[rabbitmq-discuss] Using rabbitmq_auth_mechanism_ssl with the .NET client

John Ruiz jruiz at johnruiz.com
Fri Dec 30 16:19:27 GMT 2011

Now that I have all of this working, I need to switch over from an
openssl-based CA to our production CA, which is Active Directory
Certificate Services.  All certificates are issued by the subordinate
enterprise CA --> ISSUE01.devexample.com.

I have a certificate for myself in my personal store on
DC01.devexample.com (Windows Server).

The RabbitMQ Service runs as Local System on APP01.devexample.com
(Windows Server) so there's a certificate for APP01.devexample.com in
the Local Computer's Personal store.

The Root CA certificate is already in Trusted Root Certs on all
machines in the domain devexample.com.  The ISSUE01 CA cert is in the
Intermediate Certification Authority store everywhere as well.

I have exported the Root CA cert to a DER file and then moved it to a
linux machine where I used openssl to convert it to PEM.  I then moved
it back to APP01.  Next, I exported APP01's cert (with private key) to
a PFX file, moved it to a linux machine and extracted the signed
public key cert and the private key cert.

# extract the private key (still password protected)
openssl.exe pkcs12 -in publicAndprivate.pfx -nocerts -out

# extract the public cert
openssl.exe pkcs12 -in publicAndprivate.pfx -clcerts -nokeys -out

# remove the password protection
openssl.exe rsa -in privateKey.pem -out app01-private.pem

I moved all of these PEMs back to APP01 -- the CA's public cert,
APP01's public cert, and APP01's private key.  Here is my

  {rabbit, [
     {ssl_listeners, [5671]},
     {ssl_options, [{cacertfile,"C:/Keys/pki-root-ca.pem"},

When I run the code that I've already listed in my blog post, I get
this exception: http://pastebin.com/9USFHWzf

In the rabbit log, I see this: http://pastebin.com/GsWsxLGV

As far as I can tell, I've done everything correctly.  I've ensured
that my code references APP01.devexample.com, exactly as it appears on
the certificate (Subject: CN = APP01.devexample.com).

What should I do/try?

Please help!

On Dec 27, 4:22 pm, John Ruiz <jr... at johnruiz.com> wrote:
> I have figured it out.  There were two issues.
> 1. Add the external mechanism factory to your connection factory's
> auth mechanisms
>     i.e. -- cf.AuthMechanisms = new AuthMechanismFactory[] { new
> ExternalMechanismFactory() };
> 2. Configure the server's auth_mechanisms variable in your
> rabbitmq.config.
>     Here is my complete rabbitmq.config:
> [
>   {rabbit, [
>      {auth_mechanisms,['EXTERNAL']},
>      {ssl_listeners, [5671]},
>      {ssl_options, [{cacertfile,"C:/Path/To/Your/cacert.pem"},
>                     {certfile,"C:/Path/To/Your/cert.pem"},
>                     {keyfile,"C:/Path/To/Your/key.pem"},
>                     {verify,verify_peer},
>                     {fail_if_no_peer_cert,true}]}
>    ]}
> ].
> On Dec 27, 1:16 pm, John Ruiz <jr... at johnruiz.com> wrote:
> > Hi All,
> > I've successfully followed the SSL tutorial and gotten my .NET client
> > to connect, send, and receive messages over SSL.  See my blog for the
> > code: http://blog.johnruiz.com/2011/12/establishing-ssl-connection-to-rabbi....
> > As the next step, I enabled the plugin "rabbitmq_auth_mechanism_ssl"
> > and then re-installed the Windows Service.  Then I re-ran the code I
> > have listed in my blog -- with the addition of a Console.ReadLine() at
> > the end of my using statements so I can see the connection details in
> > the management web app.
> > I am still connecting as guest.  What do I need to do in order to
> > connect as the CN of the Subject on my certificate?
> > Thanks!
> > ~ jR
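As an added example, not code from the blog post or from this thread: a minimal .NET client that pairs with the rabbitmq.config quoted above (auth_mechanisms EXTERNAL, verify_peer, fail_if_no_peer_cert), taking the client certificate from the Windows personal store instead of a PFX on disk. The broker host name is the one named in the thread; the subject-name lookup, queue name and store location are assumptions.

```csharp
using System;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;
using RabbitMQ.Client;

class ExternalAuthClient
{
    static void Main()
    {
        // Broker host as given in the thread; the TLS ServerName must match the
        // CN on the broker's certificate (Subject: CN = APP01.devexample.com).
        const string brokerHost = "APP01.devexample.com";

        // Pick the client certificate out of the current user's personal store,
        // so the private key never has to be exported to a file.
        // "jruiz" is a hypothetical subject name; validOnly rejects expired or
        // untrusted certificates before they are ever offered to the broker.
        var store = new X509Store(StoreName.My, StoreLocation.CurrentUser);
        store.Open(OpenFlags.ReadOnly);
        X509Certificate2Collection clientCerts = store.Certificates.Find(
            X509FindType.FindBySubjectName, "jruiz", validOnly: true);
        store.Close();
        if (clientCerts.Count == 0)
            throw new InvalidOperationException("no valid client certificate in the personal store");

        var cf = new ConnectionFactory
        {
            HostName = brokerHost,
            Port = 5671,
            // EXTERNAL: the broker derives the user from the client certificate,
            // so UserName/Password are not used for this connection.
            AuthMechanisms = new AuthMechanismFactory[] { new ExternalMechanismFactory() }
        };
        cf.Ssl.Enabled = true;
        cf.Ssl.ServerName = brokerHost;
        cf.Ssl.Certs = clientCerts;
        // Accept no policy errors: a broker certificate whose chain does not
        // build to a trusted root (e.g. missing intermediate) must fail loudly.
        cf.Ssl.AcceptablePolicyErrors = SslPolicyErrors.None;

        using (IConnection conn = cf.CreateConnection())
        using (IModel ch = conn.CreateModel())
        {
            ch.QueueDeclare("external-auth-test", false, false, false, null);
            ch.BasicPublish("", "external-auth-test", null,
                            System.Text.Encoding.UTF8.GetBytes("hello over TLS"));
            Console.WriteLine("Connected; check the user shown under Connections in the management UI.");
            Console.ReadLine(); // keep the connection open while you look
        }
    }
}
```

With fail_if_no_peer_cert set on the broker, a handshake that never presents clientCerts (empty Find result, wrong store) is refused at the TLS layer, before EXTERNAL authentication runs.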
