Cannot established ssl connection with rabbitmq

Question

I am trying to establish ssl connection with rabbitmq broker. I follow this page to help me and I find my bug, but I don't know who to resolve it. I am stuck at the test connection with the broker :

openssl s_client -connect localhost:5671 -cert client/cert.pem -key client/key.pem -CAfile testca/cacert.pem

CONNECTED(00000003)
write:errno=104
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 289 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol  : TLSv1.2
Cipher    : 0000
Session-ID: 
Session-ID-ctx: 
Master-Key: 
Key-Arg   : None
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1470206187
Timeout   : 300 (sec)
Verify return code: 0 (ok)
---

And I have no log but I need accepting AMQP connection.

#Rabbimq.conf
[
  {rabbit, [
     {ssl_listeners, [5671]},
     {ssl_options, [{cacertfile,".../testca/cacert.pem"},
                    {certfile,".../server/cert.pem"},
                    {keyfile,".../server/key.pem"},
                    {ciphers,  [{rsa,aes_256_cbc,sha256}]},
                    {verify,verify_peer},
                    {fail_if_no_peer_cert,false}]}
   ]}
].

The certificates that I use are validated, verified and created with the doc.

I think is this issue that does not allow me to perform a ssl connection.

Thanks

Edit: I created the certificates at /var/lib/rabbitmq with the user rabbitmq and like this permissions goes right and the server can access to the certs.

check if the rabbitmq group has the grants to the directories `".../testca"` and ,`".../server/` — Gabriele Santomaggio, Aug 03 '16 at 07:46
Please post the exact URL you are using to connect to the server, and post the output of `openssl s_client -connect : -tls1 -servername | openssl x509 -text -noout`. Do so by adding it to your question by clicking *Edit* (and don't post it as a comment). Otherwise, we can't reproduce it and there's not enough information to help troubleshoot it. — jww, Aug 03 '16 at 18:39
I'm *guessing*, and its purely a guess, that the certificate does ***not*** include `localhost` as a *Subject Alternate Name (SAN)*. If that's the case, then you need to edit `/etc/hosts` and add an entry that says `www.example.com` is `127.0.0.1`. Then, you can connect with `openssl s_client -connect www.example.com:5671 ...` and the hostnames will match. — jww, Aug 03 '16 at 18:42
Also see [How do you sign Certificate Signing Request with your Certification Authority](http://stackoverflow.com/a/21340898/608639) and [How to create a self-signed certificate with openssl?](http://stackoverflow.com/q/10175812/608639) It provides a lot of background information on X.509 server certificates, and where the various rules come from. — jww, Aug 03 '16 at 18:44
Thanks jww, I learn a lot on ssl. But the problem was stupid ... permission. — blQn, Aug 04 '16 at 12:23

score 1 · Answer 1 · answered Nov 03 '19 at 17:44

1

Everything worked for me after I replaced in rabbitmq.config

{certfile,".../server/cert.pem"},

to full file path.

{certfile,"/data/server/cert.pem"}

The rabbitmq says nothing when it can't find or can't read certificate file.

Check permissions for certificate files!

answered Nov 03 '19 at 17:44

ArkadiBernov

570
8
13

On my local docker rabbitmq configuration I've needed to change all cert/key files to 644 permissions. There was no information about that in logs. – graczun Feb 05 '21 at 14:31

Cannot established ssl connection with rabbitmq

1 Answers1