TLS-enabled connections with a self signed certificate fail #2440

revoorunischal · 2020-09-01T18:44:29Z

revoorunischal
Sep 1, 2020

Hi ,
I was trying to start a rabbitmq server(RabbitMQ 3.8.7, Erlang 23.0.3) in mac os using brew with TLS using self signed certificates, but I am always getting connection reset in both java(spring cloud stream rabbitmq binder) and node application.

Following are my configurations used

rabbitmq.config

[
 {rabbit, [
  {loopback_users, []},
  {collect_statistics_interval, 540000},
    {cluster_partition_handling, autoheal},
     {ssl_handshake_timeout, 50000},
     {handshake_timeout, 20000},
     {ssl_listeners, [5671]},
     {ssl_options, [{cacertfile,"/Users/nischal/Documents/keys1/cert.pem"},
                    {certfile,"/Users/nischal/Documents/keys1/cert.pem"},
                    {keyfile,"/Users/nischal/Documents/keys1/key.pem"},
                    {versions, ['tlsv1.2']},
                    {verify,verify_peer},
                    {fail_if_no_peer_cert,false}]}
     ]},
     {rabbitmq_management,  [ {http_log_dir,  "/usr/local/var/log/rabbitmq"},
        {rates_mode, none}] }
].

keys were generated using the following commands

keytool -genkeypair \
-keystore rootca.jks \
-storepass vmware \
-keyalg RSA \
-validity 365 \
-keypass vmware \
-alias rabbitmq \
-dname "CN=prat,OU=Test, O=Corp, L=Palo Alto S=CA C=US" \
-ext san=\
dns:prat,\
ip:127.0.0.1

keytool -importkeystore -srckeystore rootca.jks \
-destkeystore foo.p12 -deststoretype pkcs12 \
-srcstorepass vmware -deststorepass vmware \
-alias rabbitmq

openssl pkcs12 -in foo.p12 \
-out foo.pem -passin pass:vmware \
-passout pass:vmware

sed -n '/-----BEGIN ENCRYPTED PRIVATE KEY-----/,/-----END ENCRYPTED PRIVATE KEY-----/p' \
foo.pem > enc.pem

openssl rsa  -in enc.pem  \
-out unenc.pem  -passin pass:vmware

sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' \
foo.pem > cert.pem

keytool -export -alias rabbitmq -keystore rootca.jks -file rabbit-keystore.crt
keytool -import -alias rabbitmq -keystore rootca-truststore.jks -file rabbit-keystore.crt

My node application code is

var fs = require('fs');
var opts = {
  cert: fs.readFileSync('/Users/nischal/Documents/keys1/cert.pem'),
  key: fs.readFileSync('/Users/nischal/Documents/keys1/key.pem'),
  ca: [fs.readFileSync('/Users/nischal/Documents/keys1/cert.pem')]
};

var open = require('amqplib').connect('amqps://prat:5671', opts);
open.then(function(conn) {
  console.log(conn);
}).then(null, console.warn);

and the response is

OperationalError: read ECONNRESET
    at TLSWrap.onStreamRead (internal/stream_base_commons.js:205:27) {
  cause: Error: read ECONNRESET
      at TLSWrap.onStreamRead (internal/stream_base_commons.js:205:27) {
    errno: 'ECONNRESET',
    code: 'ECONNRESET',
    syscall: 'read'
  },
  isOperational: true,
  errno: 'ECONNRESET',
  code: 'ECONNRESET',
  syscall: 'read'
}

Tried with openssl connect and got error of 54

**Command Used** : openssl s_client  -cert /Users/nischal/Documents/keys1/cert.pem -key /Users/nischal/Documents/keys1/key.pem -CAfile /Users/nischal/Documents/keys1/cert.pem -connect prat:5671

**Ouput**
CONNECTED(00000003)
write:errno=54
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 0 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : 0000
    Session-ID: 
    Session-ID-ctx: 
    Master-Key: 
    Start Time: 1598985239
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
---

My spring config is as follows

logging.level.root: DEBUG
spring:
  cloud:
    stream:
      bindings:
        input:
          destination: queue.log.messages
          binder: local_rabbit
        output:
          destination: queue.pretty.log.messages
          binder: local_rabbit
      binders:
        local_rabbit:
          type: rabbit
          environment:
            spring:
              rabbitmq:
                host: prat
                username: admin
                password: admin123
                virtual-host: /
                ssl:
                  enabled: true
                  key-store: file:/Users/nischal/Documents/keys1/foo.p12
                  key-store-password: vmware
                  algoritm: TLSv1.2
                  trust-store: file:/Users/nischal/Documents/keys1/rootca-truststore.jks
                  trust-store-password: vmware
                  verify-hostname: false
                  validate-server-certificate: false

And the error stack trace was

2020-09-02 00:12:23.275 DEBUG 59322 --- [W3xNHbrhwZg-297] o.s.a.r.listener.BlockingQueueConsumer   : Starting consumer Consumer@3585620e: tags=[[]], channel=null, acknowledgeMode=AUTO local queue size=0
2020-09-02 00:12:23.275  INFO 59322 --- [W3xNHbrhwZg-297] o.s.a.r.c.CachingConnectionFactory       : Attempting to connect to: [prat:5671]
2020-09-02 00:12:23.281 DEBUG 59322 --- [W3xNHbrhwZg-297] o.s.a.r.l.SimpleMessageListenerContainer : Recovering consumer in 5000 ms.
2020-09-02 00:12:28.357 DEBUG 59322 --- [W3xNHbrhwZg-297] o.s.a.r.l.SimpleMessageListenerContainer : Consumer raised exception, processing can restart if the connection factory supports it

org.springframework.amqp.AmqpIOException: javax.net.ssl.SSLException: Connection reset
	at org.springframework.amqp.rabbit.support.RabbitExceptionTranslator.convertRabbitAccessException(RabbitExceptionTranslator.java:70) ~[spring-rabbit-2.2.10.RELEASE.jar:2.2.10.RELEASE]
	at org.springframework.amqp.rabbit.connection.AbstractConnectionFactory.createBareConnection(AbstractConnectionFactory.java:524) ~[spring-rabbit-2.2.10.RELEASE.jar:2.2.10.RELEASE]
	at org.springframework.amqp.rabbit.connection.CachingConnectionFactory.createConnection(CachingConnectionFactory.java:751) ~[spring-rabbit-2.2.10.RELEASE.jar:2.2.10.RELEASE]
	at org.springframework.amqp.rabbit.connection.ConnectionFactoryUtils.createConnection(ConnectionFactoryUtils.java:214) ~[spring-rabbit-2.2.10.RELEASE.jar:2.2.10.RELEASE]
	at org.springframework.amqp.rabbit.connection.ConnectionFactoryUtils$RabbitResourceFactory.createConnection(ConnectionFactoryUtils.java:293) ~[spring-rabbit-2.2.10.RELEASE.jar:2.2.10.RELEASE]
	at org.springframework.amqp.rabbit.connection.ConnectionFactoryUtils.doGetTransactionalResourceHolder(ConnectionFactoryUtils.java:130) ~[spring-rabbit-2.2.10.RELEASE.jar:2.2.10.RELEASE]
	at org.springframework.amqp.rabbit.connection.ConnectionFactoryUtils.getTransactionalResourceHolder(ConnectionFactoryUtils.java:92) ~[spring-rabbit-2.2.10.RELEASE.jar:2.2.10.RELEASE]
	at org.springframework.amqp.rabbit.connection.ConnectionFactoryUtils.getTransactionalResourceHolder(ConnectionFactoryUtils.java:75) ~[spring-rabbit-2.2.10.RELEASE.jar:2.2.10.RELEASE]
	at org.springframework.amqp.rabbit.listener.BlockingQueueConsumer.start(BlockingQueueConsumer.java:560) ~[spring-rabbit-2.2.10.RELEASE.jar:2.2.10.RELEASE]
	at org.springframework.amqp.rabbit.listener.SimpleMessageListenerContainer$AsyncMessageProcessingConsumer.initialize(SimpleMessageListenerContainer.java:1350) ~[spring-rabbit-2.2.10.RELEASE.jar:2.2.10.RELEASE]
	at org.springframework.amqp.rabbit.listener.SimpleMessageListenerContainer$AsyncMessageProcessingConsumer.run(SimpleMessageListenerContainer.java:1195) ~[spring-rabbit-2.2.10.RELEASE.jar:2.2.10.RELEASE]
	at java.base/java.lang.Thread.run(Thread.java:834) ~[na:na]
Caused by: javax.net.ssl.SSLException: Connection reset
	at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:127) ~[na:na]
	at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:326) ~[na:na]
	at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:269) ~[na:na]
	at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:264) ~[na:na]
	at java.base/sun.security.ssl.SSLTransport.decode(SSLTransport.java:144) ~[na:na]
	at java.base/sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1403) ~[na:na]
	at java.base/sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1309) ~[na:na]
	at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:440) ~[na:na]
	at java.base/sun.security.ssl.SSLSocketImpl.ensureNegotiated(SSLSocketImpl.java:814) ~[na:na]
	at java.base/sun.security.ssl.SSLSocketImpl$AppOutputStream.write(SSLSocketImpl.java:1184) ~[na:na]
	at java.base/java.io.BufferedOutputStream.flushBuffer(BufferedOutputStream.java:81) ~[na:na]
	at java.base/java.io.BufferedOutputStream.flush(BufferedOutputStream.java:142) ~[na:na]
	at java.base/java.io.DataOutputStream.flush(DataOutputStream.java:123) ~[na:na]
	at com.rabbitmq.client.impl.SocketFrameHandler.sendHeader(SocketFrameHandler.java:160) ~[amqp-client-5.9.0.jar:5.9.0]
	at com.rabbitmq.client.impl.SocketFrameHandler.sendHeader(SocketFrameHandler.java:170) ~[amqp-client-5.9.0.jar:5.9.0]
	at com.rabbitmq.client.impl.AMQConnection.start(AMQConnection.java:314) ~[amqp-client-5.9.0.jar:5.9.0]
	at com.rabbitmq.client.ConnectionFactory.newConnection(ConnectionFactory.java:1139) ~[amqp-client-5.9.0.jar:5.9.0]
	at com.rabbitmq.client.ConnectionFactory.newConnection(ConnectionFactory.java:1087) ~[amqp-client-5.9.0.jar:5.9.0]
	at org.springframework.amqp.rabbit.connection.AbstractConnectionFactory.connectAddresses(AbstractConnectionFactory.java:560) ~[spring-rabbit-2.2.10.RELEASE.jar:2.2.10.RELEASE]
	at org.springframework.amqp.rabbit.connection.AbstractConnectionFactory.connect(AbstractConnectionFactory.java:533) ~[spring-rabbit-2.2.10.RELEASE.jar:2.2.10.RELEASE]
	at org.springframework.amqp.rabbit.connection.AbstractConnectionFactory.createBareConnection(AbstractConnectionFactory.java:487) ~[spring-rabbit-2.2.10.RELEASE.jar:2.2.10.RELEASE]
	... 10 common frames omitted
	Suppressed: java.net.SocketException: Broken pipe (Write failed)
		at java.base/java.net.SocketOutputStream.socketWrite0(Native Method) ~[na:na]
		at java.base/java.net.SocketOutputStream.socketWrite(SocketOutputStream.java:110) ~[na:na]
		at java.base/java.net.SocketOutputStream.write(SocketOutputStream.java:150) ~[na:na]
		at java.base/sun.security.ssl.SSLSocketOutputRecord.encodeAlert(SSLSocketOutputRecord.java:81) ~[na:na]
		at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:357) ~[na:na]
		... 29 common frames omitted
Caused by: java.net.SocketException: Connection reset
	at java.base/java.net.SocketInputStream.read(SocketInputStream.java:186) ~[na:na]
	at java.base/java.net.SocketInputStream.read(SocketInputStream.java:140) ~[na:na]
	at java.base/sun.security.ssl.SSLSocketInputRecord.read(SSLSocketInputRecord.java:467) ~[na:na]
	at java.base/sun.security.ssl.SSLSocketInputRecord.readHeader(SSLSocketInputRecord.java:461) ~[na:na]
	at java.base/sun.security.ssl.SSLSocketInputRecord.decode(SSLSocketInputRecord.java:160) ~[na:na]
	at java.base/sun.security.ssl.SSLTransport.decode(SSLTransport.java:110) ~[na:na]
	... 26 common frames omitted

2020-09-02 00:12:28.358  INFO 59322 --- [W3xNHbrhwZg-297] o.s.a.r.l.SimpleMessageListenerContainer : Restarting Consumer@3585620e: tags=[[]], channel=null, acknowledgeMode=AUTO local queue size=0
2020-09-02 00:12:28.358 DEBUG 59322 --- [W3xNHbrhwZg-297] o.s.a.r.listener.BlockingQueueConsumer   : Closing Rabbit Channel: null

Can I know where exactly I am going wrong ?

or is it that rabbitmq does not support self signed certificates?

Answered by michaelklishin

Sep 4, 2020

Using tls-gen's basic profile, and importing ca_certificate.pem, client_certificate.pem, server_certificate.pem into a JDK trust store like so:

ls -l
total 88
-rw-r--r--  1 antares  wheel  1887 Sep  4 12:28 ca_certificate.pem
-rw-r--r--  1 antares  wheel  3272 Sep  4 12:28 ca_key.pem
-rw-r--r--  1 antares  wheel  1850 Sep  4 12:28 client_certificate.pem
-rw-r--r--  1 antares  wheel  4077 Sep  4 12:28 client_key.p12
-rw-r--r--  1 antares  wheel  3243 Sep  4 12:28 client_key.pem
-rw-r--r--  1 antares  wheel  2033 Sep  4 12:28 server_certificate.pem
-rw-r--r--  1 antares  wheel  4213 Sep  4 12:28 server_key.p12
-rw-r--r--  1 antares  wheel  3243 Sep  4 12:28 server_key.pem
-rw-r--r--  1 anta…

View full answer

michaelklishin · 2020-09-01T18:55:50Z

michaelklishin
Sep 1, 2020
Maintainer

It's not clear from your code what port you are trying to use. You haven't posted any RabbitMQ log snippets either. The message simply says that a TCP socket was closed, it can be that the client tries to use port 5672 (which does not expect a TLS upgrade and will close any connection that does not initiate an AMQP 0-9-1 or AMQP 1.0 handshake).

