RabbitMQ+TLS: ssl_upgrade_error - ssl

Following the directions stated here, I have set up a certificate authority and created the rabbitmq.config with the appropriate fields. However, when I try to connect to the RabbitMQ server with
openssl s_client -connect 127.0.0.1:5671 -tls1
I get the following in standard output:
CONNECTED(00000003)
write:errno=104
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 0 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1
Cipher : 0000
Session-ID:
Session-ID-ctx:
Master-Key:
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1449612785
Timeout : 7200 (sec)
Verify return code: 0 (ok)
---
and I see the following error in the logs:
=ERROR REPORT==== 8-Dec-2015::16:13:10 ===
Error on AMQP connection <0.257.0>:
{ssl_upgrade_error,
{options,
{cacertfile,"/home/nthompson/learn_celery/testca/cacert.pem",
{error,eacces}}}}
What could be the problem?
I have tried the following, with no success:
Open up the permissions of cacert.pem, i.e., I ran chmod 444 cacert.pem as well as some more hopeless permissions, no dice.
Validated that all intermediate directories have permissions of 775.
Validated that the RabbitMQ server was indeed listening on port 5671, and it was:
$ sudo rabbitmq status
{listeners,[{clustering,25672,"::"},{amqp,5672,"::"},{'amqp/ssl',5671,"::"}]},
Checked all paths in rabbitmq.config, and loosened up the certificate exchange policy by setting {verify,verify_none} and {fail_if_no_peer_cert,false}.
Enabled the use of the rabbitmq_auth_mechanism_ssl plugin via
$ sudo rabbitmq-plugins enable rabbitmq_auth_mechanism_ssl
and verified that it was picked up by rabbitmq-server. In addition, I added {auth_mechanisms, ['PLAIN', 'AMQPLAIN', 'EXTERNAL']} to the rabbitmq.config.
RabbitMQ version is 3.5.4 (default apt-get), but I also upgraded to 3.5.6 (latest) to see if this would go away.

After a lot of messing around and searching I FINALLY got it!
In my case, the issue was caused by the certification files ownership and permissions.
I edited my /etc/rabbitmq/rabbitmq.config so that the certificate, key and CAfile pointed to /etc/rabbitmq/conf/<file>.pem, copied the original .pem files in /etc/rabbitmq/conf/ then I chown -R rabbitmq:rabbitmq /etc/rabbitmq/conf and restarted the service service rabbitmq-server restart and it worked.

Related

How to set up TLS on verneMQ Broker on AKS

I'm baffled by this one. I followed instructions setting up mqtts port and server certs -
enable the port
create a k8s secret with my ca cert and intermediate cert file as well as .key ( I tried with both .crt/.key and pem files, neither option worked).
set up mount
set up docker environment variables as below -
- name: DOCKER_VERNEMQ_LISTENER__SSL__CAFILE
value: "/etc/ssl/vernemq/vernemq_ca.crt"
- name: DOCKER_VERNEMQ_LISTENER__SSL__CERTFILE
value: "/etc/ssl/vernemq/vernemq.crt"
- name: DOCKER_VERNEMQ_LISTENER__SSL__KEYFILE
value: "/etc/ssl/vernemq/vernemq.key"
- name: DOCKER_VERNEMQ_LISTENER__SSL__REQUIRE_CERTIFICATE
value: "on"
- name: DOCKER_VERNEMQ_LISTENER__SSL__DEFAULT
value: "0.0.0.0:8883"
- name: DOCKER_VERNEMQ_LISTENER__TCP__DEFAULT
value: "0.0.0.0:1883"
However, when I tried running test with mosquitto_pub by passing in --cafile, I'm getting "protocol error". Did anyone set up VerneMQ TLS to work?
mosquitto_pub -h <hostIP> -t test -m ‘test’ --cafile ca.crt -i testClient -d
Client testClient sending CONNECT
Error: Protocol error
I used openssl s-client connect to test the connection, I'm getting write: error(54) with some other output. How can I get around that? Thanks!
CONNECTED(00000003)
write:errno=54
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 287 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.3
Cipher : 0000
Session-ID:
Session-ID-ctx:
Master-Key:
Start Time: 1670975815
Timeout : 7200 (sec)
Verify return code: 0 (ok)
I tried using self generated certs, it didn't work either. I also tested try setting up chained CA files, using different format...etc. To no avail

