RabbitMQ on Windows using TLS


4integ...@gmail.com

Jan 17, 2018, 4:49:11 AM
to rabbitmq-users
Hi,

Running RabbitMQ 3.7.0 and Erlang 20.1 on Windows 2016 Server.

I am not that experienced with TLS but would like to encrypt the communication between applications and RabbitMQ.

So looking at 
[
  {rabbit, [
     {ssl_listeners, [5671]},
     {ssl_options, [{cacertfile,"/path/to/testca/cacert.pem"},
                    {certfile,"/path/to/server/cert.pem"},
                    {keyfile,"/path/to/server/key.pem"},
                    {verify,verify_peer},
                    {fail_if_no_peer_cert,false}]}
   ]}
].

I have received the following:
  • CA root cert (PEM)
    • Should be configured as "cacertfile"
  • Wildcard cert (PEM) for the server e.g. *.thedomain.net
    • Is this to be used as "certfile" or do I need to generate a new and sign with CA?
    • How can I do that?
  • Keyfile
    • I don't have that - do I need to generate that?
    • How can I do that?

/ Joacim


Michael Klishin

Jan 17, 2018, 8:24:29 AM
to rabbitm...@googlegroups.com
We link to a few PKI/TLS primers in [1].

You need to have

* A CA certificate or bundle (2 or more certificates concatenated together): the "cacertfile"
* A certificate (public key) and private key pair for the server: the "certfile" and "keyfile", respectively

all in PEM format.

In addition, all client machines must have the CA certificate(s) or the server certificate placed
into a trusted certificate store. What that store is varies from OS to OS, distribution to distribution and even
runtime to runtime (e.g. the JVM has a completely custom one while most others rely on OS-specific directories).

If you have access to a Linux or Mac machine, I'd recommend using tls-gen [2]'s basic profile to generate
a set and take a look at them. Note that you can use those files in development on Windows as long
as you provide the correct Common Name (CN), which in practice means setting it to the hostname
of the server it will be used on.

For production use certificates should be generated by a known CA such as VeriSign.

It might be easier to use a Linux VM and tls-gen to set things up the first time, then once
you are happy with it move to Windows. It will also give you access to OpenSSL command line tools
mentioned in [4], whereas installing them on Windows is a hassle (likely will require msys2 or similar).

--
You received this message because you are subscribed to the Google Groups "rabbitmq-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to rabbitmq-users+unsubscribe@googlegroups.com.
To post to this group, send email to rabbitmq-users@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.



--
MK

Staff Software Engineer, Pivotal/RabbitMQ

Michael Klishin

Jan 17, 2018, 8:49:25 AM
to rabbitm...@googlegroups.com
This chapter covers CAs, certificate chains and verification in the context of HTTPS
but the concepts are not any different with any other tool that uses PKI and TLS, of course:

https://hpbn.co/transport-layer-security-tls/#chain-of-trust-and-certificate-authorities

--
MK

Staff Software Engineer, Pivotal/RabbitMQ

Luke Bakken

Jan 17, 2018, 9:39:24 AM
to rabbitmq-users
Hello -

I suggest using directories that do not contain space characters to make your life easier. Be sure to use forward-slashes in your path configurations.

CA root cert should be configured as cacertfile: {cacertfile,"C:/certs/cacert.pem"}

Wildcard cert should be configured as certfile: {certfile,"C:/certs/wildcard.pem"}

Your key file might be in the certfile
{keyfile,"C:/certs/wildcard.pem"}

Use the above configuration and see if it works.

You can use the openssl command or import the certificate into your personal store on Windows to examine its contents. The "TLS/SSL Troubleshooting" guide that Michael linked to has a comprehensive set of instructions for testing your TLS/SSL setup.


Thanks,
Luke
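As an added example that is not part of Michael's or Luke's replies (and is not tls-gen itself), here is the openssl command-line equivalent of what the two answers describe: a private CA, a CA-signed server certificate and its private key, all in PEM form, followed by the checks to run before pointing a broker at the files: that the key really belongs to the certificate, that the certificate chains to the CA file, and how the wildcard name from the original question matches (and fails to match) hostnames. The output directory, the CA name and `*.thedomain.net` are placeholders; it assumes openssl 1.1.1 or newer on PATH (`-verify_hostname` needs 1.0.2, `-ext` needs 1.1.1).

```shell
#!/usr/bin/env bash
# Added example (not code from the thread, tls-gen or RabbitMQ): produce and check the
# three PEM files that ssl_options refer to, using only the openssl command line.
# Assumptions: openssl 1.1.1 or newer on PATH; directory, CA name and the
# '*.thedomain.net' wildcard are placeholders.
set -eu

# gen_pki DIR NAME: a private CA plus a CA-signed server certificate and key whose
# CN and SAN are NAME (a hostname, or a wildcard such as '*.thedomain.net').
#   DIR/ca_certificate.pem     -> cacertfile (and what every client must trust)
#   DIR/server_certificate.pem -> certfile
#   DIR/server_key.pem         -> keyfile
# DIR/ca_key.pem is only needed to issue more certificates; never copy it to the broker.
gen_pki() {
  local dir="$1" name="$2"
  mkdir -p "$dir"
  # Self-contained req config so the result does not depend on the system openssl.cnf.
  cat > "$dir/req.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
x509_extensions = v3_ca
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
  # 1. CA key and self-signed CA certificate (CA:TRUE, keyCertSign).
  openssl req -x509 -config "$dir/req.cnf" -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -subj "/CN=Example RabbitMQ CA" \
    -keyout "$dir/ca_key.pem" -out "$dir/ca_certificate.pem" 2>/dev/null
  # 2. Server key and a signing request with NAME as the CN.
  openssl req -config "$dir/req.cnf" -newkey rsa:2048 -nodes -sha256 -subj "/CN=$name" \
    -keyout "$dir/server_key.pem" -out "$dir/server.csr" 2>/dev/null
  # 3. The CA signs the request. Clients match the hostname against the SAN, so
  #    NAME goes there as well; serverAuth limits the certificate to TLS servers.
  printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:%s\n' \
    "$name" > "$dir/server_ext.cnf"
  openssl x509 -req -in "$dir/server.csr" -CA "$dir/ca_certificate.pem" \
    -CAkey "$dir/ca_key.pem" -CAcreateserial -days 825 -sha256 \
    -extfile "$dir/server_ext.cnf" -out "$dir/server_certificate.pem" 2>/dev/null
  rm -f "$dir/server.csr" "$dir/server_ext.cnf" "$dir/req.cnf"
  chmod 600 "$dir/ca_key.pem" "$dir/server_key.pem"
}

# key_matches_cert CERT KEY: true only if KEY is the private key for CERT (the
# two carry the same public key). Run this when a certificate and a key arrive
# separately and it is unclear whether they belong together.
key_matches_cert() {
  local cert_pub key_pub
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey)
  key_pub=$(openssl pkey -in "$2" -pubout)
  [ "$cert_pub" = "$key_pub" ]
}

# chain_ok CAFILE CERT: CERT chains to CAFILE, i.e. a client that trusts CAFILE
# accepts the certificate (hostname not considered).
chain_ok() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# name_ok CAFILE CERT HOST: chain_ok plus hostname matching. A wildcard matches
# exactly one label: '*.thedomain.net' covers 'rabbit.thedomain.net' but
# neither 'thedomain.net' nor 'a.b.thedomain.net'.
name_ok() {
  openssl verify -CAfile "$1" -verify_hostname "$3" "$2" >/dev/null 2>&1
}

# Demo: ./pki.sh --demo builds a wildcard certificate like the one in the question.
if [ "${1:-}" = "--demo" ]; then
  d=$(mktemp -d)
  gen_pki "$d" '*.thedomain.net'
  key_matches_cert "$d/server_certificate.pem" "$d/server_key.pem" && echo "key/cert pair: OK"
  chain_ok "$d/ca_certificate.pem" "$d/server_certificate.pem" && echo "chain: OK"
  name_ok "$d/ca_certificate.pem" "$d/server_certificate.pem" rabbitmq-dev.thedomain.net \
    && echo "hostname rabbitmq-dev.thedomain.net: OK"
  openssl x509 -in "$d/server_certificate.pem" -noout -subject -issuer -ext subjectAltName
  echo "files in $d"
fi
```

Run it as `./pki.sh --demo`, then copy `ca_certificate.pem`, `server_certificate.pem` and `server_key.pem` to the broker (forward slashes in the config, as Luke notes) and distribute only `ca_certificate.pem` to clients. A wildcard certificate bought from a public CA comes with no private key because the key was generated by whoever submitted the CSR; if you were handed only the certificate, `key_matches_cert` against whatever key you can find is the quickest way to tell whether you have the right one.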

4integ...@gmail.com

Jan 30, 2018, 10:41:00 AM
to rabbitmq-users
Hi,

Sorry for being late here :) Thanks for your replies.

What I would like to have is to have TLS encrypted communication but authentication done via userid/password (similar to HTTPS and basic authentication).
Is that possible?

I have received certificates etc and configured the same on the RabbitMQ server with the following config:

#----------
listeners.tcp.default = 5672
listeners.ssl.default = 5671

ssl_options.cacertfile           = D:/RabbitMQ/cert/tacdisCAroot.pem
ssl_options.certfile             = D:/RabbitMQ/cert/startacdis.pem
ssl_options.keyfile              = D:/RabbitMQ/cert/startacdis.key
ssl_options.fail_if_no_peer_cert = false
#----------

When connecting a Java Client I get:
java.net.SocketTimeoutException: Read timed out
at java.net.SocketInputStream.socketRead0(Native Method)
at java.net.SocketInputStream.socketRead(SocketInputStream.java:116)
at java.net.SocketInputStream.read(SocketInputStream.java:171)
at java.net.SocketInputStream.read(SocketInputStream.java:141)
at sun.security.ssl.InputRecord.readFully(InputRecord.java:465)
at sun.security.ssl.InputRecord.read(InputRecord.java:503)
at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:973)
at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1375)
at sun.security.ssl.SSLSocketImpl.writeRecord(SSLSocketImpl.java:747)
at sun.security.ssl.AppOutputStream.write(AppOutputStream.java:123)
at java.io.BufferedOutputStream.flushBuffer(BufferedOutputStream.java:82)
at java.io.BufferedOutputStream.flush(BufferedOutputStream.java:140)
at java.io.DataOutputStream.flush(DataOutputStream.java:123)
at com.rabbitmq.client.impl.SocketFrameHandler.sendHeader(SocketFrameHandler.java:147)
at com.rabbitmq.client.impl.SocketFrameHandler.sendHeader(SocketFrameHandler.java:153)
at com.rabbitmq.client.impl.AMQConnection.start(AMQConnection.java:294)
at com.rabbitmq.client.impl.recovery.RecoveryAwareAMQConnectionFactory.newConnection(RecoveryAwareAMQConnectionFactory.java:63)
at com.rabbitmq.client.impl.recovery.AutorecoveringConnection.init(AutorecoveringConnection.java:99)
at com.rabbitmq.client.ConnectionFactory.newConnection(ConnectionFactory.java:918)
at com.rabbitmq.client.ConnectionFactory.newConnection(ConnectionFactory.java:877)
at com.rabbitmq.client.ConnectionFactory.newConnection(ConnectionFactory.java:835)
at com.rabbitmq.client.ConnectionFactory.newConnection(ConnectionFactory.java:987)
at com.domain.poc.rabbitmq.fnf.Sender_CRM.createConnection(Sender_CRM.java:159)
at com.domain.poc.rabbitmq.fnf.Sender_CRM.main(Sender_CRM.java:101)

The code snippet:

import com.rabbitmq.client.Channel;
import com.rabbitmq.client.Connection;
import com.rabbitmq.client.ConnectionFactory;

ConnectionFactory factory = new ConnectionFactory();
// credentials, host and the vhost "/" (URL-encoded as %2F) all come from the URI
factory.setUri("amqps://"+USER_NAME+":"+PASSWORD+"@"+HOST+":5671/%2F");//%2F
Connection connection = factory.newConnection();
Channel channel = connection.createChannel();

Any suggestion what is wrong?

/ Joacim

Luke Bakken

Jan 30, 2018, 10:50:15 AM
to rabbitmq-users
Hi Joacim,

Even though you are using an amqps:// URI, you must configure the client to use TLS/SSL and the correct certificates.

First, though, use this guide and the openssl command to ensure that you have RabbitMQ set up correctly:

http://www.rabbitmq.com/troubleshooting-ssl.html

Once you have confirmed that RabbitMQ TLS/SSL is working correctly via port 5671, you can proceed to set up your client code.

In your existing code, you should add this call:

factory.useSslProtocol();

It will enable TLS/SSL but will not do any certificate validation. To enable server certificate validation, configure the Java Client / JVM to use the certificates:

Thanks,
Luke


Michael Klishin

Jan 30, 2018, 10:51:56 AM
to rabbitm...@googlegroups.com
A client connection timed out, most likely because it is not actually configured to use TLS
but the server expects a TLS handshake/upgrade.

Please see server logs and use http://www.rabbitmq.com/troubleshooting-ssl.html.

I'd refrain from using URIs initially and set port and enable TLS explicitly, as demonstrated
in http://www.rabbitmq.com/ssl.html#connecting-without-validating.


4integ...@gmail.com

Mar 5, 2018, 7:30:57 AM
to rabbitmq-users
Hi,
After a lot of disturbing things I have been able to do some tests using http://www.rabbitmq.com/troubleshooting-ssl.html and it fails at
"Attempt TLS Connection to Broker"

1. RabbitMQ starts with SSL support and in logs:
2018-03-05 12:54:23.899 [info] <0.465.0> started SSL Listener on [::]:5671
2018-03-05 12:54:23.902 [info] <0.481.0> started SSL Listener on 0.0.0.0:5671

2. Checking (remotely) if the listener is alive (YES)
c:/> portqry -n rabbitmq-dev.domain -e 5671,5672 -p TCP

Querying target system called:

 rabbitmq-dev.domain

Attempting to resolve name to IP address...

Name resolved to 10.57.126.132

querying...

TCP port 5671 (unknown service): LISTENING

TCP port 5672 (unknown service): LISTENING

3. Testing openssl client connection. Nothing appears in logs
C:\OpenSSL-Win32\bin\openssl.exe  s_client -connect 127.0.0.1:5671 -cert clientCert\clientcert.pem -key clientCert\clientcert.key -CAfile ..\RabbitMQ\cert\tacdisCAroot.pem
CONNECTED(00000134)

4. After a while (< 5 min) the listener stops. Nothing appears in logs
portqry -n rabbitmq-dev.domain -e 5671,5672 -p TCP

Querying target system called:

 rabbitmq-dev.domain

Attempting to resolve name to IP address...

Name resolved to 10.57.126.132

querying...

TCP port 5671 (unknown service): NOT LISTENING

TCP port 5672 (unknown service): LISTENING


Any idea what could be wrong?

/ Joacim

Michael Klishin

Mar 5, 2018, 7:42:58 AM
to rabbitm...@googlegroups.com
Please use the tools and techniques covered in our docs. "portqry" is a 3rd party tool and we have no idea
what it really does to determine if a port is "listening".

I'd rather use telnet and openssl s_client which are widely used and well understood.

You can verify what ports are listened on using OS-specific tools that have nothing to do with TLS:
https://www.rabbitmq.com/troubleshooting-networking.html.



Luke Bakken

Mar 5, 2018, 10:10:53 AM
to rabbitmq-users
Joacim,

* What is the output if you run OpenSSL again after the listener stops?
* Have you tried running OpenSSL as a server (via s_server) using your certificates on the same Windows machine you run RabbitMQ? Instructions are in the troubleshooting-ssl document.
* Did you install both Erlang and RabbitMQ using an administrative account?

I just spent time enabling TLS/SSL support for the Pika test suite on Windows, so I know that it works. You can see build output here: https://ci.appveyor.com/project/gmr/pika

The configuration and certificates are here (https://github.com/pika/pika/tree/master/testdata) and you can use the certs there to test. The certs were generated by tls-gen's "basic" profile and the CN= is "localhost".

Another thing you can do is use Michael's tls-gen project to generate some known good certificates and test with those - https://github.com/michaelklishin/tls-gen/tree/master/basic

Thanks,
Luke

4integ...@gmail.com

Mar 6, 2018, 8:56:40 AM
to rabbitmq-users
@Luke and @Michael

"What is the output if you run OpenSSL again after the listener stops?"
Here it is :
C:\>C:\OpenSSL-Win32\bin\openssl.exe  s_client -connect rabbitmq-dev.domain:5671 -cert clientCert\clientcert.pem -key clientCert\clientcert.key -CAfile ..\RabbitMQ\cert\theCAroot.pem
12028:error:0200274D:system library:connect:reason(1869):crypto\bio\b_sock2.c:108:
12028:error:2008A067:BIO routines:BIO_connect:connect error:crypto\bio\b_sock2.c:109:
connect:errno=0

"Have you tried running OpenSSL as a server (via s_server) using your certificates on the same Windows machine you run RabbitMQ? Instructions are in the troubleshooting-ssl document."
Yes I have and it works as described - what is entered in either command window appears in the other

"Did you install both Erlang and RabbitMQ using an administrative account?"
I didn't do the installation myself but think it was - I will double check with the person who did it

When using telnet instead of portqry (while LISTENING)
[joacim@MYHOST ~]$ telnet rabbitmq-dev.domain 5672
Trying 10.57.126.132...
Connected to rabbitmq-dev.domain.
Escape character is '^]'.
12345
Connection closed by foreign host.

[joacim@MYHOST ~]$ telnet rabbitmq-dev.domain 5671
Trying 10.57.126.132...
Connected to rabbitmq-dev.domain.
Escape character is '^]'.
12345 <<== Hanging here

After the listener stops I again try to telnet I get:
[joacim@MYHOST ~]$ telnet rabbitmq-dev.domain 5671
Trying 10.57.126.132...
telnet: connect to address 10.57.126.132: Connection refused

I will also check the other information provided.

/ Joacim

Michael Klishin

Mar 6, 2018, 12:22:29 PM
to rabbitm...@googlegroups.com
A telnet connection to a TLS port is expected to hang: the server will wait for it to perform
a TLS upgrade, which telnet won't do.

"Connection refused" to port 5672 likely has nothing to do with TLS. Port 5672 can be configured
to use TLS but it is not a common configuration and it goes against extremely common practices.
So either the node isn't running at all, or it is a network connectivity issue in general,
for which we have a troubleshooting methodology to recommend: https://www.rabbitmq.com/troubleshooting-networking.html.


4integ...@gmail.com

Mar 7, 2018, 3:00:17 AM
to rabbitmq-users
@Michael

As you see I tested with telnet - first to 5672 (no TLS) since I know that is working fine. Testing to 5671 with TLS and when listener is active I get connected and hanging (what you say is correct behavior). When the SSL listener stops I also get connection refused (expected).

Does RabbitMQ support wildcard TLS certificates?

/ Joacim

Michael Klishin

Mar 8, 2018, 2:26:29 PM
to rabbitm...@googlegroups.com
It does. There isn't much special about wildcard certificates, actually.

Any issues with certificates should result in visible exceptions in the log.