It could be something else. Troubleshooting TLS provides a framework for narrowing the issue down.

0 replies

michaelklishin · 2020-09-01T19:05:11Z

michaelklishin
Sep 1, 2020
Maintainer

RabbitMQ does support self-signed certificates, as the TLS guide explains. Or rather, it does not care whether the certificates in the chain are self-signed or not, they just have to be trusted on the host.

We have a project that generates self-signed certificate chains. You can use it to compare.

We always recommend starting with the most permissive set of TLS versions enabled (same goes for cipher suites) and then narrowing them down. Your example goes straight to TLSv1.2-only. There are threads on the Internet that show that incompatible version lists or tools will lead to exactly the same "failed write" openssl s_client connection error as the sides cannot agree on a version to use.

As a side note, all TLS settings you use can be configured using rabbitmq.conf's no-longer-really-new configuration format. No need to struggle with the nesting-dependent advanced.config format if you don't use anything that really requires it.

You also configure RabbitMQ to verify clients. Consider first making things work without peer verification, then add server verification for clients, then mutual if needed. Again, the idea is to start with the most basic setup and add d restrictions after it succeeds.

1 reply

revoorunischal Sep 2, 2020
Author

tried with rabbitmq.conf and faced the same issue. Following is my conf

listeners.ssl.default = 5671
ssl_options.cacertfile = /Users/nischal/Documents/testApps/tls-gen-master/separate_intermediates/testca/cacert.pem
ssl_options.certfile   = /Users/nischal/Documents/testApps/tls-gen-master/separate_intermediates/server/cert.pem
ssl_options.keyfile    = /Users/nischal/Documents/testApps/tls-gen-master/separate_intermediates/server/key.pem
ssl_options.password   = bunnies
ssl_options.verify     = verify_peer
ssl_options.fail_if_no_peer_cert = false

I am still getting the same error ECONNRESET

michaelklishin · 2020-09-01T19:13:22Z

michaelklishin
Sep 1, 2020
Maintainer

no peer certificate available

makes me wonder if this config file of yours is even used at all.

Relevan doc guides:

How to Verify Expected RabbitMQ Config File Location
How to Verify Effective Configuration of a Running Node
How to Verify that TLS is Enabled
Providing Private Key Password (your code seems to use one but RabbitMQ config file does not specify any)

but these are just wild guesses because we don't have any server logs to work with. When in doubt, first see if there's anything in the server logs, e.g. can the node actually load the certificate key/pair on start? What is logged during a client connection attempt, and so on.

0 replies

revoorunischal · 2020-09-02T01:30:05Z

revoorunischal
Sep 2, 2020
Author

Hi ,
I am sure config file is being read, Because on providing wrong path/data in this fails to startup the rabbitmq. Following is my rabbitmq-env.conf

CONFIG_FILE=/usr/local/etc/rabbitmq/rabbitmq
NODE_IP_ADDRESS=127.0.0.1
NODENAME=rabbit@localhost
RABBITMQ_LOG_BASE=/usr/local/var/log/rabbitmq

Following is my rabbitmq log , and there is no log entry when a request is made.

2020-09-02 06:54:36.129 [debug] <0.288.0> Lager installed handler error_logger_lager_h into error_logger
2020-09-02 06:54:36.135 [debug] <0.291.0> Lager installed handler lager_forwarder_backend into error_logger_lager_event
2020-09-02 06:54:36.135 [debug] <0.294.0> Lager installed handler lager_forwarder_backend into rabbit_log_lager_event
2020-09-02 06:54:36.135 [debug] <0.303.0> Lager installed handler lager_forwarder_backend into rabbit_log_feature_flags_lager_event
2020-09-02 06:54:36.135 [debug] <0.297.0> Lager installed handler lager_forwarder_backend into rabbit_log_channel_lager_event
2020-09-02 06:54:36.135 [debug] <0.300.0> Lager installed handler lager_forwarder_backend into rabbit_log_connection_lager_event
2020-09-02 06:54:36.135 [debug] <0.306.0> Lager installed handler lager_forwarder_backend into rabbit_log_federation_lager_event
2020-09-02 06:54:36.135 [debug] <0.309.0> Lager installed handler lager_forwarder_backend into rabbit_log_ldap_lager_event
2020-09-02 06:54:36.136 [debug] <0.312.0> Lager installed handler lager_forwarder_backend into rabbit_log_mirroring_lager_event
2020-09-02 06:54:36.136 [debug] <0.315.0> Lager installed handler lager_forwarder_backend into rabbit_log_prelaunch_lager_event
2020-09-02 06:54:36.136 [debug] <0.318.0> Lager installed handler lager_forwarder_backend into rabbit_log_queue_lager_event
2020-09-02 06:54:36.136 [debug] <0.321.0> Lager installed handler lager_forwarder_backend into rabbit_log_ra_lager_event
2020-09-02 06:54:36.136 [debug] <0.327.0> Lager installed handler {lager_file_backend,
                            "/usr/local/var/log/rabbitmq/rabbit@localhost_upgrade.log"} into rabbit_log_upgrade_lager_event
2020-09-02 06:54:36.136 [debug] <0.324.0> Lager installed handler lager_forwarder_backend into rabbit_log_shovel_lager_event
2020-09-02 06:54:36.155 [info] <0.44.0> Application lager started on node rabbit@localhost
2020-09-02 06:54:36.162 [info] <0.272.0> Log file opened with Lager
2020-09-02 06:54:36.670 [debug] <0.283.0> Lager installed handler lager_backend_throttle into lager_event
2020-09-02 06:54:38.419 [info] <0.44.0> Application mnesia started on node rabbit@localhost
2020-09-02 06:54:38.419 [info] <0.272.0> 
 Starting RabbitMQ 3.8.7 on Erlang 23.0.3
 Copyright (c) 2007-2020 VMware, Inc. or its affiliates.
 Licensed under the MPL 2.0. Website: https://rabbitmq.com
2020-09-02 06:54:38.421 [info] <0.272.0> 
 node           : rabbit@localhost
 home dir       : /Users/nischal
 config file(s) : /usr/local/etc/rabbitmq/rabbitmq.config
 cookie hash    : fRKY+Baaqbv4SpxdiAg/8g==
 log(s)         : /usr/local/var/log/rabbitmq/[email protected]
                : /usr/local/var/log/rabbitmq/rabbit@localhost_upgrade.log
 database dir   : /usr/local/var/lib/rabbitmq/mnesia/rabbit@localhost
2020-09-02 06:54:38.429 [info] <0.272.0> Running boot step pre_boot defined by app rabbit
2020-09-02 06:54:38.429 [info] <0.272.0> Running boot step rabbit_core_metrics defined by app rabbit
2020-09-02 06:54:38.430 [info] <0.272.0> Running boot step rabbit_alarm defined by app rabbit
2020-09-02 06:54:38.447 [info] <0.410.0> Memory high watermark set to 6553 MiB (6871947673 bytes) of 16384 MiB (17179869184 bytes) total
2020-09-02 06:54:38.467 [info] <0.421.0> Enabling free disk space monitoring
2020-09-02 06:54:38.468 [info] <0.421.0> Disk free limit set to 50MB
2020-09-02 06:54:38.474 [info] <0.272.0> Running boot step code_server_cache defined by app rabbit
2020-09-02 06:54:38.474 [info] <0.272.0> Running boot step file_handle_cache defined by app rabbit
2020-09-02 06:54:38.474 [info] <0.424.0> Limiting to approx 159 file handles (141 sockets)
2020-09-02 06:54:38.474 [info] <0.425.0> FHC read buffering:  OFF
2020-09-02 06:54:38.474 [info] <0.425.0> FHC write buffering: ON
2020-09-02 06:54:38.475 [info] <0.272.0> Running boot step worker_pool defined by app rabbit
2020-09-02 06:54:38.475 [info] <0.377.0> Will use 8 processes for default worker pool
2020-09-02 06:54:38.475 [info] <0.377.0> Starting worker pool 'worker_pool' with 8 processes in it
2020-09-02 06:54:38.476 [info] <0.272.0> Running boot step database defined by app rabbit
2020-09-02 06:54:38.477 [info] <0.272.0> Waiting for Mnesia tables for 30000 ms, 9 retries left
2020-09-02 06:54:38.486 [info] <0.272.0> Successfully synced tables from a peer
2020-09-02 06:54:38.487 [info] <0.272.0> Waiting for Mnesia tables for 30000 ms, 9 retries left
2020-09-02 06:54:38.487 [info] <0.272.0> Successfully synced tables from a peer
2020-09-02 06:54:38.530 [info] <0.272.0> Waiting for Mnesia tables for 30000 ms, 9 retries left
2020-09-02 06:54:38.530 [info] <0.272.0> Successfully synced tables from a peer
2020-09-02 06:54:38.530 [info] <0.272.0> Peer discovery backend rabbit_peer_discovery_classic_config does not support registration, skipping registration.
2020-09-02 06:54:38.530 [info] <0.272.0> Running boot step database_sync defined by app rabbit
2020-09-02 06:54:38.530 [info] <0.272.0> Running boot step feature_flags defined by app rabbit
2020-09-02 06:54:38.530 [info] <0.272.0> Running boot step codec_correctness_check defined by app rabbit
2020-09-02 06:54:38.530 [info] <0.272.0> Running boot step external_infrastructure defined by app rabbit
2020-09-02 06:54:38.530 [info] <0.272.0> Running boot step rabbit_registry defined by app rabbit
2020-09-02 06:54:38.530 [info] <0.272.0> Running boot step rabbit_auth_mechanism_cr_demo defined by app rabbit
2020-09-02 06:54:38.530 [info] <0.272.0> Running boot step rabbit_queue_location_random defined by app rabbit
2020-09-02 06:54:38.530 [info] <0.272.0> Running boot step rabbit_event defined by app rabbit
2020-09-02 06:54:38.530 [info] <0.272.0> Running boot step rabbit_auth_mechanism_amqplain defined by app rabbit
2020-09-02 06:54:38.530 [info] <0.272.0> Running boot step rabbit_auth_mechanism_plain defined by app rabbit
2020-09-02 06:54:38.531 [info] <0.272.0> Running boot step rabbit_exchange_type_direct defined by app rabbit
2020-09-02 06:54:38.531 [info] <0.272.0> Running boot step rabbit_exchange_type_fanout defined by app rabbit
2020-09-02 06:54:38.531 [info] <0.272.0> Running boot step rabbit_exchange_type_headers defined by app rabbit
2020-09-02 06:54:38.531 [info] <0.272.0> Running boot step rabbit_exchange_type_topic defined by app rabbit
2020-09-02 06:54:38.531 [info] <0.272.0> Running boot step rabbit_mirror_queue_mode_all defined by app rabbit
2020-09-02 06:54:38.531 [info] <0.272.0> Running boot step rabbit_mirror_queue_mode_exactly defined by app rabbit
2020-09-02 06:54:38.531 [info] <0.272.0> Running boot step rabbit_mirror_queue_mode_nodes defined by app rabbit
2020-09-02 06:54:38.531 [info] <0.272.0> Running boot step rabbit_priority_queue defined by app rabbit
2020-09-02 06:54:38.531 [info] <0.272.0> Priority queues enabled, real BQ is rabbit_variable_queue
2020-09-02 06:54:38.531 [info] <0.272.0> Running boot step rabbit_queue_location_client_local defined by app rabbit
2020-09-02 06:54:38.531 [info] <0.272.0> Running boot step rabbit_queue_location_min_masters defined by app rabbit
2020-09-02 06:54:38.531 [info] <0.272.0> Running boot step kernel_ready defined by app rabbit
2020-09-02 06:54:38.531 [info] <0.272.0> Running boot step rabbit_sysmon_minder defined by app rabbit
2020-09-02 06:54:38.531 [info] <0.272.0> Running boot step rabbit_epmd_monitor defined by app rabbit
2020-09-02 06:54:38.532 [info] <0.451.0> epmd monitor knows us, inter-node communication (distribution) port: 25672
2020-09-02 06:54:38.533 [info] <0.272.0> Running boot step guid_generator defined by app rabbit
2020-09-02 06:54:38.545 [info] <0.272.0> Running boot step rabbit_node_monitor defined by app rabbit
2020-09-02 06:54:38.546 [info] <0.455.0> Starting rabbit_node_monitor
2020-09-02 06:54:38.546 [info] <0.272.0> Running boot step delegate_sup defined by app rabbit
2020-09-02 06:54:38.547 [info] <0.272.0> Running boot step rabbit_memory_monitor defined by app rabbit
2020-09-02 06:54:38.548 [info] <0.272.0> Running boot step core_initialized defined by app rabbit
2020-09-02 06:54:38.548 [info] <0.272.0> Running boot step upgrade_queues defined by app rabbit
2020-09-02 06:54:38.561 [info] <0.272.0> Running boot step rabbit_connection_tracking defined by app rabbit
2020-09-02 06:54:38.561 [info] <0.272.0> Running boot step rabbit_connection_tracking_handler defined by app rabbit
2020-09-02 06:54:38.561 [info] <0.272.0> Running boot step rabbit_exchange_parameters defined by app rabbit
2020-09-02 06:54:38.561 [info] <0.272.0> Running boot step rabbit_mirror_queue_misc defined by app rabbit
2020-09-02 06:54:38.561 [info] <0.272.0> Running boot step rabbit_policies defined by app rabbit
2020-09-02 06:54:38.562 [info] <0.272.0> Running boot step rabbit_policy defined by app rabbit
2020-09-02 06:54:38.562 [info] <0.272.0> Running boot step rabbit_queue_location_validator defined by app rabbit
2020-09-02 06:54:38.562 [info] <0.272.0> Running boot step rabbit_quorum_memory_manager defined by app rabbit
2020-09-02 06:54:38.562 [info] <0.272.0> Running boot step rabbit_vhost_limit defined by app rabbit
2020-09-02 06:54:38.562 [info] <0.272.0> Running boot step recovery defined by app rabbit
2020-09-02 06:54:38.563 [info] <0.484.0> Making sure data directory '/usr/local/var/lib/rabbitmq/mnesia/rabbit@localhost/msg_stores/vhosts/628WB79CIFDYO9LJI6DKMI09L' for vhost '/' exists
2020-09-02 06:54:38.575 [info] <0.484.0> Starting message stores for vhost '/'
2020-09-02 06:54:38.575 [info] <0.488.0> Message store "628WB79CIFDYO9LJI6DKMI09L/msg_store_transient": using rabbit_msg_store_ets_index to provide index
2020-09-02 06:54:38.580 [info] <0.484.0> Started message store of type transient for vhost '/'
2020-09-02 06:54:38.580 [info] <0.492.0> Message store "628WB79CIFDYO9LJI6DKMI09L/msg_store_persistent": using rabbit_msg_store_ets_index to provide index
2020-09-02 06:54:38.583 [info] <0.484.0> Started message store of type persistent for vhost '/'
2020-09-02 06:54:38.595 [info] <0.272.0> Running boot step empty_db_check defined by app rabbit
2020-09-02 06:54:38.595 [info] <0.272.0> Will not seed default virtual host and user: have definitions to load...
2020-09-02 06:54:38.595 [info] <0.272.0> Running boot step rabbit_looking_glass defined by app rabbit
2020-09-02 06:54:38.595 [info] <0.272.0> Running boot step rabbit_core_metrics_gc defined by app rabbit
2020-09-02 06:54:38.595 [info] <0.272.0> Running boot step background_gc defined by app rabbit
2020-09-02 06:54:38.595 [info] <0.272.0> Running boot step connection_tracking defined by app rabbit
2020-09-02 06:54:38.596 [info] <0.272.0> Setting up a table for connection tracking on this node: tracked_connection_on_node_rabbit@localhost
2020-09-02 06:54:38.596 [info] <0.272.0> Setting up a table for per-vhost connection counting on this node: tracked_connection_per_vhost_on_node_rabbit@localhost
2020-09-02 06:54:38.596 [info] <0.272.0> Running boot step routing_ready defined by app rabbit
2020-09-02 06:54:38.596 [info] <0.272.0> Running boot step pre_flight defined by app rabbit
2020-09-02 06:54:38.596 [info] <0.272.0> Running boot step notify_cluster defined by app rabbit
2020-09-02 06:54:38.596 [info] <0.272.0> Running boot step networking defined by app rabbit
2020-09-02 06:54:38.596 [info] <0.272.0> Running boot step definition_import_worker_pool defined by app rabbit
2020-09-02 06:54:38.596 [info] <0.377.0> Starting worker pool 'definition_import_pool' with 8 processes in it
2020-09-02 06:54:38.597 [info] <0.272.0> Running boot step cluster_name defined by app rabbit
2020-09-02 06:54:38.597 [info] <0.272.0> Running boot step direct_client defined by app rabbit
2020-09-02 06:54:38.597 [info] <0.44.0> Application rabbit started on node rabbit@localhost
2020-09-02 06:54:39.248 [info] <0.536.0> Feature flags: list of feature flags found:
2020-09-02 06:54:39.249 [info] <0.536.0> Feature flags:   [ ] drop_unroutable_metric
2020-09-02 06:54:39.249 [info] <0.536.0> Feature flags:   [ ] empty_basic_get_metric
2020-09-02 06:54:39.249 [info] <0.536.0> Feature flags:   [x] implicit_default_bindings
2020-09-02 06:54:39.249 [info] <0.536.0> Feature flags:   [x] quorum_queue
2020-09-02 06:54:39.249 [info] <0.536.0> Feature flags:   [x] virtual_host_metadata
2020-09-02 06:54:39.249 [info] <0.536.0> Feature flags: feature flag states written to disk: yes
2020-09-02 06:54:39.367 [info] <0.536.0> Running boot step rabbit_mgmt_db_handler defined by app rabbitmq_management_agent
2020-09-02 06:54:39.367 [info] <0.536.0> Management plugin: using rates mode 'none'
2020-09-02 06:54:39.404 [info] <0.44.0> Application rabbitmq_management_agent started on node rabbit@localhost
2020-09-02 06:54:39.417 [info] <0.44.0> Application cowlib started on node rabbit@localhost
2020-09-02 06:54:39.430 [info] <0.44.0> Application cowboy started on node rabbit@localhost
2020-09-02 06:54:39.445 [info] <0.44.0> Application rabbitmq_web_dispatch started on node rabbit@localhost
2020-09-02 06:54:39.458 [info] <0.44.0> Application amqp_client started on node rabbit@localhost
2020-09-02 06:54:39.470 [info] <0.536.0> Running boot step rabbit_mgmt_reset_handler defined by app rabbitmq_management
2020-09-02 06:54:39.470 [info] <0.536.0> Running boot step rabbit_management_load_definitions defined by app rabbitmq_management
2020-09-02 06:54:39.499 [info] <0.602.0> Management plugin: HTTP (non-TLS) listener started on port 15672
2020-09-02 06:54:39.500 [info] <0.708.0> Statistics database started.
2020-09-02 06:54:39.500 [info] <0.707.0> Starting worker pool 'management_worker_pool' with 3 processes in it
2020-09-02 06:54:39.500 [info] <0.595.0> opening log file: "/usr/local/var/log/rabbitmq/access.log.2020_09_02_01"
2020-09-02 06:54:39.501 [info] <0.44.0> Application rabbitmq_management started on node rabbit@localhost
2020-09-02 06:54:39.515 [info] <0.44.0> Application amqp10_common started on node rabbit@localhost
2020-09-02 06:54:39.528 [info] <0.44.0> Application rabbitmq_amqp1_0 started on node rabbit@localhost
2020-09-02 06:54:39.571 [info] <0.726.0> MQTT retained message store: rabbit_mqtt_retained_msg_store_dets
2020-09-02 06:54:39.576 [info] <0.744.0> started MQTT TCP listener on [::]:1883
2020-09-02 06:54:39.578 [info] <0.44.0> Application rabbitmq_mqtt started on node rabbit@localhost
2020-09-02 06:54:39.592 [notice] <0.722.0> mqtt_node: candidate -> leader in term: 16 machine version: 0
2020-09-02 06:54:39.594 [info] <0.747.0> rabbit_stomp: default user 'guest' enabled
2020-09-02 06:54:39.595 [info] <0.763.0> started STOMP TCP listener on [::]:61613
2020-09-02 06:54:39.597 [info] <0.536.0> Ready to start client connection listeners
2020-09-02 06:54:39.598 [info] <0.44.0> Application rabbitmq_stomp started on node rabbit@localhost
2020-09-02 06:54:39.601 [info] <0.778.0> started TCP listener on 127.0.0.1:5672
2020-09-02 06:54:39.651 [info] <0.794.0> started TLS (SSL) listener on [::]:5671
2020-09-02 06:54:39.653 [notice] <0.280.0> Changed loghwm of /usr/local/var/log/rabbitmq/[email protected] to 5000
2020-09-02 06:54:39.831 [info] <0.536.0> Server startup complete; 6 plugins started.
 * rabbitmq_stomp
 * rabbitmq_mqtt
 * rabbitmq_amqp1_0
 * rabbitmq_management
 * rabbitmq_web_dispatch
 * rabbitmq_management_agent

