
RabbitMQ server on RHEL7 resets SSL connection


I've been trying to connect to a RabbitMQ server on RHEL7 which listens on port 5671 for SSL connections.

RabbitMQ server's SSL listener has been configured like this:
[
  {rabbit, [
     {ssl_listeners, [5671]},
     {ssl_options, [{cacertfile,"/etc/pki/tls/certs/samqp.dcu.ie.chain"},
                {certfile,"/etc/pki/tls/certs/samqp.dcu.ie.crt"},
                {keyfile,"/etc/pki/tls/private/samqp.dcu.ie.key"},
                {verify,verify_peer},
                {fail_if_no_peer_cert,false}]}
   ]}
]

The client machine is Ubuntu 14.04 LTS.

The client is a Moodle custom plugin using the 'videlalvaro/php-amqplib' library to communicate with the server.

Here are the actual paths and file names for my self-signed certificates, created according to the docs at: https://www.rabbitmq.com/ssl.html

$sslOptions = array(
    'cafile'           => '/home/duro/testca/cacert.pem',
    'local_cert'       => '/home/duro/client/key-cert.pem',
    'peer_name'        => 'samqp.dcu.ie',
    'verify_peer_name' => true
);

PHP apparently has a requirement to use certificate and key concatenated to one file, hence the 'key-cert.pem'.

This is how I connect from the client, including the actual URL:

use PhpAmqpLib\Connection\AMQPSSLConnection;

$connection = new AMQPSSLConnection('samqp.dcu.ie.crt', 5671, 'rMQUsername', 'rMQPasswd', '/', $sslOptions);

On the client side I get this exception message:

"stream_socket_client(): SSL operation failed with code 1. OpenSSL Error messages: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed" 

On the server side, looking at /var/log/rabbitmq/rabbit@sphinx.log, I see this error:

=ERROR REPORT==== 3-Mar-2016::14:08:26 ===
SSL: certify: ssl_alert.erl:93:Fatal error: unknown ca

So, how to make this connection work?


Solution

  • ... error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed"

    You are connecting to the server with the name sphinx.dcu.ie:

    $connection = new AMQPSSLConnection('sphinx.dcu.ie', 5671, ...)
    

    However, the hostname in the certificate is samqp.dcu.ie:

    X509v3 Subject Alternative Name: 
        DNS:samqp.dcu.ie
    

    You need to do one of two things. First, make the RabbitMQ request against the server named in the certificate. Or second, get a new certificate issued with the DNS name you want to use.

    You can place as many DNS names as you like in the Subject Alternative Name (SAN). I often fill them up with debug and testing names, like localhost, localhost.localdomain and 127.0.0.1.


    EDIT: For this issue:

    ... and server's log now says:

    =ERROR REPORT==== 3-Mar-2016::09:52:41 ===
    SSL: certify: ssl_handshake.erl:1490:Fatal error: unknown ca
    

    You need to go back to the information for Revision 9 or so of your question and this information:

    depth=2 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert  High Assurance EV Root CA
    verify return:1
    depth=1 C = NL, ST = Noord-Holland, L = Amsterdam, O = TERENA, CN =   TERENA SSL High Assurance CA 3
    verify return:1
    depth=0 businessCategory = Government Entity, jurisdictionC = IE,   serialNumber = Government Entity, street = Glasnevin, street = Dublin City   University, postalCode = IE, C = IE, ST = Ireland, L = Dublin, O = Dublin  City University, OU = ISS, CN = samqp.dcu.ie
    verify return:1
    

    You don't need the ca-cert.pem file which includes hundreds of CAs, most of which are wrong. You only need the one CA that's right, and it's the one called DigiCert High Assurance EV Root CA. You also need the intermediate one called TERENA SSL High Assurance CA 3.

    DigiCert High Assurance EV Root CA certificate

    You can download DigiCert High Assurance EV Root CA from DigiCert Trusted Root Authority Certificates. It has the following attributes:

    • Serial number: 02:AC:5C:26:6A:0B:40:9B:8F:0B:79:F2:AE:46:25:77
    • Thumbprint: 5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25

    When you download it, it's in DER format. You need to convert it to PEM format with:

    $ openssl x509 -inform der -in DigiCertHighAssuranceEVRootCA.crt \
        -outform PEM -out DigiCertHighAssuranceEVRootCA.pem
    

    Then:

    $ cat DigiCertHighAssuranceEVRootCA.pem 
    -----BEGIN CERTIFICATE-----
    MIIDxTCCAq2gAwIBAgIQAqxcJmoLQJuPC3nyrkYldzANBgkqhkiG9w0BAQUFADBs
    ...
    vEsXCS+0yx5DaMkHJ8HSXPfqIbloEpw8nL+e/IBcm2PN7EeqJSdnoDfzAIJ9VNep
    +OkuE6N36B9K
    -----END CERTIFICATE-----
    

    TERENA SSL High Assurance CA 3 certificate

    Now you need to do the same thing with TERENA SSL High Assurance CA 3. I believe you can find it at TERENA SSL High Assurance CA Root Certificates. It's the one with the attributes:

    • Serial number 0b:5c:34:35:67:5b:24:67:c0:d7:32:37:f9:0d:5f:94
    • Fingerprint SHA1 A7:8A:AB:DE:7F:5B:77:15:40:D3:33:B5:05:87:4C:82:04:AA:D2:06

    MY-CACERT.pem

    Now that you have the CAs you need for pathbuilding, perform the following:

    $ cat DigiCertHighAssuranceEVRootCA.pem > my-cacert.pem
    $ cat TERENA_SSL_High_Assurance_CA_3.pem >> my-cacert.pem
    $ echo "" >> my-cacert.pem
    

    Then:

    $ cat my-cacert.pem 
    -----BEGIN CERTIFICATE-----
    MIIDxTCCAq2gAwIBAgIQAqxcJmoLQJuPC3nyrkYldzANBgkqhkiG9w0BAQUFADBs
    ...
    vEsXCS+0yx5DaMkHJ8HSXPfqIbloEpw8nL+e/IBcm2PN7EeqJSdnoDfzAIJ9VNep
    +OkuE6N36B9K
    -----END CERTIFICATE-----
    -----BEGIN CERTIFICATE-----
    MIIE4DCCA8igAwIBAgIQC1w0NWdbJGfA1zI3+Q1flDANBgkqhkiG9w0BAQsFADBs
    ...
    dnnqz5SeAs6cbSm551qG7Dj8+6f/8e33oqLC5Ldnbt0Ou6PjtZ4O02dN9cnicemR
    1B0/YQ==
    -----END CERTIFICATE-----
    

    Finally, use my-cacert.pem.


    You should be able to test things using OpenSSL's s_client. But I can't seem to connect from the outside world:

    $ openssl s_client -connect sphinx.dcu.ie:5671 -tls1 \
        -servername sphinx.dcu.ie -CAfile my-cacert.pem 
    

    If you can connect, then you should get a Verify Ok (0) (if I recall correctly).
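The answer makes two separate checks: the name the client connects to must appear in the certificate's SAN, and the CA file must contain exactly the issuers shown at depth 1 and 2 of the s_client output, concatenated so that each PEM block ends on its own line. The following script is an added illustration (not from the question or the answer) that applies both checks to constructed samples shaped like the output quoted above; the PEM blocks are placeholders, not real certificates.

```python
import re

# Constructed samples (not captured from the real server), shaped like the
# `openssl x509 -text` and `openssl s_client` output quoted in the answer.
X509_TEXT = """\
        X509v3 Subject Alternative Name:
            DNS:samqp.dcu.ie, DNS:localhost
"""
S_CLIENT_OUT = """\
depth=2 C = US, O = DigiCert Inc, CN = DigiCert  High Assurance EV Root CA
depth=1 C = NL, O = TERENA, CN =   TERENA SSL High Assurance CA 3
depth=0 C = IE, O = Dublin City University, CN = samqp.dcu.ie
"""
# Placeholder PEM blocks (not real certificates). The second one has no trailing
# newline, the case the answer's `echo "" >> my-cacert.pem` step guards against.
ROOT_PEM = "-----BEGIN CERTIFICATE-----\nAAAA\n-----END CERTIFICATE-----\n"
INTERMEDIATE_PEM = "-----BEGIN CERTIFICATE-----\nBBBB\n-----END CERTIFICATE-----"
SAN_RE = re.compile(r"Subject Alternative Name:\s*\n\s*(.+)")
PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S)

def parse_san_dns(x509_text):
    """DNS names from the SAN extension in `openssl x509 -text -noout` output."""
    m = SAN_RE.search(x509_text)
    entries = [e.strip() for e in m.group(1).split(",")] if m else []
    return [e[4:] for e in entries if e.startswith("DNS:")]

def hostname_matches(peer_name, dns_names):
    """Same decision PHP makes for 'peer_name': exact match, or one left-most wildcard label."""
    host = peer_name.lower().rstrip(".").split(".")
    for name in dns_names:
        labels = name.lower().rstrip(".").split(".")
        if labels == host:
            return True
        if labels[0] == "*" and len(labels) == len(host) and labels[1:] == host[1:]:
            return True
    return False

def ca_subjects_from_s_client(output):
    """CNs the CA file must contain: every depth >= 1 entry (depth 0 is the server's own cert)."""
    cas = []
    for m in re.finditer(r"^depth=(\d+) .*CN = (.+)$", output, re.M):
        if int(m.group(1)) > 0:
            cas.append(" ".join(m.group(2).split()))  # collapse the stray double spaces
    return cas

def build_ca_bundle(*pem_texts):
    """Concatenate CA PEM files so every certificate ends with its own newline."""
    certs = [c for text in pem_texts for c in PEM_RE.findall(text)]
    return "".join(c + "\n" for c in certs)
```

Running the checks against the names from the question shows why the handshake fails: hostname_matches("sphinx.dcu.ie", ...) is False while "samqp.dcu.ie" passes, and the CA list comes back as the DigiCert root plus the TERENA intermediate, nothing else.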