[rabbitmq-discuss] SSL Certificate Verification failures

Daniel Mitchell daniel.mitchell at gmail.com
Mon Oct 28 12:59:14 GMT 2013


Hello,

I've been trying to get mosquitto_sub to connect to RabbitMQ. When I
perform a test using test.mosquitto.org and their certificate, it works fine,
and when I connect to my RabbitMQ using OpenSSL s_client and I supply the
CAfile, it performs the handshake correctly. However, this fails when sending
the CAfile via mosquitto_sub:

vagrant@precise32:/opt/data$ ./mosquitto-1.2.2/client/mosquitto_sub -h **.***.***.** -p 8883 -t "#" -d --cafile DigiCertEA.pem --tls-version tlsv1
Client mosqsub/3530-precise32 sending CONNECT
OpenSSL Error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Error: Protocol error

RabbitMQ = 3.2.0
OpenSSL = 1.0.1
Erlang = R16B

This is the detail from my log in RabbitMQ. The CAfiles have slightly
different names, but using openssl x509 -in -text -noout gives the same
serial number.

=ERROR REPORT==== 28-Oct-2013::12:52:02 ===
SSL: certify: tls_connection.erl:2286:Fatal error: certificate unknown

=ERROR REPORT==== 28-Oct-2013::12:52:07 ===
** Generic server <0.594.0> terminating 
** Last message in was {inet_async,#Port<0.14157>,35762,{ok,#Port<0.15830>}}
** When Server state == {state,
                            {rabbit_mqtt_sup,start_ssl_client,
                                [[{cacertfile,"/etc/ssl/certs/DigiCertCA.pem"},
                                  {certfile,
                                      "/etc/ssl/certs/star_*****_****_net_chain.pem"},
                                  {keyfile,
                                      "/etc/ssl/private/*****.****.net.key"},
                                  {verify,verify_none},
                                  {fail_if_no_peer_cert,false}]]},
                            #Port<0.14157>,35762}
** Reason for termination == 
** {timeout,{gen_server2,call,
                         [<0.596.0>,
                          {go,#Port<0.15830>,
                              #Fun<rabbit_networking.2.65720357>}]}}

=ERROR REPORT==== 28-Oct-2013::12:52:07 ===
** Generic server <0.596.0> terminating
** Last message in was {go,#Port<0.15830>,#Fun<rabbit_networking.2.65720357>}
** When Server state == undefined
** Reason for termination == 
** {{badmatch,{error,{ssl_upgrade_error,{tls_alert,"certificate unknown"}}}},
    [{rabbit_mqtt_reader,handle_call,3,[]},
     {gen_server2,handle_msg,2,[]},
     {proc_lib,init_p_do_apply,3,[{file,"proc_lib.erl"},{line,239}]}]}

Is this a problem with RabbitMQ or perhaps the mosquitto_sub client? If it 
belongs to the latter I guess I should redirect my question :)

Cheers,
Dan