Unknown CA after rabbitmq server update


Sergey Krasilnikov

Nov 3, 2016, 2:10:47 PM
to rabbitmq-users
Good day, everyone!

We had a rabbitmq-server 3.5.6 running and one sunny morning decided to update it to the latest 3.6.5 version. Also, an honorable mention is the update of Erlang from 16 to 18.3.4.
Right after the update, using the same configuration, we started to have an issue: "SSL: certify: ssl_handshake.erl:1525:Fatal error: unknown ca".

So here is a bunch of configs and certificates (attached):

rabbitmq.config:
[
  {rabbit, [
      {default_user, <<"guest">>},
      {default_pass, <<"guest">>},
      {vm_memory_high_watermark, 0.7},
      {auth_mechanisms, ['PLAIN','EXTERNAL']},
      {ssl_listeners, [5671]},
      {auth_backends, [rabbit_auth_backend_internal]},
      {ssl_handshake_timeout, 15000},
      {ssl_options, [{cacertfile,"/etc/rabbitmq/keys/root-cert.pem"},
                     {certfile,"/etc/rabbitmq/keys/srv0-cert.pem"},
                     {keyfile,"/etc/rabbitmq/keys/srv0-key.pem"},
                     {depth, 1},
                     {verify,verify_peer},
                     {fail_if_no_peer_cert,true}]}
   ]},
  {rabbitmq_management, [{load_definitions, "/etc/rabbitmq/definitions.json"}]}
].

Openssl command, where server+root.pem is a simple concatenation. 
openssl s_client -connect localhost:5671 -cert cln0-cert.pem -key cln0-key.pem -CAfile server+root.pem

Full command line output:
openssl s_client -connect localhost:5671 -cert cln0-cert.pem -key cln0-key.pem -CAfile server+root.pem
CONNECTED(00000003)
depth=2 CN = ROOT
verify return:1
depth=1 CN = Servers Root
verify return:1
depth=0 CN = broker
verify return:1
140176646219416:error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca:s3_pkt.c:1472:SSL alert number 48
140176646219416:error:140790E5:SSL routines:ssl23_write:ssl handshake failure:s23_lib.c:177:
---
Certificate chain
 0 s:/CN=broker
   i:/CN=Servers Root
---
Server certificate
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
subject=/CN=broker
issuer=/CN=Servers Root
---
Acceptable client certificate CA names
/CN=ROOT
Client Certificate Types: ECDSA sign, RSA sign, DSA sign
Requested Signature Algorithms: ECDSA+SHA512:RSA+SHA512:ECDSA+SHA384:RSA+SHA384:ECDSA+SHA256:RSA+SHA256:ECDSA+SHA224:RSA+SHA224:ECDSA+SHA1:RSA+SHA1:DSA+SHA1:RSA+MD5
Shared Requested Signature Algorithms: ECDSA+SHA512:RSA+SHA512:ECDSA+SHA384:RSA+SHA384:ECDSA+SHA256:RSA+SHA256:ECDSA+SHA224:RSA+SHA224:ECDSA+SHA1:RSA+SHA1:DSA+SHA1
---
SSL handshake has read 909 bytes and written 1323 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : AES256-GCM-SHA384
    Session-ID: EF0D8305D7A816F484E93FA546F90BE3A93AF55C762A196ABA4CA547A63319A0
    Session-ID-ctx: 
    Master-Key: 2E5CC16A08B9C0A8691920057B0EB2D9EE908F05104AB6F750B8A2497129FF73C9B6432319C84BA7E42A053E8BF4DDA0
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1478196510
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---


Thanks, Sergey
clients-cert.pem
srv0-key.pem
server+root.pem
clients-key.pem
cln0-cert.pem
cln0-key.pem
root-cert.pem
root-key.pem
servers-cert.pem
servers-key.pem
srv0-cert.pem

Vineet Nair

Nov 4, 2016, 9:44:08 AM
to rabbitmq-users
Hi Sergey.. 
I had faced a similar issue. It seems it is a problem with the new Erlang version having issues with SSL.
Could you try using Erlang 18.1.x? That had solved the problem for me.

Thanks,
Vineet

Sergey Krasilnikov

Nov 4, 2016, 10:41:34 AM
to rabbitmq-users
Hey, Vineet,

Just tried to redo everything with Erlang 18.1. Still got the same message about unknown CA.

Michael Klishin

Nov 4, 2016, 10:50:40 AM
to rabbitm...@googlegroups.com
Start with http://www.rabbitmq.com/troubleshooting-ssl.html instead of assuming it's an Erlang/OTP or RabbitMQ issue.
Guessing is a really inefficient approach to solving technical problems.

--
You received this message because you are subscribed to the Google Groups "rabbitmq-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to rabbitmq-users+unsubscribe@googlegroups.com.
To post to this group, send email to rabbitmq-users@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.



--
MK

Staff Software Engineer, Pivotal/RabbitMQ

Sergey Krasilnikov

Nov 4, 2016, 11:39:27 AM
to rabbitmq-users
Hey, Michael

I've just seen this article and done the part about openssl client and server verification, so I assume my keys and certs are ok.

At the same time, when I'm trying to connect to the 5671 port it gives me 'Unknown CA' error output. (whole output listed above).
139840481240728:error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca:s3_pkt.c:1472:SSL alert number 48
139840481240728:error:140790E5:SSL routines:ssl23_write:ssl handshake failure:s23_lib.c:177:


Openssl check output follows:
Server:
openssl s_server -accept 7777 -cert srv0-cert.pem -key srv0-key.pem -CAfile root-cert.pem
Using default temp DH parameters
ACCEPT
-----BEGIN SSL SESSION PARAMETERS-----
MFUCAQECAgMDBALAMAQABDD8dgJznH0jK4HK6vdZiggWGQq+MkcRqkMeC7tGcLRk
cT6lBew8MNAa4oa3pIi0PyOhBgIEWByqFqIEAgIBLKQGBAQBAAAA
-----END SSL SESSION PARAMETERS-----
Shared ciphers:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DH-DSS-AES256-GCM-SHA384:DHE-DSS-AES256-GCM-SHA384:DH-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA256:DH-RSA-AES256-SHA256:DH-DSS-AES256-SHA256:DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA:DH-RSA-AES256-SHA:DH-DSS-AES256-SHA:DHE-RSA-CAMELLIA256-SHA:DHE-DSS-CAMELLIA256-SHA:DH-RSA-CAMELLIA256-SHA:DH-DSS-CAMELLIA256-SHA:ECDH-RSA-AES256-GCM-SHA384:ECDH-ECDSA-AES256-GCM-SHA384:ECDH-RSA-AES256-SHA384:ECDH-ECDSA-AES256-SHA384:ECDH-RSA-AES256-SHA:ECDH-ECDSA-AES256-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:CAMELLIA256-SHA:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:DH-DSS-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:DH-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-DSS-AES128-SHA256:DH-RSA-AES128-SHA256:DH-DSS-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA:DH-RSA-AES128-SHA:DH-DSS-AES128-SHA:DHE-RSA-SEED-SHA:DHE-DSS-SEED-SHA:DH-RSA-SEED-SHA:DH-DSS-SEED-SHA:DHE-RSA-CAMELLIA128-SHA:DHE-DSS-CAMELLIA128-SHA:DH-RSA-CAMELLIA128-SHA:DH-DSS-CAMELLIA128-SHA:ECDH-RSA-AES128-GCM-SHA256:ECDH-ECDSA-AES128-GCM-SHA256:ECDH-RSA-AES128-SHA256:ECDH-ECDSA-AES128-SHA256:ECDH-RSA-AES128-SHA:ECDH-ECDSA-AES128-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:SEED-SHA:CAMELLIA128-SHA:ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:ECDH-RSA-RC4-SHA:ECDH-ECDSA-RC4-SHA:RC4-SHA:RC4-MD5:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:EDH-DSS-DES-CBC3-SHA:DH-RSA-DES-CBC3-SHA:DH-DSS-DES-CBC3-SHA:ECDH-RSA-DES-CBC3-SHA:ECDH-ECDSA-DES-CBC3-SHA:DES-CBC3-SHA
Signature Algorithms: RSA+SHA512:DSA+SHA512:ECDSA+SHA512:RSA+SHA384:DSA+SHA384:ECDSA+SHA384:RSA+SHA256:DSA+SHA256:ECDSA+SHA256:RSA+SHA224:DSA+SHA224:ECDSA+SHA224:RSA+SHA1:DSA+SHA1:ECDSA+SHA1
Shared Signature Algorithms: RSA+SHA512:DSA+SHA512:ECDSA+SHA512:RSA+SHA384:DSA+SHA384:ECDSA+SHA384:RSA+SHA256:DSA+SHA256:ECDSA+SHA256:RSA+SHA224:DSA+SHA224:ECDSA+SHA224:RSA+SHA1:DSA+SHA1:ECDSA+SHA1
Supported Elliptic Curve Point Formats: uncompressed:ansiX962_compressed_prime:ansiX962_compressed_char2
Supported Elliptic Curves: P-256:P-521:brainpoolP512r1:brainpoolP384r1:P-384:brainpoolP256r1:secp256k1:B-571:K-571:K-409:B-409:K-283:B-283
Shared Elliptic curves: P-256:P-521:brainpoolP512r1:brainpoolP384r1:P-384:brainpoolP256r1:secp256k1:B-571:K-571:K-409:B-409:K-283:B-283
CIPHER is ECDHE-RSA-AES256-GCM-SHA384
Secure Renegotiation IS supported
123
DONE
shutting down SSL
CONNECTION CLOSED

Client:
openssl s_client -connect localhost:7777 -cert cln0-cert.pem -key cln0-key.pem -CAfile server+root.pem
CONNECTED(00000003)
depth=2 CN = ROOT
verify return:1
depth=1 CN = Servers Root
verify return:1
depth=0 CN = broker
verify return:1
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 1385 bytes and written 431 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: E8D638752799E5314B41614501AF4DEDC81D9479F2399E8B65AE7A3113C06F95
    Session-ID-ctx: 
    Master-Key: FC7602739C7D232B81CAEAF7598A0816190ABE324711AA431E0BBB4670B464713EA505EC3C30D01AE286B7A488B43F23
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:
    0000 - 03 ca ac 57 88 1b 0c 91-3e d8 37 d9 24 8a e7 a1   ...W....>.7.$...
    0010 - cb 29 26 79 a1 f4 48 46-e4 a6 f5 b2 c2 98 56 dc   .)&y..HF......V.
    0020 - 0a 7a 89 73 8f e6 a6 e9-7a 86 eb f8 3f bf 8f 58   .z.s....z...?..X
    0030 - 79 f9 45 60 81 9d 50 e7-39 45 7c 83 65 79 e2 30   y.E`..P.9E|.ey.0
    0040 - 5b cc cb 28 42 f3 8e 3b-c9 e3 27 3c e7 3e 6f 41   [..(B..;..'<.>oA
    0050 - c8 e5 b3 ab 78 23 c9 96-b6 d9 a1 84 7c d3 7c 05   ....x#......|.|.
    0060 - 93 34 49 f2 07 4c 35 58-6d 4f 91 58 46 88 de f1   .4I..L5XmO.XF...
    0070 - 7e 18 bb 39 15 53 dd 80-a4 40 54 2d 4f 9d 05 0d   ~..9.S...@T-O...
    0080 - 87 a4 f2 49 e4 55 63 e3-63 b8 d8 88 eb 5e 1a 06   ...I.Uc.c....^..
    0090 - 32 56 6c b3 be a8 24 d5-16 11 d1 a3 fd fa c3 b8   2Vl...$.........

    Start Time: 1478273558
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---
123
DONE
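A note on what the two checks above actually cover, followed by an added example that is not part of this thread. In the s_client run against port 5671, the client validated the broker cert against server+root.pem, which carries the Servers Root intermediate, while the broker itself only lists /CN=ROOT under "Acceptable client certificate CA names" and its cacertfile holds only root-cert.pem. The s_server check on port 7777 was started without -Verify, so it never asked for a client certificate ("No client certificate CA names sent") and only exercised the server-side chain; it says nothing about whether the broker can build a path from cln0 to ROOT. The script below rebuilds a PKI shaped like the attachment names and assumes, based only on the clients-cert.pem / clients-key.pem attachments, that cln0 is issued by a "Clients Root" intermediate under ROOT (the thread does not state this). It then uses openssl verify, where -CAfile plays the role of RabbitMQ's cacertfile and -untrusted plays the role of chain certificates a peer sends with its leaf, to show which trust-store contents let each leaf validate. All certificates are generated locally; nothing here is taken from the posted files.

```shell
#!/bin/sh
# Added example, not from the thread: a two-tier PKI mirroring the attachment
# names (ROOT -> Servers Root -> broker, ROOT -> Clients Root -> cln0) and a
# check of which trust-store contents make each leaf validate.
# Assumption: cln0 is issued by an intermediate signed by ROOT; the thread only
# hints at this through the clients-cert.pem / clients-key.pem attachments.
set -eu

PKI_DIR="${PKI_DIR:-$(mktemp -d)}"

# Minimal req config; -subj overrides the placeholder CN. x509_extensions is
# only used by "req -x509" (the self-signed root).
cat > "$PKI_DIR/req.cnf" <<'EOF'
[req]
distinguished_name = req_dn
x509_extensions = ca_ext
prompt = no
[req_dn]
CN = placeholder
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
EOF
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$PKI_DIR/ca.ext"
printf 'basicConstraints=critical,CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\n' > "$PKI_DIR/leaf.ext"

# issue NAME CN ISSUER EXTFILE SERIAL: new key + CSR for NAME, signed by ISSUER.
issue() {
    name=$1 cn=$2 issuer=$3 ext=$4 serial=$5
    openssl req -new -newkey rsa:2048 -nodes -config "$PKI_DIR/req.cnf" -subj "/CN=$cn" \
        -keyout "$PKI_DIR/$name-key.pem" -out "$PKI_DIR/$name.csr" >/dev/null 2>&1
    openssl x509 -req -in "$PKI_DIR/$name.csr" -days 2 -set_serial "$serial" \
        -CA "$PKI_DIR/$issuer-cert.pem" -CAkey "$PKI_DIR/$issuer-key.pem" \
        -extfile "$PKI_DIR/$ext" -out "$PKI_DIR/$name-cert.pem" >/dev/null 2>&1
}

build_pki() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -config "$PKI_DIR/req.cnf" \
        -subj "/CN=ROOT" -keyout "$PKI_DIR/root-key.pem" -out "$PKI_DIR/root-cert.pem" >/dev/null 2>&1
    issue servers "Servers Root" root ca.ext 1001
    issue clients "Clients Root" root ca.ext 1002   # assumed intermediate
    issue srv0 broker servers leaf.ext 2001
    issue cln0 cln0 clients leaf.ext 2002
    # The poster's server+root.pem is intermediate + root concatenated; build the
    # client-side counterpart the same way.
    cat "$PKI_DIR/servers-cert.pem" "$PKI_DIR/root-cert.pem" > "$PKI_DIR/server+root.pem"
    cat "$PKI_DIR/clients-cert.pem" "$PKI_DIR/root-cert.pem" > "$PKI_DIR/clients+root.pem"
}

# verify_leaf TRUSTED LEAF [UNTRUSTED]: exit 0 if LEAF chains to an anchor in
# TRUSTED. TRUSTED stands in for RabbitMQ's cacertfile; UNTRUSTED stands in for
# chain certificates the peer presents together with its leaf.
verify_leaf() {
    if [ $# -ge 3 ]; then
        openssl verify -CAfile "$1" -untrusted "$3" "$2" >/dev/null 2>&1
    else
        openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
    fi
}

build_pki
cd "$PKI_DIR"
# Client side, as in the thread: broker validates because server+root.pem holds the intermediate.
verify_leaf server+root.pem srv0-cert.pem && echo "broker      vs server+root.pem : ok"
# Server side with only ROOT trusted and a bare client leaf: no issuer found, i.e. "unknown ca".
verify_leaf root-cert.pem cln0-cert.pem || echo "cln0        vs root-cert.pem    : FAIL (no issuer for cln0)"
# Fix A: the trust store also carries the client intermediate.
verify_leaf clients+root.pem cln0-cert.pem && echo "cln0        vs clients+root.pem: ok"
# Fix B: the trust store holds only ROOT, but the client sends its intermediate with the leaf.
verify_leaf root-cert.pem cln0-cert.pem clients-cert.pem && echo "cln0+chain  vs root-cert.pem    : ok"
```

Run it with a stock openssl binary; it needs no network and leaves its files in $PKI_DIR. If the real cln0-cert.pem turns out to be issued by an intermediate, the equivalent RabbitMQ-side change is to concatenate that intermediate into the file named by cacertfile (fix A), or to have clients present their intermediate with the leaf (fix B); if it is issued directly by ROOT, this script does not explain the alert and the troubleshooting guide's other steps apply.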