Exception when trying to have a TLS connection with .NET Client


Tuan Nam Truong

Jun 2, 2020, 11:41:01 AM
to rabbitmq-users

Hi,

I am trying to make a simple TLS/SSL connection with the .NET client. The code is identical to the example here: https://www.rabbitmq.com/ssl.html#dotnet-example. The path to the client key and the password are of course adjusted. (full code in Program.cs)

The code triggered an exception: (full text in exception.txt)

AggregateException: One or more errors occurred. (System cannot find the specified file.)

Inner Exception 2: WindowsCryptographicException: System cannot find the specified file


The troubleshooting process followed this guide: https://www.rabbitmq.com/troubleshooting-ssl.html#openssl-tools

It is possible to use OpenSSL to confirm there is a TLS connection between server and client by using:

openssl s_server -accept 8443 -cert server_certificate.pem -key server_key.pem -CAfile ca_certificate.pem

openssl s_client -connect localhost:8443 -cert client_certificate.pem -key client_key.pem -CAfile ca_certificate.pem -verify 8 -verify_hostname DE-WS691906


RabbitMQ is aware of the TLS connection.

openssl s_client -connect localhost:5671 -cert client_certificate.pem -key client_key.pem -CAfile ca_certificate.pem

The output from log file:

2020-06-02 17:27:43.927 [info] <0.1242.0> accepting AMQP connection <0.1242.0> ([::1]:54483 -> [::1]:5671)

2020-06-02 17:27:43.927 [error] <0.1242.0> closing AMQP connection <0.1242.0> ([::1]:54483 -> [::1]:5671):{handshake_timeout,handshake}


I could not find the root of the problem. I really can't.


Other info:

Result from: rabbitmq-diagnostics.bat --silent tls_versions

  • tlsv1.3
  • tlsv1.2
  • tlsv1.1
  • tlsv1
  • sslv3

Thanks a lot
Nam

Exception.txt
Program.cs
advanced.config
environment.txt
rabbit@DE-WS691906.log

Luke Bakken

Jun 2, 2020, 11:57:01 AM
to rabbitmq-users
Hello,

The certificate that your .NET program uses should be in P12 or PFX format. This format combines the public and private keys into one file.

tls-gen apparently does not generate PFX or P12 files in the format you need. Please use this command to convert the two client pem files into a single pfx file - https://support.servertastic.com/knowledgebase/article/convert-pem-to-pfx

Then, use that file as the argument to cf.Ssl.CertPath.

Thanks,
Luke

Michael Klishin

Jun 2, 2020, 12:22:41 PM
to rabbitm...@googlegroups.com
  • AggregateException: One or more errors occurred. (System cannot find the specified file.)
  • Inner Exception 2: WindowsCryptographicException: System cannot find the specified file

Strongly suggest that the issue is in the .NET application:

  • cf.Ssl.CertPath = @"C:\Users\ttruong\AppData\Roaming\RabbitMQ\certificate\client_key.12";

either the above path does not exist or it does not contain a certificate and private key in the PKCS#12 format.

Server logs further confirm this: the client did connect but then closed the TCP connection abruptly, likely because the process ran into the exception and had to terminate.

--
You received this message because you are subscribed to the Google Groups "rabbitmq-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to rabbitmq-user...@googlegroups.com.
To view this discussion on the web, visit https://groups.google.com/d/msgid/rabbitmq-users/16711523-6014-4887-b2aa-b5b1a4c926ed%40googlegroups.com.

Tuan Nam Truong

Jun 2, 2020, 12:52:20 PM
to rabbitmq-users
Thanks for the reply,

I have followed your instructions and made a certificate.pfx file with this cmd: (the pwd is also bunnies)
openssl pkcs12 -export -in .\client_certificate.pem -inkey .\client_key.pem -out certificate.pfx -certfile .\ca_certificate.pem

But I received another exception.
In the log file it shows:
2020-06-02 18:46:34.809 [info] <0.5600.0> accepting AMQP connection <0.5600.0> ([::1]:55625 -> [::1]:5671)
2020-06-02 18:46:34.809 [error] <0.5600.0> closing AMQP connection <0.5600.0> ([::1]:55625 -> [::1]:5671): {inet_error,{tls_alert,{unknown_ca,"TLS server: In state connection received CLIENT ALERT: Fatal - Unknown CA\n "}}}


And in Visual Studio it shows:

RabbitMQ.Client.Exceptions.BrokerUnreachableException
  HResult=0x80131620
  Message=None of the specified endpoints were reachable
  Source=RabbitMQ.Client
  StackTrace:
   at RabbitMQ.Client.ConnectionFactory.CreateConnection(IEndpointResolver endpointResolver, String clientProvidedName)
   at RabbitMQ.Client.ConnectionFactory.CreateConnection(String clientProvidedName)
   at RabbitMQ.Client.ConnectionFactory.CreateConnection()
   at RabbitMQ_NetCore_Receiver.Program.Main(String[] args) in C:\Users\ttruong\Desktop\Project\RabbitMQ\RabbitMQ_NetCore_Receiver\RabbitMQ_NetCore_Receiver\Program.cs:line 17

  This exception was originally thrown at this call stack:
    [External Code]

Inner Exception 1:
AggregateException: One or more errors occurred. (The remote certificate is invalid according to the validation procedure.)

Inner Exception 2:
AuthenticationException: The remote certificate is invalid according to the validation procedure.




On Tuesday, June 2, 2020 at 17:57:01 UTC+2, Luke Bakken wrote:
certificate.pfx

Michael Klishin

Jun 2, 2020, 12:55:07 PM
to rabbitm...@googlegroups.com

Searching [1] for “unknown CA” yields [2]. I highly recommend investing some time and learning about how TLS really works instead of trying to copy-and-paste some examples. The best part is that once you understand how it works, you will be able to use it confidently with other tools, not just RabbitMQ.

 

  1. https://www.rabbitmq.com/ssl.html
  2. https://www.rabbitmq.com/ssl.html#peer-verification-how-it-works


Tuan Nam Truong

Jun 2, 2020, 12:57:36 PM
to rabbitmq-users
Thank you for the reply,

I believe you found a good trace. In the path I missed the 'p' from '.p12'. After correcting the path and trying the 'certificate.pfx' (suggested by Luke Bakken), they both create the same exception.


In the log file it shows:
2020-06-02 18:46:34.809 [info] <0.5600.0> accepting AMQP connection <0.5600.0> ([::1]:55625 -> [::1]:5671)
2020-06-02 18:46:34.809 [error] <0.5600.0> closing AMQP connection <0.5600.0> ([::1]:55625 -> [::1]:5671): {inet_error,{tls_alert,{unknown_ca,"TLS server: In state connection received CLIENT ALERT: Fatal - Unknown CA\n "}}}

And in Visual Studio it shows:

RabbitMQ.Client.Exceptions.BrokerUnreachableException
  HResult=0x80131620
  Message=None of the specified endpoints were reachable
  Source=RabbitMQ.Client
  StackTrace:
   at RabbitMQ.Client.ConnectionFactory.CreateConnection(IEndpointResolver endpointResolver, String clientProvidedName)
   at RabbitMQ.Client.ConnectionFactory.CreateConnection(String clientProvidedName)
   at RabbitMQ.Client.ConnectionFactory.CreateConnection()
   at RabbitMQ_NetCore_Receiver.Program.Main(String[] args) in C:\Users\ttruong\Desktop\Project\RabbitMQ\RabbitMQ_NetCore_Receiver\RabbitMQ_NetCore_Receiver\Program.cs:line 17

  This exception was originally thrown at this call stack:
    [External Code]

Inner Exception 1:
AggregateException: One or more errors occurred. (The remote certificate is invalid according to the validation procedure.)
Inner Exception 2:
AuthenticationException: The remote certificate is invalid according to the validation procedure.


On Tuesday, June 2, 2020 at 18:22:41 UTC+2, Michael Klishin wrote:

Luke Bakken

Jun 2, 2020, 1:30:52 PM
to rabbitmq-users
Hello,

You have RabbitMQ configured for TLS connections on port 5671, yet your Program.cs does not use that port. Based on the log I'm assuming you changed that.

AuthenticationException: The remote certificate is invalid according to the validation procedure

This means that your client application thinks that the server certificate is invalid. This is not specific to the RabbitMQ .NET client or RabbitMQ. When you create a TLS connection in .NET, your code must be able to validate the server certificate. It can only do that if it has access to the Root certificate that signed the server's cert. Since you are using certificates from tls-gen my guess is that the ca_certificate is not installed locally.

You can do one of the following:
Thanks -
Luke
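As an added example (not code from this thread, the RabbitMQ project or its .NET client), the pre-flight checks below catch both failures discussed above before CreateConnection() is called: a missing or non-PKCS#12 client file, and a server certificate issued by a CA the client does not trust. The file paths are placeholders, the server name DE-WS691906 is taken from the openssl command in the first post, and the passphrase "bunnies" is assumed from the thread; pinning trust to ca_certificate.pem via the validation callback is an alternative to installing that CA in the Windows trust store.

```csharp
using System;
using System.IO;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;
using RabbitMQ.Client;

static class TlsPreflight
{
    // Placeholders: point these at the tls-gen output; "bunnies" is the passphrase used in the thread.
    const string CertPath = @"C:\path\to\certificate.pfx";   // client cert + key in PKCS#12 format
    const string CaPath = @"C:\path\to\ca_certificate.pem";  // CA that signed server_certificate.pem
    const string Passphrase = "bunnies";
    const string ServerName = "DE-WS691906"; // must match the CN/SAN of the server certificate

    static void Main()
    {
        // First failure in the thread: wrong path ("client_key.12") and non-PKCS#12 content.
        // Loading the file here fails fast with a readable error instead of inside CreateConnection().
        if (!File.Exists(CertPath))
            throw new FileNotFoundException("client PKCS#12 file not found", CertPath);
        using var clientCert = new X509Certificate2(CertPath, Passphrase); // throws on bad format/password
        if (!clientCert.HasPrivateKey)
            throw new InvalidOperationException("PKCS#12 file has no private key; export it with -inkey");

        // Second failure: "remote certificate is invalid" because the client did not trust the
        // CA that signed the server certificate. Load that CA and validate against it explicitly.
        using var ca = new X509Certificate2(CaPath);

        var cf = new ConnectionFactory { HostName = ServerName, Port = 5671 };
        cf.Ssl.Enabled = true;
        cf.Ssl.ServerName = ServerName;
        cf.Ssl.CertPath = CertPath;
        cf.Ssl.CertPassphrase = Passphrase;
        // Keep the hostname check from the default validation, but build the chain against our CA.
        cf.Ssl.CertificateValidationCallback = (sender, cert, serverChain, errors) =>
            (errors & SslPolicyErrors.RemoteCertificateNameMismatch) == 0
            && cert != null && ChainsToCa(cert, ca);

        using var conn = cf.CreateConnection();
        Console.WriteLine("TLS connection to {0}:5671 established", ServerName);
    }

    // True only if the presented server certificate chains to the given CA (and nothing else).
    static bool ChainsToCa(X509Certificate cert, X509Certificate2 ca)
    {
        using var chain = new X509Chain();
        chain.ChainPolicy.TrustMode = X509ChainTrustMode.CustomRootTrust;
        chain.ChainPolicy.CustomTrustStore.Add(ca);
        chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck; // tls-gen publishes no CRL
        return chain.Build(new X509Certificate2(cert));
    }
}
```

If the callback returns false the client sends the same "Unknown CA" alert seen in the broker log above, which is the expected outcome for a server certificate that does not chain to ca_certificate.pem.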