SSL using Windows generated certs


Rory Thompson

Feb 15, 2017, 9:42:18 AM
to rabbitmq-users

Hi,

We’re creating a POC using RESTful services, RabbitMq, MassTransit, and a few other underlying applications.

We’ve got a need to create these connections over SSL, and followed the instructions here – http://www.rabbitmq.com/ssl.html

This is all well and good, however, there is a new need to do this with certs created by Windows, rather than OpenSSL.

We’ve created certs, but they are not in a chain the way described in the above link. We cannot get this to work other than using OpenSSL. We have a global trusted Root CA, then a client and server cert, exported the client one to a PFX, but still a no go.

Do you have any documentation, or is there anyone who can provide assistance, on how to accomplish this? I can’t seem to find anything online to help.

Michael Klishin

Feb 15, 2017, 9:52:44 AM
to rabbitm...@googlegroups.com
RabbitMQ uses certificates and keys in the PEM format. You can produce them using any
tool as long as the result is correct PEM.

You can also convert PFX to PEM using a variety of tools:

http://help.globalscape.com/help/archive/eft6-2/mergedprojects/eft/exporting_a_certificate_from_pfx_to_pem.htm
https://www.sslshopper.com/ssl-converter.html
OpenSSL is available for Windows or you can use a VM or msys2. Once you have the certificate/key pairs
you can uninstall OpenSSL, get rid of the VM, etc.


--
You received this message because you are subscribed to the Google Groups "rabbitmq-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to rabbitmq-users+unsubscribe@googlegroups.com.
To post to this group, send email to rabbitmq-users@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.



--
MK

Staff Software Engineer, Pivotal/RabbitMQ

Michael Klishin

Feb 15, 2017, 9:54:10 AM
to rabbitm...@googlegroups.com
The only tricky thing I can think of is that certificate Common Name (CN) is often checked against
the server hostname, so when a VM is used to generate them, you need to make sure that CN has the
value your deployment machine uses, otherwise with most clients peer verification will fail by default.


Rory Thompson

Feb 15, 2017, 10:36:39 AM
to rabbitmq-users
Thanks - yeah - we did it on Windows using OpenSSL just fine; the client is making a requirement that we cannot use OpenSSL though. I'm going to try out the PEM stuff. Weird that I can't use PFX - the RabbitMq documentation, and what we did using OpenSSL, generated P12 files, which are basically the same as a PFX.

Will respond shortly with results. Thanks again.



Michael Klishin

Feb 15, 2017, 10:59:27 AM
to rabbitm...@googlegroups.com
P12 files are used by RabbitMQ .NET client, not RabbitMQ server.

FWIW PEM is the de-facto standard for certificates outside of the Microsoft ecosystem.


Michael Klishin

Feb 15, 2017, 11:00:30 AM
to rabbitm...@googlegroups.com
Minor correction: both Java and .NET certificate stores use P12 in our docs.

Rory Thompson

Feb 22, 2017, 1:23:54 PM
to rabbitmq-users
Thanks - We got the certs generated via IIS and converted to the appropriate pem files for the server, and all connections go well through the RabbitMq Console. 

However, when using the client.pfx file (that the client certs were extracted from when making a successful connection through openssl s_client), it says there is a problem with the certificate. Wouldn't I get that error when connecting through s_client? Do you know what might be the cause of this random error?

Michael Klishin

Feb 22, 2017, 1:26:11 PM
to rabbitm...@googlegroups.com
Hi Rory,

May I ask you to post the entire error? Sorry but "that error" and "this random error"
is not something team RabbitMQ or members of this list can reason about.

Thanks.


Michael Klishin

Feb 22, 2017, 1:26:47 PM
to rabbitm...@googlegroups.com
…as well as server logs because TLS-related errors can originate on either server or client.

Rory Thompson

Feb 22, 2017, 1:37:39 PM
to rabbitmq-users
When trying to instantiate our client application, it throws the below error and cannot connect to the broker.

Error:

Service cannot be started. MassTransit.RabbitMqTransport.RabbitMqConnectionException: Connect failed: admin@mitvs-atm01:5671/ ---> RabbitMQ.Client.Exceptions.BrokerUnreachableException: None of the specified endpoints were reachable ---> System.Security.Authentication.AuthenticationException: The remote certificate is invalid according to the validation procedure.
   at RabbitMQ.Client.EndpointResolverExtensions.SelectOne[T](IEndpointResolver resolver, Func`2 selector)
   at RabbitMQ.Client.ConnectionFactory.CreateConnection(IEndpointResolver endpointResolver, String clientProvidedName)
   --- End of inner exception stack trace ---
   at RabbitMQ.Client.ConnectionFactory.CreateConnection(IEndpointResolver endpointResolver, String clientProvidedName)
   at RabbitMQ.Client.ConnectionFactory.CreateConnection(IList`1 hostnames, String clientProvidedName)
   at MassTransit.RabbitMqTransport.Integration.RabbitMqConnectionCache.SendUsingNewConnection(IPipe`1 connectionPipe, ConnectionScope scope, CancellationToken cancellationToken)
...

When trying to connect to the broker via RabbitMq Console, using OpenSSL, it connects properly using the cert/key pair extracted from the PFX.

=INFO REPORT==== 22-Feb-2017::11:02:43 ===
accepting AMQP connection <0.2288.0> (10.166.251.76:61625 -> 10.166.251.76:5671)

=INFO REPORT==== 22-Feb-2017::11:26:41 ===
accepting AMQP connection <0.14113.0> (10.166.251.76:61677 -> 10.166.251.76:5671)


When using the certificates generated from OpenSSL, we do not see the above error.

Michael Klishin

Feb 22, 2017, 1:52:09 PM
to rabbitm...@googlegroups.com, Rory Thompson
> System.Security.Authentication.AuthenticationException: The remote certificate is invalid according to the validation procedure.

means that peer verification *on the client end* has failed. OpenSSL's `s_client` performs no or very basic verification,
and .NET apps can provide a function that applies any logic. The most common verification type is
matching the certificate's CN against the server's hostname, but it really can be anything.

This is mentioned in RabbitMQ's TLS guide, see "TLS Peer verification: Who do you say you are?"
on http://www.rabbitmq.com/ssl.html

Rory Thompson

Feb 22, 2017, 2:44:48 PM
to rabbitmq-users
Ah, the Root CA did not have the same CN as the underlying certs. Was able to create a new CA with the correct CN and it worked.

FWIW, was also able to simply add the line: s.AllowPolicyErrors(System.Net.Security.SslPolicyErrors.RemoteCertificateNameMismatch);

And that resolved the problem with the other CA, should we use it.

Thanks, Michael.

Michael Klishin

Feb 22, 2017, 2:50:08 PM
to rabbitm...@googlegroups.com, Rory Thompson
On 22 February 2017 at 22:44:52, Rory Thompson (rage...@gmail.com) wrote:
> FWIW, was also able to simply add the line: s.AllowPolicyErrors(System.Net.Security.SslPolicyErrors.RemoteCertificateNameMismatch);
>
> And that resolved the problem with the other CA, should we use
> it.

Ignoring errors carries the risk of exposing your system to MITM attacks (unless you implement
your own verification logic that's not based on CN/hostname matching, of course).
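Both the failure Michael explains above (client-side peer verification comparing the server certificate's CN against the dialled hostname) and the AllowPolicyErrors workaround he warns about can be shown with the RabbitMQ .NET client's SslOption, which MassTransit configures underneath. The example below is added here and is not code from the thread, RabbitMQ or MassTransit; BrokerTls and its methods are hypothetical names, and the hostname and PFX path are assumed to be whatever the deployment uses.

```csharp
using System;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;
using RabbitMQ.Client;

// Hypothetical helper written for this thread; not RabbitMQ or MassTransit code.
// The host passed in must be the name the client actually dials, because the
// default .NET validation compares it against the server certificate's CN / SAN.
public static class BrokerTls
{
    // Weak form (what the thread ends up with): the name-mismatch error is
    // suppressed, so a certificate the trusted CA issued for *any* host is accepted.
    public static ConnectionFactory WeakFactory(string host) => new ConnectionFactory
    {
        HostName = host, Port = 5671,
        Ssl = new SslOption
        {
            Enabled = true, ServerName = host,
            AcceptablePolicyErrors = SslPolicyErrors.RemoteCertificateNameMismatch,
        },
    };

    // Hardened form: keep full validation and fix the certificate instead, so that
    // ServerName equals the CN or a SAN entry of the cert the broker presents.
    // The client PFX/P12 is only needed when the broker verifies clients as well.
    public static ConnectionFactory HardenedFactory(string host, string clientPfx, string pfxPassword) =>
        new ConnectionFactory
        {
            HostName = host, Port = 5671,
            Ssl = new SslOption
            {
                Enabled = true, ServerName = host,
                CertPath = clientPfx, CertPassphrase = pfxPassword,
                AcceptablePolicyErrors = SslPolicyErrors.None,
                CertificateValidationCallback = LogAndReject,
            },
        };

    // Diagnostics only: report *which* SslPolicyErrors flag fired (name mismatch,
    // chain error, no certificate) instead of the opaque "invalid according to the
    // validation procedure" message, then reject exactly as the default would.
    private static bool LogAndReject(object sender, X509Certificate cert, X509Chain chain, SslPolicyErrors errors)
    {
        if (errors == SslPolicyErrors.None) return true;
        Console.Error.WriteLine($"TLS peer verification failed: {errors}; subject={cert?.Subject}");
        foreach (var st in chain?.ChainStatus ?? Array.Empty<X509ChainStatus>())
            Console.Error.WriteLine($"  chain status: {st.Status} {st.StatusInformation}");
        return false;
    }
}
```

With the hardened factory a mismatch still fails the connection, but the logged flag tells you whether to fix the CN/SAN, the CA chain, or a missing client certificate.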