Connection reset by peer when using TLS connections and X.509 certificate authentication with private certs


Hannu Shemeikka

Jan 10, 2020, 7:09:44 AM
to rabbitmq-users
Hi,

I'm having trouble setting up TLS connections and X.509 certificate authentication with Rabbitmq.
I have set up a private PKI using CFSSL and generated a few certs with it.

General information:

Rabbitmq version 3.8.2 (using official Docker image)
Erlang version 22.2

I have enabled the rabbitmq_auth_mechanism_ssl plugin.

Story:

The Rabbitmq log shows that the TLS listener is active on port 5671, but it doesn't show any connection
attempts when I run any of my test scripts. Nothing gets printed to the log about the failed connection attempt.

Running openssl s_server and openssl s_client with my generated certs will connect just fine, so certs should be in order.

Running simple python server and client scripts with peer verification with my generated certs also work just fine.

I have tried using openssl s_client and simple python script against rabbitmq instance but they fail. Also my Pika client fails.

I have run all my scripts and openssl commands inside the rabbitmq container so there shouldn't be any networking issues.

By the way, the stunnel example on the "troubleshooting ssl" page doesn't work. I have otherwise followed the guide
but I must be missing something since I just can't get this to work.

Below are commands, outputs, and configurations I have made.

Best regards,

Hannu Shemeikka


Running command

   
    # openssl s_client -connect localhost:5671 -cert /etc/ssl/rabbitmq/server.rabbitmq.pem -key /etc/ssl/rabbitmq/server.rabbitmq-key.pem -CAfile /etc/ssl/rabbitmq/knl-backend-chain-ca.pem


Outputs

    CONNECTED(00000003)
    write:errno=104
    ---
    no peer certificate available
    ---
    No client certificate CA names sent
    ---
    SSL handshake has read 0 bytes and written 293 bytes
    Verification: OK
    ---
    New, (NONE), Cipher is (NONE)
    Secure Renegotiation IS NOT supported
    Compression: NONE
    Expansion: NONE
    No ALPN negotiated
    Early data was not sent
    Verify return code: 0 (ok)
    ---


Running python script

    import socket
    import ssl
    import pprint

    def main():
        print "starting"
        ca_cert = "./knl-backend-chain-ca.pem"
        cert_file = "./backend.admin.pem"
        key_file = "./backend.admin-key.pem"

        # Verify the broker against the private CA and present the client cert
        ssl_context = ssl.create_default_context(
            purpose=ssl.Purpose.SERVER_AUTH,
            cafile=ca_cert
        )
        ssl_context.load_cert_chain(cert_file, key_file)
        ssl_context.check_hostname = False
        ssl_context.verify_mode = ssl.CERT_REQUIRED
        print "certs loaded"

        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        ssl_sock = ssl_context.wrap_socket(s)
        ssl_sock.connect(('localhost', 5670))
        print "success"

    if __name__ == "__main__":
        main()


Outputs

    starting
    certs loaded
    Traceback (most recent call last):
      File "client.py", line 35, in <module>
        main()
      File "client.py", line 25, in main
        ssl_sock.connect(('localhost', 5670))
      File "/usr/lib/python2.7/ssl.py", line 882, in connect
        self._real_connect(addr, False)
      File "/usr/lib/python2.7/ssl.py", line 869, in _real_connect
        socket.connect(self, addr)
      File "/usr/lib/python2.7/socket.py", line 228, in meth
        return getattr(self._sock,name)(*args)
    socket.error: [Errno 111] Connection refused



Rabbitmq uses the following certificate

    # openssl x509 -in server.rabbitmq.pem -text -noout
    Certificate:
        Data:
            Version: 3 (0x2)
            Serial Number:
                <omitted>
            Signature Algorithm: sha256WithRSAEncryption
            Issuer: <omitted>
            Validity
                Not Before: Jan  9 08:11:00 2020 GMT
                Not After : Jan  8 08:11:00 2021 GMT
            Subject: <omitted>, CN = server.rabbitmq
            Subject Public Key Info:
                Public Key Algorithm: rsaEncryption
                    RSA Public-Key: (2048 bit)
                    Modulus:
                        <omitted>
                    Exponent: 65537 (0x10001)
            X509v3 extensions:
                X509v3 Key Usage: critical
                    Digital Signature, Key Encipherment
                X509v3 Extended Key Usage:
                    TLS Web Server Authentication, TLS Web Client Authentication
                X509v3 Basic Constraints: critical
                    CA:FALSE
                X509v3 Subject Key Identifier:
                    <omitted>
                X509v3 Authority Key Identifier:
                    <omitted>
                X509v3 Subject Alternative Name:
                    DNS:
        Signature Algorithm: sha256WithRSAEncryption
            <omitted>



Rabbitmq ciphers

    # rabbitmq-diagnostics cipher_suites --format openssl --silent
    ECDHE-ECDSA-AES256-GCM-SHA384
    ECDHE-RSA-AES256-GCM-SHA384
    ECDHE-ECDSA-AES256-SHA384
    ECDHE-RSA-AES256-SHA384
    ECDH-ECDSA-AES256-GCM-SHA384
    ECDH-RSA-AES256-GCM-SHA384
    ECDH-ECDSA-AES256-CBC-SHA384
    ECDH-RSA-AES256-CBC-SHA384
    DHE-RSA-AES256-GCM-SHA384
    DHE-DSS-AES256-GCM-SHA384
    DHE-RSA-AES256-SHA256
    DHE-DSS-AES256-CBC-SHA256
    ECDHE-ECDSA-AES128-GCM-SHA256
    ECDHE-RSA-AES128-GCM-SHA256
    ECDHE-ECDSA-AES128-SHA256
    ECDHE-RSA-AES128-SHA256
    ECDH-ECDSA-AES128-GCM-SHA256
    ECDH-RSA-AES128-GCM-SHA256
    ECDH-ECDSA-AES128-CBC-SHA256
    ECDH-RSA-AES128-CBC-SHA256
    DHE-RSA-AES128-GCM-SHA256
    DHE-DSS-AES128-GCM-SHA256
    DHE-RSA-AES128-SHA256
    DHE-DSS-AES128-CBC-SHA256
    ECDHE-ECDSA-AES256-SHA
    ECDHE-RSA-AES256-SHA
    DHE-RSA-AES256-SHA
    DHE-DSS-AES256-CBC-SHA
    ECDH-ECDSA-AES256-CBC-SHA
    ECDH-RSA-AES256-CBC-SHA
    ECDHE-ECDSA-AES128-SHA
    ECDHE-RSA-AES128-SHA
    DHE-RSA-AES128-SHA
    DHE-DSS-AES128-CBC-SHA
    ECDH-ECDSA-AES128-CBC-SHA
    ECDH-RSA-AES128-CBC-SHA



Openssl ciphers

    # openssl ciphers
    TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES256-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:RSA-PSK-AES256-GCM-SHA384:DHE-PSK-AES256-GCM-SHA384:RSA-PSK-CHACHA20-POLY1305:DHE-PSK-CHACHA20-POLY1305:ECDHE-PSK-CHACHA20-POLY1305:AES256-GCM-SHA384:PSK-AES256-GCM-SHA384:PSK-CHACHA20-POLY1305:RSA-PSK-AES128-GCM-SHA256:DHE-PSK-AES128-GCM-SHA256:AES128-GCM-SHA256:PSK-AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:ECDHE-PSK-AES256-CBC-SHA384:ECDHE-PSK-AES256-CBC-SHA:SRP-RSA-AES-256-CBC-SHA:SRP-AES-256-CBC-SHA:RSA-PSK-AES256-CBC-SHA384:DHE-PSK-AES256-CBC-SHA384:RSA-PSK-AES256-CBC-SHA:DHE-PSK-AES256-CBC-SHA:AES256-SHA:PSK-AES256-CBC-SHA384:PSK-AES256-CBC-SHA:ECDHE-PSK-AES128-CBC-SHA256:ECDHE-PSK-AES128-CBC-SHA:SRP-RSA-AES-128-CBC-SHA:SRP-AES-128-CBC-SHA:RSA-PSK-AES128-CBC-SHA256:DHE-PSK-AES128-CBC-SHA256:RSA-PSK-AES128-CBC-SHA:DHE-PSK-AES128-CBC-SHA:AES128-SHA:PSK-AES128-CBC-SHA256:PSK-AES128-CBC-SHA



Rabbitmq configuration

    log.console.level = debug
    log.connection.level = debug
    log.upgrade.level = debug
    loopback_users.guest = false
    listeners.tcp.default = 5672
    management.tcp.port = 15672

    listeners.ssl.default = 5671
    ssl_options.cacertfile = /etc/ssl/rabbitmq/ca.pem
    ssl_options.certfile   = /etc/ssl/rabbitmq/cert.pem
    ssl_options.keyfile    = /etc/ssl/rabbitmq/key.pem
    ssl_options.verify     = verify_none
    ssl_options.fail_if_no_peer_cert = false
    ssl_options.versions.1 = tlsv1.3
    ssl_options.versions.2 = tlsv1.2
    ssl_options.versions.3 = tlsv1.1
    ssl_cert_login_from = common_name

    auth_mechanisms.1 = PLAIN
    auth_mechanisms.2 = AMQPLAIN
    auth_mechanisms.3 = EXTERNAL




Successful openssl s_server and s_client connection against each other

    # openssl s_server -accept 5670 -cert /etc/ssl/rabbitmq/server.rabbitmq.pem -key /etc/ssl/rabbitmq/server.rabbitmq-key.pem -CAfile /etc/ssl/rabbitmq/knl-backend-chain-ca.pem
    Using default temp DH parameters
    ACCEPT
    -----BEGIN SSL SESSION PARAMETERS-----
    <omitted>
    -----END SSL SESSION PARAMETERS-----
    Shared ciphers:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES256-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA
    Signature Algorithms: ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:Ed25519:Ed448:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:ECDSA+SHA1:RSA+SHA224:RSA+SHA1:DSA+SHA224:DSA+SHA1:DSA+SHA256:DSA+SHA384:DSA+SHA512
    Shared Signature Algorithms: ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:Ed25519:Ed448:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:ECDSA+SHA1:RSA+SHA224:RSA+SHA1
    Supported Elliptic Groups: X25519:P-256:X448:P-521:P-384
    Shared Elliptic groups: X25519:P-256:X448:P-521:P-384
    CIPHER is TLS_AES_256_GCM_SHA384
    Secure Renegotiation IS supported
    ERROR
    shutting down SSL
    CONNECTION CLOSED

    # openssl s_client -connect localhost:5670 -cert /etc/ssl/rabbitmq/server.rabbitmq.pem -key /etc/ssl/rabbitmq/server.rabbitmq-key.pem -CAfile /etc/ssl/rabbitmq/knl-backend-chain-ca.pem
    CONNECTED(00000003)
    Can't use SSL_get_servername
    depth=2 <omitted>
    verify return:1
    depth=1 <omitted>
    verify return:1
    depth=0 <omitted>, CN = server.rabbitmq
    verify return:1
    ---
    Certificate chain
     0 s:C = FI, L = Oulu, CN = server.rabbitmq
       i:<omitted>
     1 s:<omitted>
       i:<omitted>
     2 s:<omitted>
       i:<omitted>
    ---
    Server certificate
    -----BEGIN CERTIFICATE-----
    <omitted>
    -----END CERTIFICATE-----
    <omitted>, CN = server.rabbitmq
    issuer=<omitted>
    ---
    No client certificate CA names sent
    Peer signing digest: SHA256
    Peer signature type: RSA-PSS
    Server Temp Key: X25519, 253 bits
    ---
    SSL handshake has read 4096 bytes and written 373 bytes
    Verification: OK
    ---
    New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
    Server public key is 2048 bit
    Secure Renegotiation IS NOT supported
    Compression: NONE
    Expansion: NONE
    No ALPN negotiated
    Early data was not sent
    Verify return code: 0 (ok)
    ---
    ---
    Post-Handshake New Session Ticket arrived:
    SSL-Session:
        Protocol  : TLSv1.3
        Cipher    : TLS_AES_256_GCM_SHA384
        Session-ID: AC00AB7DD48ECF7B21D39E8729F82CD3556E4CB9724B29FE5C8282782098AB86
        Session-ID-ctx:
        Resumption PSK: 88922F1E36AA8B90AE9F25A0D9F508D993D4999E773FAA3F6DB392DB4A05FE7464E8F4AD2F2A512A4662A592603B0D89
        PSK identity: None
        PSK identity hint: None
        SRP username: None
        TLS session ticket lifetime hint: 7200 (seconds)
        TLS session ticket:
        <omitted>

        Start Time: 1578656216
        Timeout   : 7200 (sec)
        Verify return code: 0 (ok)
        Extended master secret: no
        Max Early Data: 0
    ---
    read R BLOCK

 

Luke Bakken

Jan 10, 2020, 9:02:31 AM
to rabbitmq-users
Hello,

All the information you have provided suggests that connections to RabbitMQ running inside of Docker are failing, especially the output from your python program:

socket.error: [Errno 111] Connection refused

You should run RabbitMQ outside of Docker to prove this hypothesis. Or, you can do some network troubleshooting:


Thanks,
Luke


Hannu Shemeikka

Jan 13, 2020, 1:32:06 AM
to rabbitmq-users
Hi,

I installed rabbitmq 3.8.2 on my Ubuntu 18.04 and used the same configuration file as posted in my first post. I used my simple python script and pika client and both still fail to make the TLS connection.

Output from the test script

    starting
    certs loaded
    Traceback (most recent call last):
      File "client.py", line 35, in <module>
        main()
      File "client.py", line 25, in main
        ssl_sock.connect(('localhost', 5671))
      File "/usr/lib/python2.7/ssl.py", line 864, in connect
        self._real_connect(addr, False)
      File "/usr/lib/python2.7/ssl.py", line 855, in _real_connect
        self.do_handshake()
      File "/usr/lib/python2.7/ssl.py", line 828, in do_handshake
        self._sslobj.do_handshake()
    socket.error: [Errno 104] Connection reset by peer


This output suggests that the TLS handshake fails for some reason. Again, nothing is logged in Rabbitmq's logs.

Maybe something is wrong with the cert/ciphers?

BR,

Hannu

Philip Kuryloski

Jan 13, 2020, 8:55:57 AM
to rabbitmq-users
Hi,

For a successful connection, I believe the following three conditions must be met:
1. The client presents its certificate
2. The broker accepts the certificate and extracts a username (in the case of your configuration this appears to be the common name)
3. The authenticated user will then be looked up in the configured authentication / authorisation backend(s).

From the output you've shared, it's not clear to me which (if any) of the above are successful. Might I suggest running your openssl command with additional flags (-state & -debug) to see if you can narrow down the issue, as in:
# openssl s_client -connect localhost:5671 -cert /etc/ssl/rabbitmq/server.rabbitmq.pem -key /etc/ssl/rabbitmq/server.rabbitmq-key.pem -CAfile /etc/ssl/rabbitmq/knl-backend-chain-ca.pem -state -debug

See the plugin readme for additional details:

Hannu Shemeikka

Jan 14, 2020, 3:20:16 AM
to rabbitmq-users
Hi,

I ran the command and here's the output:

# openssl s_client -connect localhost:5671 -cert /etc/ssl/rabbitmq/server.rabbitmq.pem -key /etc/ssl/rabbitmq/server.rabbitmq-key.pem -CAfile /etc/ssl/rabbitmq/knl-backend-chain-ca.pem -state -debug
CONNECTED(00000003)
SSL_connect:before SSL initialization
write to 0x563e189eb640 [0x563e189ff6c0] (293 bytes => 293 (0x125))
0000 - 16 03 01 01 20 01 00 01-1c 03 03 8c 7f 5d 8c 2f   .... ........]./
0010 - cc 7a 70 cf 33 2d 8e b5-19 76 7f 09 73 26 f6 1f   .zp.3-...v..s&..
0020 - 97 f6 f4 15 da 1b 04 9b-d3 0c 21 20 f6 50 a1 a3   ..........! .P..
0030 - f0 6f ad bd db c6 af 3c-ca 4a 75 25 69 0d 2e 7f   .o.....<.Ju%i...
0040 - 0d eb 63 ec 3d d9 1a ce-15 94 a3 e8 00 3e 13 02   ..c.=........>..
0050 - 13 03 13 01 c0 2c c0 30-00 9f cc a9 cc a8 cc aa   .....,.0........
0060 - c0 2b c0 2f 00 9e c0 24-c0 28 00 6b c0 23 c0 27   .+./...$.(.k.#.'
0070 - 00 67 c0 0a c0 14 00 39-c0 09 c0 13 00 33 00 9d   .g.....9.....3..
0080 - 00 9c 00 3d 00 3c 00 35-00 2f 00 ff 01 00 00 95   ...=.<.5./......
0090 - 00 0b 00 04 03 00 01 02-00 0a 00 0c 00 0a 00 1d   ................
00a0 - 00 17 00 1e 00 19 00 18-00 23 00 00 00 16 00 00   .........#......
00b0 - 00 17 00 00 00 0d 00 30-00 2e 04 03 05 03 06 03   .......0........
00c0 - 08 07 08 08 08 09 08 0a-08 0b 08 04 08 05 08 06   ................
00d0 - 04 01 05 01 06 01 03 03-02 03 03 01 02 01 03 02   ................
00e0 - 02 02 04 02 05 02 06 02-00 2b 00 09 08 03 04 03   .........+......
00f0 - 03 03 02 03 01 00 2d 00-02 01 01 00 33 00 26 00   ......-.....3.&.
0100 - 24 00 1d 00 20 dd 84 75-7c 8f 87 c1 fd e4 c7 ee   $... ..u|.......
0110 - eb b1 30 dc eb fe ac c8-1e 4f f2 45 bb 27 18 27   ..0......O.E.'.'
0120 - 78 2d 23 c1 6f                                    x-#.o
SSL_connect:SSLv3/TLS write client hello
read from 0x563e189eb640 [0x563e189f64a3] (5 bytes => -1 (0xFFFFFFFFFFFFFFFF))
SSL_connect:error in SSLv3/TLS write client hello
write:errno=104
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 293 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
read from 0x563e189eb640 [0x563e189dffb0] (8192 bytes => 0 (0x0))


So step 1 is ok but rabbitmq can't handle the certificate?

I also tried using certificates generated by the tls-gen software mentioned in the rabbitmq examples but even using those certs, same errors exist.

- Hannu

Philip Kuryloski

Jan 14, 2020, 5:00:09 AM
to rabbitmq-users
Hi,

Step 1 does not appear okay given the output. "SSL handshake has read 0 bytes and written 293 bytes" indicates to me that no client cert was sent, and there was no response data from the server.

This still leaves plenty of possibilities open as to what exactly is going wrong. As Luke suggested previously, you may want to run RabbitMQ outside of docker, but with the same config, to reduce the number of possibilities in play.

Best,
Phil

Hannu Shemeikka

Jan 14, 2020, 5:46:42 AM
to rabbitmq-users
Hi,

I have run my setup outside of docker but that doesn't change anything. Same connectivity problems with local rabbitmq as with inside docker.

Though the openssl s_client shows slightly different output when running against rabbitmq outside of docker.

# openssl s_client -connect localhost:5671 -cert ./backend.admin.pem -key ./backend.admin-key.pem -CAfile ../knl-backend-chain-ca.pem -state -debug       
CONNECTED(00000005)
SSL_connect:before SSL initialization
write to 0x55c13fa4bd10 [0x55c13fa5fdc0] (311 bytes => 311 (0x137))
0000 - 16 03 01 01 32 01 00 01-2e 03 03 bc ae 51 da 5e   ....2........Q.^
0010 - 0a 05 75 9d 20 61 cd 13-eb 07 5e 4d 06 b5 d2 bf   ..u. a....^M....
0020 - 0c ae e3 81 c2 a4 e1 66-f0 63 f3 20 77 33 15 97   .......f.c. w3..
0030 - cc 3f f6 ca 38 16 50 04-0a 7d 84 64 76 01 df bf   .?..8.P..}.dv...
0040 - 4e 07 f6 6a 2e 9f c0 ce-ed 07 01 d5 00 3e 13 02   N..j.........>..
0050 - 13 03 13 01 c0 2c c0 30-00 9f cc a9 cc a8 cc aa   .....,.0........
0060 - c0 2b c0 2f 00 9e c0 24-c0 28 00 6b c0 23 c0 27   .+./...$.(.k.#.'
0070 - 00 67 c0 0a c0 14 00 39-c0 09 c0 13 00 33 00 9d   .g.....9.....3..
0080 - 00 9c 00 3d 00 3c 00 35-00 2f 00 ff 01 00 00 a7   ...=.<.5./......
0090 - 00 00 00 0e 00 0c 00 00-09 6c 6f 63 61 6c 68 6f   .........localho
00a0 - 73 74 00 0b 00 04 03 00-01 02 00 0a 00 0c 00 0a   st..............
00b0 - 00 1d 00 17 00 1e 00 19-00 18 00 23 00 00 00 16   ...........#....
00c0 - 00 00 00 17 00 00 00 0d-00 30 00 2e 04 03 05 03   .........0......
00d0 - 06 03 08 07 08 08 08 09-08 0a 08 0b 08 04 08 05   ................
00e0 - 08 06 04 01 05 01 06 01-03 03 02 03 03 01 02 01   ................
00f0 - 03 02 02 02 04 02 05 02-06 02 00 2b 00 09 08 03   ...........+....
0100 - 04 03 03 03 02 03 01 00-2d 00 02 01 01 00 33 00   ........-.....3.
0110 - 26 00 24 00 1d 00 20 8f-73 31 25 93 4b 0e a2 d1   &.$... .s1%.K...
0120 - 52 17 2f 85 a1 e2 02 49-7f 5f 26 f6 f2 55 16 dc   R./....I._&..U..
0130 - 52 1f 0d 58 b1 86 63                              R..X..c
SSL_connect:SSLv3/TLS write client hello
read from 0x55c13fa4bd10 [0x55c13fa56ba3] (5 bytes => 0 (0x0))
SSL_connect:error in SSLv3/TLS write client hello
write:errno=104
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 311 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
read from 0x55c13fa4bd10 [0x55c13fa40d80] (8192 bytes => 0 (0x0))


- Hannu



Philip Kuryloski

Jan 14, 2020, 6:53:40 AM
to rabbitmq-users
You might try adding the '-servername' option to the openssl command, which I presume would be the common name of the cert you are using for rabbit. From above that looks like server.rabbitmq. Beyond that, the SSL negotiation is failing so early that I believe it's falling out of the scope of RabbitMQ specifics, and thus I don't have further advice to offer.

-Phil
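The two `-state -debug` dumps Hannu posted, and Phil's reading of "read 0 bytes", can be checked mechanically rather than by eye. The script below is an added example written for this page, not code from the thread, from RabbitMQ or from OpenSSL: it reassembles the ClientHello from the `write to ...` hex dump that `openssl s_client -debug` prints, decodes the fields that matter when a handshake dies early (offered TLS versions, cipher suites, SNI, key-share groups), and reads the `SSL handshake has read ... written ...` summary line to say at which stage the connection failed. The sample input is the 311-byte dump from the run outside Docker, copied from the post above and labelled as such; the extension type numbers (server_name 0, supported_versions 43, key_share 51) are the standard TLS values.

```python
import re

# Constructed sample: the 311-byte ClientHello hex dump and the summary lines that
# `openssl s_client -connect localhost:5671 ... -state -debug` printed in the thread.
S_CLIENT_OUTPUT = """\
write to 0x55c13fa4bd10 [0x55c13fa5fdc0] (311 bytes => 311 (0x137))
0000 - 16 03 01 01 32 01 00 01-2e 03 03 bc ae 51 da 5e   ....2........Q.^
0010 - 0a 05 75 9d 20 61 cd 13-eb 07 5e 4d 06 b5 d2 bf   ..u. a....^M....
0020 - 0c ae e3 81 c2 a4 e1 66-f0 63 f3 20 77 33 15 97   .......f.c. w3..
0030 - cc 3f f6 ca 38 16 50 04-0a 7d 84 64 76 01 df bf   .?..8.P..}.dv...
0040 - 4e 07 f6 6a 2e 9f c0 ce-ed 07 01 d5 00 3e 13 02   N..j.........>..
0050 - 13 03 13 01 c0 2c c0 30-00 9f cc a9 cc a8 cc aa   .....,.0........
0060 - c0 2b c0 2f 00 9e c0 24-c0 28 00 6b c0 23 c0 27   .+./...$.(.k.#.'
0070 - 00 67 c0 0a c0 14 00 39-c0 09 c0 13 00 33 00 9d   .g.....9.....3..
0080 - 00 9c 00 3d 00 3c 00 35-00 2f 00 ff 01 00 00 a7   ...=.<.5./......
0090 - 00 00 00 0e 00 0c 00 00-09 6c 6f 63 61 6c 68 6f   .........localho
00a0 - 73 74 00 0b 00 04 03 00-01 02 00 0a 00 0c 00 0a   st..............
00b0 - 00 1d 00 17 00 1e 00 19-00 18 00 23 00 00 00 16   ...........#....
00c0 - 00 00 00 17 00 00 00 0d-00 30 00 2e 04 03 05 03   .........0......
00d0 - 06 03 08 07 08 08 08 09-08 0a 08 0b 08 04 08 05   ................
00e0 - 08 06 04 01 05 01 06 01-03 03 02 03 03 01 02 01   ................
00f0 - 03 02 02 02 04 02 05 02-06 02 00 2b 00 09 08 03   ...........+....
0100 - 04 03 03 03 02 03 01 00-2d 00 02 01 01 00 33 00   ........-.....3.
0110 - 26 00 24 00 1d 00 20 8f-73 31 25 93 4b 0e a2 d1   &.$... .s1%.K...
0120 - 52 17 2f 85 a1 e2 02 49-7f 5f 26 f6 f2 55 16 dc   R./....I._&..U..
0130 - 52 1f 0d 58 b1 86 63                              R..X..c
read from 0x55c13fa4bd10 [0x55c13fa56ba3] (5 bytes => 0 (0x0))
write:errno=104
no peer certificate available
SSL handshake has read 0 bytes and written 311 bytes
"""

TLS_VERSIONS = {"0301": "TLSv1.0", "0302": "TLSv1.1", "0303": "TLSv1.2", "0304": "TLSv1.3"}
HEX_LINE = re.compile(r"^[0-9a-f]{4} - ((?:[0-9a-f]{2}[ -]?)+)", re.I)
SUMMARY = re.compile(r"SSL handshake has read (\d+) bytes and written (\d+) bytes")


def u16(b, i):
    return int.from_bytes(b[i:i + 2], "big")


def hexdump_to_bytes(text):
    """Reassemble the client's outgoing record from the `write to ...` hex dump."""
    data = bytearray()
    for line in text.splitlines():
        if line.startswith("read from"):  # stop at the (empty) server reply
            break
        m = HEX_LINE.match(line)
        if m:
            data += bytes.fromhex(m.group(1).replace("-", " ").strip())
    return bytes(data)


def parse_client_hello(raw):
    """Decode the ClientHello fields that matter when a handshake fails early."""
    if len(raw) < 6 or raw[0] != 0x16 or raw[5] != 0x01:
        raise ValueError("not a TLS handshake record carrying a ClientHello")
    body = raw[5:5 + u16(raw, 3)]
    p = 4 + 2 + 32                  # handshake header, legacy_version, random
    p += 1 + body[p]                # session_id
    n = u16(body, p)
    p += 2
    suites = [u16(body, i) for i in range(p, p + n, 2)]
    p += n
    p += 1 + body[p]                # compression_methods
    info = {"cipher_suites": suites, "sni": None, "versions": [], "key_share_groups": []}
    end = p + 2 + u16(body, p)
    p += 2
    while p + 4 <= end:
        etype, elen = u16(body, p), u16(body, p + 2)
        ext = body[p + 4:p + 4 + elen]
        p += 4 + elen
        if etype == 0x0000:         # server_name: list_len(2) type(1) name_len(2) name
            info["sni"] = ext[5:5 + u16(ext, 3)].decode("ascii")
        elif etype == 0x002b:       # supported_versions: len(1) then 2-byte versions
            info["versions"] = [TLS_VERSIONS.get(ext[i:i + 2].hex(), ext[i:i + 2].hex())
                                for i in range(1, 1 + ext[0], 2)]
        elif etype == 0x0033:       # key_share: len(2) then (group(2) key_len(2) key)*
            q = 2
            while q + 4 <= len(ext):
                info["key_share_groups"].append(u16(ext, q))
                q += 4 + u16(ext, q + 2)
    return info


def classify_handshake(text):
    """Use the s_client summary line to say at which stage the handshake died."""
    m = SUMMARY.search(text)
    if not m:
        return "no handshake summary in output"
    read, written = int(m.group(1)), int(m.group(2))
    if written and not read:
        # No ServerHello came back, so server-certificate verification and the
        # client-certificate (EXTERNAL) step never started.
        return "server closed the connection before answering the ClientHello"
    if "no peer certificate available" in text:
        return "server answered but presented no certificate"
    return "handshake exchanged data both ways; check Verify return code and peer cert"


if __name__ == "__main__":
    print(parse_client_hello(hexdump_to_bytes(S_CLIENT_OUTPUT)))
    print(classify_handshake(S_CLIENT_OUTPUT))
```

For this dump the parser reports SNI `localhost`, 31 offered cipher suites starting with `0x1302` (TLS_AES_256_GCM_SHA384), supported versions TLS 1.3 down to 1.0, and one x25519 key share (group 0x001d); the 293-byte dump from the Docker run carries no server_name extension at all, so `sni` comes back `None` for it, which is the difference Phil's `-servername` suggestion is about. In both runs the summary says 0 bytes read: the broker reset the connection without sending a ServerHello, so the `Verification: OK` and `Verify return code: 0 (ok)` lines describe nothing, and neither the server certificate nor the EXTERNAL client-certificate step was ever reached.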

Luke Bakken

Jan 14, 2020, 12:20:02 PM
to rabbitmq-users
Hello,

Please re-attach your entire RabbitMQ configuration file, as well as your RabbitMQ log file.

How did you generate your certificates?

Can you confirm that the user RabbitMQ is running as has permission to read the certificate files?

Please use the s_server and s_client OpenSSL commands to ensure your certificates work as expected: https://www.rabbitmq.com/troubleshooting-ssl.html

Thanks,
Luke

Hannu Shemeikka

Jan 15, 2020, 3:11:43 AM
to rabbitmq-users
Hi,

Thank you for your answers. I completely started over by deleting my whole setup and creating everything from scratch. I followed the rabbitmq ssl guide, the troubleshooting guide, and the cfssl guides and finally got everything working.

I still don't know what was wrong with my original setup but at least for now, connecting to my rabbitmq over tls works.

Thanks again,

Hannu