RabbitMQ over TLS port 5671


Meena Reddy

Jul 16, 2021, 7:31:15 PM7/16/21
to rabbitmq-users
Hi All,

Has anyone had luck making RabbitMQ work on the TLS port? I am getting "Connection reset by peer".

My environment is Ubuntu 16.04/18.04, RabbitMQ version 3.8.14, Erlang 23.x.

I did follow https://www.rabbitmq.com/ssl.html#enabling-tls to enable TLS port. 

I can see port 5671 listening. The non-TLS port 5672 is working fine without issues. I also tried disabling 5672 and enabling only 5671, with the same "Connection reset" result.

Listeners

Interface: [::], port: 15671, protocol: https, purpose: HTTP API over TLS (HTTPS)
Interface: [::], port: 25672, protocol: clustering, purpose: inter-node and CLI tool communication
Interface: [::], port: 5672, protocol: amqp, purpose: AMQP 0-9-1 and AMQP 1.0
Interface: [::], port: 5671, protocol: amqp/ssl, purpose: AMQP 0-9-1 and AMQP 1.0 over TLS

RabbitMQ configuration:

[
 {rabbit, [
   {log_levels, [{connection, debug}, {channel, debug}]},
   {tcp_listeners, [5672]},
   {auth_mechanisms, ['AMQPLAIN', 'EXTERNAL']},
   {ssl_listeners, [5671]},
   {ssl_options, [
     {cacertfile,           "/etc/rabbitmq/result/ca_certificate.pem"},
     {certfile,             "/etc/rabbitmq/result/server_certificate.pem"},
     %% all three files live under /etc/rabbitmq/result; the keyfile directory
     %% must match, or the listener cannot load its key and resets every client
     {keyfile,              "/etc/rabbitmq/result/server_key.pem"},
     {verify,               verify_none},
     {password,             "bunnies123456!"},
     {depth,                2},
     {fail_if_no_peer_cert, false}
   ]}
 ]}
].
Error:
ERROR/MainProcess] consumer: Cannot connect to amqps://kingis:**@x.x.x.x:5671//: [Errno 104] Connection reset by peer.

telnet x.x.x.x 5671
Trying x.x.x.x...
Connected to x.x.x.x
Escape character is '^]'.
Connection closed by foreign host.

tcpdump:

23:28:12.016322 IP .compute.internal.amqps > ip-.us-west-2.compute.internal.36592: Flags [S.], seq 3042883485, ack 4238509389, win 26847, options [mss 8961,sackOK,TS val 2894128443 ecr 2873372815,nop,wscale 7], length 0
23:28:12.016631 IP us-west-2.compute.internal.36592 > ip-.us-west-2.compute.internal.amqps: Flags [.], ack 1, win 211, options [nop,nop,TS val 2873372815 ecr 2894128443], length 0
23:28:12.016958 IP .us-west-2.compute.internal.36592 > ip-.us-west-2.compute.internal.amqps: Flags [P.], seq 1:218, ack 1, win 211, options [nop,nop,TS val 2873372815 ecr 2894128443], length 217
23:28:12.016982 IP .us-west-2.compute.internal.amqps > ip-.us-west-2.compute.internal.36592: Flags [.], ack 218, win 219, options [nop,nop,TS val 2894128443 ecr 2873372815], length 0
23:28:12.017222 IP .us-west-2.compute.internal.amqps > ip-.us-west-2.compute.internal.36592: Flags [R.], seq 1, ack 218, win 219, options [nop,nop,TS val 2894128443 ecr 2873372815], length 0
^C
Appreciate the help and thank you in advance. 


Mirah Gary

Jul 19, 2021, 3:46:09 AM7/19/21
to rabbitmq-users
Hi, 

It looks like you're having a certificate validation error, and that is resulting in the connection being rejected. Have you ensured that your certificates are configured correctly with the appropriate SANs and that your client trusts the CA used to sign your RabbitMQ certificate? See https://www.rabbitmq.com/ssl.html#certificates-and-keys for an overview of the steps necessary to ensure that RabbitMQ TLS is configured correctly, and also https://www.rabbitmq.com/troubleshooting-ssl.html for troubleshooting TLS issues.

--
Mirah
Technical Lead, RabbitMQ

Meena Reddy

Jul 19, 2021, 1:03:20 PM7/19/21
to rabbitmq-users

Thanks Mirah for the response.

I generated the tls-gen certificates as per the above link. As this is a development setup, I disabled peer verification for now to test. But that is also not working.

Config file:

[
 {rabbit, [
   {log_levels, [{connection, debug}, {channel, debug}]},
   {tcp_listeners, [5672]},
   {auth_mechanisms, ['AMQPLAIN', 'EXTERNAL']},
   {ssl_listeners, [{"172.28.10.121", 5671}]},
   {ssl_options, [
     {cacertfile,           "/etc/rabbitmq/result/ca_certificate.pem"},
     {certfile,             "/etc/rabbitmq/result/server_certificate.pem"},
     %% all three files live under /etc/rabbitmq/result; the keyfile directory
     %% must match, or the listener cannot load its key and resets every client
     {keyfile,              "/etc/rabbitmq/result/server_key.pem"},
     {verify,               verify_none},
     {password,             "bunnies123456!"},
     {depth,                2},
     {fail_if_no_peer_cert, false}
   ]}
 ]}
].

I tried manually with ssl client from same machine. 

openssl s_client -connect x.x.x.x:5671 -cert /etc/rabbitmq/result/client_certificate.pem -key /etc/rabbitmq/result/client_key.pem -CAfile /etc/rabbitmq/result/ca_certificate.pem
Enter pass phrase for /etc/rabbitmq/result/client_key.pem:
CONNECTED(00000003)
write:errno=104
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 247 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : 0000
    Session-ID:
    Session-ID-ctx:
    Master-Key:
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1626714018
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
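Mirah's reply points at certificate validation, while the s_client output above shows a different symptom: the broker accepts the TCP connection and then closes it after the ClientHello (write:errno=104, 0 bytes read), which is what a listener that cannot load its own key or certificate does. The following is an added example, not code from the thread or from the RabbitMQ project: a standard-library Python script with two parts. check_ssl_files() inspects the files named in ssl_options the way the broker would (path exists, readable by the current user, key matches certificate and password, CA file holds a certificate), and probe_tls() opens a verified TLS session and classifies the outcome as a reset before any ServerHello, a certificate verification failure, a timeout, or success. The serve_and_drop() helper, the 127.0.0.1 host and the port it returns are constructed stand-ins for the test, not a RabbitMQ broker; the file paths and key password in the main block are the ones posted in the thread.

```python
"""Pre-flight checks for the ssl_options files in rabbitmq.config, plus a TLS
probe that classifies how a connection to the TLS port fails.  Added example,
standard library only; serve_and_drop() is a constructed stand-in for a broker
whose listener cannot load its key, not RabbitMQ itself."""
import os
import socket
import ssl
import threading

# Exceptions meaning the peer dropped the TCP connection during the handshake
# instead of answering with TLS data or a TLS alert.
RESET_TYPES = (ConnectionResetError, BrokenPipeError,
               ssl.SSLEOFError, ssl.SSLZeroReturnError)


def check_ssl_files(cacertfile, certfile, keyfile, password=None):
    """Return a list of findings for the cacertfile/certfile/keyfile paths.

    Covers the failure modes that make a broker reset clients before sending
    any TLS data: a mistyped path, a file the broker's user cannot read, a key
    that does not match the certificate (or a wrong key password), and a CA
    file that contains no certificate.  Run it as the broker's own user.
    """
    findings = []
    for name, path in (("cacertfile", cacertfile), ("certfile", certfile),
                       ("keyfile", keyfile)):
        if not os.path.isfile(path):
            findings.append(f"{name}: {path} does not exist")
        elif not os.access(path, os.R_OK):
            findings.append(f"{name}: {path} is not readable by this user")
    if findings:
        return findings              # nothing further can be loaded
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    try:                             # fails on key/cert mismatch or bad password
        ctx.load_cert_chain(certfile, keyfile, password=password)
    except ssl.SSLError as exc:
        findings.append(f"certfile/keyfile: {exc.reason or exc}")
    try:                             # fails if the CA file holds no certificate
        ctx.load_verify_locations(cafile=cacertfile)
    except ssl.SSLError as exc:
        findings.append(f"cacertfile: {exc.reason or exc}")
    return findings


def _looks_like_reset(exc):
    if isinstance(exc, RESET_TYPES):
        return True
    text = str(exc).lower()          # newer OpenSSL wraps these in a plain SSLError
    return "eof" in text or "reset" in text


def probe_tls(host, port, cafile=None, server_hostname=None, timeout=5.0):
    """Open a verified TLS session to host:port and report the outcome."""
    ctx = ssl.create_default_context(cafile=cafile)
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=server_hostname or host) as tls:
                return {"status": "ok", "protocol": tls.version(),
                        "cipher": tls.cipher()[0]}
    except ssl.SSLCertVerificationError as exc:
        # The server answered; the client rejected its chain (untrusted CA, SAN mismatch).
        return {"status": "cert_verify_failed", "detail": exc.verify_message}
    except OSError as exc:           # ssl.SSLError and socket errors both derive from OSError
        if _looks_like_reset(exc):
            # Closed without a ServerHello: the listener most likely could not load
            # its own key/cert, so read the broker log and run check_ssl_files().
            return {"status": "reset_during_handshake", "detail": str(exc)}
        if isinstance(exc, socket.timeout):
            return {"status": "timeout", "detail": str(exc)}
        if isinstance(exc, ssl.SSLError):
            return {"status": "handshake_failed", "detail": exc.reason or str(exc)}
        return {"status": "tcp_failed", "detail": str(exc)}


def serve_and_drop():
    """Constructed stand-in for a broken TLS listener: accept one connection,
    read the ClientHello, then close without replying.  Returns the port."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def run():
        conn, _ = srv.accept()
        conn.settimeout(2)
        try:
            conn.recv(4096)
        except OSError:
            pass
        conn.close()
        srv.close()

    threading.Thread(target=run, daemon=True).start()
    return port


if __name__ == "__main__":
    # File paths and key password as posted in the thread.
    print(check_ssl_files("/etc/rabbitmq/result/ca_certificate.pem",
                          "/etc/rabbitmq/result/server_certificate.pem",
                          "/etc/rabbitmq/result/server_key.pem",
                          password="bunnies123456!"))
    print(probe_tls("127.0.0.1", serve_and_drop()))   # constructed stand-in
```

Run the file checks as the broker's own account (for example with sudo -u rabbitmq) rather than as root, since root can read files the rabbitmq user cannot, and that is exactly the permission problem this thread ended on. For the probe against a real broker, pass the tls-gen CA as cafile and the certificate's SAN as server_hostname; a "reset_during_handshake" result points at the broker side, a "cert_verify_failed" result at the client's trust store or the SAN.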

Meena Reddy

Jul 19, 2021, 4:31:13 PM7/19/21
to rabbitmq-users
Thank you Mirah for the hints. I did a clean install again, regenerated the certs with tls-gen, and gave full permissions to the certs. Now I see it is accepting connections.