I've modified tls-gen's basic profile [1] locally to be as close as practically possible to the certificate in question:
and I cannot reproduce the issue after locally reverting bunny#578. Bunny successfully connects on Ruby 2.6.0 with OpenSSL
1.0.2q (from 20 Nov 2018) against a RabbitMQ using Erlang 21.3.2 with the same OpenSSL version (that said, Erlang only uses OpenSSL for crypto functions
and not e.g. TLS state machine implementation):
>> dir = "/path/totls-gen.git/basic/result/"; c = Bunny.new(log_level: "debug", hostname: "localhost", port: 5671, tls: true, tls_ca_certificates: ["#{dir}/ca_certificate.pem"]); c.start
D, [2019-04-08T13:40:12.211870 #82967] DEBUG -- #<Bunny::Session:0x7f871fa36468 guest@localhost:5671, vhost=/, addresses=[localhost:5671]>: Using CA certificates at /path/to/tls-gen.git/basic/result//ca_certificate.pem
D, [2019-04-08T13:40:12.211968 #82967] DEBUG -- #<Bunny::Session:0x7f871fa36468 guest@localhost:5671, vhost=/, addresses=[localhost:5671]>: Using 0 inline CA certificates
W, [2019-04-08T13:40:12.224178 #82967] WARN -- #<Bunny::Session:0x7f871fa36468 guest@localhost:5671, vhost=/, addresses=[localhost:5671]>: Using TLS but no client certificate is provided. If RabbitMQ is configured to require & verify peer
certificate, connection will be rejected. Learn more at
https://www.rabbitmq.com/ssl.htmlD, [2019-04-08T13:40:12.224244 #82967] DEBUG -- #<Bunny::Session:0x7f871fa36468 guest@localhost:5671, vhost=/, addresses=[localhost:5671]>: Will use peer verification mode 3
D, [2019-04-08T13:40:12.251443 #82967] DEBUG -- #<Bunny::Session:0x7f871fa36468 guest@localhost:5671, vhost=/, addresses=[localhost:5671]>: Peer's leaf certificate subject: /CN=warp10/O=server, subject alternative names: warp10, DNS:warp10.local, DNS:localhost, issuer: /CN=TLSGenSelfSignedtRootCA/L=$$$$, not valid after: 2029-04-05 09:28:02 UTC, X.509 usage extensions: CA:FALSE, Digital Signature, Key Encipherment, TLS Web Server Authentication, TLS Web Client Authentication, DNS:warp10, DNS:warp10.local, DNS:localhost, 1E:9B:15:FF:09:97:2F:5A:33:89:28:8B:12:CA:61:A0:56:1A:FA:FB, keyid:BB:C2:05:BD:BC:9B:BB:84:EB:C0:82:E1:D6:A1:7F:70:E3:8B:0D:1E
, .(Puppet Ruby/OpenSSL Internal Certificate
D, [2019-04-08T13:40:12.251773 #82967] DEBUG -- #<Bunny::Session:0x7f871fa36468 guest@localhost:5671, vhost=/, addresses=[localhost:5671]>: Peer's certificate chain entry subject: /CN=warp10/O=server, subject alternative names: warp10, DNS:warp10.local, DNS:localhost, issuer: /CN=TLSGenSelfSignedtRootCA/L=$$$$, not valid after: 2029-04-05 09:28:02 UTC, X.509 usage extensions: CA:FALSE, Digital Signature, Key Encipherment, TLS Web Server Authentication, TLS Web Client Authentication, DNS:warp10, DNS:warp10.local, DNS:localhost, 1E:9B:15:FF:09:97:2F:5A:33:89:28:8B:12:CA:61:A0:56:1A:FA:FB, keyid:BB:C2:05:BD:BC:9B:BB:84:EB:C0:82:E1:D6:A1:7F:70:E3:8B:0D:1E
, .(Puppet Ruby/OpenSSL Internal Certificate
D, [2019-04-08T13:40:12.252466 #82967] DEBUG -- #<Bunny::Session:0x7f871fa36468 guest@localhost:5671, vhost=/, addresses=[localhost:5671]>: Peer's certificate chain entry subject: /CN=TLSGenSelfSignedtRootCA/L=$$$$, subject alternative names: , issuer: /CN=TLSGenSelfSignedtRootCA/L=$$$$, not valid after: 2029-04-05 09:28:02 UTC, X.509 usage extensions: Certificate Sign, CRL Sign, BB:C2:05:BD:BC:9B:BB:84:EB:C0:82:E1:D6:A1:7F:70:E3:8B:0D:1E, keyid:BB:C2:05:BD:BC:9B:BB:84:EB:C0:82:E1:D6:A1:7F:70:E3:8B:0D:1E
, CA:TRUE
So unless someone has more steps to recommend or can provide a traffic capture that demonstrates the issue, this one will
have to remain a mystery worked around by bunny#578.