Following the directions stated here, I have set up a certificate authority and created the rabbitmq.config with the appropriate fields. However, when I try to connect to the RabbitMQ server with

    openssl s_client -connect 127.0.0.1:5671 -tls1

I get the following in standard output:

    CONNECTED(00000003)
    write:errno=104
    ---
    no peer certificate available
    ---
    No client certificate CA names sent
    ---
    SSL handshake has read 0 bytes and written 0 bytes
    ---
    New, (NONE), Cipher is (NONE)
    Secure Renegotiation IS NOT supported
    Compression: NONE
    Expansion: NONE
    No ALPN negotiated
    SSL-Session:
        Protocol  : TLSv1
        Cipher    : 0000
        Session-ID:
        Session-ID-ctx:
        Master-Key:
        Key-Arg   : None
        PSK identity: None
        PSK identity hint: None
        SRP username: None
        Start Time: 1449612785
        Timeout   : 7200 (sec)
        Verify return code: 0 (ok)
    ---

and I see the following error in the logs:

    =ERROR REPORT==== 8-Dec-2015::16:13:10 ===
    Error on AMQP connection <0.257.0>:
    {ssl_upgrade_error,
        {options,
            {cacertfile,"/home/nthompson/learn_celery/testca/cacert.pem",
                {error,eacces}}}}

What could be the problem?

I have tried the following, with no success:

  • Open up the permissions of cacert.pem, i.e., I ran chmod 444 cacert.pem as well as some more hopeless permissions, no dice.

  • Validated that all intermediate directories have permissions of 775.

  • Validated that the RabbitMQ server was indeed listening on port 5671, and it was:

    $ sudo rabbitmq status
    {listeners,[{clustering,25672,"::"},{amqp,5672,"::"},{'amqp/ssl',5671,"::"}]},
    
  • Checked all paths in rabbitmq.config, and loosened up the certificate exchange policy by setting {verify,verify_none} and {fail_if_no_peer_cert,false}.

  • Enabled the use of the rabbitmq_auth_mechanism_ssl plugin via

    $ sudo rabbitmq-plugins enable rabbitmq_auth_mechanism_ssl
    

    and verified that it was picked up by rabbitmq-server. In addition, I added {auth_mechanisms, ['PLAIN', 'AMQPLAIN', 'EXTERNAL']} to the rabbitmq.config.

  • RabbitMQ version is 3.5.4 (default apt-get), but I also upgraded to 3.5.6 (latest) to see if this would go away.

user14717
  • Have you tried the things listed here? https://www.rabbitmq.com/troubleshooting-ssl.html – xkcd149 Dec 18 '15 at 18:56
  • Did you manage to solve the problem? I have the exact same one and the troubleshooting page from RabbitMQ is completely useless. – Sebastien Feb 01 '18 at 22:45

1 Answer

After a lot of messing around and searching I FINALLY got it!

In my case, the issue was caused by the certification files' ownership and permissions.

I edited my /etc/rabbitmq/rabbitmq.config so that the certificate, key and CAfile pointed to /etc/rabbitmq/conf/<file>.pem, copied the original .pem files into /etc/rabbitmq/conf/, then ran chown -R rabbitmq:rabbitmq /etc/rabbitmq/conf and restarted the service with service rabbitmq-server restart, and it worked.

Sebastien
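
The log in the question reports eacces on a file under /home/nthompson, and the answer resolved it by moving the files and changing their ownership. As an added example (not code from either post), the script below names the first path component whose mode bits stop a service account from reaching a file. It assumes the account (for example rabbitmq) is neither owner nor group member of any component; first_blocker is a hypothetical helper name.

```shell
#!/bin/sh
# Added example, not from the original posts. first_blocker is a
# hypothetical helper name.
# Assumption: the service account (e.g. rabbitmq) is neither owner nor group
# member of any path component, so only the "other" mode bits apply.
# ACLs and AppArmor/SELinux policy are not examined.

# Print the 10-character mode string of a path, e.g. drwxr-x---
mode_string() {
    ls -ld -- "$1" | cut -c1-10
}

# first_blocker FILE [ROOT]
# FILE and ROOT are absolute paths; components at or above ROOT (default /)
# are skipped. Prints "<path> <mode>" and returns 1 for the first directory
# lacking o+x or for a FILE lacking o+r; returns 2 if a component is missing;
# prints nothing and returns 0 when "other" can reach and read FILE.
first_blocker() {
    target=$1
    root=${2:-/}
    root=${root%/}                 # "/" becomes "", "/srv/" becomes "/srv"
    rest=${target#"$root"/}
    current=$root
    set -f; old_ifs=$IFS; IFS=/
    set -- $rest                   # split the remaining path on "/"
    IFS=$old_ifs; set +f
    for part in "$@"; do
        [ -n "$part" ] || continue
        current=$current/$part
        if [ ! -e "$current" ]; then
            echo "$current (missing)"; return 2
        fi
        mode=$(mode_string "$current")
        if [ -d "$current" ]; then
            bit=$(printf '%s' "$mode" | cut -c10)   # search bit for "other"
            case $bit in x|t) ;; *) echo "$current $mode"; return 1 ;; esac
        else
            bit=$(printf '%s' "$mode" | cut -c8)    # read bit for "other"
            [ "$bit" = r ] || { echo "$current $mode"; return 1; }
        fi
    done
    return 0
}

# Run against a path when one is given, e.g.:
#   sh check_path.sh /home/nthompson/learn_celery/testca/cacert.pem
[ "$#" -eq 0 ] || first_blocker "$@"
```

For a check that also accounts for group membership and ACLs, run sudo -u rabbitmq test -r FILE and look at the exit status.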