mochiweb certfile badmatch

Bill Schwanitz

unread,

Apr 12, 2016, 3:52:57 PM4/12/16

to rabbitmq-users

I'm not sure what I'm doing wrong with this one. Moving the configs I was working with in my vagrant vm setup out to our testing environment and ran in to a huge snag ;(

No matter what I do I can't get rid of the badmatch error below. I've tried a few things which I'll enumerate below as well.

=ERROR REPORT==== 12-Apr-2016::15:42:40 ===

application: mochiweb

"Accept failed error"

"{error,{certfile,{badmatch,[]}}}"

1) default config from puppet

% This file managed by Puppet

% Template Path: rabbitmq/templates/rabbitmq.config

[

{ssl, [{versions, ['tlsv1', 'tlsv1.1', 'tlsv1.2']}]},

{rabbit, [

{cluster_nodes, {['rabbit@rabbit_n1', 'rabbit@rabbit_n2'], disc}},

{cluster_partition_handling, ignore},

{tcp_listen_options,

[binary,

{packet, raw},

{reuseaddr, true},

{backlog, 128},

{nodelay, true},

{exit_on_close, false}]

},

{tcp_listeners, []},

{ssl_listeners, [5671]},

{ssl_options, [

{cacertfile,"/etc/pki/tls/certs/comodo-rsa-domain-validation-sha-2-w-root.ca-bundle"},

{certfile,"/etc/pki/tls/certs/rabbitmq.pem"},

{keyfile,"/etc/pki/tls/private/rabbitmq.key"},

{verify,verify_none},

{fail_if_no_peer_cert,false}

,{versions, ['tlsv1', 'tlsv1.1', 'tlsv1.2']}

]},

{default_user, <<"guest">>},

{default_pass, <<"guest">>}

]},

{kernel, [

]}

,

{rabbitmq_management, [

{listener, [

{port, 15671},

{ssl, true},

{ssl_opts, [

{cacertfile, "/etc/pki/tls/certs/comodo-rsa-domain-validation-sha-2-w-root.ca-bundle"},

{certfile, "/etc/pki/tls/certs/rabbitmq.pem"},

{keyfile, "/etc/pki/tls/private/rabbitmq.key"}

,{versions, ['tlsv1', 'tlsv1.1', 'tlsv1.2']}

]}

].

% EOF

2) manually set the listen address

% This file managed by Puppet

% Template Path: rabbitmq/templates/rabbitmq.config

[

{ssl, [{versions, ['tlsv1', 'tlsv1.1', 'tlsv1.2']}]},

{rabbit, [

{cluster_nodes, {['rabbit@rabbit_n1', 'rabbit@rabbit_n2'], disc}},

{cluster_partition_handling, ignore},

{tcp_listen_options,

[binary,

{packet, raw},

{reuseaddr, true},

{backlog, 128},

{nodelay, true},

{exit_on_close, false}]

},

{tcp_listeners, []},

{ssl_listeners, [{ "rabbit_n1.internal.lan", 5671}]},

{ssl_options, [

{cacertfile,"/etc/pki/tls/certs/comodo-rsa-domain-validation-sha-2-w-root.ca-bundle"},

{certfile,"/etc/pki/tls/certs/rabbitmq.pem"},

{keyfile,"/etc/pki/tls/private/rabbitmq.key"},

{verify,verify_none},

{fail_if_no_peer_cert,false}

,{versions, ['tlsv1', 'tlsv1.1', 'tlsv1.2']}

]},

{default_user, <<"guest">>},

{default_pass, <<"guest">>}

]},

{kernel, [

]}

,

{rabbitmq_management, [

{listener, [

{port, 15671 },

{ssl, true},

{ssl_opts, [

{cacertfile, "/etc/pki/tls/certs/comodo-rsa-domain-validation-sha-2-w-root.ca-bundle"},

{certfile, "/etc/pki/tls/certs/rabbitmq.pem"},

{keyfile, "/etc/pki/tls/private/rabbitmq.key"}

,{versions, ['tlsv1', 'tlsv1.1', 'tlsv1.2']}

]}

].

% EOF

3) The hostname of the test env hosts use short names so I modified the systems to show fqdn and rebooted. No change in behavior

4) verified the ssl keys ( was actually step 0 in this list if you look at order ). All verified fine. openssl was run via sudo as rabbitmq - same as the rabbitmq-server processes ( minus sudo but should be functionally the same )

Versions

rpm -qa|egrep 'rabbit|erlang'

erlang-18.3-1.el7.centos.x86_64

rabbitmq-server-3.6.1-1.noarch

cat /etc/redhat-release

Red Hat Enterprise Linux Server release 7.2 (Maipo)

The blank data in the badmatch has me worried. I diff'd out the rabbitmq.config files between the working and non-working environments. The only changes are hostname related.

Anyone have an idea of what I'm doing wrong here?

Michael Klishin

unread,

Apr 12, 2016, 3:58:35 PM4/12/16

to rabbitm...@googlegroups.com, Bill Schwanitz

See https://groups.google.com/forum/#!searchin/rabbitmq-users/mochiweb$20certfile$20badmatch/rabbitmq-users/sbnDX7gIYpA/PQK4nQTJkZ0J.

Also, you don't need to specify TLS versions everywhere, in fact, the versions you list are
enabled by default in recent 3.5.x and 3.6.x releases.

> --
> You received this message because you are subscribed to the Google Groups "rabbitmq-users"
> group.
> To unsubscribe from this group and stop receiving emails from it, send an email to rabbitmq-user...@googlegroups.com.
> To post to this group, send an email to rabbitm...@googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.
>

--
MK

Staff Software Engineer, Pivotal/RabbitMQ

Bill Schwanitz

unread,

Apr 12, 2016, 4:04:12 PM4/12/16

to rabbitmq-users, bil...@gmail.com

ah good to know. is sslv3 disabled by default then too? That was my main reason for doing the def

Michael Klishin

unread,

Apr 12, 2016, 4:23:03 PM4/12/16

to rabbitm...@googlegroups.com, Bill Schwanitz

On 12 April 2016 at 23:04:15, Bill Schwanitz (bil...@gmail.com) wrote:
> ah good to know. is sslv3 disabled by default then too? That was
> my main reason for doing the def

Please take a look at the docs, for example, the 2nd line in the TLS guide:
http://www.rabbitmq.com/ssl.html

bill

unread,

Apr 12, 2016, 5:18:05 PM4/12/16

to rabbitm...@googlegroups.com

Second line betting the erlang version? I have 18.something on there. Should I go back in erlang version? ( This matched my vagrant setup too so...)

Bill Schwanitz

If A is a success in life, then A equals x plus y plus z. Work is x; y is play; and z is keeping your mouth shut. - Albert Einstein.

Michael Klishin

unread,

Apr 12, 2016, 5:41:43 PM4/12/16

to rabbitm...@googlegroups.com

I'm not aware of any reason to not use 18.x.

Bill Schwanitz

unread,

Apr 13, 2016, 10:59:24 AM4/13/16

to rabbitmq-users

So I'm not sure why but erlang does not appear to like the cert or the chain. given the lack of detail I'm not sure which.

I switched out to puppet generated cert/key ( used by the puppet agent/server ) and all is well - same config otherwise.

Reply all

Reply to author

Forward