[rabbitmq-discuss] [RUBY AMPQ] SSL LOGIN ERROR EXTERNAL login refused

Loganathan Sellapa loganathan.ms at gmail.com
Tue Apr 29 09:05:40 BST 2014


Hi All,

I tried to set up SSL on my development machine by following the instructions
provided in https://www.rabbitmq.com/ssl.html. And then created
rabbitmq.config file with the below settings.

[
  {rabbit, [
     {ssl_listeners, [5671]},
     {ssl_options, [{cacertfile,"/opt/ssl/testca/cacert.pem"},
                    {certfile,"/opt/ssl/server/cert.pem"},
                    {keyfile,"/opt/ssl/server/key.pem"},
                    {verify,verify_peer},
                    {fail_if_no_peer_cert,true}]},
     {auth_mechanisms, ['EXTERNAL']},
     {ssl_cert_login_from, common_name}
  ]}
].

After restarting the rabbitmq server I tried to connect to RabbitMq via
AMQP Gem with the below code, but I am getting authentication failure error.

*RUBY CODE:*

require "amqp"

# Connection settings: TLS listener on 5671, EXTERNAL auth with the client certificate
RMQ_CONFIGURATIONS = {:host=>"127.0.0.1", :port=>5671, :vhost=>"/",
                      :auth_mechanism=>"EXTERNAL",
                      :ssl=>{:cert_chain_file=>"/opt/ssl/client/cert.pem",
                             :private_key_file=>"/opt/ssl/client/key.pem"}}

AMQP.start(RMQ_CONFIGURATIONS) do |connection|
  puts "Connected, authenticated. TLS seems to work."

  connection.disconnect { puts "Now closing the connection..."; EventMachine.stop }
end


AMQP::PossibleAuthenticationFailureError: AMQP broker closed TCP connection
before authentication succeeded: this usually means authentication failure
due to misconfiguration. Settings are {:host=>"127.0.0.1", :port=>5671,
:user=>"guest", :pass=>"[filtered]", :auth_mechanism=>"EXTERNAL",
:vhost=>"/", :timeout=>nil, :logging=>false,
:ssl=>{:cert_chain_file=>"/opt/ssl/client/cert.pem",
:private_key_file=>"/opt/ssl/client/key.pem"}, :frame_max=>131072,
:heartbeat=>0}


*RABBITMQ LOG:*


==> /var/log/rabbitmq/rabbit@ubuntu.log <==

=INFO REPORT==== 29-Apr-2014::13:26:19 ===
accepting AMQP connection <0.862.0> (127.0.0.1:40657 -> 127.0.0.1:5671)

=ERROR REPORT==== 29-Apr-2014::13:26:22 ===
closing AMQP connection <0.862.0> (127.0.0.1:40657 -> 127.0.0.1:5671):
{handshake_error,starting,0,
                 {amqp_error,access_refused,
                             "EXTERNAL login refused: user 'ubuntu' - invalid credentials",
                             'connection.start_ok'}}


I validated the SSL certificates using the below command and I got the
VERIFY OK as response.

*SSL VALIDATION I/P*

openssl s_server -accept 443 -cert /opt/ssl/server/cert.pem \
  -key /opt/ssl/server/key.pem -CAfile /opt/ssl/testca/cacert.pem

openssl s_client -connect localhost:443 -cert /opt/ssl/client/cert.pem \
  -key /opt/ssl/client/key.pem -CAfile testca/cacert.pem

*SSL VALIDATION O/P*

CONNECTED(00000003)
depth=1 CN = MyTestCA
verify return:1
depth=0 CN = ubuntu, O = server
verify return:1
---
Certificate chain
 0 s:/CN=ubuntu/O=server
   i:/CN=MyTestCA
 1 s:/CN=MyTestCA
   i:/CN=MyTestCA
---
Server certificate
subject=/CN=ubuntu/O=server
issuer=/CN=MyTestCA
---
No client certificate CA names sent
---
SSL handshake has read 2137 bytes and written 375 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1.1
    Cipher    : ECDHE-RSA-AES256-SHA
    Session-ID: A74004CB078A50AFE2CDA0550BE606DB7747BBF9386ED348129CEDCADDB8B753
    Session-ID-ctx:
    Master-Key: 366B450D2C99556844C47A27B280AAA1F7BA1CC5196B1BB9FC4E5FABC95493C873DBF9375116E3E3036DAC51D406741C
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 300 (seconds)
    Start Time: 1398758603
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---


regards,
Loganathan
Mob: +91 7760780741 | +91 9944414388
Skype: loganathan.sellappa
ViewMe <http://vizualize.me/loganathan>
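
Added example, not part of the original post and not code from the RabbitMQ or amqp gem projects: with `ssl_cert_login_from` set to `common_name`, the broker takes the EXTERNAL username from the CN of the client certificate and looks that name up among its own users, so the refused `'ubuntu'` in the log is a certificate CN, not the gem's default `guest`. The Ruby sketch below checks that mapping; the certificate subject `/CN=ubuntu/O=client`, the user list `["guest"]` and all function names are constructed assumptions.

```ruby
require "openssl"

# Username the broker derives when ssl_cert_login_from is common_name:
# the CN attribute of the client certificate's subject (nil if there is none).
def external_login_name(cert)
  cn = cert.subject.to_a.find { |name, _value, _type| name == "CN" }
  cn && cn[1]
end

# Pull the refused username out of an "EXTERNAL login refused" broker log line.
def refused_user(log_text)
  log_text[/EXTERNAL login refused: user '([^']*)'/, 1]
end

# Constructed stand-in for /opt/ssl/client/cert.pem (self-signed; only the
# subject matters for this check). Replace with
# OpenSSL::X509::Certificate.new(File.read(path)) for a real certificate.
def sample_client_cert(subject)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse(subject)
  cert.public_key = key.public_key
  cert.not_before = Time.now
  cert.not_after = Time.now + 3600
  cert.sign(key, OpenSSL::Digest.new("SHA256"))
  cert
end

# Compare the certificate CN, the user named in the log, and the broker's users
# (broker_users is a hypothetical list, e.g. copied from `rabbitmqctl list_users`).
def diagnose(cert, log_text, broker_users)
  name = external_login_name(cert)
  return "certificate has no CN; nothing to map to a user" if name.nil?
  return "log shows a different user than the certificate CN" if refused_user(log_text) != name
  return "no broker user named '#{name}'; EXTERNAL needs one" unless broker_users.include?(name)
  "user '#{name}' exists; check its permissions on the vhost"
end

if __FILE__ == $PROGRAM_NAME
  log = %q("EXTERNAL login refused: user 'ubuntu' - invalid credentials")  # from the log above
  cert = sample_client_cert("/CN=ubuntu/O=client")                          # constructed
  puts diagnose(cert, log, ["guest"])                                       # constructed user list
end
```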