[rabbitmq-discuss] Not able to get ssl working with rabbitMQ server

Kausik Chattopadhyay connect_kausik at yahoo.com
Tue Jan 28 09:55:00 GMT 2014


Thank you Gavin.
Actually I tried with your code-sample.py. It worked and then it worked with my client as well. A bit surprised. This is my ssl_options
ssl_options = {"ca_certs": "cacert.pem",
               "certfile": "cert.pem",
               "keyfile": "key.pem",
               "cert_reqs": True}

On the server side the configuration is as follows:

rabbitmq@ubuntuvm:~$ rabbitmqctl environment

Application environment of node rabbit@ubuntuvm ...
[{auth_backends,[rabbit_auth_backend_internal]},
 {auth_mechanisms,['PLAIN','AMQPLAIN']},
 {backing_queue_module,rabbit_variable_queue},
 {cluster_nodes,{[],disc}},
 {collect_statistics,none},
 {collect_statistics_interval,5000},
 {default_permissions,[<<".*">>,<<".*">>,<<".*">>]},
 {default_user,<<"guest">>},
 {default_user_tags,[administrator]},
 {default_vhost,<<"/">>},
 {delegate_count,16},
 {disk_free_limit,1000000000},
 {enabled_plugins_file,"/etc/rabbitmq/enabled_plugins"},
 {error_logger,{file,"/var/log/rabbitmq/rabbit@ubuntuvm.log"}},
 {frame_max,131072},
 {heartbeat,600},
 {hipe_compile,false},
 {included_applications,[]},
 {log_levels,[{connection,info}]},
 {msg_store_file_size_limit,16777216},
 {msg_store_index_module,rabbit_msg_store_ets_index},
 {plugins_dir,"/usr/lib/rabbitmq/lib/rabbitmq_server-3.0.2/sbin/../plugins"},
 {plugins_expand_dir,"/var/lib/rabbitmq/mnesia/rabbit@ubuntuvm-plugins-expand"},
 {queue_index_max_journal_entries,262144},
 {reverse_dns_lookups,false},
 {sasl_error_logger,{file,"/var/log/rabbitmq/rabbit@ubuntuvm-sasl.log"}},
 {server_properties,[]},
 {ssl_cert_login_from,distinguished_name},
 {ssl_listeners,[5671]},
 {ssl_options,[{cacertfile,"/home/rabbitmq/testca/cacert.pem"},
               {certfile,"/home/rabbitmq/server/cert.pem"},
               {keyfile,"/home/rabbitmq/server/key.pem"},
               {verify,verify_peer},
               {fail_if_no_peer_cert,false}]},
 {tcp_listen_options,[binary,
                      {packet,raw},
                      {reuseaddr,true},
                      {backlog,128},
                      {nodelay,true},
                      {linger,{true,0}},
                      {exit_on_close,false}]},
 {tcp_listeners,[5672]},
 {trace_vhosts,[]},
 {vm_memory_high_watermark,0.4}]
...done.


Trying to debug why it was failing earlier.




On Monday, January 27, 2014 10:12 PM, Gavin M. Roy <gavinmroy at gmail.com> wrote:
 
Here’s a gist of both my rabbitmq.config, an example python script using BlockingConnection on 0.9.13 and the interactive session running the script, all working with SSL using pika:

https://gist.github.com/gmr/8651586

I’m going to guess that either your RabbitMQ SSL configuration is incorrect or that your ssl_options specified are preventing you from connecting.

Also, looking at your output, you appear to be connecting just fine. Any abrupt connection disconnects are happening after your connection is established. These last two lines specify:

DEBUG      2014-01-27 16:25:27,927 pika.callback                  process                              231 : Calling <bound method BlockingConnection._on_connection_open of <pika.adapters.blocking_connection.BlockingConnection object at 0x2d6be90>> for "0:Connection.OpenOk"
The connection has been established ok
DEBUG      2014-01-27 16:25:27,927 pika.callback                  add                                  161 : Added: {'callback': <bound method BlockingConnection._on_connection_closed of <pika.adapters.blocking_connection.BlockingConnection object at 0x2d6be90>>, 'only': None, 'one_shot': True, 'arguments': None, 'calls': 1}

The adapter has registered to be notified when the connection is closed.

If your python app stops there, the connection will be closed abruptly with RabbitMQ since you’re not telling it to shut down the connection.

Hope this helps,

Gavin



________________________________
From: Gavin M. Roy
Reply: Gavin M. Roy gavinmroy at gmail.com
Date: January 27, 2014 at 10:56:25 AM
To: Michael Klishin mklishin at gopivotal.com, Kausik Chattopadhyay connect_kausik at yahoo.com
Subject: Re: [rabbitmq-discuss] Not able to get ssl working with rabbitMQ server 

Your ssl_options are a pretty important
part of the SSL connection in this code and they are omitted, same
with your other email thread. Without them, it’s hard to debug for
you. The underlying code is the same regardless of the connection
adapter. If we can see what those are, it should help.

Also, any related snippets from rabbit@[NODE].log could be
helpful.

Gavin


________________________________
From: Kausik Chattopadhyay
Reply: Kausik Chattopadhyay connect_kausik at yahoo.com, Discussions about RabbitMQ rabbitmq-discuss at lists.rabbitmq.com
Date: January 27, 2014 at 6:03:05 AM
To: Michael Klishin mklishin at gopivotal.com
Subject: Re: [rabbitmq-discuss] Not able to get ssl working with rabbitMQ server

Hi Michael,
>So far I was working with SelectConnection using pika and it is good.
>Today I tried to get a publisher working with BlockingConnection with SSL. Normal connection works however failing with SSL. The same setup works with SelectConnection. Any idea ?
>
>
>My publisher code is as follows:
>
>
>parameters = ConnectionParameters(HOST, PORT,
>                                  ssl=True,
>                                  ssl_options=ssl_options)
>connection = pika.BlockingConnection(parameters)
>
>
>I am getting the following error:
>
>------------------------------------------
>DEBUG 2014-01-27 16:25:27,901 pika.callback add 161 : Added: {'callback': <bound method BlockingConnection._on_connection_error of <pika.adapters.blocking_connection.BlockingConnection object at 0x2d6be90>>, 'only': None, 'one_shot': False, 'arguments': None}
>
>DEBUG 2014-01-27 16:25:27,901 pika.callback add 161 : Added: {'callback': <bound method BlockingConnection._on_connection_start of <pika.adapters.blocking_connection.BlockingConnection object at 0x2d6be90>>, 'only': None, 'one_shot': True, 'arguments': None, 'calls': 1}
>INFO 2014-01-27 16:25:27,901 pika.adapters.base_connection _create_and_connect_to_socket 164 : Connecting to 172.16.47.133:5671 with SSL
>DEBUG 2014-01-27 16:25:27,925 pika.callback process 217 : Processing 0:Connection.Start
>DEBUG 2014-01-27 16:25:27,925 pika.callback _use_one_shot_callback 390 : Processing use of oneshot callback
>DEBUG 2014-01-27 16:25:27,925 pika.callback _use_one_shot_callback 392 : 0 registered uses left
>DEBUG 2014-01-27 16:25:27,925 pika.callback remove 260 : Removing callback #0: {'callback': <bound method BlockingConnection._on_connection_start of <pika.adapters.blocking_connection.BlockingConnection object at 0x2d6be90>>, 'only': None, 'one_shot': True, 'arguments': None, 'calls': 0}
>DEBUG 2014-01-27 16:25:27,926 pika.callback process 231 : Calling <bound method BlockingConnection._on_connection_start of <pika.adapters.blocking_connection.BlockingConnection object at 0x2d6be90>> for "0:Connection.Start"
>DEBUG 2014-01-27 16:25:27,926 pika.callback add 161 : Added: {'callback': <bound method BlockingConnection._on_connection_tune of <pika.adapters.blocking_connection.BlockingConnection object at 0x2d6be90>>, 'only': None, 'one_shot': True, 'arguments': None, 'calls': 1}
>DEBUG 2014-01-27 16:25:27,926 pika.callback process 217 : Processing 0:Connection.Tune
>DEBUG 2014-01-27 16:25:27,926 pika.callback _use_one_shot_callback 390 : Processing use of oneshot callback
>DEBUG 2014-01-27 16:25:27,926 pika.callback _use_one_shot_callback 392 : 0 registered uses left
>DEBUG 2014-01-27 16:25:27,926 pika.callback remove 260 : Removing callback #0: {'callback': <bound method BlockingConnection._on_connection_tune of <pika.adapters.blocking_connection.BlockingConnection object at 0x2d6be90>>, 'only': None, 'one_shot': True, 'arguments': None, 'calls': 0}
>DEBUG 2014-01-27 16:25:27,926 pika.callback process 231 : Calling <bound method BlockingConnection._on_connection_tune of <pika.adapters.blocking_connection.BlockingConnection object at 0x2d6be90>> for "0:Connection.Tune"
>DEBUG 2014-01-27 16:25:27,926 pika.connection _create_heartbeat_checker 946 : Creating a HeartbeatChecker: 600
>DEBUG 2014-01-27 16:25:27,926 pika.callback add 161 : Added: {'callback': <bound method BlockingConnection._on_connection_open of <pika.adapters.blocking_connection.BlockingConnection object at 0x2d6be90>>, 'only': None, 'one_shot': True, 'arguments': None, 'calls': 1}
>DEBUG 2014-01-27 16:25:27,927 pika.callback process 217 : Processing 0:Connection.OpenOk
>DEBUG 2014-01-27 16:25:27,927 pika.callback _use_one_shot_callback 390 : Processing use of oneshot callback
>DEBUG 2014-01-27 16:25:27,927 pika.callback _use_one_shot_callback 392 : 0 registered uses left
>DEBUG 2014-01-27 16:25:27,927 pika.callback remove 260 : Removing callback #0: {'callback': <bound method BlockingConnection._on_connection_open of <pika.adapters.blocking_connection.BlockingConnection object at 0x2d6be90>>, 'only': None, 'one_shot': True, 'arguments': None, 'calls': 0}
>DEBUG 2014-01-27 16:25:27,927 pika.callback process 231 : Calling <bound method BlockingConnection._on_connection_open of <pika.adapters.blocking_connection.BlockingConnection object at 0x2d6be90>> for "0:Connection.OpenOk"
>DEBUG 2014-01-27 16:25:27,927 pika.callback add 161 : Added: {'callback': <bound method BlockingConnection._on_connection_closed of <pika.adapters.blocking_connection.BlockingConnection object at 0x2d6be90>>, 'only': None, 'one_shot': True, 'arguments': None, 'calls': 1}
>
>---------------------------------------
>
>
>
>Server-side log shows:
>
>
>=INFO REPORT==== 27-Jan-2014::05:55:47 ===
>accepting AMQP connection <0.6427.1> (172.16.47.1:56458 -> 172.16.47.133:5671)
>
>
>=WARNING REPORT==== 27-Jan-2014::05:55:47 ===
>closing AMQP connection <0.6427.1> (172.16.47.1:56458 -> 172.16.47.133:5671):
>connection_closed_abruptly
>
>
>
>
>
>
>
>On Wednesday, January 22, 2014 8:07 PM, Kausik Chattopadhyay <connect_kausik at yahoo.com> wrote:
>
>Hi Michael,
>Thanks.
>Actually the certificates were owned by root.
>I tried the following:
>1. Adding user rabbitmq to group root --- didn't work
>2. Changing the ownership of all the certificates to rabbitmq:rabbitmq --- didn't work
>
>
>Finally I tried this. Created a "rabbitmq" sudoer. Installing rabbitmq server. Generating the certificates as a "rabbitmq" user --> this worked
>
>
>Thanks
>Kausik
>
>
>
>On Wednesday, January 22, 2014 4:54 PM, Michael Klishin <mklishin at gopivotal.com> wrote:
>
>
>On 22 Jan 2014, at 14:59, Kausik Chattopadhyay <connect_kausik at yahoo.com> wrote:
>
>> Interestingly, this is the log from rabbit@master1-sasl.log
>
>There is nothing new in the SASL log.
>
>ecacertfile indicates there was an issue with the CA certificate, which cannot
>be loaded due to eaccess (according to the other log file).
>
>--
>MK
>
>Software Engineer, Pivotal/RabbitMQ
>
>
>
>
>
_______________________________________________
>rabbitmq-discuss mailing list
>rabbitmq-discuss at lists.rabbitmq.com
>https://lists.rabbitmq.com/cgi-bin/mailman/listinfo/rabbitmq-discuss
>
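The permission failure diagnosed earlier in this thread (the CA certificate could not be loaded by the broker) can be checked before the broker is started. The sketch below is an added example, not code from the thread or from RabbitMQ: `pem_access_problems` and `allowed` are hypothetical helper names, it assumes the broker runs as a Unix account named rabbitmq, and it evaluates classic mode bits only (no ACLs). It goes beyond the file ownership discussed above by also checking every parent directory and by flagging a world-readable private key.

```python
import os
import stat

# (owner, group, other) mode bits for each kind of access
READ = (stat.S_IRUSR, stat.S_IRGRP, stat.S_IROTH)
SEARCH = (stat.S_IXUSR, stat.S_IXGRP, stat.S_IXOTH)

def allowed(st, uid, gids, bits):
    """Classic Unix rule: exactly one of owner/group/other applies (no ACLs)."""
    if uid == 0:
        return True
    if st.st_uid == uid:
        return bool(st.st_mode & bits[0])
    if st.st_gid in gids:
        return bool(st.st_mode & bits[1])
    return bool(st.st_mode & bits[2])

def pem_access_problems(path, uid, gids, private_key=False):
    """List reasons why a process running as uid/gids could not load path."""
    path = os.path.realpath(path)
    problems = []
    # Walk from / down to the file's directory: one unsearchable parent is
    # enough to produce EACCES even when the file itself is readable.
    parents = []
    d = os.path.dirname(path)
    while d not in parents:
        parents.append(d)
        d = os.path.dirname(d)
    for d in reversed(parents):
        if not allowed(os.stat(d), uid, gids, SEARCH):
            problems.append("cannot traverse directory " + d)
    st = os.stat(path)
    if not allowed(st, uid, gids, READ):
        problems.append("cannot read " + path)
    # The private key should never be readable by unrelated accounts.
    if private_key and st.st_mode & stat.S_IROTH:
        problems.append("private key is world-readable: " + path)
    return problems

if __name__ == "__main__":
    import pwd  # Unix only
    user = pwd.getpwnam("rabbitmq")  # assumed service account name
    gids = set(os.getgrouplist(user.pw_name, user.pw_gid))
    # Paths as shown in the rabbitmqctl environment output above
    for p, is_key in [("/home/rabbitmq/testca/cacert.pem", False),
                      ("/home/rabbitmq/server/cert.pem", False),
                      ("/home/rabbitmq/server/key.pem", True)]:
        for problem in pem_access_problems(p, user.pw_uid, gids, is_key):
            print(problem)
```

Run it as root or as the account that owns the files, since it has to stat every directory on the path.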