Need Help - Exception - RabbitMQ.Client.Exceptions.BrokerUnreachableException:


Shrikant Borole

Dec 26, 2022, 5:34:35 AM
to rabbitmq-users
Hey Team,

I am new to RabbitMQ. I enabled TLS for RabbitMQ on my local machine. As part of it, I created the certificates on my Windows machine as discussed in https://www.rabbitmq.com/ssl.html.

I also updated the rabbitmq.config file as below:

[
  {rabbit, [
    {ssl_listeners, [5671]},
    {ssl_options, [
      {cacertfile, "/etc/ca_certificate.pem"},
      {certfile,   "/etc/private_key.pem"},
      {keyfile,    "/etc/server_certificate.pem"},
      {password,   "MySecretPassword"},
      {verify, verify_peer},
      {fail_if_no_peer_cert, true}
    ]}
  ]}
].

Steps followed to create the certificates:

Bash Cmd Prompt:

cd /C/temp/ThirdOne
mkdir testca
cd testca
mkdir certs private
chmod 700 private
echo 01 > serial
touch index.txt

Using OpenSSL CMD

openssl req -x509 -config openssl.cnf -newkey rsa:2048 -days 365 -out ca_certificate.pem -outform PEM -subj /CN=MyTestCA/ -nodes

openssl x509 -in ca_certificate.pem -out ca_certificate.cer -outform DER

mkdir server

cd server

openssl genrsa -out private_key.pem 2048

openssl req -new -key private_key.pem -out req.pem -outform PEM -subj /CN=desktop-s08pnk3/O=server/ -nodes

cd ..

openssl ca -config openssl.cnf -in ./server/req.pem -out ./server/server_certificate.pem -notext -batch -extensions server_ca_extensions

openssl pkcs12 -export -out ./server/server_certificate.p12 -in ./server/server_certificate.pem -inkey ./server/private_key.pem -passout pass:MySecretPassword

mkdir client

cd client

openssl genrsa -out private_key.pem 2048

openssl req -new -key private_key.pem -out req.pem -outform PEM -subj /CN=desktop-s08pnk3/O=client/ -nodes

cd ..

openssl ca -config openssl.cnf -in ./client/req.pem -out ./client/client_certificate.pem -notext -batch -extensions client_ca_extensions

openssl pkcs12 -export -out ./client/client_certificate.p12 -in ./client/client_certificate.pem -inkey ./client/private_key.pem -passout pass:MySecretPassword

On top of that, I installed the client certificate locally.

NOTE: My client and server are both on the local machine.

Code that I am using for connecting to RabbitMQ:

// using directives this snippet needs
using System;
using System.Net.Security;
using System.Security.Authentication;
using RabbitMQ.Client;

private static void RabbitMQWithSSLEnable()
{
    try
    {
        string rabbitmqHostName = "desktop-s08pnk3";
        string rabbitmqServerName = "desktop-s08pnk3";
        string certificateFilePath = @"C:\temp\ThirdOne\client\client_certificate.pem";
        string certificatePassphrase = "MySecretPassword";
        string rabbitmqUsername = "test";
        string rabbitmqPassword = "test";

        var factory = new ConnectionFactory();

        factory.HostName = rabbitmqHostName;
        factory.UserName = rabbitmqUsername;
        factory.Password = rabbitmqPassword;

        //factory.Uri = new Uri("amqps://test:test@desktop-s08pnk3");

        factory.AuthMechanisms = new IAuthMechanismFactory[] { new ExternalMechanismFactory() };

        // Note: This should NEVER be "localhost"
        factory.Ssl.ServerName = rabbitmqServerName;

        // Path to my .p12 file.
        factory.Ssl.CertPath = certificateFilePath;
        // Passphrase for the certificate file - set through OpenSSL
        factory.Ssl.CertPassphrase = certificatePassphrase;

        factory.Ssl.Enabled = true;
        // Make sure TLS 1.2 is supported & enabled by your operating system
        factory.Ssl.Version = SslProtocols.Tls12;

        // This is the default RabbitMQ secure port
        factory.Port = 15672;
        factory.VirtualHost = "/";
        factory.Ssl.AcceptablePolicyErrors = SslPolicyErrors.RemoteCertificateChainErrors
            | SslPolicyErrors.RemoteCertificateNameMismatch
            | SslPolicyErrors.RemoteCertificateNotAvailable;

        //System.Net.ServicePointManager.Expect100Continue = false;

        using (var connection = factory.CreateConnection())
        {
            using (var channel = connection.CreateModel())
            {
                // publish some messages...
            }
        }
    }
    catch (System.Exception ex)
    {
        var error = ex.ToString();
        System.Console.WriteLine(error);
    }
}

The above code throws this error:

RabbitMQ.Client.Exceptions.BrokerUnreachableException: None of the specified endpoints were reachable
 ---> System.AggregateException: One or more errors occurred. (Unable to read data from the transport connection: An existing connection was forcibly closed by the remote host..)
 ---> System.IO.IOException: Unable to read data from the transport connection: An existing connection was forcibly closed by the remote host..
 ---> System.Net.Sockets.SocketException (10054): An existing connection was forcibly closed by the remote host.
   --- End of inner exception stack trace ---
   at System.Net.Security.SslStream.StartSendBlob(Byte[] incoming, Int32 count, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslStream.ForceAuthentication(Boolean receiveFirst, Byte[] buffer, AsyncProtocolRequest asyncRequest)
   at System.Net.Security.SslStream.ProcessAuthentication(LazyAsyncResult lazyResult, CancellationToken cancellationToken)
   at System.Net.Security.SslStream.BeginAuthenticateAsClient(SslClientAuthenticationOptions sslClientAuthenticationOptions, CancellationToken cancellationToken, AsyncCallback asyncCallback, Object asyncState)
   at System.Net.Security.SslStream.BeginAuthenticateAsClient(String targetHost, X509CertificateCollection clientCertificates, SslProtocols enabledSslProtocols, Boolean checkCertificateRevocation, AsyncCallback asyncCallback, Object asyncState)
   at System.Net.Security.SslStream.<>c.<AuthenticateAsClientAsync>b__64_1(String arg1, X509CertificateCollection arg2, SslProtocols arg3, AsyncCallback callback, Object state)
   at System.Threading.Tasks.TaskFactory`1.FromAsyncImpl[TArg1,TArg2,TArg3](Func`6 beginMethod, Func`2 endFunction, Action`1 endAction, TArg1 arg1, TArg2 arg2, TArg3 arg3, Object state, TaskCreationOptions creationOptions)
   at System.Threading.Tasks.TaskFactory.FromAsync[TArg1,TArg2,TArg3](Func`6 beginMethod, Action`1 endMethod, TArg1 arg1, TArg2 arg2, TArg3 arg3, Object state, TaskCreationOptions creationOptions)
   at System.Threading.Tasks.TaskFactory.FromAsync[TArg1,TArg2,TArg3](Func`6 beginMethod, Action`1 endMethod, TArg1 arg1, TArg2 arg2, TArg3 arg3, Object state)
   at System.Net.Security.SslStream.AuthenticateAsClientAsync(String targetHost, X509CertificateCollection clientCertificates, SslProtocols enabledSslProtocols, Boolean checkCertificateRevocation)
   at RabbitMQ.Client.Impl.SslHelper.<>c__DisplayClass2_0.<TcpUpgrade>b__0(SslOption opts)
   at RabbitMQ.Client.Impl.SslHelper.TcpUpgrade(Stream tcpStream, SslOption options)
   at RabbitMQ.Client.Impl.SocketFrameHandler..ctor(AmqpTcpEndpoint endpoint, Func`2 socketFactory, TimeSpan connectionTimeout, TimeSpan readTimeout, TimeSpan writeTimeout)
   at RabbitMQ.Client.Framing.Impl.IProtocolExtensions.CreateFrameHandler(IProtocol protocol, AmqpTcpEndpoint endpoint, ArrayPool`1 pool, Func`2 socketFactory, TimeSpan connectionTimeout, TimeSpan readTimeout, TimeSpan writeTimeout)
   at RabbitMQ.Client.ConnectionFactory.CreateFrameHandler(AmqpTcpEndpoint endpoint)
   at RabbitMQ.Client.EndpointResolverExtensions.SelectOne[T](IEndpointResolver resolver, Func`2 selector)
   --- End of inner exception stack trace ---
   at RabbitMQ.Client.EndpointResolverExtensions.SelectOne[T](IEndpointResolver resolver, Func`2 selector)
   at RabbitMQ.Client.Framing.Impl.AutorecoveringConnection.Init(IEndpointResolver endpoints)
   at RabbitMQ.Client.ConnectionFactory.CreateConnection(IEndpointResolver endpointResolver, String clientProvidedName)
   --- End of inner exception stack trace ---
   at RabbitMQ.Client.ConnectionFactory.CreateConnection(IEndpointResolver endpointResolver, String clientProvidedName)
   at RabbitMQ.Client.ConnectionFactory.CreateConnection(String clientProvidedName)
   at RabbitMQ.Client.ConnectionFactory.CreateConnection()
   at RabbitMQ.Explore.Program.RabbitMQWithSSLEnable() in C:\Users\warke\source\repos\RabbitMQ.Explore\RabbitMQ.Explore\Program.cs:line 71

Below are the things that I tried:

A) Enabled TLS in Internet Options.
B) Also enabled the ports.

Can anyone please help me get it resolved?

Thanks,
Shrikant Borole

Shrikant Borole

Dec 26, 2022, 5:37:44 AM
to rabbitmq-users
Just to update you all, I am using the below versions:

RabbitMQ 3.11.5
Erlang 25.2

Thanks,
Shrikant Borole

Luke Bakken

Dec 26, 2022, 1:14:20 PM
to rabbitmq-users
The first question is - have you been able to connect without using TLS?

Please see our guide for troubleshooting TLS connections: https://www.rabbitmq.com/troubleshooting-ssl.html

We need to know what RabbitMQ logs at the time of the error.

Finally, you are configuring your C# application to use EXTERNAL auth (i.e. certificate based auth) but you have not configured RabbitMQ to do so, and you're using username/password. You should comment out the factory.AuthMechanisms line.

Just as a note, you are configuring RabbitMQ using the "classic config" format. You really should be using the rabbitmq.conf format that is given in the examples: https://www.rabbitmq.com/ssl.html#enabling-tls
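To show how the client side looks once the points above are applied, here is an added example (written for this page; it is not code from the thread or from the RabbitMQ project) of a ConnectionFactory set up for AMQP over TLS with a client certificate. One detail the thread does not call out is also corrected here: the original code sets Port = 15672, which is the HTTP management port; AMQP over TLS listens on 5671 by default. The example assumes the RabbitMQ.Client 6.x API, a client PKCS#12 file that contains both the certificate and its private key, and, when the EXTERNAL branch is used, a broker that has the rabbitmq_auth_mechanism_ssl plugin enabled and `auth_mechanisms.1 = EXTERNAL` in rabbitmq.conf. The `BuildFactory` helper and the file paths are placeholders of my own.

```csharp
// Added example, not code from the thread or from RabbitMQ: a ConnectionFactory
// configured for AMQP over TLS with mutual authentication.
// Assumes RabbitMQ.Client 6.x. Host name, paths and credentials are placeholders.
using System;
using System.Net.Security;
using System.Security.Authentication;
using RabbitMQ.Client;

static class MtlsClient
{
    // useExternalAuth = true  -> the broker authenticates the connection by the
    //     certificate. Needs rabbitmq_auth_mechanism_ssl, auth_mechanisms.1 = EXTERNAL
    //     and a RabbitMQ user whose name matches what the plugin extracts from the
    //     certificate subject.
    // useExternalAuth = false -> the broker still demands and verifies the client
    //     certificate (verify_peer + fail_if_no_peer_cert), but the connection logs
    //     in with username/password (the PLAIN mechanism, the client's default).
    public static ConnectionFactory BuildFactory(
        string host, string clientP12Path, string clientP12Passphrase,
        bool useExternalAuth, string userName = null, string password = null)
    {
        var factory = new ConnectionFactory
        {
            HostName = host,
            // AMQP over TLS listens on 5671 (listeners.ssl.default = 5671).
            // 15672 is the HTTP management port; a TLS handshake against it
            // fails before any AMQP frame is exchanged.
            Port = 5671,
            VirtualHost = "/",
        };

        factory.Ssl.Enabled = true;
        // Must match the CN or a SAN of the server certificate; tls-gen issues the
        // server certificate for the machine's host name, never for "localhost"
        // unless you ask it to.
        factory.Ssl.ServerName = host;
        factory.Ssl.Version = SslProtocols.Tls12;

        // PKCS#12 holding the client certificate AND its private key. A .pem that
        // contains only the certificate loads without error, but SslStream cannot
        // authenticate with it and the broker logs no_client_certificate_provided.
        factory.Ssl.CertPath = clientP12Path;
        factory.Ssl.CertPassphrase = clientP12Passphrase;

        // Keep the default (None). Adding RemoteCertificateChainErrors or
        // RemoteCertificateNameMismatch turns server validation off; install the
        // CA in the trusted root store instead.
        factory.Ssl.AcceptablePolicyErrors = SslPolicyErrors.None;

        if (useExternalAuth)
        {
            factory.AuthMechanisms = new IAuthMechanismFactory[] { new ExternalMechanismFactory() };
        }
        else
        {
            factory.UserName = userName ?? throw new ArgumentNullException(nameof(userName));
            factory.Password = password ?? throw new ArgumentNullException(nameof(password));
        }
        return factory;
    }

    static void Main()
    {
        // Values taken from the thread; the .p12 path is a placeholder for the file
        // in tls-gen's result directory.
        var factory = BuildFactory(
            host: "desktop-s08pnk3",
            clientP12Path: @"C:\path\to\tls-gen\basic\result\client_desktop-s08pnk3_key.p12",
            clientP12Passphrase: "",      // blank, as in the thread
            useExternalAuth: false,
            userName: "test", password: "test");

        using var connection = factory.CreateConnection();
        using var channel = connection.CreateModel();
        Console.WriteLine($"Connected over TLS: {connection.IsOpen}");
    }
}
```

If the broker is left with its default mechanisms, keep `useExternalAuth` false; switching it to true without the broker-side configuration yields an authentication failure rather than a TLS error, which is a useful way to tell the two classes of problem apart.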

Shrikant Borole

Dec 26, 2022, 11:47:15 PM
to rabbitm...@googlegroups.com, luker...@gmail.com
Hey Bakken,

Thanks for the reply. Please find below details:

Have you been able to connect without using TLS? => Yes, for that I used the below code:

image.png


Troubleshooting TLS connections: https://www.rabbitmq.com/troubleshooting-ssl.html
I verified each option and the setup looks good to me. I am attaching a Word file in case I missed something. (RabbitMQ-Certificates.docx)

The only step I am not sure about is "Validate Client Connections with Stunnel"; I attached a screenshot in the docx file. (FYI: I added some steps in between for my reference.)

We need to know what RabbitMQ logs at the time of the error. => Attached (rab...@DESKTOP-S08PNK3.txt). I can see the listeners are enabled properly as per the log and the guide on the RabbitMQ site.

2022-12-27 10:04:10.753000+05:30 [info] <0.594.0> started TCP listener on [::]:5672
2022-12-27 10:04:10.755000+05:30 [info] <0.612.0> started TCP listener on 0.0.0.0:5672
2022-12-27 10:04:10.758000+05:30 [info] <0.632.0> started TLS (SSL) listener on [::]:5671
2022-12-27 10:04:10.761000+05:30 [info] <0.652.0> started TLS (SSL) listener on 0.0.0.0:5671

2022-12-27 10:04:10.967000+05:30 [info] <0.479.0> Server startup complete; 4 plugins started.
2022-12-27 10:04:10.967000+05:30 [info] <0.479.0>  * rabbitmq_auth_mechanism_ssl
2022-12-27 10:04:10.967000+05:30 [info] <0.479.0>  * rabbitmq_management
2022-12-27 10:04:10.967000+05:30 [info] <0.479.0>  * rabbitmq_web_dispatch
2022-12-27 10:04:10.967000+05:30 [info] <0.479.0>  * rabbitmq_management_agent

You should comment out the factory.AuthMechanisms line:
I did try this option, but I get the same error. The config file is in classic mode only.

Configuration used:
[
  {rabbit, [
    {ssl_listeners, [5671]},
    {ssl_options, [
      {cacertfile, "/etc/ca_certificate.pem"},
      {certfile,   "/etc/server/private_key.pem"},
      {keyfile,    "/etc/server/server_certificate.pem"},
      {password,   "MySecretPassword"},
      {verify, verify_peer},
      {fail_if_no_peer_cert, true}
    ]}
  ]}
].
 
image.png

In the RabbitMQ error log I am getting this, but I am not sure of the reason.

2022-12-27 10:04:58.398000+05:30 [info] <0.655.0> accepting AMQP connection <0.655.0> ([fe80::24de:6737:38df:da7a]:51122 -> [fe80::24de:6737:38df:da7a]:5672)
2022-12-27 10:04:58.459000+05:30 [info] <0.655.0> connection <0.655.0> ([fe80::24de:6737:38df:da7a]:51122 -> [fe80::24de:6737:38df:da7a]:5672): user 'test' authenticated and granted access to vhost '/'
2022-12-27 10:05:01.460000+05:30 [info] <0.655.0> closing AMQP connection <0.655.0> ([fe80::24de:6737:38df:da7a]:51122 -> [fe80::24de:6737:38df:da7a]:5672, vhost: '/', user: 'test')
You really should be using the rabbitmq.conf format that is given in the examples: https://www.rabbitmq.com/ssl.html#enabling-tls
I did try this option, but my RabbitMQ crashes. No error logs are generated for RabbitMQ, but I can see the erlang.dump file. I checked it but did not get much from what is logged in the file. I am attaching it.

Configuration used:
listeners.tcp = none
listeners.ssl.default = 5671
ssl_options.cacertfile = /etc/ca_certificate.pem
ssl_options.certfile   = /etc/server/server_certificate.pem
ssl_options.keyfile    = /etc/server/etc/private_key.pem
ssl_options.verify     = verify_peer
ssl_options.fail_if_no_peer_cert = true
ssl_options.password   = MySecretPassword

Note: I placed the certificate in the server folder, just to avoid confusion.

Thanks and Regards,

Shrikant Borole
M: +91.827.551.9466  |  Nagpur, MS, 440022 | shrikan...@gmail.com



--
You received this message because you are subscribed to the Google Groups "rabbitmq-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to rabbitmq-user...@googlegroups.com.
To view this discussion on the web, visit https://groups.google.com/d/msgid/rabbitmq-users/5913d60c-8cb6-499f-b29c-4715f0522050n%40googlegroups.com.
RabbitMQ-Certificates.docx
rabbit@DESKTOP-S08PNK3.log
erl_crash.dump

Luke Bakken

Dec 27, 2022, 11:32:50 AM
to rabbitmq-users
Hello,

You are running RabbitMQ on Windows, but are trying to use the Unix location for your certificates in /etc.

If you look at your log file, you can see where RabbitMQ thinks configuration should be located:

https://www.rabbitmq.com/configure.html#verify-configuration-config-file-location

The log shows that you are using the old style configuration:

2022-12-27 10:04:07.733000+05:30 [info] <0.226.0>  config file(s) : c:/Users/warke/AppData/Roaming/RabbitMQ/rabbitmq.config

Here is what I would like you to do:
  • Rename the rabbitmq.config file to rabbitmq.config.BACKUP
  • Download the rabbitmq.conf file that I attached to this response, and put it in the C:/Users/warke/AppData/Roaming/RabbitMQ directory
  • Re-generate your certificates without a password. If you have a password, you can not run RabbitMQ as a Windows service because it will prompt you for a password when it starts, and it does not start interactively as a service.
  • Put your new certificates in the  C:/Users/warke/AppData/Roaming/RabbitMQ directory. Ensure that the files are named the same as what is specified in the rabbitmq.conf file.
  • Open an administrative command prompt and navigate to C:\Program Files\RabbitMQ Server\rabbitmq*\sbin
  • Stop the Windows service: .\rabbitmq-service.bat stop
  • Start RabbitMQ in the console: .\rabbitmq-server.bat
  • Ensure that RabbitMQ starts correctly. If not, copy all of the console output to a file. Attach that and your log file to your next response.
  • If RabbitMQ starts correctly, you can remove the log.* lines in the rabbitmq.conf file or change debug to info
  • You can stop RabbitMQ using CTRL-C, or open another admin console, navigate to the sbin dir, and run .\rabbitmqctl.bat shutdown
  • Re-start the Windows service:  .\rabbitmq-service.bat start
Let me know how the above process goes. Ideally, you will run everything in one or two admin console windows. If you have any errors, you must copy the contents of the windows into a file for me to check. Otherwise I have no idea what you have done.

Thanks,
Luke
rabbitmq.conf

Shrikant Borole

Dec 28, 2022, 12:51:02 PM
to rabbitm...@googlegroups.com, luker...@gmail.com
Hey Bakken,

Thanks for the quick response.

Please find below details:

Rename the rabbitmq.config file to rabbitmq.config.BACKUP
=> Done

Download the rabbitmq.conf file that I attached to this response, and put it in the C:/Users/warke/AppData/Roaming/RabbitMQ directory
=> Done

Re-generate your certificates without a password. If you have a password, you can not run RabbitMQ as a Windows service because it will prompt you for a password when it starts, and it does not start interactively as a service.
=> Done, but I used the steps provided in the link: https://www.rabbitmq.com/ssl.html

As part of that step, to create a certificate without a password I did the following for the command below; please verify and advise.


openssl pkcs12 -export -out ./client/client_certificate.p12 -in ./client/client_certificate.pem -inkey ./client/private_key.pem -passout pass:MySecretPassword

I just removed the -passout argument and used the below command.


openssl pkcs12 -export -out ./client/client_certificate.p12 -in ./client/client_certificate.pem -inkey ./client/private_key.pem
passout pass:MySecretPassword

This prompted me for the password and I just hit Enter twice. Please advise if this is correct or not. If it's not, can you please send me a reference link for generating the certificates on Windows.

FYI: I recreated the certificates in the same manner as above for client and server. I installed the CA and client certificates on Windows.


Put your new certificates in the  C:/Users/warke/AppData/Roaming/RabbitMQ directory. Ensure that the files are named the same as what is specified in the rabbitmq.conf file.
=> Done


Open an administrative command prompt and navigate to C:\Program Files\RabbitMQ Server\rabbitmq*\sbin
Stop the Windows service: .\rabbitmq-service.bat stop
=> Done, working properly.


Start RabbitMQ in the console: .\rabbitmq-server.bat
=>Done


Ensure that RabbitMQ starts correctly. If not, copy all of the console output to a file. Attach that and your log file to your next response.
=>Working properly, I was able to login into the management console.


If RabbitMQ starts correctly, you can remove the log.* lines in the rabbitmq.conf file or change debug to info
You can stop RabbitMQ using CTRL-C, or open another admin console, navigate to the sbin dir, and run .\rabbitmqctl.bat shutdown
=>Done


Re-start the Windows service:  .\rabbitmq-service.bat start
=>Done

Everything worked for me, but to connect through code I need to make the below changes:
 
I set

ssl_options.fail_if_no_peer_cert = false

and in code I need to comment out:

factory.Ssl.CertPath = certificateFilePath
factory.Ssl.CertPassphrase = certificatePassphrase;


Only then am I able to connect to RabbitMQ, which means the peer connection is not working. I checked the log; below is the log:

2022-12-28 22:57:48.708000+05:30 [notice] <0.619.0> TLS server: In state certify at tls_dtls_connection.erl:315 generated SERVER ALERT: Fatal - Handshake Failure
2022-12-28 22:57:48.708000+05:30 [notice] <0.619.0>  - no_client_certificate_provided

I am providing the certificate and password in the below properties:
factory.Ssl.CertPath = certificateFilePath
factory.Ssl.CertPassphrase = certificatePassphrase;

where

 string certificateFilePath = @"C:\temp\ThirdOne\client\client_certificate.pem";
  string certificatePassphrase = "";

Is this because I am creating the certificates in the wrong manner, as described in the link mentioned above?

Please give me some advice. Thanks.

Also, apart from this I am trying to set up the same thing on my work machine. On the work machine we are using an old version:

RabbitMQ: 3.7.16
Erlang 22.0

On my work machine I tried the same steps, but I am getting an error on the last step, while starting the RabbitMQ service. With rabbitmq-server.bat I am able to log in to the management console; please find the logs for this attached. Not sure what is going wrong with it.
Attaching logs for the work machine for the rabbitmq-server.bat step (rabbitmq-server.bat.logs) and the normal one.

Please let me know in case you need more information.

Thanks and Regards,

Shrikant Borole
M: +91.827.551.9466  |  Nagpur, MS, 440022 | shrikan...@gmail.com


WorkMachine-rabbitmq-server.bat.log.txt
WorkMachine-rabbit@localhost.log

Luke Bakken

Dec 28, 2022, 1:01:54 PM
to rabbitmq-users
Answers inline:
 
This prompted me for the password and just hit enter 2 times. Please advise if this is correct or not. In case it's not, can you please send me the reference link for generating the certificate on windows.

FYI: I recreated the certificate in the same manner as above for client and server. I installed the CA and client certificate on windows.

You should be able to use this project to generate certificates on Windows -


You need to have GNU make and Python in your PATH. You can install both using Chocolatey.

 Then:

cd tls-gen/basic
make PYTHON=python

The certificates will be in the result directory.
 
Is this because I am creating the certificates in the wrong manner as described in the link mentioned above.

Probably. Please use the tls-gen project to create certificates. We know that they work.

Also, apart from this I am trying to set up the same thing on my work-machine. While setting it on work-machine we are using old version:

RabbitMQ: 3.7.16
Erlang 22.0

Both that RabbitMQ version and that Erlang version are no longer supported.

Shrikant Borole

Dec 29, 2022, 12:53:40 PM
to rabbitm...@googlegroups.com
Hey Bakken,

Thanks. It worked for me. Initially I was doing the below two things wrong; just to confirm my understanding:

1. Creation of the certificate.
2. Using old rabbitmq config.

Thanks,
Shrikant Borole



Luke Bakken

Dec 29, 2022, 4:56:35 PM
to rabbitmq-users
I am uncertain what was exactly wrong. More than likely it was a combination of incorrect configuration as well as incorrectly created certificates.

Shrikant Borole

Dec 29, 2022, 11:01:26 PM
to rabbitm...@googlegroups.com
Hey Bakken,

One more question: do we need to import the CA certificate on the client machine, in certmgr on Windows, for peer verification? tls-gen created the below certificates.

image.png


Thanks and Regards,

Shrikant Borole
M: +91.827.551.9466  |  Nagpur, MS, 440022 | shrikan...@gmail.com


Luke Bakken

Dec 30, 2022, 5:03:29 PM
to rabbitmq-users
Yes, if you would like to have .NET verify the server certificate. You need to put the CA cert into the appropriate trusted root store.

You also need to remove the "factory.Ssl.AcceptablePolicyErrors" in your code.

Shrikant Borole

Jan 4, 2023, 12:58:14 PM
to rabbitm...@googlegroups.com, luker...@gmail.com
Hey Bakken,

I did the setup with the latest version of RabbitMQ and Erlang on my office work machine. With that setup the TLS connection works, but with mTLS I am facing issues.

I imported the ca certificate in the certmgr under the trusted root certificate section.

Below is the error on the RabbitMQ side:
2023-01-04 14:20:30.225000+05:30 [notice] <0.789.0> TLS server: In state certify at tls_dtls_connection.erl:315 generated SERVER ALERT: Fatal - Handshake Failure
2023-01-04 14:20:30.225000+05:30 [notice] <0.789.0>  - no_client_certificate_provided

I am setting the below property at the time of mTLS.

// Path to my .p12 file - Client certificate
factory.Ssl.CertPath = certificateFilePath;
// Passphrase for the certificate file - set through OpenSSL, it's blank in our case
factory.Ssl.CertPassphrase = certificatePassphrase;

FYI: 
A) I created the certificate using the tls-gen as suggested by you. I am not sure but it might be the issue related to some access.
B) ssl_options.fail_if_no_peer_cert = false => TLS connection => Working Fine
C) ssl_options.fail_if_no_peer_cert = true => mTLS connection => Giving above error 
D) Attached the exception that I am getting on the .NET side.

Do you know what exactly is happening on the machine, and what the possible issue might be?
 
Please let me know in case you need more information.

Thanks and Regards,

Shrikant Borole
M: +91.827.551.9466  |  Nagpur, MS, 440022 | shrikan...@gmail.com


log.txt

Luke Bakken

Jan 4, 2023, 2:14:22 PM
to rabbitmq-users
no_client_certificate_provided is pretty self-explanatory. RabbitMQ / Erlang is not receiving a client certificate, or there is something wrong with the provided cert.

Have you run OpenSSL s_server and s_client in order to verify that client cert auth works, using your certificates?


Are you still using the certificates generated by our rabbitmq/tls-gen project?

I have been meaning to create a complete example of using TLS, client certificate authentication, and the .NET client on Windows. I suppose this is as good a time as any to do it. It will take some time, however.

Thanks,
Luke

Shrikant Borole

Jan 4, 2023, 9:32:23 PM
to rabbitm...@googlegroups.com, luker...@gmail.com
Hey Bakken,

Have you run OpenSSL s_server and s_client in order to verify that client cert auth works, using your certificates? 
Yes, and it looks good. Attached here is a snapshot:
Screenshot 2023-01-05 075022.png

Are you still using the certificates generated by our rabbitmq/tls-gen project?
Yes

In case this helps, I checked in my code to https://github.com/shrikantborole/RabbitMQ.Explore

Below is the config setting:

log.console = true
log.console.level = debug
log.file.level = debug


listeners.tcp = none
listeners.ssl.default = 5671

ssl_options.cacertfile = C:/Users/warke/AppData/Roaming/RabbitMQ/ca_certificate.pem
ssl_options.certfile   = C:/Users/warke/AppData/Roaming/RabbitMQ/server_DESKTOP-S08PNK3_certificate.pem
ssl_options.keyfile    = C:/Users/warke/AppData/Roaming/RabbitMQ/server_DESKTOP-S08PNK3_key.pem

ssl_options.verify     = verify_peer
ssl_options.fail_if_no_peer_cert = true

Thanks and Regards,

Shrikant Borole
M: +91.827.551.9466  |  Nagpur, MS, 440022 | shrikan...@gmail.com



Luke Bakken

Jan 5, 2023, 9:54:57 AM
to rabbitmq-users
Hello,

Please do not use screenshots. They are too small to see (Google Groups resizes them) and very important information is missing.

I will generate my own certificates using tls-gen and will test out your code.

Thanks,
Luke


Luke Bakken

Jan 5, 2023, 1:33:24 PM
to rabbitmq-users
Hello,


I can reproduce the no_client_certificate_provided error!

It seems that you need to use a PFX certificate file as the CertPath argument instead of a P12 file. I have no idea why this is a requirement when client certificates are being used, but it does work. What's strange is that P12 and PFX should be identical, so I'm going to continue investigating.

I have provided instructions in the README for how to create the file: https://github.com/lukebakken/rabbitmq-users-dotnet-cert-auth-Xd9vkBXK3wwj#create-pfx-file

Let me know if you have further questions.
Thanks,
Luke

Luke Bakken

Jan 5, 2023, 1:46:35 PM
to rabbitmq-users
I double-checked the tls-gen code and you must use the client_localhost_key.p12 file as the CertFile. This p12 file contains BOTH the client cert and key.

Note that my setup.ps1 script also imports the CA certificate into the personal Trusted Root store.

I have updated my code to use the p12 file.
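The two things Luke settles here and in his Dec 30 reply (the .p12 handed to the client must contain the private key as well as the certificate, and the CA must be in the trusted root store) can be checked before touching the broker. The following is an added example written for this page, not code from the thread, tls-gen or the RabbitMQ project. It assumes .NET 5 or later (for `X509Certificate2.CreateFromPemFile` and `X509ChainTrustMode.CustomRootTrust`); the `ClientCertPreflight` class, the `Check` helper and the file paths are my own placeholders, with file names in tls-gen's naming style.

```csharp
// Added example, not code from the thread: a preflight check of the client PKCS#12
// before handing it to RabbitMQ.Client. Covers the failure modes discussed above:
// no private key in the file, CA not trusted, certificate not chaining to the CA.
// Assumes .NET 5 or later. File paths are placeholders.
using System;
using System.Collections.Generic;
using System.IO;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

static class ClientCertPreflight
{
    const string ClientAuthOid = "1.3.6.1.5.5.7.3.2"; // id-kp-clientAuth

    // Returns an empty list when the file is usable for client authentication,
    // otherwise one entry per problem found.
    public static List<string> Check(string p12Path, string p12Passphrase, string caPemPath)
    {
        var problems = new List<string>();
        using var client = new X509Certificate2(p12Path, p12Passphrase);
        using var ca = X509Certificate2.CreateFromPemFile(caPemPath);

        // 1. The private key must be in the file. A certificate-only .pem (or a .p12
        //    exported without -inkey) loads fine, but SslStream then presents no
        //    certificate and the broker logs no_client_certificate_provided.
        if (!client.HasPrivateKey)
            problems.Add($"{Path.GetFileName(p12Path)}: no private key; SslStream cannot authenticate with it");

        // 2. Validity window.
        var now = DateTime.Now;
        if (now < client.NotBefore || now > client.NotAfter)
            problems.Add($"certificate not valid now (valid {client.NotBefore:u} to {client.NotAfter:u})");

        // 3. Extended key usage should permit client authentication; tls-gen and the
        //    client_ca_extensions section of the docs' openssl.cnf both set it.
        bool clientAuthOk = false;
        foreach (var ext in client.Extensions)
            if (ext is X509EnhancedKeyUsageExtension eku)
                foreach (Oid oid in eku.EnhancedKeyUsages)
                    if (oid.Value == ClientAuthOid) clientAuthOk = true;
        if (!clientAuthOk)
            problems.Add("warning: certificate lacks the clientAuth extended key usage");

        // 4. The certificate must chain to the CA the broker is configured with
        //    (ssl_options.cacertfile). Trust only that CA here, independent of the
        //    Windows store, so the result says something about the files themselves.
        using var chain = new X509Chain();
        chain.ChainPolicy.TrustMode = X509ChainTrustMode.CustomRootTrust;
        chain.ChainPolicy.CustomTrustStore.Add(ca);
        chain.ChainPolicy.RevocationMode = X509RevocationMode.NoCheck; // private CA, no CRL
        if (!chain.Build(client))
            foreach (var status in chain.ChainStatus)
                problems.Add($"chain: {status.Status} ({status.StatusInformation.Trim()})");

        // 5. Separately, .NET validates the *server* certificate against the machine's
        //    trusted root stores, so the same CA has to be installed there (what the
        //    setup.ps1 mentioned above does) unless a validation callback replaces it.
        bool caTrusted = false;
        foreach (var location in new[] { StoreLocation.CurrentUser, StoreLocation.LocalMachine })
        {
            using var roots = new X509Store(StoreName.Root, location);
            roots.Open(OpenFlags.ReadOnly);
            if (roots.Certificates.Find(X509FindType.FindByThumbprint, ca.Thumbprint, false).Count > 0)
                caTrusted = true;
        }
        if (!caTrusted)
            problems.Add("CA is not in the Trusted Root store; .NET will reject the server certificate");

        return problems;
    }

    static void Main(string[] args)
    {
        // Placeholder directory; tls-gen writes its output to basic/result.
        string dir = args.Length > 0 ? args[0] : @"C:\path\to\tls-gen\basic\result";
        var problems = Check(
            Path.Combine(dir, "client_localhost_key.p12"), "",   // blank passphrase, as in the thread
            Path.Combine(dir, "ca_certificate.pem"));
        Console.WriteLine(problems.Count == 0 ? "OK" : string.Join(Environment.NewLine, problems));
    }
}
```

Running this against the certificate-only `client_certificate.pem` from the first post reports the missing private key, which is the client-side counterpart of the broker's no_client_certificate_provided alert; running it against tls-gen's `client_<host>_key.p12` with the CA imported reports nothing.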

Shrikant Borole

Jan 6, 2023, 7:27:02 AM
to rabbitm...@googlegroups.com
Hey Bakken,

It worked. Thanks.

One question about the command for creating the certificates:

make PYTHON=python

Is this a standard command? I can't see this command in the tls-gen documentation. Also, to run this on Windows we need Chocolatey; can we mention that somewhere in the RabbitMQ documentation? Not sure if this is the right place to ask.

Thanks and Regards,

Shrikant Borole
M: +91.827.551.9466  |  Nagpur, MS, 440022 | shrikan...@gmail.com



Luke Bakken

Jan 6, 2023, 9:29:48 AM
to rabbitmq-users
Well, you need Python on Windows. How you install it is up to you, but Chocolatey is one good option.

The tls-gen code expects the Python executable to be named python3, but on Windows it's just python, which is why you must use make PYTHON=python.

Since everyone should be using Python 3 these days I can change the tls-gen code.

Thanks,
Luke