[rabbitmq-discuss] web-stomp SSL config causing SASL crash?

kz kirk at stork.name
Wed Jun 18 01:51:40 BST 2014


So I've followed the instructions for setting up an SSL listener for web-stomp.

eg:

[
{rabbit, [{loopback_users, []}]},
{rabbitmq_web_stomp, [
  {ssl_config, [
    {port, 15671},
    {backlog, 1024},
    {cacertfile, "/etc/rabbitmq/certs/cacerts.pem"},
    {certfile, "/etc/rabbitmq/certs/server.pem"},
    {keyfile, "/etc/rabbitmq/certs/serverkey.pem"},
    {password, "changeme"}
    ]}]}
].


This results in the log stating there's an HTTPS listener on port 15671 --
check.

But local requests to that port result in an openssl error 111, and remote
requests result in an openssl error 61.

The certificate is a wildcard cert that is issued by a commercial vendor.
I've installed their intermediate certs in the cacerts.pem mentioned above.

My key file is signed with -des and functions when testing with openssl
s_server and s_client.

(However, that test does indicate error 19 (some certificate in the chain is
self-signed). This is false, but the warning is issued nonetheless.)

The only log that indicates an error has occurred is the sasl log.

eg:

=CRASH REPORT==== 18-Jun-2014::00:22:07 ===
  crasher:
    initial call: supervisor:cowboy_acceptors_sup/1
    pid: <0.352.0>
    registered_name: []
    exception exit: {{case_clause,{error,{not_started,asn1}}},
                     [{cowboy_ssl_transport,require,1,[]},
                      {cowboy_ssl_transport,listen,1,[]},
                      {cowboy_acceptors_sup,init,1,[]},
                      {supervisor,init,1,[{file,"supervisor.erl"},{line,239}]},
                      {gen_server,init_it,6,
                                  [{file,"gen_server.erl"},{line,304}]},
                      {proc_lib,init_p_do_apply,3,
                                [{file,"proc_lib.erl"},{line,239}]}]}
      in function  gen_server:init_it/6 (gen_server.erl, line 328)
    ancestors: [<0.349.0>,cowboy_sup,<0.57.0>]
    messages: []
    links: [<0.349.0>]
    dictionary: []
    trap_exit: true
    status: running
    heap_size: 610
    stack_size: 27
    reductions: 169
  neighbours:
root at ip-10-221-13-201:/var/log/rabbitmq#


Now, I'm not trying to challenge web requests with a certificate, and anyway
this error shows up before any requests are made.

The other aspects of RabbitMQ appear to be operating normally. AMQP
connections can be made, and the web interface can be reached over http on
the normal port. If I don't configure SSL for web-stomp, then non-ssl http
requests to the stomp endpoint work as expected.

So my questions:

1. Is there ANY OTHER place in the setup that I have to configure
certificates in addition to the web-stomp plugin config?

2. Is the self-signed warning an indication that I need to place the ENTIRE
certificate chain of trust into my cacerts file? (Currently I only put the
vendor's intermediate certs, per their instructions.)

3. Can firewall rules cause this kind of startup error? (I'm running on AWS
and I've only opened the ports I need for RabbitMQ and the web-related
plugins for RabbitMQ.)


This is Ubuntu Trusty 64-bit with Erlang R16B03 (erts-5.10.4) and the
rabbitmq-server_3.3.3-1_all.deb package.







