[rabbitmq-discuss] Problem opening an SSL connection

Chris Duncan celldee at gmail.com
Thu Sep 24 17:49:28 BST 2009


Hi Matthew,

I've now got this working :)

On 23 Sep 2009, at 16:50, Matthew Sackman wrote:

> Hi Chris,
>
> On Wed, Sep 23, 2009 at 04:32:13PM +0100, Chris Duncan wrote:
>> I wanted to get the simplest case running which is to connect without
>> using any certificates. I decided to try to follow the instructions
>> in the wiki - https://dev.rabbitmq.com/wiki/SslSupport - and so
>> created a rabbit.conf file with similar contents to the example (only
>> the paths differ).
>
> Please note that the instructions on that wiki page are not entirely
> correct and indeed we are going to remove it. The SSL instructions have
> been rewritten and will appear on the main website (not on dev.rabbitmq)
> when v1.7 gets released.
>
>> It contains -
>>
>> RABBITMQ_SERVER_START_ARGS="-rabbit ssl_listeners [{\"0.0.0.0\",
>> 5671}] -rabbit ssl_options
>> [{cacertfile,\"/path/to/testca/cacert.pem\"},{certfile,\"/path/to/
>> server/cert.pem\"},
>>   {keyfile,\"/path/to/server/key.pem\"},{verify,verify_peer},
>> {fail_if_no_peer_cert,false}]"
>>
>> When I try to connect I get a 'Connection reset by peer' error and
>> these entries in rabbit.log -
>>
>> =INFO REPORT==== 23-Sep-2009::09:22:24 ===
>> accepted TCP connection on 0.0.0.0:5671 from 127.0.0.1:51689
>>
>> =ERROR REPORT==== 23-Sep-2009::09:22:24 ===
>> failed to upgrade TCP connection from 127.0.0.1:51689 to SSL:
>> {eoptions,{cacertfile,[]}}
>
> I think that it's not happy with your cacert file. That line in your
> rabbit.conf file must be one single line. Also make sure there are no
> spaces anywhere between the square brackets.
>

Thanks for the pointer. I regenerated a self-signed server
certificate and key (I think I messed up the CN bit before) then I
put the following in my rabbit.conf file -

RABBITMQ_SERVER_START_ARGS="-rabbit ssl_listeners [{\"0.0.0.0\",5671}] -rabbit ssl_options [{cacertfile,\"/path/to/testca/server.crt\"},{certfile,\"/path/to/server/server.crt\"},{keyfile,\"/path/to/server/server.key\"},{verify,verify_none},{fail_if_no_peer_cert,false}]"

I connected using openssl s_client and my Ruby code :)

> If you can't make any progress, can you send in your cacert.pem,
> cert.pem and key.pem files (obviously, fakes, not the real thing!), and
> we'll see if we can make it work.
>
> Matthew
>
> _______________________________________________
> rabbitmq-discuss mailing list
> rabbitmq-discuss at lists.rabbitmq.com
> http://lists.rabbitmq.com/cgi-bin/mailman/listinfo/rabbitmq-discuss
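
Added example (not part of the original thread and not RabbitMQ's own code): a small Python check for a rabbit.conf line of the kind posted above. It applies the two formatting rules from Matthew's reply (single line, no spaces inside the square brackets) and reports whether client certificates are actually verified. The function name, the finding labels and both sample strings are constructed for illustration.

```python
import re

# Constructed samples modelled on the two rabbit.conf lines in this thread.
BROKEN = r'''RABBITMQ_SERVER_START_ARGS="-rabbit ssl_listeners [{\"0.0.0.0\",
5671}] -rabbit ssl_options [{cacertfile,\"/path/to/testca/cacert.pem\"},
{verify,verify_peer},{fail_if_no_peer_cert,false}]"'''
FIXED = (r'RABBITMQ_SERVER_START_ARGS="-rabbit ssl_listeners [{\"0.0.0.0\",5671}] '
         r'-rabbit ssl_options [{cacertfile,\"/path/to/testca/server.crt\"},'
         r'{certfile,\"/path/to/server/server.crt\"},'
         r'{keyfile,\"/path/to/server/server.key\"},'
         r'{verify,verify_none},{fail_if_no_peer_cert,false}]"')


def lint_start_args(conf_text):
    """Return finding labels (hypothetical names) for the START_ARGS value."""
    # Capture everything between the outer quotes, allowing \" escapes inside.
    m = re.search(r'RABBITMQ_SERVER_START_ARGS="((?:\\.|[^"\\])*)"', conf_text, re.S)
    if not m:
        return ["not-found"]
    value, findings = m.group(1), []
    if "\n" in value:
        findings.append("multiline")          # the value must be one single line
    depth = 0
    for ch in value:
        if ch == "[":
            depth += 1
        elif ch == "]":
            depth -= 1
        elif ch.isspace() and depth > 0:      # whitespace inside [...]
            findings.append("space-in-brackets")
            break
    verify = re.search(r"\{verify,\s*(\w+)\s*\}", value)
    need_cert = re.search(r"\{fail_if_no_peer_cert,\s*(\w+)\s*\}", value)
    if verify is None or verify.group(1) == "verify_none":
        # No client certificate is requested or checked (also the case when
        # the verify option is left out).
        findings.append("verify_none")
    elif not (need_cert and need_cert.group(1) == "true"):
        # verify_peer, but clients that present no certificate are accepted.
        findings.append("peer-cert-optional")
    return findings


if __name__ == "__main__":
    for name, text in (("BROKEN", BROKEN), ("FIXED", FIXED)):
        print(name, lint_start_args(text))
```

The "verify_none" and "peer-cert-optional" labels are informational: with either setting the listener encrypts traffic but does not require clients to authenticate with a certificate.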




