[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:646)


Jiahang Chen

Oct 30, 2019, 9:48:30 AM
to rabbitmq-users
Hello,


I tried to use X.509 certificates to authenticate server and client. This was tested against RabbitMQ 3.8, Python 3.5 and pika 1.0.


The Python code:

import pika
import ssl

# Trust only the private root CA when verifying the broker's certificate
context = ssl.create_default_context(cafile="C:/Users/chen/Desktop/CA/ca/root-cert.cer")
# Present the client certificate and key to the broker
context.load_cert_chain("C:/Users/chen/Desktop/CA/client/client-cert.cer",
                        "C:/Users/chen/Desktop/CA/client/client-key.pem")

# Second argument is the hostname checked against the broker's certificate
ssl_options = pika.SSLOptions(context, "localhost")
conn_params = pika.ConnectionParameters(port=5671, ssl_options=ssl_options)
connection = pika.BlockingConnection(conn_params)
channel = connection.channel()
channel.queue_declare(queue='mmi.news', durable=True, arguments={'x-queue-type': 'classic'})
channel.basic_publish(exchange='exchange.direct', routing_key='mmi.news', body='test11')
connection.close()


And the settings in the RabbitMQ config file:

[
  {rabbit, [
    {ssl_listeners, [5671]},
    {auth_mechanisms, ['PLAIN','EXTERNAL']},
    {ssl_options, [{cacertfile, "C:/Users/chen/Desktop/CA/ca/root-cert.cer"},
                   {certfile, "C:/Users/chen/Desktop/CA/server/server-cert.cer"},
                   {keyfile,"C:/Users/chen/Desktop/CA/server/server-key.pem" },
                   {verify, verify_peer},
                   {fail_if_no_peer_cert, false}]}
  ]}
].


After running, an error was displayed: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:646)

Does someone have an idea what the reason is?

Kind regards
Jiahang Chen

Luke Bakken

Oct 30, 2019, 11:10:16 AM
to rabbitmq-users
Hello,

What version of Erlang are you using?

That means that your client couldn't verify the server certificate.

Please carefully read this document and perform the tests indicated: https://www.rabbitmq.com/troubleshooting-ssl.html

Finally, if you are trying to use client certificate authentication, see my message here: https://groups.google.com/forum/#!msg/pika-python/lHv1Ho_I_DU/L4uoxKu3DQAJ

Thanks,
Luke

Jiahang Chen

Oct 31, 2019, 6:31:46 AM
to rabbitmq-users
Hi Luke,

The Erlang used is V10.5.

I have also tested the client and server certificates via s_client and s_server and got a return code 18 (self signed certificate).


Thanks
Jiahang
On Wednesday, October 30, 2019 at 4:10:16 PM UTC+1, Luke Bakken wrote:

Wesley Peng

Oct 31, 2019, 6:34:18 AM
to rabbitm...@googlegroups.com
Jiahang Chen wrote:
> the used erlang is V10.5
>
> I have also tested the client and server certificate via s_client and
> s_server and got a return code 18 (self signed certificate)
>

I must say this version of Erlang is too old. Maybe you want to upgrade?

Hence my running environment:

RabbitMQ version: 3.8.0
Node name: rabbit@ubuntu
Erlang configuration: Erlang/OTP 22 [erts-10.5.3] [source] [64-bit]
[smp:1:1] [ds:1:1:10] [async-threads:64]

陈家航

Oct 31, 2019, 8:22:52 AM
to rabbitm...@googlegroups.com
Hi Wesley,

I have installed the new Erlang/OTP 22 [erts-10.5][64 bit], but nothing has changed.



On Thursday, October 31, 2019 at 11:34 AM, Wesley Peng <wes...@myrambler.ru> wrote:

Jiahang Chen

Oct 31, 2019, 11:02:58 AM
to rabbitmq-users
Hey,

Update: the log file:

2019-10-31 16:01:07.203 [info] <0.876.0> accepting AMQP connection <0.876.0> ([::1]:52011 -> [::1]:5671)
2019-10-31 16:01:07.203 [error] <0.876.0> closing AMQP connection <0.876.0> ([::1]:52011 -> [::1]:5671):
{handshake_timeout,handshake}

On Wednesday, October 30, 2019 at 4:10:16 PM UTC+1, Luke Bakken wrote:
Hello,

Luke Bakken

Oct 31, 2019, 11:22:47 AM
to rabbitmq-users
Hello,

Those log lines are probably from when you ran openssl s_client and indicate that the TLS handshake worked. Since you got "return code 18 (self signed certificate)" there is either an error in how you ran the command, or an error in your certificates.

Please re-run the openssl commands, capture the entire command and the output into a file, and attach the file to your response. Just telling us you ran some commands is insufficient.

Finally, carefully read my message here and follow what I did:

https://groups.google.com/forum/#!msg/pika-python/lHv1Ho_I_DU/L4uoxKu3DQAJ

To generate test certificates, I use this project:
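
Added example, not part of the thread and not the project Luke refers to: a POSIX shell sketch that reproduces the "return code 18 (self signed certificate)" result discussed above by checking two throwaway certificates against one CA file with `openssl verify`, which reports the same verification code as "error 18". All file names and subjects (example-root-ca, CN=localhost) are constructed for the demo, and an `openssl` binary on PATH is assumed.

```shell
#!/bin/sh
# Added example: constructed throwaway PKI, not the poster's certificates.

# make_pki DIR: create a root CA, a server certificate signed by that CA,
# and an unrelated self-signed certificate, all inside DIR.
make_pki() {
    dir=$1
    # Root CA: self-signed by design, this is the trust anchor (cacertfile / cafile).
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=example-root-ca" \
        -keyout "$dir/ca-key.pem" -out "$dir/ca-cert.pem" 2>/dev/null || return 1
    # Server key and CSR, then the CA signs the CSR.
    openssl req -newkey rsa:2048 -nodes -subj "/CN=localhost" \
        -keyout "$dir/server-key.pem" -out "$dir/server.csr" 2>/dev/null || return 1
    openssl x509 -req -in "$dir/server.csr" -CA "$dir/ca-cert.pem" \
        -CAkey "$dir/ca-key.pem" -CAcreateserial -days 1 \
        -out "$dir/server-cert.pem" 2>/dev/null || return 1
    # A certificate that signs itself and has no relation to the CA above.
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=localhost" \
        -keyout "$dir/selfsigned-key.pem" -out "$dir/selfsigned-cert.pem" 2>/dev/null
}

# verify_against CAFILE CERT: print openssl's verdict for CERT using only
# CAFILE as trust anchor, the same check a TLS client performs on the leaf.
verify_against() {
    openssl verify -CAfile "$1" "$2" 2>&1
}

# Demo run: the CA-signed certificate validates, the self-signed one gives error 18.
demo_dir=$(mktemp -d)
if make_pki "$demo_dir"; then
    echo "CA-signed server certificate:"
    verify_against "$demo_dir/ca-cert.pem" "$demo_dir/server-cert.pem" || true
    echo "Self-signed certificate checked against the same CA:"
    verify_against "$demo_dir/ca-cert.pem" "$demo_dir/selfsigned-cert.pem" || true
fi
rm -rf "$demo_dir"
```

If the broker's `certfile` behaves like the second case, it was not issued by the CA that the client loads as `cafile`.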
