3
votes

I've been trying to connect to RabbitMQ server on RHEL7 which listens to 5671 port for SSL connections.

RabbitMQ server's SSL listener has been configured like this:
[
  {rabbit, [
     {ssl_listeners, [5671]},
     {ssl_options, [{cacertfile,"/etc/pki/tls/certs/samqp.dcu.ie.chain"},
                {certfile,"/etc/pki/tls/certs/samqp.dcu.ie.crt"},
                {keyfile,"/etc/pki/tls/private/samqp.dcu.ie.key"},
                {verify,verify_peer},
                {fail_if_no_peer_cert,false}]}
   ]}
]

The client machine is Ubuntu 14.04 LTS.

The client is a Moodle custom plugin using 'videlalvaro/php-amqplib' library to communicate with server.

Here are actual paths and file names for my self-signed certificates created according to docs on: https://www.rabbitmq.com/ssl.html

$sslOptions = array(
            'cafile' => '/home/duro/testca/cacert.pem',
            'local_cert' => '/home/duro/client/key-cert.pem',
            'peer_name'=>'samqp.dcu.ie',
            'verify_peer_name' => true
            );

PHP apparently has a requirement to use certificate and key concatenated to one file, hence the 'key-cert.pem'.

This is how I connect from client, including actual url:

$connection = new AMQPSSLConnection('samqp.dcu.ie.crt', 5671, 'rMQUsername', 'rMQPasswd', '/', $sslOptions);

On the client side I get this exception message:

"stream_socket_client(): SSL operation failed with code 1. OpenSSL Error messages: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed" 

On the server side, looking to /var/log/rabbitmq/[email protected], I see this error:

=ERROR REPORT==== 3-Mar-2016::14:08:26 ===
SSL: certify: ssl_alert.erl:93:Fatal error: unknown ca

So, how to make this connection work?

2
Please post the exact URL you are using to connect to the server, and post the output of openssl s_client -connect <hostname>:<port> -tls1 -servername <hostname> | openssl x509 -text -noout. Do so by adding it to your question by clicking Edit (and don't post it as a comment). Otherwise, we can't reproduce it and there's not enough information to help troubleshoot it.jww
I supplied the actual URL in $connection instantiation code. I also posted the command output, and updated the file names and paths to real ones.Đuro Mandinić
Thanks @Djuro. It was easy to diagnose with the information. I wish everyone provided it.jww

2 Answers

1
votes

... error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed"

You are connecting to the server with the name sphinx.dcu.ie:

$connection = new AMQPSSLConnection('sphinx.dcu.ie', 5671, ...)

However, the hostname in the certificate is samqp.dcu.ie:

X509v3 Subject Alternative Name: 
    DNS:samqp.dcu.ie

You need to do one of two things. First, make the RabbitMQ request against the server named in the certificate. Or second, get a new certificate issued with the DNS name you want to use.

You can place as many DNS names as you like in the Subject Alternate Name (SAN). I often fill them up with debug and testing names, like localhost, localhost.localdomain and 127.0.0.1.


EDIT: For this issue:

... and server's log now says:

=ERROR REPORT==== 3-Mar-2016::09:52:41 ===
SSL: certify: ssl_handshake.erl:1490:Fatal error: unknown ca

You need to go back to the information for Revision 9 or so of your question and this information:

depth=2 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert High Assurance EV Root CA
verify return:1
depth=1 C = NL, ST = Noord-Holland, L = Amsterdam, O = TERENA, CN = TERENA SSL High Assurance CA 3
verify return:1
depth=0 businessCategory = Government Entity, jurisdictionC = IE, serialNumber = Government Entity, street = Glasnevin, street = Dublin City University, postalCode = IE, C = IE, ST = Ireland, L = Dublin, O = Dublin City University, OU = ISS, CN = samqp.dcu.ie
verify return:1

You don't need the ca-cert.pem file, which includes hundreds of CAs, most of which are wrong. You only need the one CA that's right, and it's the one called DigiCert High Assurance EV Root CA. You also need the intermediate one called TERENA SSL High Assurance CA 3.

DigiCert High Assurance EV Root CA certificate

You can download DigiCert High Assurance EV Root CA from DigiCert Trusted Root Authority Certificates. It has the following attributes:

  • Serial number: 02:AC:5C:26:6A:0B:40:9B:8F:0B:79:F2:AE:46:25:77
  • Thumbprint: 5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25

When you download it, it's in DER format. You need to convert it to PEM format with:

$ openssl x509 -inform der -in DigiCertHighAssuranceEVRootCA.crt \
    -outform PEM -out DigiCertHighAssuranceEVRootCA.pem

Then:

$ cat DigiCertHighAssuranceEVRootCA.pem 
-----BEGIN CERTIFICATE-----
MIIDxTCCAq2gAwIBAgIQAqxcJmoLQJuPC3nyrkYldzANBgkqhkiG9w0BAQUFADBs
...
vEsXCS+0yx5DaMkHJ8HSXPfqIbloEpw8nL+e/IBcm2PN7EeqJSdnoDfzAIJ9VNep
+OkuE6N36B9K
-----END CERTIFICATE-----

TERENA SSL High Assurance CA 3 certificate

Now you need to do the same thing with TERENA SSL High Assurance CA 3. I believe you can find it at TERENA SSL High Assurance CA Root Certificates. It's the one with the attributes:

  • Serial number 0b:5c:34:35:67:5b:24:67:c0:d7:32:37:f9:0d:5f:94
  • Fingerprint SHA1 A7:8A:AB:DE:7F:5B:77:15:40:D3:33:B5:05:87:4C:82:04:AA:D2:06

MY-CACERT.pem

Now that you have the CAs you need for pathbuilding, perform the following:

$ cat DigiCertHighAssuranceEVRootCA.pem > my-cacert.pem
$ cat TERENA_SSL_High_Assurance_CA_3.pem >> my-cacert.pem
$ echo "" >> my-cacert.pem

Then:

$ cat my-cacert.pem 
-----BEGIN CERTIFICATE-----
MIIDxTCCAq2gAwIBAgIQAqxcJmoLQJuPC3nyrkYldzANBgkqhkiG9w0BAQUFADBs
...
vEsXCS+0yx5DaMkHJ8HSXPfqIbloEpw8nL+e/IBcm2PN7EeqJSdnoDfzAIJ9VNep
+OkuE6N36B9K
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIE4DCCA8igAwIBAgIQC1w0NWdbJGfA1zI3+Q1flDANBgkqhkiG9w0BAQsFADBs
...
dnnqz5SeAs6cbSm551qG7Dj8+6f/8e33oqLC5Ldnbt0Ou6PjtZ4O02dN9cnicemR
1B0/YQ==
-----END CERTIFICATE-----

Finally, use my-cacert.pem.


You should be able to test things using OpenSSL's s_client. But I can't seem to connect from the outside world:

$ openssl s_client -connect sphinx.dcu.ie:5671 -tls1 \
    -servername sphinx.dcu.ie -CAfile my-cacert.pem 

If you can connect, then you should get a Verify Ok (0) (if I recall correctly).
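The two checks this answer walks through, chain building against a CA bundle (the "unknown ca" failure) and matching the hostname against the certificate's SAN, can be reproduced offline. The script below is an added example, not jww's code or anything from RabbitMQ or php-amqplib: it generates a constructed root CA, intermediate CA and server certificate (stand-ins for the DigiCert root, the TERENA intermediate and samqp.dcu.ie), builds a my-cacert.pem the same way the answer does, and runs openssl verify with -verify_hostname, which is the same check PHP performs when 'cafile', 'verify_peer' and 'verify_peer_name' are set. All names and files are constructed; it only needs the openssl CLI.

```shell
#!/bin/sh
# Added example (not from the question or answer). Builds root -> intermediate
# -> server certificate locally and shows which CA bundle / hostname
# combinations pass verification. Every name here is a constructed stand-in.
set -e

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

SERVER_NAME="samqp.example.test"   # constructed: the name placed in the SAN
WRONG_NAME="sphinx.example.test"   # constructed: a name that is not in the SAN

# Extensions for the CA certificates (root and intermediate).
cat > ca.ext <<'EOF'
basicConstraints=critical,CA:TRUE
keyUsage=critical,keyCertSign,cRLSign
subjectKeyIdentifier=hash
EOF

# Extensions for the server certificate; the SAN is what the client compares
# against 'peer_name'.
cat > leaf.ext <<EOF
basicConstraints=CA:FALSE
keyUsage=digitalSignature,keyEncipherment
extendedKeyUsage=serverAuth
subjectAltName=DNS:$SERVER_NAME
EOF

# Run a command quietly; set -e still aborts the script if it fails.
q() { "$@" >/dev/null 2>&1; }

# Self-signed root CA (plays the part of the DigiCert root).
q openssl genrsa -out root.key 2048
q openssl req -new -key root.key -subj "/CN=Example Root CA" -out root.csr
q openssl x509 -req -in root.csr -signkey root.key -days 30 -sha256 \
    -extfile ca.ext -out root.pem

# Intermediate CA signed by the root (plays the part of the TERENA CA).
q openssl genrsa -out int.key 2048
q openssl req -new -key int.key -subj "/CN=Example Intermediate CA" -out int.csr
q openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial \
    -days 30 -sha256 -extfile ca.ext -out int.pem

# Server certificate signed by the intermediate.
q openssl genrsa -out leaf.key 2048
q openssl req -new -key leaf.key -subj "/CN=$SERVER_NAME" -out leaf.csr
q openssl x509 -req -in leaf.csr -CA int.pem -CAkey int.key -CAcreateserial \
    -days 30 -sha256 -extfile leaf.ext -out leaf.pem

# Two candidate 'cafile' bundles: the root alone, and root + intermediate
# concatenated the way the answer builds my-cacert.pem.
cp root.pem root-only.pem
cat root.pem int.pem > my-cacert.pem

# verify_leaf BUNDLE HOSTNAME: prints "ok" when leaf.pem chains to a CA in
# BUNDLE and its SAN matches HOSTNAME, otherwise "fail".
verify_leaf() {
    if openssl verify -CAfile "$1" -verify_hostname "$2" leaf.pem >/dev/null 2>&1; then
        echo ok
    else
        echo fail
    fi
}

echo "root only, right name:  $(verify_leaf root-only.pem "$SERVER_NAME")"   # fail: intermediate missing
echo "full chain, right name: $(verify_leaf my-cacert.pem "$SERVER_NAME")"   # ok
echo "full chain, wrong name: $(verify_leaf my-cacert.pem "$WRONG_NAME")"    # fail: SAN mismatch
```

The first case is the "unknown ca" situation: the root is trusted but nothing links the server certificate to it, so the chain cannot be built until the intermediate is in the bundle. The third case is the first half of the answer: the chain is fine, but the name the client connects with is not in the SAN, so verification still fails.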

0
votes

I had the same problem while connecting to the RabbitMQ server from a PHP client. The error was

"stream_socket_client(): SSL operation failed with code 1. OpenSSL Error messages: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed"

I debugged it by following the series of steps below.

Making sure client and server are handshaking using the provided certificate files.

In one terminal, run the command below to start a server on port 8443.

openssl s_server -accept 8443 -cert /etc/rabbitmq/server/cert.pem -key /etc/rabbitmq/server/key.pem -CAfile  /etc/rabbitmq/testca/cacert.pem

And, in another terminal, run the command below to make the connection.

openssl s_client -connect YOUR_SERVER:8443 -key /rabbitmq/client/key.pem -CAfile /rabbitmq/client/key-cert.pem

If the client is able to connect and doesn't return to the prompt due to a timeout, your connection is successful. Keep trying with your certificates/keys until you make the connection successfully.

Note: It is assumed that key-cert.pem is a concatenated file.

# cd /etc/rabbitmq/client
# cat key.pem cert.pem > key-cert.pem

SSL Options in PHP client

I passed the PHP array below as the $ssl_options parameter.

$ssl_options =  [
                        'cafile' => '/rabbitmq/testca/cacert.pem',
                        'local_cert' => '/rabbitmq/client/key-cert.pem',
                        'verify_peer' => false,
                        'verify_peer_name' => false,
            ];

My RabbitMQ configuration is according to the VMware docs.