Rabbitmq SSL configuration issue for mqtt


Hw Siew

Apr 12, 2016, 11:10:31 AM4/12/16
to rabbitmq-users
Hi, I attempt to configure TLS/SSL for my rabbitmq server for both management and mqtt plugins. Both plugins use the same files for SSL configuration. I can successfully access web management panel using https and browser confirmed that the ssl cert is valid. However, when i try to connect a mqtt client in ssl, it failed. Server log shows an error report as follow. I am wondering why same cert but not working on both management panel and mqtt client. Any helps are very much appreciated. Thank you.

Configuration file:

[
 {rabbit, [
   {ssl_listeners, [5671]},
   {tcp_listeners, [{"127.0.0.1", 5672}, {"::1", 5672}]},
   {ssl_options, [{cacertfile,"/ssl/cacert.pem"},
                  {certfile,"/ssl/fullchain.pem"},
                  {keyfile,"/ssl/privkey.pem"},
                  {depth, 2},
                  {verify,verify_none},
                  {fail_if_no_peer_cert,false}]},
   {default_vhost, <<"/">>},
   {default_user, <<"user">>},
   {default_pass, <<"AAAAA">>},
   {default_permissions, [<<".*">>, <<".*">>, <<".*">>]}
   %% {default_user, <<"guest">>},
   %% {default_pass, <<"guest">>},
   %% {default_permissions, [<<".*">>, <<".*">>, <<".*">>]}
 ]},
 {kernel, []},
 {rabbitmq_management, [
   {listener, [
     {port, 15672},
     {ip, "0.0.0.0"},
     {ssl, true},
     {ssl_opts, [{cacertfile, "/ssl/cacert.pem"},
                 {certfile, "/ssl/fullchain.pem"},
                 {keyfile, "/ssl/privkey.pem"}]}
   ]}
 ]},
 {rabbitmq_shovel, [
   {shovels, []}
 ]},
 {rabbitmq_stomp, []},
 {rabbitmq_mqtt, [{ssl_listeners,[8883]},{tcp_listeners,[1883]}]},
 {rabbitmq_amqp1_0, []},
 {rabbitmq_auth_backend_ldap, []}
].

Mqtt Client connection error:

=ERROR REPORT==== 12-Apr-2016::14:54:40 ===SSL: certify: ssl_alert.erl:92:Fatal error: certificate unknown

Michael Klishin

Apr 12, 2016, 11:14:54 AM4/12/16
to rabbitm...@googlegroups.com, Hw Siew
It's not the certificate but your client settings, for example, you use peer verification
but the client isn't instructed to trust the server certificate.
Can you post your MQTT client code? What client library is used?

I'm guessing this is a continuation to https://github.com/rabbitmq/rabbitmq-server/issues/741 — have you set certificate chain verification depth?

--
MK

Staff Software Engineer, Pivotal/RabbitMQ


Hw Siew

Apr 12, 2016, 11:15:26 AM4/12/16
to rabbitmq-users

Michael Klishin

Apr 12, 2016, 12:27:23 PM4/12/16
to Hw Siew, rabbitm...@googlegroups.com
+rabbitmq-users, please CC the list.

On 12 April 2016 at 19:11:57, Hw Siew (qrw...@gmail.com) wrote:
> I tried two MQTT clients, Mqtt.fx (http://mqttfx.jfx4ee.org/)
> and Esp8266 pubsubclient (https://github.com/knolleary/pubsubclient).
>
> For Mqtt.fx, I tried two methods. First, simply connect to my
> rabbitmq server with the built-in CA verification in the client. Second,
> I uploaded my CA cert to Mqtt.fx for verification. But both
> show the same result, e.g. =ERROR REPORT==== 12-Apr-2016::14:54:40
> ===SSL: certify:ssl_alert.erl:92:Fatal error: certificate
> unknown.
>
> For the second client, which runs on a hardware module: it was successfully
> connected to my server. However, the library I used to connect over
> MQTT seems to be ignoring the verification process for SSL/TLS,
> because I checked the fingerprint against the SSL cert and it doesn't
> match. With proper verification, the connection would be rejected.

Where do you "upload" the certificate?

Explaining how PKI works is out of scope for this list and there have been numerous
discussions about this in the past.

For TLS verification (authentication) to succeed, both client and server need to trust
the certificate chain provided by the peer. In other words, RabbitMQ needs to trust
the CA that signed a client's certificate, and the client needs to trust the CA that signed
the RabbitMQ server certificate.

How exactly you specify trusted certificates varies from TLS implementation to implementation.
There is a set of system-wide CA certificates that are trusted ("root CAs") and everything
they sign is trusted by proxy (provided that the verification depth used is at least as long as
the number of certificates in the chain). You can also provide a set of certificates to be
treated as trusted in most TLS libraries.

One client you use is Java-based and built on Paho. Java uses its own format for certificate stores,
as briefly described in http://www.rabbitmq.com/ssl.html (which does not cover MQTT specifically
but it doesn't matter).

Paho Java is actually what our MQTT plugin test suite uses:
https://github.com/rabbitmq/rabbitmq-mqtt/blob/master/test/src/com/rabbitmq/mqtt/test/tls/MqttSSLTest.java

So take a look and get it to work with Paho Java first (and please post code examples with your questions).

You can also generate some (self-signed) certificates with tls-gen and give it a try to compare:
http://github.com/michaelklishin/tls-gen.

Lastly, make sure you use Erlang 17.5 or 18.x, earlier versions had certain limitations related to TLS
which sometimes resulted in otherwise correct certificates being rejected.

> I also tried the method suggested on the website "tls/ssl troubleshooting".
> Run the command as follows.
>
> openssl s_client -connect localhost:5671 -cert /ssl/fullchain.pem
> -key /ssl/privkey.pem -CAfile /ssl/cacert.pem
>
> Server logs an error report:
>
> =ERROR REPORT==== 12-Apr-2016::16:04:49 ===
> closing AMQP connection <0.7990.0> (127.0.0.1:51821 -> 127.0.0.1:5673):
> {handshake_timeout,handshake}

The error message says that the client was connected to port 5673, not 5671, so
I'll assume that port 5673 uses TLS.

Whenever you see a handshake timeout when connecting to a TLS port on localhost,
it almost always means that the client *wasn't* configured to use TLS and so it never
performs the TLS upgrade the server expects, and the server logs a handshake timeout message.

Hw Siew

Apr 12, 2016, 11:48:51 PM4/12/16
to Michael Klishin, rabbitm...@googlegroups.com
Hi Mk,

> Where do you "upload" the certificate?
In Mqtt.fx under the connection profile SSL/TLS tab, I tried out the first and second options.

[Inline image 1]

To simplify my testing, I made all SSL certs in their simplest form. I disabled client cert verification: {verify, verify_none}. Also, I set the depth to 2.

cacertfile : cacert.pem (I assumed cacertfile is a list of all Root CAs, correct me if I am wrong). This is also the cert I uploaded to Mqtt.fx as shown in the pic above.

-----BEGIN CERTIFICATE-----
Root CA : DST Root CA X3
-----END CERTIFICATE-----

certfile : cert.pem

-----BEGIN CERTIFICATE-----
Server cert 
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
Intermediate CA
-----END CERTIFICATE-----


> Lastly, make sure you use Erlang 17.5 or 18.x, earlier versions had certain limitations related to TLS
> which sometimes resulted in otherwise correct certificates being rejected.

I am totally new to Erlang. Pardon me if anything is silly.
I checked my server with the Erlang command
erlang:system_info(otp_release).
"17"

I also noticed the RabbitMQ web management panel states I am using "RabbitMQ 3.6.0, Erlang 17.4".

Is there any way I can update the Erlang version to the latest? I tried the Erlang Solutions method listed on the website. It doesn't work though.


For the testing part, i will try it in a bit.


Thank you so much for your time and advice.


Hw Siew

Apr 13, 2016, 1:07:10 AM4/13/16
to Michael Klishin, rabbitm...@googlegroups.com
Hi MK,

I finally got Mqtt.fx connected over SSL with your advice. However, I noticed something strange on the web management panel. With the same MQTT client I tried to connect to two different RabbitMQ servers (one mine, one someone else's), both under SSL. I highlighted it in the pics below. SSL information about the connection is missing under my web management panel. Did I configure something wrong, so the information didn't show up? Or is there another cause? Thanks for the advice.

other's RabbitMQ server:

my RabbitMQ server:



Michael Klishin

Apr 13, 2016, 2:23:28 AM4/13/16
to Hw Siew, rabbitm...@googlegroups.com
If this client accepts a single file, I suspect it needs a certificate bundle, that is, certificates concatenated together in order?

On 13 Apr 2016, at 6:48, Hw Siew <qrw...@gmail.com> wrote:

> Hi Mk,
>
> > Where do you "upload" the certificate?
> In Mqtt.fx under the connection profile SSL/TLS tab, I tried out the first and second options.

Hw Siew

Apr 13, 2016, 3:06:56 AM4/13/16
to Michael Klishin, rabbitm...@googlegroups.com
Hi, MK.

I have updated my server cert file to the full chain certificate in the following order. No luck though; the web management panel SSL section remains empty as in the last email, but the connection status indicates that the connection is in SSL.

cert file:

-----BEGIN CERTIFICATE-----
Server cert
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
Intermediate CA
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
Root CA
-----END CERTIFICATE-----

Michael Klishin

Apr 13, 2016, 3:17:14 AM4/13/16
to Hw Siew, rabbitm...@googlegroups.com
I wasn't suggesting concatenation will help with that, only that there is more than one file required for TLS to work and your client accepts just one: this typically means all certificates must be concatenated.

First thing to check when investigating differences between environments is RabbitMQ version: is it the same? If so, what version is that?

Sorry but you provide very little information. Engineers need specific details in order to recommend anything.

Hw Siew

Apr 13, 2016, 4:47:33 AM4/13/16
to Michael Klishin, rabbitm...@googlegroups.com
Thanks, MK. I should have provided more information.

The other server uses older version : RabbitMQ 3.4.2, Erlang 17.4.
My server using : RabbitMQ 3.6.0, Erlang 17.4.

Michael Klishin

Apr 13, 2016, 4:58:46 AM4/13/16
to Hw Siew, rabbitm...@googlegroups.com
So you are not comparing versions in the same release series.

Which version does not display connection information?

Michael Klishin

Apr 13, 2016, 5:10:24 AM4/13/16
to Hw Siew, rabbitm...@googlegroups.com
I'll assume the version with missing connection is 3.6.1.

It should be resolved in 3.6.2 (in fact, you can try 3.6.2 M3 today, see GitHub releases for rabbitmq/rabbitmq-server):

Hw Siew

Apr 13, 2016, 6:04:02 AM4/13/16
to Michael Klishin, rabbitm...@googlegroups.com
Yup, the missing connection one is 3.6.1.

Glad that it had been brought up and fixed.

I will try it later.

Thank you so much for your help in this issue. Very much appreciated.

Thank you.


jagaran das

Jul 8, 2019, 10:39:08 AM7/8/19
to rabbitmq-users
Looks like the client certificate CN/DN needs to be the same as a user in Rabbit to proceed. We have a million devices, how would that work for us? :(

Luke Bakken

Jul 8, 2019, 12:09:49 PM7/8/19
to rabbitmq-users
Hello,

Yes, that is a standard practice when using X509 certificates for authentication and is not unique to RabbitMQ.

jagaran das

Jul 9, 2019, 7:04:09 AM7/9/19
to rabbitm...@googlegroups.com
Thanks for your reply. Is that something we can disable, or can we use the same user every time? We can achieve this by altering the MQTT plugin code.

Please confirm.

Thank you
Jagaran 


Luke Bakken

Jul 9, 2019, 10:48:22 AM7/9/19
to rabbitmq-users
Hello,

You can use a well-known username, and use that value in CN= in all of your certificates. No changes to RabbitMQ or the MQTT plugin are needed.
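As an added example, not code from this thread or from the RabbitMQ project: a Paho Java client set up the way MK describes above, trusting the CA that signed the server certificate and connecting to an ssl:// URI (so the broker's TLS port never sees a plaintext client and logs a handshake timeout), optionally presenting a client certificate whose CN is the RabbitMQ username as Luke describes. The broker host name, file paths and keystore password are assumptions; the client-certificate path additionally assumes the broker's ssl_options use verify_peer (the thread's config uses verify_none, under which no client certificate is requested) and that the MQTT plugin's ssl_cert_login setting is enabled.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;
import org.eclipse.paho.client.mqttv3.MqttClient;
import org.eclipse.paho.client.mqttv3.MqttConnectOptions;
public class RabbitMqttTlsClient {
    // Assumed values: replace with your broker host name and file paths.
    static final String BROKER = "ssl://broker.example.test:8883"; // ssl:// scheme makes Paho start TLS
    static final String CA_PEM = "/ssl/cacert.pem";                // CA bundle that signed the server cert
    static final char[] P12_PASS = "changeit".toCharArray();       // password of the optional client PKCS12
    // Turn a PEM bundle (one or more CA certificates) into a trust store; no keytool step needed.
    static TrustManagerFactory trustManagersFrom(String pemPath) throws Exception {
        KeyStore ts = KeyStore.getInstance(KeyStore.getDefaultType());
        ts.load(null, null);
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        try (InputStream in = new FileInputStream(pemPath)) {
            for (Certificate c : cf.generateCertificates(in)) {
                ts.setCertificateEntry("ca-" + ts.size(), c);
            }
        }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ts);
        return tmf;
    }
    public static void main(String[] args) throws Exception {
        // Optional first argument: PKCS12 file with the client certificate + key for certificate login.
        KeyManagerFactory kmf = null;
        if (args.length > 0) {
            KeyStore ks = KeyStore.getInstance("PKCS12");
            try (InputStream in = new FileInputStream(args[0])) { ks.load(in, P12_PASS); }
            kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
            kmf.init(ks, P12_PASS);
        }
        SSLContext ctx = SSLContext.getInstance("TLSv1.2");
        ctx.init(kmf == null ? null : kmf.getKeyManagers(), trustManagersFrom(CA_PEM).getTrustManagers(), null);
        MqttConnectOptions opts = new MqttConnectOptions();
        opts.setSocketFactory(ctx.getSocketFactory());
        opts.setHttpsHostnameVerificationEnabled(true); // server cert must match the host name in BROKER
        // With a client cert and ssl_cert_login enabled on the broker, send no username/password:
        // RabbitMQ takes the user name from the certificate CN (the "well-known username" approach).
        MqttClient client = new MqttClient(BROKER, "tls-demo-client");
        client.connect(opts);
        client.disconnect();
    }
}
```

If the broker's certificate chain is incomplete or CA_PEM does not contain the signing CA, connect() fails with a certificate-path exception on the client side and the broker logs the same "certificate unknown" alert seen earlier in this thread.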
