Re: SEC_ERROR_REUSED_ISSUER_AND_SERIAL in Firefox with server certificate created using tls-gen


Luke Bakken
Jun 5, 2019, 1:10:47 PM
to rabbitmq-users
Hi Basanth,

Is there a chance you have connected to localhost:15673 using Firefox when RabbitMQ was using a different certificate with the same serial number?

I just ran make in tls-gen/basic and used the "openssl x509 -text -in ....pem" command on both the server_certificate.pem and ca_certificate.pem files to ensure the serial numbers are unique. As expected, the server certificate used serial number 01.

If you can investigate Firefox's certificate cache to see what else is in there, that would be great. Be sure to delete any old certificates related to RabbitMQ.

Thanks,
Luke

On Wednesday, June 5, 2019 at 9:46:57 AM UTC-7, Basanth ... wrote:
Hi,

I wanted to connect to RabbitMQ server from an Angular application running on my iPad.

What I did?

- Modified RabbitMQ server to add TLS support by adding web stomp configurations in rabbitmq.config file. 
- Created the server side certificates using tls-gen and added the same in the rabbitmq.config file.
- Client side certificates created by providing the hostname and used the same while hosting the Angular application.

`ng serve --ssl true --ssl-cert "C:\go-work\bin\md1ujpzc\cert.pem" --ssl-key "C:\go-work\bin\md1ujpzc\key.pem" --port 4201 --host md1ujpzc`

- Changed the client side broker URL to Secure WebSocket wss://127.0.0.1:15673/ws

- I am able to connect to RabbitMQ server with TLS enabled ( in the same machine) and able to send messages.

What is not working?
I changed the 

- RabbitMQ broker URL to _wss://<hostname>:15673/ws_ so that we are not referring to the loopback IP.

But with this I am not able to connect to RabbitMQ server. I am connecting from the same machine.

How can I connect to RabbitMQ server by providing the server IP address/hostname?

I am getting an error in the client SEC_ERROR_REUSED_ISSUER_AND_SERIAL with Firefox (as attached).
When I checked the server certificate that I created using tls-gen I could see the serial number as '01'; it looks like it gets conflicted with some other certificate with the same serial number.
How can I generate a certificate with unique serial number using tls-gen?


Thanks
Basanth

Luke Bakken
Jun 5, 2019, 1:36:02 PM
to rabbitmq-users
Hi Basanth,

I doubt that using a different port number will make a difference. Somehow Firefox has the other certificate around.

I would try creating a completely new user profile to test with, or as a last resort, deleting your Firefox user preferences directory.

This issue isn't related to RabbitMQ, but is a side-effect of re-using certificates with the same issuer and serial number.

Thanks,
Luke

On Wednesday, June 5, 2019 at 10:20:29 AM UTC-7, Basanth ... wrote:
Yes,

I had another certificate generated from another machine which I used for connecting to localhost:15673. With that certificate I could connect using the loopback IP.
Then I wanted to connect using the hostname or IP address; when I tried with the same certificate (which was created on another machine) I started getting another error saying the certificate was created for some other hostnames.

Then I created another certificate from my machine with which I am getting another error "SEC_ERROR_REUSED_ISSUER_AND_SERIAL".
I deleted the old certificate from the certificate store and I tried going to about:preferences#advanced and selecting 'Clear Now' next to 'Cached Web Content' and then restarting Firefox.
Still I am seeing this error.

If I start using another port number (other than 15673) will this get solved?

Regards
Basanth
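Added example, not from the thread or from tls-gen: a small POSIX shell check that flags PEM certificates sharing an issuer DN and serial number, which is the condition Luke describes (a second tls-gen run mints a new CA with the same DN and starts serials again at 01). It assumes `openssl` is on PATH and that the certificate files to compare are passed as arguments.

```shell
#!/bin/sh
# Report certificates that share an issuer DN and serial number.
# Firefox's NSS store keys cached certificates by (issuer, serial), so two
# different certificates with the same pair trigger
# SEC_ERROR_REUSED_ISSUER_AND_SERIAL. Comparing the files from every
# tls-gen run you still have around shows whether that is the case here.

# Print "issuer<TAB>serial<TAB>file" for every PEM certificate given.
# The sed expressions strip the "issuer=" / "serial=" labels, which differ
# slightly between OpenSSL versions (some print a space after "issuer=").
cert_keys() {
    for f in "$@"; do
        issuer=$(openssl x509 -in "$f" -noout -issuer | sed 's/^issuer= *//')
        serial=$(openssl x509 -in "$f" -noout -serial | sed 's/^serial=//')
        printf '%s\t%s\t%s\n' "$issuer" "$serial" "$f"
    done
}

# Print one line per (issuer, serial) pair that occurs in more than one
# file, listing the files involved. Returns 1 if any reuse was found, so
# the function can be used directly in an if/&& chain; 0 otherwise.
find_reused_serials() {
    dups=$(cert_keys "$@" | sort | awk -F '\t' '
        { key = $1 "\t" $2; files[key] = files[key] " " $3; n[key]++ }
        END { for (k in n) if (n[k] > 1) print k "\t" files[k] }')
    [ -z "$dups" ] && return 0
    printf '%s\n' "$dups"
    return 1
}
```

Run it as `find_reused_serials old/ca_certificate.pem new/ca_certificate.pem` (and likewise for the server certificates); any line printed names a pair of files that Firefox will refuse to hold in its cache at the same time.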

Luke Bakken
Jun 5, 2019, 5:01:08 PM
to rabbitmq-users
Hello,

I really don't know why Firefox is giving you all of this trouble. We have a guide to try to figure out TLS issues:


I would be interested to know what this command outputs:

openssl s_client -connect RABBITMQ_HOST:15673 \
  -cert client_certificate.pem -key client_key.pem -CAfile ca_certificate.pem \
  -verify 8 -verify_hostname RABBITMQ_HOST

Replace RABBITMQ_HOST with the hostname to which you are connecting.

Be sure that ca_certificate.pem is the same file that RabbitMQ is using.

On Wednesday, June 5, 2019 at 11:47:54 AM UTC-7, Basanth ... wrote:
You are correct, the port didn't make any change.

I deleted the Firefox profiles and uninstalled and reinstalled Firefox.

Now when I tried connecting using TLS I am getting SEC_ERROR_UNKNOWN_ISSUER even though I have the issuer's certificate added to the trusted root certificate authorities.
This client certificate was working fine previously. Any hint?

Thanks
Basanth