0 replies

revoorunischal · 2020-09-02T01:34:08Z

revoorunischal
Sep 2, 2020
Author

My rabbitmq status is here

Status of node rabbit@localhost ...
Runtime

OS PID: 67219
OS: macOS
Uptime (seconds): 493
RabbitMQ version: 3.8.7
Node name: rabbit@localhost
Erlang configuration: Erlang/OTP 23 [erts-11.0.3] [source] [64-bit] [smp:8:8] [ds:8:8:10] [async-threads:128] [hipe] [dtrace]
Erlang processes: 514 used, 1048576 limit
Scheduler run queue: 1
Cluster heartbeat timeout (net_ticktime): 60

Plugins

Enabled plugin file: /usr/local/etc/rabbitmq/enabled_plugins
Enabled plugins:

 * rabbitmq_stomp
 * rabbitmq_mqtt
 * rabbitmq_amqp1_0
 * amqp10_common
 * rabbitmq_management
 * amqp_client
 * rabbitmq_web_dispatch
 * cowboy
 * cowlib
 * rabbitmq_management_agent

Data directory

Node data directory: /usr/local/var/lib/rabbitmq/mnesia/rabbit@localhost
Raft data directory: /usr/local/var/lib/rabbitmq/mnesia/rabbit@localhost/quorum/rabbit@localhost

Config files

 * /usr/local/etc/rabbitmq/rabbitmq.config

Log file(s)

 * /usr/local/var/log/rabbitmq/[email protected]
 * /usr/local/var/log/rabbitmq/rabbit@localhost_upgrade.log

Alarms

(none)

Memory

Total memory used: 0.0962 gb
Calculation strategy: rss
Memory high watermark setting: 0.4 of available memory, computed to: 6.8719 gb

code: 0.0284 gb (26.52 %)
other_proc: 0.0242 gb (22.58 %)
allocated_unused: 0.0217 gb (20.24 %)
other_system: 0.0202 gb (18.81 %)
plugins: 0.0063 gb (5.85 %)
other_ets: 0.0036 gb (3.31 %)
atom: 0.0015 gb (1.36 %)
binary: 0.0007 gb (0.67 %)
metrics: 0.0002 gb (0.2 %)
mgmt_db: 0.0002 gb (0.15 %)
quorum_queue_procs: 0.0001 gb (0.09 %)
mnesia: 0.0001 gb (0.08 %)
quorum_ets: 0.0001 gb (0.05 %)
queue_procs: 0.0 gb (0.04 %)
msg_index: 0.0 gb (0.03 %)
connection_other: 0.0 gb (0.0 %)
connection_channels: 0.0 gb (0.0 %)
connection_readers: 0.0 gb (0.0 %)
connection_writers: 0.0 gb (0.0 %)
queue_slave_procs: 0.0 gb (0.0 %)
reserved_unallocated: 0.0 gb (0.0 %)

File Descriptors

Total: 2, limit: 159
Sockets: 0, limit: 141

Free Disk Space

Low free disk space watermark: 0.05 gb
Free disk space: 382.0385 gb

Totals

Connection count: 0
Queue count: 2
Virtual host count: 1

Listeners

Interface: [::], port: 15672, protocol: http, purpose: HTTP API
Interface: [::], port: 1883, protocol: mqtt, purpose: MQTT
Interface: [::], port: 61613, protocol: stomp, purpose: STOMP
Interface: [::], port: 25672, protocol: clustering, purpose: inter-node and CLI tool communication
Interface: 127.0.0.1, port: 5672, protocol: amqp, purpose: AMQP 0-9-1 and AMQP 1.0
Interface: [::], port: 5671, protocol: amqp/ssl, purpose: AMQP 0-9-1 and AMQP 1.0 over TLS

0 replies

revoorunischal · 2020-09-02T02:03:27Z

revoorunischal
Sep 2, 2020
Author

tried using the keys generated by tls-gen, and i am getting the same error of ECONNRESET in node js and write:errno=54 with openssl s_client.

Is there any place we can enable specific logs for these ?

1 reply

michaelklishin Sep 2, 2020
Maintainer

@revoorunischal ECONNREST is a TCP-level "connection refused" message. A TLS connection upgrade happens after a successful TCP connection.

If no requests are logged, your issue is elsewhere (could be a MacOS firewall, for example). Wireshark is the best source of information on what is really going on with a connection.

revoorunischal · 2020-09-04T07:59:45Z

revoorunischal
Sep 4, 2020
Author

Hi ,
On Further trials, I found that starting the application as a service using brew (brew services start rabbitmq) was causing the issue. Now i started the application using "rabbitmq-server" command.

Now the issue what is occurring is peer verification is not happening from rabbitmq. Client is able to verify the server but server fails to verify the client and getting an error in readhandshake (Caused by: javax.net.ssl.SSLException: readHandshakeRecord).

By removing verify_peer config (ssl_options.verify = verify_peer) makes the connection working but now 2 way ssl is not complete, right ??.

Else if fail_if_no_peer_cert is set to false( ssl_options.fail_if_no_peer_cert = false) and i provide a key which is not truststore connection completes, but again 2 way ssl is not complete.