Cannot established ssl connection with rabbitmq

I am trying to establish ssl connection with rabbitmq broker.
I follow this page to help me and I find my bug, but I don't know who to resolve it. I am stuck at the test connection with the broker :
openssl s_client -connect localhost:5671 -cert client/cert.pem -key client/key.pem -CAfile testca/cacert.pem
CONNECTED(00000003)
write:errno=104
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 289 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1.2
Cipher : 0000
Session-ID:
Session-ID-ctx:
Master-Key:
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1470206187
Timeout : 300 (sec)
Verify return code: 0 (ok)
---
And I have no log but I need accepting AMQP connection.
#Rabbimq.conf
[
{rabbit, [
{ssl_listeners, [5671]},
{ssl_options, [{cacertfile,".../testca/cacert.pem"},
{certfile,".../server/cert.pem"},
{keyfile,".../server/key.pem"},
{ciphers, [{rsa,aes_256_cbc,sha256}]},
{verify,verify_peer},
{fail_if_no_peer_cert,false}]}
]}
].
The certificates that I use are validated, verified and created with the doc.
I think is this issue that does not allow me to perform a ssl connection.
Thanks
Edit: I created the certificates at /var/lib/rabbitmq with the user rabbitmq and like this permissions goes right and the server can access to the certs.
Everything worked for me after I replaced in rabbitmq.config
{certfile,".../server/cert.pem"},
to full file path.
{certfile,"/data/server/cert.pem"}
The rabbitmq says nothing when it can't find or can't read certificate file.
Check permissions for certificate files!

openssl connection on a self-cerficated server

I'm performing this command in order to check whether I'm able to create a SSL connection:
openssl s_client -connect private-server:5000
private-server is a server I've set up with a self-generated certificate.
The output is:
CONNECTED(00000003)
140180300502672:error:140790E5:SSL routines:ssl23_write:ssl handshake failure:s23_lib.c:177:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 308 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : 0000
Session-ID:
Session-ID-ctx:
Master-Key:
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1467812448
Timeout : 300 (sec)
Verify return code: 0 (ok)
---
What I need to get the connection right?
Thanks.
SSL handshake has read 0 bytes and written 308 bytes
The client has started with the SSL handshake but the server has closed the connection without sending anything back. There might be a lot of reasons for this like a firewall blocking the connection, various configuration errors on the server, server not expecting TLS at all, server expecting SNI ...
Unfortunately it can not be said from the information you provide which exactly is the cause of the problem. You might try with different clients (browser) to find out, if the problem is more at the server or middlebox site (i.e. none of the clients work) or if it is more a problem which can maybe fixed on the client site (some clients work, others not).

Problems getting a site's https certificates

I have an Android app that has some trouble with a site's certificate when connecting via https. As I'm experiencing trouble even when using a custom keystore with the certificates ("No peer certificate") I'm trying to get more information about the connection, handshake and certificates actually given by the server.
The version of openssl is follows:
$ openssl version
OpenSSL 1.0.1e 11 Feb 2013
When I just try to get info about the certificates I get this response:
$ openssl s_client -showcerts -connect [hostname]:443 </dev/null
CONNECTED(00000003)
3069977808:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:749:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 308 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
---
This is how Chrome describes the connection (sorry for the Norwegian text, but you get an idea of the connection and encryption type:
Based on the info from Chrome I've tried different commands to get the certificates, but they all seem to fail. My top candidate was this one:
$ openssl s_client -showcerts -connect [hostname]:443 -tls1_2 -cipher RC4-MD5
CONNECTED(00000003)
3069396176:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1258:SSL alert number 40
3069396176:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:596:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 0 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1.2
Cipher : 0000
Session-ID:
Session-ID-ctx:
Master-Key:
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1414399499
Timeout : 7200 (sec)
Verify return code: 0 (ok)
---
Anyone got any hints based on the info given?
This might be an SNI issue, where the server has no default certificate defined for non-SNI clients. Android included a version of Apaches httpclient which is known to not support SNI and your openssl s_client command also does not use SNI.
Please try openssl s_client -servername hostname -connect ... to use SNI and see if this helps.

