TLS connection warning. Should I be worried?


x1021

Sep 1, 2023, 12:24:50 PM
to rabbitmq-users
TLS connection is working between client and RabbitMQ. However I get error below in the logs
[warning] <0.28690.2> Connection (<0.28690.2>): certificate chain verification is not enabled for this TLS connection. Please see https://rabbitmq.com/ssl.html for more information.

Should I be worried about this? It's a warning message and I'm not seeing any issues so far, but I would like to be sure that it won't cause any problem. I tried turning on certificate chain verification, but turning it on caused a different error, so I turned verification off since it works without it.

Luke Bakken

Sep 3, 2023, 11:27:51 AM
to rabbitmq-users
Hello,

  • What version of RabbitMQ and Erlang are you using?
  • Are you using the Erlang AMQP client for any of your applications?
  • Are you using the Shovel plugin?
  • Are you using the Federation plugin?
  • How did you try "turning on" certificate chain verification?
The warning message is generated by the Erlang AMQP client when it connects to a server and does not verify the server's X509 certificate. I'm guessing that you are using the Federation or Shovel plugins, which use the Erlang AMQP client internally.

Thanks,
Luke

Luke Bakken

Sep 12, 2023, 12:42:47 PM
to rabbitmq-users
When you add these RabbitMQ configuration settings...

ssl_options.verify = verify_peer
ssl_options.fail_if_no_peer_cert = true

...you are telling Erlang / RabbitMQ that every TLS connection to RabbitMQ must include a valid client certificate. Based on your shovel's URI, you are not intending to use client certificates.

You should change ssl_options.fail_if_no_peer_cert to false.

You must enable TLS verification via your shovel URI, like this: https://www.rabbitmq.com/uri-query-parameters.html#tls


Thanks,
Luke

On Monday, September 11, 2023 at 11:11:35 AM UTC-7 x1021 wrote:
Hello Luke, and I appreciate your assistance. Apologies for the delayed response.
  • What version of RabbitMQ and Erlang are you using? RabbitMQ 3.11.7 on Erlang 25.2.1
  • Are you using the Erlang AMQP client for any of your applications? Yes, AMQPS
  • Are you using the Shovel plugin? Yes, below are the plugins used
    • rabbitmq_management
    • rabbitmq_shovel
    • rabbitmq_shovel_management
    • rabbitmq_message_deduplication
  • Are you using the Federation plugin? No
  • How did you try "turning on" certificate chain verification?
    Got this log after adding the config below to the rabbitmq.conf. Description: "Server authenticity is not verified since certificate path validation is not enabled" & Reason: "The option {verify, verify_peer} and one of the options 'cacertfile' or 'cacerts' are required to enable this."

    listeners.ssl.1 = 5671
    listeners.tcp = none
    ssl_options.cacertfile = /etc/ssl/certs/ca-bundle.crt
    ssl_options.certfile = /etc/rabbitmq/ssl/iap.pem
    ssl_options.keyfile = /etc/rabbitmq/ssl/key.pem
    ssl_options.password = pronghorn

    management.ssl.port = 15671
    management.ssl.cacertfile = /etc/ssl/certs/ca-bundle.crt
    management.ssl.certfile = /etc/rabbitmq/ssl/iap.pem
    management.ssl.keyfile = /etc/rabbitmq/ssl/key.pem
    management.ssl.password = pronghorn

    Then added these parameters after following the instruction from RabbitMQ doc
    ssl_options.verify = verify_peer
    ssl_options.fail_if_no_peer_cert = true
    ssl_options.depth = 2

    After adding them, I received the error below. When I take out the three parameters above, the connection between the client and RabbitMQ works fine.

    Shovel 'preserve_iap_events' failed to connect (URI: amqps://ppollpghn00052.unix.gsm1900.org:5671): closed
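The point of Luke's reply is that there are two different verifications in play: the server-side ssl_options decide whether RabbitMQ demands and checks a client certificate, while the shovel is itself a TLS client whose URI query parameters decide whether it checks the broker's certificate chain (the thing the [warning] is about). The following script is an added example, not code from the thread or from the RabbitMQ project. It parses a rabbitmq.conf fragment and a shovel URI and reports which side is misconfigured. It assumes the URI parameters cacertfile, verify and server_name_indication as documented at https://www.rabbitmq.com/uri-query-parameters.html#tls; the sample config and URI values are taken from the thread, and the "fixed" variants are constructed for illustration.

```python
"""Added example (not RabbitMQ's own code): audit both sides of a shovel TLS setup.

Server side: ssl_options.verify / ssl_options.fail_if_no_peer_cert control
whether RabbitMQ verifies *client* certificates.
Shovel side: the amqps:// URI query controls whether the shovel verifies the
*server* certificate. Query parameter names are an assumption based on the
RabbitMQ URI query parameter documentation.
"""
from urllib.parse import parse_qs, urlparse


def parse_rabbitmq_conf(text):
    """Parse 'key = value' lines of rabbitmq.conf; skip blanks and '#' comments."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        conf[key.strip()] = value.strip()
    return conf


def server_side_findings(conf):
    """Findings about how the broker treats connecting clients' certificates."""
    findings = []
    verify = conf.get("ssl_options.verify", "verify_none")
    require_cert = conf.get("ssl_options.fail_if_no_peer_cert", "false").lower() == "true"
    if verify == "verify_peer" and require_cert:
        findings.append("every TLS client must present a valid certificate "
                        "(fail_if_no_peer_cert=true); a shovel without one is closed")
    if verify == "verify_peer" and "ssl_options.cacertfile" not in conf:
        findings.append("verify_peer without ssl_options.cacertfile: no CA to check client certs")
    return findings


def shovel_side_findings(uri):
    """Findings about whether the shovel (a TLS client) verifies the broker's chain."""
    findings = []
    parsed = urlparse(uri)
    if parsed.scheme != "amqps":
        findings.append("URI is not amqps://, so the shovel does not use TLS at all")
        return findings
    query = {k: v[-1] for k, v in parse_qs(parsed.query).items()}
    if query.get("verify") != "verify_peer":
        findings.append("shovel does not verify the server certificate chain "
                        "(verify=verify_peer missing); this is what the [warning] reports")
    elif "cacertfile" not in query:
        findings.append("verify=verify_peer without cacertfile: no trust anchor to verify against")
    return findings


def audit(conf_text, uri):
    """Combine both sides; an empty dict of lists means nothing to report."""
    return {
        "server": server_side_findings(parse_rabbitmq_conf(conf_text)),
        "shovel": shovel_side_findings(uri),
    }


# Server config as posted in the thread: verify_peer plus fail_if_no_peer_cert=true.
THREAD_CONF = """
listeners.ssl.1 = 5671
ssl_options.cacertfile = /etc/ssl/certs/ca-bundle.crt
ssl_options.certfile = /etc/rabbitmq/ssl/iap.pem
ssl_options.keyfile = /etc/rabbitmq/ssl/key.pem
ssl_options.verify = verify_peer
ssl_options.fail_if_no_peer_cert = true
ssl_options.depth = 2
"""

# Constructed fix: keep verify_peer, stop demanding a client certificate.
FIXED_CONF = THREAD_CONF.replace("fail_if_no_peer_cert = true", "fail_if_no_peer_cert = false")

# Shovel URI from the thread (no TLS query parameters) and a constructed fixed one.
THREAD_URI = "amqps://ppollpghn00052.unix.gsm1900.org:5671"
FIXED_URI = (THREAD_URI + "?cacertfile=/etc/ssl/certs/ca-bundle.crt"
             "&verify=verify_peer&server_name_indication=ppollpghn00052.unix.gsm1900.org")

if __name__ == "__main__":
    for label, conf, uri in (("as posted", THREAD_CONF, THREAD_URI),
                             ("fixed", FIXED_CONF, FIXED_URI)):
        print(label, audit(conf, uri))
```

Running it prints one server-side finding and one shovel-side finding for the configuration as posted, and no findings for the fixed pair: the broker verifies client certificates only when one is presented, and the shovel now validates the broker's chain against the CA bundle, which is what silences the warning.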

x1021

Sep 14, 2023, 2:32:38 PM
to rabbitmq-users
Hello Luke,
Thanks for your input. I will definitely try setting ssl_options.fail_if_no_peer_cert to false.
As for the client app enabling TLS verification via the shovel URI... I will have a bit of trouble with that, as the code is not managed by me, but I do see what you mean and will share the suggestion.
Lastly, does RabbitMQ have a page describing what level of significance [Warning] carries? Is it something to be taken as a suggestion?