I have added all my keys, commands used , sample java project and rabbitmq.conf in a github project for you to reproduce in github
https://github.com/revoorunischal/rabbitmqssltest
Here hostname is prat which is pointing 127.0.0.1 in /etc/hosts

Following are the error logs

in [email protected]

2020-09-04 13:20:53.987 [debug] <0.1192.0> Supervisor {<0.1192.0>,rabbit_connection_sup} started rabbit_connection_helper_sup:start_link() at pid <0.1193.0>
2020-09-04 13:20:53.988 [debug] <0.1192.0> Supervisor {<0.1192.0>,rabbit_connection_sup} started rabbit_reader:start_link(<0.1193.0>, {acceptor,{0,0,0,0,0,0,0,0},5671}) at pid <0.1194.0>
2020-09-04 13:20:54.108 [debug] <0.1198.0> Supervisor {<0.1198.0>,rabbit_connection_sup} started rabbit_connection_helper_sup:start_link() at pid <0.1199.0>
2020-09-04 13:20:54.109 [debug] <0.1198.0> Supervisor {<0.1198.0>,rabbit_connection_sup} started rabbit_reader:start_link(<0.1199.0>, {acceptor,{0,0,0,0,0,0,0,0},5671}) at pid <0.1200.0>
2020-09-04 13:20:54.122 [debug] <0.1204.0> Supervisor {<0.1204.0>,rabbit_connection_sup} started rabbit_connection_helper_sup:start_link() at pid <0.1205.0>
2020-09-04 13:20:54.122 [debug] <0.1204.0> Supervisor {<0.1204.0>,rabbit_connection_sup} started rabbit_reader:start_link(<0.1205.0>, {acceptor,{0,0,0,0,0,0,0,0},5671}) at pid <0.1206.0>
2020-09-04 13:20:54.136 [debug] <0.1210.0> Supervisor {<0.1210.0>,rabbit_connection_sup} started rabbit_connection_helper_sup:start_link() at pid <0.1211.0>
2020-09-04 13:20:54.136 [debug] <0.1210.0> Supervisor {<0.1210.0>,rabbit_connection_sup} started rabbit_reader:start_link(<0.1211.0>, {acceptor,{0,0,0,0,0,0,0,0},5671}) at pid <0.1212.0>
2020-09-04 13:20:54.162 [debug] <0.1216.0> Supervisor {<0.1216.0>,rabbit_connection_sup} started rabbit_connection_helper_sup:start_link() at pid <0.1217.0>
2020-09-04 13:20:54.162 [debug] <0.1216.0> Supervisor {<0.1216.0>,rabbit_connection_sup} started rabbit_reader:start_link(<0.1217.0>, {acceptor,{0,0,0,0,0,0,0,0},5671}) at pid <0.1218.0>
2020-09-04 13:20:54.179 [debug] <0.1222.0> Supervisor {<0.1222.0>,rabbit_connection_sup} started rabbit_connection_helper_sup:start_link() at pid <0.1223.0>
2020-09-04 13:20:54.179 [debug] <0.1222.0> Supervisor {<0.1222.0>,rabbit_connection_sup} started rabbit_reader:start_link(<0.1223.0>, {acceptor,{0,0,0,0,0,0,0,0},5671}) at pid <0.1224.0>
2020-09-04 13:20:59.276 [debug] <0.1233.0> Supervisor {<0.1233.0>,rabbit_connection_sup} started rabbit_connection_helper_sup:start_link() at pid <0.1234.0>
2020-09-04 13:20:59.276 [debug] <0.1233.0> Supervisor {<0.1233.0>,rabbit_connection_sup} started rabbit_reader:start_link(<0.1234.0>, {acceptor,{0,0,0,0,0,0,0,0},5671}) at pid <0.1235.0>

And following is the stacktrace in java

2020-09-04 13:20:53.975  INFO 33991 --- [           main] o.s.a.r.c.CachingConnectionFactory       : Attempting to connect to: [prat:5671]
2020-09-04 13:20:54.076 DEBUG 33991 --- [           main] c.s.b.r.p.RabbitExchangeQueueProvisioner : Declaration of exchange: queue.pretty.log.messages deferred

org.springframework.amqp.AmqpIOException: javax.net.ssl.SSLException: readHandshakeRecord
	at org.springframework.amqp.rabbit.support.RabbitExceptionTranslator.convertRabbitAccessException(RabbitExceptionTranslator.java:70) ~[spring-rabbit-2.2.10.RELEASE.jar:2.2.10.RELEASE]
	at org.springframework.amqp.rabbit.connection.AbstractConnectionFactory.createBareConnection(AbstractConnectionFactory.java:524) ~[spring-rabbit-2.2.10.RELEASE.jar:2.2.10.RELEASE]
	at org.springframework.amqp.rabbit.connection.CachingConnectionFactory.createConnection(CachingConnectionFactory.java:751) ~[spring-rabbit-2.2.10.RELEASE.jar:2.2.10.RELEASE]
	at org.springframework.amqp.rabbit.connection.ConnectionFactoryUtils.createConnection(ConnectionFactoryUtils.java:214) ~[spring-rabbit-2.2.10.RELEASE.jar:2.2.10.RELEASE]
	at org.springframework.amqp.rabbit.core.RabbitTemplate.doExecute(RabbitTemplate.java:2089) ~[spring-rabbit-2.2.10.RELEASE.jar:2.2.10.RELEASE]
	at org.springframework.amqp.rabbit.core.RabbitTemplate.execute(RabbitTemplate.java:2062) ~[spring-rabbit-2.2.10.RELEASE.jar:2.2.10.RELEASE]
	at org.springframework.amqp.rabbit.core.RabbitTemplate.execute(RabbitTemplate.java:2042) ~[spring-rabbit-2.2.10.RELEASE.jar:2.2.10.RELEASE]
	at org.springframework.amqp.rabbit.core.RabbitAdmin.declareExchange(RabbitAdmin.java:221) ~[spring-rabbit-2.2.10.RELEASE.jar:2.2.10.RELEASE]
	at org.springframework.cloud.stream.binder.rabbit.provisioning.RabbitExchangeQueueProvisioner.declareExchange(RabbitExchangeQueueProvisioner.java:605) ~[spring-cloud-stream-binder-rabbit-core-3.0.8.RELEASE.jar:3.0.8.RELEASE]
	at org.springframework.cloud.stream.binder.rabbit.provisioning.RabbitExchangeQueueProvisioner.provisionProducerDestination(RabbitExchangeQueueProvisioner.java:118) ~[spring-cloud-stream-binder-rabbit-core-3.0.8.RELEASE.jar:3.0.8.RELEASE]
	at org.springframework.cloud.stream.binder.rabbit.provisioning.RabbitExchangeQueueProvisioner.provisionProducerDestination(RabbitExchangeQueueProvisioner.java:74) ~[spring-cloud-stream-binder-rabbit-core-3.0.8.RELEASE.jar:3.0.8.RELEASE]
	at org.springframework.cloud.stream.binder.AbstractMessageChannelBinder.doBindProducer(AbstractMessageChannelBinder.java:222) ~[spring-cloud-stream-3.0.8.RELEASE.jar:3.0.8.RELEASE]
	at org.springframework.cloud.stream.binder.AbstractMessageChannelBinder.doBindProducer(AbstractMessageChannelBinder.java:90) ~[spring-cloud-stream-3.0.8.RELEASE.jar:3.0.8.RELEASE]
	at org.springframework.cloud.stream.binder.AbstractBinder.bindProducer(AbstractBinder.java:152) ~[spring-cloud-stream-3.0.8.RELEASE.jar:3.0.8.RELEASE]
	at org.springframework.cloud.stream.binding.BindingService.doBindProducer(BindingService.java:313) ~[spring-cloud-stream-3.0.8.RELEASE.jar:3.0.8.RELEASE]
	at org.springframework.cloud.stream.binding.BindingService.bindProducer(BindingService.java:282) ~[spring-cloud-stream-3.0.8.RELEASE.jar:3.0.8.RELEASE]
	at org.springframework.cloud.stream.binding.BindingService.bindProducer(BindingService.java:291) ~[spring-cloud-stream-3.0.8.RELEASE.jar:3.0.8.RELEASE]
	at org.springframework.cloud.stream.binding.AbstractBindableProxyFactory.createAndBindOutputs(AbstractBindableProxyFactory.java:136) ~[spring-cloud-stream-3.0.8.RELEASE.jar:3.0.8.RELEASE]
	at org.springframework.cloud.stream.binding.OutputBindingLifecycle.doStartWithBindable(OutputBindingLifecycle.java:58) ~[spring-cloud-stream-3.0.8.RELEASE.jar:3.0.8.RELEASE]
	at java.base/java.util.LinkedHashMap$LinkedValues.forEach(LinkedHashMap.java:608) ~[na:na]
	at org.springframework.cloud.stream.binding.AbstractBindingLifecycle.start(AbstractBindingLifecycle.java:57) ~[spring-cloud-stream-3.0.8.RELEASE.jar:3.0.8.RELEASE]
	at org.springframework.cloud.stream.binding.OutputBindingLifecycle.start(OutputBindingLifecycle.java:34) ~[spring-cloud-stream-3.0.8.RELEASE.jar:3.0.8.RELEASE]
	at org.springframework.context.support.DefaultLifecycleProcessor.doStart(DefaultLifecycleProcessor.java:182) ~[spring-context-5.2.8.RELEASE.jar:5.2.8.RELEASE]
	at org.springframework.context.support.DefaultLifecycleProcessor.access$200(DefaultLifecycleProcessor.java:53) ~[spring-context-5.2.8.RELEASE.jar:5.2.8.RELEASE]
	at org.springframework.context.support.DefaultLifecycleProcessor$LifecycleGroup.start(DefaultLifecycleProcessor.java:360) ~[spring-context-5.2.8.RELEASE.jar:5.2.8.RELEASE]
	at org.springframework.context.support.DefaultLifecycleProcessor.startBeans(DefaultLifecycleProcessor.java:158) ~[spring-context-5.2.8.RELEASE.jar:5.2.8.RELEASE]
	at org.springframework.context.support.DefaultLifecycleProcessor.onRefresh(DefaultLifecycleProcessor.java:122) ~[spring-context-5.2.8.RELEASE.jar:5.2.8.RELEASE]
	at org.springframework.context.support.AbstractApplicationContext.finishRefresh(AbstractApplicationContext.java:895) ~[spring-context-5.2.8.RELEASE.jar:5.2.8.RELEASE]
	at org.springframework.context.support.AbstractApplicationContext.refresh(AbstractApplicationContext.java:554) ~[spring-context-5.2.8.RELEASE.jar:5.2.8.RELEASE]
	at org.springframework.boot.SpringApplication.refresh(SpringApplication.java:758) ~[spring-boot-2.3.3.RELEASE.jar:2.3.3.RELEASE]
	at org.springframework.boot.SpringApplication.refresh(SpringApplication.java:750) ~[spring-boot-2.3.3.RELEASE.jar:2.3.3.RELEASE]
	at org.springframework.boot.SpringApplication.refreshContext(SpringApplication.java:397) ~[spring-boot-2.3.3.RELEASE.jar:2.3.3.RELEASE]
	at org.springframework.boot.SpringApplication.run(SpringApplication.java:315) ~[spring-boot-2.3.3.RELEASE.jar:2.3.3.RELEASE]
	at org.springframework.boot.SpringApplication.run(SpringApplication.java:1237) ~[spring-boot-2.3.3.RELEASE.jar:2.3.3.RELEASE]
	at org.springframework.boot.SpringApplication.run(SpringApplication.java:1226) ~[spring-boot-2.3.3.RELEASE.jar:2.3.3.RELEASE]
	at com.test.amqp.AmqpApplication.main(AmqpApplication.java:16) ~[classes/:na]
Caused by: javax.net.ssl.SSLException: readHandshakeRecord
	at java.base/sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1320) ~[na:na]
	at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:440) ~[na:na]
	at java.base/sun.security.ssl.SSLSocketImpl.ensureNegotiated(SSLSocketImpl.java:814) ~[na:na]
	at java.base/sun.security.ssl.SSLSocketImpl$AppOutputStream.write(SSLSocketImpl.java:1184) ~[na:na]
	at java.base/java.io.BufferedOutputStream.flushBuffer(BufferedOutputStream.java:81) ~[na:na]
	at java.base/java.io.BufferedOutputStream.flush(BufferedOutputStream.java:142) ~[na:na]
	at java.base/java.io.DataOutputStream.flush(DataOutputStream.java:123) ~[na:na]
	at com.rabbitmq.client.impl.SocketFrameHandler.sendHeader(SocketFrameHandler.java:160) ~[amqp-client-5.9.0.jar:5.9.0]
	at com.rabbitmq.client.impl.SocketFrameHandler.sendHeader(SocketFrameHandler.java:170) ~[amqp-client-5.9.0.jar:5.9.0]
	at com.rabbitmq.client.impl.AMQConnection.start(AMQConnection.java:314) ~[amqp-client-5.9.0.jar:5.9.0]
	at com.rabbitmq.client.ConnectionFactory.newConnection(ConnectionFactory.java:1139) ~[amqp-client-5.9.0.jar:5.9.0]
	at com.rabbitmq.client.ConnectionFactory.newConnection(ConnectionFactory.java:1087) ~[amqp-client-5.9.0.jar:5.9.0]
	at org.springframework.amqp.rabbit.connection.AbstractConnectionFactory.connectAddresses(AbstractConnectionFactory.java:560) ~[spring-rabbit-2.2.10.RELEASE.jar:2.2.10.RELEASE]
	at org.springframework.amqp.rabbit.connection.AbstractConnectionFactory.connect(AbstractConnectionFactory.java:533) ~[spring-rabbit-2.2.10.RELEASE.jar:2.2.10.RELEASE]
	at org.springframework.amqp.rabbit.connection.AbstractConnectionFactory.createBareConnection(AbstractConnectionFactory.java:487) ~[spring-rabbit-2.2.10.RELEASE.jar:2.2.10.RELEASE]
	... 34 common frames omitted
	Suppressed: java.net.SocketException: Broken pipe (Write failed)
		at java.base/java.net.SocketOutputStream.socketWrite0(Native Method) ~[na:na]
		at java.base/java.net.SocketOutputStream.socketWrite(SocketOutputStream.java:110) ~[na:na]
		at java.base/java.net.SocketOutputStream.write(SocketOutputStream.java:150) ~[na:na]
		at java.base/sun.security.ssl.SSLSocketOutputRecord.encodeAlert(SSLSocketOutputRecord.java:81) ~[na:na]
		at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:357) ~[na:na]
		at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:269) ~[na:na]
		at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:450) ~[na:na]
		... 47 common frames omitted
Caused by: java.net.SocketException: Broken pipe (Write failed)
	at java.base/java.net.SocketOutputStream.socketWrite0(Native Method) ~[na:na]
	at java.base/java.net.SocketOutputStream.socketWrite(SocketOutputStream.java:110) ~[na:na]
	at java.base/java.net.SocketOutputStream.write(SocketOutputStream.java:150) ~[na:na]
	at java.base/sun.security.ssl.SSLSocketOutputRecord.flush(SSLSocketOutputRecord.java:251) ~[na:na]
	at java.base/sun.security.ssl.HandshakeOutStream.flush(HandshakeOutStream.java:89) ~[na:na]
	at java.base/sun.security.ssl.ECDHClientKeyExchange$ECDHEClientKeyExchangeProducer.produce(ECDHClientKeyExchange.java:402) ~[na:na]
	at java.base/sun.security.ssl.ClientKeyExchange$ClientKeyExchangeProducer.produce(ClientKeyExchange.java:65) ~[na:na]
	at java.base/sun.security.ssl.SSLHandshake.produce(SSLHandshake.java:436) ~[na:na]
	at java.base/sun.security.ssl.ServerHelloDone$ServerHelloDoneConsumer.consume(ServerHelloDone.java:182) ~[na:na]
	at java.base/sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:392) ~[na:na]
	at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:444) ~[na:na]
	at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:422) ~[na:na]
	at java.base/sun.security.ssl.TransportContext.dispatch(TransportContext.java:183) ~[na:na]
	at java.base/sun.security.ssl.SSLTransport.decode(SSLTransport.java:171) ~[na:na]
	at java.base/sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1403) ~[na:na]
	at java.base/sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1309) ~[na:na]
	... 48 common frames omitted

