Securing Cluster (Inter-node) Fails at Handshake


manuru mohan

Oct 11, 2019, 5:04:01 PM10/11/19
to rabbitm...@googlegroups.com
Hi Team,

I am trying to secure the cluster (I already have SSL enabled using 5671 and it's working) and I am getting the error below. Can you please help me find out what I am missing here?

TLS server: In state certify received CLIENT ALERT: Fatal - Handshake Failure

I followed the steps in the link below:
https://www.rabbitmq.com/clustering-ssl.html#how-to-windows
Below is my ssl_dist.config file:
[
    {server, [
        {cacertfile, "C:/Users/momanu/rabbitmq_certs/ise-core-dev-cacert.pem"},
        {certfile, "C:/Users/momanu/rabbitmq_certs/ise-core-dev-pubkey.pem"},
        {keyfile, "C:/Users/momanu/rabbitmq_certs/ise-core-dev-prikey.pem"},
        {secure_renegotiate, true},
        {verify, verify_peer},
        {fail_if_no_peer_cert, false}
    ]},
    {client, [
        {cacertfile, "C:/Users/momanu/rabbitmq_certs/ise-core-dev-cacert.pem"},
        {certfile, "C:/Users/momanu/rabbitmq_certs/ise-core-dev-pubkey.pem"},
        {keyfile, "C:/Users/momanu/rabbitmq_certs/ise-core-dev-prikey.pem"},
        {secure_renegotiate, true},
        {verify, verify_peer},
        {fail_if_no_peer_cert, false},
        {server_name_indication, "ise-core-dev"}
    ]}
].

Below is the rabbitmq-env-conf.bat:
echo off
rem NOTE: If spaces are present in any of these paths,
rem double quotes must be used.

rem NOTE: the following path is **system dependent**.
setx SSL_PATH "C:\Program Files\erl9.3\lib\ssl-8.2.4\ebin" /m

rem NOTE: pre-RabbitMQ 3.7.8 variable names:
setx RABBITMQ_SERVER_ADDITIONAL_ERL_ARGS "-pa %%SSL_PATH%% -proto_dist inet_tls -ssl_dist_optfile C:\Users\momanu\AppData\Roaming\RabbitMQ\ssl_dist.config" /m

setx RABBITMQ_CTL_ERL_ARGS "-pa %%SSL_PATH%% -proto_dist inet_tls -ssl_dist_optfile C:\Users\momanu\AppData\Roaming\RabbitMQ\ssl_dist.config" /m

rem NOTE: post-RabbitMQ 3.7.8 variable names:
rem set SERVER_ADDITIONAL_ERL_ARGS=...
rem set CTL_ERL_ARGS=...

rem See this PR for details
rem https://github.com/rabbitmq/rabbitmq-server/pull/1666

Thanks,
Mohan. Manuru

Luke Bakken

Oct 11, 2019, 6:45:29 PM10/11/19
to rabbitmq-users
Hello,

What version of Erlang and RabbitMQ are you using? erl9.3 suggests it may be 20.3 or so?

Could you please attach your configuration files rather than pasting them so I can be certain I'm checking the same content as what you're using?

Thanks -
Luke

manuru mohan

Oct 11, 2019, 7:25:08 PM10/11/19
to rabbitm...@googlegroups.com
Hi Luke,

I am using 3.7.12 RabbitMQ and Erlang 20.3 versions.

Attached are the config files (ssl_dist.config and rabbitmq.conf); I renamed rabbitmq-env-conf from .bat to .txt. Please let me know if you need anything else.

Thanks,
Mohan. Manuru


--
You received this message because you are subscribed to the Google Groups "rabbitmq-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to rabbitmq-user...@googlegroups.com.
To view this discussion on the web, visit https://groups.google.com/d/msgid/rabbitmq-users/504ee333-fd16-416b-bc9e-61bbdf2e3dcb%40googlegroups.com.
rabbitmq-env-conf.txt
ssl_dist.config
rabbitmq.conf

Wesley Peng

Oct 11, 2019, 9:01:37 PM10/11/19
to rabbitm...@googlegroups.com
manuru mohan wrote:
> I am trying to secure the cluster (I already have SSL enabled using 5671
> and its working) and I am getting below error. Can you please help me
> out what I am missing here?
>
> TLS server: In state certify received CLIENT ALERT:
> Fatal - Handshake Failure
>
> I followed the steps in below link:
> https://www.rabbitmq.com/clustering-ssl.html#how-to-windows

Hi

You also want to refer this:
https://www.rabbitmq.com/troubleshooting-ssl.html

for example:

RabbitMQ nodes and clients can be limited in what cipher suites they are
allowed to use during TLS handshake. It is important to make sure that
the two sides have some cipher suites in common or otherwise the
handshake will fail.

regards.

manuru mohan

Oct 11, 2019, 10:04:51 PM10/11/19
to rabbitm...@googlegroups.com
I don't see an option of specifying cipher options in ssl_dist.config file for securing cluster (inter node).

For Cluster SSL I specified Ciphers but I don't see an option for inter-node SSL.



manuru mohan

Oct 12, 2019, 5:30:01 AM10/12/19
to rabbitm...@googlegroups.com
BTW, I am getting the handshake error from rabbitmqctl.bat commands running from the same server, using the same account that installed it, and I am also trying one node first by enabling inter-node SSL.

Will greatly appreciate your help on this.

Luke Bakken

Oct 13, 2019, 12:45:28 PM10/13/19
to rabbitmq-users
Hi Manru,

Start by changing verify_peer to verify_none. If that works, there is an issue with your certificates and how inter-node hostnames are working.

Consider using RabbitMQ 3.7.19 and Erlang 22.1 for your tests.

Thanks,
Luke

manuru mohan

Oct 13, 2019, 10:50:16 PM10/13/19
to rabbitm...@googlegroups.com
Hi Luke,

Do I need to change in ssl_dist config or rabbitmq config?

Will change the versions to test it via rabbitmqctl commands.


Luke Bakken

Oct 14, 2019, 11:03:43 AM10/14/19
to rabbitmq-users
Hi Manru,

Change it in your ssl_dist.config file.

Thanks -
Luke

manuru mohan

Oct 14, 2019, 4:18:11 PM10/14/19
to rabbitm...@googlegroups.com
Hi Luke,

After changing to "verify_none", I am able to execute rabbitmqctl.bat commands. This confirms that the certificates I am using are problematic.

I used the commands below to generate the "pem" files. Can you please let me know if there is a different way I can generate "pem" files?
Note: I am using Windows Server 2016


  1. openssl pkcs12 -in <filename.pfx> -nocerts -nodes -out <clientcert.key.pem>
  2. openssl pkcs12 -in <filename.pfx> -clcerts -nokeys -out <clientcert.cer.pem>
  3. openssl pkcs12 -in <filename.pfx> -cacerts -nokeys -chain -out <cacerts.cer.pem>


Thanks,
Mohan. Manuru



Luke Bakken

Oct 14, 2019, 10:34:08 PM10/14/19
to rabbitmq-users
Hi Mohan,

This issue probably doesn't have anything to do with how you're converting your certs to pem format. The CN= value in the certificate must match the host name that is used for the RabbitMQ node name.

* Could you please provide the host names of your RabbitMQ nodes?

* For one of those nodes, could you run the following command to print the certificate summary? Please re-direct the output to a file and attach it. You'll have to change server_certificate.pem to the actual file being used in the certfile configuration setting:

openssl x509 -text -in server_certificate.pem

* You can use the commands in this doc to check your certificates and hostname validation outside of RabbitMQ: https://www.rabbitmq.com/troubleshooting-ssl.html#openssl-tools

Thanks
Luke

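The certificate-name-versus-node-host-name check Luke describes, as an added example that is not part of this thread, of RabbitMQ, or of Erlang/OTP: a small Python script that takes a certificate's identity (in the dict shape Python's ssl.SSLSocket.getpeercert() returns, filled in by hand from `openssl x509 -text -in server_certificate.pem`) and reports, for each node name, whether the name is covered and why. The three sample certificates are constructed; the node names RW1-VIMEX-01..04 and the name ise-core-dev come from the thread. The matching rules (SAN dNSName is authoritative when present, CN is only a fallback when there is no SAN dNSName, a leading "*." matches exactly one label, comparison is case-insensitive) are the RFC 6125 / RFC 2818 conventions and are an assumption here; the Erlang ssl application's exact rules should be confirmed in the OTP public_key documentation.

```python
# Added example (not from the thread, RabbitMQ or Erlang/OTP): check whether
# a node host name is covered by the identity in a certificate, the way a
# TLS peer verifier does it: SAN dNSName first, subject CN only as fallback.
#
# Assumption: RFC 6125 / RFC 2818 style matching. The Erlang ssl application
# may differ in details; consult the OTP public_key docs for its rules.
#
# Certificates are given in the dict shape returned by Python's
# ssl.SSLSocket.getpeercert(); fill them in from the output of
# `openssl x509 -text -in server_certificate.pem`.
from typing import Dict, List, Optional, Sequence, Tuple

# Constructed sample certificates (identities invented for illustration).
CERT_WITH_SAN = {
    "subject": ((("commonName", "ise-core-dev"),),),
    "subjectAltName": (
        ("DNS", "RW1-VIMEX-01"),
        ("DNS", "RW1-VIMEX-02"),
        ("DNS", "RW1-VIMEX-03"),
        ("DNS", "RW1-VIMEX-04"),
    ),
}
CERT_CN_ONLY = {
    "subject": ((("commonName", "ise-core-dev"),),),
}
CERT_WILDCARD = {
    "subject": ((("commonName", "placeholder.corp.example"),),),
    "subjectAltName": (("DNS", "*.corp.example"),),
}


def dns_names(cert: dict) -> List[str]:
    """SAN entries of type dNSName, in certificate order."""
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


def common_name(cert: dict) -> Optional[str]:
    """Subject CN, or None if the subject has no commonName attribute."""
    for rdn in cert.get("subject", ()):
        for attr, value in rdn:
            if attr == "commonName":
                return value
    return None


def name_matches(pattern: str, hostname: str) -> bool:
    """Case-insensitive DNS-name match; a leading '*.' matches exactly one label."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if pattern.startswith("*."):
        host_labels = hostname.split(".")
        # The wildcard stands for one left-most label; the rest must match exactly.
        return len(host_labels) >= 2 and ".".join(host_labels[1:]) == pattern[2:]
    return pattern == hostname


def check_hostname(cert: dict, hostname: str) -> Tuple[bool, str]:
    """Return (ok, reason) for the reference name `hostname` checked against `cert`."""
    sans = dns_names(cert)
    if sans:
        for san in sans:
            if name_matches(san, hostname):
                return True, f"matched SAN dNSName {san!r}"
        return False, f"{hostname!r} not among SAN dNSNames {sans} (CN is ignored when a SAN is present)"
    cn = common_name(cert)
    if cn is not None and name_matches(cn, hostname):
        return True, f"matched CN {cn!r} (no SAN dNSName present)"
    return False, f"{hostname!r} does not match CN {cn!r} and the certificate has no SAN dNSName"


def report(cert: dict, hostnames: Sequence[str]) -> Dict[str, Tuple[bool, str]]:
    """Run check_hostname for every node name, e.g. for one certificate shared by all nodes."""
    return {h: check_hostname(cert, h) for h in hostnames}


if __name__ == "__main__":
    nodes = ["RW1-VIMEX-01", "RW1-VIMEX-02", "RW1-VIMEX-03", "RW1-VIMEX-04"]
    for label, cert in [("cert with SAN", CERT_WITH_SAN), ("cert with CN only", CERT_CN_ONLY)]:
        print(f"== {label}")
        for host, (ok, why) in report(cert, nodes + ["ise-core-dev"]).items():
            print(f"  {host:<14} {'OK  ' if ok else 'FAIL'} {why}")
```

Run it once with the node host names and once with the name the client side is configured to expect (the thread's ssl_dist.config sets server_name_indication to "ise-core-dev"); a FAIL on whichever name the verifying peer actually checks is the mismatch that verify_none was masking, and the fix is a certificate whose SAN covers every node name, after which verify_peer can be restored.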

manuru mohan

Oct 15, 2019, 1:55:20 PM10/15/19
to rabbitm...@googlegroups.com
Hi Luke,

Our PFX has ASN (Alternative Subject Names) with the node names and CN is different than the node name(s).

Node Names:
RW1-VIMEX-01, 02, 03, 04.

BTW, I am testing only on 03 VM to see if I am able to execute rabbitmqctl commands.

I am not able to load the certificate using the command. Let me double check the certificates using the commands in the URL you provided.

Let me 

Thanks,
Mohan. Manuru

