2 votes

I have religiously followed the instructions given on the RabbitMQ site to set up mutual authentication between a RabbitMQ server and a .NET client (using the official RabbitMQ client available at RabbitMQ.com):

https://www.rabbitmq.com/ssl.html


However, the instructions are missing a key point. For the peer certificate to be validated by the RabbitMQ server, a user needs to be mapped (for impersonation) to the peer certificate, as described below:

https://weblogs.asp.net/jeffreyabecker/Using-SSL-client-certificates-for-authentication-with-RabbitMQ


But when the certificates are exchanged during the handshake, the RabbitMQ server looks for a username called 'O=client,CN=MyServer.com' instead of 'CN=MyServer.com'.

If I create this user with the required privileges, everything succeeds as expected.

I would like to know the reason for the unexpected 'O=client' part in the username. It is not documented anywhere on the RabbitMQ site.

Has anyone come across this? What is the name of the user you have created for impersonating the peer/client?


Both RabbitMQ server and client versions are 3.6.5.

Erlang version: 18

OS: Windows 10 Enterprise


1 Answer

0 votes

I have been looking at this recently, and it is configurable on startup in Docker by providing additional config as below:

[
 {rabbit, [
   {auth_mechanisms, ['EXTERNAL']},   % log in with the client certificate instead of a password
   {loopback_users, []},              % no user is restricted to loopback connections
   {ssl_listeners, [5671]},
   {ssl_options, [{cacertfile, "etc/docker/certs.d/ca_certificate.pem"},
                  {certfile,   "etc/docker/certs.d/server_certificate.pem"},
                  {keyfile,    "etc/docker/certs.d/private_key.pem"},
                  {verify,     verify_peer},   % request and verify the client certificate
                  {password,   ""},            % passphrase of the private key file, if any
                  {fail_if_no_peer_cert, false}]},
   %% ssl_cert_login_from is a rabbit setting, not an ssl option: it belongs
   %% next to ssl_options, not inside the ssl_options tuple
   {ssl_cert_login_from, common_name}
 ]}
].

The key here is the ssl_cert_login_from option, which allows you to use only the CN of the certificate.

Removing this option enables the use of the DN.
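As an added example that is not part of the question or the answer above: a small POSIX shell script that takes a client certificate and prints the two usernames RabbitMQ's EXTERNAL mechanism may look up, the full subject DN (the default, ssl_cert_login_from = distinguished_name) and the bare CN (ssl_cert_login_from = common_name), together with the rabbitmqctl commands that create the matching user. It assumes openssl is on PATH and that openssl's RFC 2253 rendering of the subject ("O=client,CN=MyServer.com") matches the DN string RabbitMQ builds; the client certificate it generates is a constructed, throwaway self-signed one with the subject from the question.

```shell
#!/bin/sh
# Added example, not from the original post. Given a PEM client certificate,
# work out the username RabbitMQ will look up under each ssl_cert_login_from
# setting, so the user can be created before the first handshake fails.
#
# Assumption: openssl's RFC 2253 subject rendering matches the DN string
# RabbitMQ derives. The name RabbitMQ actually used appears in the server
# log when the login is refused, so confirm against that.
set -e

# Subject of a PEM certificate in RFC 2253 form, without the "subject=" prefix
# (older openssl prints "subject= ...", newer prints "subject=...").
cert_subject() {
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//'
}

# Username used when ssl_cert_login_from is distinguished_name (the default):
# the whole DN, exactly as rendered.
username_from_dn() {
  printf '%s\n' "$1"
}

# Username used when ssl_cert_login_from is common_name: the value of the
# first CN attribute. Splitting on ',' is enough for simple subjects like
# the one in the question; escaped commas inside a value are not handled.
username_from_cn() {
  printf '%s\n' "$1" | tr ',' '\n' | sed -n 's/^CN=//p' | head -n 1
}

# Constructed throwaway client certificate with the subject from the question.
# Subject RDNs are CN then O; RFC 2253 prints them in reverse order.
make_test_cert() {
  dir="$1"
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
      -subj "/CN=MyServer.com/O=client" \
      -keyout "$dir/client_key.pem" -out "$dir/client_certificate.pem" 2>/dev/null
}

# The user RabbitMQ must know about. The password is never used with the
# EXTERNAL mechanism, but rabbitmqctl add_user still requires one.
print_user_commands() {
  printf 'rabbitmqctl add_user "%s" unused-with-external-auth\n' "$1"
  printf 'rabbitmqctl set_permissions -p / "%s" ".*" ".*" ".*"\n' "$1"
}

demo() {
  dir=$(mktemp -d)
  make_test_cert "$dir"
  dn=$(cert_subject "$dir/client_certificate.pem")
  echo "ssl_cert_login_from = distinguished_name (default) expects user: $(username_from_dn "$dn")"
  print_user_commands "$(username_from_dn "$dn")"
  echo "ssl_cert_login_from = common_name expects user: $(username_from_cn "$dn")"
  print_user_commands "$(username_from_cn "$dn")"
  rm -rf "$dir"
}

# Run as: sh rabbitmq_cert_user.sh demo
if [ "${1:-}" = "demo" ]; then
  demo
fi
```

Run it against your real client certificate with `cert_subject path/to/client_certificate.pem` to see both candidate names; the one to create depends on which ssl_cert_login_from setting the server runs with.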