2020-09-04 13:20:54.082  INFO 33991 --- [           main] o.s.c.s.m.DirectWithAttributesChannel    : Channel 'application.output' has 1 subscriber(s).
2020-09-04 13:20:54.084 DEBUG 33991 --- [           main] o.s.c.support.DefaultLifecycleProcessor  : Successfully started bean 'outputBindingLifecycle'
2020-09-04 13:20:54.084 DEBUG 33991 --- [           main] o.s.c.support.DefaultLifecycleProcessor  : Starting beans in phase 2147482647
2020-09-04 13:20:54.084 DEBUG 33991 --- [           main] o.s.c.s.b.AbstractBindableProxyFactory   : Binding inputs for :interface org.springframework.cloud.stream.messaging.Processor
2020-09-04 13:20:54.084 DEBUG 33991 --- [           main] o.s.c.s.b.AbstractBindableProxyFactory   : Binding :interface org.springframework.cloud.stream.messaging.Processor:input
2020-09-04 13:20:54.084  INFO 33991 --- [           main] o.s.c.s.binder.DefaultBinderFactory      : Retrieving cached binder: local_rabbit
2020-09-04 13:20:54.107  INFO 33991 --- [           main] c.s.b.r.p.RabbitExchangeQueueProvisioner : declaring queue for inbound: queue.log.messages.anonymous.zVFamJ6qS4Cy8ezITSKCfQ, bound to: queue.log.messages
2020-09-04 13:20:54.107  INFO 33991 --- [           main] o.s.a.r.c.CachingConnectionFactory       : Attempting to connect to: [prat:5671]
2020-09-04 13:20:54.119 DEBUG 33991 --- [           main] c.s.b.r.p.RabbitExchangeQueueProvisioner : Declaration of exchange: queue.log.messages deferred

0 replies

michaelklishin · 2020-09-04T08:58:11Z

michaelklishin
Sep 4, 2020
Maintainer

@revoorunischal according to some findings, this is due to a TLS version mismatch. The stack trace mentions ECDHClientKeyExchange so I assume this uses a modern version an attempts to use an elliptic curve-based cipher suite.

For ECC suites, the latest Erlang release and a reasonably recent JDK are always recommended. There are explicit and implicit limitations in order TLS implementations of various ECC suites.

0 replies

michaelklishin · 2020-09-04T09:15:26Z

michaelklishin
Sep 4, 2020
Maintainer

There are several things about this example that make reproducing the issue more time consuming. I can successfully connect with openssl s_client when peer verification is disabled (I explained why it works above) with some modifications

This rabbitmq.conf file does not specify a private key password
Your example produces two distinct certificate chains with two different root certificates as far as I can tell, which means they have to be bundled for RabbitMQ's cacertfile and added to the trusted list on the host

Once I concatenated the CA files into one:

and add a password to the config file:

log.file.level = debug
listeners.ssl.default = 5671

ssl_options.cacertfile = /tmp/rabbitmqssltest/keys2/ca_bundle.pem
ssl_options.certfile   = /tmp/rabbitmqssltest/keys2/rabbit-public.pem
ssl_options.keyfile    = /tmp/rabbitmqssltest/keys2/rabbit-private.pem
ssl_options.password   = prat123

# ssl_options.verify = verify_peer
# ssl_options.fail_if_no_peer_cert = true

I was able to connect (note the server certificate information; RabbitMQ also logged a AMQP 0-9-1/1.0 handshake timeout, which means TLS upgrade has succeeded):

openssl s_client -tls1_2 -connect prat:5671 -cert ./iot-public.pem -key ./iot-private.pem -CAfile ./ca_bundle.pem -pass "pass:prat123"                                       130 ↵
CONNECTED(00000005)
Can't use SSL_get_servername
depth=0 C = IN, ST = Karntaka, L = Bangalore, O = Pratishthan, OU = Finacle, CN = prat
verify return:1
---
Certificate chain
 0 s:C = IN, ST = Karntaka, L = Bangalore, O = Pratishthan, OU = Finacle, CN = prat
   i:C = IN, ST = Karntaka, L = Bangalore, O = Pratishthan, OU = Finacle, CN = prat
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIDdTCCAl2gAwIBAgIESD/DZDANBgkqhkiG9w0BAQsFADBrMQswCQYDVQQGEwJJ
TjERMA8GA1UECBMIS2FybnRha2ExEjAQBgNVBAcTCUJhbmdhbG9yZTEUMBIGA1UE
ChMLUHJhdGlzaHRoYW4xEDAOBgNVBAsTB0ZpbmFjbGUxDTALBgNVBAMTBHByYXQw
HhcNMjAwOTA0MDczODAzWhcNMjAxMjAzMDczODAzWjBrMQswCQYDVQQGEwJJTjER
MA8GA1UECBMIS2FybnRha2ExEjAQBgNVBAcTCUJhbmdhbG9yZTEUMBIGA1UEChML
UHJhdGlzaHRoYW4xEDAOBgNVBAsTB0ZpbmFjbGUxDTALBgNVBAMTBHByYXQwggEi
MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCR7GFi7vYIoly5pb9ghg/e+E5P
orNUG1S4kkCBkCH4RNJ8UyCq8Xh1wpxNqSxkNmn+yYH8Mo4H6iGHGJ5PwEFexxqV
GAm4yHHy+4rCEDF+o4sMvY15XhborBa/K7e9a91FIUbh3tYZ1HhoPWhRKo5GHTWC
E7Aa43IlrodWdVcrC8YioGv+aQfqr21qGD31ABveBlhV2OpRrtZIi5Ymx0Oo0Cq1
jRIZLatfTzX9txVoIHFj4rsuApeupr6qacy1QC/dG+9LZ/a/Mg5qrA/HpgTHlRK3
2TRJ/0JfHUXB6H/YEA583dNMuEtUe4hsmvmb1pvap6UjKm+h4zF+EJjc+KrTAgMB
AAGjITAfMB0GA1UdDgQWBBS2MUHNnuYQd6nbN6iRqsz1H6GkHDANBgkqhkiG9w0B
AQsFAAOCAQEAD56vi2tn0F5+SrdhRg/zzLKqmsdTA99QPn1tVN6E7uVDZ5wpkrz1
obR6upFNzajgUrFfJQp3sOEvgQ71SddfPcHd8IiZJCdKGClDp6SLvvbDr2k0uRyd
RArLdvWgxeAVboscTUkgqyIj8ityuusvF2x/cupFA0kLNuB5Mm7D98ng5AJk/vu0
kKqp1kzYOZpYv4JRICMKM8dZyB9I0asOvAimaWI+bEhKAw4FREtf59YcJjka90mU
S3Vtqo3O0ziJmmcTejRFlNlPxtYX7vqhfrN3fhLiAkxXcXZ93lPLQY7Z1SlwBOQ+
q26IAr+O8ILeDihQU8SP/ptYDjpg+I6k7g==
-----END CERTIFICATE-----
subject=C = IN, ST = Karntaka, L = Bangalore, O = Pratishthan, OU = Finacle, CN = prat

issuer=C = IN, ST = Karntaka, L = Bangalore, O = Pratishthan, OU = Finacle, CN = prat

---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 1394 bytes and written 320 bytes
Verification: OK
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: E595342E99BB385AEAE68ADA562BB49A213FAAF7AEA7E3242CD5CC25C4F8F394
    Session-ID-ctx:
    Master-Key: DC19FC36B1F26B79C8750515AE4071E5AE269B82F5043B0F2B532DEA13867221BB673D1BE622101C455700AC1BBF3A9B
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1599210732
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
---
closed

0 replies

michaelklishin · 2020-09-04T09:22:47Z

michaelklishin
Sep 4, 2020
Maintainer

With enabled peer verification, openssl s_client reports

verify return:1
4648287680:error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate:ssl/record/rec_layer_s3.c:1544:SSL alert number 42

I don't have much recent experience with keytool but openssl/tls-gen-produced certificates work as expected.

I'd recommend taking the tls-gen's basic profile, producing a PKCS#12 certificate from the client certificate/key pair, importing them into a JDK key store and using that as your starting point. keytool is an industry standard when it comes to JDK projects but it's not really an industry standard when it comes to producing certificate/key chains for arbitrary tools (including RabbitMQ).
For better or worse, OpenSSL is.

Dropping private key passwords initially is also a good idea.

1 reply

michaelklishin Sep 4, 2020
Maintainer

"alert 42" or "bad certificate" can mean a broad range of problems but in general, it means that a peer certificate did not satisfy some conditions.

I could reproduce the exception from ./mvnw spring-boot:run:

2020-09-04 12:26:20.036  INFO 69872 --- [           main] o.s.a.r.c.CachingConnectionFactory       : Attempting to connect to: [prat:5671]
2020-09-04 12:26:20.047 DEBUG 69872 --- [           main] c.s.b.r.p.RabbitExchangeQueueProvisioner : Declaration of queue: queue.log.messages.anonymous.JLdvnj87R0aiF0O92_404A deferred

org.springframework.amqp.AmqpIOException: javax.net.ssl.SSLException: readHandshakeRecord
	at org.springframework.amqp.rabbit.support.RabbitExceptionTranslator.convertRabbitAccessException(RabbitExceptionTranslator.java:70) ~[spring-rabbit-2.2.10.RELEASE.jar:2.2.10.RELEASE]
	at org.springframework.amqp.rabbit.connection.AbstractConnectionFactory.createBareConnection(AbstractConnectionFactory.java:524) ~[spring-rabbit-2.2.10.RELEASE.jar:2.2.10.RELEASE]
	at org.springframework.amqp.rabbit.connection.CachingConnectionFactory.createConnection(CachingConnectionFactory.java:751) ~[spring-rabbit-2.2.10.RELEASE.jar:2.2.10.RELEASE]
	at org.springframework.amqp.rabbit.connection.ConnectionFactoryUtils.createConnection(ConnectionFactoryUtils.java:214) ~[spring-rabbit-2.2.10.RELEASE.jar:2.2.10.RELEASE]
	at org.springframework.amqp.rabbit.core.RabbitTemplate.doExecute(RabbitTemplate.java:2089) ~[spring-rabbit-2.2.10.RELEASE.jar:2.2.10.RELEASE]
	at org.springframework.amqp.rabbit.core.RabbitTemplate.execute(RabbitTemplate.java:2062) ~[spring-rabbit-2.2.10.RELEASE.jar:2.2.10.RELEASE]
	at org.springframework.amqp.rabbit.core.RabbitTemplate.execute(RabbitTemplate.java:2042) ~[spring-rabbit-2.2.10.RELEASE.jar:2.2.10.RELEASE]
	at org.springframework.amqp.rabbit.core.RabbitAdmin.declareQueue(RabbitAdmin.java:267) ~[spring-rabbit-2.2.10.RELEASE.jar:2.2.10.RELEASE]

michaelklishin · 2020-09-04T09:39:06Z

michaelklishin
Sep 4, 2020
Maintainer

Using tls-gen's basic profile, and importing ca_certificate.pem, client_certificate.pem, server_certificate.pem into a JDK trust store like so:

ls -l
total 88
-rw-r--r--  1 antares  wheel  1887 Sep  4 12:28 ca_certificate.pem
-rw-r--r--  1 antares  wheel  3272 Sep  4 12:28 ca_key.pem
-rw-r--r--  1 antares  wheel  1850 Sep  4 12:28 client_certificate.pem
-rw-r--r--  1 antares  wheel  4077 Sep  4 12:28 client_key.p12
-rw-r--r--  1 antares  wheel  3243 Sep  4 12:28 client_key.pem
-rw-r--r--  1 antares  wheel  2033 Sep  4 12:28 server_certificate.pem
-rw-r--r--  1 antares  wheel  4213 Sep  4 12:28 server_key.p12
-rw-r--r--  1 antares  wheel  3243 Sep  4 12:28 server_key.pem
-rw-r--r--  1 antares  wheel  4666 Sep  4 12:34 truststore.jks

