I've got some trouble with one of my clients (a Docker container based on Alpine) connecting to a mail server with a Let's Encrypt SSL certificate:
Nov 2 14:39:50 mail postfix/smtpd[878799]: warning: TLS library problem: error:14094415:SSL routines:ssl3_read_bytes:sslv3 alert certificate expired:../ssl/record/rec_layer_s3.c:1543:SSL alert number 45:
I know that Let's Encrypt has used the new ISRG Root X1 since 1 Oct 2021. After downloading the CA PEM file from https://letsencrypt.org/de/certificates/ I checked that the certificate is available.
It looks okay to me:
/etc/ssl/certs # grep -ri "emyPxgcYxn/eR44/KJ4EBs+lVDR3veyJm+kXQ99b21/+jh5Xos1AnX5iItreGCc=" .
./4042bcee.1:emyPxgcYxn/eR44/KJ4EBs+lVDR3veyJm+kXQ99b21/+jh5Xos1AnX5iItreGCc=
./ca-certificates.crt:emyPxgcYxn/eR44/KJ4EBs+lVDR3veyJm+kXQ99b21/+jh5Xos1AnX5iItreGCc=
./ca-certificates.crt:emyPxgcYxn/eR44/KJ4EBs+lVDR3veyJm+kXQ99b21/+jh5Xos1AnX5iItreGCc=
./ca-cert-isrgrootx1.pem.pem:emyPxgcYxn/eR44/KJ4EBs+lVDR3veyJm+kXQ99b21/+jh5Xos1AnX5iItreGCc=
./4042bcee.0:emyPxgcYxn/eR44/KJ4EBs+lVDR3veyJm+kXQ99b21/+jh5Xos1AnX5iItreGCc=
./ca-cert-ISRG_Root_X1.pem:emyPxgcYxn/eR44/KJ4EBs+lVDR3veyJm+kXQ99b21/+jh5Xos1AnX5iItreGCc=
Additionally, I installed the certificate by hand (snippet of the Dockerfile):
COPY etc/ssl/isrgrootx1.pem /usr/local/share/ca-certificates/
RUN apk update && apk add --no-cache ca-certificates && update-ca-certificates
No luck. The SSL chain seems strange (the domain is masked with xxx):
/etc/ssl/certs # openssl s_client -starttls smtp -connect mail.xxx.de:587
CONNECTED(00000003)
depth=1 O = Digital Signature Trust Co., CN = DST Root CA X3
verify error:num=10:certificate has expired
notAfter=Sep 30 14:01:15 2021 GMT
verify return:0
depth=1 O = Digital Signature Trust Co., CN = DST Root CA X3
verify error:num=10:certificate has expired
notAfter=Sep 30 14:01:15 2021 GMT
verify return:0
depth=3 O = Digital Signature Trust Co., CN = DST Root CA X3
verify error:num=10:certificate has expired
notAfter=Sep 30 14:01:15 2021 GMT
verify return:0
---
Certificate chain
0 s:/CN=mail.xxx.de
i:/C=US/O=Let's Encrypt/CN=R3
1 s:/C=US/O=Let's Encrypt/CN=R3
i:/C=US/O=Internet Security Research Group/CN=ISRG Root X1
2 s:/C=US/O=Internet Security Research Group/CN=ISRG Root X1
i:/O=Digital Signature Trust Co./CN=DST Root CA X3
---
Server certificate
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
subject=/CN=mail.xxx.de
issuer=/C=US/O=Let's Encrypt/CN=R3
---
No client certificate CA names sent
Server Temp Key: ECDH, X25519, 253 bits
---
SSL handshake has read 4895 bytes and written 328 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES256-GCM-SHA384
Session-ID: D0DA2252D5091779AA2CDF832A856F846A2AFD4C4C73CEDA24D64647FD998CB4
Session-ID-ctx:
Master-Key: BA703221FC54ADE822079229A36672AADFF4621EBEFDDA338D3E5F8025DC9668BBAFA152A1708C569B72AFF09F80AC5D
TLS session ticket lifetime hint: 7200 (seconds)
TLS session ticket:
0000 - 18 80 2d 38 6c e0 da 60-77 43 b1 62 d7 80 84 3f ..-8l..`wC.b...?
0010 - 1e 28 23 23 f7 34 ef 30-21 09 a2 34 92 b7 bf 10 .(##.4.0!..4....
0020 - ae c1 b7 50 ea 85 11 32-1c 28 f9 09 9f ff 20 7a ...P...2.(.... z
0030 - 7b e2 61 8d 8d 06 e3 66-6e 7c 93 31 95 29 e9 2d {.a....fn|.1.).-
0040 - 6a 93 bc 06 1d e2 26 58-00 32 48 67 aa f5 45 ed j.....&X.2Hg..E.
0050 - b8 5a 0d 93 84 7e c4 36-cf 06 39 4f d3 6a 45 e1 .Z...~.6..9O.jE.
0060 - a6 fc 49 31 3a 1c c4 32-d3 ae d2 2c 2e 34 e9 c2 ..I1:..2...,.4..
0070 - 8c 58 ee 98 08 48 56 d9-58 c3 3a 2c 21 6e a8 3b .X...HV.X.:,!n.;
0080 - 85 22 9b 90 6c 21 06 79-f2 e6 6c b0 dd c9 1e 2c ."..l!.y..l....,
0090 - c1 62 11 4b 7b 19 5d ac-d9 ba 69 6a 17 fb 7b ab .b.K{.]...ij..{.
Start Time: 1636139076
Timeout : 7200 (sec)
Verify return code: 10 (certificate has expired)
---
250 CHUNKING
Here is one of my Alpine containers with a successful connection:
/var/www/html # openssl s_client -starttls smtp -connect mail.xxx.de:587
CONNECTED(00000003)
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify return:1
depth=0 CN = mail.xxx.de
verify return:1
---
Certificate chain
0 s:CN = mail.xxx.de
i:C = US, O = Let's Encrypt, CN = R3
1 s:C = US, O = Let's Encrypt, CN = R3
i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
2 s:C = US, O = Internet Security Research Group, CN = ISRG Root X1
i:O = Digital Signature Trust Co., CN = DST Root CA X3
---
Server certificate
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
subject=CN = mail.xxx.de
issuer=C = US, O = Let's Encrypt, CN = R3
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 4834 bytes and written 435 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
250 CHUNKING
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
Protocol : TLSv1.3
Cipher : TLS_AES_256_GCM_SHA384
Session-ID: A60E19C667530A8C575213D7ECCA704F55D32294779DDA198D182909ACF72EC9
Session-ID-ctx:
Resumption PSK: F341E73946627D59D9AEAEDDDF23D0F9B5BBFF8CE5603550A30E0A17BC884174A8883D2BBF1D4335D6835470A9DBED6D
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 7200 (seconds)
TLS session ticket:
0000 - 4e 14 1b 3c 6f 76 8f da-4c 91 b0 71 f0 95 f8 f6 N..<ov..L..q....
0010 - a2 bd 18 a8 75 00 a3 0c-dc 18 7a 95 2c 74 a4 62 ....u.....z.,t.b
0020 - 4e aa 8e d4 dc 75 6a 1e-1b 3b c1 87 9d ca ff ce N....uj..;......
0030 - 24 a4 7b fb 35 e8 c1 8e-ff a0 a4 38 db 52 7d fd $.{.5......8.R}.
0040 - 95 42 0d 8f 0b ba c4 5b-27 d5 94 2b bc f3 92 34 .B.....['..+...4
0050 - 41 e4 12 6e f7 c4 f0 33-81 bc 9d 07 12 8f b2 8b A..n...3........
0060 - f1 8d 59 2f ee 49 e6 c8-17 e6 66 64 b6 b8 8f a0 ..Y/.I....fd....
0070 - d0 40 bc 28 71 96 d1 a7-b9 e3 00 db ba 5b 85 43 .@.(q........[.C
0080 - e2 dc d0 42 21 8a d1 57-21 01 5e b9 5f e2 ec 16 ...B!..W!.^._...
0090 - fb 00 d6 5b ae b6 2b d1-42 c8 2c ae f6 2d 21 48 ...[..+.B.,..-!H
00a0 - dc d2 a9 c3 5c 75 33 21-a8 c2 ca d3 7b 86 ec 65 ....\u3!....{..e
00b0 - d2 1b 1f e5 c7 b2 45 94-96 56 48 74 e5 d5 22 18 ......E..VHt..".
00c0 - bf c4 5d f4 9e 1c 37 e2-b7 9a cc 3a e1 0e 9b ee ..]...7....:....
Start Time: 1636139616
Timeout : 7200 (sec)
Verify return code: 0 (ok)
Extended master secret: no
Max Early Data: 0
---
read R BLOCK
Any idea? Thank you very much!
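What the two s_client runs above differ in is not the trust store but the chain-building strategy of the TLS library. The failing container prints subjects in the old `s:/CN=...` style and no `Verification:` line, which suggests (an assumption, not stated in the question) a pre-1.1.0 OpenSSL-style verifier. Such a verifier walks the certificates the server sent before consulting the local store, so it follows the cross-signed ISRG Root X1 up to DST Root CA X3, finds that root in the bundle, and then fails on its expiry; adding ISRG Root X1 again does not change that path. OpenSSL 1.1.0 and later look in the trust store first, stop at the self-signed ISRG Root X1 and never touch the expired root. The model below, an added example and not code from the question, reproduces both strategies over a constructed set of certificates. Subject names, the three-certificate chain, the DST Root CA X3 expiry and the session start time are taken from the question's output; the remaining notAfter dates are assumptions.

```python
"""Model of X.509 chain building for the ISRG Root X1 / DST Root CA X3 case.

Constructed example: it models path building, it does not parse real certificates.
"""
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    not_after: datetime  # UTC


UTC = timezone.utc
# Subjects/issuers and the DST Root CA X3 expiry (Sep 30 14:01:15 2021 GMT) are
# from the s_client output; the other notAfter values are assumptions.
LEAF = Cert("CN=mail.xxx.de", "CN=R3", datetime(2022, 1, 30, tzinfo=UTC))
R3 = Cert("CN=R3", "CN=ISRG Root X1", datetime(2025, 9, 15, tzinfo=UTC))
X1_CROSS = Cert("CN=ISRG Root X1", "CN=DST Root CA X3", datetime(2024, 9, 30, tzinfo=UTC))
X1_SELF = Cert("CN=ISRG Root X1", "CN=ISRG Root X1", datetime(2035, 6, 4, tzinfo=UTC))
DST_X3 = Cert("CN=DST Root CA X3", "CN=DST Root CA X3",
              datetime(2021, 9, 30, 14, 1, 15, tzinfo=UTC))

# The three certificates the server sends, in the order shown in the question.
SENT_CHAIN = [LEAF, R3, X1_CROSS]
# "Start Time: 1636139076" from the failing run.
NOW = datetime.fromtimestamp(1636139076, UTC)


def build_chain(leaf, untrusted, store, trusted_first):
    """Depth-first search for a path from leaf to a certificate in the trust store.

    trusted_first=True : try the trust store before the peer-sent certificates
                         (OpenSSL >= 1.1.0 default).
    trusted_first=False: prefer the peer-sent certificates and consult the store
                         only when they run out, backtracking if the chain cannot
                         be completed (OpenSSL 1.0.x behaviour).
    Returns the chain (leaf first) or None if no trust anchor is reachable.
    """
    def issuers_of(cert, pool):
        return [c for c in pool if c.subject == cert.issuer and c != cert]

    def walk(chain):
        top = chain[-1]
        if top in store:          # reached a trust anchor
            return chain
        pools = (store, untrusted) if trusted_first else (untrusted, store)
        for pool in pools:
            for cand in issuers_of(top, pool):
                if cand in chain:  # avoid loops
                    continue
                found = walk(chain + [cand])
                if found:
                    return found
        return None

    return walk([leaf])


def verify(leaf, untrusted, store, now, trusted_first):
    """Return (ok, message); the message mimics OpenSSL's 'depth=N ... expired'."""
    chain = build_chain(leaf, untrusted, store, trusted_first)
    if chain is None:
        return False, "unable to get issuer certificate"
    for depth, cert in enumerate(chain):
        if now > cert.not_after:
            return False, f"depth={depth} {cert.subject}: certificate has expired"
    return True, "ok via " + " -> ".join(c.subject for c in chain)


if __name__ == "__main__":
    old_store = [X1_SELF, DST_X3]   # bundle that still contains the expired root
    fixed_store = [X1_SELF]         # DST Root CA X3 removed
    print("1.0.x verifier, DST present:", verify(LEAF, SENT_CHAIN, old_store, NOW, False))
    print("1.1.x verifier, DST present:", verify(LEAF, SENT_CHAIN, old_store, NOW, True))
    print("1.0.x verifier, DST removed:", verify(LEAF, SENT_CHAIN, fixed_store, NOW, False))
```

The first case ends at depth 3 on DST Root CA X3, exactly where the failing container reports the expiry. The two remedies the model shows are the real ones: rebuild the container on a base image whose TLS library uses the trusted-first strategy, or make sure the container's bundle no longer contains DST Root CA X3 (a current `ca-certificates` package omits it; otherwise remove it and re-run `update-ca-certificates`). Adding ISRG Root X1 a second time, as in the Dockerfile snippet, has no effect on either strategy.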
I have RabbitMQ installed on a Windows 2012 server.
I need SSL/TLS support enabled and have read the following guide.
Unfortunately, the SSL listener does not start, without any errors in the log file (after a broker restart):
Starting RabbitMQ 3.7.7 on Erlang 21.0
Copyright (C) 2007-2018 Pivotal Software, Inc.
Licensed under the MPL. See http://www.rabbitmq.com/
2018-12-11 09:47:15.205 [info] <0.269.0>
node : rabbit@WIN-055QHB70C6Q
home dir : C:\Windows\system32\config\systemprofile
config file(s) : c:/Users/ADMINI~1.WIN/AppData/Roaming/RabbitMQ/advanced.config
: c:/Users/ADMINI~1.WIN/AppData/Roaming/RabbitMQ/rabbitmq.conf
cookie hash : r+sVz1OsZ1pBik8phgF0Ag==
log(s) : C:/Users/ADMINI~1.WIN/AppData/Roaming/RabbitMQ/log/RABBIT~1.LOG
: C:/Users/ADMINI~1.WIN/AppData/Roaming/RabbitMQ/log/rabbit#WIN-055QHB70C6Q_upgrade.log
database dir : c:/Users/ADMINI~1.WIN/AppData/Roaming/RabbitMQ/db/RABBIT~1
2018-12-11 09:47:16.363 [info] <0.277.0> Memory high watermark set to 1638 MiB (1717772288 bytes) of 4095 MiB (4294430720 bytes) total
2018-12-11 09:47:16.367 [info] <0.279.0> Enabling free disk space monitoring
2018-12-11 09:47:16.367 [info] <0.279.0> Disk free limit set to 50MB
2018-12-11 09:47:16.371 [info] <0.281.0> Limiting to approx 8092 file handles (7280 sockets)
2018-12-11 09:47:16.371 [info] <0.282.0> FHC read buffering: OFF
2018-12-11 09:47:16.371 [info] <0.282.0> FHC write buffering: ON
2018-12-11 09:47:16.372 [info] <0.269.0> Waiting for Mnesia tables for 30000 ms, 9 retries left
2018-12-11 09:47:16.398 [info] <0.269.0> Waiting for Mnesia tables for 30000 ms, 9 retries left
2018-12-11 09:47:16.398 [info] <0.269.0> Peer discovery backend rabbit_peer_discovery_classic_config does not support registration, skipping registration.
2018-12-11 09:47:16.399 [info] <0.269.0> Priority queues enabled, real BQ is rabbit_variable_queue
2018-12-11 09:47:16.411 [info] <0.302.0> Starting rabbit_node_monitor
2018-12-11 09:47:16.435 [info] <0.269.0> Management plugin: using rates mode 'basic'
2018-12-11 09:47:16.435 [info] <0.334.0> Making sure data directory 'c:/Users/ADMINI~1.WIN/AppData/Roaming/RabbitMQ/db/RABBIT~1/msg_stores/vhosts/628WB79CIFDYO9LJI6DKMI09L' for vhost '/' exists
2018-12-11 09:47:16.438 [info] <0.334.0> Starting message stores for vhost '/'
2018-12-11 09:47:16.438 [info] <0.338.0> Message store "628WB79CIFDYO9LJI6DKMI09L/msg_store_transient": using rabbit_msg_store_ets_index to provide index
2018-12-11 09:47:16.440 [info] <0.334.0> Started message store of type transient for vhost '/'
2018-12-11 09:47:16.440 [info] <0.341.0> Message store "628WB79CIFDYO9LJI6DKMI09L/msg_store_persistent": using rabbit_msg_store_ets_index to provide index
2018-12-11 09:47:16.441 [info] <0.334.0> Started message store of type persistent for vhost '/'
2018-12-11 09:47:16.446 [info] <0.376.0> started TCP Listener on [::]:5672
2018-12-11 09:47:16.447 [info] <0.391.0> started TCP Listener on 0.0.0.0:5672
2018-12-11 09:47:16.447 [info] <0.269.0> Setting up a table for connection tracking on this node: 'tracked_connection_on_node_rabbit@WIN-055QHB70C6Q'
2018-12-11 09:47:16.447 [info] <0.269.0> Setting up a table for per-vhost connection counting on this node: 'tracked_connection_per_vhost_on_node_rabbit@WIN-055QHB70C6Q'
2018-12-11 09:47:16.452 [warning] <0.408.0> Could not find handle.exe, please install from sysinternals
2018-12-11 09:47:16.480 [info] <0.451.0> Management plugin started. Port: 15672
2018-12-11 09:47:16.480 [info] <0.557.0> Statistics database started.
2018-12-11 09:47:16.481 [notice] <0.111.0> Changed loghwm of C:/Users/ADMINI~1.WIN/AppData/Roaming/RabbitMQ/log/RABBIT~1.LOG to 50
2018-12-11 09:47:16.566 [info] <0.7.0> Server startup complete; 3 plugins started.
* rabbitmq_management
* rabbitmq_web_dispatch
* rabbitmq_management_agent
Environment:
Win Server 2012R2, Erlang, RabbitMQ
Erlang: esl-erlang_21.0_windows_amd64.exe
1> erlang:system_info(otp_release).
"21"
Rabbit MQ: rabbitmq-server-3.7.7.exe
rabbitmqctl status
{rabbit,"RabbitMQ","3.7.7"},
Modified config file according to this guide:
c:/Users/ADMINI~1.WIN/AppData/Roaming/RabbitMQ/rabbitmq.conf
[
{rabbit, [
{ssl_listeners, [5671]},
{tcp_listeners, [{"localhost",5672}]},
{tcp_listen_options, [binary,
{packet, raw},
{reuseaddr, true},
{backlog, 128},
{nodelay, true},
{exit_on_close, false},
{keepalive, true}]},
{ssl_options, [{cacertfile,"C:\\temp\\cacert1.pem"},
{certfile,"C:\\temp\\cert.pem"},
{keyfile,"C:\\temp\\key.pem"},
{verify,verify_none},
{fail_if_no_peer_cert,false}]}
]}
].
Certificates were previously created using openssl and checked on Ubuntu - the same service is running without errors (with SSL enabled).
I have verified the SSL configuration according to this guide:
werl.exe
ssl:versions().
Erlang/OTP 21 [erts-10.0] [64-bit] [smp:2:2] [ds:2:2:10] [async-threads:1]
Eshell V10.0 (abort with ^G)
1> ssl:versions().
[{ssl_app,"9.0"},
{supported,['tlsv1.2','tlsv1.1',tlsv1]},
{supported_dtls,['dtlsv1.2',dtlsv1]},
{available,['tlsv1.2','tlsv1.1',tlsv1,sslv3]},
{available_dtls,['dtlsv1.2',dtlsv1]}]
2>
and this guide:
PS C:\temp> & '..\Program Files\OpenSSL-Win64\bin\openssl.exe' s_server -accept 8443 -cert "C:\temp\cert.pem" -key "C:\t
emp\key.pem" -CAfile "C:\temp\cacert1.pem"
Using default temp DH parameters
ACCEPT
-----BEGIN SSL SESSION PARAMETERS-----
MH0CAQECAgMEBAITAgQgvBHCGaTQPFgF9V3OLCgGudWcTNUPj+VUaYVjoeX32ZYE
MHsxeVDcMSw4Fl5y12GDWlDqdhmomdlS2hOgeXDr21jRcP7kabTg92GvP08hnIIz
1aEGAgRcD80YogQCAhwgpAYEBAEAAACuBgIEeKP8gQ==
-----END SSL SESSION PARAMETERS-----
Shared ciphers:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:
ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-
CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256
-SHA384:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES256-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:DHE-RSA-AES128-S
HA256:ECDHE-ECDSA-AES256-SHA
Signature Algorithms: ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:Ed25519:Ed448:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:
RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:ECDSA+SHA1:RSA+SHA224:RSA+SHA
1:DSA+SHA224:DSA+SHA1:DSA+SHA256:DSA+SHA384:DSA+SHA512
Shared Signature Algorithms: ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:Ed25519:Ed448:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+
SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:ECDSA+SHA1:RSA+SHA224:
RSA+SHA1
Supported Elliptic Groups: X25519:P-256:X448:P-521:P-384
Shared Elliptic groups: X25519:P-256:X448:P-521:P-384
---
No server certificate CA names sent
CIPHER is TLS_AES_256_GCM_SHA384
Secure Renegotiation IS supported
PS C:\temp> & '..\Program Files\OpenSSL-Win64\bin\openssl.exe' s_client -connect localhost:8443 -cert "C:\temp\cert.pem"
-key "C:\temp\key.pem" -CAfile "C:\temp\cacert1.pem"
CONNECTED(00000108)
depth=1 CN = MyTestCA
verify return:1
depth=0 CN = 192.168.1.112, ST = RU, C = RU, O = EPAM, OU = EPAM
verify return:1
---
Certificate chain
0 s:CN = 192.168.1.112, ST = RU, C = RU, O = EPAM, OU = EPAM
i:CN = MyTestCA
1 s:CN = MyTestCA
i:CN = MyTestCA
---
Server certificate
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
subject=CN = 192.168.1.112, ST = RU, C = RU, O = EPAM, OU = EPAM
issuer=CN = MyTestCA
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 2060 bytes and written 391 bytes
Verification: OK
---
New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
Protocol : TLSv1.3
Cipher : TLS_AES_256_GCM_SHA384
Session-ID: 1FB4C4A756AF733EA4819D8350B4B66E5568DCB1C598D08D4B7C657C13F4EC78
Session-ID-ctx:
Resumption PSK: 55578B334D92C9CDBE66FA20C7D0A9BF55F0E50F37F026BD08BC69908EA1826DE75ACD1E6F3C365777DB890967420469
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 7200 (seconds)
TLS session ticket:
0000 - 61 05 4b aa 0d dc 90 74-b6 ed a0 af ef bd cf 9e a.K....t........
0010 - d7 13 91 f5 d2 9e 30 e7-57 61 a3 4a 50 8f ac fc ......0.Wa.JP...
0020 - 9b b1 17 5f 45 4b 79 fa-57 62 5c 41 eb 17 26 a1 ..._EKy.Wb\A..&.
0030 - 90 3f 3e b0 65 fa a3 ff-3b d2 da 3c 4b 38 d4 ef .?>.e...;..<K8..
0040 - 11 d5 a9 59 69 37 97 f4-2e 84 2c ec 28 aa 7b 92 ...Yi7....,.(.{.
0050 - a5 50 91 40 8d 9e 83 90-a0 5d f7 41 5c d6 ba 8b .P.@.....].A\...
0060 - 32 b9 47 cf 58 dc 72 26-6a ca ea 71 2f ee c6 5b 2.G.X.r&j..q/..[
0070 - e7 ee bf 0d 68 0e 0c 32-4d 24 8e 91 73 5e 1d 9f ....h..2M$..s^..
0080 - ed 5a 6f 51 6e bc 7f ba-5e e7 25 3f a9 ad 91 0b .ZoQn...^.%?....
0090 - b7 26 17 1c 6b 89 11 e3-40 77 5f 38 59 98 64 dc .&..k...@w_8Y.d.
00a0 - d9 3b d3 ff 1d ca 6f c6-df e5 e6 8c db 1e 25 4c .;....o.......%L
00b0 - 50 b6 d5 e5 82 26 04 6e-b3 ca 11 95 d0 92 05 8e P....&.n........
00c0 - 60 a6 a8 a7 fe 3a 18 93-0f 8d 17 4d 2e a2 ce 69 `....:.....M...i
Start Time: 1544539416
Timeout : 7200 (sec)
Verify return code: 0 (ok)
Extended master secret: no
Max Early Data: 0
---
read R BLOCK
---
Post-Handshake New Session Ticket arrived:
SSL-Session:
Protocol : TLSv1.3
Cipher : TLS_AES_256_GCM_SHA384
Session-ID: 658363DA6FF899DD69009F26444543E1E839BBF0ACAE5288FD0BA019084F141A
Session-ID-ctx:
Resumption PSK: 7B317950DC312C38165E72D761835A50EA7619A899D952DA13A07970EBDB58D170FEE469B4E0F761AF3F4F219C8233D5
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 7200 (seconds)
TLS session ticket:
0000 - 61 05 4b aa 0d dc 90 74-b6 ed a0 af ef bd cf 9e a.K....t........
0010 - 20 3b a8 d4 62 e7 56 9a-42 36 02 81 2a 48 d2 94 ;..b.V.B6..*H..
0020 - a8 0b 21 aa ca 0a b1 60-a5 17 c7 4f a5 44 0e b7 ..!....`...O.D..
0030 - 42 bf 1d 7e b5 f2 a9 8e-f4 5d ff 5c 9b c8 b8 c0 B..~.....].\....
0040 - 19 d2 4e 5a f8 df 1b 96-bb f6 52 a4 eb 35 d5 fa ..NZ......R..5..
0050 - a5 c6 16 f2 ae a7 49 9d-f5 fd da 52 8e 9e a4 b3 ......I....R....
0060 - 14 93 cd 71 dc f6 66 ea-f6 69 d8 19 05 ce c0 61 ...q..f..i.....a
0070 - 39 83 7f d1 5f d9 ed 1d-92 f7 92 2d 59 5d 8d 7e 9..._......-Y].~
0080 - 77 43 30 67 aa f4 78 5e-02 20 a2 59 f4 b4 04 40 wC0g..x^. .Y...@
0090 - a8 6b 11 40 0c 03 4d 36-26 36 d2 a7 13 20 f2 3b .k.@..M6&6... .;
00a0 - e8 43 00 ca 65 30 6b 6b-1c 58 b9 7d 0d 89 b3 dc .C..e0kk.X.}....
00b0 - 2a 07 77 3a 7e 99 a3 e1-7e 35 09 fd e3 7a 7a a7 *.w:~...~5...zz.
Start Time: 1544539416
Timeout : 7200 (sec)
Verify return code: 0 (ok)
Extended master secret: no
Max Early Data: 0
---
read R BLOCK
Broker restarted via *.bat files:
RabbitMQ Service - start
RabbitMQ Service - stop
Service status:
C:\Program Files\RabbitMQ Server\rabbitmq_server-3.7.7\sbin>rabbitmqctl status
Status of node rabbit@WIN-055QHB70C6Q ...
[{pid,2192},
{running_applications,
[{rabbitmq_management,"RabbitMQ Management Console","3.7.7"},
{rabbitmq_web_dispatch,"RabbitMQ Web Dispatcher","3.7.7"},
{cowboy,"Small, fast, modern HTTP server.","2.2.2"},
{amqp_client,"RabbitMQ AMQP Client","3.7.7"},
{rabbitmq_management_agent,"RabbitMQ Management Agent","3.7.7"},
{rabbit,"RabbitMQ","3.7.7"},
{rabbit_common,
"Modules shared by rabbitmq-server and rabbitmq-erlang-client",
"3.7.7"},
{recon,"Diagnostic tools for production use","2.3.2"},
{ranch_proxy_protocol,"Ranch Proxy Protocol Transport","1.5.0"},
{ranch,"Socket acceptor pool for TCP protocols.","1.5.0"},
{ssl,"Erlang/OTP SSL application","9.0"},
{public_key,"Public key infrastructure","1.6"},
{mnesia,"MNESIA CXC 138 12","4.15.4"},
{asn1,"The Erlang ASN1 compiler version 5.0.6","5.0.6"},
{os_mon,"CPO CXC 138 46","2.4.5"},
{cowlib,"Support library for manipulating Web protocols.","2.1.0"},
{inets,"INETS CXC 138 49","7.0"},
{jsx,"a streaming, evented json parsing toolkit","2.8.2"},
{xmerl,"XML parser","1.3.17"},
{crypto,"CRYPTO","4.3"},
{lager,"Erlang logging framework","3.6.3"},
{goldrush,"Erlang event stream processor","0.1.9"},
{compiler,"ERTS CXC 138 10","7.2"},
{syntax_tools,"Syntax tools","2.1.5"},
{syslog,"An RFC 3164 and RFC 5424 compliant logging framework.","3.4.2"},
{sasl,"SASL CXC 138 11","3.2"},
{stdlib,"ERTS CXC 138 10","3.5"},
{kernel,"ERTS CXC 138 10","6.0"}]},
{os,{win32,nt}},
{erlang_version,
"Erlang/OTP 21 [erts-10.0] [64-bit] [smp:2:2] [ds:2:2:10] [async-threads:64
]\n"},
{memory,
[{connection_readers,0},
{connection_writers,0},
{connection_channels,0},
{connection_other,31988},
{queue_procs,0},
{queue_slave_procs,0},
{plugins,465588},
{other_proc,29769468},
{metrics,195780},
{mgmt_db,150248},
{mnesia,74600},
{other_ets,2872488},
{binary,169712},
{msg_index,30080},
{code,27499185},
{atom,1131721},
{other_system,9895974},
{allocated_unused,9764240},
{reserved_unallocated,0},
{strategy,rss},
{total,[{erlang,72286832},{rss,82051072},{allocated,82051072}]}]},
{alarms,[]},
{listeners,
[{clustering,25672,"::"},
{amqp,5672,"::"},
{amqp,5672,"0.0.0.0"},
{http,15672,"::"},
{http,15672,"0.0.0.0"}]},
{vm_memory_calculation_strategy,rss},
{vm_memory_high_watermark,0.4},
{vm_memory_limit,1717772288},
{disk_free_limit,50000000},
{disk_free,74446868480},
{file_descriptors,
[{total_limit,8092},
{total_used,2},
{sockets_limit,7280},
{sockets_used,0}]},
{processes,[{limit,1048576},{used,398}]},
{run_queue,1},
{uptime,82},
{kernel,{net_ticktime,60}}]
Your configuration file is named rabbitmq.conf, but is in the wrong format for that file extension. You should rename the file to have a .config extension, then restart the RabbitMQ service:
C:/Users/ADMINI~1.WIN/AppData/Roaming/RabbitMQ/rabbitmq.config
If you want to use the rabbitmq.conf file, you must use the ini-style format that is documented here: https://www.rabbitmq.com/configure.html#config-file-formats.
NOTE: the RabbitMQ team monitors the rabbitmq-users mailing list and only sometimes answers questions on StackOverflow.
In my case (in the same OS RabbitMQ 3.8.11, Erlang 22.3), I had to replace:
"C:\\temp\\cacert1.pem"
with:
C:/temp/cacert1.pem
Not sure what would happen if the path included whitespaces.
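For readers who take the first answer's second option, here is the question's Erlang-term configuration translated into the new-style `rabbitmq.conf` format. This is an added example, not part of either answer; the file paths and ports are the ones from the question, written with forward slashes as the second answer suggests (no quoting or backslash escaping is needed in this format). The one deliberate change from the question's settings is commented: `verify_none` together with `fail_if_no_peer_cert = false` opens the TLS listener to any client without checking a certificate, so the example asks for a client certificate signed by `cacert1.pem`; keep the question's values only if clients are authenticated some other way.

```ini
# rabbitmq.conf (new-style, sysctl-like format) - added example, not the
# question's own file. Assumed to live in the same directory as the old
# rabbitmq.conf shown above, which must be removed or renamed first.

# Plain AMQP only on loopback (the question bound it to "localhost"),
# TLS on 5671.
listeners.tcp.local   = 127.0.0.1:5672
listeners.ssl.default = 5671

# Forward slashes avoid the backslash problem noted in the second answer.
ssl_options.cacertfile = C:/temp/cacert1.pem
ssl_options.certfile   = C:/temp/cert.pem
ssl_options.keyfile    = C:/temp/key.pem

# Question used verify_none / fail_if_no_peer_cert = false, i.e. any client
# may connect over TLS unauthenticated. Require a client certificate signed
# by cacert1.pem instead; revert both lines if clients cannot present one.
ssl_options.verify               = verify_peer
ssl_options.fail_if_no_peer_cert = true

# ssl:versions() above lists tlsv1 and tlsv1.1 as supported; only offer 1.2.
ssl_options.versions.1 = tlsv1.2

# Socket options carried over from the question's tcp_listen_options.
tcp_listen_options.backlog       = 128
tcp_listen_options.nodelay       = true
tcp_listen_options.keepalive     = true
tcp_listen_options.exit_on_close = false
```

After restarting the service, `rabbitmqctl status` should list an `amqp/ssl` listener on 5671 next to the `amqp` entries shown in the question, and `openssl s_client -connect localhost:5671 -cert C:\temp\cert.pem -key C:\temp\key.pem -CAfile C:\temp\cacert1.pem`, as already used in the question, should complete the handshake with `Verify return code: 0 (ok)`.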
I have been struggling with the configuration of WSO2 ESB for a few days now when trying to access an https web service. I have followed numerous pieces of advice and what I have done so far is to
import the web service client certificate into client-truststore.jks in repository/resources/security
add proxy access parameters to repository/conf/axis2/axis2.xml (because the ESB is behind a corporate firewall)
add the AllowAll parameter to the https transportSender in axis2.xml
restart the ESB, and I still get the exception
http-nio-9443-exec-50, SEND TLSv1 ALERT: fatal, description = certificate_unknown
http-nio-9443-exec-50, WRITE: TLSv1 Alert, length = 2
http-nio-9443-exec-50, called closeSocket()
http-nio-9443-exec-50, handling exception: javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No name matching my.domain.com found
http-nio-9443-exec-50, WRITE: TLSv1 Application Data, length = 1
http-nio-9443-exec-50, WRITE: TLSv1 Application Data, length = 154
I am using jdk1.6_34 and tried with WSO2 ESB 4.5.1 and 4.6 with the same results.
The logging is showing the ssl handshake being started but then ends with the error above. All the googling suggests that the hostnameverifier parameter should do the trick but clearly doesn't. Is there somewhere else I should be configuring this or if this parameter is being overridden somewhere else? I have run out of options and places to look with this.
Edit:
I have had another attempt at this and, by setting the host name in my hosts file to the CN specified in the client certificate, I can now get a bit further, but I am now getting another error which I can't seem to fathom.
The specific error is "... no IV used for this cipher", but with the debug trace being
Found trusted certificate:
[
[
Version: V1
Subject: CN=mydomain.com, O=my o, ST=INTERFACES, C=GB
Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5
Key: Sun RSA public key, 1024 bits
modulus:#### loads of numbers here ####
public exponent: 65537
Validity: [From: Mon Apr 22 14:26:25 BST 2013,
To: Tue Apr 22 14:26:25 BST 2014]
Issuer: CN=ath-st2-API-a, O=Northgate IS, ST=INTERFACES, C=GB
SerialNumber: [ a4cf31a6 9c0d920d]
]
Algorithm: [SHA1withRSA]
Signature:
### signature here ###
]
http-nio-9443-exec-13, READ: SSLv3 Handshake, length = 98
*** CertificateRequest
Cert Types: RSA, DSS
Cert Authorities:
<CN=mydomain.com, O=my o, ST=INTERFACES, C=GB>
*** ServerHelloDone
http-nio-9443-exec-13, SEND SSLv3 ALERT: warning, description = no_certificate
http-nio-9443-exec-13, WRITE: SSLv3 Alert, length = 2
*** ClientKeyExchange, RSA PreMasterSecret, SSLv3
http-nio-9443-exec-13, WRITE: SSLv3 Handshake, length = 132
SESSION KEYGEN:
PreMaster Secret:
###master secret here ####
CONNECTION KEYGEN:
Client Nonce:
0000: 52 45 86 22 10 B0 E2 EF 19 10 B1 04 ED C9 6F B0 RE."..........o.
0010: C3 8E BC D6 2C C9 5E D0 CA 8E 88 6B 22 53 1D B0 ....,.^....k"S..
Server Nonce:
0000: 52 45 86 23 B0 56 30 EC 84 F0 48 C1 F7 31 0C 5C RE.#.V0...H..1.\
0010: 43 B3 CB 25 DA 19 4C 0E B1 71 CB 17 8E 0C 62 04 C..%..L..q....b.
Master Secret:
0000: C3 F4 6B 9B EB 50 67 BD 6C A8 F0 63 88 A1 5A C7 ..k..Pg.l..c..Z.
0010: E5 CD A4 9A 46 95 3F B3 13 2D 4E BF 77 2C 64 86 ....F.?..-N.w,d.
0020: 44 D2 89 B5 09 EE 96 E5 8B 8D E2 30 04 09 F2 D3 D..........0....
Client MAC write Secret:
0000: F7 76 83 C9 16 F5 CB 33 E3 43 3F 7B 68 2E 8A 6F .v.....3.C?.h..o
Server MAC write Secret:
0000: CC FB 14 CE 21 AD C8 BC 20 C1 A5 2B 0B 2B 83 35 ....!... ..+.+.5
Client write key:
0000: 9C 9E FA A5 68 6E 27 2C E0 6E 80 9D ED C9 1C 01 ....hn',.n......
Server write key:
0000: B7 5A 24 DD 6F 65 5A 7E C8 AD 4A 29 E4 09 08 6D .Z$.oeZ...J)...m
... no IV used for this cipher
http-nio-9443-exec-13, WRITE: SSLv3 Change Cipher Spec, length = 1
*** Finished
verify_data: { 174, 247, 182, 190, 5, 104, 242, 127, 216, 79, 94, 15, 215, 236, 236, 211, 30, 51, 116, 56, 138, 144, 19, 125, 0, 54, 52, 114, 173, 138, 170, 166, 24, 67, 108, 102 }
***
http-nio-9443-exec-13, WRITE: SSLv3 Handshake, length = 56
http-nio-9443-exec-13, READ: SSLv3 Alert, length = 2
http-nio-9443-exec-13, RECV SSLv3 ALERT: fatal, handshake_failure
http-nio-9443-exec-13, called closeSocket()
http-nio-9443-exec-13, handling exception: javax.net.ssl.SSLHandshakeException: Received fatal alert
: handshake_failure
http-nio-9443-exec-13, WRITE: TLSv1 Application Data, length = 1
http-nio-9443-exec-13, WRITE: TLSv1 Application Data, length = 154
http-nio-9443-ClientPoller-0, called closeOutbound()
http-nio-9443-ClientPoller-0, closeOutboundInternal()
http-nio-9443-ClientPoller-0, SEND TLSv1 ALERT: warning, description = close_notify
http-nio-9443-ClientPoller-0, WRITE: TLSv1 Alert, length = 32
Finalizer, called close()
Finalizer, called closeInternal(true)
I have tried passing https.protocols=SSLv3,SSLv2Hello or https.protocols=SSLv3 in the axis2 config file as a parameter to the https sender transport, but this doesn't help either.
Suggestions welcome.
thanks
Conrad
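The two traces in the question are two different failures, and the JSSE debug output states both if read in order. The first attempt dies in the client's own trust manager: `No name matching my.domain.com found` is hostname verification rejecting a server certificate whose CN/SAN does not cover the name being connected to, and the ESB answers with a `certificate_unknown` alert before any key exchange. The second attempt gets past that (thanks to the hosts-file change) and then shows a server that sends `CertificateRequest`, a client that answers `no_certificate` because it has no client key to offer, and a server that responds with a fatal `handshake_failure`: the service requires mutual TLS, and a certificate imported into a truststore only makes it trusted, it does not give the ESB a private key to authenticate with. The `no IV used for this cipher` line in between is routine key-derivation logging for a cipher without an IV and is not an error. The script below, an added example and not code from the question, is a small triage tool for JSSE `javax.net.debug=ssl` traces that extracts exactly those facts. Its sample input is quoted from the question's own log lines, trimmed to the lines the diagnosis needs; the finding codes and the wording of the advice are my own.

```python
"""Triage helper for JSSE (javax.net.debug=ssl) handshake traces.

Added example: feeds selected lines from the question's two traces through a
few pattern checks and reports what the handshake actually failed on.
"""
import re

# Sample input: lines quoted from the question's first trace.
SAMPLE_FIRST_ATTEMPT = """\
http-nio-9443-exec-50, SEND TLSv1 ALERT: fatal, description = certificate_unknown
http-nio-9443-exec-50, WRITE: TLSv1 Alert, length = 2
http-nio-9443-exec-50, called closeSocket()
http-nio-9443-exec-50, handling exception: javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No name matching my.domain.com found
"""

# Sample input: lines quoted from the question's second trace (key material omitted).
SAMPLE_SECOND_ATTEMPT = """\
*** CertificateRequest
Cert Types: RSA, DSS
Cert Authorities:
<CN=mydomain.com, O=my o, ST=INTERFACES, C=GB>
*** ServerHelloDone
http-nio-9443-exec-13, SEND SSLv3 ALERT: warning, description = no_certificate
*** ClientKeyExchange, RSA PreMasterSecret, SSLv3
... no IV used for this cipher
http-nio-9443-exec-13, WRITE: SSLv3 Change Cipher Spec, length = 1
*** Finished
http-nio-9443-exec-13, RECV SSLv3 ALERT: fatal, handshake_failure
http-nio-9443-exec-13, handling exception: javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
"""

HOSTNAME_RE = re.compile(r"No name matching (\S+) found")
SENT_ALERT_RE = re.compile(r"SEND \S+ ALERT: (fatal|warning), description = (\w+)")
RECV_ALERT_RE = re.compile(r"RECV \S+ ALERT: (fatal|warning), (\w+)")
CA_RE = re.compile(r"^<(.+)>$")  # entries under "Cert Authorities:"


def diagnose(log_text):
    """Return a list of (code, explanation) findings for one handshake trace."""
    findings = []
    cert_request = False      # server sent CertificateRequest
    in_ca_list = False        # currently reading the accepted-CA list
    accepted_cas = []
    no_cert_sent = False      # client answered with the no_certificate alert
    received_fatal = None     # fatal alert description sent by the server

    for raw in log_text.splitlines():
        line = raw.strip()
        if line == "*** CertificateRequest":
            cert_request = True
        elif line == "Cert Authorities:":
            in_ca_list = True
            continue
        elif in_ca_list:
            m = CA_RE.match(line)
            if m:
                accepted_cas.append(m.group(1))
                continue
            in_ca_list = False  # list ended; keep examining this line below

        m = HOSTNAME_RE.search(line)
        if m:
            findings.append(("HOSTNAME_MISMATCH",
                             f"server certificate does not match host {m.group(1)}; "
                             "fix the certificate's SAN/CN or the name the client connects to, "
                             "importing it into the truststore does not help"))
        m = SENT_ALERT_RE.search(line)
        if m and m.group(2) == "no_certificate":
            no_cert_sent = True
        m = RECV_ALERT_RE.search(line)
        if m and m.group(1) == "fatal":
            received_fatal = m.group(2)
        if "no IV used for this cipher" in line:
            findings.append(("INFO_NO_IV",
                             "'no IV used for this cipher' is normal key-generation output "
                             "for a cipher without an IV; it is not the cause of the failure"))

    if cert_request and no_cert_sent:
        detail = "server requested a client certificate"
        if accepted_cas:
            detail += " issued by " + "; ".join(accepted_cas)
        detail += " and the client answered no_certificate"
        if received_fatal:
            detail += f", after which the server sent fatal {received_fatal}"
        detail += ("; load the client certificate and its private key into the keystore "
                   "used for outgoing https (the truststore only supplies trusted CAs)")
        findings.append(("CLIENT_CERT_REQUIRED", detail))
    elif received_fatal:
        findings.append(("PEER_ABORTED", f"server sent fatal alert {received_fatal}"))
    return findings


if __name__ == "__main__":
    for name, sample in (("first attempt", SAMPLE_FIRST_ATTEMPT),
                         ("second attempt", SAMPLE_SECOND_ATTEMPT)):
        print(name)
        for code, text in diagnose(sample):
            print(f"  {code}: {text}")
```

Run it against a full `-Djavax.net.debug=ssl,handshake` capture rather than the trimmed samples; the CA list it extracts from `CertificateRequest` tells you which issuer the client certificate must chain to, which is what the ESB's keystore entry has to satisfy.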