Following rabbitmq tls support page I deployed a rabbitmq server on GCP using the following terraform script:
provider "google" {
project = var.project_id
region = var.region
}
resource "google_compute_network" "vpc_network" {
name = "rabbitmq-ssl-network"
}
resource "google_compute_address" "static_ip" {
name = "rabbitmq--ssl-static-ip"
address_type = "EXTERNAL"
}
resource "google_compute_instance" "rabbitmq_instance" {
name = "rabbitmq-vm-ssl"
machine_type = "e2-micro"
zone = "europe-west1-d"
boot_disk {
initialize_params {
image = "debian-cloud/debian-11"
}
}
network_interface {
network = google_compute_network.vpc_network.name
access_config {
nat_ip = google_compute_address.static_ip.address
}
}
metadata_startup_script = <<-EOT
#! /bin/bash
sudo su <<EOF
apt-get update
apt-get install -y docker.io
apt-get install -y git
apt-get install -y make
# Clone tls-gen repository
git clone https://github.com/rabbitmq/tls-gen tls-gen
cd tls-gen/basic
make PASSWORD=bunnies
make verify
make info
ls -l ./result
# Copy the contents of the result directory to /etc/rabbitmq/ssl
mkdir -p /etc/rabbitmq/ssl
cp -r ./result/* /etc/rabbitmq/ssl
# Give permissions so that RabbitMQ can read the files
chmod 755 /etc/rabbitmq/ssl/*
# Create RabbitMQ configuration file
mkdir -p /etc/rabbitmq/conf
cat <<EOC | tee /etc/rabbitmq/conf/rabbitmq.conf
listeners.ssl.default = 5671
mqtt.listeners.ssl.default = 8883
mqtt.listeners.tcp.default = 1883
mqtt.allow_anonymous = true
mqtt.default_user = guest
mqtt.default_pass = guest
mqtt.vhost = /
ssl_options.cacertfile = /etc/rabbitmq/ssl/ca_certificate.pem
ssl_options.certfile = /etc/rabbitmq/ssl/server_rabbitmq-vm-ssl_certificate.pem
ssl_options.keyfile = /etc/rabbitmq/ssl/server_rabbitmq-vm-ssl_key.pem
ssl_options.verify = verify_peer
ssl_options.fail_if_no_peer_cert = false
EOC
# Start RabbitMQ container with SSL
echo "Starting RabbitMQ container with SSL"
docker run -d --name rabbitmq_mqtt -p 5672:5672 -p 15672:15672 -p 8883:8883 -p 1883:1883 -p 8443:8443 \
-v /etc/rabbitmq/ssl:/etc/rabbitmq/ssl \
-v /etc/rabbitmq/conf/rabbitmq.conf:/etc/rabbitmq/rabbitmq.conf \
rabbitmq:3-management
docker exec rabbitmq_mqtt rabbitmq-plugins enable --offline rabbitmq_mqtt
docker restart rabbitmq_mqtt
EOF
EOT
}
resource "google_compute_firewall" "allow_rabbitmq" {
name = "allow-rabbitmq-sll-server"
network = google_compute_network.vpc_network.name
allow {
protocol = "tcp"
ports = ["5672", "15672", "8883", "1883", "8443"]
}
source_ranges = ["0.0.0.0/0"]
}
resource "google_compute_firewall" "allow_ssh" {
name = "allow-ssh-ssl-server"
network = google_compute_network.vpc_network.name
allow {
protocol = "tcp"
ports = ["22"]
}
source_ranges = ["0.0.0.0/0"]
}
output "rabbitmq_ip" {
value = google_compute_address.static_ip.address
}
This generated the following files:
root@rabbitmq-vm-ssl:/etc/rabbitmq/ssl# ls
ca_certificate.pem client_rabbitmq-vm-ssl_certificate.pem server_rabbitmq-vm-ssl_certificate.pem
ca_key.pem client_rabbitmq-vm-ssl_key.pem server_rabbitmq-vm-ssl_key.pem
client_rabbitmq-vm-ssl.p12 server_rabbitmq-vm-ssl.p12
I have a python paho mqtt script to publish data (I can add it if interested - it is also not able to connect), however first I want to subscribe a mosquitto client to listen on the published events, however am receiving a "Protocol error" message.
mosquitto_sub -h <public-ip-address> -t testssl/topic --cafile ca_certificate.pem
Error: Protocol error
When connecting via the TCP port (no TLS), the communication flows just fine.
Following rabbit-mq TLS troubleshooting I verified that:
# rabbitmq-diagnostics listeners
Asking node rabbit@<random-string> to report its protocol listeners ...
Interface: [::], port: 15672, protocol: http, purpose: HTTP API
Interface: [::], port: 1883, protocol: mqtt, purpose: MQTT
Interface: [::], port: 8883, protocol: mqtt/ssl, purpose: MQTT over TLS
Interface: [::], port: 15692, protocol: http/prometheus, purpose: Prometheus exporter API over HTTP
Interface: [::], port: 25672, protocol: clustering, purpose: inter-node and CLI tool communication
Interface: [::], port: 5672, protocol: amqp, purpose: AMQP 0-9-1 and AMQP 1.0
Interface: [::], port: 5671, protocol: amqp/ssl, purpose: AMQP 0-9-1 and AMQP 1.0 over TLS
Verified TLS version:
# rabbitmq-diagnostics --silent tls_versions
tlsv1.3tlsv1.2tlsv1.1tlsv1
I checked the client(my laptop)-server(provisioned rabbitmq server) connection in the following manner:
root@rabbitmq-vm-ssl:/etc/rabbitmq/ssl# openssl s_server -accept 8443 -cert server_rabbitmq-vm-ssl_certificate.pem -key server_rabbitmq-vm-ssl_key.pem -CAfile ca_certificate.pem
Enter pass phrase for server_rabbitmq-vm-ssl_key.pem:
Using default temp DH parameters
ACCEPT
and see an error that might help someone knowledgeable:
openssl s_client -connect <static-ip>:8443 -cert client_certificate.pem -key client_key.pem -CAfile ca_certificate.pem -verify 8 -verify_hostname rabbitmq-vm-ssl
verify depth is 8
Enter pass phrase for client_key.pem:
000C8AF401000000:error:8000003D:system library:BIO_connect:Connection refused:crypto/bio/bio_sock2.c:178:calling connect()
000C8AF401000000:error:10000067:BIO routines:BIO_connect:connect error:crypto/bio/bio_sock2.c:180:
connect:errno=61
Given that I dont do this everyday (and mostly dont know what I am doing) I wonder whether I am not missing something on the certificate part. Notice that the certificates are created using the tls-gen tool and I dont specify a port/ip address and expect that when connecting from my local machine to the gcp host the server will accept the connection.
The error from mosquitto_sub isn't very helpful and the error from openssl s_client seems unrelated. However, I think it fails because the CN of the certificate is incorrect.
You can verify by passing --insecure to mosquitto_sub, if that does the trick, regenerate the certificate with the CN set to the server's public IP.
Also, you can increase the verbosity by adding a -v to your mosquitto_sub command. That might produce a more useful error msg.