I'll skip the steps where I created an empty trust store file with keytool but the password used was bunnies.

keytool -import -v -trustcacerts -alias warp10-ca -file ca_certificate.pem -keystore truststore.jks
keytool -import -v -trustcacerts -alias warp10-server -file server_certificate.pem -keystore truststore.jks
keytool -import -v -trustcacerts -alias warp10-client -file client_certificate.pem -keystore truststore.jks

keytool -list -v -keystore truststore.jks

# [entered "bunnies" for password]

Keystore type: PKCS12
Keystore provider: SUN

Your keystore contains 3 entries

Alias name: warp10-ca
Creation date: Sep 4, 2020
Entry type: trustedCertEntry

Owner: L=$$$$, CN=TLSGenSelfSignedtRootCA
Issuer: L=$$$$, CN=TLSGenSelfSignedtRootCA
Serial number: b50f5cd6fb78b3ce
Valid from: Mon Apr 08 12:28:02 MSK 2019 until: Thu Apr 05 12:28:02 MSK 2029
Certificate fingerprints:
	 SHA1: 47:02:54:B2:3B:B0:1D:2B:D2:0C:21:75:DE:9C:66:68:DD:13:20:DB
	 SHA256: C0:DB:4A:F0:7E:2F:F9:27:32:18:C1:EF:0A:18:74:E2:6B:0F:40:CB:31:1F:EB:08:E2:9A:12:C4:5D:24:E7:55
Signature algorithm name: SHA256withRSA
Subject Public Key Algorithm: 4096-bit RSA key
Version: 3

Extensions:

#1: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: BB C2 05 BD BC 9B BB 84   EB C0 82 E1 D6 A1 7F 70  ...............p
0010: E3 8B 0D 1E                                        ....
]
]

#2: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
  CA:true
  PathLen:2147483647
]

#3: ObjectId: 2.5.29.15 Criticality=false
KeyUsage [
  Key_CertSign
  Crl_Sign
]

#4: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: BB C2 05 BD BC 9B BB 84   EB C0 82 E1 D6 A1 7F 70  ...............p
0010: E3 8B 0D 1E                                        ....
]
]



*******************************************
*******************************************


Alias name: warp10-client
Creation date: Sep 4, 2020
Entry type: trustedCertEntry

Owner: O=client, CN=warp10
Issuer: L=$$$$, CN=TLSGenSelfSignedtRootCA
Serial number: 2
Valid from: Mon Apr 08 12:28:03 MSK 2019 until: Thu Apr 05 12:28:03 MSK 2029
Certificate fingerprints:
	 SHA1: DD:F3:9C:16:40:DF:0B:3C:B3:7B:8B:3E:78:96:AA:44:8D:3F:F4:0F
	 SHA256: 84:7B:3B:E5:E6:E7:56:25:07:64:4F:8E:82:71:1A:63:06:F1:F8:3E:CF:80:FD:A5:79:58:B3:D5:40:CB:27:BB
Signature algorithm name: SHA256withRSA
Subject Public Key Algorithm: 4096-bit RSA key
Version: 3

Extensions:

#1: ObjectId: 2.5.29.19 Criticality=false
BasicConstraints:[
  CA:false
  PathLen: undefined
]

#2: ObjectId: 2.5.29.37 Criticality=false
ExtendedKeyUsages [
  clientAuth
]

#3: ObjectId: 2.5.29.15 Criticality=false
KeyUsage [
  DigitalSignature
  Key_Encipherment
]

#4: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
  DNSName: warp10
  DNSName: warp10.local
  DNSName: localhost
]



*******************************************
*******************************************


Alias name: warp10-server
Creation date: Sep 4, 2020
Entry type: trustedCertEntry

Owner: O=server, CN=warp10
Issuer: L=$$$$, CN=TLSGenSelfSignedtRootCA
Serial number: 1
Valid from: Mon Apr 08 12:28:02 MSK 2019 until: Thu Apr 05 12:28:02 MSK 2029
Certificate fingerprints:
	 SHA1: 2A:ED:05:B7:86:67:B5:22:30:7E:0B:32:3C:F6:17:F1:81:01:EC:B0
	 SHA256: 0B:7F:ED:70:05:2C:43:27:EA:39:D7:97:09:BB:2F:46:A0:25:0E:FC:4A:0C:42:A4:55:43:3C:E4:05:BF:4E:A0
Signature algorithm name: SHA256withRSA
Subject Public Key Algorithm: 4096-bit RSA key
Version: 3

Extensions:

#1: ObjectId: 2.16.840.1.113730.1.13 Criticality=false
0000: 16 2A 2E 28 50 75 70 70   65 74 20 52 75 62 79 2F  .*.(Puppet Ruby/
0010: 4F 70 65 6E 53 53 4C 20   49 6E 74 65 72 6E 61 6C  OpenSSL Internal
0020: 20 43 65 72 74 69 66 69   63 61 74 65               Certificate


#2: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: BB C2 05 BD BC 9B BB 84   EB C0 82 E1 D6 A1 7F 70  ...............p
0010: E3 8B 0D 1E                                        ....
]
]

#3: ObjectId: 2.5.29.19 Criticality=false
BasicConstraints:[
  CA:false
  PathLen: undefined
]

#4: ObjectId: 2.5.29.37 Criticality=false
ExtendedKeyUsages [
  serverAuth
  clientAuth
]

#5: ObjectId: 2.5.29.15 Criticality=false
KeyUsage [
  DigitalSignature
  Key_Encipherment
]

#6: ObjectId: 2.5.29.17 Criticality=false
SubjectAlternativeName [
  DNSName: warp10
  DNSName: warp10.local
  DNSName: localhost
]

#7: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 1E 9B 15 FF 09 97 2F 5A   33 89 28 8B 12 CA 61 A0  ....../Z3.(...a.
0010: 56 1A FA FB                                        V...
]
]



*******************************************
*******************************************

and updating the Boot config file to match:

logging.level.root: DEBUG
spring:
  cloud:
    stream:
      bindings:
        input:
          destination: queue.log.messages
          binder: local_rabbit
        output:
          destination: queue.pretty.log.messages
          binder: local_rabbit
      binders:
        local_rabbit:
          type: rabbit
          environment:
            spring:
              rabbitmq:
                addresses:  amqps://guest:guest@localhost:5671
                virtual-host: /
                ssl:
                  enabled: true
                  key-store: file:/tmp/rabbitmqssltest/keys3/client_key.p12
                  key-store-password: bunnies
                  trust-store: file:/tmp/rabbitmqssltest/keys3/truststore.jks
                  trust-store-password: bunnies
                  verify-hostname: true
                  validate-server-certificate: true

I managed to successfully connect:

rabbitmqctl list_connections user peer_host peer_port state ssl --formatter=pretty_table
# => Listing connections ...
# => ┌───────┬───────────────────────────┬───────────┬─────────┬──────┐
# => │ user  │ peer_host                 │ peer_port │ state   │ ssl  │
# => ├───────┼───────────────────────────┼───────────┼─────────┼──────┤
# => │ guest │ {0,0,0,0,0,65535,32512,1} │ 63094     │ running │ true │
# => └───────┴───────────────────────────┴───────────┴─────────┴──────┘

1 reply

michaelklishin Sep 4, 2020
Maintainer

This connection uses TLSv1.2 with an ECC suite:

I am running this Boot app on JDK 13.

michaelklishin · 2020-09-04T09:58:52Z

michaelklishin
Sep 4, 2020
Maintainer

If you compare your "iot" (client) certificate with that produced by tls-gen like so:

openssl x509 -in ./iot-public.pem -text -nameopt RFC2253 -subject -noout
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1133615950 (0x43919b4e)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN=prat,OU=Finacle,O=Pratishthan,L=Karantaka,ST=Ka,C=IN
        Validity
            Not Before: Sep  4 07:39:07 2020 GMT
            Not After : Dec  3 07:39:07 2020 GMT
        Subject: CN=prat,OU=Finacle,O=Pratishthan,L=Karantaka,ST=Ka,C=IN
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Modulus:
                    00:9f:a8:85:fd:d1:6d:d8:37:6e:6b:25:2a:32:98:
                    dd:45:ca:fe:4b:b6:0b:7d:a4:7c:81:78:ed:73:f7:
                    7a:8d:83:58:8a:02:81:3b:75:c2:47:b8:05:7c:8b:
                    4c:28:e0:09:20:e0:66:c5:b3:30:06:bc:61:42:37:
                    d6:ea:6d:5c:f9:43:b9:3c:b0:b5:95:2d:2e:62:bb:
                    2b:f4:bd:2b:65:a7:02:e9:67:63:33:8e:e5:e8:59:
                    8e:92:52:96:ac:18:2f:60:6e:8f:b0:fa:0c:65:47:
                    b9:68:cb:6e:26:73:77:65:b1:8f:3b:f3:27:00:1e:
                    e5:5c:87:50:14:9d:0d:f6:ff:f4:87:54:82:87:a9:
                    25:9c:f3:36:11:9a:a1:02:26:da:6e:80:1a:6d:8e:
                    36:ce:f4:c0:e3:0c:6d:fd:ef:37:a7:5c:4e:d7:d9:
                    5d:c2:c1:39:86:8b:e7:f1:50:c9:fa:d7:38:62:5c:
                    aa:2b:69:48:75:34:33:39:c2:14:5c:b4:42:7d:7b:
                    11:eb:6a:d1:cd:a6:ac:0c:5e:ea:6e:9f:94:ce:3f:
                    ac:3d:90:87:18:e4:27:41:cd:81:ec:59:dd:36:1a:
                    5b:ca:b7:f1:04:b5:fc:63:32:96:97:d4:2c:62:38:
                    41:61:9c:13:f1:28:1d:99:bc:7a:74:d2:c1:8b:21:
                    40:b9
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                2E:08:04:EA:CF:46:04:5D:D7:14:D7:F5:AD:E6:51:1E:07:6C:DC:D2
    Signature Algorithm: sha256WithRSAEncryption
         2d:99:89:35:61:15:31:26:21:b2:e5:5a:9b:a9:76:d8:7f:db:
         f2:3f:c2:e9:96:15:fb:22:4c:cc:fa:24:13:69:c1:ef:02:29:
         c3:8f:6f:fe:be:da:8a:42:31:6d:75:16:97:63:b2:85:44:9e:
         85:81:53:5e:dc:64:55:5e:67:c7:82:2f:f4:88:31:52:f7:a0:
         3a:4e:ba:9d:f3:66:7c:48:ac:40:08:2b:1b:57:d3:78:1c:90:
         b6:99:4c:18:c5:8d:2a:c9:cf:42:fd:df:1d:42:d0:d9:f0:a0:
         65:f2:8e:60:f1:95:c9:d1:37:38:3e:1c:33:94:20:bd:00:4d:
         f2:ee:da:42:08:7f:50:f1:b1:49:c7:c9:ae:41:25:86:3b:03:
         8c:db:e0:b0:77:a7:ef:ce:4f:67:e8:e6:a6:b0:76:b3:ee:7e:
         2c:58:c4:b5:18:11:71:1b:65:41:52:01:52:a7:3f:2b:20:21:
         54:6f:83:ea:19:5f:72:a0:5a:89:e7:eb:d2:cc:89:b9:f8:0c:
         a9:ea:19:9f:21:4c:89:34:1b:2e:04:f5:1c:87:f9:d5:cf:bf:
         2e:67:13:a1:f5:57:c5:14:d2:5a:72:e0:28:6e:d5:0d:c2:eb:
         b9:97:bd:55:74:82:f3:37:4f:34:24:3a:40:2e:60:69:f8:4c:
         b1:6b:69:c2
subject=CN=prat,OU=Finacle,O=Pratishthan,L=Karantaka,ST=Ka,C=IN

