TLS server: In state certify at ssl_handshake.erl:2098 generated SERVER ALERT: Fatal - Unknown CA

Maxim “Max”

Jan 28, 2023, 11:07:54 AM
to rabbitmq-users
Hi,
I get this message when trying to test a TLS connection to the RabbitMQ management API on Windows. I tried to use manually generated self-signed certs as described in the tutorial, and also AD CA-signed ones. I get this error all the time.
My versions are:
  • Windows Server 2019 Datacenter on vSphere Client version 7.0.3.01100
  • RabbitMQ 3.11.4
  • Erlang 25.1.2
  • Client is .NET Framework 4.8
  • RabbitMQ.Client 6.2.1
  • OpenSSL 3.0.7 1 Nov 2022 (Library: OpenSSL 3.0.7 1 Nov 2022)
When I test the certificates using openssl s_server/s_client:
[screenshot: openssl.png]
Please advise what could be wrong.

Luke Bakken

Jan 28, 2023, 11:42:29 AM
to rabbitmq-users
Hi Maxim,

Please note the "hostname mismatch" in the screenshot you provided. Other than that, there isn't much you've provided for us to work with.

I can generate my own certs using tls-gen (https://github.com/rabbitmq/tls-gen). It would be very helpful to have the .NET code you're using to make HTTP API requests.

Thanks,
Luke

Maxim “Max”

Jan 30, 2023, 5:12:43 AM
to rabbitmq-users
Hi,
I think I managed to localize the problem.
The failing request is "https://RabbitMQhost:15674/api/" through HttpWebRequest.
The same request succeeds from the browser, because the appropriate certificate is installed.
This certificate is signed by the Active Directory CA and is verified as valid for Windows,
but it looks like it isn't valid for RabbitMQ, although I provided all PEM files in the configuration.
The openssl test shows a "hostname mismatch" error although the certificate's SAN contains all possible variations.
I am going to check upper/lower case sensitivity in the CN and SAN, because this server has both in its name.
Will be happy to read any comments.
Thank you
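As an added example (not code from this thread or from RabbitMQ), the check below reproduces the hostname-vs-SAN rules that clients such as OpenSSL apply when they report "hostname mismatch": dNSName entries compare case-insensitively, a wildcard is accepted only as the whole leftmost label, an IP literal must match an iPAddress entry exactly, and the CN is ignored once a SAN extension is present. The SAN list is constructed for illustration; the "Unknown CA" alert in the subject line is a different failure, namely the server rejecting the peer certificate chain against its configured CA certificates.

```python
"""Hostname-vs-SAN matching check (added example, not from the thread).

Implements the RFC 6125 rules as commonly enforced by TLS clients; it does
not claim to mirror the Erlang ssl application's exact behaviour.
"""
import ipaddress

# Constructed SAN list, not the certificate discussed in the thread.
# Entries are ("DNS", name) for dNSName or ("IP", address) for iPAddress.
SAN = [("DNS", "RabbitMQhost"),
       ("DNS", "rabbitmqhost.corp.example"),
       ("DNS", "*.corp.example"),
       ("IP", "10.0.0.5")]


def dns_name_match(pattern: str, host: str) -> bool:
    """Compare one dNSName SAN entry against a hostname, case-insensitively."""
    p = pattern.lower().rstrip(".")
    h = host.lower().rstrip(".")
    if "*" not in p:
        return p == h
    p_labels, h_labels = p.split("."), h.split(".")
    # Conservative wildcard rule: '*' must be the entire leftmost label,
    # at least two labels must follow it, and it covers exactly one label.
    if p_labels[0] != "*" or len(p_labels) < 3:
        return False
    if len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def hostname_matches(san, host: str) -> bool:
    """True if host is covered by the SAN list; the CN is deliberately ignored."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    if ip is not None:
        # An IP literal only matches an iPAddress entry, never a dNSName.
        return any(t == "IP" and ipaddress.ip_address(v) == ip for t, v in san)
    return any(t == "DNS" and dns_name_match(v, host) for t, v in san)


if __name__ == "__main__":
    for name in ("RabbitMQhost", "RABBITMQHOST", "broker.corp.example", "10.0.0.6"):
        print(f"{name}: {'match' if hostname_matches(SAN, name) else 'mismatch'}")
```

Running it against a real certificate means extracting its SAN entries first (for example with `openssl x509 -noout -ext subjectAltName`) and feeding them in as the list above.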