Unable to connect to rabbitmq server 3.7.4 using rabbit mq java client 5.1.2 - Connection refused

[Aniket Patil]

Hi, 

I am running into an issue and need some help. 

I am using Rabbit MQ 3.7.4 with Rabbit MQ java client 5.1.2. I started the rabbitmq-server.

1. Created user 

rabbitmqctl add_user 8ce7dae1-7f59-4a45-8e57-896316f541bf 7356382b49484e73546a4f454b34333753786c5071734f707441423467465177394f4279476e59796c7a593d

2. Set user Tags

rabbitmqctl  set_user_tags 8ce7dae1-7f59-4a45-8e57-896316f541bf administrator

3. Set user Permissions

rabbitmqctl  set_permissions, -p / 8ce7dae1-7f59-4a45-8e57-896316f541bf ".*" ".*" ".*"

4. Tested authenticating the  user

rabbitmqctl  authenticate_user 8ce7dae1-7f59-4a45-8e57-896316f541bf 7356382b49484e73546a4f454b34333753786c5071734f707441423467465177394f4279476e59796c7a593d

5. Tested the user permissions 

rabbitmqctl list_user_permissions 8ce7dae1-7f59-4a45-8e57-896316f541bf

6. trying to connect using the following code.

 public static void connectToRabbitMQ() {

    try {

        factory = new ConnectionFactory();

        factory.setHost("localhost");

        factory.setPort(27271);    ----> have set the port in rabbitmq.config file  --  listeners.ssl.default   = 27171

        factory.useSslProtocol();   --- > have set ssl options in rabbitmq.config file.

        factory.setUsername("8ce7dae1-7f59-4a45-8e57-896316f541bf");

        factory.setPassword("7356382b49484e73546a4f454b34333753786c5071734f707441423467465177394f4279476e59796c7a593d");

        connection = factory.newConnection();

        channel = connection.createChannel();

        channel.exchangeDeclare(EXCHANGE_NAME, "fanout");

        QUEUE_NAME = channel.queueDeclare().getQueue();

        channel.queueBind(QUEUE_NAME, EXCHANGE_NAME, "");

    } catch (Exception e) {

      e.printStackTrace();

    }

  }

  

I get the following exception while creating a new connection.

SLF4J: Failed to load class "org.slf4j.impl.StaticLoggerBinder".

SLF4J: Defaulting to no-operation (NOP) logger implementation

SLF4J: See http://www.slf4j.org/codes.html#StaticLoggerBinder for further details.

java.net.ConnectException: Connection refused: connect

at java.base/java.net.DualStackPlainSocketImpl.waitForConnect(Native Method)

at java.base/java.net.DualStackPlainSocketImpl.socketConnect(DualStackPlainSocketImpl.java:85)

at java.base/java.net.AbstractPlainSocketImpl.doConnect(AbstractPlainSocketImpl.java:400)

at java.base/java.net.AbstractPlainSocketImpl.connectToAddress(AbstractPlainSocketImpl.java:243)

at java.base/java.net.AbstractPlainSocketImpl.connect(AbstractPlainSocketImpl.java:225)

at java.base/java.net.PlainSocketImpl.connect(PlainSocketImpl.java:148)

at java.base/java.net.SocksSocketImpl.connect(SocksSocketImpl.java:402)

at java.base/java.net.Socket.connect(Socket.java:591)

at java.base/sun.security.ssl.SSLSocketImpl.connect(SSLSocketImpl.java:657)

at com.rabbitmq.client.impl.SocketFrameHandlerFactory.create(SocketFrameHandlerFactory.java:60)

at com.rabbitmq.client.impl.recovery.RecoveryAwareAMQConnectionFactory.newConnection(RecoveryAwareAMQConnectionFactory.java:62)

at com.rabbitmq.client.impl.recovery.AutorecoveringConnection.init(AutorecoveringConnection.java:99)

at com.rabbitmq.client.ConnectionFactory.newConnection(ConnectionFactory.java:948)

at com.rabbitmq.client.ConnectionFactory.newConnection(ConnectionFactory.java:907)

at com.rabbitmq.client.ConnectionFactory.newConnection(ConnectionFactory.java:865)

at com.rabbitmq.client.ConnectionFactory.newConnection(ConnectionFactory.java:1018)

at com.test.rabbit.RabbitMQTest.connectToRabbitMQ(RabbitMQTest.java:26)

at com.test.rabbit.RabbitMQTest.main(RabbitMQTest.java:38)   

