getting "javax.net.ssl.SSLKeyException: Invalid signature on ECDH server key exchange message"


sajja...@hotmail.com
Oct 1, 2018, 2:04:31 PM
to rabbitmq-users
We have been getting "javax.net.ssl.SSLKeyException: Invalid signature on ECDH server key exchange message" since we changed the configuration file from Erlang to sysctl format (rabbitmq.config to rabbitmq.conf). The reason we changed the format is that we are not sure how to incorporate rabbit_peer_discovery_consul using Erlang. If I change the configuration file back to Erlang we don't get the SSL error, however the nodes don't register with Consul.

RabbitMQ version: 3.7.4
consul: 0.8.0

Any idea what could be the issue?

current rabbitmq.conf:

##
## Generated by Chef
##

listeners.tcp.default = 5672
listeners.ssl.default = 5671
cluster_partition_handling = autoheal
num_acceptors.tcp = 10
num_acceptors.ssl  = 1
handshake_timeout  = 10000
reverse_dns_lookups = true
loopback_users.guest = true
ssl_options.cacertfile           = /var/lib/rabbitmq/certs/cacert_reverse_withcert.pem
ssl_options.certfile             = /var/lib/rabbitmq/certs/cacert_reverse_withcert.pem
ssl_options.keyfile              = /var/lib/rabbitmq/certs/key.pem
ssl_options.verify               = verify_peer
ssl_options.fail_if_no_peer_cert = false
auth_mechanisms.1 = PLAIN
auth_mechanisms.2 = AMQPLAIN
auth_backends.1 = internal
ssl_cert_login_from = common_name
ssl_handshake_timeout = 5000

default_vhost = /

default_user     =   "adminuser"
default_pass     =  ""
default_permissions.configure = .*
default_permissions.read = .*
default_permissions.write = .*
default_user_tags.administrator = true

heartbeat = 600

frame_max = 131072

## Set the max frame size the server will accept before connection
## tuning occurs
##
initial_frame_max = 4096

channel_max = 128
tcp_listen_options.backlog = 128
tcp_listen_options.nodelay = true

tcp_listen_options.exit_on_close = false

vm_memory_high_watermark.relative = 0.4

## DO NOT SET rotation date to ''. Leave the value unset if "" is the desired value
# log.file.rotation.date = $D0
# log.file.rotation.size = 0

## Logging to console (can be true or false)
##
# log.console = false

## Log level for console logging
##
# log.console.level = info

## Logging to the amq.rabbitmq.log exchange (can be true or false)
##
log.exchange = false

## Log level to use when logging to the amq.rabbitmq.log exchange
##
# log.exchange.level = debug

cluster_partition_handling = ignore
mirroring_sync_batch_size = 4096
cluster_keepalive_interval =  10000
collect_statistics =  none
collect_statistics_interval =  5000
hipe_compile =  false
mnesia_table_loading_retry_timeout = 30000
queue_index_embed_msgs_below = 4096

cluster_formation.peer_discovery_backend = rabbit_peer_discovery_consul

cluster_formation.consul.host = localhost
cluster_formation.consul.acl_token =
#cluster_name = "MIDCHEF13-7"
cluster_formation.consul.svc = RabbitMQ-MIDCHEF13-7-ssb-z3-dev-MIDENG-BDC
cluster_formation.consul.cluster_name = RabbitMQ 3.7.4

Luke Bakken
Oct 1, 2018, 2:41:25 PM
to rabbitmq-users
Hello,

You can use a combination of Erlang term format and sysctl-style format if you create the following two files:

/etc/rabbitmq/rabbitmq.conf
/etc/rabbitmq/advanced.config

The former is the sysctl-style file, and the latter is Erlang term format.

As long as the sections don't overlap in the two files, you will be fine.

I recommend comparing the generated file from your current rabbitmq.conf configuration with your old rabbitmq.config to see what's different. If you'd like, post the files in a response because I would be curious to see what is different, if anything.

The generated configuration file will be /var/lib/rabbitmq/config/generated/rabbitmq.config

Thanks,
Luke

sajja...@hotmail.com
Oct 1, 2018, 3:02:59 PM
to rabbitmq-users
Luke, thanks for looking. The generated config and the old rabbitmq.config files are:

[root@vcld010214 ~]# vi /var/lib/rabbitmq/config/generated/rabbitmq.config

[{rabbitmq_management,
     [{rates_mode,basic},
      {listener,
          [{ssl_opts,
               [{keyfile,"/var/lib/rabbitmq/certs/key.pem"},
                {certfile,"/var/lib/rabbitmq/certs/cert.pem"},
                {cacertfile,
                    "/var/lib/rabbitmq/certs/cacert_reverse_withcert.pem"}]},
           {ssl,true},
           {ip,"0.0.0.0"},
           {port,15672}]},
      {http_log_dir,"/var/log/rabbitmq/httpd.log"},
      {sample_retention_policies,
          [{global,[{86400,1200},{3600,60},{60,5}]},
           {basic,[{3600,60},{60,5}]},
           {detailed,[{10,5}]}]}]},
 {rabbitmq_amqp1_0,[{protocol_strict_mode,false},{default_user,none}]},
 {kernel,[{net_ticktime,60}]},
 {rabbit,
     [{log,
          [{file,[{level,debug},{file,"rabbit.log"}]},
           {exchange,[{enabled,false}]}]},
      {queue_index_embed_msgs_below,4096},
      {mnesia_table_loading_retry_timeout,30000},
      {hipe_compile,false},
      {collect_statistics_interval,5000},
      {collect_statistics,none},
      {cluster_keepalive_interval,10000},
      {mirroring_sync_batch_size,4096},
      {memory_monitor_interval,2500},
      {vm_memory_high_watermark_paging_ratio,0.5},
      {tcp_listen_options,
          [{exit_on_close,false},{nodelay,true},{backlog,128}]},
      {channel_max,128},
      {initial_frame_max,4096},
      {frame_max,131072},
      {heartbeat,600},
      {ssl_handshake_timeout,5000},
      {ssl_cert_login_from,common_name},
      {ssl_options,
          [{keyfile,"/var/lib/rabbitmq/certs/key.pem"},
           {certfile,"/var/lib/rabbitmq/certs/cacert_reverse_withcert.pem"},
           {cacertfile,"/var/lib/rabbitmq/certs/cacert_reverse_withcert.pem"},
           {fail_if_no_peer_cert,false},
           {verify,verify_peer}]},
      {reverse_dns_lookups,true},
      {handshake_timeout,10000},
      {num_tcp_acceptors,10},
      {num_ssl_acceptors,1},
      {tcp_listeners,[5672]},
      {ssl_listeners,[5671]},
      {loopback_users,[<<"guest">>]},
      {auth_mechanisms,['AMQPLAIN','PLAIN']},
      {auth_backends,[rabbit_auth_backend_internal]},
      {default_vhost,<<"/">>},
      {default_user,<<"\"adminuser\"">>},
      {default_pass,<<"\" \"">>},
      {default_permissions,[<<".*">>,<<".*">>,<<".*">>]},
      {default_user_tags,[administrator]},
      {vm_memory_high_watermark,0.4},
      {disk_free_limit,50000000},
      {cluster_partition_handling,ignore},
      {cluster_formation,
          [{peer_discovery_backend,rabbit_peer_discovery_consul},
           {peer_discovery_consul,
               [{consul_host,"localhost"},
                {consul_acl_token,"7ee32c70-d412-de5b-fa53-f55e9a43908c"},
                {cluster_name,"RabbitMQ 3.7.4"},
                {consul_svc,
                    "RabbitMQ-MIDCHEF13-7-ssb-z3-dev-MIDENG-BDC"}]}]}]},
 {lager,[{log_root,"/var/log/rabbitmq"}]}].

[root@vclp012151 ~]# cat /etc/rabbitmq/rabbitmq.config

%%%
%% Generated by Chef
%%%

[
  {rabbit, [
   {tcp_listeners, [{"localhost", 5672}]},
   {ssl_listeners, [5671]},
   {cluster_partition_handling, autoheal},
   {num_tcp_acceptors, 10},
   {num_ssl_acceptors, 1},
   {handshake_timeout, 10000},
   {reverse_dns_lookups, true},
   {loopback_users, [<<"guest">>]},
   {ssl_options, [
                  {cacertfile,           "/var/lib/rabbitmq/certs/cacert_reverse_withcert.pem"},
                  {certfile,             "/var/lib/rabbitmq/certs/cert.pem"},
                  {keyfile,              "/var/lib/rabbitmq/certs/key.pem"},
                  {verify,               verify_none},
                  {fail_if_no_peer_cert, false}]},
   {auth_mechanisms, ['PLAIN', 'AMQPLAIN']},
   {auth_backends, [rabbit_auth_backend_internal]},
   {ssl_cert_login_from, common_name},
   {ssl_handshake_timeout, 5000},
   {password_hashing_module, rabbit_password_hashing_sha256},
   {default_vhost,       <<"/">>},
   {default_user,        <<"adminuser">>},
   {default_pass,        <<" ">>},
   {default_permissions, [<<".*">>, <<".*">>, <<".*">>]},
   {default_user_tags, [administrator]},
   {heartbeat, 600},
   {frame_max, 131072},
   {initial_frame_max, 4096},
   {channel_max, 128},
   {tcp_listen_options, [{backlog,       128},
                         {nodelay,       true},
                         {exit_on_close, false}]},
   {vm_memory_high_watermark,  0.4},
   {vm_memory_high_watermark_paging_ratio, 0.5},
   {memory_monitor_interval, 2500},
   {disk_free_limit, 50000000},
   {cluster_partition_handling, ignore},
   {mirroring_sync_batch_size, 4096},
   {cluster_keepalive_interval, 10000},
   {collect_statistics, none},
   {collect_statistics_interval, 5000},
   {hipe_compile, false},
   {mnesia_table_loading_timeout, 30000},
   {queue_index_embed_msgs_below, 4096}
  ]},

  {kernel,[
    {net_ticktime, 60}
  ]},

  {rabbitmq_management,[
    {http_log_dir, "/var/log/rabbitmq/httpd.log"},
    {listener, [
            {port,     15672},
            {ip,       "0.0.0.0"},
            {ssl,      true},
            {ssl_opts, [
              {cacertfile, "/var/lib/rabbitmq/certs/cacert_reverse_withcert.pem"},
              {certfile,   "/var/lib/rabbitmq/certs/cert.pem"},
              {keyfile,    "/var/lib/rabbitmq/certs/key.pem"}
            ]}
        ]},
    {rates_mode, basic},
    {sample_retention_policies,[
      {global,   [{60, 5}, {3600, 60}, {86400, 1200}]},
      {basic,    [{60, 5}, {3600, 60}]},
      {detailed, [{10, 5}]}]}
  ]},

  {rabbitmq_amqp1_0, [
    {default_user, "none"},
    {protocol_strict_mode, false}
  ]},
  {lager, [
    {log_root, "/var/log/rabbitmq"},
    {handlers, [{lager_file_backend, [{file, "rabbit.log"},{level, info},{date, ""},{size, 0}]}]},
    {rabbit_log_lager_event,[{handlers, [{lager_forwarder_backend,[lager_event, info]}]}]},
    {rabbit_channel_lager_event,[{handlers, [{lager_forwarder_backend,[lager_event, info]}]}]},
    {rabbit_conection_lager_event,[{handlers, [{lager_forwarder_backend,[lager_event, info]}]}]},
    {rabbit_mirroring_lager_event,[{handlers, [{lager_forwarder_backend,[lager_event, info]}]}]}
  ]},
  {rabbitmq_tracing, [
    {directory, "/var/log/rabbitmq"},
    {username,  "adminuser"},
    {password,  " "}
  ]},
  {autocluster,
    [
      {backend, consul},
      {consul_host, "localhost"},
      {consul_port, 8500},
      {consul_acl_token, "b2f22c10-3beb-4b82-00a4-329ab6e3717b"},
      {consul_svc, "RabbitMQ-MIDCHEF13-7-ssb-z3-dev-MIDENG-BDC"},
      {cluster_name, "RabbitMQ-MIDCHEF13-7"},
      {autocluster_log_level, debug}
    ]
  }
].
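Luke's suggestion above is to diff the generated rabbitmq.config against the old one. The two files in this thread make several conversion pitfalls visible: ssl_options.certfile now points at the same file as ssl_options.cacertfile where the old file used cert.pem, a quoted value such as "adminuser" keeps its quotes (the generated file shows <<"\"adminuser\"">>), cluster_partition_handling is set twice and the generated file shows that the last value wins, and cluster_formation.consul.acl_token is left empty. The certfile point matters for the error in the subject line: a TLS client checks the server's key-exchange signature against the public key in the certificate the server presents, so a certfile that is not the certificate paired with keyfile is one way a client ends up rejecting that signature. The following Python script is an added example, not the poster's code or anything from the RabbitMQ project: it lints a sysctl-style rabbitmq.conf for exactly those pitfalls. The embedded sample configuration is constructed from the values in this thread, and the function names (`parse_conf`, `check_settings`, `lint`) are my own.

```python
"""Lint a sysctl-style rabbitmq.conf for the pitfalls visible in this thread.

Added example; not part of the RabbitMQ project. Uses only the standard library.
"""
import re
from collections import OrderedDict

# Constructed sample modelled on the rabbitmq.conf posted above (not the poster's file verbatim).
SAMPLE_CONF = """\
## Generated by Chef
listeners.ssl.default = 5671
cluster_partition_handling = autoheal
ssl_options.cacertfile = /var/lib/rabbitmq/certs/cacert_reverse_withcert.pem
ssl_options.certfile   = /var/lib/rabbitmq/certs/cacert_reverse_withcert.pem
ssl_options.keyfile    = /var/lib/rabbitmq/certs/key.pem
ssl_options.verify     = verify_peer
default_user     =   "adminuser"
default_pass     =  ""
cluster_partition_handling = ignore
cluster_formation.consul.acl_token =
this line has no equals sign
"""

# key = value, with any amount of whitespace around the '='; value may be empty.
KEY_VALUE = re.compile(r"^([A-Za-z0-9_.]+)\s*=\s*(.*?)\s*$")


def parse_conf(text):
    """Parse sysctl-style lines into (settings, findings).

    A key that appears twice keeps its LAST value, which matches what the
    generated rabbitmq.config in this thread shows: cluster_partition_handling
    ends up as `ignore`, not `autoheal`. Each finding is (severity, where, message).
    """
    settings = OrderedDict()
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or comment
        m = KEY_VALUE.match(line)
        if not m:
            findings.append(("error", lineno, "not a key = value line: %r" % line))
            continue
        key, value = m.group(1), m.group(2)
        if key in settings:
            findings.append(("warning", lineno,
                             "%s set again; earlier value %r is overridden by %r"
                             % (key, settings[key], value)))
        settings[key] = value
    return settings, findings


def check_settings(settings):
    """Semantic checks for the mistakes the two configurations in this thread show."""
    findings = []
    for key, value in settings.items():
        if value == "":
            findings.append(("warning", key, "empty value"))
        elif len(value) >= 2 and value[0] == value[-1] == '"':
            # The quotes are not stripped by the converter: the generated config
            # shows default_user becoming <<"\"adminuser\"">>.
            findings.append(("warning", key,
                             "value is wrapped in double quotes; the quotes become part of the value"))
    cert = settings.get("ssl_options.certfile")
    cacert = settings.get("ssl_options.cacertfile")
    if cert and cert == cacert:
        # certfile must be the server's own certificate, the one paired with
        # ssl_options.keyfile; clients verify the key-exchange signature against it.
        findings.append(("error", "ssl_options.certfile",
                         "same file as ssl_options.cacertfile; it should be the server "
                         "certificate that matches ssl_options.keyfile"))
    return findings


def lint(text):
    """Parse and check a rabbitmq.conf; returns (settings, findings)."""
    settings, findings = parse_conf(text)
    return settings, findings + check_settings(settings)


if __name__ == "__main__":
    _, problems = lint(SAMPLE_CONF)
    for severity, where, message in problems:
        print("%s: %s: %s" % (severity.upper(), where, message))
```

Run it against the real file with `lint(open("/etc/rabbitmq/rabbitmq.conf").read())`; the line-number findings point at the offending lines, and the `ssl_options.certfile` error is the one to clear before re-testing the TLS listener.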
