2

I have been trying to connect to RabbitMQ via SSL. The steps I followed are as below:

  1. Generated certificates and pem file on server using tls-gen

    Files generated were as follows:

    • server_key.pem

    • server_certificate.pem

    • client_key.pem

    • client_certificate.pem

    • ca_key.pem

    • ca_certificate.pem

  2. Following this link enabling ssl rabbitmq, I have created a file called rabbitmq.config under /etc/rabbitmq, copied a default configuration file and un-commented the lines:

    [
      {rabbit, [
        {tcp_listeners, [5671]},
        {ssl_listeners, [5672]},
        {auth_mechanisms, ['EXTERNAL','PLAIN']},
        {ssl_options, [{cacertfile,"/path/to/ca_certificate.pem"},
                       {certfile,"/path/to/server_certificate.pem"},
                       {keyfile,"/path/to/server_key.pem"},
                       {verify,verify_peer},
                       {fail_if_no_peer_cert,false}]}
      ]}
    ].

  3. I have copied the client keys to the machine I am trying to connect to RabbitMQ from and am using the following parameters:

    RABBITMQ_CONNECTION_PARAMETERS = {
        'host': 'rabbitmqHost',
        'port': 5671,
        'heartbeat_interval': 0,
        'ssl': True,
        'ssl_options': {
            'certfile': 'client_certificate.pem',
            'keyfile': 'client_key.pem',
        },
    }

as per the parameters specified in this link

Without SSL enabled and using plain credentials I am able to connect to the RabbitMQ server. However, using the above setup, I get the below error when connecting:

    DEBUG:pika.callback:Added: {'callback': >, 'only': None, 'one_shot': False, 'arguments': None}
    2017-03-10 16:00:23 [pika.callback] DEBUG: Added: {'callback': >, 'only': None, 'one_shot': False, 'arguments': None}
    DEBUG:pika.callback:Added: {'callback': >, 'only': None, 'one_shot': True, 'arguments': None, 'calls': 1}
    2017-03-10 16:00:23 [pika.callback] DEBUG: Added: {'callback': >, 'only': None, 'one_shot': True, 'arguments': None, 'calls': 1}
    INFO:pika.adapters.base_connection:Connecting to rabbitmqSever:5672 with SSL
    2017-03-10 16:00:23 [pika.adapters.base_connection] INFO: Connecting to rabbitmqSever:5672 with SSL
    WARNING:pika.adapters.base_connection:Connection to rabbitmqSever:5672 failed: [Errno 336265218] _ssl.c:355: error:140B0002:SSL routines:SSL_CTX_use_PrivateKey_file:system lib
    2017-03-10 16:00:23 [pika.adapters.base_connection] WARNING: Connection to rabbitmqSever:5672 failed: [Errno 336265218] _ssl.c:355: error:140B0002:SSL routines:SSL_CTX_use_PrivateKey_file:system lib
    WARNING:pika.connection:Could not connect, 0 attempts left
    2017-03-10 16:00:23 [pika.connection] WARNING: Could not connect, 0 attempts left
    DEBUG:pika.callback:Processing 0:_on_connection_error
    2017-03-10 16:00:23 [pika.callback] DEBUG: Processing 0:_on_connection_error
    DEBUG:pika.callback:Calling > for "0:_on_connection_error"
    2017-03-10 16:00:23 [pika.callback] DEBUG: Calling > for "0:_on_connection_error"
    Unhandled error in Deferred:
    CRITICAL:twisted:Unhandled error in Deferred:
    2017-03-10 16:00:23 [twisted] CRITICAL: Unhandled error in Deferred:

Update:

If I use openssl to connect:

    openssl s_client -connect server:5671 -cert client_certificate.pem -key client_key.pem

I get the following:

    CONNECTED(00000003)
    140243320723104:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol:s23_clnt.c:795:
    no peer certificate available
    No client certificate CA names sent
    SSL handshake has read 7 bytes and written 295 bytes
    New, (NONE), Cipher is (NONE)
    Secure Renegotiation IS NOT supported
    Compression: NONE
    Expansion: NONE

And the RabbitMQ logs show a connection, but for the SSL port 5672 it says connection refused.

Please note: I am connecting to RabbitMQ from a Scrapy spider.

Vaulstein
    Maybe it comes late, but we had a similar issue. Instead of {ssl_listeners, [5671]}, we wrote {ssl_listeners, [{"0.0.0.0", 5671}]} and it solved our problem. It turned out that RabbitMQ didn't open the port after all without this setting. – Letokteren May 04 '17 at 08:31
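The openssl result in the question ("SSL23_GET_SERVER_HELLO:unknown protocol") is what a TLS client reports when the port it reached answers in some other protocol, which is exactly what a plain RabbitMQ tcp_listener does with a ClientHello. The probe below is an added example, not code from the question, pika or RabbitMQ: it classifies what a port speaks and comes with a constructed stand-in for a plain AMQP listener so it can be exercised offline; the header bytes are assumed to be the AMQP 0-9-1 protocol header.

```python
import socket
import socketserver
import ssl
import threading

# What a plain (non-TLS) AMQP 0-9-1 listener answers with when the first bytes
# it receives are not an AMQP protocol header (a TLS ClientHello, for instance).
AMQP_PROTOCOL_HEADER = b"AMQP\x00\x00\x09\x01"

# OpenSSL reasons meaning "the peer is not speaking TLS at all", as opposed to
# a TLS handshake that started and was then rejected by the server.
NOT_TLS_REASONS = {"WRONG_VERSION_NUMBER", "UNKNOWN_PROTOCOL",
                   "HTTP_REQUEST", "PACKET_LENGTH_TOO_LONG"}


def probe_tls(host, port, timeout=3.0):
    """Return 'tls', 'not-tls', 'refused', 'timeout', or
    'tls-handshake-failed:<REASON>' (TLS started but the server rejected it,
    e.g. because it requires a client certificate that was not presented)."""
    # Probe only: peer verification is disabled here on purpose. A real client
    # must load the CA certificate and verify the broker instead.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host):
                return "tls"  # wrap_socket() has completed the handshake
    except ConnectionRefusedError:
        return "refused"
    except (socket.timeout, TimeoutError):
        return "timeout"
    except ssl.SSLError as exc:
        if isinstance(exc, ssl.SSLEOFError) or exc.reason in NOT_TLS_REASONS:
            return "not-tls"
        return "tls-handshake-failed:%s" % exc.reason


class _PlainAmqpHandler(socketserver.BaseRequestHandler):
    """Constructed stand-in for a plain tcp_listener: swallow whatever the
    client sent first, answer with the AMQP header and hang up."""
    def handle(self):
        self.request.recv(65536)
        self.request.sendall(AMQP_PROTOCOL_HEADER)


def start_plain_amqp_listener():
    """Start the stand-in on a free loopback port; returns (server, port)."""
    srv = socketserver.TCPServer(("127.0.0.1", 0), _PlainAmqpHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]
```

Running `probe_tls` against the port you put in `ssl_listeners` (and separately against the one in `tcp_listeners`) tells you immediately whether the client is pointed at the plain listener, before any certificate or user problem comes into play.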

3 Answers

2

It's scary that no one has answered this in 2 years... I got it to work over SSL on the same instance. Click here but I haven't gotten it to work outside of the localhost because it seems like despite using SSL it still uses the "guest" user and the guest user doesn't allow connections from outside of localhost.

%% -*- mode: erlang -*-

[
 {rabbit,
  [
   {ssl_listeners, [5671]},
   {ssl_options, [{cacertfile,"/home/daudn/tls-gen/basic/result/ca_certificate.pem"},
                  {certfile,"/home/daudn/tls-gen/basic/result/server_certificate.pem"},
                  {keyfile,"/home/daudn/tls-gen/basic/result/server_key.pem"},
                  {verify,verify_none},
                  {fail_if_no_peer_cert,false}]},
   {auth_mechanisms, ['PLAIN', 'EXTERNAL']}
  ]}   %% closes the rabbit application's option list and the {rabbit, ...} tuple
].
DUDANF
0

Use:

    connectionFactory.getRabbitConnectionFactory().useSslProtocol()
mozway
    You might want to give some extra details. What is this code doing? How does it solve the problem? – mozway May 12 '23 at 11:05
0

If you created the certificates with a password, try adding the password to the RabbitMQ config file:

    ssl_options.password = password123

Stas