[rabbitmq-discuss] facing issues with the SSL implementations with RabbitMQ + Windows + .Net

Abhijit abhijit.sinha at kiprosh.com
Wed Aug 10 08:10:19 BST 2011


Hi sir,

I gave it a try, checked the log files and found these errors:

> =ERROR REPORT==== 10-Aug-2011::12:24:36 ===
> SSL: certify_certificate: ./ssl_handshake.erl:566:Fatal error: unknown ca
>
> =ERROR REPORT==== 10-Aug-2011::12:24:36 ===
> error on TCP connection <0.236.0>:{ssl_upgrade_error,"unknown ca"}
>
> =INFO REPORT==== 10-Aug-2011::12:24:36 ===
> closing TCP connection <0.236.0>

I checked for the trusted root certificates and found the certificates I 
made in this section.

I am still getting these errors, sir:

> base {System.Runtime.InteropServices.ExternalException} = {"The
> certificate chain was issued by an authority that is not trusted"}

Any suggestions?

Thanks and Regards,
Abhijit

On 8/9/2011 8:32 PM, Alexandru Scvorţov wrote:
> Is there anything in the server logs other than an abrupt connection
> termination?  If not, then it's strictly a client error.  I'd check that
> the CA certificate is indeed in the Trusted Root Certificate Authorities store
> and then I'd play around with setting the SslPolicyErrors.
>
> Other than that, I don't have any suggestions.  I've just set up
> something similar (RabbitMQ with SSL on Win2008 with .NET 3.5, OpenSSL
> 1.0 and RabbitMQ .NET on the same machine) and it works fine, so there's
> no intrinsic reason why it wouldn't work.
>
> Cheers,
> Alex
>
> On Tue, Aug 09, 2011 at 08:10:37PM +0530, Abhijit wrote:
>    
>> Hi sir,
>>
>> I have added all those certificates as trusted, but I am still getting this:
>>
>>      
>>> base {System.Runtime.InteropServices.ExternalException} = {"The
>>> certificate chain was issued by an authority that is not trusted"}
>>>        
>> Thanks a lot for the replies. Let me know if you have any suggestions.
>>
>> Thanks and Regards,
>> Abhijit
>>
>>
>> On 8/9/2011 7:58 PM, Alexandru Scvorţov wrote:
>>      
>>>> http://www.rabbitmq.com/ssl.html#trust-dotNET,
>>>> I have executed them, but all they do is open the certmanager window.
>>>>
>>>>          
>>> There are two versions of the certmgr program.  One of them is shipped
>>> with Windows and is the graphical version you use.  The other is shipped
>>> with the Windows SDK and is a command line version.
>>>
>>> You can use the graphical version: start it up, click Import, select
>>> testca/cacert.cer, click Next, *IMPORTANT* select the Trusted Root
>>> Certification Authorities store, click Next... until it's imported.
>>>
>>>
>>>        
>>>>> [{amqp-0-9://localhost:5671}] =
>>>>> {System.Security.Authentication.AuthenticationException: A call to
>>>>> SSPI failed, see inner exception. --->
>>>>> System.ComponentModel.Win32Exception: The message received was
>>>>> unexpected or badly formatted
>>>>>
>>>>>            
>>> The error you're getting doesn't sound like it's because of this, but
>>> you'll need to import the certificate anyway.  Maybe it will help.
>>>
>>> Cheers,
>>> Alex
>>>
>>> On Tue, Aug 09, 2011 at 07:43:26PM +0530, Abhijit wrote:
>>>
>>>        
>>>> hello sir,
>>>>
>>>>
>>>>          
>>>>> [{amqp-0-9://localhost:5671}] =
>>>>> {System.Security.Authentication.AuthenticationException: A call to
>>>>> SSPI failed, see inner exception. --->
>>>>> System.ComponentModel.Win32Exception: The message received was
>>>>> unexpected or badly formatted
>>>>>
>>>>>            
>>>> I got this error after changing it to pem, sir. I also created the
>>>> certificates properly as per the rabbitmq ssl steps, but I haven't been
>>>> able to understand the steps mentioned at
>>>> http://www.rabbitmq.com/ssl.html#trust-dotNET,
>>>> I have executed them, but all they do is open the certmanager window.
>>>>
>>>> Any suggestions.
>>>>
>>>> Thanks and Regards,
>>>> Abhijit
>>>>
>>>>
>>>> On 8/9/2011 7:36 PM, Alexandru Scvorţov wrote:
>>>>
>>>>          
>>>>> I managed to reproduce your error.
>>>>>
>>>>> Solution: do not use the .cer file in the broker config; use the .pem
>>>>> file.  For some reason, rather than complaining that it can't read the
>>>>> CA certificate, Erlang just silently ignores that and throws an "unknown
>>>>> CA" error.  Hurray!
>>>>>
>>>>> So, change
>>>>>      {cacertfile,"C:\\testca\\cacert.cer"}
>>>>> with
>>>>>      {cacertfile,"C:\\testca\\cacert.pem"}
>>>>>
>>>>> Please let me know if this helps.
>>>>>
>>>>> Cheers,
>>>>> Alex
>>>>>
>>>>> On Tue, Aug 09, 2011 at 06:22:23PM +0530, Abhijit wrote:
>>>>>
>>>>>
>>>>>            
>>>>>> Yes sir, that was set to true. I will go back and look at my certification
>>>>>> creation steps and find out whether I did everything properly.
>>>>>>
>>>>>> I will let you know once that is done.
>>>>>>
>>>>>> Thanks and Regards,
>>>>>> Abhijit
>>>>>>
>>>>>> On 8/9/2011 6:18 PM, Alexandru Scvorţov wrote:
>>>>>>
>>>>>>
>>>>>>              
>>>>>>>> I am basically getting this error. I tried debugging and solved most of
>>>>>>>> the problems, but I am still getting this:
>>>>>>>>
>>>>>>> Oh, great. My guess about the really long error was that you needed some
>>>>>>> clients to connect without providing certificates, but
>>>>>>> fail_if_no_peer_cert was set to true in the config file.  Was that
>>>>>>> right?
>>>>>>>
>>>>>>>>> [{amqp-0-9://localhost:5671}] =
>>>>>>>>> {System.Security.Authentication.AuthenticationException: A call to
>>>>>>>>> SSPI failed, see inner exception. --->
>>>>>>>>> System.ComponentModel.Win32Exception: The certificate chain was issued
>>>>>>>>> by an authority that is not trusted
>>>>>>>>>
>>>>>>> I haven't seen that before.  Did you follow the steps in our SSL guide
>>>>>>> to generate the certificate (in particular, were the client certificates
>>>>>>> signed by the CA set in the broker)?
>>>>>>>
>>>>>>> Alex
>>>>>>>
>>>>>>> On Tue, Aug 09, 2011 at 06:08:19PM +0530, Abhijit wrote:
>>>>>>>
>>>>>>>> Hi sir,
>>>>>>>>
>>>>>>>> I am basically getting this error. I tried debugging and solved most of
>>>>>>>> the problems, but I am still getting this:
>>>>>>>>
>>>>>>>>> [{amqp-0-9://localhost:5671}] =
>>>>>>>>> {System.Security.Authentication.AuthenticationException: A call to
>>>>>>>>> SSPI failed, see inner exception. --->
>>>>>>>>> System.ComponentModel.Win32Exception: The certificate chain was issued
>>>>>>>>> by an authority that is not trusted
>>>>>>>>>        --- End of inner exception stack trace -...
>>>>>>>>>
>>>>>>>> Thanks and Regards,
>>>>>>>> Abhijit
>>>>>>>>
>>>>>>>> On 8/9/2011 5:39 PM, Alexandru Scvorţov wrote:
>>>>>>>>
>>>>>>>>>> I will go ahead for now; if I have any queries I will seek your help again.
>>>>>>>>>>
>>>>>>>>> Excellent.  Don't hesitate to ask us any more questions.
>>>>>>>>>
>>>>>>>>> Also, in the future, could you please make sure to CC the mailing list
>>>>>>>>> when replying?
>>>>>>>>>
>>>>>>>>> Cheers,
>>>>>>>>> Alex
>>>>>>>>>
>>>>>>>>> On Tue, Aug 09, 2011 at 05:31:22PM +0530, Abhijit wrote:
>>>>>>>>>
>>>>>>>>>> Hi sir,
>>>>>>>>>>
>>>>>>>>>> I finally got this:
>>>>>>>>>>
>>>>>>>>>>> =INFO REPORT==== 9-Aug-2011::17:28:33 ===
>>>>>>>>>>> started TCP Listener on 0.0.0.0:5672
>>>>>>>>>>>
>>>>>>>>>>> =INFO REPORT==== 9-Aug-2011::17:28:33 ===
>>>>>>>>>>> started SSL Listener on 0.0.0.0:5671
>>>>>>>>>>>
>>>>>>>>>> This step of yours:
>>>>>>>>>>
>>>>>>>>>> Could you copy the config file to "...\AppData\Roaming\RabbitMQ.config"
>>>>>>>>>> and try again
>>>>>>>>>>
>>>>>>>>>> helped...
>>>>>>>>>>
>>>>>>>>>> I will go ahead for now; if I have any queries I will seek your help again.
>>>>>>>>>>
>>>>>>>>>> Thanks and Regards,
>>>>>>>>>> Abhijit
>>>>>>>>>>
>>>>>>>>>> On 8/9/2011 5:20 PM, Alexandru Scvorţov wrote:
>>>>>>>>>>
>>>>>>>>>>> That's a bit odd.  I'm not sure how that can happen.  It looks like you
>>>>>>>>>>> somehow set the RABBITMQ_CONFIG_FILE variable at some point.
>>>>>>>>>>>
>>>>>>>>>>> The file is normally in:
>>>>>>>>>>> ...\AppData\Roaming\RabbitMQ\rabbitmq.config
>>>>>>>>>>> but your system is looking for it in:
>>>>>>>>>>> ...\AppData\Roaming\RabbitMQ.config
>>>>>>>>>>>
>>>>>>>>>>> Could you copy the config file to "...\AppData\Roaming\RabbitMQ.config"
>>>>>>>>>>> and try again?  Alternatively, unset the RABBITMQ_CONFIG_FILE variable
>>>>>>>>>>> and try again without copying the file.
>>>>>>>>>>>
>>>>>>>>>>> Cheers,
>>>>>>>>>>> Alex
>>>>>>>>>>>
>>>>>>>>>>> On Tue, Aug 09, 2011 at 05:02:04PM +0530, Abhijit wrote:
>>>>>>>>>>>
>>>>>>>>>>>> I deleted the dot as you asked and also wrote the line to find which
>>>>>>>>>>>> config we are using, and found we are using the same config file and
>>>>>>>>>>>> also the broker is running successfully without the dot. I am attaching the
>>>>>>>>>>>> print-screen of the command line output I received when I tried running
>>>>>>>>>>>> the rabbit-mq server.
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> thanks and regards,
>>>>>>>>>>>> Abhijit
>>>>>>>>>>>>
>>>>>>>>>>>> On 8/9/2011 4:50 PM, Alexandru Scvorţov wrote:
>>>>>>>>>>>>
>>>>>>>>>>>>> Ok.  Could you delete the dot at the end (or introduce some other
>>>>>>>>>>>>> syntactic error) and try again?
>>>>>>>>>>>>>
>>>>>>>>>>>>> If it still runs, it's using a different configuration file.
>>>>>>>>>>>>>
>>>>>>>>>>>>> Could you also add the following line to the rabbitmq-server.bat file?
>>>>>>>>>>>>>          echo CONFIG_FILE: !RABBITMQ_CONFIG_FILE!.config
>>>>>>>>>>>>> It should go in towards the end, right before the "!ERLANG_HOME!\bin\erl.exe"
>>>>>>>>>>>>> line.
>>>>>>>>>>>>>
>>>>>>>>>>>>> That way, when you start the server manually with the .bat, we will know
>>>>>>>>>>>>> which config file it's using.
>>>>>>>>>>>>>
>>>>>>>>>>>>> Alex
>>>>>>>>>>>>>
>>>>>>>>>>>>> On Tue, Aug 09, 2011 at 04:42:32PM +0530, Abhijit wrote:
>>>>>>>>>>>>>
>>>>>>>>>>>>>> Hi sir,
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> It didn't work as we wanted... These are the last two phrases in the log
>>>>>>>>>>>>>> file of the broker.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> =INFO REPORT==== 9-Aug-2011::16:39:52 ===
>>>>>>>>>>>>>>> started TCP Listener on [::]:5692
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> =INFO REPORT==== 9-Aug-2011::16:39:53 ===
>>>>>>>>>>>>>>> started TCP Listener on 0.0.0.0:5692
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>> I copied the rabbitmq.config which you sent me, but it didn't work out.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Thanks and Regards,
>>>>>>>>>>>>>> Abhijit
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> On 8/9/2011 4:19 PM, Alexandru Scvorţov wrote:
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> I am using the same path, C:\Users\Administrator\AppData\Roaming\RabbitMQ\rabbitmq.config for including ssl in my app.
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Ok.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> But the file wasn't present earlier; I had created that file in order to have SSL in my app at the same location.
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> That's fine.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> I tried running the bat file for the rabbitmq-server; that didn't help, sir. Do you need any part of the code for inspection?
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> The code isn't the problem right now.  It's getting rabbit to enable
>>>>>>>>>>>>>>> ssl.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> I'm attaching a rabbitmq.config.  Please try using that one.  Restart
>>>>>>>>>>>>>>> the broker and the last lines in the broker log should be:
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> =INFO REPORT==== 9-Aug-2011::11:44:37 ===
>>>>>>>>>>>>>>> started TCP Listener on [::]:5672
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> =INFO REPORT==== 9-Aug-2011::11:44:37 ===
>>>>>>>>>>>>>>> started SSL Listener on 0.0.0.0:5671
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Let me know how it goes, please.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Cheers,
>>>>>>>>>>>>>>> Alex
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> On Tue, Aug 09, 2011 at 04:09:42PM +0530, Abhijit wrote:
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> Hi Sir,
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> I am using the same path, C:\Users\Administrator\AppData\Roaming\RabbitMQ\rabbitmq.config for including ssl in my app.
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> But the file wasn't present earlier; I had created that file in order to have SSL in my app at the same location.
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> I tried running the bat file for the rabbitmq-server; that didn't help, sir. Do you need any part of the code for inspection?
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> Thanks a lot for your time and replies.
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> Regards,
>>>>>>>>>>>>>>>> Abhijit
>>      
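
A pre-flight check for the failure diagnosed in this thread, where a DER-encoded .cer file in cacertfile produced "unknown ca" instead of a file-read error. This Python script is an added example, not code from the thread or from RabbitMQ; the sample config, the C:\server\... paths and the 5-byte stand-in for a certificate are constructed.

```python
import base64
import re
from pathlib import Path

# Erlang-term entries such as {cacertfile,"C:\\testca\\cacert.pem"}
CERT_ENTRY = re.compile(r'\{\s*(cacertfile|certfile|keyfile)\s*,\s*"((?:[^"\\]|\\.)*)"\s*\}')
PEM_BLOCK = re.compile(rb"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.S)

# Constructed sample input: a 5-byte DER SEQUENCE stands in for a real certificate.
SAMPLE_DER = bytes.fromhex("3003020105")
SAMPLE_PEM = (b"-----BEGIN CERTIFICATE-----\n" + base64.b64encode(SAMPLE_DER)
              + b"\n-----END CERTIFICATE-----\n")
SAMPLE_CONFIG = r'''[{rabbit, [{ssl_listeners, [5671]},
  {ssl_options, [{cacertfile,"C:\\testca\\cacert.cer"},
                 {certfile,"C:\\server\\cert.pem"},
                 {keyfile,"C:\\server\\key.pem"},
                 {fail_if_no_peer_cert,true}]}]}].'''
SAMPLE_FILES = {r"C:\testca\cacert.cer": SAMPLE_DER,
                r"C:\server\cert.pem": SAMPLE_PEM,
                r"C:\server\key.pem": SAMPLE_PEM}

def is_der_sequence(data):
    """True if data is exactly one DER SEQUENCE: tag 0x30, length, body."""
    if len(data) < 2 or data[0] != 0x30:
        return False
    if data[1] < 0x80:                      # short-form length
        return len(data) == 2 + data[1]
    n = data[1] & 0x7F                      # long form: n length octets follow
    return n > 0 and len(data) == 2 + n + int.from_bytes(data[2:2 + n], "big")

def encoding_of(data):
    """Classify file contents as 'pem', 'der' or 'unknown'."""
    m = PEM_BLOCK.search(data)
    if m:
        try:
            body = base64.b64decode(b"".join(m.group(2).split()), validate=True)
        except ValueError:
            return "unknown"
        return "pem" if is_der_sequence(body) else "unknown"
    return "der" if is_der_sequence(data) else "unknown"

def check_config(config_text, read=lambda p: Path(p).read_bytes()):
    """Return (option, path, encoding) for each configured file that is not PEM."""
    found = [(o, p.replace("\\\\", "\\")) for o, p in CERT_ENTRY.findall(config_text)]
    return [(o, p, e) for o, p in found if (e := encoding_of(read(p))) != "pem"]

if __name__ == "__main__":
    for option, path, enc in check_config(SAMPLE_CONFIG, SAMPLE_FILES.__getitem__):
        print(f"{option}: {path} is {enc}, the broker expects PEM")
```

Calling check_config(text) with only the contents of a real rabbitmq.config reads the referenced files from disk.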


