[rabbitmq-discuss] facing issues with the SSL implementations with RabbitMQ + Windows + .Net

Alexandru Scvorţov alexandru at rabbitmq.com
Wed Aug 10 10:16:49 BST 2011


I notice you already sent the config file.  Still, please ensure that
it's really the one in use.

You can check the certificates on both sides of the connection as
well:

To check the server:
  openssl s_client -connect localhost:5671 -CAfile testca/cacert.pem -cert client/cert.pem -key client/key.pem -showcerts
This will either result in a short error or will succeed and print the
certificate chain and details about the ssl session.

Doing this right now will probably just give you the server's
certificate chain and then:
...tlsv1 alert unknown ca:...:SSL alert number 48
I got this by using testca.cer rather than testca.pem, but it could
probably happen for a variety of reasons.


To check the client, first stop the server, then run:
  openssl s_server -accept 5671 -CAfile testca/cacert.pem -cert server/cert.pem -key server/key.pem -state
Then, run the client program.  S_server should accept the connection and
it should eventually fail with an "AMQP    ERROR".

I suspect this will work for you.


The default install of OpenSSL is in C:\, I see.  The executable is in
C:\OpenSSL-Win32\bin on my system.

Cheers,
Alex
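
An added pre-flight check (example code, not from this thread or from RabbitMQ) for the two failure modes above: it tells a DER-encoded .cer apart from the PEM file that cacertfile needs, converts it with the standard library, and performs the same handshake that openssl s_client does against localhost:5671. The file layout (testca/cacert.cer, client/cert.pem, client/key.pem) is assumed to follow the RabbitMQ SSL guide.

```python
# Added example, not code from the thread or from RabbitMQ: pre-flight checks for
# the SSL setup discussed above.  Erlang's cacertfile must be PEM; a DER-encoded
# .cer is silently ignored and only shows up later as "unknown ca".
import socket
import ssl
import sys

PEM_HEADER = b"-----BEGIN CERTIFICATE-----"

def detect_format(data: bytes) -> str:
    """Classify raw certificate bytes as 'PEM', 'DER' or 'unknown'."""
    if PEM_HEADER in data:
        return "PEM"
    if data[:1] == b"\x30":   # every DER certificate starts with an ASN.1 SEQUENCE tag
        return "DER"
    return "unknown"

def ensure_pem(data: bytes) -> str:
    """Return PEM text, converting DER with the stdlib helper; reject anything else."""
    fmt = detect_format(data)
    if fmt == "PEM":
        return data.decode("ascii")
    if fmt == "DER":
        return ssl.DER_cert_to_PEM_cert(data)
    raise ValueError("not a certificate in PEM or DER form")

def check_server_tls(host, port, cafile, certfile=None, keyfile=None, timeout=5):
    """Python counterpart of the openssl s_client check: ("ok", peer subject) or
    ("error", message).  A CA mismatch surfaces as CERTIFICATE_VERIFY_FAILED,
    the client-side twin of the broker's 'unknown ca'; cafile must be PEM."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=cafile)
    if certfile:              # present a client certificate, as -cert/-key do
        ctx.load_cert_chain(certfile, keyfile)
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return ("ok", dict(rdn[0] for rdn in tls.getpeercert()["subject"]))
    except (ssl.SSLError, OSError) as exc:
        return ("error", str(exc))

if __name__ == "__main__":
    # Assumed layout from the RabbitMQ SSL guide: testca/cacert.*, client/*.pem
    src = sys.argv[1] if len(sys.argv) > 1 else "testca/cacert.cer"
    with open(src, "rb") as f:
        raw = f.read()
    print("cacert format:", detect_format(raw))
    with open("cacert.checked.pem", "w") as f:  # PEM copy the broker can load
        f.write(ensure_pem(raw))
    print(check_server_tls("localhost", 5671, "cacert.checked.pem",
                           "client/cert.pem", "client/key.pem"))
```

If the handshake reports CERTIFICATE_VERIFY_FAILED with a freshly converted PEM, the server certificate was not signed by that CA, which is the same condition the broker logs as "unknown ca" for the client side.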

On Wed, Aug 10, 2011 at 12:40:19PM +0530, Abhijit wrote:
> Hi sir,
> 
> I gave it a try, checked the log files and found these errors:
> 
> > =ERROR REPORT==== 10-Aug-2011::12:24:36 ===
> > SSL: certify_certificate: ./ssl_handshake.erl:566:Fatal error: unknown ca
> >
> > =ERROR REPORT==== 10-Aug-2011::12:24:36 ===
> > error on TCP connection <0.236.0>:{ssl_upgrade_error,"unknown ca"}
> >
> > =INFO REPORT==== 10-Aug-2011::12:24:36 ===
> > closing TCP connection <0.236.0>
> 
> I checked the trusted root certificates and found the certificates I
> made in this section.
> 
> I am still getting these errors, sir:
> 
> > base {System.Runtime.InteropServices.ExternalException} = {"The
> > certificate chain was issued by an authority that is not trusted"}
> 
> Any suggestions?
> 
> Thanks and Regards,
> Abhijit
> 
> On 8/9/2011 8:32 PM, Alexandru Scvorţov wrote:
> > Is there anything in the server logs other than an abrupt connection
> > termination?  If not, then it's strictly a client error.  I'd check that
> > the CA certificate is indeed in the Trusted Root Certificate Authorities store
> > and then I'd play around with setting the SslPolicyErrors.
> >
> > Other than that, I don't have any suggestions.  I've just set up
> > something similar (RabbitMQ with SSL on Win2008 with .NET 3.5, OpenSSL
> > 1.0 and RabbitMQ .NET on the same machine) and it works fine, so there's
> > no intrinsic reason why it wouldn't work.
> >
> > Cheers,
> > Alex
> >
> > On Tue, Aug 09, 2011 at 08:10:37PM +0530, Abhijit wrote:
> >> Hi sir,
> >>
> >> I have added all those certificates as trusted, but am still getting this:
> >>
> >>> base {System.Runtime.InteropServices.ExternalException} = {"The
> >>> certificate chain was issued by an authority that is not trusted"}
> >> Thanks a lot for the replies; let me know if you have any suggestions.
> >>
> >> Thanks and Regards,
> >> Abhijit
> >>
> >>
> >> On 8/9/2011 7:58 PM, Alexandru Scvorţov wrote:
> >>>> http://www.rabbitmq.com/ssl.html#trust-dotNET,
> >>>> I have executed them but all they do is open the certmanager window.
> >>>>
> >>> There are two versions of the certmgr program.  One of them is shipped
> >>> with Windows and is the graphical version you use.  The other is shipped
> >>> with the Windows SDK and is a command line version.
> >>>
> >>> You can use the graphical version: start it up, click Import, select
> >>> testca/cacert.cer, click Next, *IMPORTANT* select the Trusted Root
> >>> Certification Authorities store, click Next... until it's imported.
> >>>
> >>>>> [{amqp-0-9://localhost:5671}] =
> >>>>> {System.Security.Authentication.AuthenticationException: A call to
> >>>>> SSPI failed, see inner exception. --->
> >>>>> System.ComponentModel.Win32Exception: The message received was
> >>>>> unexpected or badly formatted
> >>>>>
> >>> The error you're getting doesn't sound like it's because of this, but
> >>> you'll need to import the certificate anyway.  Maybe it will help.
> >>>
> >>> Cheers,
> >>> Alex
> >>>
> >>> On Tue, Aug 09, 2011 at 07:43:26PM +0530, Abhijit wrote:
> >>>
> >>>> Hello sir,
> >>>>
> >>>>> [{amqp-0-9://localhost:5671}] =
> >>>>> {System.Security.Authentication.AuthenticationException: A call to
> >>>>> SSPI failed, see inner exception. --->
> >>>>> System.ComponentModel.Win32Exception: The message received was
> >>>>> unexpected or badly formatted
> >>>>>
> >>>> I got this error after changing it to pem, sir. I also created the
> >>>> certificates properly as per the RabbitMQ SSL steps, but I haven't been
> >>>> able to understand these steps mentioned:
> >>>> http://www.rabbitmq.com/ssl.html#trust-dotNET,
> >>>> i have executed them but all they do is opens the certmanager window.
> >>>>
> >>>> Any suggestions?
> >>>>
> >>>> Thanks and Regards,
> >>>> Abhijit
> >>>>
> >>>> On 8/9/2011 7:36 PM, Alexandru Scvorţov wrote:
> >>>>
> >>>>> I managed to reproduce your error.
> >>>>>
> >>>>> Solution: do not use the .cer file in the broker config; use the .pem
> >>>>> file.  For some reason, rather than complaining that it can't read the
> >>>>> CA certificate, Erlang just silently ignores that and throws an "unknown
> >>>>> CA" error.  Hurray!
> >>>>>
> >>>>> So, change
> >>>>>      {cacertfile,"C:\\testca\\cacert.cer"}
> >>>>> with
> >>>>>      {cacertfile,"C:\\testca\\cacert.pem"}
> >>>>>
> >>>>> Please let me know if this helps.
> >>>>>
> >>>>> Cheers,
> >>>>> Alex
> >>>>>
> >>>>> On Tue, Aug 09, 2011 at 06:22:23PM +0530, Abhijit wrote:
> >>>>>
> >>>>>> Yes sir, that was set to true. I will go back and look at my certificate
> >>>>>> creation steps and find out whether I did everything properly,
> >>>>>>
> >>>>>> and will let you know once that is done.
> >>>>>>
> >>>>>> Thanks and Regards,
> >>>>>> Abhijit
> >>>>>>
> >>>>>> On 8/9/2011 6:18 PM, Alexandru Scvorţov wrote:
> >>>>>>
> >>>>>>>> I am basically getting this error; I tried debugging and solved most of
> >>>>>>>> the problems but am still getting this:
> >>>>>>>>
> >>>>>>> Oh, great. My guess about the really long error was that you needed some
> >>>>>>> clients to connect without providing certificates, but
> >>>>>>> fail_if_no_peer_cert was set to true in the config file.  Was that
> >>>>>>> right?
> >>>>>>>
> >>>>>>>>> [{amqp-0-9://localhost:5671}] =
> >>>>>>>>> {System.Security.Authentication.AuthenticationException: A call to
> >>>>>>>>> SSPI failed, see inner exception. --->
> >>>>>>>>> System.ComponentModel.Win32Exception: The certificate chain was issued
> >>>>>>>>> by an authority that is not trusted
> >>>>>>>>>
> >>>>>>> I haven't seen that before.  Did you follow the steps in our SSL guide
> >>>>>>> to generate the certificate (in particular, were the client certificates
> >>>>>>> signed by the CA set in the broker)?
> >>>>>>>
> >>>>>>> Alex
> >>>>>>>
> >>>>>>> On Tue, Aug 09, 2011 at 06:08:19PM +0530, Abhijit wrote:
> >>>>>>>
> >>>>>>>> Hi sir,
> >>>>>>>>
> >>>>>>>> I am basically getting this error; I tried debugging and solved most of
> >>>>>>>> the problems but am still getting this:
> >>>>>>>>
> >>>>>>>>> [{amqp-0-9://localhost:5671}] =
> >>>>>>>>> {System.Security.Authentication.AuthenticationException: A call to
> >>>>>>>>> SSPI failed, see inner exception. --->
> >>>>>>>>> System.ComponentModel.Win32Exception: The certificate chain was issued
> >>>>>>>>> by an authority that is not trusted
> >>>>>>>>>        --- End of inner exception stack trace -...
> >>>>>>>>>
> >>>>>>>> Thanks and Regards,
> >>>>>>>> Abhijit
> >>>>>>>>
> >>>>>>>> On 8/9/2011 5:39 PM, Alexandru Scvorţov wrote:
> >>>>>>>>
> >>>>>>>>>> I will go ahead for now; if I have any queries I will again seek your help.
> >>>>>>>>>>
> >>>>>>>>> Excellent.  Don't hesitate to ask us any more questions.
> >>>>>>>>>
> >>>>>>>>> Also, in the future, could you please make sure to CC the mailing list
> >>>>>>>>> when replying?
> >>>>>>>>>
> >>>>>>>>> Cheers,
> >>>>>>>>> Alex
> >>>>>>>>>
> >>>>>>>>> On Tue, Aug 09, 2011 at 05:31:22PM +0530, Abhijit wrote:
> >>>>>>>>>
> >>>>>>>>>> Hi sir,
> >>>>>>>>>>
> >>>>>>>>>> Finally got this:
> >>>>>>>>>>
> >>>>>>>>>>> =INFO REPORT==== 9-Aug-2011::17:28:33 ===
> >>>>>>>>>>> started TCP Listener on 0.0.0.0:5672
> >>>>>>>>>>>
> >>>>>>>>>>> =INFO REPORT==== 9-Aug-2011::17:28:33 ===
> >>>>>>>>>>> started SSL Listener on 0.0.0.0:5671
> >>>>>>>>>>>
> >>>>>>>>>> This step of yours:
> >>>>>>>>>>
> >>>>>>>>>> Could you copy the config file to "...\AppData\Roaming\RabbitMQ.config"
> >>>>>>>>>> and try again
> >>>>>>>>>>
> >>>>>>>>>> helped...
> >>>>>>>>>>
> >>>>>>>>>> I will go ahead for now; if I have any queries I will again seek your help.
> >>>>>>>>>>
> >>>>>>>>>> Thanks and Regards,
> >>>>>>>>>> Abhijit
> >>>>>>>>>>
> >>>>>>>>>> On 8/9/2011 5:20 PM, Alexandru Scvorţov wrote:
> >>>>>>>>>>
> >>>>>>>>>>> That's a bit odd.  I'm not sure how that can happen.  It looks like you
> >>>>>>>>>>> somehow set the RABBITMQ_CONFIG_FILE variable at some point.
> >>>>>>>>>>>
> >>>>>>>>>>> The file is normally in:
> >>>>>>>>>>> ...\AppData\Roaming\RabbitMQ\rabbitmq.config
> >>>>>>>>>>> but your system is looking for it in:
> >>>>>>>>>>> ...\AppData\Roaming\RabbitMQ.config
> >>>>>>>>>>>
> >>>>>>>>>>> Could you copy the config file to "...\AppData\Roaming\RabbitMQ.config"
> >>>>>>>>>>> and try again?  Alternatively, unset the RABBITMQ_CONFIG_FILE variable
> >>>>>>>>>>> and try again without copying the file.
> >>>>>>>>>>>
> >>>>>>>>>>> Cheers,
> >>>>>>>>>>> Alex
> >>>>>>>>>>>
> >>>>>>>>>>> On Tue, Aug 09, 2011 at 05:02:04PM +0530, Abhijit wrote:
> >>>>>>>>>>>
> >>>>>>>>>>>> I deleted the dot as you asked and also added the line to find out which
> >>>>>>>>>>>> config we are using, and found we are using the same config file; the
> >>>>>>>>>>>> broker is also running successfully without the dot. I am attaching the
> >>>>>>>>>>>> print-screen of the command line output I received when I tried running
> >>>>>>>>>>>> rabbitmq-server.
> >>>>>>>>>>>>
> >>>>>>>>>>>> Thanks and regards,
> >>>>>>>>>>>> Abhijit
> >>>>>>>>>>>>
> >>>>>>>>>>>> On 8/9/2011 4:50 PM, Alexandru Scvorţov wrote:
> >>>>>>>>>>>>
> >>>>>>>>>>>>> Ok.  Could you delete the dot at the end (or introduce some other
> >>>>>>>>>>>>> syntactic error) and try again?
> >>>>>>>>>>>>>
> >>>>>>>>>>>>> If it still runs, it's using a different configuration file.
> >>>>>>>>>>>>>
> >>>>>>>>>>>>> Could you also add the following line to the rabbitmq-server.bat file?
> >>>>>>>>>>>>>          echo CONFIG_FILE: !RABBITMQ_CONFIG_FILE!.config
> >>>>>>>>>>>>> It should go in towards the end, right before the "!ERLANG_HOME!\bin\erl.exe"
> >>>>>>>>>>>>> line.
> >>>>>>>>>>>>>
> >>>>>>>>>>>>> That way, when you start the server manually with the .bat, we will know
> >>>>>>>>>>>>> which config file it's using.
> >>>>>>>>>>>>>
> >>>>>>>>>>>>> Alex
> >>>>>>>>>>>>>
> >>>>>>>>>>>>> On Tue, Aug 09, 2011 at 04:42:32PM +0530, Abhijit wrote:
> >>>>>>>>>>>>>
> >>>>>>>>>>>>>> Hi sir,
> >>>>>>>>>>>>>>
> >>>>>>>>>>>>>> It didn't work as we wanted... these are the last two phrases in the log
> >>>>>>>>>>>>>> file of the broker.
> >>>>>>>>>>>>>>
> >>>>>>>>>>>>>>> =INFO REPORT==== 9-Aug-2011::16:39:52 ===
> >>>>>>>>>>>>>>> started TCP Listener on [::]:5692
> >>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>> =INFO REPORT==== 9-Aug-2011::16:39:53 ===
> >>>>>>>>>>>>>>> started TCP Listener on 0.0.0.0:5692
> >>>>>>>>>>>>>>>
> >>>>>>>>>>>>>> I copied the rabbitmq.config which you sent me, but it didn't work out.
> >>>>>>>>>>>>>>
> >>>>>>>>>>>>>> Thanks and Regards,
> >>>>>>>>>>>>>> Abhijit
> >>>>>>>>>>>>>>
> >>>>>>>>>>>>>> On 8/9/2011 4:19 PM, Alexandru Scvorţov wrote:
> >>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>> I am using the same path, C:\Users\Administrator\AppData\Roaming\RabbitMQ\rabbitmq.config, for including SSL in my app.
> >>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>> Ok.
> >>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>> But the file wasn't present earlier; I had created that file at the same location in order to have SSL in my app.
> >>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>> That's fine.
> >>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>> I tried running the bat file for the rabbitmq-server; that didn't help, sir. Do you need any part of the code for inspection?
> >>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>> The code isn't the problem right now.  It's getting rabbit to enable
> >>>>>>>>>>>>>>> ssl.
> >>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>> I'm attaching a rabbitmq.config.  Please try using that one.  Restart
> >>>>>>>>>>>>>>> the broker and the last lines in the broker log should be:
> >>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>> =INFO REPORT==== 9-Aug-2011::11:44:37 ===
> >>>>>>>>>>>>>>> started TCP Listener on [::]:5672
> >>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>> =INFO REPORT==== 9-Aug-2011::11:44:37 ===
> >>>>>>>>>>>>>>> started SSL Listener on 0.0.0.0:5671
> >>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>> Let me know how it goes, please.
> >>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>> Cheers,
> >>>>>>>>>>>>>>> Alex
> >>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>> On Tue, Aug 09, 2011 at 04:09:42PM +0530, Abhijit wrote:
> >>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>> Hi Sir,
> >>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>> I am using the same path, C:\Users\Administrator\AppData\Roaming\RabbitMQ\rabbitmq.config, for including SSL in my app.
> >>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>> But the file wasn't present earlier; I had created that file at the same location in order to have SSL in my app.
> >>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>> I tried running the bat file for the rabbitmq-server; that didn't help, sir. Do you need any part of the code for inspection?
> >>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>> Thanks a lot for your time and replies.
> >>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>> Regards,
> >>>>>>>>>>>>>>>> Abhijit
> >>>>>>>>>>>>>>>>

