Unable to establish a SSL connection #435

Closed
bentcoder opened this issue Aug 25, 2020 · 1 comment
Labels
question Usability question, not directly related to an error with the image

Comments

@bentcoder

Hi,

I cannot establish a connection to RabbitMQ server with the configuration below. I wonder if this is to do with some kind of bug or am I doing something wrong. Not even sure if it is more relevant to https://github.com/openssl/openssl

Thanks for the help

docker-compose.yaml

version: "3.4"
services:
  rabbit:
    image: "rabbitmq:3.8.3-management"
    ports:
      - "5671:5671"
      - "5672:5672"
      - "15671:15671"
      - "15672:15672"
    environment:
      RABBITMQ_DEFAULT_VHOST: "sport"
      RABBITMQ_DEFAULT_USER: "user"
      RABBITMQ_DEFAULT_PASS: "pass"
      RABBITMQ_SSL_CACERTFILE: "/cert/ca.crt"
      RABBITMQ_SSL_CERTFILE: "/cert/server.crt"
      RABBITMQ_SSL_KEYFILE: "/cert/server.key"
    volumes:
      - "./cert:/cert"
$ docker-compose ps
     Name                    Command               State                          Ports
-----------------------------------------------------------------------------------------------------------
rabbit_rabbit_1   docker-entrypoint.sh rabbi ...   Up      0.0.0.0:15671->15671/tcp, 0.0.0.0:15672->15672/tcp, 25672/tcp, 4369/tcp, 0.0.0.0:5671->5671/tcp, 0.0.0.0:5672->5672/tcp

This is how I generate my own SSL files

$ /usr/local/opt/openssl/bin/openssl version -a
OpenSSL 1.1.1f  31 Mar 2020
built on: Mon Apr  6 15:55:37 2020 UTC
platform: darwin64-x86_64-cc

$ /usr/local/opt/openssl/bin/openssl genrsa -out cert/ca.key 4096
$ /usr/local/opt/openssl/bin/openssl req -new -x509 -days 365 -key cert/ca.key -out cert/ca.crt
$ /usr/local/opt/openssl/bin/openssl genrsa -out cert/server.key 1024
$ /usr/local/opt/openssl/bin/openssl req -new -key cert/server.key -out cert/server.csr
$ /usr/local/opt/openssl/bin/openssl x509 -req -days 365 -in cert/server.csr -CA cert/ca.crt -CAkey cert/ca.key -set_serial 01 -out cert/server.crt

Run (trimmed a bit)

rabbit_rabbit_1 |  Starting RabbitMQ 3.8.3 on Erlang 22.3.4.1
rabbit_rabbit_1 |  Copyright (c) 2007-2020 Pivotal Software, Inc.
rabbit_rabbit_1 |  Licensed under the MPL 1.1. Website: https://rabbitmq.com
rabbit_rabbit_1 | 
rabbit_rabbit_1 |   ##  ##      RabbitMQ 3.8.3
rabbit_rabbit_1 |   Config file(s): /etc/rabbitmq/rabbitmq.conf
rabbit_rabbit_1 | 
rabbit_rabbit_1 |   Starting broker...2020-08-25 23:05:20.527 [info] <0.285.0> 
rabbit_rabbit_1 |  node           : rabbit@285574d677e6
rabbit_rabbit_1 |  home dir       : /var/lib/rabbitmq
rabbit_rabbit_1 |  config file(s) : /etc/rabbitmq/rabbitmq.conf
rabbit_rabbit_1 |  cookie hash    : oQWHZpih1rT5bgZq+3NiyQ==
rabbit_rabbit_1 |  log(s)         : <stdout>
rabbit_rabbit_1 |  database dir   : /var/lib/rabbitmq/mnesia/rabbit@285574d677e6
rabbit_rabbit_1 | 2020-08-25 23:05:21.441 [info] <0.625.0> started TCP listener on [::]:5672
rabbit_rabbit_1 | 2020-08-25 23:05:21.444 [info] <0.641.0> started TLS (SSL) listener on [::]:5671
rabbit_rabbit_1 | 2020-08-25 23:05:21.445 [info] <0.285.0> Running boot step cluster_name defined by app rabbit
rabbit_rabbit_1 | 2020-08-25 23:05:21.500 [info] <0.694.0> Management plugin: HTTPS listener started on port 15671
rabbit_rabbit_1 | 2020-08-25 23:05:21.746 [info] <0.9.0> Server startup complete; 3 plugins started.
rabbit_rabbit_1 |  * rabbitmq_management
rabbit_rabbit_1 |  * rabbitmq_management_agent
rabbit_rabbit_1 |  * rabbitmq_web_dispatch
rabbit_rabbit_1 |  completed with 3 plugins.

CONNECTION ERRORS

$ /usr/local/opt/openssl/bin/openssl s_client -connect localhost:5671 -cert cert/server.crt -key cert/server.key -CAfile cert/ca.crt

CONNECTED(00000005)
Can't use SSL_get_servername
depth=0 C = UK, ST = England, L = London, O = MyOrg, OU = IT, CN = localhost, emailAddress = i@i.com
verify error:num=18:self signed certificate
verify return:1
depth=0 C = UK, ST = England, L = London, O = MyOrg, OU = IT, CN = localhost, emailAddress = i@i.com
verify return:1
140736131359680:error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate:ssl/record/rec_layer_s3.c:1544:SSL alert number 42
---
Certificate chain
 0 s:C = UK, ST = England, L = London, O = MyOrg, OU = IT, CN = localhost, emailAddress = i@i.com
   i:C = UK, ST = England, L = London, O = MyOrg, OU = IT, CN = localhost, emailAddress = i@i.com
---
Server certificate
-----BEGIN CERTIFICATE-----
MIID4jCCAcoCAQEwDQYJKoZIhvcNAQELBQAweTELMAkGA1UEBhMCVUsxEDAOBgNV
........... TRIMMED ......
tZyNPGiWLXy1Rnk7UqLaKwv8PdmdGnsC+D5wlXTO6kzejbcdeP7Vw/YVGM7eiEMU
CA2xhmjtd6oDi4okWDAXflJZjD1iX1XbXq635t2q6aETnk+fSKc=
-----END CERTIFICATE-----
subject=C = UK, ST = England, L = London, O = MyOrg, OU = IT, CN = localhost, emailAddress = i@i.com

issuer=C = UK, ST = England, L = London, O = MyOrg, OU = IT, CN = localhost, emailAddress = i@i.com

---
Acceptable client certificate CA names
C = UK, ST = England, L = London, O = MyOrg, OU = IT, CN = localhost, emailAddress = i@i.com
Client Certificate Types: ECDSA sign, RSA sign, DSA sign
Requested Signature Algorithms: ECDSA+SHA512:RSA+SHA512:ECDSA+SHA384:RSA+SHA384:ECDSA+SHA256:RSA+SHA256:ECDSA+SHA224:RSA+SHA224:ECDSA+SHA1:RSA+SHA1:DSA+SHA1
Shared Requested Signature Algorithms: ECDSA+SHA512:RSA+SHA512:ECDSA+SHA384:RSA+SHA384:ECDSA+SHA256:RSA+SHA256:ECDSA+SHA224:RSA+SHA224:ECDSA+SHA1:RSA+SHA1:DSA+SHA1
Peer signing digest: SHA256
Peer signature type: RSA
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 1495 bytes and written 1573 bytes
Verification error: self signed certificate
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 1024 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: CE0398E501F1A4F7FC6666D7A7A9F159A3E3D314515743DDF060A03E90992CBD
    Session-ID-ctx: 
    Master-Key: 1126D33B704871376B96F06879C97A2697733615118E694A920E2F73AE78B61EB0B43976F4AE303EE2B7462EC1841C67
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1598397586
    Timeout   : 7200 (sec)
    Verify return code: 18 (self signed certificate)
    Extended master secret: no
---
$ /usr/local/opt/openssl/bin/openssl s_client -connect localhost:5671 | grep Cipher

Can't use SSL_get_servername
depth=0 C = UK, ST = England, L = London, O = MyOrg, OU = IT, CN = localhost, emailAddress = i@i.com
verify error:num=18:self signed certificate
verify return:1
depth=0 C = UK, ST = England, L = London, O = MyOrg, OU = IT, CN = localhost, emailAddress = i@i.com
verify return:1
140736131359680:error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure:ssl/record/rec_layer_s3.c:1544:SSL alert number 40
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
$ /usr/local/opt/openssl/bin/openssl s_client -tls1 -connect localhost:5671 -cert cert/server.crt -key cert/server.key -CAfile cert/ca.crt

CONNECTED(00000005)
Can't use SSL_get_servername
depth=0 C = UK, ST = England, L = London, O = MyOrg, OU = IT, CN = localhost, emailAddress = i@i.com
verify error:num=18:self signed certificate
verify return:1
depth=0 C = UK, ST = England, L = London, O = MyOrg, OU = IT, CN = localhost, emailAddress = i@i.com
verify return:1
140736131359680:error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate:ssl/record/rec_layer_s3.c:1544:SSL alert number 42
---
Certificate chain
 0 s:C = UK, ST = England, L = London, O = MyOrg, OU = IT, CN = localhost, emailAddress = i@i.com
   i:C = UK, ST = England, L = London, O = MyOrg, OU = IT, CN = localhost, emailAddress = i@i.com
---
Server certificate
-----BEGIN CERTIFICATE-----
MIID4jCCAcoCAQEwDQYJKoZIhvcNAQELBQAweTELMAkGA1UEBhMCVUsxEDAOBgNV
........... TRIMMED ......
tZyNPGiWLXy1Rnk7UqLaKwv8PdmdGnsC+D5wlXTO6kzejbcdeP7Vw/YVGM7eiEMU
CA2xhmjtd6oDi4okWDAXflJZjD1iX1XbXq635t2q6aETnk+fSKc=
-----END CERTIFICATE-----
subject=C = UK, ST = England, L = London, O = MyOrg, OU = IT, CN = localhost, emailAddress = i@i.com

issuer=C = UK, ST = England, L = London, O = MyOrg, OU = IT, CN = localhost, emailAddress = i@i.com

---
Acceptable client certificate CA names
C = UK, ST = England, L = London, O = MyOrg, OU = IT, CN = localhost, emailAddress = i@i.com
Client Certificate Types: ECDSA sign, RSA sign, DSA sign
Peer signing digest: MD5-SHA1
Peer signature type: RSA
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 1469 bytes and written 1390 bytes
Verification error: self signed certificate
---
New, TLSv1.0, Cipher is ECDHE-RSA-AES256-SHA
Server public key is 1024 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1
    Cipher    : ECDHE-RSA-AES256-SHA
    Session-ID: 03698A39CE88A2353010ADA83D6AF625209196D533B6AF8CC81BC9721813AA2C
    Session-ID-ctx: 
    Master-Key: 0E186902D5F21D5344FB9304B37B4039BA05E841BFEACF13870E82CEC3618674EF7106EB2A00556F359F4B3D664C75A6
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1598397719
    Timeout   : 7200 (sec)
    Verify return code: 18 (self signed certificate)
    Extended master secret: no
---
@wglambert wglambert added the question Usability question, not directly related to an error with the image label Aug 26, 2020
@wglambert

Looks like it's an issue with your self-signed cert, following this example https://www.rabbitmq.com/ssl.html#automated-certificate-generation-transcript I was able to get ssl working just fine #376 (comment)
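What the s_client transcripts above actually show, plus a corrected certificate set as an added example (editor-added code, not the reporter's commands and not anything shipped by the rabbitmq image or rabbitmq.com): the certificate the broker presents has `subject` equal to `issuer`, and `Acceptable client certificate CA names` lists that same DN, so the CA and the server certificate were given identical subjects when `openssl req` prompted for them (`x509 -req -CA` copies the CA subject into the leaf's issuer). OpenSSL then classifies the leaf as self-signed and refuses to chain it to a trust anchor that merely shares the name, which is verify error 18 at depth 0 even though `-CAfile cert/ca.crt` was supplied. Two further points are visible in the same output: `Server public key is 1024 bit` (from the `genrsa ... 1024` line), and with `-tls1` the broker completed a TLS 1.0 handshake with `Peer signing digest: MD5-SHA1`, so the listener is not restricted to TLS 1.2. The script below builds a CA, a server certificate and a separate client certificate with distinct subjects, 2048-bit keys and the usual extensions, checks them with `openssl verify`, and reproduces the name collision to show it failing the same way. The directory layout, subjects and config section names are the example's own assumptions.

```shell
#!/bin/sh
# Added example, not from the issue or the rabbitmq image: build a CA, a server
# certificate and a client certificate that verify cleanly, and reproduce the
# subject-name collision that made the original certificates fail. Section
# names in the config, the subjects and the output layout are our own choices.
set -eu

# Self-contained openssl config so the script does not depend on the host's
# openssl.cnf. Each leaf gets the extensions a TLS peer actually checks.
write_openssl_cfg() {
    cat > "$1" <<'EOF'
[ req ]
distinguished_name = req_dn
prompt = no
[ req_dn ]
CN = placeholder
[ ca_ext ]
basicConstraints = critical, CA:true
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ server_ext ]
basicConstraints = CA:false
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:localhost, IP:127.0.0.1
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
[ client_ext ]
basicConstraints = CA:false
keyUsage = critical, digitalSignature
extendedKeyUsage = clientAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF
}

# make_ca DIR SUBJECT: self-signed root CA with CA:true and keyCertSign.
make_ca() {
    mkdir -p "$1"
    write_openssl_cfg "$1/openssl.cnf"
    openssl genrsa -out "$1/ca.key" 2048 2>/dev/null
    openssl req -new -x509 -days 365 -config "$1/openssl.cnf" -extensions ca_ext \
        -subj "$2" -key "$1/ca.key" -out "$1/ca.crt"
}

# issue_leaf DIR NAME SUBJECT EXT_SECTION: 2048-bit key, CSR, CA-signed cert.
issue_leaf() {
    openssl genrsa -out "$1/$2.key" 2048 2>/dev/null
    openssl req -new -config "$1/openssl.cnf" -subj "$3" \
        -key "$1/$2.key" -out "$1/$2.csr"
    openssl x509 -req -days 365 -in "$1/$2.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
        -CAcreateserial -extfile "$1/openssl.cnf" -extensions "$4" \
        -out "$1/$2.crt" 2>/dev/null
}

# Corrected setup: CA subject differs from the server subject, the server cert
# carries a SAN, and a separate client cert exists because the broker asks for
# one ("Acceptable client certificate CA names" in the s_client output).
gen_good_certs() {
    make_ca "$1" "/O=MyOrg/CN=MyOrg Test Root CA"
    issue_leaf "$1" server "/O=MyOrg/CN=localhost" server_ext
    issue_leaf "$1" client "/O=MyOrg/CN=rabbit-client" client_ext
}

# What the issue did: CA and server both carry "CN=localhost" and the server
# cert is issued with no extensions. Its issuer equals its subject, so a
# verifier treats it as self-signed and will not chain it to a CA that merely
# shares the name: verify error 18 at depth 0, as in the s_client output.
gen_bad_certs() {
    make_ca "$1" "/CN=localhost"
    openssl genrsa -out "$1/server.key" 2048 2>/dev/null
    openssl req -new -config "$1/openssl.cnf" -subj "/CN=localhost" \
        -key "$1/server.key" -out "$1/server.csr"
    openssl x509 -req -days 365 -in "$1/server.csr" -CA "$1/ca.crt" \
        -CAkey "$1/ca.key" -set_serial 01 -out "$1/server.crt" 2>/dev/null
}

# verify_against_ca CERT CA PURPOSE: exit 0 iff CERT chains to CA for PURPOSE.
verify_against_ca() {
    openssl verify -CAfile "$2" -purpose "$3" "$1" >/dev/null 2>&1
}

cert_subject() { openssl x509 -noout -subject -in "$1"; }

# subjects_collide CERT_A CERT_B: exit 0 when both carry the same subject DN.
subjects_collide() {
    [ "$(cert_subject "$1")" = "$(cert_subject "$2")" ]
}

# key_bits KEYFILE: RSA modulus size (1024 in the issue; 2048 is the floor).
key_bits() {
    openssl rsa -in "$1" -noout -text 2>/dev/null |
        sed -n 's/.*Private-Key: (\([0-9]*\) bit.*/\1/p'
}

main() {
    work=$(mktemp -d)
    gen_good_certs "$work/good"
    gen_bad_certs "$work/bad"
    for kind in good bad; do
        if verify_against_ca "$work/$kind/server.crt" "$work/$kind/ca.crt" sslserver; then
            echo "$kind: server.crt verifies against ca.crt"
        else
            echo "$kind: server.crt does NOT verify: $(openssl verify -CAfile "$work/$kind/ca.crt" "$work/$kind/server.crt" 2>&1 | tail -n 1)"
        fi
    done
    rm -rf "$work"
}
main
```

Point the compose file's `RABBITMQ_SSL_CACERTFILE`, `RABBITMQ_SSL_CERTFILE` and `RABBITMQ_SSL_KEYFILE` at `ca.crt`, `server.crt` and `server.key` from the `good` directory, then test with `openssl s_client -connect localhost:5671 -CAfile good/ca.crt -cert good/client.crt -key good/client.key` and look for `Verify return code: 0 (ok)`; the original command offered `server.crt` as the client certificate, which is the wrong certificate for that role. To stop the TLS 1.0 handshake seen with `-tls1`, set `ssl_options.versions.1 = tlsv1.2` in rabbitmq.conf, the key RabbitMQ's TLS guide documents for limiting server-side TLS versions.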
