[rabbitmq-discuss] Problem opening an SSL connection

Chris Duncan celldee at gmail.com
Thu Sep 24 17:49:28 BST 2009

Hi Matthew,

I've now got this working :)

On 23 Sep 2009, at 16:50, Matthew Sackman wrote:

> Hi Chris,
> On Wed, Sep 23, 2009 at 04:32:13PM +0100, Chris Duncan wrote:
>> I wanted to get the simplest case running which is to connect without
>> using any certificates. I decided to try to follow the instructions
>> in the wiki - https://dev.rabbitmq.com/wiki/SslSupport - and so
>> created a rabbit.conf file with similar contents to the example (only
>> the paths differ).
> Please note that the instructions on that wiki page are not entirely
> correct and indeed we are going to remove it. The SSL instructions have
> been rewritten and will appear on the main website (not on dev.rabbitmq)
> when v1.7 gets released.
>> It contains -
>> RABBITMQ_SERVER_START_ARGS="-rabbit ssl_listeners [{\"\",
>> 5671}] -rabbit ssl_options
>> [{cacertfile,\"/path/to/testca/cacert.pem\"},{certfile,\"/path/to/
>> server/cert.pem\"},
>>   {keyfile,\"/path/to/server/key.pem\"},{verify,verify_peer},
>> {fail_if_no_peer_cert,false}]"
>> When I try to connect I get a 'Connection reset by peer' error and
>> these entries in rabbit.log -
>> =INFO REPORT==== 23-Sep-2009::09:22:24 ===
>> accepted TCP connection on from
>> =ERROR REPORT==== 23-Sep-2009::09:22:24 ===
>> failed to upgrade TCP connection from to SSL:
>> {eoptions,{cacertfile,[]}}
> I think that it's not happy with your cacert file. That line in your
> rabbit.conf file must be one single line. Also make sure there are no
> spaces anywhere between the square brackets.

Thanks for the pointer. I regenerated a self-signed server
certificate and key (I think I messed up the CN bit before) then I
put the following in my rabbit.conf file -

RABBITMQ_SERVER_START_ARGS="-rabbit ssl_listeners [{\"\", 
5671}] -rabbit ssl_options [{cacertfile,\"/path/to/testca/server.crt 

I connected using openssl s_client and my Ruby code :)

> If you can't make any progress, can you send in your cacert.pem,
> cert.pem and key.pem files (obviously, fakes, not the real thing!), and
> we'll see if we can make it work.
> Matthew
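
An added example, not part of the original thread and not RabbitMQ code: a small Python check for the RABBITMQ_SERVER_START_ARGS line covering the points raised above (one single line, no whitespace inside the square brackets, each certificate path readable and holding a PEM block). The function name lint_start_args and the sample setting are constructed for illustration.

```python
import os
import re

PATH_KEYS = ("cacertfile", "certfile", "keyfile")  # path-valued keys used in the post

def lint_start_args(conf_text):
    """Return a list of problems in a RABBITMQ_SERVER_START_ARGS setting."""
    m = re.search(r'RABBITMQ_SERVER_START_ARGS="(.*?)(?<!\\)"', conf_text, re.S)
    if not m:
        return ["RABBITMQ_SERVER_START_ARGS not found or closing quote missing"]
    value, problems = m.group(1), []
    if "\n" in value:
        problems.append("setting spans more than one line")
    # Each [...] Erlang term should contain no whitespace at all.
    for term in re.findall(r"\[[^\]]*\]", value):
        if re.search(r"\s", term):
            problems.append("whitespace inside brackets: " + " ".join(term.split())[:40])
    for key in PATH_KEYS:
        found = re.search(r'\{%s,\s*\\"(.*?)\\"\s*\}' % key, value, re.S)
        if not found:
            problems.append(key + ": not set")
            continue
        path = found.group(1)
        if re.search(r"\s", path):
            problems.append(key + ": path contains whitespace or a line break")
            continue
        try:
            with open(path, "r", errors="replace") as fh:
                if "-----BEGIN " not in fh.read():
                    problems.append(key + ": no PEM block in " + path)
        except OSError as exc:
            problems.append("%s: cannot read %s (%s)" % (key, path, exc.strerror))
    return problems

if __name__ == "__main__":
    # Constructed sample: a wrapped setting with placeholder paths.
    sample = ('RABBITMQ_SERVER_START_ARGS="-rabbit ssl_listeners [{\\"\\",\n'
              '5671}] -rabbit ssl_options [{cacertfile,\\"/path/to/testca/cacert.pem\\"},\n'
              '  {certfile,\\"/path/to/server/cert.pem\\"},{keyfile,\\"/path/to/server/key.pem\\"}]"\n')
    for problem in lint_start_args(sample):
        print(problem)
```

An empty result means the setting passed these checks only; it does not validate the certificate chain itself.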