OpenSSL error using Active Merchant for Moneris

My production app uses ActiveMerchant and is unable to process credit cards over https with a single gateway, Moneris. All other gateways Authorize.net, Paypal, Beanstream, etc) experience no errors. The error I receive is:
OpenSSL::SSL::SSLError (SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed):
The people at Moneris have told me that they have updated their SSL certificate
to 2048bit SSL encryption (from the current 1024 SSL encryption) and that the upgraded certificate will be issued by VeriSign. Our wildcard SSL uses 2432--more than the Moneris 2047 requirement.
So, they suggested that in addition to the files I normally upload for my SSL bundle, I have to add their Verisign certs. My Heroku command looks like this:
$ heroku certs:upgrade --app myapp AddTrustExternalCARoot.crt ComodoUTNSGCCA.crt EssentialSSLCA_2.crt STAR_myapp_com.crt UTNAddTrustSGCCA.crt Verisign_chain_Gr.cer Verisign_G5.cer server.key
I have tried virtually everything including the fix_ssl.rb suggestion here (OpenSSL::SSL::SSLError on Heroku) where I call the ca-certificates.crt from my /usr/lib/ssl/certs directory from Heroku.
require 'open-uri'
require 'net/https'
module Net
class HTTP
alias_method :original_use_ssl=, :use_ssl=
def use_ssl=(flag)
self.ca_path = Rails.root.join('/usr/lib/ssl/certs/ca-certificates.crt').to_s
self.verify_mode = OpenSSL::SSL::VERIFY_PEER
self.original_use_ssl = flag
end
end
end
I've tried everything: placing the Heroku bundle in my /lib directory, adding the 'certified' gem, etc, etc. and spent hours on the phone with Moneris to no avail. Does anyone know what more I can do to allow this one gateway to process credit cards?
My guess is that the trusted list of CA certificates that openssl is using to verify Moneris' server certificate is out-dated. So try getting the cacert.pem extracted from Mozilla's ca-bundle (http://curl.haxx.se/docs/caextract.html does this for you). This is more necessary these days as far as openssl is concerned as openssl is no longer bundled with CA certs which is why I'm suspecting whatever ca-certs you're using might be out of date.
First I tried to reproduce your problem with the command:
openssl s_client -connect www3.moneris.com:443
and got ...
New, TLSv1/SSLv3, Cipher is RC4-MD5
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1.2
Cipher : RC4-MD5
Session-ID: 73178D4019035AE86399D0E6D2FFB904A1412D0F5D3F83370E52F50E9E26B73C
Session-ID-ctx:
Master-Key: 0BB841912F11185B7CBAFA524571765DD7372990819EBC44E311DE4EF0C70E480501D6F87C8AA439C4F827B0908123F7
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1380816775
Timeout : 300 (sec)
Verify return code: 20 (unable to get local issuer certificate)
---
Then I used the cacert.pem extracted from Mozilla thanks to http://curl.haxx.se/docs/caextract.html
and re-issued the openssl command like so:
openssl s_client -connect www3.moneris.com:443 -CAfile cacert.pem
and got ...
New, TLSv1/SSLv3, Cipher is RC4-MD5
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1.2
Cipher : RC4-MD5
Session-ID: 73178D401902F7EB6399D0E6D2FFB804CE0F7219344405EA0E52F50E9E26B4DB
Session-ID-ctx:
Master-Key: C0B32810FB7E0158A156E7D05DBB35F3CE8935284F165C3FB636700EEEC8BCE991BCE8850D39020E298F337B6E58132A
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1380816992
Timeout : 300 (sec)
Verify return code: 0 (ok)
---
So in your code snippet, above, try replacing:
self.ca_path = Rails.root.join('/usr/lib/ssl/certs/ca-certificates.crt').to_s
with:
self.ca_file = <full path name>/cacert.pem
where cacert.pem is extracted from the Mozilla ca-bundle