ssl_handshake.erl:1624


mela...@synergentl.com

Oct 2, 2018, 4:37:53 AM
to rabbitmq-users
Hello,

I followed these [1], [2] documents to enable TLS on a rabbitmq server with mqtt plugin. I generated the certificates using [3].

My config file looks like this.

[
 {rabbit,
  [
   {tcp_listeners, [{"127.0.0.1", 5672}, {"::1", 5672}]},
   {default_vhost, <<"/">>},
   {default_user, <<"user">>},
   {default_pass, <<"bitnami">>},
   {default_permissions, [<<".*">>, <<".*">>, <<".*">>]},
   {auth_mechanisms, ['PLAIN', 'AMQPLAIN', 'EXTERNAL']},
   {ssl_listeners, [5671]},
   {ssl_options, [{cacertfile, "/path/ca_certificate.pem"},
                  {certfile,   "/path/server_certificate.pem"},
                  {keyfile,    "/path/server_key.pem"},
                  {password,   "xxx"},
                  {verify,     verify_peer},
                  {fail_if_no_peer_cert, true}]},
   %% as posted: ssl_listeners is given a second time in this section
   {ssl_listeners, [5671]}
  ]
 },
 {kernel, []},
 {rabbitmq_management,
  [
   {listener, [{port, 15672}, {ip, "0.0.0.0"}]}
  ]
 },
 {rabbitmq_shovel,
  [
   {shovels, []}
  ]
 },
 {rabbitmq_stomp, []},
 {rabbitmq_mqtt, [{ssl_cert_login, true},
                  {vhost, <<"/">>},
                  {allow_anonymous, false},
                  {ssl_listeners, [8883]},
                  {tcp_listeners, [1883]}]},
 {rabbitmq_amqp1_0, []},
 {rabbitmq_auth_backend_ldap, []},
 %% as posted: a second rabbit section, separate from the one above
 {rabbit, [{vm_memory_high_watermark, 0.6}]}
].

My localhost log file shows this error.
TLS server: In state certify at ssl_handshake.erl:1624 generated SERVER ALERT: Fatal - Unknown CA

Then I tried to follow this troubleshooting tutorial [4]. OpenSSL s_client and s_server [5] work fine. But when I attempt a TLS connection to the broker [6] it gives the following error.

openssl s_client -connect localhost:5671 -cert client/cert.pem -key client/key.pem -CAfile testca/cacert.pem

[info] <0.6448.0> accepting AMQP connection <0.6448.0> (127.0.0.1:56196 -> 127.0.0.1:5671)
2018-10-02 07:05:56.161 [warning] <0.6448.0> closing AMQP connection <0.6448.0> (127.0.0.1:56196 -> 127.0.0.1:5671):
{handshake_timeout,handshake}

How should I fix this problem?

BR,
Melanka


Michael Klishin

Oct 2, 2018, 9:25:29 AM
to rabbitm...@googlegroups.com
The "Unknown CA" part is mentioned in [1], please search for "Unknown CA".

The "handshake_timeout" part is covered in [2] (see the final paragraph: openssl s_client will not perform the AMQP 0-9-1 or AMQP 1.0 handshake which RabbitMQ expects).


--
You received this message because you are subscribed to the Google Groups "rabbitmq-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to rabbitmq-user...@googlegroups.com.
To post to this group, send email to rabbitm...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.


--
MK

Staff Software Engineer, Pivotal/RabbitMQ

mela...@synergentl.com

Oct 3, 2018, 1:35:33 AM
to rabbitmq-users
Hello Michael,

Thank you for the reply.

1. Unknown CA

I am using the same ca_certificate for both client and server. I have no idea how it can be unknown to the node. The TLS client works successfully with s_server but not with a RabbitMQ node [1], which implies the problem is with the server.

2. handshake_timeout

I am using AMQP 0.9.1. Are you suggesting that s_client does not handshake with the RabbitMQ server if the AMQP version is 0-9-1 or 1.0?

BR,
Melanka

Michael Klishin

Oct 3, 2018, 12:46:49 PM
to rabbitm...@googlegroups.com
1. RabbitMQ does not implement TLS, Erlang/OTP does. What version is used? Have you tried a different one, e.g. 20.3.8 or 21.0.9? Are you extra sure that the CA bundle file is readable by the node? Can you post full server logs? Well over 90% of TLS issues end up being environment-specific, the rest is Erlang version-specific.

2. openssl s_client simply opens a TCP connection and performs TLS handshake. It does not send any [higher] application-level protocol data which messaging protocols use/expect.
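To make point 2 concrete, here is a small Python probe, added as an example and not code from this thread or from the RabbitMQ project. It does what openssl s_client stops short of: after the TLS handshake with a client certificate it sends the 8-byte AMQP 0-9-1 protocol header the broker waits for, then parses the Connection.Start frame the broker answers with. Without that header the broker sees nothing after the TLS handshake and closes with handshake_timeout, which is exactly the log line from the first post. The host, port and certificate paths are assumptions; `build_connection_start` produces a constructed sample frame so the parsing functions can be exercised without a broker, while `probe` needs a reachable AMQP TLS listener.

```python
"""Added example: complete the AMQP 0-9-1 step that openssl s_client skips.

Not part of the original thread. Assumes standard AMQP 0-9-1 framing
(type, channel, size, payload, frame-end 0xCE) and the RabbitMQ default
AMQP TLS port 5671. Host and certificate paths are placeholders.
"""
import socket
import ssl
import struct

AMQP_HEADER = b"AMQP" + bytes([0, 0, 9, 1])  # protocol header for AMQP 0-9-1
FRAME_METHOD = 1
FRAME_END = 0xCE
CLASS_CONNECTION = 10
METHOD_START = 10


def amqp_protocol_header() -> bytes:
    """First bytes a real client sends; s_client never sends them."""
    return AMQP_HEADER


def parse_frame(buf: bytes):
    """Split one frame into (type, channel, payload), checking the frame-end octet."""
    if len(buf) < 8:
        raise ValueError("short frame header")
    ftype, channel, size = struct.unpack(">BHI", buf[:7])
    end = 7 + size
    if len(buf) < end + 1:
        raise ValueError("truncated frame")
    if buf[end] != FRAME_END:
        raise ValueError("bad frame-end octet")
    return ftype, channel, buf[7:end]


def parse_connection_start(payload: bytes) -> dict:
    """Decode Connection.Start (class 10, method 10): version, mechanisms, locales."""
    class_id, method_id, major, minor = struct.unpack(">HHBB", payload[:6])
    if (class_id, method_id) != (CLASS_CONNECTION, METHOD_START):
        raise ValueError("not Connection.Start")
    pos = 6
    (table_len,) = struct.unpack(">I", payload[pos:pos + 4])
    pos += 4 + table_len  # skip the server-properties table
    (n,) = struct.unpack(">I", payload[pos:pos + 4])
    pos += 4
    mechanisms = payload[pos:pos + n].decode()
    pos += n
    (n,) = struct.unpack(">I", payload[pos:pos + 4])
    pos += 4
    locales = payload[pos:pos + n].decode()
    return {"version": (major, minor),
            "mechanisms": mechanisms.split(),
            "locales": locales.split()}


def build_connection_start(mechanisms=b"PLAIN AMQPLAIN EXTERNAL", locales=b"en_US") -> bytes:
    """Constructed sample frame (empty server-properties table) for offline testing."""
    def longstr(b: bytes) -> bytes:
        return struct.pack(">I", len(b)) + b
    payload = (struct.pack(">HHBB", CLASS_CONNECTION, METHOD_START, 0, 9)
               + struct.pack(">I", 0) + longstr(mechanisms) + longstr(locales))
    return struct.pack(">BHI", FRAME_METHOD, 0, len(payload)) + payload + bytes([FRAME_END])


def probe(host, port, cafile, certfile, keyfile, timeout=5.0) -> dict:
    """TLS handshake with a client cert, then the AMQP exchange s_client omits."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=cafile)
    ctx.load_cert_chain(certfile, keyfile)
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            tls.sendall(amqp_protocol_header())
            data = tls.recv(4096)
    if data.startswith(b"AMQP"):
        # a broker that rejects the header answers with its own header and closes
        raise RuntimeError("protocol version rejected: %r" % data[:8])
    _ftype, _channel, payload = parse_frame(data)
    return parse_connection_start(payload)


if __name__ == "__main__":
    # Placeholder host and paths; the broker must be reachable for this to work.
    print(probe("localhost", 5671, "/path/ca_certificate.pem",
                "/path/client_certificate.pem", "/path/client_key.pem"))
```

If the TLS layer itself fails (for example the Unknown CA alert from the first post), `wrap_socket` raises an `ssl.SSLError` before any AMQP bytes are sent, which separates certificate problems from the missing-protocol-header problem that produces handshake_timeout.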

mela...@synergentl.com

Oct 4, 2018, 12:52:26 AM
to rabbitmq-users
Hi,

RabbitMQ version is 3.7.3 and Erlang version is 20.1. Here is my server log.

2018-10-04 04:05:04.741 [info] <0.280.0> Starting rabbit_node_monitor
2018-10-04 04:05:04.788 [info] <0.246.0> Management plugin: using rates mode 'basic'
2018-10-04 04:05:04.789 [info] <0.306.0> Making sure data directory '/opt/bitnami/rabbitmq/var/lib/rabbitmq/mnesia/rabbitmq@localhost/msg_stores/vhosts/628WB79CIFDYO9LJI6DKMI09L' for vhost '/' exists
2018-10-04 04:05:04.798 [info] <0.306.0> Starting message stores for vhost '/'
2018-10-04 04:05:04.799 [info] <0.310.0> Message store "628WB79CIFDYO9LJI6DKMI09L/msg_store_transient": using rabbit_msg_store_ets_index to provide index
2018-10-04 04:05:04.801 [info] <0.306.0> Started message store of type transient for vhost '/'
2018-10-04 04:05:04.802 [info] <0.313.0> Message store "628WB79CIFDYO9LJI6DKMI09L/msg_store_persistent": using rabbit_msg_store_ets_index to provide index
2018-10-04 04:05:04.806 [info] <0.306.0> Started message store of type persistent for vhost '/'
2018-10-04 04:05:04.885 [info] <0.494.0> started TCP Listener on [::]:5672
2018-10-04 04:05:04.889 [info] <0.510.0> started SSL Listener on [::]:5671
2018-10-04 04:05:04.890 [info] <0.246.0> Setting up a table for connection tracking on this node: tracked_connection_on_node_rabbitmq@localhost
2018-10-04 04:05:04.890 [info] <0.246.0> Setting up a table for per-vhost connection counting on this node: tracked_connection_per_vhost_on_node_rabbitmq@localhost
2018-10-04 04:05:04.891 [info] <0.33.0> Application rabbit started on node rabbitmq@localhost
2018-10-04 04:05:04.892 [info] <0.33.0> Application amqp_client started on node rabbitmq@localhost
2018-10-04 04:05:04.893 [info] <0.523.0> MQTT retained message store: rabbit_mqtt_retained_msg_store_dets
2018-10-04 04:05:04.895 [info] <0.541.0> started MQTT TCP Listener on [::]:1883
2018-10-04 04:05:04.898 [info] <0.548.0> started MQTT SSL Listener on [::]:8883
2018-10-04 04:05:04.898 [info] <0.33.0> Application rabbitmq_mqtt started on node rabbitmq@localhost
2018-10-04 04:05:04.899 [info] <0.33.0> Application rabbitmq_auth_mechanism_ssl started on node rabbitmq@localhost
2018-10-04 04:05:04.903 [info] <0.33.0> Application rabbitmq_management_agent started on node rabbitmq@localhost
2018-10-04 04:05:04.904 [info] <0.33.0> Application cowlib started on node rabbitmq@localhost
2018-10-04 04:05:04.904 [info] <0.33.0> Application cowboy started on node rabbitmq@localhost
2018-10-04 04:05:04.904 [info] <0.33.0> Application rabbitmq_web_dispatch started on node rabbitmq@localhost
2018-10-04 04:05:04.954 [info] <0.606.0> Management plugin started. Port: 15672
2018-10-04 04:05:04.955 [info] <0.712.0> Statistics database started.
2018-10-04 04:05:04.956 [info] <0.33.0> Application rabbitmq_management started on node rabbitmq@localhost
2018-10-04 04:05:04.956 [notice] <0.86.0> Changed loghwm of /opt/bitnami/rabbitmq/var/log/rabbitmq/rabb...@localhost.log to 50
2018-10-04 04:05:05.192 [info] <0.5.0> Server startup complete; 5 plugins started.
 * rabbitmq_management
 * rabbitmq_web_dispatch
 * rabbitmq_management_agent
 * rabbitmq_auth_mechanism_ssl
 * rabbitmq_mqtt


Today I used mosquitto_pub.

mosquitto_pub -h xx.xx.xx.17 -d  -u xxx -P xxx --cafile /opt/bitnami/rabbitmq/tls/ca_certificate.pem --cert /opt/bitnami/rabbitmq/tls/client_certificate.pem --key /opt/bitnami/rabbitmq/tls/client_key.pem  -p 8883 -m "test" -t data
 
and it gave this output.
Client mosqpub/14569-rabbitmq- sending CONNECT
Error: A TLS error occurred.

On the server side there was this log.
2018-10-04 04:10:36.530 [info] <0.1734.0> TLS server: In state certify received CLIENT ALERT: Fatal - Internal Error

Meanwhile I will change the Erlang version and try again.

Michael Klishin

Oct 4, 2018, 11:40:41 AM
to rabbitm...@googlegroups.com
With 3.7.5 you can use any 20.x version, e.g. 20.3.8.