Am I missing something here. Please suggest 

Thanks,
Aniket

[Arnaud Cogoluègnes]

Can you please post the Erlang version you're using, the server logs, and the server configuration as well?

You can also check on the management plugin which listeners are enabled and on which ports. Ensure also your configuration file has been taken into account (same thing, on the management plugin).

--
You received this message because you are subscribed to the Google Groups "rabbitmq-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to rabbitmq-users+unsubscribe@googlegroups.com.
To post to this group, send email to rabbitmq-users@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[Luke Bakken]

Hi Aniket,

In addition to the information Arnaud requested, we have a thorough TLS/SSL troubleshooting guide here: http://www.rabbitmq.com/troubleshooting-ssl.html

"Connection refused" means that the port to which your application is connecting (27171) is reachable but RabbitMQ is not listening there, or the port may be blocked by a firewall, or there may be a more obscure TCP error (unlikely).

Thanks!

[Michael Klishin]

 > java.net.ConnectException: Connection refused: connect

suggests it's a TCP connection issue, so the client has never gotten to the TLS handshake stage.

I'd recommend starting with https://www.rabbitmq.com/troubleshooting-networking.html and not the TLS guide.

Keep in mind that telnet connections to a TLS-enabled port will "hang" and be closed by the server in N seconds
since telnet will not perform a TLS upgrade expected by the server. Nonetheless telnet must be able to connect

as described in the guide.

--

You received this message because you are subscribed to the Google Groups "rabbitmq-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to rabbitmq-users+unsubscribe@googlegroups.com.
To post to this group, send email to rabbitmq-users@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

--

MK

Staff Software Engineer, Pivotal/RabbitMQ

[Aniket Patil]

Thank you for your response. 

1. My erlang version is 19.3 

2. Please find attached the configuration file and server logs.

3. I can see see my configuration file is taken into account in the management plugin. 

4. Also the rabbitmqctl status shows the following as listeners : 

     {listeners,

      [{clustering,25672,"::"},

      {amqp,5672,"::"},

      {amqp,5672,"0.0.0.0"},

      {'amqp/ssl',27171,"::"},

      {'amqp/ssl',27171,"0.0.0.0"},

      {https,15672,"::"},

      {https,15672,"0.0.0.0"}]},

5. Also I did try disabling the firewall and changing the ports but still see the same issue. 

Thanks,
Aniket

    

On Sunday, March 18, 2018 at 6:30:14 PM UTC-7, Aniket Patil wrote:

[Michael Klishin]

There are no inbound connections in the log, successful or not.

Please follow the process described in https://www.rabbitmq.com/troubleshooting-networking.html

to narrow the issue down. Members of this list cannot know why inbound TCP connections

do not succeed in your system but there are tools available that can gather all the information you need.

--

You received this message because you are subscribed to the Google Groups "rabbitmq-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to rabbitmq-users+unsubscribe@googlegroups.com.
To post to this group, send email to rabbitmq-users@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[Aniket Patil]

Thanks.   Are we looking for entries like this as a inbound connection. 

2018-03-19 10:52:32.573 [info] <0.1477.0> accepting AMQP connection <0.1477.0> (127.0.0.1:64073 -> 127.0.0.1:5672)

2018-03-19 10:52:32.633 [info] <0.1477.0> connection <0.1477.0> (127.0.0.1:64073 -> 127.0.0.1:5672): user '8ce7dae1-7f59-4a45-8e57-896316f541bf' authenticated and granted access to vhost '/'

I just tried a test and I can connection with using ssl.   Does that indicate a problem with the SSL certificates. Please advice. 

