My RabbitMQ installation has been running for over a year using TLS connected shovels. The shovels worked with the self-signed certificates until they expired. When I recreated new certificates, the shovels still won't work even though I placed the certs, keys, and CA certs in the same locations as the previous ones. The errors I'm getting are like these (from the rabbit@hostname-sasl.log -- long lines have been "continued" with \ ):
=SUPERVISOR REPORT==== 31-Jul-2019::15:52:59 ===
Supervisor: {<0.879.0>,rabbit_shovel_dyn_worker_sup}
Context: child_terminated
Reason: {{badmatch,{error,closed}},
Offender: [{pid,<0.14768.3>},
{name,{<<"/">>,<<"Pull Light Data">>}},
{<<"/">>,<<"Pull Light Data">>},
<<"amqps://TLS_user:MWP3wCHKMNqGbnJrwKN3@source:5673 \
?cacertfile=/etc/pki/rmqca/source_rmq_cacert.pem \
&certfile=/etc/pki/rmqclient/source_client_cert.pem \
&keyfile=/etc/pki/rmqclient/source_client_key.pem \
<<"amqps://TLS_user:MWP3wCHKMNqGbnJrwKN3@destination:5673 \
?cacertfile=/etc/pki/rmqca/destination_rmq_cacert.pem \
&certfile=/etc/pki/rmqclient/destination_client_cert.pem \
&keyfile=/etc/pki/rmqclient/destination_client_key.pem \
My RMQ status:
Status of node 'rabbit@destination' ...
[{rabbitmq_shovel_management,"Shovel Status","3.6.1"},
{rabbitmq_shovel,"Data Shovel for RabbitMQ","3.6.1"},
{rabbitmq_management,"RabbitMQ Management Console","3.6.1"},
{rabbitmq_management_agent,"RabbitMQ Management Agent","3.6.1"},
{rabbitmq_web_dispatch,"RabbitMQ Web Dispatcher","3.6.1"},
{mochiweb,"MochiMedia Web Server","2.13.0"},
{amqp_client,"RabbitMQ AMQP Client","3.6.1"},
{xmerl,"XML parser","1.3.9"},
{compiler,"ERTS CXC 138 10","6.0.2"},
{ssl,"Erlang/OTP SSL application","7.2"},
{public_key,"Public key infrastructure","1.1"},
{os_mon,"CPO CXC 138 46","2.4"},
{mnesia,"MNESIA CXC 138 12","4.13.2"},
{ranch,"Socket acceptor pool for TCP protocols.","1.2.1"},
{asn1,"The Erlang ASN1 compiler version 4.0.1","4.0.1"},
{inets,"INETS CXC 138 49","6.1"},
{syntax_tools,"Syntax tools","1.7"},
{sasl,"SASL CXC 138 11","2.6.1"},
{stdlib,"ERTS CXC 138 10","2.7"},
{kernel,"ERTS CXC 138 10","4.1.1"}]},
"Erlang/OTP 18 [erts-7.2] [source] [64-bit] [smp:4:4] [async-threads:64] [hipe] [kernel-poll:true]\n"},
The problem turned out to be a misconfiguration of the RabbitMQ service itself. The configuration file /etc/rabbitmq/rabbitmq.config has an SSL section:
%% Configuring SSL.
%% See for full documentation.
{ssl, [{versions, ['tlsv1.2', 'tlsv1.1']}]},
{ssl_options, [{cacertfile, "/etc/pki/rmq_cacert.pem"},
{certfile, "/etc/pki/rmqserver/server_cert.pem"},
{keyfile, "/etc/pki/rmqserver/server_key.pem"},
{versions, ['tlsv1.2', 'tlsv1.1']},
{verify, verify_peer},
{fail_if_no_peer_cert, false}]}
Note the line for the cacertfile (/etc/pki/rmq_cacert.pem). This is the wrong location for my installation: I have a directory called rmqca for the CA certificates (following this convention, site-side my server certs go in rmqserver/, and my client certs go in rmqclient/). The new line is:
{ssl_options, [{cacertfile, "/etc/pki/rmqca/rmq_cacert.pem"},
and after a service restart all is well.
Thanks everyone for taking a look. I hope this answer helps someone else with this cryptic error message.
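As an added example (not code from the original post or from RabbitMQ), a POSIX shell check that pulls the cacertfile, certfile and keyfile paths out of an ssl_options fragment, confirms each file is readable, and runs openssl verify so a wrong CA path like the one above is caught before a restart. It assumes openssl is on PATH; make_fixture builds a throwaway CA and server certificate under mktemp (constructed data, laid out as rmqca/ and rmqserver/ like the post) so it runs offline.

```shell
#!/bin/sh
# Added pre-restart check for the ssl_options paths in rabbitmq.config.
set -u

# Print the quoted value of {key, "value"} from an Erlang config fragment.
erl_path() {  # $1 = config file, $2 = key
  sed -n "s/.*{$2, *\"\([^\"]*\)\".*/\1/p" "$1" | head -n 1
}

# Exit status: 0 all good, 1 a path is missing/unreadable, 2 cert does not chain to CA.
check_ssl_options() {  # $1 = rabbitmq.config (or just the ssl_options fragment)
  ca=$(erl_path "$1" cacertfile)
  cert=$(erl_path "$1" certfile)
  key=$(erl_path "$1" keyfile)
  rc=0
  for f in "$ca" "$cert" "$key"; do
    if [ -z "$f" ] || [ ! -r "$f" ]; then
      echo "missing or unreadable: ${f:-<not set>}" >&2
      rc=1
    fi
  done
  [ "$rc" -eq 0 ] || return "$rc"
  # With verify_peer the CA file must be the one that actually signed the certs.
  if openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1; then
    echo "ok: $cert verifies against $ca"
  else
    echo "FAIL: $cert does not verify against $ca" >&2
    rc=2
  fi
  return "$rc"
}

# Constructed fixture: throwaway CA in rmqca/, server cert signed by it in
# rmqserver/, plus good.config (correct CA path) and bad.config (the wrong
# top-level path from the post). Prints the fixture directory.
make_fixture() {
  d=$(mktemp -d)
  mkdir -p "$d/rmqca" "$d/rmqserver"
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj /CN=testca \
    -keyout "$d/rmqca/ca.key" -out "$d/rmqca/rmq_cacert.pem" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj /CN=server \
    -keyout "$d/rmqserver/server_key.pem" -out "$d/server.csr" 2>/dev/null
  openssl x509 -req -in "$d/server.csr" -CA "$d/rmqca/rmq_cacert.pem" \
    -CAkey "$d/rmqca/ca.key" -set_serial 1 -days 1 \
    -out "$d/rmqserver/server_cert.pem" 2>/dev/null
  for v in good:rmqca/rmq_cacert.pem bad:rmq_cacert.pem; do
    printf '{ssl_options, [{cacertfile, "%s/%s"},\n {certfile, "%s/rmqserver/server_cert.pem"},\n {keyfile, "%s/rmqserver/server_key.pem"}]}\n' \
      "$d" "${v#*:}" "$d" "$d" > "$d/${v%%:*}.config"
  done
  echo "$d"
}
```

Run it against the real file with `check_ssl_options /etc/rabbitmq/rabbitmq.config`; the same check applied to the shovel's client cert and CA catches the other half of a verify_peer failure.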