CRL configuration in Federation plugin treating all certificates as bad certificates


Sushil Dwivedi

Jan 9, 2023, 1:03:36 PM
to rabbitmq-users
Hello Luke and Team,

I am using the Federation plugin. Below are the Erlang and RabbitMQ versions.
RabbitMQ 3.10.7
Erlang 25.0.4

I have the following configuration for the CRL revocation check in "advanced.config":
{crl_check, true},
{crl_cache, {ssl_crl_cache, {internal, [{http, 50000}]}}}

When I include the above 2 lines in "advanced.config", I get the error below for all certificates, even those that have not been revoked.
When I remove the above 2 lines, those certificates work perfectly fine; I can see the federation links getting created after removing these 2 lines.

-----------------------------------------------------------------------------------------------------------------------------

2023-01-09 04:46:05.079491+00:00 [notice] <0.1875.0> TLS client: In state cipher received SERVER ALERT: Fatal - Bad Certificate
2023-01-09 04:46:05.079491+00:00 [notice] <0.1875.0>
2023-01-09 04:46:05.080727+00:00 [warning] <0.1830.0> Federation exchange 'E-Mesh' in vhost '/' did not connect to exchange 'E-Mesh' in vhost '/' on amqps://10.77.116.149:8671. Reason: {error,
2023-01-09 04:46:05.080727+00:00 [warning] <0.1830.0>     {tls_alert,
2023-01-09 04:46:05.080727+00:00 [warning] <0.1830.0>      {bad_certificate,
2023-01-09 04:46:05.080727+00:00 [warning] <0.1830.0>       "TLS client: In state cipher received SERVER ALERT: Fatal - Bad Certificate\n"}}}
2023-01-09 04:46:05.081708+00:00 [error] <0.636.0>     supervisor: {<0.636.0>,rabbit_federation_link_sup}
2023-01-09 04:46:05.081708+00:00 [error] <0.636.0>     errorContext: child_terminated
2023-01-09 04:46:05.081708+00:00 [error] <0.636.0>     reason: {shutdown,restart}
2023-01-09 04:46:05.081708+00:00 [error] <0.636.0>     offender: [{pid,<0.1830.0>},
2023-01-09 04:46:05.081708+00:00 [error] <0.636.0>                {id,{upstream,
2023-01-09 04:46:05.081708+00:00 [error] <0.636.0>                        [{encrypted,
2023-01-09 04:46:05.081708+00:00 [error] <0.636.0>                             <<"...">>}],
2023-01-09 04:46:05.081708+00:00 [error] <0.636.0>                        <<"E-Mesh">>,<<"E-Mesh">>,
2023-01-09 04:46:05.081708+00:00 [error] <0.636.0>                        <<"federation-link-E-Mesh-FOR-sushil002.demo.local:8671-TO-sushil001.demo.local">>,
2023-01-09 04:46:05.081708+00:00 [error] <0.636.0>                        1000,1,10,none,none,false,'no-ack',none,
2023-01-09 04:46:05.081708+00:00 [error] <0.636.0>                        <<"E-Mesh-FOR-sushil002.demo.local:8671-TO-sushil001.demo.local">>,
2023-01-09 04:46:05.081708+00:00 [error] <0.636.0>                        false,default,multiple}},
2023-01-09 04:46:05.081708+00:00 [error] <0.636.0>                {mfargs,
2023-01-09 04:46:05.081708+00:00 [error] <0.636.0>                    {rabbit_federation_exchange_link,start_link,
2023-01-09 04:46:05.081708+00:00 [error] <0.636.0>                        [{{upstream,
2023-01-09 04:46:05.081708+00:00 [error] <0.636.0>                              [{encrypted,
2023-01-09 04:46:05.081708+00:00 [error] <0.636.0>                                   <<"...">>}],
2023-01-09 04:46:05.081708+00:00 [error] <0.636.0>                              <<"E-Mesh">>,<<"E-Mesh">>,
2023-01-09 04:46:05.081708+00:00 [error] <0.636.0>                              <<"federation-link-E-Mesh-FOR-sushil002.demo.local:8671-TO-sushil001.demo.local">>,
2023-01-09 04:46:05.081708+00:00 [error] <0.636.0>                              1000,1,10,none,none,false,'no-ack',none,
2023-01-09 04:46:05.081708+00:00 [error] <0.636.0>                              <<"E-Mesh-FOR-sushil002.demo.local:8671-TO-sushil001.demo.local">>,
2023-01-09 04:46:05.081708+00:00 [error] <0.636.0>                              false,default,multiple},
2023-01-09 04:46:05.081708+00:00 [error] <0.636.0>                          {resource,<<"/">>,exchange,<<"E-Mesh">>}}]}},
2023-01-09 04:46:05.081708+00:00 [error] <0.636.0>                {restart_type,{permanent,10}},
2023-01-09 04:46:05.081708+00:00 [error] <0.636.0>                {shutdown,300000},
2023-01-09 04:46:05.081708+00:00 [error] <0.636.0>                {child_type,worker}]
2023-01-09 04:46:05.085125+00:00 [notice] <0.1833.0> TLS client: In state cipher received SERVER ALERT: Fatal - Bad Certificate

---------------------------------------------------------------------------------------------------------------------------------------------------------------


I have also referred to the project created by Luke. There I also see the error below, even though basic.crl has no revoked certificates, as confirmed by the following command:

openssl crl -in basic.crl -inform DER -text -noout
Certificate Revocation List (CRL):
        Version 1 (0x0)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: /CN=TLSGenSelfSignedtRootCA 2022-11-28T10:45:31.937808/L=$$$$
        Last Update: Nov 28 18:45:34 2022 GMT
        Next Update: Dec  5 18:45:34 2022 GMT
No Revoked Certificates.
    Signature Algorithm: sha256WithRSAEncryption
.....

After running this project, the error log is below:

rabbitmq-users-crl-6ljceo9cn98-crl-1       | 172.19.0.3 - - [05/Jan/2023 10:23:02] "GET /basic.crl HTTP/1.1" 200 -
rabbitmq-users-crl-6ljceo9cn98-rmq1-1      | 2023-01-05 10:23:02.171034+00:00 [notice] <0.9533.1> TLS client: In state wait_cert at ssl_handshake.erl:2093 generated CLIENT ALERT: Fatal - Bad Certificate
rabbitmq-users-crl-6ljceo9cn98-rmq1-1      | 2023-01-05 10:23:02.171034+00:00 [notice] <0.9533.1>  - {bad_crls,no_relevant_crls}
rabbitmq-users-crl-6ljceo9cn98-rmq0-1      | 2023-01-05 10:23:02.171700+00:00 [notice] <0.13811.0> TLS server: In state wait_cert received CLIENT ALERT: Fatal - Bad Certificate
rabbitmq-users-crl-6ljceo9cn98-rmq0-1      | 2023-01-05 10:23:02.171700+00:00 [notice] <0.13811.0>
rabbitmq-users-crl-6ljceo9cn98-rmq1-1      | 2023-01-05 10:23:02.173002+00:00 [debug] <0.9538.1> Closing all channels from connection '<rab...@rmq1.1672907331.9514.1>' because it has been closed
rabbitmq-users-crl-6ljceo9cn98-rmq1-1      | 2023-01-05 10:23:02.172778+00:00 [warning] <0.9511.1> Federation exchange 'federated-direct' in vhost '/' did not connect to exchange 'federated-direct' in vhost '/' on amqps://rmq0. Reason: {error,
rabbitmq-users-crl-6ljceo9cn98-rmq1-1      | 2023-01-05 10:23:02.172778+00:00 [warning] <0.9511.1>     {tls_alert,
rabbitmq-users-crl-6ljceo9cn98-rmq1-1      | 2023-01-05 10:23:02.172778+00:00 [warning] <0.9511.1>      {bad_certificate,
rabbitmq-users-crl-6ljceo9cn98-rmq1-1      | 2023-01-05 10:23:02.172778+00:00 [warning] <0.9511.1>       "TLS client: In state wait_cert at ssl_handshake.erl:2093 generated CLIENT ALERT: Fatal - Bad Certificate\n {bad_crls,no_relevant_crls}"}}}
rabbitmq-users-crl-6ljceo9cn98-rmq1-1      | 2023-01-05 
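For the basic.crl dump and the `{bad_crls,no_relevant_crls}` alert in the post above, the following is an added example (my own standard-library Python, not code from RabbitMQ, Erlang/OTP or tls-gen) that parses a DER CertificateList, the structure `openssl crl -text` prints, and applies the checks a relying party makes before a CRL counts as relevant for a certificate: the CRL issuer must equal the certificate issuer (byte-wise DER Name comparison), the checking time must fall between Last Update and Next Update, and only then is the serial looked up in the revoked list. The two sample CRLs are constructed inline with the same issuer CN and update dates as the dump; the L RDN is omitted, the serial 0x1001 and the revocation date are assumptions, and the signature is a zero placeholder that is not verified (a real validator, Erlang's public_key included, also verifies it against the issuer key, which needs RSA/ECDSA code the standard library does not have).

```python
# Added example (not RabbitMQ, Erlang/OTP or tls-gen code): a standard-library
# X.509 CRL parser plus the relevance/validity checks a relying party applies.
# It does not verify the CRL signature; a real validator must also do that.
from datetime import datetime, timezone

SEQUENCE, SET, INTEGER, OID, UTF8, NULL, BITSTR, UTCTIME, GENTIME = (
    0x30, 0x31, 0x02, 0x06, 0x0C, 0x05, 0x03, 0x17, 0x18)
OID_CN = bytes.fromhex("550403")                       # 2.5.4.3 commonName
OID_SHA256_RSA = bytes.fromhex("2A864886F70D01010B")   # sha256WithRSAEncryption

def _len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def der(tag, content):
    """Encode one DER TLV."""
    return bytes([tag]) + _len(len(content)) + content

def _tlvs(buf):
    """Split DER content into (tag, value, raw_tlv) triples (short and long lengths)."""
    out, pos = [], 0
    while pos < len(buf):
        start, tag, ln = pos, buf[pos], buf[pos + 1]
        pos += 2
        if ln & 0x80:
            n = ln & 0x7F
            ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
        out.append((tag, buf[pos:pos + ln], buf[start:pos + ln]))
        pos += ln
    return out

def _time(tag, val):
    """UTCTime (YYMMDDHHMMSSZ, two-digit year per RFC 5280) or GeneralizedTime."""
    s = val.decode("ascii")
    if tag == UTCTIME:
        yy = int(s[:2])
        s = str(1900 + yy if yy >= 50 else 2000 + yy) + s[2:]
    return datetime.strptime(s, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def parse_crl(crl_der):
    """CertificateList -> dict(version, issuer as raw DER Name, this_update, next_update, revoked)."""
    (tag, body, _), = _tlvs(crl_der)
    if tag != SEQUENCE:
        raise ValueError("CertificateList must be a SEQUENCE")
    fields = _tlvs(_tlvs(body)[0][1])               # children of tbsCertList
    i, version = 0, 1
    if fields[0][0] == INTEGER:                     # version field is absent in v1 CRLs
        version, i = int.from_bytes(fields[0][1], "big") + 1, 1
    i += 1                                          # skip signature AlgorithmIdentifier
    issuer = fields[i][2]                           # raw DER: Names are compared byte-wise
    this_update = _time(*fields[i + 1][:2])
    i += 2
    next_update = None
    if i < len(fields) and fields[i][0] in (UTCTIME, GENTIME):
        next_update, i = _time(*fields[i][:2]), i + 1
    revoked = {}
    if i < len(fields) and fields[i][0] == SEQUENCE:  # revokedCertificates, absent when empty
        for _, entry, _ in _tlvs(fields[i][1]):
            serial, when = _tlvs(entry)[:2]
            revoked[int.from_bytes(serial[1], "big", signed=True)] = _time(*when[:2])
    return {"version": version, "issuer": issuer, "this_update": this_update,
            "next_update": next_update, "revoked": revoked}

def crl_status(crl_der, cert_issuer, cert_serial, now_utc):
    """Verdict for cert_serial at time now_utc ('YYYY-MM-DDTHH:MM:SSZ')."""
    now = datetime.strptime(now_utc, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    crl = parse_crl(crl_der)
    if crl["issuer"] != cert_issuer:
        return "issuer_mismatch"                    # CRL is not relevant to this certificate
    if now < crl["this_update"]:
        return "not_yet_valid"
    if crl["next_update"] is not None and now > crl["next_update"]:
        return "stale"                              # nextUpdate passed: a fresh CRL is needed
    return "revoked" if cert_serial in crl["revoked"] else "good"

def name_cn(cn):
    """DER Name with a single CN RDN (constructed; the real issuer also has an L RDN)."""
    atv = der(SEQUENCE, der(OID, OID_CN) + der(UTF8, cn.encode()))
    return der(SEQUENCE, der(SET, atv))

def build_crl(issuer, this_update, next_update, revoked):
    """Constructed v1 CertificateList with a zero-filled placeholder signature."""
    alg = der(SEQUENCE, der(OID, OID_SHA256_RSA) + der(NULL, b""))
    entries = b"".join(der(SEQUENCE, der(INTEGER, s.to_bytes(2, "big")) + der(UTCTIME, w.encode()))
                       for s, w in revoked.items())
    tbs = alg + issuer + der(UTCTIME, this_update.encode()) + der(UTCTIME, next_update.encode())
    tbs += der(SEQUENCE, entries) if entries else b""
    return der(SEQUENCE, der(SEQUENCE, tbs) + alg + der(BITSTR, bytes(33)))

ISSUER = name_cn("TLSGenSelfSignedtRootCA 2022-11-28T10:45:31.937808")
# Same Last/Next Update as the basic.crl dump in the thread (28 Nov 2022 .. 5 Dec 2022).
EMPTY_CRL = build_crl(ISSUER, "221128184534Z", "221205184534Z", {})
REVOKING_CRL = build_crl(ISSUER, "221128184534Z", "221205184534Z", {0x1001: "221130120000Z"})  # assumed serial

if __name__ == "__main__":
    print(crl_status(EMPTY_CRL, ISSUER, 0x1001, "2023-01-05T10:23:02Z"))   # stale: Next Update has passed
```

Checked against the dates in the dump, an empty CRL evaluated on 5 Jan 2023 (the timestamp of the log above) comes back `stale` because Next Update was 5 Dec 2022, while the same CRL on 1 Dec 2022 is `good` and a CRL listing the serial is `revoked`. Freshness of the served basic.crl and an issuer that matches the certificates byte for byte are therefore two things worth checking alongside the CRL distribution point URLs when a fetched CRL still yields `no_relevant_crls`.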



Luke Bakken

Jan 9, 2023, 5:17:14 PM
to rabbitmq-users
Hello,

Let's start with my project that demonstrates using a CRL and Federation. Note that the project is to demonstrate that the HTTP server that provides the CRL is actually queried. There are no certs actually added to the CRL (we will get to that later).

You will have to provide more information, because when I run my project everything works fine. I have attached the output from my environment to this response.

Please run the following commands exactly in your environment. Copy the commands and their output to a file to attach to your response. Do NOT paste a large amount of text!

docker version
docker compose version
cd rabbitmq-users-crl-6LjcEo9cn98
git submodule update --init
docker compose build --no-cache --pull
docker compose up --no-color |& tee /tmp/crl-6LjcEo9cn98-logs.txt

Let the above run for a few minutes, then stop the project and attach the /tmp/crl-6LjcEo9cn98-logs.txt file to your response as well.

Thanks,
Luke
rabbitmq-users-crl-6LjcEo9cn98-logs.txt

Sushil Dwivedi

Jan 10, 2023, 4:46:52 AM
to rabbitm...@googlegroups.com
Thanks Luke.

I have followed the aforesaid steps to run your project. It's working; I have run it locally on my MacBook and attached the logs. I can also see the CRL server being called: "GET /basic.crl HTTP/1.1" 200 -
How can I test revoked certificates in your project?

I have also attached the "advanced.config" file from my project. When I compare this file with the one from your project, I observe that the config related to "amqp_client" is not present. Does it make any difference?
I want to mention again that if I delete the 2 lines below from the "advanced.config" file, everything works fine and the federation link is created successfully. Please let me know if you need more information on this.

{crl_check, true},
{crl_cache, {ssl_crl_cache, {internal, [{http, 50000}]}}}


Thanks,
Sushil


crl-6LjcEo9cn98-logs.txt
dockerVersion.txt
advanced.config

Luke Bakken

Jan 10, 2023, 11:16:20 AM
to rabbitmq-users
I don't see any messages like this in your log file, so I can't be 100% sure it's working in your environment:

rabbitmq-users-crl-6ljceo9cn98-consumer-1  | INFO       2023-01-09 22:07:37,197 __main__   on_message  26  : CONSUMER received at 2023-01-09 22:07:37.197199, sent at 2023-01-09 22:07:33.245890 - iteration 8, delay: 0:00:03.951309
rabbitmq-users-crl-6ljceo9cn98-producer-1  | INFO       2023-01-09 22:07:38,252 __main__   main        75  : PRODUCER sent message 9 at 2023-01-09 22:07:38.251488


To test revoked certificates you have to add the certificates to the revocation list. I have some basic instructions here - https://github.com/rabbitmq/tls-gen/tree/main/basic#crl

> I have also attached the "advanced.config" file from my project. When I compare this file with the one from your project, I observe that the config related to "amqp_client" is not present. Does it make any difference?

My project is using client certificate authentication for the Federation links. I don't know how you are declaring your links. Having the amqp_client section in advanced.config means I do not have to specify the certificate information in the Federation AMQPS URIs.

> I want to mention again that if I delete the 2 lines below from the "advanced.config" file, everything works fine and the federation link is created successfully. Please let me know if you need more information on this.
>
> {crl_check, true},
> {crl_cache, {ssl_crl_cache, {internal, [{http, 50000}]}}}

If you want me to investigate, you'll have to provide a git repository like I did where I can clone it and run it. I really can't assist by guessing.

Everything you need is in my project.

Thanks,
Luke