Thanks,

Aniket

On Sunday, March 18, 2018 at 6:30:14 PM UTC-7, Aniket Patil wrote:

[Aniket Patil]

Correction : typo

Thanks.   Are we looking for entries like this as a inbound connection. 

2018-03-19 10:52:32.573 [info] <0.1477.0> accepting AMQP connection <0.1477.0> (127.0.0.1:64073 -> 127.0.0.1:5672)

2018-03-19 10:52:32.633 [info] <0.1477.0> connection <0.1477.0> (127.0.0.1:64073 -> 127.0.0.1:5672): user '8ce7dae1-7f59-4a45-8e57-896316f541bf' authenticated and granted access to vhost '/'

I just tried a test and I can connection without using ssl.   Does that indicate a problem with the SSL certificates. Please advice. 

Thanks,

Aniket

On Sunday, March 18, 2018 at 6:30:14 PM UTC-7, Aniket Patil wrote:

[Michael Klishin]

Connection lifecycle events are documented in [1].

If connections to port 5672 without TLS succeed, this is a positive sign. TLS connections will use port 5671,

however, so the process of elimination has to be performed again for port 5671 before you move on to [2].

1. http://www.rabbitmq.com/networking.html
2. http://www.rabbitmq.com/troubleshooting-ssl.html

--

You received this message because you are subscribed to the Google Groups "rabbitmq-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to rabbitmq-users+unsubscribe@googlegroups.com.
To post to this group, send email to rabbitmq-users@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[Aniket Patil]

Hi,

I  did tried the troubleshooting steps. 

I am setting couple of options in rabbitmq-config  which would enable connection even if client connect with out any certificate.( I am using java client to connect in a similar way without passing a client certificate).

ssl_options.verify                               = verify_none

ssl_options.fail_if_no_peer_cert        = false

I am expecting the following command to work "openssl s_client -connect localhost:27171"   but it fails with following logs

 

2018-03-19 16:37:14.975 [info] <0.3465.0> accepting AMQP connection <0.3465.0> (127.0.0.1:54704 -> 127.0.0.1:27171)

2018-03-19 16:37:14.975 [warning] <0.3465.0> closing AMQP connection <0.3465.0> (127.0.0.1:54704 -> 127.0.0.1:27171):

{handshake_timeout,handshake}

Suspecting the amqp connection to be the issue.  I downloaded the perfect tool and did test the amqp connection "bin/runjava com.rabbitmq.perf.PerfTest -h amqps://localhost:27171 ".  However this test succeeds and works fine. 

C:\Users\anik7857\Desktop\tools\rabbitmq\bin>runjava com.rabbitmq.perf.PerfTest -h amqps://localhost:27171

16:41:21.422 [main] WARN com.rabbitmq.client.TrustEverythingTrustManager - This trust manager trusts every certificate, effectively disabling peer verification. This is convenient for local development but prone to man-in-the-middle attacks. Please see http://www.rabbitmq.com/ssl.html#validating-cerficates to learn more about peer certificate validation.

id: test-164121-191, starting consumer #0

id: test-164121-191, starting consumer #0, channel #0

id: test-164121-191, starting producer #0

id: test-164121-191, starting producer #0, channel #0

id: test-164121-191, time: 1.002s, sent: 9905 msg/s, received: 2166 msg/s, min/median/75th/95th/99th latency: 17999/138437/186465/242923 µs

id: test-164121-191, time: 2.002s, sent: 12225 msg/s, received: 12013 msg/s, min/median/75th/95th/99th latency: 368761/640514/848225/874926 µs

id: test-164121-191, time: 3.003s, sent: 12212 msg/s, received: 14373 msg/s, min/median/75th/95th/99th latency: 319446/561493/638350/721989 µs

id: test-164121-191, time: 4.003s, sent: 20375 msg/s, received: 18324 msg/s, min/median/75th/95th/99th latency: 286900/418532/452727/496176 µs

I am not sure if my following configuration is correct which should ideally allow to connect to RabbitMQ server over SSL without validating the server certificate, and without presenting any client certificate.

ssl_options.verify                               = verify_none

ssl_options.fail_if_no_peer_cert        = false

Please advise. Appreciate all the help.

