang:


1> ssl:versions().
[{ssl_app,"5.3.3"},
 {supported,['tlsv1.2','tlsv1.1',tlsv1,sslv3]},
 {available,['tlsv1.2','tlsv1.1',tlsv1,sslv3]}]


Check keys and certificates with OpenSSL

Working fine, i.e. all certificates are valid as per the openssl connection.

Check broker is listening

Yes

Attempt SSL connection to broker


CONNECTED(00000003)
depth=1 C = US, ST = California, L = Palo Alto, O = HPE, CN = HPE Certificate Authority
verify return:1
depth=0 C = US, ST = California, O = HPE, CN = devbox.devlab.com
verify return:1
---
Certificate chain
 0 s:/C=US/ST=California/O=HPE/CN=devbox.devlab.com
   i:/C=US/ST=California/L=Palo Alto/O=HPE/CN=HPE Certificate Authority
 1 s:/C=US/ST=California/L=Palo Alto/O=HPE/CN=HPE Certificate Authority
   i:/C=US/ST=California/L=Palo Alto/O=HPE/CN=HPE Certificate Authority
---
Server certificate
subject=/C=US/ST=California/O=HPE/CN=devbox.devlab.com
issuer=/C=US/ST=California/L=Palo Alto/O=HPE/CN=HPE Certificate Authority
---
Acceptable client certificate CA names
/C=US/ST=California/L=Palo Alto/O=HPE/CN=HPE Certificate Authority
Server Temp Key: DH, 1024 bits
---
SSL handshake has read 4086 bytes and written 2839 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : DHE-RSA-AES256-SHA256
    Session-ID: 3FF49ED03F65C2C41CB15E3EE7648CF59B80455949CB8C8AEC16CA96312CD242
    Session-ID-ctx:
    Master-Key: DA45A97200097ED97060E52627274CBB5EBA3812F17C6FB8E7BCB67BA9900EDCDC210A113BA1EF9D1AACFB189D1C4F62
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    Start Time: 1453365909
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---
closed
---
Certificate chain
 0 s:/C=US/ST=California/O=HPE/CN=devbox.devlab.com
   i:/C=US/ST=California/L=Palo Alto/O=HPE/CN=HPE Certificate Authority
 1 s:/C=US/ST=California/L=Palo Alto/O=HPE/CN=HPE Certificate Authority
   i:/C=US/ST=California/L=Palo Alto/O=HPE/CN=HPE Certificate Authority
---
Server certificate
subject=/C=US/ST=California/O=HPE/CN=devbox.devlab.com
issuer=/C=US/ST=California/L=Palo Alto/O=HPE/CN=HPE Certificate Authority
---
Acceptable client certificate CA names
/C=US/ST=California/L=Palo Alto/O=HPE/CN=HPE Certificate Authority
Server Temp Key: DH, 1024 bits
---
SSL handshake has read 4155 bytes and written 2908 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : DHE-RSA-AES256-SHA256
    Session-ID: 3FF49ED03F65C2C41CB15E3EE7648CF59B80455949CB8C8AEC16CA96312CD242
    Session-ID-ctx:
    Master-Key: DA45A97200097ED97060E52627274CBB5EBA3812F17C6FB8E7BCB67BA9900EDCDC210A113BA1EF9D1AACFB189D1C4F62
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    Start Time: 1453365909
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---

I get the following error log:
=INFO REPORT==== 21-Jan-2016::06:49:42 ===
accepting AMQP connection <0.7691.0> (16.60.188.227:36323 -> 16.60.188.151:5671)

=ERROR REPORT==== 21-Jan-2016::06:49:42 ===
SSL: certify: tls_connection.erl:375:Fatal error: certificate unknown

=INFO REPORT==== 21-Jan-2016::06:49:42 ===
accepting AMQP connection <0.7696.0> (16.60.188.227:36324 -> 16.60.188.151:5671)

=ERROR REPORT==== 21-Jan-2016::06:49:42 ===
SSL: certify: tls_connection.erl:375:Fatal error: certificate unknown

=ERROR REPORT==== 21-Jan-2016::06:49:42 ===
SSL: certify: tls_connection.erl:375:Fatal error: certificate unknown

=INFO REPORT==== 21-Jan-2016::06:49:42 ===
accepting AMQP connection <0.7701.0> (16.60.188.131:37237 -> 16.60.188.151:5671)

=INFO REPORT==== 21-Jan-2016::06:49:42 ===
accepting AMQP connection <0.7706.0> (16.60.188.131:37236 -> 16.60.188.151:5671)

=ERROR REPORT==== 21-Jan-2016::06:49:42 ===
SSL: certify: tls_connection.erl:375:Fatal error: certificate unknown

=ERROR REPORT==== 21-Jan-2016::06:49:42 ===
SSL: certify: tls_connection.erl:375:Fatal error: certificate unknown

=INFO REPORT==== 21-Jan-2016::06:49:43 ===
accepting AMQP connection <0.7711.0> (16.78.62.125:49885 -> 16.60.188.151:5671)

=INFO REPORT==== 21-Jan-2016::06:49:43 ===
accepting AMQP connection <0.7716.0> (16.78.62.125:49886 -> 16.60.188.151:5671)

=ERROR REPORT==== 21-Jan-2016::06:49:43 ===
SSL: certify: tls_connection.erl:375:Fatal error: certificate unknown

=ERROR REPORT==== 21-Jan-2016::06:49:43 ===
SSL: certify: tls_connection.erl:375:Fatal error: certificate unknown

=ERROR REPORT==== 21-Jan-2016::06:49:45 ===
error on AMQP connection <0.7671.0>: {ssl_upgrade_error,
                                      {tls_alert,"certificate unknown"}} (unknown POSIX error)

=ERROR REPORT==== 21-Jan-2016::06:49:46 ===
error on AMQP connection <0.7676.0>: {ssl_upgrade_error,
                                      {tls_alert,"certificate unknown"}} (unknown POSIX error)

=ERROR REPORT==== 21-Jan-2016::06:49:47 ===
error on AMQP connection <0.7681.0>: {ssl_upgrade_error,
                                      {tls_alert,"certificate unknown"}} (unknown POSIX error)

=ERROR REPORT==== 21-Jan-2016::06:49:47 ===
error on AMQP connection <0.7686.0>: {ssl_upgrade_error,
                                      {tls_alert,"certificate unknown"}} (unknown POSIX error)

=ERROR REPORT==== 21-Jan-2016::06:49:47 ===
error on AMQP connection <0.7691.0>: {ssl_upgrade_error,
                                      {tls_alert,"certificate unknown"}} (unknown POSIX error)

=ERROR REPORT==== 21-Jan-2016::06:49:47 ===
error on AMQP connection <0.7696.0>: {ssl_upgrade_error,
                                      {tls_alert,"certificate unknown"}} (unknown POSIX error)

=INFO REPORT==== 21-Jan-2016::06:49:47 ===
accepting AMQP connection <0.7725.0> (16.71.81.18:36288 -> 16.60.188.151:5671)

=INFO REPORT==== 21-Jan-2016::06:49:47 ===
accepting AMQP connection <0.7730.0> (16.71.81.18:36289 -> 16.60.188.151:5671)

=ERROR REPORT==== 21-Jan-2016::06:49:47 ===
error on AMQP connection <0.7701.0>: {ssl_upgrade_error,
                                      {tls_alert,"certificate unknown"}} (unknown POSIX error)

=ERROR REPORT==== 21-Jan-2016::06:49:47 ===
error on AMQP connection <0.7706.0>: {ssl_upgrade_error,
                                      {tls_alert,"certificate unknown"}} (unknown POSIX error)

=ERROR REPORT==== 21-Jan-2016::06:49:48 ===
SSL: certify: tls_connection.erl:375:Fatal error: certificate unknown

=ERROR REPORT==== 21-Jan-2016::06:49:48 ===
SSL: certify: tls_connection.erl:375:Fatal error: certificate unknown

=INFO REPORT==== 21-Jan-2016::06:49:48 ===
accepting AMQP connection <0.7735.0> (16.71.81.16:60019 -> 16.60.188.151:5671)

=ERROR REPORT==== 21-Jan-2016::06:49:48 ===
error on AMQP connection <0.7711.0>: {ssl_upgrade_error,
                                      {tls_alert,"certificate unknown"}} (unknown POSIX error)

=ERROR REPORT==== 21-Jan-2016::06:49:48 ===
error on AMQP connection <0.7716.0>: {ssl_upgrade_error,
                                      {tls_alert,"certificate unknown"}} (unknown POSIX error)

=ERROR REPORT==== 21-Jan-2016::06:49:48 === 

Other details

[{pid,23835},
 {running_applications,
     [{rabbitmq_management,"RabbitMQ Management Console","3.1.5"},
      {rabbitmq_web_dispatch,"RabbitMQ Web Dispatcher","3.1.5"},
      {webmachine,"webmachine","1.10.3-rmq3.1.5-gite9359c7"},
      {mochiweb,"MochiMedia Web Server","2.7.0-rmq3.1.5-git680dba8"},
      {rabbitmq_management_agent,"RabbitMQ Management Agent","3.1.5"},
      {rabbit,"RabbitMQ","3.1.5"},
      {ssl,"Erlang/OTP SSL application","5.3.3"},
      {public_key,"Public key infrastructure","0.21"},
      {crypto,"CRYPTO version 2","3.2"},
      {asn1,"The Erlang ASN1 compiler version 2.0.4","2.0.4"},
      {os_mon,"CPO  CXC 138 46","2.2.14"},
      {inets,"INETS  CXC 138 49","5.9.8"},
      {mnesia,"MNESIA  CXC 138 12","4.11"},
      {amqp_client,"RabbitMQ AMQP Client","3.1.5"},
      {rabbitmq_auth_mechanism_ssl,
          "RabbitMQ SSL authentication (SASL EXTERNAL)","3.1.5"},
      {xmerl,"XML parser","1.3.6"},
      {sasl,"SASL  CXC 138 11","2.3.4"},
      {stdlib,"ERTS  CXC 138 10","1.19.4"},
      {kernel,"ERTS  CXC 138 10","2.16.4"}]},
 {os,{unix,linux}},
 {erlang_version,
     "Erlang R16B03-1 (erts-5.10.4) [source] [64-bit] [smp:2:2] [async-threads:30] [hipe] [kernel-poll:true]\n"},


Does anyone face this issue?
How do I troubleshoot this issue further?


FYI, RabbitMQ is running on CentOS 6.5 with very restricted access in the data center.

Thanks,
Rafiq
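An added example, not part of the original post: a small Python script that joins the broker's "accepting AMQP connection" lines to the later "error on AMQP connection ... tls_alert" lines by Erlang connection pid, so the failed TLS upgrades can be counted per client address and per alert. The sample log is constructed from the lines quoted in the post; the regexes follow the RabbitMQ 3.1.x log format shown there.

```python
import re
from collections import defaultdict

# Constructed sample: the broker log lines from the post above, abridged.
SAMPLE_LOG = """\
=INFO REPORT==== 21-Jan-2016::06:49:42 ===
accepting AMQP connection <0.7691.0> (16.60.188.227:36323 -> 16.60.188.151:5671)

=ERROR REPORT==== 21-Jan-2016::06:49:42 ===
SSL: certify: tls_connection.erl:375:Fatal error: certificate unknown

=INFO REPORT==== 21-Jan-2016::06:49:43 ===
accepting AMQP connection <0.7711.0> (16.78.62.125:49885 -> 16.60.188.151:5671)

=ERROR REPORT==== 21-Jan-2016::06:49:47 ===
error on AMQP connection <0.7691.0>: {ssl_upgrade_error,
                                      {tls_alert,"certificate unknown"}} (unknown POSIX error)

=ERROR REPORT==== 21-Jan-2016::06:49:48 ===
error on AMQP connection <0.7711.0>: {ssl_upgrade_error,
                                      {tls_alert,"certificate unknown"}} (unknown POSIX error)
"""

# "accepting" lines carry the Erlang connection pid and the client address.
ACCEPT_RE = re.compile(
    r"accepting AMQP connection (<[\d.]+>) \(([\d.]+):\d+ -> [\d.]+:\d+\)")
# The ssl_upgrade_error term is wrapped over two lines, so \s* must span the break.
ERROR_RE = re.compile(
    r'error on AMQP connection (<[\d.]+>): \{ssl_upgrade_error,\s*'
    r'\{tls_alert,"([^"]+)"\}\}')
# Server-side verify failures are logged without a pid, so they can only be counted.
CERTIFY_RE = re.compile(r"^SSL: certify: .*Fatal error: (.+)$", re.M)


def summarize_tls_failures(log_text):
    """Group failed TLS upgrades by alert and by the client IP that opened them."""
    peer_by_pid = dict(ACCEPT_RE.findall(log_text))
    by_alert = defaultdict(lambda: defaultdict(int))
    orphan_pids = []  # pids whose 'accepting' line is not in the excerpt
    for pid, alert in ERROR_RE.findall(log_text):
        ip = peer_by_pid.get(pid)
        if ip is None:
            orphan_pids.append(pid)
            continue
        by_alert[alert][ip] += 1
    return {
        "by_alert": {alert: dict(ips) for alert, ips in by_alert.items()},
        "orphan_pids": orphan_pids,
        "certify_errors": len(CERTIFY_RE.findall(log_text)),
    }
```

Run over the full broker log, the per-client counts show whether every client is rejected (pointing at the broker's CA configuration) or only some are (pointing at the certificates those clients present).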

