Add Certificate key password to Rabbitmq configuration file


Rúben Barros

Jan 15, 2015, 11:27:36 AM
to rabbitm...@googlegroups.com

I'm trying to configure RabbitMQ with certificates generated by StartSSL. I got an ssl.key, an ssl.crt and a ca.pem, which I'm including in the following rabbitmq.config file:

[
  {rabbit, [
    {tcp_listeners, [5672]},
    {ssl_listeners, [5671]},
    {ssl_options, [{cacertfile, "/usr/bin/testca/ca.pem"},
                   {certfile, "/usr/bin/server/ssl.cert"},
                   {keyfile, "/usr/bin/server/ssl.key"},
                   {verify, verify_peer},
                   {fail_if_no_peer_cert, false}]}
  ]}
].

Then I try to connect and I get this error:

Error on AMQP connection <0.367.0>:
{ssl_upgrade_error,{keyfile,function_clause}}

I tried to use the recommended `openssl s_server` and `openssl s_client` with my old self-signed certificate and it was working.

Then I tried with the StartSSL certificate and it asked for my password, and worked.

I'm reading the documentation, but I don't find anything about the error or how to put the ssl.key password in the rabbitmq.config file.

Michael Klishin

Jan 15, 2015, 11:36:26 AM
to rabbitm...@googlegroups.com, Rúben Barros
On 15 January 2015 at 19:27:38, Rúben Barros (xum...@gmail.com) wrote:
> I'm reading the documentation, but I don't find anything about
> the error or how to put the ssl.key password in the rabbitmq.config
> file

Using the `password` key (next to `keyfile`, `certfile`, etc).
--
MK

Staff Software Engineer, Pivotal/RabbitMQ
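The answer above is the `password` key next to `keyfile`, which only helps when the key file really is passphrase-protected. The following is an added example (not from this thread, RabbitMQ, or Erlang/OTP) that inspects a PEM key file, tells the traditional OpenSSL form (`Proc-Type: 4,ENCRYPTED` plus `DEK-Info` headers) from the PKCS#8 `ENCRYPTED PRIVATE KEY` form, and renders the `ssl_options` stanza with or without `{password, ...}` accordingly, refusing to emit a config that references an encrypted key without a passphrase. The sample keys are constructed placeholders, not real key material; which encrypted PEM forms a given OTP release can decrypt is an assumption flagged in the code, not something the thread confirms.

```python
"""Inspect a PEM private key and render RabbitMQ's ssl_options for it.

Added example, not code from the thread or from RabbitMQ. It relies on the
PEM conventions OpenSSL uses: a passphrase-protected traditional key carries
"Proc-Type: 4,ENCRYPTED" and "DEK-Info" headers; a PKCS#8 one is labelled
"ENCRYPTED PRIVATE KEY".
"""
import re

TRADITIONAL_KEY_LABELS = {"RSA PRIVATE KEY", "DSA PRIVATE KEY", "EC PRIVATE KEY"}
PKCS8_PLAIN_LABEL = "PRIVATE KEY"
PKCS8_ENCRYPTED_LABEL = "ENCRYPTED PRIVATE KEY"

_PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.S)


def pem_entries(text):
    """Return (label, headers) for every PEM block; headers are the optional
    'Key: value' lines that precede the base64 body."""
    entries = []
    for match in _PEM_BLOCK.finditer(text):
        label, payload = match.group(1), match.group(2)
        headers = {}
        for line in payload.splitlines():
            if ":" not in line:
                break  # blank line or first base64 line ends the header section
            key, _, value = line.partition(":")
            headers[key.strip()] = value.strip()
        entries.append((label, headers))
    return entries


def classify_key(text):
    """Classify the first private key in a PEM file."""
    for label, headers in pem_entries(text):
        if label in TRADITIONAL_KEY_LABELS:
            encrypted = headers.get("Proc-Type") == "4,ENCRYPTED" and "DEK-Info" in headers
            return "traditional-encrypted" if encrypted else "traditional-plain"
        if label == PKCS8_ENCRYPTED_LABEL:
            return "pkcs8-encrypted"
        if label == PKCS8_PLAIN_LABEL:
            return "pkcs8-plain"
    return "no-key"


def erlang_string(value):
    """Quote a str as an Erlang string literal (escape backslash and double quote)."""
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'


def ssl_options(cacertfile, certfile, keyfile, key_text, password=None):
    """Render the ssl_options proplist for rabbitmq.config.

    Raises ValueError when the key is encrypted but no passphrase was given,
    so the mismatch is caught before the broker logs an ssl_upgrade_error.
    """
    kind = classify_key(key_text)
    if kind == "no-key":
        raise ValueError("%s contains no PEM private key" % keyfile)
    if kind.endswith("-encrypted") and not password:
        raise ValueError("%s is passphrase-protected: add {password, ...} "
                         "or remove the passphrase from the key" % keyfile)
    pairs = [("cacertfile", erlang_string(cacertfile)),
             ("certfile", erlang_string(certfile)),
             ("keyfile", erlang_string(keyfile))]
    if kind.endswith("-encrypted"):
        # Assumption: older OTP releases only decrypt the traditional DEK-Info
        # form; a PKCS#8-encrypted key is passed through but worth re-checking.
        pairs.append(("password", erlang_string(password)))
    pairs += [("verify", "verify_peer"), ("fail_if_no_peer_cert", "false")]
    body = ",\n               ".join("{%s, %s}" % pair for pair in pairs)
    return "{ssl_options, [%s]}" % body


# Constructed samples: the shape OpenSSL writes, with placeholder bodies.
SAMPLE_ENCRYPTED_KEY = """-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-256-CBC,0123456789ABCDEF0123456789ABCDEF

MIIEpAIBAAKCAQEAPLACEHOLDERBODYNOTAREALKEY
-----END RSA PRIVATE KEY-----
"""

SAMPLE_PLAIN_KEY = """-----BEGIN RSA PRIVATE KEY-----
MIIEpAIBAAKCAQEAPLACEHOLDERBODYNOTAREALKEY
-----END RSA PRIVATE KEY-----
"""

if __name__ == "__main__":
    print(ssl_options("/usr/bin/testca/ca.pem", "/usr/bin/server/ssl.cert",
                      "/usr/bin/server/ssl.key", SAMPLE_ENCRYPTED_KEY,
                      password="example-passphrase"))
```

Run it against the real key with `open(path).read()` in place of the constructed sample; if `classify_key` reports a plain key, the `password` option is not what is missing and the `ssl_upgrade_error` has another cause.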

Rúben Barros

Jan 15, 2015, 11:38:19 AM
to rabbitm...@googlegroups.com, xum...@gmail.com
[
  {rabbit, [
    {tcp_listeners, [5672]},
    {ssl_listeners, [5671]},
    {ssl_options, [{cacertfile, "/usr/bin/testca/ca.pem"},
                   {certfile, "/usr/bin/server/ssl.cert"},
                   {keyfile, "/usr/bin/server/ssl.key"},
                   {password, "**********"},
                   {verify, verify_peer},
                   {fail_if_no_peer_cert, false}]}
  ]}
].
Like that?

Michael Klishin

Jan 15, 2015, 11:40:07 AM
to rabbitm...@googlegroups.com, Rúben Barros
On 15 January 2015 at 19:38:20, Rúben Barros (xum...@gmail.com) wrote:
> [ {rabbit, [ {tcp_listeners, [5672]}, {ssl_listeners, [5671]},
> {ssl_options, [{cacertfile, "/usr/bin/testca/ca.pem"},
> {certfile, "/usr/bin/server/ssl.cert"}, {keyfile, "/usr/bin/server/ssl.key"},
> {password, "**********"},
> {verify, verify_peer}, {fail_if_no_peer_cert, false}]}
> ]} ].
> Like that?

Yes. 

Rúben Barros

Jan 15, 2015, 11:43:35 AM
to rabbitm...@googlegroups.com, xum...@gmail.com
Still getting this error:

Error on AMQP connection <0.333.0>:
{ssl_upgrade_error,{keyfile,function_clause}}

Do you know what it can be, or where I can find more information about it?

Michael Klishin

Jan 15, 2015, 11:46:40 AM
to rabbitm...@googlegroups.com, Rúben Barros
On 15 January 2015 at 19:43:37, Rúben Barros (xum...@gmail.com) wrote:
> Error on AMQP connection <0.333.0>:
> {ssl_upgrade_error,{keyfile,function_clause}}

This is the first time I see this upgrade error. Is it the entire stack trace?

Rúben Barros

Jan 15, 2015, 11:49:11 AM
to rabbitm...@googlegroups.com, xum...@gmail.com
=INFO REPORT==== 15-Jan-2015::16:41:14 ===
accepting AMQP connection <0.310.0> (172.17.42.1:51802 -> 172.17.0.8:5671)

=INFO REPORT==== 15-Jan-2015::16:41:14 ===
accepting AMQP connection <0.314.0> (172.17.42.1:51804 -> 172.17.0.8:5671)

=INFO REPORT==== 15-Jan-2015::16:41:14 ===
accepting AMQP connection <0.318.0> (172.17.42.1:51806 -> 172.17.0.8:5671)

=ERROR REPORT==== 15-Jan-2015::16:41:19 ===
Error on AMQP connection <0.310.0>:
{ssl_upgrade_error,{keyfile,function_clause}}

=ERROR REPORT==== 15-Jan-2015::16:41:19 ===
Error on AMQP connection <0.314.0>:
{ssl_upgrade_error,{keyfile,function_clause}}

From /var/log/rabbitmq/rabbit\@62057d8bbd3a.log

It's not very helpful. I try to connect and then get that error.
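The log above pairs each `accepting AMQP connection <pid>` line with a later `Error on AMQP connection <pid>` report, and the connection id is the only link between them. The following is an added example (not from the thread or from RabbitMQ) that parses this report-style log format, joins the two records by connection id, and counts TLS upgrade failures per client address, which is the view an operator wants both for debugging and for spotting a single peer repeatedly failing the handshake. The sample log is the excerpt posted above, embedded inline; the report-header pattern is an assumption based on that excerpt.

```python
"""Correlate RabbitMQ 'accepting' and 'Error on AMQP connection' log records.

Added example, not code from the thread or from RabbitMQ. Assumes the
'=LEVEL REPORT==== timestamp ===' record format shown in the thread.
"""
import re
from collections import Counter

_REPORT = re.compile(r"^=(INFO|ERROR|WARNING) REPORT==== (\S+) ===$")
_ACCEPT = re.compile(r"accepting AMQP connection <([\d.]+)> "
                     r"\(([\d.]+):(\d+) -> ([\d.]+):(\d+)\)")
_ERROR = re.compile(r"Error on AMQP connection <([\d.]+)>:")


def parse_reports(text):
    """Split the log into (level, timestamp, body_lines) records."""
    reports = []
    current = None
    for line in text.splitlines():
        header = _REPORT.match(line)
        if header:
            current = (header.group(1), header.group(2), [])
            reports.append(current)
        elif current is not None and line.strip():
            current[2].append(line.strip())
    return reports


def _empty_conn():
    return {"accepted": None, "client": None, "client_port": None,
            "listener_port": None, "error": None, "failed_at": None}


def correlate_tls_failures(text):
    """Map each connection pid to its peer address and, if it failed, the reason."""
    conns = {}
    for level, timestamp, body in parse_reports(text):
        if not body:
            continue
        accept = _ACCEPT.search(body[0])
        if accept:
            info = conns.setdefault(accept.group(1), _empty_conn())
            info.update(accepted=timestamp, client=accept.group(2),
                        client_port=int(accept.group(3)),
                        listener_port=int(accept.group(5)))
            continue
        error = _ERROR.search(body[0])
        if error:
            info = conns.setdefault(error.group(1), _empty_conn())
            # The Erlang term with the reason is the line after the header.
            info["error"] = body[1] if len(body) > 1 else ""
            info["failed_at"] = timestamp
    return conns


def failures_by_client(text, needle="ssl_upgrade_error"):
    """Count handshake failures per client address (None if the accept line was lost)."""
    counts = Counter()
    for info in correlate_tls_failures(text).values():
        if info["error"] and needle in info["error"]:
            counts[info["client"]] += 1
    return counts


# Sample input: the log excerpt posted in this thread.
SAMPLE_LOG = """=INFO REPORT==== 15-Jan-2015::16:41:14 ===
accepting AMQP connection <0.310.0> (172.17.42.1:51802 -> 172.17.0.8:5671)

=INFO REPORT==== 15-Jan-2015::16:41:14 ===
accepting AMQP connection <0.314.0> (172.17.42.1:51804 -> 172.17.0.8:5671)

=INFO REPORT==== 15-Jan-2015::16:41:14 ===
accepting AMQP connection <0.318.0> (172.17.42.1:51806 -> 172.17.0.8:5671)

=ERROR REPORT==== 15-Jan-2015::16:41:19 ===
Error on AMQP connection <0.310.0>:
{ssl_upgrade_error,{keyfile,function_clause}}

=ERROR REPORT==== 15-Jan-2015::16:41:19 ===
Error on AMQP connection <0.314.0>:
{ssl_upgrade_error,{keyfile,function_clause}}
"""

if __name__ == "__main__":
    for pid, info in sorted(correlate_tls_failures(SAMPLE_LOG).items()):
        print(pid, info["client"], info["listener_port"], info["error"])
    print(dict(failures_by_client(SAMPLE_LOG)))
```

Because the reason here is `{keyfile, ...}`, the failures come from the server's own key file rather than from anything the client sent, so every client address will show the same failure until the key problem is fixed; a keyfile reason from one client only would point somewhere else.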

Michael Klishin

Jan 15, 2015, 11:50:44 AM
to rabbitm...@googlegroups.com, Rúben Barros
On 15 January 2015 at 19:49:12, Rúben Barros (xum...@gmail.com) wrote:
> =ERROR REPORT==== 15-Jan-2015::16:41:19 ===
> Error on AMQP connection <0.314.0>:
> {ssl_upgrade_error,{keyfile,function_clause}}

Anything in the SASL log?

Rúben Barros

Jan 15, 2015, 11:52:52 AM
to rabbitm...@googlegroups.com, xum...@gmail.com
No. The SASL log file is empty. Do I need to activate something to generate logs?

Michael Klishin

Jan 15, 2015, 11:55:08 AM
to rabbitm...@googlegroups.com, Rúben Barros
On 15 January 2015 at 19:52:53, Rúben Barros (xum...@gmail.com) wrote:
> No. SASL log file is empty. Do I need to activate something to
> generate logs?

You don't.

Are you running at least Erlang R16B03? There are limitations to the SSL implementation in earlier versions.

Michael Klishin

Jan 15, 2015, 11:58:51 AM
to rabbitm...@googlegroups.com, Rúben Barros
On 15 January 2015 at 19:52:53, Rúben Barros (xum...@gmail.com) wrote:
> Then I tried with the StartSSL certificate and It asked for my
> password, and worked.

What does s_client output when it successfully connects?

Rúben Barros

Jan 15, 2015, 11:59:20 AM
to rabbitm...@googlegroups.com, xum...@gmail.com
I have a freshly built Docker image. This was my workaround for Heartbleed a few months ago:

dpkg -i erlang-solutions_1.0_all.deb
apt-get update
apt-get install erlang

How can I know what version of erlang I'm using? I think it's R16B01

Rúben Barros

Jan 15, 2015, 12:01:30 PM
to rabbitm...@googlegroups.com, xum...@gmail.com
Enter pass phrase for server/ssl.key:
CONNECTED(00000003)
depth=0 C = PT, CN = www.aalmq.net, emailAddress = tbs...@inescporto.pt
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 C = PT, CN = www.aalmq.net, emailAddress = tbs...@inescporto.pt
verify error:num=27:certificate not trusted
verify return:1
depth=0 C = PT, CN = www.aalmq.net, emailAddress = tbs...@inescporto.pt
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
   i:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Class 1 Primary Intermediate Server CA
---
Server certificate
-----BEGIN CERTIFICATE-----
[...]
-----END CERTIFICATE-----
issuer=/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Class 1 Primary Intermediate Server CA
---
No client certificate CA names sent
---
SSL handshake has read 2255 bytes and written 431 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: 0F131B252242141F0837A25CC278695691A7B661814D729324650B0A468F6527
    Session-ID-ctx: 
    Master-Key: BA7320FC3683D15A1F147623EE3853043B63CB5C7894D9148E1158F5A951A810FA581488EFD1EA7C47F110A815B9CAED
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:
    0000 - e8 a4 7a a0 31 81 80 23-6b 75 89 9c 5b e5 76 77   ..z.1..#ku..[.vw
    0010 - 4d b5 de 5a a7 87 46 30-63 22 ef 31 e3 68 a5 58   M..Z..F0c".1.h.X
    0020 - 18 60 76 8c db 0c da 78-ae 45 6f 3f b9 35 d8 fe   .`v....x.Eo?.5..
    0030 - c5 57 34 99 66 6a b0 0e-ab 62 23 cb cc 8e 4b 43   .W4.fj...b#...KC
    0040 - 54 a1 ca 0d 0e 67 7e b5-c8 e0 2e 6a df 89 3c 77   T....g~....j..<w
    0050 - c0 f4 23 1b 06 c0 42 15-9b d5 95 4d ab bc a2 b4   ..#...B....M....
    0060 - 88 54 00 72 60 b5 da c2-52 cd 27 7e 3c 84 fa d5   .T.r`...R.'~<...
    0070 - 6e a5 42 94 1c 6a 97 1d-46 bc 71 18 61 6f df 69   n.B..j..F.q.ao.i
    0080 - 2f 4e d9 76 a1 32 5f 50-46 e3 6f f2 8f 9e b9 66   /N.v.2_PF.o....f
    0090 - c7 7d 06 d5 b8 38 77 00-a3 bc 8d bb b9 cd 5c 1b   .}...8w.......\.

    Start Time: 1421341355
    Timeout   : 300 (sec)
    Verify return code: 21 (unable to verify the first certificate)
---

Michael Klishin

Jan 15, 2015, 12:20:48 PM
to rabbitm...@googlegroups.com, Rúben Barros
On 15 January 2015 at 20:01:31, Rúben Barros (xum...@gmail.com) wrote:
> Enter pass phrase for server/ssl.key:
> CONNECTED(00000003)
> depth=0 C = PT, CN = www.aalmq.net, emailAddress = tbs...@inescporto.pt
> verify error:num=20:unable to get local issuer certificate
> verify return:1
> depth=0 C = PT, CN = www.aalmq.net, emailAddress = tbs...@inescporto.pt
> verify error:num=27:certificate not trusted
> verify return:1
> depth=0 C = PT, CN = www.aalmq.net, emailAddress = tbs...@inescporto.pt
> verify error:num=21:unable to verify the first certificate
> verify return:1



> Start Time: 1421341355
> Timeout : 300 (sec)
> Verify return code: 21 (unable to verify the first certificate)

This may or may not be related, but this is not a successful connection. It is more likely to have to do
with your *client* certificate, though. Using a "real" CA for the server and a self-signed one for the client, for example.

I'd suggest asking on erlang-questions. The underlying error comes from the TLS implementation,
maybe OTP engineers have a clue. 