Thanks,

Aniket

On Sunday, March 18, 2018 at 6:30:14 PM UTC-7, Aniket Patil wrote:

[Luke Bakken]

Hi Aniket,

 

I am expecting the following command to work "openssl s_client -connect localhost:27171"   but it fails with following logs

 

2018-03-19 16:37:14.975 [info] <0.3465.0> accepting AMQP connection <0.3465.0> (127.0.0.1:54704 -> 127.0.0.1:27171)

2018-03-19 16:37:14.975 [warning] <0.3465.0> closing AMQP connection <0.3465.0> (127.0.0.1:54704 -> 127.0.0.1:27171):

{handshake_timeout,handshake}

You are seeing expected behavior. openssl s_client has successfully negotiated a TLS connection, but it doesn't know how to do an AMQP handshake, so RabbitMQ closes the connection.

 

I downloaded the perfect tool and did test the amqp connection "bin/runjava com.rabbitmq.perf.PerfTest -h amqps://localhost:27171 ".  However this test succeeds and works fine. 

Great, this result plus the result you see with openssl s_client means that you have TLS configured correctly in RabbitMQ.

 

I am not sure if my following configuration is correct which should ideally allow to connect to RabbitMQ server over SSL without validating the server certificate, and without presenting any client certificate.

ssl_options.verify                               = verify_none

ssl_options.fail_if_no_peer_cert        = false

These two settings configure how the RabbitMQ server deals with certificates that a client application presents. They do not have anything to do with how clients verify a server certificate. Using the settings you list above means that RabbitMQ will neither require a client certificate nor, if one is presented, verify it.

You do want to configure your Java application to verify the server certificate presented by RabbitMQ, in my opinion. Please read this link and the document to which it links: https://www.rabbitmq.com/api-guide.html#tls

Thanks,

Luke

[Aniket Patil]

Thanks Luke. Appreciate the inputs. 

Looks like the  TLS configured correctly in RabbitMQ.  

With the following configuration in rabbitmq-conf

ssl_options.verify                               = verify_none

ssl_options.fail_if_no_peer_cert        = false

I am not sure why the following connection code does not work. This is java client which does not provide any certificates. ( I am using example from https://www.rabbitmq.com/ssl.html#trust-levels )  which should work ideally with above configurations.

  public static void connectToRabbitMQ() {

    try {

        factory = new ConnectionFactory();

        factory.setHost("localhost");

        factory.setPort(27271);

        factory.useSslProtocol();

        connection = factory.newConnection();

        channel = connection.createChannel();

        channel.exchangeDeclare(EXCHANGE_NAME, "fanout");

        QUEUE_NAME = channel.queueDeclare().getQueue();

        channel.queueBind(QUEUE_NAME, EXCHANGE_NAME, "");

    } catch (Exception e) {

      e.printStackTrace();

    }

  }

 and fails with java.net.ConnectException: Connection refused: connect 

Thanks,
Aniket

On Sunday, March 18, 2018 at 6:30:14 PM UTC-7, Aniket Patil wrote:

[Luke Bakken]

Hi Aniket,

I just noticed that your code is using port 27271, but the configuration and openssl commands you've mentioned use port 27171

Thanks for using RabbitMQ!

Luke

[Aniket Patil]

Thanks Luke. I updated my test code to use port 27171 but still see the same issue.

