1

I generated a letsencrypt certificate and tried to configure the cert with my rabbitmq server. I enabled both rabbitmq_management and rabbitmq_mqtt plugins with the same ssl cert configuration. My configuration is shown below. I managed to access rabbitmq management console from browser using https. However, whenever i tried to connect rabbitmq with mqtt client, it wasnt successful. I noticed an error log as shown below. I also try the connection to port 5671 as suggested in "tls/ssl troubleshooting for rabbitmq". The connection throw an exception as well. Can anyone give me an advice what can possibly goes wrong?

Configuration : 

[
     {rabbit,
      [
        {ssl_listeners, [5671]},
        {tcp_listeners, [{"127.0.0.1", 5672}, {"::1", 5672}]},
        {ssl_options, [{cacertfile,"/ssl/s2.domain.co/chain.pem"},
                        {certfile,"/ssl/s2.domain.co/cert.pem"},
                        {keyfile,"/ssl/s2.domain.co/privkey.pem"},
                        {verify,verify_none},
                        {fail_if_no_peer_cert,false}]}, 
      ]
     },
     {kernel, []},
     {rabbitmq_management,
      [
        {listener, [
                    {port, 15672},
                    {ip, "0.0.0.0"},
                    {ssl, true},
                    {ssl_opts, [{cacertfile, "/ssl/s2.domain.co/chain.pem"},
                               {certfile,   "/ssl/s2.domain.co/cert.pem"},
                               {keyfile,    "/ssl/s2.domain.co/privkey.pem"}]}
            ]
        }
      ]
     }
     {rabbitmq_stomp, []},
     {rabbitmq_mqtt, [{ssl_listeners,[8883]},{tcp_listeners,[1883]}]},
     {rabbitmq_amqp1_0, []},
     {rabbitmq_auth_backend_ldap, []} 
    ].

mqtt connection error log:

=ERROR REPORT==== 12-Apr-2016::03:39:17 ===
SSL: certify: ssl_alert.erl:92:Fatal error: certificate unknown

command to run to connect port 5671:

openssl s_client -connect localhost:5671

exception for connecting port 5671:

  CONNECTED(00000003)
    depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
    verify error:num=19:self signed certificate in certificate chain
    verify return:0
    ---
    Certificate chain
     0 s:/CN=s2.domain.co
       i:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
     1 s:/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
       i:/O=Digital Signature Trust Co./CN=DST Root CA X3
     2 s:/O=Digital Signature Trust Co./CN=DST Root CA X3
       i:/O=Digital Signature Trust Co./CN=DST Root CA X3
    ---
    Server certificate
    -----BEGIN CERTIFICATE-----
    MIIFADCCA+igAwIBAgISAypMQeOTn5dLIvtJer33fdsZMA0GCSqGSIb3DQEBCwUA
   ...
    UiCsw7U66T3TDVjQrduiZueUKtr//BYO0rWGpLdUBFjjGHK/
    -----END CERTIFICATE-----
    subject=/CN=s2.domain.co
    issuer=/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
    ---
    No client certificate CA names sent
    ---
    SSL handshake has read 3871 bytes and written 477 bytes
    ---
    New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-SHA384
    Server public key is 2048 bit
    Secure Renegotiation IS supported
    Compression: NONE
    Expansion: NONE
    SSL-Session:
        Protocol  : TLSv1.2
        Cipher    : ECDHE-RSA-AES256-SHA384
        Session-ID: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
        Session-ID-ctx: 
        Master-Key: xxxxxxxxxxxx
        Key-Arg   : None
        PSK identity: None
        PSK identity hint: None
        SRP username: None
        Start Time: 1460433641
        Timeout   : 300 (sec)
        Verify return code: 19 (self signed certificate in certificate chain)
    ---
HW Siew
  • 111
  • 2
  • Is is possible to deleting all the certificates and keys and starting again. certfile linked in rabbitmq.config is the server SSL certificate. keyfile linked in rabbitmq.config is the server SSL key. – Rajat Apr 12 '16 at 05:43
  • Hi @Rajat thank you so much for the advice. The certificate files and key seem working fine. I managed to access the https using the same cert and key on server. Any other possible cause you might think of? Thank you for the help – HW Siew Apr 12 '16 at 09:16

0 Answers0