rabbitmq TLS with intermediate certificates (chained certificates)


Marcel Zoll

Sep 23, 2019, 8:29:13 AM
to rabbitmq-users
Hi,

I am pretty much struggling to set up RabbitMQ with server- as well as client-side authentication. After some trying, my problem seems to stem from the fact that I have intermediate certificates in use. I just cannot figure out a configuration that works. Any help is appreciated:

Here my setup:

Certificates: Server: Root (self-signed) -> Intermediate -> Server-cert; Client: Root (self-signed) -> Intermediate -> Client_cert

I appended the CA chain to the server-cert and client-cert, respectively, so that the file looks something like this (for the client, in PEM format):
```
-----BEGIN CERTIFICATE-----
  (client-cert)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
  (intermediate-cert)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
  (root-cert)
-----END CERTIFICATE-----
```

So I end up with the following files:
ca_cert.pem (rootca)
ca_chained.pem (interm > rootca)
server_cert_chained.pem (server > interm > rootca)
server_key.pem
client_cert_chained.pem (client > interm > rootca)
client_key.pem

Distributing the files to RabbitMQ, I now use the following configuration:
```
listeners.ssl.default = 5671

#auth_mechanisms.1 = EXTERNAL
auth_mechanisms.1 = PLAIN
ssl_options.cacertfile = ca_cert.pem
ssl_options.certfile   = server_cert_chained.pem
ssl_options.keyfile    = server_key.pem

ssl_options.versions.1 = tlsv1.2
ssl_options.versions.2 = tlsv1.1
ssl_options.versions.3 = tlsv1

ssl_options.verify     = verify_peer
#ssl_cert_login_from    = common_name
ssl_options.depth  = 3
ssl_options.fail_if_no_peer_cert = true
```

Now I start the server and try to connect with a simple openssl client:
```
openssl s_client -connect localhost:5671 -cert client_cert_chained.pem -key client_key.pem -CAfile ca_cert.pem -verify 6
```

I get output similar to this:
```
....
Certificate chain
 0 s: CN = [server_name]
   i: CN = [XXX Intermediate CA]
---
Server certificate
-----BEGIN CERTIFICATE-----
  (server_cert)
-----END CERTIFICATE
....
```

This tells me that RabbitMQ did not send any intermediate certificates with its SSL auth package. Therefore, the client is unable to establish a chain of trust up to its root CAs.

If I set up a simple openssl server like this:
```
openssl s_server -accept 8443 -cert server_cert.pem -key server_key.pem -CAfile ca_cert.pem -cert ca_chained.pem
```
and test against a simple openssl s_client connection, the intermediates are delivered, as expected, along with the server cert:
```
....
Certificate chain
 0 s: CN = [server_name]
   i: CN = [XXX Intermediate CA]
 1 s CN = [XXX Intermediate CA]
   i: CN = [XXX ROOT CA]: 
 2 s CN = [XXX ROOT CA]
   i: CN = [XXX ROOT CA]
---
```

So, how can I get RabbitMQ to deliver its intermediate certificates so that I can establish the chain of trust up to my root CAs?
[Reading the docs, I thought that chaining the intermediate and root certs to the server cert would actually do the trick, but it obviously does not!
As the setup currently works, I can only verify certs against a depth of 1 (no intermediates), which is certainly restricting my use cases and deployment possibilities.
]

Thanks
Marcel



Luke Bakken

Sep 23, 2019, 10:58:13 AM
to rabbitmq-users
Hi Marcel,

Include the full signing chain in the cacertfile file (ca_cert.pem). You do not need this full chain in server_cert_chained.pem.

Erlang's TLS implementation differs in this manner from openssl.

Thanks,
Luke
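A quick way to confirm what the broker actually sends once the chain is in `cacertfile`, as an added example that is not code from the thread or from RabbitMQ: it parses the `Certificate chain` section of `openssl s_client` output (the format quoted above) and reports whether anything beyond the leaf certificate was delivered. `probe` assumes `openssl` is on the PATH; the two sample outputs are constructed from the thread.

```python
import re
import subprocess

SUBJECT_LINE = re.compile(r"^\s*(\d+)\s+s:?\s*(.*)$")  # " 0 s: CN = ..."
ISSUER_LINE = re.compile(r"^\s*i:\s*(.*?):?\s*$")      # "   i: CN = ..."

# Constructed samples mirroring the two outputs quoted in the thread.
LEAF_ONLY = """Certificate chain
 0 s: CN = [server_name]
   i: CN = [XXX Intermediate CA]
---
"""
FULL_CHAIN = """Certificate chain
 0 s: CN = [server_name]
   i: CN = [XXX Intermediate CA]
 1 s CN = [XXX Intermediate CA]
   i: CN = [XXX ROOT CA]:
 2 s CN = [XXX ROOT CA]
   i: CN = [XXX ROOT CA]
---
"""

def parse_chain(s_client_output):
    """Return [(subject, issuer), ...] in the order the server sent them."""
    chain, subject = [], None
    lines = s_client_output.splitlines()
    start = lines.index("Certificate chain") + 1 if "Certificate chain" in lines else len(lines)
    for line in lines[start:]:
        if line.strip() == "---":  # end of the chain section (PEM lines with -showcerts are skipped)
            break
        m = SUBJECT_LINE.match(line)
        if m:
            subject = m.group(2).strip()
            continue
        m = ISSUER_LINE.match(line)
        if m and subject is not None:
            chain.append((subject, m.group(1).strip()))
            subject = None
    return chain

def intermediates_delivered(chain):
    """True if more than the leaf was sent and each issuer is the next subject."""
    if len(chain) < 2:
        return False
    return all(iss == nxt for (_, iss), (nxt, _) in zip(chain, chain[1:]))

def probe(host_port, cafile):
    """Run openssl s_client (assumed on PATH) and parse the chain it prints."""
    out = subprocess.run(["openssl", "s_client", "-connect", host_port, "-CAfile",
                          cafile], input="", capture_output=True, text=True, check=False)
    return parse_chain(out.stdout)
```

Running `intermediates_delivered(probe("localhost:5671", "ca_cert.pem"))` against the broker should flip from False to True after the signing chain is added to `ca_cert.pem`.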

Marcel Zoll

Sep 23, 2019, 11:45:34 AM
to rabbitmq-users
Thanks for the answer Luke,

I am a bit confused then about what the 'ssl_options.cacertfile' option really should be. I thought this file should contain the stacked root CA certificates, i.e. all trusted certificates. Implicitly, I guess, the chained certs from my common intermediates up to the root are also trusted. It still seems a bit fishy to me that this file then fulfills this double purpose, as root CA stash and cert-chain stash for all my own intermediates.

On a quick check with openssh (see above), it appears to work, however. I will spin up the full test of all components, including server and client auth etc., tomorrow.

Thanks for the prompt answer again.
Marcel