Cannot connect to RabbitMq Broker using pkcs12 file

Question

I posted a previous question last week here.

On the machine I was using, I was able to get this up and running correctly. Now, doing the setup on another machine, I've gotten past everything, however, when connecting to the RabbitMq broker using a .NET client application, it fails on the pkcs12 file, saying it's badly formatted.

I've regenerated this file a few times now, making sure I was using the client and server .pem files, respectively, still to no avail.

In the troubleshooting link here all tests pass completely.

Environment:

Erlang 19.1

RabbitMq 3.6.6

Windows Server 2012 R2

My RabbitMq config file:

[
  {rabbit, [
     {ssl_listeners, [5671]},
     {ssl_options, [{cacertfile,"C:\\rabbitcerts\\testca\\cacert.pem"},
                    {certfile,"C:\\rabbitcerts\\server\\cert.pem"},
                    {keyfile,"C:\\rabbitcerts\\server\\key.pem"},
                    {depth, 2},
                    {verify,verify_peer},
                    {fail_if_no_peer_cert,false}]}
   ]}
].

Running this command:

openssl s_client -connect mitvs-atm01:5671 -tls1 -cert client/cert.pem -key client/key.pem -CAfile testca/cacert.pem

Results in success:

CONNECTED(00000130)
depth=1 CN = MyTestCA
verify return:1
depth=0 CN = mitvs-atm01, O = server
verify return:1
---
Certificate chain
 0 s:/CN=mitvs-atm01/O=server
   i:/CN=MyTestCA
 1 s:/CN=MyTestCA
   i:/CN=MyTestCA
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIC5DCCAcygAwIBAgIBATANBgkqhkiG9w0BAQsFADATMREwDwYDVQQDDAhNeVRl
c3RDQTAeFw0xNzAxMjUwMjIxMTZaFw0xODAxMjUwMjIxMTZaMCcxFDASBgNVBAMM
C21pdHZzLWF0bTAxMQ8wDQYDVQQKDAZzZXJ2ZXIwggEiMA0GCSqGSIb3DQEBAQUA
A4IBDwAwggEKAoIBAQC7bqHNpdY1OUstv1EU361/tvsCZigsBy9+xAAkzmEVbUrl
ISOdyvA+oC5oKx2e7otENEAZ6I7D6AqhUsWltqCD5cE8pFipE1VDYchPMSLYH+xT
dYbuGBrEbMw4FYsgpL9WGHFQKkeoNDyJR9McUSmtBi5uQcxmIt+RFs2O6qxwS8pG
32VFwZEncxD4SfPF05pGBaAtV0IHGcw+mRlqHBEwK2qFr1b2FQacCGyv+JFea6ok
TFjKYByZrQCT3l3mlbmZjt+qFNMg4BhA4TWx8zhO5XzG3tiV86G+x8RJUllisKkK
A+dcaMpZ7wr3sz8WrP++UtE1rjDzX6Va3kP6O2YdAgMBAAGjLzAtMAkGA1UdEwQC
MAAwCwYDVR0PBAQDAgUgMBMGA1UdJQQMMAoGCCsGAQUFBwMBMA0GCSqGSIb3DQEB
CwUAA4IBAQBlfQcXWrd+7f9DVx2BIyVcGHouWDFirwSU5IvvgIYyZFbivgosW9Wd
E7fueBUTkZihWG2KxXesVPIlaNy3851KV+r0/zZ+Frp7VX4FEcP900t+Bgy/w3fZ
9YHiZhGHQriA8YmQOkg/YweHU1GsT8APk3JbuqtyI+RRn5iltbDNGF2ch6me/w9E
0Jv0UJvQVuPqSr0mONCyM6JeDLAkaOHTkNEy++uEar/DWQB6D2hJGj7DxavcA/bL
GPbP0LDU3Vv6pn7i7WNHeye2E2Vq2WEAaacYjiluBpCEnvlCFZXX96jbmnzScJZ2
ZlIo27YDOfze6nuNQ1aqGT1wccIoVnhZ
-----END CERTIFICATE-----
subject=/CN=mitvs-atm01/O=server
issuer=/CN=MyTestCA
---
Acceptable client certificate CA names
/CN=MyTestCA
Client Certificate Types: RSA sign
---
SSL handshake has read 1672 bytes and written 2269 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES256-SHA
    Session-ID: BD57EFDA3213AA48076CDB95E4EB60A79224B604F3C491CD0BB3D15700A3AC50

    Session-ID-ctx:
    Master-Key: 08F6E2B22EC7EB1FCBAB99A730F6301732FA56CB83F4E9DB4546DC27591E271A
67C115510EBECFBFDA1BCFE47DF49627
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1485370174
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)

After successful connection, I created the keycert.p12 files in each the client and server directories based on the appropriate .pem files.

My client code:

_busControl = Bus.Factory.CreateUsingRabbitMq(x =>
{
    var host = x.Host(new Uri(_rabbitHost), h =>
    {
        h.Username(UserName);
        h.Password(Password);
        h.UseSsl(s =>
        {
            s.ServerName = SslHostName;
            s.CertificatePath = @"client\keycert.p12";
            s.CertificatePassphrase = SslPassphrase;
            s.Protocol = SslProtocols.Tls;
        });
    });

    x.ReceiveEndpoint(host, _imageExamEndpoint,
        e => { e.Consumer<UploadImageExamRequestConsumer>(); });

    x.ReceiveEndpoint(host, _worklistEndpoint,
        e => { e.Consumer<WorklistRequestConsumer>(); });
});

This works fine on the other machine, but on the new machine that we setup, we get the following error:

RabbitMQ.Client.Exceptions.BrokerUnreachableException: None of the specified endpoints were reachable ---> System.Security.Authentication.AuthenticationException: A call to SSPI failed, see inner exception. ---> System.ComponentModel.Win32Exception: The message received was unexpected or badly formatted
   --- End of inner exception stack trace ---
   at RabbitMQ.Client.EndpointResolverExtensions.SelectOne[T](IEndpointResolver resolver, Func`2 selector)
   at RabbitMQ.Client.ConnectionFactory.CreateConnection(IEndpointResolver endpointResolver, String clientProvidedName)
   --- End of inner exception stack trace ---
   at RabbitMQ.Client.ConnectionFactory.CreateConnection(IEndpointResolver endpointResolver, String clientProvidedName)
   at RabbitMQ.Client.ConnectionFactory.CreateConnection(IList`1 hostnames, String clientProvidedName)
   at MassTransit.RabbitMqTransport.Integration.RabbitMqConnectionCache.SendUsingNewConnection(IPipe`1 connectionPipe, ConnectionScope scope, CancellationToken cancellationToken)

Connect failed: admin@mitvs-atm01:5671/

Answer 1

Looking between my working version and my non-working version, the only thing that was different was my version of Erlang.

I upgraded my Windows Server 2012 R2 from Erlang 19.1 to Erlang 19.2 and it successfully started and listened securely.