Thanks,
Aniket

On Sunday, March 18, 2018 at 6:30:14 PM UTC-7, Aniket Patil wrote:

[Aniket Patil]

Also I see the same issue if i use the default port for SSL ie 5671. 

Thanks,

Aniket

On Sunday, March 18, 2018 at 6:30:14 PM UTC-7, Aniket Patil wrote:

[Michael Klishin]

On 20 March 2018 at 02:47:07, Aniket Patil (app...@asu.edu) wrote:
> 2018-03-19 16:37:14.975 [warning] <0.3465.0> closing AMQP
> connection <0.3465.0> (127.0.0.1:54704 -> 127.0.0.1:27171):
> {handshake_timeout,handshake}

Very likely means that the server was instructed to use TLS but the client wasn't, therefore it never performed a TLS upgrade the server expected
and connection (AMQP 0-9-1 handshake) was never completed.

[Michael Klishin]

Aniket,

What port does your node actually use for TLS and why? If the goal is to change the port to a non-default one, consider first getting
things to work with the default port (5671) and only then changing the port.

You are not posting your entire config file. E.g. we cannot know what port (or multiple ports) the node
is configured to use. http://www.rabbitmq.com/configure.html#verify-configuration-effective-configuration explains
how to verify effective configuration.

Both the handshake timeout message and the port mismatch spotted by Luke suggest to me this may be a basic
configuration mismatch issue. Using default ports would a good first step to narrowing the issue down further.

> --
> You received this message because you are subscribed to the Google Groups "rabbitmq-users"
> group.

> To unsubscribe from this group and stop receiving emails from it, send an email to rabbitmq-user...@googlegroups.com.
> To post to this group, send an email to rabbitm...@googlegroups.com.

> For more options, visit https://groups.google.com/d/optout.
>

[Aniket Patil]

Thanks Micheal . Appreciate the inputs. 

Following is my entire config file. 

listeners.ssl.default                              = 27171

ssl_options.verify                                 = verify_none

ssl_options.fail_if_no_peer_cert          = false

ssl_options.cacertfile                            = C:/Users/anik7857/Desktop/rabbitmq/ssl/cacert.pem

ssl_options.certfile                                = C:/Users/anik7857/Desktop/rabbitmq/ssl/cert.pem

ssl_options.keyfile                                 = C:/Users/anik7857/Desktop/rabbitmq/ssl/key.pem

management.listener.port                      = 15672

management.listener.ip                          = 127.0.0.1

management.listener.ssl                 = true

management.listener.ssl_opts.cacertfile = C:/Users/anik7857/Desktop/rabbitmq/ssl/cacert.pem

management.listener.ssl_opts.certfile     = C:/Users/anik7857/Desktop/rabbitmq/ssl/cert.pem

management.listener.ssl_opts.keyfile      = C:/Users/anik7857/Desktop/rabbitmq/ssl/key.pem

On Sunday, March 18, 2018 at 6:30:14 PM UTC-7, Aniket Patil wrote:

[Michael Klishin]

Note that I linked to a doc guide section that explains how to inspect *effective* configuration.

In other words, have you verified that the config file was actually loaded? That's the 2nd step

in https://www.rabbitmq.com/troubleshooting-networking.html.

Consider making things work with port 5671 first, then change the port.

--

You received this message because you are subscribed to the Google Groups "rabbitmq-users" group.

To unsubscribe from this group and stop receiving emails from it, send an email to rabbitmq-users+unsubscribe@googlegroups.com.
To post to this group, send email to rabbitmq-users@googlegroups.com.

For more options, visit https://groups.google.com/d/optout.

[Aniket Patil]

Thanks all for the inputs. I am exactly sure of the problem but i restarted the system and this seem to work.

I also tried out the other VM machine and it works. Thanks for all the help. 

Appreciate it. 

On Sunday, March 18, 2018 at 6:30:14 PM UTC-7, Aniket Patil wrote: