3

I have a deployment of RabbitMQ that uses it's own certificates for end-to-end encryption. It uses both AMQP and MQTT-over-WSS to connect multiple types of clients. AMQP clients are able to connect securely, so I know that the certificate set up is good.

Clients using WS going to ws://hostname:15675/ws can connect fine, but obviously are not secure. Clients attempting to connect to wss://hostname:15676/ws have the connection closed on them. 15676 is the port you will see I have bound the web-mqtt ssl listener to, as shown below. I've gone through both the networking and tls help guide by RabbitMQ, and I see the port correctly bound and can confirm it is exposed and available to the client.

The relevant rabbit.conf:

listeners.tcp.default = 5671
listeners.ssl.default = 5671

ssl_options.cacertfile = /path/to/fullchain.pem
ssl_options.certfile = /path/to/cert.pem
ssl_options.keyfile = /path/to/privkey.pem

ssl_options.verify = verify_none
ssl_options.fail_if_no_peer_cert = false

web_mqtt.ssl.port = 15676
web_mqtt.ssl.backlog = 1024
web_mqtt.ssl.cacertfile = /path/to/fullchain.pem
web_mqtt.ssl.certfile = /path/to/cert.pem
web_mqtt.ssl.keyfile = /path/to/privkey.pem

Basically, I'm wondering if I have the connection string wrong (wss://hostname:15675/ws)? Do I need to go to /wss? Is it a problem my client is a browser running on localhost -- not HTTPS? Do I have a configuration set incorrectly -- am I missing one? If there is a better source of documentation/examples of this plugin beyond the RabbitMQ website, I would also be interested.

K. Rhoda
  • 181
  • 1
  • 15

1 Answers1

0

maybe the configuration mismatch if there any password for the private file you need to add it also. refer to the following sample rabbitmq.conf

listeners.ssl.default = 5671
ssl_options.cacertfile = <path/ca-bundle (.pem/.cabundle)>
ssl_options.certfile   = <path/cert (.pem/.crt)>
ssl_options.keyfile    = <path/key (.pem/.key)>
ssl_options.password   = <your private key password>
ssl_options.versions.1 = tlsv1.3

ssl_options.verify               = verify_peer
ssl_options.fail_if_no_peer_cert = true

ssl_options.ciphers.1  = TLS_AES_256_GCM_SHA384
ssl_options.ciphers.2  = TLS_AES_128_GCM_SHA256
ssl_options.ciphers.3  = TLS_CHACHA20_POLY1305_SHA256
ssl_options.ciphers.4  = TLS_AES_128_CCM_SHA256
ssl_options.ciphers.5  = TLS_AES_128_CCM_8_SHA256

ssl_options.honor_cipher_order   = true
ssl_options.honor_ecc_order      = true

web_mqtt.ssl.port       = 15676
web_mqtt.ssl.backlog    = 1024
web_mqtt.ssl.cacertfile = <path/ca-bundle (.pem/.cabundle)>
web_mqtt.ssl.certfile   = <path/crt (.pem/.crt)>
web_mqtt.ssl.keyfile    = <path/key (.pem/.key)>
web_mqtt.ssl.password   = <your private key password>

web_mqtt.ssl.honor_cipher_order   = true
web_mqtt.ssl.honor_ecc_order      = true
web_mqtt.ssl.client_renegotiation = false
web_mqtt.ssl.secure_renegotiate   = true

web_mqtt.ssl.versions.1 = tlsv1.2
web_mqtt.ssl.versions.2 = tlsv1.1
web_mqtt.ssl.ciphers.1 = ECDHE-ECDSA-AES256-GCM-SHA384
web_mqtt.ssl.ciphers.2 = ECDHE-RSA-AES256-GCM-SHA384
web_mqtt.ssl.ciphers.3 = ECDHE-ECDSA-AES256-SHA384
web_mqtt.ssl.ciphers.4 = ECDHE-RSA-AES256-SHA384
web_mqtt.ssl.ciphers.5 = ECDH-ECDSA-AES256-GCM-SHA384
web_mqtt.ssl.ciphers.6 = ECDH-RSA-AES256-GCM-SHA384
web_mqtt.ssl.ciphers.7 = ECDH-ECDSA-AES256-SHA384
web_mqtt.ssl.ciphers.8 = ECDH-RSA-AES256-SHA384
web_mqtt.ssl.ciphers.9 = DHE-RSA-AES256-GCM-SHA384

this is a working configuration file for the rabbitmq-server on ubuntu 20.04

  1. restart the rabbitmq-server
  2. list the listeners port (make sure that the SSL ports enabled) (rabbitmq-diagnostics listeners)
  3. test the SSL (testssl localhost:16567)
  4. also test the telnet (telnet localhost 16567)

please reffer : https://www.rabbitmq.com/ssl.html#erlang-otp-requirements and troubleshooting

this is worked for me :-)

Hariharan Kanakaraja
  • 131
  • 3
  • 7