openssl x509 -in ../keys3/client_certificate.pem -text -nameopt RFC2253 -subject -noout
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 2 (0x2)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: L=$$$$,CN=TLSGenSelfSignedtRootCA
        Validity
            Not Before: Apr  8 09:28:03 2019 GMT
            Not After : Apr  5 09:28:03 2029 GMT
        Subject: O=client,CN=warp10
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (4096 bit)
                Modulus:
                    00:dc:0c:4a:d5:e1:0c:08:0e:aa:f1:ab:b2:80:28:
                    3e:cb:49:ee:b8:bc:c2:0f:0c:82:bd:f7:61:08:a2:
                    b2:3f:b3:23:c9:57:88:57:21:34:62:7a:65:74:67:
                    a4:d0:83:48:32:5e:d5:10:5d:27:66:3a:1c:63:f7:
                    5a:96:fa:e6:cb:5c:0a:d7:e4:59:2e:21:c6:81:69:
                    db:41:c4:dc:8d:46:f7:db:c4:0b:1d:0a:2d:1c:e9:
                    7f:c0:94:1e:16:a4:08:0e:e2:27:74:18:39:e7:9c:
                    cb:e9:d9:28:1e:3a:14:52:4f:6a:a3:2d:e6:0d:4b:
                    75:2e:14:5b:c1:45:b9:f4:02:6e:a1:f0:04:23:38:
                    2f:1f:9b:38:ca:b8:d8:a2:63:5c:7d:9b:e4:c7:1b:
                    7f:e8:7c:79:fc:1e:9b:14:fe:54:4d:b0:69:9f:ce:
                    91:95:cb:b0:5e:88:59:e1:72:3f:4a:8b:d5:63:2d:
                    c4:dd:10:1e:cf:fa:93:d1:28:bb:a9:35:d0:8f:0a:
                    7e:48:50:35:a3:6b:d0:f5:2c:ee:17:e7:89:6f:83:
                    22:5e:1a:b7:cf:f1:ed:a2:01:96:d3:67:68:dd:08:
                    bb:9b:eb:c3:2a:da:f1:b1:f8:64:0f:f6:86:2c:03:
                    93:41:d9:b3:0b:0d:16:7f:58:84:cd:6a:b1:48:a1:
                    bc:d0:3b:4b:e9:80:d2:36:9e:02:15:79:6f:2a:be:
                    9b:de:1c:40:30:4f:47:03:bb:fd:cd:6e:44:7f:4c:
                    20:74:21:9e:ae:67:65:a8:25:21:8b:cc:f9:76:bf:
                    e9:a5:a3:cb:8e:f1:8a:e2:d8:ff:e2:43:eb:87:13:
                    f2:ee:af:ae:30:d8:5e:81:50:93:4e:11:72:b2:fb:
                    f0:63:1b:c8:dc:8c:a2:b4:75:0d:94:55:6c:3b:75:
                    b1:d9:67:ec:be:d6:a1:fd:ea:b5:60:ae:e4:99:61:
                    59:29:31:e5:6e:0e:47:1c:ca:20:f0:7b:92:e4:5b:
                    fe:59:6c:5d:90:97:64:e3:b2:52:4c:4b:e8:fe:53:
                    3e:e6:db:1a:68:38:9c:c6:3d:a6:24:9f:66:a0:50:
                    ca:bb:72:88:a2:20:1e:e0:9c:d5:3b:5a:1e:48:71:
                    b7:39:99:7a:53:4b:c9:b8:e2:75:35:98:d2:56:1f:
                    03:f5:39:f5:72:19:93:27:c4:a2:eb:c9:64:88:04:
                    b1:7d:46:51:69:ed:e0:df:ec:7c:87:d9:c5:f2:29:
                    84:67:ee:5c:e2:db:b7:45:e2:8f:17:fd:90:86:6b:
                    41:ae:99:46:47:58:30:cb:a4:80:f7:7a:10:de:46:
                    aa:70:2b:cb:71:c6:98:1e:88:37:a2:d5:ff:85:33:
                    06:8e:b1
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            X509v3 Key Usage:
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage:
                TLS Web Client Authentication
            X509v3 Subject Alternative Name:
                DNS:warp10, DNS:warp10.local, DNS:localhost
    Signature Algorithm: sha256WithRSAEncryption
         31:15:13:1d:8c:e7:3a:09:3e:5d:2f:50:58:b8:38:74:fa:25:
         be:55:d6:96:37:ed:8c:9b:d7:c0:85:52:65:09:62:43:42:f1:
         83:5d:7a:e3:fc:0e:93:5d:77:cd:9e:9b:25:cb:8e:33:f4:2b:
         d8:f6:36:d5:97:1d:3f:6b:46:16:3b:bd:10:1a:bd:b5:9e:74:
         18:df:c1:e2:65:26:a7:0b:13:e7:8a:d8:e7:b3:81:8d:a6:a8:
         2a:d7:45:44:ca:80:98:1f:e4:aa:fa:9d:60:71:44:51:5f:2f:
         d3:3b:0f:b2:ba:32:db:24:4b:e4:94:76:ed:bb:fc:55:6b:48:
         60:cb:72:16:d1:bc:37:1e:e6:62:db:d2:8c:45:0a:32:dc:a5:
         b5:25:78:f3:6b:5f:cf:03:e2:b2:c6:48:80:ea:93:4f:be:b1:
         48:ab:0d:b4:6a:64:1a:86:4e:e8:2c:9f:de:b5:a8:5b:54:90:
         e2:1d:81:a1:19:68:67:83:e6:f3:94:a5:44:67:60:9b:eb:a1:
         43:a0:c6:80:2c:5d:f9:a2:37:2f:8f:7b:a9:42:46:29:59:8d:
         5a:78:47:0c:e3:22:2a:74:9b:2e:ed:3a:e5:51:88:0a:70:24:
         03:4d:3c:d9:bc:c4:7d:f7:0c:84:d9:d3:79:df:b4:e2:2c:bf:
         2d:a1:19:6b:30:8c:3f:ac:10:f2:c1:f8:cd:be:67:1b:93:4b:
         e8:95:db:0e:fe:1f:ea:88:94:73:d5:ef:42:48:32:6b:38:d1:
         d3:3c:d7:48:b2:c8:b1:fa:98:c1:c5:ec:34:e7:a4:80:fe:8e:
         37:6d:97:07:9f:70:69:b0:8b:25:de:7b:1e:e4:69:f3:dd:09:
         6a:04:9a:f0:ff:1e:2b:7a:69:10:d2:3b:72:f5:da:2a:5f:76:
         85:db:2e:af:89:04:90:8b:2d:6f:03:60:ac:54:ea:b6:79:fd:
         5e:bf:1b:8e:6f:49:e3:84:ab:ea:1e:f7:5f:9f:b8:da:1f:c3:
         10:0e:3e:1f:0b:99:3b:77:74:a1:74:df:ba:6d:a9:95:c1:f0:
         3b:af:e7:9c:0d:0f:c6:4e:ac:99:7d:ad:54:26:92:96:30:18:
         de:17:61:9b:ba:f9:49:0f:b0:30:88:86:9e:70:72:86:31:39:
         06:52:54:c4:e9:78:f4:39:8c:5b:9f:f8:22:79:0b:e8:66:28:
         d4:ef:c3:a8:d2:4c:c6:60:58:ec:c4:32:31:25:8b:44:fa:7d:
         51:84:78:a5:6d:93:9e:73:4f:4d:07:74:82:eb:6a:c9:8f:fa:
         5e:24:5e:f6:c2:a9:b4:9a:52:44:68:d3:20:ea:28:df:dd:5d:
         23:97:42:81:38:e7:f7:c6
subject=O=client,CN=warp10

you will notice that they have different x509v3 extensions. Those extensions are critically important as they can prevent certificates from being used for certain purposes. tls-gen produces a certificate that can be used for client authentication (that is, presenting a client's identity), digital signature and key encipherment but not as a CA certificate:

        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            X509v3 Key Usage:
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage:
                TLS Web Client Authentication
            X509v3 Subject Alternative Name:
                DNS:warp10, DNS:warp10.local, DNS:localhost

These are highly relevant for data service clients, including RabbitMQ

Your certificate only has a subject key identifier extension:

        X509v3 extensions:
            X509v3 Subject Key Identifier:
                2E:08:04:EA:CF:46:04:5D:D7:14:D7:F5:AD:E6:51:1E:07:6C:DC:D2

The same goes for the server certificate:

openssl x509 -in ./rabbit-public.pem -text -nameopt RFC2253 -subject -noout
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1212138340 (0x483fc364)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN=prat,OU=Finacle,O=Pratishthan,L=Bangalore,ST=Karntaka,C=IN
        Validity
            Not Before: Sep  4 07:38:03 2020 GMT
            Not After : Dec  3 07:38:03 2020 GMT
        Subject: CN=prat,OU=Finacle,O=Pratishthan,L=Bangalore,ST=Karntaka,C=IN
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Modulus:
                    00:91:ec:61:62:ee:f6:08:a2:5c:b9:a5:bf:60:86:
                    0f:de:f8:4e:4f:a2:b3:54:1b:54:b8:92:40:81:90:
                    21:f8:44:d2:7c:53:20:aa:f1:78:75:c2:9c:4d:a9:
                    2c:64:36:69:fe:c9:81:fc:32:8e:07:ea:21:87:18:
                    9e:4f:c0:41:5e:c7:1a:95:18:09:b8:c8:71:f2:fb:
                    8a:c2:10:31:7e:a3:8b:0c:bd:8d:79:5e:16:e8:ac:
                    16:bf:2b:b7:bd:6b:dd:45:21:46:e1:de:d6:19:d4:
                    78:68:3d:68:51:2a:8e:46:1d:35:82:13:b0:1a:e3:
                    72:25:ae:87:56:75:57:2b:0b:c6:22:a0:6b:fe:69:
                    07:ea:af:6d:6a:18:3d:f5:00:1b:de:06:58:55:d8:
                    ea:51:ae:d6:48:8b:96:26:c7:43:a8:d0:2a:b5:8d:
                    12:19:2d:ab:5f:4f:35:fd:b7:15:68:20:71:63:e2:
                    bb:2e:02:97:ae:a6:be:aa:69:cc:b5:40:2f:dd:1b:
                    ef:4b:67:f6:bf:32:0e:6a:ac:0f:c7:a6:04:c7:95:
                    12:b7:d9:34:49:ff:42:5f:1d:45:c1:e8:7f:d8:10:
                    0e:7c:dd:d3:4c:b8:4b:54:7b:88:6c:9a:f9:9b:d6:
                    9b:da:a7:a5:23:2a:6f:a1:e3:31:7e:10:98:dc:f8:
                    aa:d3
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                B6:31:41:CD:9E:E6:10:77:A9:DB:37:A8:91:AA:CC:F5:1F:A1:A4:1C
    Signature Algorithm: sha256WithRSAEncryption
         0f:9e:af:8b:6b:67:d0:5e:7e:4a:b7:61:46:0f:f3:cc:b2:aa:
         9a:c7:53:03:df:50:3e:7d:6d:54:de:84:ee:e5:43:67:9c:29:
         92:bc:f5:a1:b4:7a:ba:91:4d:cd:a8:e0:52:b1:5f:25:0a:77:
         b0:e1:2f:81:0e:f5:49:d7:5f:3d:c1:dd:f0:88:99:24:27:4a:
         18:29:43:a7:a4:8b:be:f6:c3:af:69:34:b9:1c:9d:44:0a:cb:
         76:f5:a0:c5:e0:15:6e:8b:1c:4d:49:20:ab:22:23:f2:2b:72:
         ba:eb:2f:17:6c:7f:72:ea:45:03:49:0b:36:e0:79:32:6e:c3:
         f7:c9:e0:e4:02:64:fe:fb:b4:90:aa:a9:d6:4c:d8:39:9a:58:
         bf:82:51:20:23:0a:33:c7:59:c8:1f:48:d1:ab:0e:bc:08:a6:
         69:62:3e:6c:48:4a:03:0e:05:44:4b:5f:e7:d6:1c:26:39:1a:
         f7:49:94:4b:75:6d:aa:8d:ce:d3:38:89:9a:67:13:7a:34:45:
         94:d9:4f:c6:d6:17:ee:fa:a1:7e:b3:77:7e:12:e2:02:4c:57:
         71:76:7d:de:53:cb:41:8e:d9:d5:29:70:04:e4:3e:ab:6e:88:
         02:bf:8e:f0:82:de:0e:28:50:53:c4:8f:fe:9b:58:0e:3a:60:
         f8:8e:a4:ee
subject=CN=prat,OU=Finacle,O=Pratishthan,L=Bangalore,ST=Karntaka,C=IN

So indeed the certificate generation process with keytool leaves important attributes out. I recommend using tls-gen as an example as it's just a tiny Python 3 tool that drives openssl.

2 replies

michaelklishin Sep 4, 2020
Maintainer

keytool supports optional x509 extensions according to the docs.

revoorunischal Sep 4, 2020
Author

oh i could work with these keys itself using truststore.

revoorunischal · 2020-09-04T11:24:49Z

revoorunischal
Sep 4, 2020
Author

Hi ,
The issue got resolved. I was using the truststore in ssl_options.cacertfile which is wrong.

After seeing the issue raised here #2405. I realised even I have to do the same so I also added a empty.pem in cacerts and then added truststore directory and added truststore plugin, after doing these it started working fine.

Also as he mentions in his google thread the order matters truststore should come after cacerts else it doesn't work.

