[rabbitmq-discuss] Using rabbitmq_auth_mechanism_ssl with the .NET client

John Ruiz jruiz at johnruiz.com
Fri Dec 30 16:48:41 GMT 2011


I have a certificate with the following Subject:
"CN=John Ruiz, CN=Users, DC=devexample, DC=com"

When you look at rabbit_ssl.erl's find_by_type function (this is my
first time seeing Erlang code, btw), I notice that there's a "<-
lists:flatten(RDNs)" line.  I don't know what the result of
lists:flatten will be.  This is probably why the connection suddenly
ends... the user I've created for rabbit isn't matching what the cert
says.

Can anyone help me?

On Dec 30, 11:19 am, John Ruiz <jr... at johnruiz.com> wrote:
> Now that I have all of this working, I need to switch over from an
> openssl-based CA to our production CA, which is Active Directory
> Certificate Services.  All certificates are issued by the subordinate
> enterprise CA --> ISSUE01.devexample.com.
>
> I have a certificate for myself in my personal store on
> DC01.devexample.com (Windows Server).
>
> The RabbitMQ Service runs as Local System on APP01.devexample.com
> (Windows Server) so there's a certificate for APP01.devexample.com in
> the Local Computer's Personal store.
>
> The Root CA certificate is already in Trusted Root Certs on all
> machines in the domain devexample.com.  The ISSUE01 CA cert is in the
> Intermediate Certification Authority store everywhere as well.
>
> I have exported the Root CA cert to a DER file and then moved it to a
> linux machine where I used openssl to convert it to PEM.  I then moved
> it back to APP01.  Next, I exported APP01's cert (with private key) to
> a PFX file, moved it to a linux machine and extracted the signed
> public key cert and the private key cert.
>
> # extract the private key (still password protected)
> openssl.exe pkcs12 -in publicAndprivate.pfx -nocerts -out privateKey.pem
>
> # extract the public cert
> openssl.exe pkcs12 -in publicAndprivate.pfx -clcerts -nokeys -out app01.pem
>
> # remove the password protection
> openssl.exe rsa -in privateKey.pem -out app01-private.pem
>
> I moved all of these PEMs back to APP01 -- the CA's public cert,
> APP01's public cert, and APP01's private key.  Here is my
> rabbitmq.config
>
> [
>   {rabbit, [
>      {auth_mechanisms,['EXTERNAL']},
>      {ssl_listeners, [5671]},
>      {ssl_options, [{cacertfile,"C:/Keys/pki-root-ca.pem"},
>                     {certfile,"C:/Keys/app01.pem"},
>                     {keyfile,"C:/Keys/app01-private.pem"},
>                     {verify,verify_peer},
>                     {fail_if_no_peer_cert,true}]}
>    ]}
> ].
>
> When I run the code that I've already listed in my blog post, I get
> this exception: http://pastebin.com/9USFHWzf
>
> In the rabbit log, I see this: http://pastebin.com/GsWsxLGV
>
> As far as I can tell, I've done everything correctly.  I've ensured
> that my code references APP01.devexample.com, exactly as it appears on
> the certificate (Subject: CN = APP01.devexample.com).
>
> What should I do/try?
>
> Please help!
>
> On Dec 27, 4:22 pm, John Ruiz <jr... at johnruiz.com> wrote:
>
> > I have figured it out.  There were two issues.
>
> > 1. Add the external mechanism factory to your connection factory's
> > auth mechanisms
> >     i.e. -- cf.AuthMechanisms = new AuthMechanismFactory[] { new ExternalMechanismFactory() };
>
> > 2. Configure the server's auth_mechanisms variable in your
> > rabbitmq.config.
> >     Here is my complete rabbitmq.config:
>
> > [
> >   {rabbit, [
> >      {auth_mechanisms,['EXTERNAL']},
> >      {ssl_listeners, [5671]},
> >      {ssl_options, [{cacertfile,"C:/Path/To/Your/cacert.pem"},
> >                     {certfile,"C:/Path/To/Your/cert.pem"},
> >                     {keyfile,"C:/Path/To/Your/key.pem"},
> >                     {verify,verify_peer},
> >                     {fail_if_no_peer_cert,true}]}
> >    ]}
> > ].
>
> > On Dec 27, 1:16 pm, John Ruiz <jr... at johnruiz.com> wrote:
>
> > > Hi All,
>
> > > I've successfully followed the SSL tutorial and gotten my .NET client
> > > to connect, send, and receive messages over SSL.  See my blog for the
> > > code: http://blog.johnruiz.com/2011/12/establishing-ssl-connection-to-rabbi....
>
> > > As the next step, I enabled the plugin "rabbitmq_auth_mechanism_ssl"
> > > and then re-installed the Windows Service.  Then I re-ran the code I
> > > have listed in my blog -- with the addition of a Console.ReadLine() at
> > > the end of my using statements so I can see the connection details in
> > > the management web app.
>
> > > I am still connecting as guest.  What do I need to do in order to
> > > connect as the CN of the Subject on my certificate?
>
> > > Thanks!
> > > ~ jR
> > > _______________________________________________
> > > rabbitmq-discuss mailing list
> > > rabbitmq-disc... at lists.rabbitmq.com
> > > https://lists.rabbitmq.com/cgi-bin/mailman/listinfo/rabbitmq-discuss
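The open question at the top of the thread is what rabbit_ssl.erl's find_by_type does with a subject that carries two CN attributes ("CN=John Ruiz, CN=Users, DC=devexample, DC=com"). The script below is an added example, not RabbitMQ's code and not posted by anyone in the thread: it models in Python the general approach the Erlang function's shape suggests (split the subject into RDNs, flatten them into one list of attribute type/value pairs, keep every attribute of the wanted type), so a subject string can be checked before a broker user is created to match it. The sample DNs are constructed for the example; the function names (parse_dn, flatten, find_by_type, username_from_subject) and the choice to report a subject with two CN values as ambiguous, rather than silently pick one, are the example's own and say nothing about which value RabbitMQ itself would use.

```python
"""Model of username extraction from a client certificate subject for
EXTERNAL (certificate-based) authentication: parse the DN into RDNs,
flatten multi-valued RDNs into one list of (type, value) pairs, then
collect every attribute of the wanted type.

All subjects below are constructed for this example."""

import re

# Constructed sample subjects (not taken from real certificates).
SUBJECT_AD_USER = "CN=John Ruiz, CN=Users, DC=devexample, DC=com"   # two CNs
SUBJECT_OPENSSL = "CN=jruiz, O=Example Corp, C=US"                  # one CN
SUBJECT_MULTIVALUED = "CN=jruiz+UID=1001, O=Example Corp"           # CN+UID in one RDN


def _split_unescaped(text, sep):
    """Split on `sep` unless it is preceded by a backslash (RFC 2253 escape).
    The backslash is kept so _unescape can strip it afterwards."""
    parts, current, escaped = [], [], False
    for ch in text:
        if escaped:
            current.append(ch)
            escaped = False
        elif ch == "\\":
            current.append(ch)
            escaped = True
        elif ch == sep:
            parts.append("".join(current))
            current = []
        else:
            current.append(ch)
    parts.append("".join(current))
    return parts


def _unescape(value):
    """Turn '\\,' into ',' (and any other '\\x' into 'x')."""
    return re.sub(r"\\(.)", r"\1", value)


def parse_dn(dn):
    """Return a list of RDNs; each RDN is a list of (TYPE, value) tuples.
    A multi-valued RDN ("CN=a+UID=b") becomes one RDN with two tuples."""
    rdns = []
    for rdn_text in _split_unescaped(dn, ","):
        rdn = []
        for atv in _split_unescaped(rdn_text, "+"):
            typ, sep, value = atv.strip().partition("=")
            if not sep or not typ.strip():
                raise ValueError("malformed RDN component: %r" % atv)
            rdn.append((typ.strip().upper(), _unescape(value.strip())))
        rdns.append(rdn)
    return rdns


def flatten(rdns):
    """Counterpart of lists:flatten over the RDN sequence: the grouping into
    RDNs is discarded, leaving a single flat list of attributes."""
    return [atv for rdn in rdns for atv in rdn]


def find_by_type(dn, wanted):
    """Every value of attribute type `wanted` in the flattened subject,
    in subject order.  Two CNs give a two-element list."""
    wanted = wanted.upper()
    return [value for typ, value in flatten(parse_dn(dn)) if typ == wanted]


def username_from_subject(dn, wanted="CN"):
    """Accept a username only when exactly one attribute of the wanted type
    exists.  Returns (status, payload) so a caller can log *why* a subject
    was rejected instead of just seeing the connection drop."""
    matches = find_by_type(dn, wanted)
    if len(matches) == 1:
        return ("ok", matches[0])
    if not matches:
        return ("not_found", [])
    return ("ambiguous", matches)


if __name__ == "__main__":
    for subject in (SUBJECT_AD_USER, SUBJECT_OPENSSL, SUBJECT_MULTIVALUED):
        print("%-50s -> %r" % (subject, username_from_subject(subject)))
```

To test a real certificate rather than the constructed strings, feed it the subject as printed by `openssl x509 -in app01.pem -noout -subject -nameopt RFC2253`; an "ambiguous" result means the subject holds more than one CN, and no single broker username can match it unambiguously.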

