[rabbitmq-discuss] error loading some CA certificates
Warren Smith
wsmith at tacc.utexas.edu
Wed Aug 1 14:39:47 BST 2012
I'm getting errors when I try to use some CA certificates with RabbitMQ 2.8.4 and Erlang R15B01. The message in the var/log/rabbit/rabbit@HOST.log file is:
SSL WARNING: Ignoring a CA cert as it could not be correctly decoded.
And then I get quite long error messages after this warning in the log file when the client is connecting using a certificate from one of the ignored CAs. The relevant part of the error message seems to be:
** Reason for termination =
** {{badmatch,
{error,
{asn1,
{{case_clause,22},
[{'OTP-PUB-KEY',check_and_convert_restricted_string,5,
[{file,"OTP-PUB-KEY.erl"},{line,14128}]},
{'OTP-PUB-KEY',decode,2,
[{file,"OTP-PUB-KEY.erl"},{line,499}]},
{pubkey_cert_records,transform,2,
[{file,"pubkey_cert_records.erl"},{line,60}]},
{lists,map,2,[{file,"lists.erl"},{line,1173}]},
{pubkey_cert_records,transform,2,
[{file,"pubkey_cert_records.erl"},{line,72}]},
{pubkey_cert_records,decode_tbs,1,
[{file,"pubkey_cert_records.erl"},{line,189}]},
{pubkey_cert_records,decode_cert,1,
[{file,"pubkey_cert_records.erl"},{line,40}]},
{public_key,pkix_decode_cert,2,
[{file,"public_key.erl"},{line,211}]}]}}}},
[{public_key,pkix_decode_cert,2,[{file,"public_key.erl"},{line,215}]},
{ssl_certificate,trusted_cert_and_path,3,
[{file,"ssl_certificate.erl"},{line,58}]},
{ssl_handshake,certify,7,[{file,"ssl_handshake.erl"},{line,216}]},
{ssl_connection,certify,2,[{file,"ssl_connection.erl"},{line,514}]},
{ssl_connection,next_state,4,[{file,"ssl_connection.erl"},{line,1929}]},
{gen_fsm,handle_msg,7,[{file,"gen_fsm.erl"},{line,494}]},
{proc_lib,init_p_do_apply,3,[{file,"proc_lib.erl"},{line,227}]}]}
These are CA certificates that work fine with OpenSSL and I believe they work fine in Java, too. Example certificates that get ignored are the Root and Classic ones from http://www.tacc.utexas.edu/CA/.
The above error seems to indicate that the cause is in the code/ASN.1 specs that Erlang is using to decode certificates. Before I dig more into the Erlang code and take this to the Erlang list, I thought I'd record this problem on the RabbitMQ list and see if anyone here has any thoughts or a fix.
Thanks,
Warren
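
Added example, not part of the original message and not RabbitMQ or Erlang/OTP code: a small DER walker that reports which ASN.1 string type each name attribute in a certificate uses, to help narrow down which field a strict decoder might reject. It assumes the 22 in {case_clause,22} is an ASN.1 universal tag number (22 is IA5String); the function names are hypothetical and the sample bytes are constructed.

```python
# Added example (not from the original post): report the ASN.1 string type of
# each name attribute (AttributeTypeAndValue) found in a DER structure.
# Assumption: the 22 in {case_clause,22} is an ASN.1 universal tag number.
STRING_TAGS = {12: "UTF8String", 19: "PrintableString", 20: "TeletexString",
               22: "IA5String", 28: "UniversalString", 30: "BMPString"}
DIRECTORY_STRING = {12, 19, 20, 28, 30}  # CHOICE alternatives of X.520 DirectoryString

def read_tlv(buf, pos, end):
    """Return (tag_byte, value_start, value_end) for the DER element at pos."""
    if pos + 2 > end:
        raise ValueError("truncated DER header")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        if n == 0 or pos + n > end:
            raise ValueError("bad DER length")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > end:
        raise ValueError("truncated DER element")
    return tag, pos, pos + length

def children(buf, start, end):
    while start < end:
        tag, vs, ve = read_tlv(buf, start, end)
        yield tag, vs, ve
        start = ve

def decode_oid(body):
    vals, v = [], 0
    for b in body:  # base-128 sub-identifiers, high bit = "more bytes follow"
        v = (v << 7) | (b & 0x7F)
        if not b & 0x80:
            vals.append(v)
            v = 0
    first = min(vals[0] // 40, 2)
    return ".".join(map(str, [first, vals[0] - 40 * first] + vals[1:]))

def name_attribute_types(der, start=0, end=None, in_set=False):
    """Yield (oid, tag, type_name, is_directory_string) per name attribute."""
    end = len(der) if end is None else end
    for tag, vs, ve in children(der, start, end):
        kids = list(children(der, vs, ve)) if in_set and tag == 0x30 else []
        if len(kids) == 2 and kids[0][0] == 0x06 and kids[1][0] in STRING_TAGS:
            t = kids[1][0]
            yield decode_oid(der[kids[0][1]:kids[0][2]]), t, STRING_TAGS[t], t in DIRECTORY_STRING
        elif tag & 0x20:  # constructed (SEQUENCE, SET, [n]): descend
            yield from name_attribute_types(der, vs, ve, tag == 0x31)

# Constructed sample: the DER Name "C=US, DC=example" (not taken from the TACC certificates).
SAMPLE_NAME = bytes.fromhex("3026" "310b3009060355040613025553"
                            "31173015060a0992268993f22c64011916076578616d706c65")
```

RFC 5280 defines emailAddress and domainComponent as IA5String, so a False in the last field only shows where tag 22 occurs; it does not by itself mean the certificate is malformed. To run it on a PEM file, convert the text to DER first with ssl.PEM_cert_to_DER_cert from the Python standard library.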