RabbitMQ External X.509 Authentication with python pika

James Ward

Nov 12, 2021, 11:11:54 PM
to rabbitmq-users
Hi all!

So far I have been able to SSL connect to RabbitMQ with pika with verify_peer enabled on my RabbitMQ backend (mTLS). So theoretically all things should be awesome when I try to connect with the ssl_auth plugin, right? Regrettably no.

When I try to connect with the rabbit_auth_mechanism_ssl using the CN it fails with a tricky exception I can't seem to find on the internet anywhere.

I have set up the CN as a passwordless user in RabbitMQ

Below is my config and pika code
_________________________________________________________________________________
These are the plugins I have enabled:

rabbitmq_auth_backend_ldap
rabbitmq_auth_mechanism_ssl
rabbitmq_management
_________________________________________________________________________________
Here is my config for rabbitmq conf:

auth_backends.1=external
auth_backends.2=ldap
auth_backends.3=internal

ssl_cert_login_from = common_name

listeners.tcp = none
listeners.ssl.default = 5671

log.file.level = debug
log.file = rabbit.log

ssl_options.cacertfile = /etc/rabbitmq/certs/cacert.pem
ssl_options.certfile = /etc/rabbitmq/certs/cert.crt
ssl_options.keyfile = /etc/rabbitmq/certs/key.key
ssl_options.verify = verify_peer
ssl_options.fail_if_no_peer_cert = true

##Some management plugin config##

##Some cluster config## 

I have LDAP set up in advanced.conf but I won't send that.
_________________________________________________________________________________

Here is the pika code in python3. The certs I'm using have both the server and client extensions in them, so I'm using the same certs to authenticate here:

import logging
import pika
import ssl
from pika.credentials import ExternalCredentials

if __name__ == '__main__':
  logging.basicConfig(level=logging.INFO)
  context = ssl.create_default_context(cafile="cacert")
  context.load_cert_chain("cert.crt", "key.key")
  context.verify_mode = ssl.CERT_REQUIRED
  ssl_options = pika.SSLOptions(context, "host_that_is_allowed_on_cert.com")
  conn_params = pika.ConnectionParameters(host="rabbit_mq_host_load_balancer_dns", credentials=ExternalCredentials(), port=5671, ssl_options=ssl_options)
  connection = pika.BlockingConnection(conn_params)
  channel = connection.channel()

_________________________________________________________________________________

Pika exception that I need help with. I'm not sure where to begin

ERROR:pika.adapters.blocking_connection:Connection workflow failed: AMQPConnectionWorkflowFailed: 3 exceptions in all; last exception - 
AMQPConnectorAMQPHandshakeError: AuthenticationError: Server and client could not negotiate use of the EXTERNAL authentication mechanism; first exception
 - AMQPConnectorAMQPHandshakeError: AuthenticationError: Server and client could not negotiate use of the EXTERNAL authentication mechanism

_________________________________________________________________________________

All I can see in the rabbit server logs is that the 'client unexpectedly closed the connection', it doesn't look like the 'log in' attempt starts.

<Date Time> [warning] <> closing AMQP connection <> (client_ip:port -> rabbit_node_ip:5671):client unexpectedly closed TCP connection

_________________________________________________________________________________

Any help with this would be humbly appreciated!

James

James Ward

Nov 14, 2021, 7:27:31 AM
to rabbitmq-users
Hi all.

auth_backends.1=external
auth_backends.2=ldap
auth_backends.3=internal

was just plain wrong. It's auth_mechanisms.1

Major Derp.

It's all working now.

Kind Regards,

James
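
An added example, not part of the original posts: a small check for the misconfiguration resolved in this thread, where EXTERNAL was listed as an auth backend instead of under auth_mechanisms, so the broker never offered it to pika. The function names and both sample configs are constructed for illustration; the corrected form assumes the value `EXTERNAL` and renumbered backends.

```python
# Constructed sample modelled on the rabbitmq.conf quoted in the first post.
BROKEN_CONF = """\
auth_backends.1=external
auth_backends.2=ldap
auth_backends.3=internal
ssl_cert_login_from = common_name
listeners.ssl.default = 5671
ssl_options.verify = verify_peer
ssl_options.fail_if_no_peer_cert = true
"""
# Assumed corrected form: EXTERNAL moved to auth_mechanisms, backends renumbered.
FIXED_CONF = BROKEN_CONF.replace(
    "auth_backends.1=external\nauth_backends.2=ldap\nauth_backends.3=internal",
    "auth_mechanisms.1 = EXTERNAL\nauth_backends.1 = ldap\nauth_backends.2 = internal")


def parse_conf(text):
    """Parse 'key = value' lines of a rabbitmq.conf, skipping '#' comment lines."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("#") or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        settings[key] = value
    return settings


def check_external_auth(text):
    """Return findings that would stop certificate (EXTERNAL) logins from working."""
    conf = parse_conf(text)
    findings = []
    mechanisms = {v.upper() for k, v in conf.items() if k.startswith("auth_mechanisms.")}
    if "EXTERNAL" not in mechanisms:
        findings.append("EXTERNAL is not listed under auth_mechanisms.N, "
                        "so the broker will not offer it to clients")
    for key, value in conf.items():
        if key.startswith("auth_backends.") and value.lower() == "external":
            findings.append(f"{key} = {value}: EXTERNAL is a SASL mechanism, "
                            "not an auth backend")
    # Without peer verification the certificate CN is not a trustworthy identity.
    if conf.get("ssl_options.verify") != "verify_peer":
        findings.append("ssl_options.verify is not verify_peer")
    if conf.get("ssl_options.fail_if_no_peer_cert") != "true":
        findings.append("ssl_options.fail_if_no_peer_cert is not true")
    return findings


if __name__ == "__main__":
    for finding in check_external_auth(BROKEN_CONF):
        print("FINDING:", finding)
```

Setting any auth_mechanisms.N key replaces the default list (PLAIN and AMQPLAIN), so password-based AMQP clients need those mechanisms listed explicitly as well.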