But the other issue is after adding truststore plugin I am not able to start rabbitmq using brew services. Its crashing with erlang exceptions. I have attached here the entire log folder zip tar (https://drive.google.com/file/d/1J4rIuyb08KvB1c7hikhOfnWBctTf6wYQ/view?usp=sharing)

and error snippet is

2020-09-04 14:11:44.262 [info] <0.718.0> supervisor: {local,rabbit_trust_store_sup}, errorContext: start_error, reason: {{badmatch,{error,eperm}},[{rabbit_trust_store_file_provider,list_certs_0,1,[{file,"src/rabbit_trust_store_file_provider.erl"},{line,48}]},{rabbit_trust_store_file_provider,list_certs,1,[{file,"src/rabbit_trust_store_file_provider.erl"},{line,20}]},{rabbit_trust_store,refresh_provider_certs,3,[{file,"src/rabbit_trust_store.erl"},{line,228}]},{rabbit_trust_store,'-refresh_certs/2-fun-0-',4,[{file,"src/rabbit_trust_store.erl"},{line,217}]},{lists,foldl,3,[{file,"lists.erl"},{line,1263}]},{rabbit_trust_store,init,1,[{file,"src/rabbit_trust_store.erl"},{line,133}]},{gen_server,init_it,2,[{file,"gen_server.erl"},{line,417}]},{gen_server,init_it,6,[{file,"gen_server.erl"},{line,385}]}]}, offender: [{pid,undefined},{id,trust_store},{mfargs,{rabbit_trust_store,start_link,[]}},{restart_type,permanent},{shutdown,15000},{child_type,worker}]
2020-09-04 14:11:44.262 [error] <0.718.0> Supervisor rabbit_trust_store_sup had child trust_store started with rabbit_trust_store:start_link() at undefined exit with reason no match of right hand value {error,eperm} in rabbit_trust_store_file_provider:list_certs_0/1 line 48 in context start_error
2020-09-04 14:11:44.263 [info] <0.719.0> [{initial_call,{rabbit_trust_store,init,['Argument__1']}},{pid,<0.719.0>},{registered_name,[]},{error_info,{error,{badmatch,{error,eperm}},[{rabbit_trust_store_file_provider,list_certs_0,1,[{file,"src/rabbit_trust_store_file_provider.erl"},{line,48}]},{rabbit_trust_store_file_provider,list_certs,1,[{file,"src/rabbit_trust_store_file_provider.erl"},{line,20}]},{rabbit_trust_store,refresh_provider_certs,3,[{file,"src/rabbit_trust_store.erl"},{line,228}]},{rabbit_trust_store,'-refresh_certs/2-fun-0-',4,[{file,"src/rabbit_trust_store.erl"},{line,217}]},{lists,foldl,3,[{file,"lists.erl"},{line,1263}]},{rabbit_trust_store,init,1,[{file,"src/rabbit_trust_store.erl"},{line,133}]},{gen_server,init_it,2,[{file,"gen_server.erl"},{line,417}]},{gen_server,init_it,6,[{file,"gen_server.erl"},{line,385}]}]}},{ancestors,[rabbit_trust_store_sup,<0.717.0>]},{message_queue_len,1},{messages,[{'EXIT',<0.718.0>,{shutdown,{failed_to_start_child,trust_store,{{badmatch,{error,eperm}},[{rabbit_trust_store_file_provider,list_certs_0,1,[{file,"src/rabbit_trust_store_file_provider.erl"},{line,48}]},{rabbit_trust_store_file_provider,list_certs,1,[{file,"src/rabbit_trust_store_file_provider.erl"},{line,20}]},{rabbit_trust_store,refresh_provider_certs,3,[{file,"src/rabbit_trust_store.erl"},{line,228}]},{rabbit_trust_store,'-refresh_certs/2-fun-0-',4,[{file,"src/rabbit_trust_store.erl"},{line,217}]},{lists,foldl,3,[{file,"lists.erl"},{line,1263}]},{rabbit_trust_store,init,1,[{file,"src/rabbit_trust_store.erl"},{line,133}]},{gen_server,init_it,2,[{file,"gen_server.erl"},{line,417}]},{gen_server,init_it,6,[{file,"gen_server.erl"},{line,385}]}]}}}}]},{links,[]},{dictionary,[]},{trap_exit,true},{status,running},{heap_size,2586},{stack_size,28},{reductions,1851}], []
2020-09-04 14:11:44.263 [error] <0.534.0> 
2020-09-04 14:11:44.263 [error] <0.534.0> BOOT FAILED
2020-09-04 14:11:44.263 [error] <0.719.0> CRASH REPORT Process <0.719.0> with 0 neighbours crashed with reason: no match of right hand value {error,eperm} in rabbit_trust_store_file_provider:list_certs_0/1 line 48
2020-09-04 14:11:44.263 [error] <0.534.0> ===========
2020-09-04 14:11:44.263 [error] <0.534.0> Error during startup: {error,
2020-09-04 14:11:44.263 [error] <0.534.0>                        {rabbitmq_trust_store,
2020-09-04 14:11:44.263 [error] <0.534.0>                         {{shutdown,
2020-09-04 14:11:44.263 [error] <0.534.0>                           {failed_to_start_child,trust_store,
2020-09-04 14:11:44.264 [error] <0.534.0>                            {{badmatch,{error,eperm}},
2020-09-04 14:11:44.264 [info] <0.716.0> [{initial_call,{application_master,init,['Argument__1','Argument__2','Argument__3','Argument__4']}},{pid,<0.716.0>},{registered_name,[]},{error_info,{exit,{{shutdown,{failed_to_start_child,trust_store,{{badmatch,{error,eperm}},[{rabbit_trust_store_file_provider,list_certs_0,1,[{file,"src/rabbit_trust_store_file_provider.erl"},{line,48}]},{rabbit_trust_store_file_provider,list_certs,1,[{file,"src/rabbit_trust_store_file_provider.erl"},{line,20}]},{rabbit_trust_store,refresh_provider_certs,3,[{file,"src/rabbit_trust_store.erl"},{line,228}]},{rabbit_trust_store,'-refresh_certs/2-fun-0-',4,[{file,"src/rabbit_trust_store.erl"},{line,217}]},{lists,foldl,3,[{file,"lists.erl"},{line,1263}]},{rabbit_trust_store,init,1,[{file,"src/rabbit_trust_store.erl"},{line,133}]},{gen_server,init_it,2,[{file,"gen_server.erl"},{line,417}]},{gen_server,init_it,6,[{file,"gen_server.erl"},{line,385}]}]}}},{rabbit_trust_store_app,start,[normal,[]]}},[{application_master,init,4,[{file,"application_master.erl"},{line,138}]},{proc_lib,init_p_do_apply,3,[{file,"proc_lib.erl"},{line,226}]}]}},{ancestors,[<0.715.0>]},{message_queue_len,1},{messages,[{'EXIT',<0.717.0>,normal}]},{links,[<0.715.0>,<0.44.0>]},{dictionary,[]},{trap_exit,true},{status,running},{heap_size,987},{stack_size,28},{reductions,183}], []
2020-09-04 14:11:44.264 [error] <0.534.0>                             [{rabbit_trust_store_file_provider,list_certs_0,
2020-09-04 14:11:44.264 [error] <0.716.0> CRASH REPORT Process <0.716.0> with 0 neighbours exited with reason: {{shutdown,{failed_to_start_child,trust_store,{{badmatch,{error,eperm}},[{rabbit_trust_store_file_provider,list_certs_0,1,[{file,"src/rabbit_trust_store_file_provider.erl"},{line,48}]},{rabbit_trust_store_file_provider,list_certs,1,[{file,"src/rabbit_trust_store_file_provider.erl"},{line,20}]},{rabbit_trust_store,refresh_provider_certs,3,[{file,"src/rabbit_trust_store.erl"},{line,228}]},{rabbit_trust_store,'-refresh_certs/2-fun-0-',4,[{file,"src/rabbit_trust_store.erl"},{line,217}]},{lists,...},...]}}},...} in application_master:init/4 line 138
2020-09-04 14:11:44.264 [error] <0.534.0>                               1,
2020-09-04 14:11:44.264 [error] <0.534.0>                               [{file,
2020-09-04 14:11:44.264 [error] <0.534.0>                                 "src/rabbit_trust_store_file_provider.erl"},
2020-09-04 14:11:44.264 [info] <0.44.0> Application rabbitmq_trust_store exited with reason: {{shutdown,{failed_to_start_child,trust_store,{{badmatch,{error,eperm}},[{rabbit_trust_store_file_provider,list_certs_0,1,[{file,"src/rabbit_trust_store_file_provider.erl"},{line,48}]},{rabbit_trust_store_file_provider,list_certs,1,[{file,"src/rabbit_trust_store_file_provider.erl"},{line,20}]},{rabbit_trust_store,refresh_provider_certs,3,[{file,"src/rabbit_trust_store.erl"},{line,228}]},{rabbit_trust_store,'-refresh_certs/2-fun-0-',4,[{file,"src/rabbit_trust_store.erl"},{line,217}]},{lists,...},...]}}},...}
2020-09-04 14:11:44.264 [error] <0.534.0>                                {line,48}]},
2020-09-04 14:11:44.264 [error] <0.534.0>                              {rabbit_trust_store_file_provider,list_certs,1,
2020-09-04 14:11:44.264 [error] <0.534.0>                               [{file,
2020-09-04 14:11:44.264 [error] <0.534.0>                                 "src/rabbit_trust_store_file_provider.erl"},
2020-09-04 14:11:44.264 [info] <0.44.0> Application rabbitmq_trust_store exited with reason: {{shutdown,{failed_to_start_child,trust_store,{{badmatch,{error,eperm}},[{rabbit_trust_store_file_provider,list_certs_0,1,[{file,"src/rabbit_trust_store_file_provider.erl"},{line,48}]},{rabbit_trust_store_file_provider,list_certs,1,[{file,"src/rabbit_trust_store_file_provider.erl"},{line,20}]},{rabbit_trust_store,refresh_provider_certs,3,[{file,"src/rabbit_trust_store.erl"},{line,228}]},{rabbit_trust_store,'-refresh_certs/2-fun-0-',4,[{file,"src/rabbit_trust_store.erl"},{line,217}]},{lists,...},...]}}},...}
2020-09-04 14:11:44.264 [error] <0.534.0>                                {line,20}]},
2020-09-04 14:11:44.264 [error] <0.534.0>                              {rabbit_trust_store,refresh_provider_certs,3,
2020-09-04 14:11:44.264 [error] <0.534.0>                               [{file,"src/rabbit_trust_store.erl"},
2020-09-04 14:11:44.265 [error] <0.534.0>                                {line,228}]},
2020-09-04 14:11:44.265 [error] <0.534.0>                              {rabbit_trust_store,'-refresh_certs/2-fun-0-',4,
2020-09-04 14:11:44.265 [error] <0.534.0>                               [{file,"src/rabbit_trust_store.erl"},
2020-09-04 14:11:44.265 [error] <0.534.0>                                {line,217}]},
2020-09-04 14:11:44.265 [error] <0.534.0>                              {lists,foldl,3,[{file,"lists.erl"},{line,1263}]},
2020-09-04 14:11:44.265 [error] <0.534.0>                              {rabbit_trust_store,init,1,
2020-09-04 14:11:44.265 [error] <0.534.0>                               [{file,"src/rabbit_trust_store.erl"},
2020-09-04 14:11:44.265 [error] <0.534.0>                                {line,133}]},
2020-09-04 14:11:44.265 [error] <0.534.0>                              {gen_server,init_it,2,
2020-09-04 14:11:44.265 [error] <0.534.0>                               [{file,"gen_server.erl"},{line,417}]},
2020-09-04 14:11:44.265 [error] <0.534.0>                              {gen_server,init_it,6,
2020-09-04 14:11:44.265 [error] <0.534.0>                               [{file,"gen_server.erl"},{line,385}]}]}}},
2020-09-04 14:11:44.265 [error] <0.534.0>                          {rabbit_trust_store_app,start,[normal,[]]}}}}

1 reply

michaelklishin Sep 4, 2020
Maintainer

@revoorunischal you should mention the exact configuration you use since we had no idea that the trust store plugin was involved.

We strongly prefer to have one question per discussion in this community. eperm is the line you are looking for. The plugin tries to list certificates and that operation fails with an eperm which is UNIX speak for "insufficient permissions".

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

TLS-enabled connections with a self signed certificate fail #2440

{{title}}

Replies: 13 comments 7 replies

{{title}}

{{title}}

{{editor}}'s edit

{{editor}}'s edit

{{title}}

{{title}}

{{title}}

{{title}}

{{title}}

{{title}}

{{title}}

{{editor}}'s edit

{{editor}}'s edit

{{title}}

{{title}}

{{title}}

{{editor}}'s edit

{{editor}}'s edit

{{title}}

{{title}}

{{editor}}'s edit

{{editor}}'s edit

{{title}}

{{title}}

{{title}}

{{title}}

{{title}}

{{title}}

Select a reply

TLS-enabled connections with a self signed certificate fail #2440

revoorunischal Sep 1, 2020

Replies: 13 comments · 7 replies

michaelklishin Sep 1, 2020 Maintainer

michaelklishin Sep 1, 2020 Maintainer

revoorunischal Sep 2, 2020 Author

michaelklishin Sep 1, 2020 Maintainer

revoorunischal Sep 2, 2020 Author

revoorunischal Sep 2, 2020 Author

revoorunischal Sep 2, 2020 Author

michaelklishin Sep 2, 2020 Maintainer

revoorunischal Sep 4, 2020 Author

michaelklishin Sep 4, 2020 Maintainer

michaelklishin Sep 4, 2020 Maintainer

michaelklishin Sep 4, 2020 Maintainer

michaelklishin Sep 4, 2020 Maintainer

michaelklishin Sep 4, 2020 Maintainer

michaelklishin Sep 4, 2020 Maintainer

michaelklishin Sep 4, 2020 Maintainer

michaelklishin Sep 4, 2020 Maintainer

revoorunischal Sep 4, 2020 Author

revoorunischal Sep 4, 2020 Author

michaelklishin Sep 4, 2020 Maintainer

revoorunischal
Sep 1, 2020

Replies: 13 comments 7 replies

michaelklishin
Sep 1, 2020
Maintainer

michaelklishin
Sep 1, 2020
Maintainer

revoorunischal Sep 2, 2020
Author

michaelklishin
Sep 1, 2020
Maintainer

revoorunischal
Sep 2, 2020
Author

revoorunischal
Sep 2, 2020
Author

revoorunischal
Sep 2, 2020
Author

michaelklishin Sep 2, 2020
Maintainer

revoorunischal
Sep 4, 2020
Author

michaelklishin
Sep 4, 2020
Maintainer

michaelklishin
Sep 4, 2020
Maintainer

michaelklishin
Sep 4, 2020
Maintainer

michaelklishin Sep 4, 2020
Maintainer

michaelklishin
Sep 4, 2020
Maintainer

michaelklishin Sep 4, 2020
Maintainer

michaelklishin
Sep 4, 2020
Maintainer

michaelklishin Sep 4, 2020
Maintainer

revoorunischal Sep 4, 2020
Author

revoorunischal
Sep 4, 2020
Author

michaelklishin Sep 4, 2020
Maintainer