SSL connection issues through haproxy


Robert White

Feb 10, 2021, 5:39:59 PM
to rabbitmq-users
This is the backstory that I think might be important.
OK, I have almost everything working. This is what is working:

* TLS port 15671 connections to the management GUI directly connected to each RabbitMQ server in the cluster
* TLS port 15671 connections to the management GUI connected through haproxy to the RabbitMQ cluster
* 5672 connections through haproxy to the RabbitMQ cluster
* 5672 connections directly to each RabbitMQ server in the RabbitMQ cluster
* TLS port 5671 connections directly connected to any RabbitMQ server in the RabbitMQ cluster

What is not working is:

* TLS port 5671 traffic through haproxy

This is the error message I receive from my Python script (haproxy name redacted):
ERROR:pika.adapters.blocking_connection:Connection workflow failed: AMQPConnectionWorkflowFailed: 1 exceptions in all; last exception - AMQPConnectorTransportSetupError: SSLCertVerificationError(1, "[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: Hostname mismatch, certificate is not valid for 'haproxy.hostname.com'. (_ssl.c:1051)"); first exception - None
ERROR:pika.adapters.blocking_connection:Error in _create_connection().

This is the error message I receive from RabbitMQ from this connection attempt:
2021-02-10 16:00:32.322 [debug] <0.27538.13> Supervisor {<0.27538.13>,rabbit_connection_sup} started rabbit_connection_helper_sup:start_link() at pid <0.27539.13>
2021-02-10 16:00:32.323 [debug] <0.27538.13> Supervisor {<0.27538.13>,rabbit_connection_sup} started rabbit_reader:start_link(<0.27539.13>, {acceptor,{0,0,0,0,0,0,0,0},5671}) at pid <0.27540.13>

I wonder if RabbitMQ is complaining that the connection originated from somewhere other than the haproxy, and the connection is coming from the haproxy server? Any help would be greatly appreciated.

Robert White

Feb 10, 2021, 6:13:19 PM
to rabbitmq-users
Adding my haproxy config file to see if anything there could be set up more optimally.

#---------------------------------------------------------------------
# Global settings
#---------------------------------------------------------------------
global
    log         127.0.0.1 local1
    log         127.0.0.1 local0 notice
    chroot      /var/lib/haproxy
    pidfile     /var/run/haproxy.pid
    maxconn     32768
    debug
    user        haproxy
    group       haproxy
    daemon
    stats socket /var/run/haproxy.sock mode 600 level admin
    stats timeout 2m

#---------------------------------------------------------------------
# common defaults that all the 'listen' and 'backend' sections will
# use if not designated in their block
#---------------------------------------------------------------------
defaults
    mode        tcp
    log         global
    option      dontlognull
    option      redispatch
    timeout connect 5000
    timeout client 30m
    timeout server 30m
    maxconn     60000
    retries     3

#---------------------------------------------------------------------
# balancing between the various backends
#---------------------------------------------------------------------
listen OPEN_cluster :5672
    balance     leastconn
    option tcpka
    server amqp-dev1 192.168.0.1:5672 check inter 5000 rise 2 fall 3
    server amqp-dev2 192.168.9.2:5672 check inter 5000 rise 2 fall 3

listen SECURE_cluster :5671
    mode        tcp
    balance     roundrobin
    server amqp-dev1 192.168.0.1:5671 check
    server amqp-dev2 192.168.9.2:5671 check

listen stomp_listener :61613
    balance     roundrobin
    server amqp-dev1 192.168.0.1:61613 check inter 5000 rise 2 fall 3
    server amqp-dev2 192.168.9.2:61613 check inter 5000 rise 2 fall 3

listen webstomp_listener :15674
    balance     leastconn
    server amqp-dev1 192.168.0.1:15674 check inter 5000 rise 2 fall 3
    server amqp-dev2 192.168.9.2:15674 check inter 5000 rise 2 fall 3

listen secure_GUI :15671
    balance     source
    server amqp-dev1 192.168.0.1:15671 check inter 5000 rise 2 fall 3
    server amqp-dev2 192.168.9.2:15671 check inter 5000 rise 2 fall 3

listen private_monitoring :8100
    mode   http
    option dontlog-normal
    stats  enable
    stats  show-node amqp-dev
    stats  uri /stats
    stats  refresh 5s
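
The `SECURE_cluster` listener above runs in `mode tcp`, so haproxy never terminates TLS: the client's handshake goes straight to a broker, and the client then checks the broker's certificate against the name it dialled (the haproxy host). The following diagnostic script is an added example, not part of the original thread or of RabbitMQ/haproxy: it fetches the leaf certificate an endpoint presents, lists the names it is valid for, and reports whether the dialled hostname is among them. The hostnames in the test data are constructed, and the `pika.SSLOptions(ctx, server_hostname=...)` reference in the message is the real pika constructor parameter.

```python
import socket
import ssl


def cert_names(cert):
    """Names a certificate is valid for: subjectAltName DNS entries, falling
    back to the subject commonName only when no SAN is present."""
    dns = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if dns:
        return dns
    return [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]


def name_matches(pattern, hostname):
    """Case-insensitive comparison; a leading '*.' covers exactly one label."""
    p, h = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if p.startswith("*."):
        return "." in h and h.split(".", 1)[1] == p[2:]
    return p == h


def cert_covers(cert, hostname):
    """True if a client dialling `hostname` could verify this certificate."""
    return any(name_matches(n, hostname) for n in cert_names(cert))


def fetch_peer_cert(host, port, cafile=None, timeout=5.0):
    """Retrieve the leaf certificate the endpoint presents. The chain is still
    verified against cafile / system CAs; only the name check is deferred so
    the mismatch can be reported instead of raised."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = False
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


def diagnose(host, port, cafile=None):
    """Explain why a client dialling host:port gets a hostname mismatch."""
    cert = fetch_peer_cert(host, port, cafile)
    if cert_covers(cert, host):
        return "OK: %s:%d presents a certificate valid for %s" % (host, port, host)
    return ("MISMATCH: %s:%d presents a certificate for %s. Either add %s as a "
            "subjectAltName on every broker certificate, or have the client verify "
            "the backend name instead, e.g. pika.SSLOptions(ctx, server_hostname=...)"
            % (host, port, cert_names(cert), host))


if __name__ == "__main__":
    import sys  # usage: script.py <haproxy-host> <port> [ca-bundle]
    print(diagnose(sys.argv[1], int(sys.argv[2]), sys.argv[3] if len(sys.argv) > 3 else None))
```

With `balance roundrobin` across two brokers, the client-side `server_hostname` option only works if both broker certificates carry that same name; adding the proxy's name as a SAN on each broker certificate is the fix that holds regardless of which backend answers.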

