Hi all!
So far I have been able to SSL connect to RabbitMQ with pika with verify_peer enabled on my RabbitMQ backend (mTLS). So theoretically all things should be awesome when I try to connect with the ssl_auth plugin, right? Regrettably no.
When I try to connect with rabbit_auth_mechanism_ssl using the CN, it fails with a tricky exception I can't seem to find on the internet anywhere.
I have set up the CN as a passwordless user in RabbitMQ.
Below are my config and pika code.
_________________________________________________________________________________
These are the plugins I have enabled:
rabbitmq_auth_backend_ldap
rabbitmq_auth_mechanism_ssl
rabbitmq_management
_________________________________________________________________________________
Here is my config for rabbitmq conf:
auth_backends.1=external
auth_backends.2=ldap
auth_backends.3=internal
ssl_cert_login_from = common_name
listeners.tcp = none
listeners.ssl.default = 5671
log.file.level = debug
log.file = rabbit.log
ssl_options.cacertfile = /etc/rabbitmq/certs/cacert.pem
ssl_options.certfile = /etc/rabbitmq/certs/cert.crt
ssl_options.keyfile = /etc/rabbitmq/certs/key.key
ssl_options.verify = verify_peer
ssl_options.fail_if_no_peer_cert = true
##Some management plugin config##
##Some cluster config##
I have LDAP set up in advanced.conf but I won't send that.
_________________________________________________________________________________
Here is the pika code in Python 3. The certs I'm using have both the server and client extensions in them, so I'm using the same certs to authenticate here:
import logging
import pika
import ssl
from pika.credentials import ExternalCredentials

if __name__ == '__main__':
    logging.basicConfig(level=logging.INFO)
    # Trust the broker's CA and present the client cert/key for mTLS
    context = ssl.create_default_context(cafile="cacert")
    context.load_cert_chain("cert.crt", "key.key")
    context.verify_mode = ssl.CERT_REQUIRED
    # pika takes the context wrapped in SSLOptions; ssl_options has to be
    # defined before it is passed to ConnectionParameters
    ssl_options = pika.SSLOptions(context)
    conn_params = pika.ConnectionParameters(host="rabbit_mq_host_load_balancer_dns",
                                            credentials=ExternalCredentials(),
                                            port=5671,
                                            ssl_options=ssl_options)
    connection = pika.BlockingConnection(conn_params)
    channel = connection.channel()
_________________________________________________________________________________
Pika exception that I need help with. I'm not sure where to begin:
ERROR:pika.adapters.blocking_connection:Connection workflow failed: AMQPConnectionWorkflowFailed: 3 exceptions in all; last exception -
AMQPConnectorAMQPHandshakeError: AuthenticationError: Server and client could not negotiate use of the EXTERNAL authentication mechanism; first exception
- AMQPConnectorAMQPHandshakeError: AuthenticationError: Server and client could not negotiate use of the EXTERNAL authentication mechanism
_________________________________________________________________________________
All I can see in the rabbit server logs is that the 'client unexpectedly closed the connection'; it doesn't look like the login attempt starts.
<Date Time> [warning] <> closing AMQP connection <> (client_ip:port -> rabbit_node_ip:5671):client unexpectedly closed TCP connection
_________________________________________________________________________________
Any help with this would be humbly appreciated!
James
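An added diagnostic, not from the original post or from the pika or RabbitMQ projects: pika raises "Server and client could not negotiate use of the EXTERNAL authentication mechanism" from ExternalCredentials.response_for when the mechanisms string in the broker's Connection.Start frame does not contain EXTERNAL, and it then closes the TCP connection without ever sending Connection.StartOk, which is why the broker logs only "client unexpectedly closed TCP connection" and no login attempt. RabbitMQ advertises EXTERNAL only when rabbitmq.conf lists it (auth_mechanisms.1 = PLAIN, auth_mechanisms.2 = AMQPLAIN, auth_mechanisms.3 = EXTERNAL); enabling rabbitmq_auth_mechanism_ssl registers the mechanism but does not add it to the default list. The script below opens the same mTLS session the post's pika code would, sends the AMQP 0-9-1 protocol header, and parses the first frame to show exactly which mechanisms the broker offers. build_start_frame produces constructed frames for offline checking and is not a broker capture; the command-line arguments in the __main__ block (host, port, CA file, cert, key) are assumptions.

```python
import socket
import ssl
import struct

# AMQP 0-9-1 constants from the protocol specification
PROTOCOL_HEADER = b"AMQP\x00\x00\x09\x01"
FRAME_METHOD = 1
FRAME_END = 0xCE
CLASS_CONNECTION = 10
METHOD_START = 10


def parse_start_mechanisms(frame):
    """Return the SASL mechanisms advertised in a Connection.Start frame.

    Frame layout: type(1) channel(2) size(4) payload(size) frame-end(1).
    Connection.Start payload: class-id(2) method-id(2) version-major(1)
    version-minor(1) server-properties(table) mechanisms(longstr) locales(longstr).
    """
    if frame[:4] == b"AMQP":
        # The broker rejected our protocol header and answered with its own version
        raise ValueError("broker rejected protocol header: %r" % frame[:8])
    if len(frame) < 8:
        raise ValueError("frame too short")
    ftype, channel, size = struct.unpack_from("!BHI", frame, 0)
    if ftype != FRAME_METHOD or channel != 0:
        raise ValueError("expected a method frame on channel 0")
    if len(frame) < 8 + size or frame[7 + size] != FRAME_END:
        raise ValueError("truncated frame or missing frame-end octet")
    payload = frame[7:7 + size]
    class_id, method_id, _vmaj, _vmin = struct.unpack_from("!HHBB", payload, 0)
    if (class_id, method_id) != (CLASS_CONNECTION, METHOD_START):
        raise ValueError("not Connection.Start: class %d method %d" % (class_id, method_id))
    off = 6
    (table_len,) = struct.unpack_from("!I", payload, off)
    off += 4 + table_len                      # skip the server-properties table
    (mech_len,) = struct.unpack_from("!I", payload, off)
    off += 4
    return payload[off:off + mech_len].decode("ascii").split()


def external_offered(frame):
    """True when the broker lists EXTERNAL, which pika's ExternalCredentials requires."""
    return "EXTERNAL" in parse_start_mechanisms(frame)


def build_start_frame(mechanisms, server_properties=b""):
    """Build a Connection.Start frame. Constructed test data, not a broker capture."""
    mech = " ".join(mechanisms).encode("ascii")
    locales = b"en_US"
    payload = struct.pack("!HHBB", CLASS_CONNECTION, METHOD_START, 0, 9)
    payload += struct.pack("!I", len(server_properties)) + server_properties
    payload += struct.pack("!I", len(mech)) + mech
    payload += struct.pack("!I", len(locales)) + locales
    return struct.pack("!BHI", FRAME_METHOD, 0, len(payload)) + payload + bytes([FRAME_END])


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed after %d bytes" % len(buf))
        buf += chunk
    return buf


def fetch_start_frame(host, port, context):
    """Open a TLS session, send the protocol header and return the broker's first frame.

    Closing here without sending Connection.StartOk makes RabbitMQ log
    'client unexpectedly closed TCP connection', the same line quoted in the post.
    """
    with socket.create_connection((host, port), timeout=10) as raw:
        with context.wrap_socket(raw, server_hostname=host) as tls:
            tls.sendall(PROTOCOL_HEADER)
            head = _recv_exact(tls, 7)
            if head[:4] == b"AMQP":
                return head + _recv_exact(tls, 1)   # 8-byte protocol-header rejection
            (size,) = struct.unpack_from("!I", head, 3)
            return head + _recv_exact(tls, size + 1)


def mtls_context(cafile, certfile, keyfile):
    """Client context: verify the broker against the CA and present the client cert.

    create_default_context already sets verify_mode to CERT_REQUIRED.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.load_cert_chain(certfile, keyfile)
    return ctx


if __name__ == "__main__":
    import sys
    # Assumed argument order: host port cafile certfile keyfile
    host, port, cafile, certfile, keyfile = sys.argv[1:6]
    mechs = parse_start_mechanisms(
        fetch_start_frame(host, int(port), mtls_context(cafile, certfile, keyfile)))
    print("broker offers:", " ".join(mechs))
    print("EXTERNAL offered:", "EXTERNAL" in mechs)
```

Run it against the load balancer with the same cacert, cert and key the pika code loads. If EXTERNAL is absent from the output, the fix is on the broker side (the auth_mechanisms list in rabbitmq.conf), not in the client. If it is present and login still fails, the broker will then log an actual authentication attempt, and the next thing to check is that the certificate's CN matches the passwordless user, since ssl_cert_login_from = common_name is what maps the certificate to a username.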